ML23346A049
| Person / Time | |
|---|---|
| Site: | Triso-X |
| Issue date: | 12/19/2024 |
| From: | Ming Li, David Rahn NRC/NMSS/DFM/FFLB |
| To: | TRISO-X |
| Shared Package | |
| ML23346A047 | List: |
Text
E-1 Example SER - DRahn and MLi
Example-Safety Evaluation Report for Electrical and Digital Instrumentation and Control for Normal Power Supply at a New Fuel Cycle Facility
Note: The following enclosure provides an example of the type of safety evaluation report (SER) the NRC staff develops to support an electrical and digital instrumentation and control review for a new fuel cycle facility. The information is general and for illustrative purposes only. Although a site-specific SER would follow this general layout, the language would be updated based on the review of the specific facility. In addition, any references to codes and standards referenced below are provided as placeholders only and do not necessarily represent the latest versions or appropriate documents, which should be used when developing a new application.
APPENDIX E ELECTRICAL POWER AND INSTRUMENTATION AND CONTROL SYSTEMS
This section of the SER contains a summary of the U.S. Nuclear Regulatory Commission (NRC) staff's review and evaluation of the electrical power and instrumentation and control (I&C) systems for the facility. The objective of this review is to verify whether the aspects of the design of the electrical and I&C systems will meet the regulatory requirements specified in Title 10 of the Code of Federal Regulations (10 CFR) Part 70, Subpart H, "Additional Requirements for Certain Licensees Authorized to Possess a Critical Mass of Special Nuclear Material." To conduct this review, the NRC staff has evaluated the adequacy of the proposed conceptual design and intended operations of these systems as reflected in the applicant's commitments and goals with respect to that design. The staff evaluated the applicant's commitments for completing the design of the electrical and I&C systems in a manner that addresses specific regulatory acceptance criteria, identified in Section E.2 below. These commitments and goals are described within the Integrated Safety Analysis (ISA) Summary (ANF, [YEAR]) and the Safety Analysis Report (SAR) (ANF, [YEAR]) and modified by clarifications contained in an e-mail from the applicant to the NRC staff (ANF, [YEAR]).
E.1 REGULATORY REQUIREMENTS
The regulations applicable to the electrical power and I&C systems are as follows:
10 CFR 70.22, specifically relating to the requirement that the applicant is to provide a description of the equipment and facilities and proposed procedures to protect health and minimize danger to life and property.
10 CFR 70.23, specifically relating to the requirement that the Commission determine that the proposed equipment, facilities, and procedures are adequate to protect health and minimize danger to life and property.
10 CFR 70.61(e), specifically relating to the requirement that each engineered or administrative control or control system that is needed to meet the performance requirements be designated as an item relied on for safety (IROFS) and relating to the safety program that ensures each IROFS will be available and reliable to perform its intended function when needed.
10 CFR 70.62, specifically relating to the establishment and maintenance of a safety program and to the performance of an ISA.
10 CFR 70.64, specifically relating to the application of Baseline Design Criteria (BDC) and defense-in-depth practices to new facilities or new processes at existing facilities.
10 CFR 70.65, specifically relating to the need for applications to contain a description of the applicant's safety program, and a summary of the ISA that demonstrates the applicant's compliance with the requirements of 10 CFR 70.61, including a description of management measures and proposed IROFS in sufficient detail to provide an understanding of the functions of the IROFS in relation to the performance requirements of 10 CFR 70.61.
E.2 REGULATORY GUIDANCE AND ACCEPTANCE CRITERIA
The guidance applicable to NRC's review of the electrical and I&C systems section of the ACME Nuclear Facility (ANF) license application is contained in Chapter 3 of "Standard Review Plan for the Review of a License Application for a Fuel Cycle Facility," NUREG-1520, Revision 2 (NRC, 2015). The acceptance criteria applicable to this review are contained in Sections 3.4.3.2(4)(d) and 3.4.3.2(6) of NUREG-1520 (NRC, 2015) as applicable to the review of BDC contained in 10 CFR 70.64(a) and the description of each IROFS, respectively. Section 3.4.3.2(4)(d) of NUREG-1520 (NRC, 2015) states that the ISA Summary should explain how each baseline design criterion was addressed in the design of the facility, and Section 3.4.3.2(6) of NUREG-1520 (NRC, 2015) states that the ISA documentation should identify essential utilities and support systems on which IROFS depend to perform their intended functions. In addition, the staff used guidance from the National Electrical Code (NEC), applicable Institute of Electrical and Electronics Engineers (IEEE) standards, and additional NRC guidance documents.
Specific criteria applicable to the design of electrical and I&C aspects of the facility are the need to ensure that any applicable BDC of 10 CFR 70.64 are achieved, and that the concept of defense-in-depth has been applied to the design. In addition, the electrical and I&C systems design and operation should fulfill the functional requirements determined from the ISA, and facility IROFS should be available and reliable to perform their intended safety functions when needed.
Applicable BDC for the design of the electrical system include:
10 CFR 70.64(a)(4) Environmental and dynamic effects. The design must provide for adequate protection from environmental conditions and dynamic effects associated with normal operations, maintenance, testing, and postulated accidents that could lead to loss of safety functions.
10 CFR 70.64(a)(7) Utility services. The design must provide for the continued operation of essential utility services.
10 CFR 70.64(a)(8) Inspection, testing, and maintenance. The design of IROFS must provide for adequate inspection, testing, and maintenance, to ensure their availability and reliability to perform their function when needed.
Further, although the code does not require adherence to any particular industry standards containing specific design criteria that are to be used in the design of the electrical power systems, appropriate design considerations for electrical systems include the following criteria:
Provisions so that safety components of the electrical systems can be tested periodically for operability and required functional performance;
Electrical and physical separation between systems and components performing safety and non-safety functions, and between redundant safety functions, to ensure that any required independence is maintained and that failures occurring within non-safety systems and components do not adversely affect safety functions;
No single failure vulnerability which would act to prevent the accomplishment of safety functions;
Sufficient capacity and capability to ensure the IROFS supported by the electrical systems perform their intended functions;
Adequate protective relaying and breaker control to ensure required functional performance and adequate response to electrical fault/overload conditions;
Status monitoring of the behavior of the systems and components that are identified as IROFS; and
System capability to maintain safety action functionality when subjected to tornadoes, tornado missiles, earthquakes, floods, and any other appropriate severe natural phenomena as established in the ISA.
Applicable BDC for the design of the I&C systems include:
10 CFR 70.64(a)(10) Instrumentation and Controls. The design must provide for inclusion of instrumentation and control systems to monitor and control the behavior of IROFS.
10 CFR 70.64(a)(4) Environmental and dynamic effects. The design must provide for adequate protection from environmental conditions and dynamic effects associated with normal operations, maintenance, testing, and postulated accidents that could lead to loss of safety functions.
10 CFR 70.64(a)(8) Inspection, testing, and maintenance. The design of IROFS must provide for adequate inspection, testing, and maintenance, to ensure their availability and reliability to perform their function when needed.
Further, although the code does not require adherence to any particular industry standards containing specific design criteria that are to be used in the design of the I&C systems, specific design considerations for I&C systems would include the following criteria:
Provisions so that I&C system safety components can be tested periodically for operability and required functional performance;
Electrical, physical, and control/separation between systems and components performing safety and non-safety functions, and between redundant safety functions, to ensure that any required independence is maintained and that failures occurring within non-safety systems and components do not adversely affect safety functions;
No single failure vulnerability which would act to prevent the accomplishment of safety functions;
Adequate instrument spans, setpoints, and control ranges to ensure proper monitoring and control of IROFS;
Provisions so that I&C system components fail in a safe failure mode;
Status monitoring of the behavior of the systems and components that are identified as IROFS; and
System capability to maintain functionality when subjected to tornadoes, tornado missiles, earthquakes, floods, and any other appropriate severe natural phenomena as established in the ISA.
In addition, in accordance with 10 CFR 70.64(b) the design of the electrical system and the I&C system must be based on defense-in-depth practices, and incorporate to the extent practicable a preference for the selection of engineered controls over administrative controls to increase overall system reliability, and features that enhance safety by reducing challenges to IROFS.
E.3 STAFF REVIEW AND ANALYSIS
E.3.1 Electrical Power Supply System
The ISA Summary (ANF, [YEAR]) and SAR (ANF, [YEAR]) provide a description of the applicant's proposed approach and design criteria to be used for the design of the electrical system for the proposed ANF. The SAR and ISA Summary describe the applicant's plans for designing the electrical system with a high level of redundancy to maintain a reliable power supply to the process equipment loads to meet investment protection requirements. The applicant has stated in the ISA Summary that the electrical power system will not be relied on to ensure that facility safety functions are achieved (ANF, [YEAR]). Instead, facility IROFS will be designed such that systems and components required to perform safety functions will maintain their safety function state or fail into a safe state upon a total loss of electrical power (ANF, [YEAR]). The following is a description from the ISA Summary (ANF, [YEAR]) of the normal electrical system, its role in supporting the utility requirements for facility production equipment, and its relationship to facility IROFS.
The ISA Summary (ANF, [YEAR]) identifies that the facility electrical system will be composed of a normal power distribution system that is designed to provide electrical power for all day-to-day operational plant loads and standby power for investment protection, plus an emergency power distribution system that provides power to loads supporting the operation of IROFS that cannot tolerate interruptions in power, and which are needed to ensure the facility will meet its 10 CFR 70.61 performance objectives.
Normal Power Supply System
The normal distribution system will be designed with a high degree of redundancy such that critical load buses (including buses that supply power to IROFS) are capable of being fed from alternate power supply buses or through buses which may be connected to sources of onsite standby or uninterruptible power supplies. Source normal electrical power to the ANF will be supplied from [NUMBER] external (off-site) [NUMBER] kilovolts (kV) power feed(s) from the [NUMBER] Power grid to the ANF substation. At the ANF substation, the electrical power will be stepped down in voltage to [NUMBER] kV through [NUMBER] parallel [PERCENTAGE] capacity [NUMBER] kV-to-[NUMBER] kV transformers, and then supplied through the ANF [NUMBER] kV distribution system to the various glovebox evacuation process buildings and other glovebox evacuation support buildings and facilities. Within the electrical support buildings, the distribution voltages will be further stepped down to [NUMBER] volts alternating current as necessary, depending on the building or facility requirements to power items used for the [TYPE, E.G., ENRICHMENT, FABRICATION, CONVERSION] process and to support the operations, maintenance, and administration of the facility. The main power supply buses will be capable of being fed from different main power transformers, through the appropriate combinatorial use of normally open and normally closed supply breakers. Under normal conditions, main power buses will be connected through normally closed breakers to a dedicated main [NUMBER] kV-to-[NUMBER] kV transformer. In the event of a fault or failure of its associated normal main power transformer, the main bus may be disconnected from its normal source and connected to an alternate transformer or bus by closing a normally open tie breaker to the parallel bus.
Similarly, the plant [NUMBER] V normal distribution system will be designed such that power is fed from the [NUMBER] kV system through the [NUMBER] kV-to-[NUMBER] V step-down transformers for distribution to all [NUMBER] V and lower voltage loads (ANF, [YEAR]). The normal load system [NUMBER] V switchgear will be operated with all normal supply breakers closed and all alternate supply breakers open (ANF, [YEAR]).
Loads which can tolerate a short break in power supply will be powered from buses which can be fed from either a normal feed from the switchgear and distribution system above it, or from a source of standby power provided by a standby diesel generator (see below). Vital loads will be fed from buses that are normally powered through uninterruptible power supplies (UPSs).
The redundant power supply design will be arranged such that the normal power supply for a load is connected through the "A" power distribution system and the alternate "B" distribution system is in back-up or standby mode. In the event of an electrical fault occurring within the normal power supply, the fault will be detected and isolated by protective devices. In the event of a fault occurring in either of the [NUMBER] kV switchgear line-ups, the protective devices will automatically de-energize the affected portion of the line-up, resulting in a loss of power to the equipment in the line-up until manual switching is performed to serve the loads from the alternate source. In the event of an electrical fault occurring in the feeders from the switchgear, circuit breakers will trip, resulting in the loss of supply to the [NUMBER] kV-to-[NUMBER] V step-down transformers connected to that circuit. In the event of a fault occurring in a [NUMBER] kV-to-[NUMBER] V step-down transformer system, the fault is detected by protective devices that isolate that transformer system from the [NUMBER] kV switchgear. The [NUMBER] kV system will be designed such that any loss of power due to individual faults can be restored by manual switching to the alternate supply.
Section [NUMBER] of the ISA Summary (ANF, [YEAR]) states that the normal electrical system will also include an on-site diesel engine driven electrical generator that provides a source of standby power for buses that serve essential short-break and vital no-break loads. In the event of a loss of normal power supply, the standby power generator will start, transition on line, and provide power for short term outages to facilitate an orderly shutdown of the facility for investment protection purposes. This source of standby power is not credited in the ISA Summary for achieving the facility performance requirements of 10 CFR 70.61 as all IROFS are designed to fail safe.
In addition, loads which cannot tolerate even a momentary loss of power will be served by UPSs. The normal source of power for such loads will be through the UPS. The UPS system will be designed such that in the event of a loss of normal alternating current (AC) input to the UPS, the UPS batteries will automatically supply power to maintain the UPS/no-break loads without interruption. When normal AC power is restored, the batteries will stop delivering power to the load and automatically revert to the charging mode. The complete failure of a UPS will initiate automatic transfer of the load of the UPS to the AC bus supplying power to the UPS. When the UPS is restored to service after its repair, the load will be synchronized and manually switched back to the UPS without interruption.
The loads that need the reliability afforded by the short-break distribution system include [LIST OF SYSTEMS THAT NEED SHORT-BREAK POWER]. The loads requiring the reliability afforded by the vital/no-break distribution system include the [LIST OF VITAL SYSTEMS]. In addition, some equipment is served by local UPS systems. These include the emergency [LIST OF EMERGENCY SYSTEMS].
The ISA Summary (ANF, [YEAR]) and SAR (ANF, [YEAR]) identify that a total loss of the normal electrical power system will not have any safety implications; in the event of a loss of normal electrical power, the safety functions that are to be achieved through systems, equipment, and circuits implemented within IROFS will still be achieved. This will be accomplished by designing each IROFS served by normal electrical power such that once the IROFS is activated, the safety function is maintained, or the IROFS design features force the IROFS to fail into a safe condition upon loss of electrical (or air) supply. In a response to the NRC staff's request for additional information (RAI) (ANF, [YEAR]), the applicant stated that there will be only a few IROFS loads that cannot tolerate a break in the normal power supply, and that the safety functions required to be achieved by most IROFS that depend on electrical power will be able to tolerate a break in their normal power supply because such a break will cause IROFS to fail safe. Further, the applicant stated in Section [NUMBER] of the ISA Summary (ANF, [YEAR]) that, although certain IROFS will be powered through UPSs backed up by battery systems, electrical power (normal or emergency) is not required to be, or to support, most IROFS. However, for a small subset of IROFS, which includes the [List of IROFS that cannot tolerate a loss of power], an emergency power supply system is required to protect health and minimize danger to life, within the performance requirements of 10 CFR 70.61. The emergency power supply system is described in the paragraphs below. The applicant states that IROFS are powered by power supplies which are not IROFS and are not part of the IROFS boundary (ANF, [YEAR]).
Section [NUMBER] of the ISA Summary (ANF, [YEAR]) and Section [NUMBER] of the SAR (ANF, [YEAR]) state that IROFS equipment will be isolated from these power supplies using the applicable guidance of RG 1.75, "Criteria for Independence of Electrical Safety Systems" (NRC, [YEAR]), in establishing separation criteria between IROFS and non-IROFS equipment.
Irrespective of how IROFS are powered, IROFS will be designed to maintain their safe state condition, or to fail into a safe state, which ensures that IROFS automatically execute their required safety actions upon a loss of electrical power. For IROFS normally requiring a source of electrical power that are to be used in conjunction with enhanced administrative controls, such as instruments providing information used by facility operators to accomplish preventative safety actions, applicable operating procedures will be developed to provide appropriate directions for the operator to follow in the event of a loss of power to the device.
To verify that facility IROFS are functioning and ready to perform their required safety actions, the status of IROFS will be monitored through hardwired connections to a process control system (PCS) through a local PLC. The connections between the IROFS and the PLC will be electrically isolated such that a failure within the PLC will not adversely affect the operation of the IROFS. The status of IROFS will be monitored by facility operators through an alarm signal generated by the local PLC and sent to the PCS in the event of a problem with the availability of the IROFS.
Based upon a review of the description of the electrical system (summarized above) contained in the ISA Summary (ANF, [YEAR]), the staff concludes that the intent of Section 3.4.3.2(6) of NUREG-1520 (NRC, [YEAR]), requiring a description of the assumptions and conditions under which the electrical power supply is relied upon to provide continuous power to IROFS, has been met. Further, the staff has determined based on the above information, that in committing to design all IROFS fed from the Normal Power Supply System to fail into their safe mode in the event of a loss of normal power supply, the applicant has ensured that the electrical utility systems design for the facility provides reasonable assurance that the regulatory requirements are met.
E.3.1.1 BDC Applicable to the Electrical System
E.3.1.1.1 BDC Regarding Continued Operation of Essential Utility Services
The applicant stated in Section [NUMBER] of the ISA Summary (ANF, [YEAR]) that the ANF electrical power distribution system will be designed with a high level of redundancy to maintain a reliable power supply to process equipment for investment protection. However, as an alternative to designing the ANF such that the continued operation of essential utility services is required in order to meet the facility safety performance objectives, the applicant has proposed to design the normal electrical power system for the ANF such that a total loss of power will not have any adverse effects on safety for most IROFS. Although under normal conditions a reliable source of electrical power will be available to support facility IROFS, the applicant has proposed to complete the design of the ANF in a manner that most of the IROFS will be designed to complete their protective actions in the event of a loss of power. That is, upon a loss of electrical power or other utility services, the IROFS will either maintain their safety function, or fail into a safe condition that accomplishes the required safety action.
Section [NUMBER] of the ISA Summary indicates that for most IROFS, electrical power (normal or emergency) is not required to support an IROFS. Further, the applicant has stated there are only a few IROFS within the ANF that cannot tolerate a break in the normal power supply.
Powered IROFS or IROFS that depend on electrical power in some way can tolerate a break in their normal power supply because such a break will cause the IROFS to fail safe. The safety functions of IROFS are performed on a loss of power.
Since there will be no features within the electrical power supply system that are considered to be IROFS or will form a part of the IROFS boundary, the design, operations, maintenance, and testing of the electrical power supply system will not have the same level of quality rigor applied as those for IROFS (i.e., it will not be treated as a Quality Assurance (QA) Level 1 or QA Level 2 item in the QA Program). Therefore, it is important to consider how IROFS that are to be connected to the electrical power supply will be protected from the effects of potential failures or faults originating within the electrical power supply system. Section [NUMBER] of the ISA Summary (ANF, [YEAR]) and Section [NUMBER] of the SAR (ANF, [YEAR]) outline the applicant's commitment to apply design criteria appropriate for maintaining independence between safety related and non-safety related systems. Section [NUMBER] of the ISA Summary states that electrical power is not required to protect health and minimize danger to life, within the performance requirements of 10 CFR 70.61. These sections also state that IROFS will be powered by power supplies which are not IROFS and are not part of the IROFS boundary.
IROFS equipment will be isolated from these power supplies using the appropriate guidance of RG 1.75, "Criteria for Independence of Electrical Safety Systems" (NRC, [YEAR]), in establishing separation criteria between IROFS and non-IROFS equipment. RG 1.75, Revision [NUMBER], endorses the use of industry standard IEEE 384, "Standard Criteria for Independence of Class 1E Equipment and Circuits" (IEEE, [YEAR]). Within IEEE Standard 384-[YEAR], Clause 7.1.2 describes the use of suitable isolation devices for maintaining independence between safety and non-safety circuits and between redundant safety channels.
Clause 7.1.2 states that a device is considered to be a power circuit isolation device if it is applied such that the maximum credible voltage or current transient applied to the non-Class 1E side of the device will not degrade below an acceptable level the operation of the circuit on the other side of that device. It further describes specific requirements pertaining to circuit breakers tripped by fault currents, circuit breakers tripped by accident signals, input current limiters (such as components within inverters, regulating transformers, and battery chargers with current limiting characteristics), and fuses that may be used as qualified isolation devices.
Within RG 1.75, Revision [NUMBER], (NRC, [YEAR]), Regulatory Position C (1) states that these sections within IEEE 384-1992 should be supplemented with a condition that breakers, or fuses that are automatically opened by fault current may be used as an isolation device provided that a) the fault current will cause the nearest circuit breaker or fuse to interrupt the fault current prior to initiation of a trip of any upstream protection device, and b) periodic testing of circuit breakers (periodic visual inspections of fuses and fuse holders) during every refueling must demonstrate that the overall coordination scheme under multiple faults of non-safety related loads remains within the limits specified in the design criteria for the nuclear plant.
The NRC staff recognizes that the ANF facility does not make use of the term Class 1E but anticipates that the applicant plans to equate this term with that used for the corresponding treatment of systems and components having the appropriate quality level designation for IROFS. Additionally, the applicant will complete the detailed design of the ANF by considering the qualified isolation device to form a part of the IROFS boundary, and the isolation device will be treated in the same manner as other QA Level 1 and QA Level 2 devices forming a part of the IROFS boundary. In addition, the NRC staff notes that sub-clause (a), in the RG 1.75, Revision [NUMBER], Regulatory Position C (1), assumes that the isolation device is used to protect an upstream Class 1E circuit from faults occurring in a downstream non-Class 1E circuit.
Since the applicant has proposed to apply this regulatory guidance in its design for isolating a downstream IROFS circuit or component from a non-IROFS upstream power supply, the considerations of this sub-clause should be adequately evaluated for applicability by the applicant. The NRC staff notes that the capability of the isolation devices selected by the applicant should be confirmed by testing to ensure that they are capable of not degrading the performance of the IROFS in a manner that invalidates the assumptions and analyses that the IROFS will either perform its required safety action or fail in a manner that ensures the required safety action will be achieved. That is, with the isolation device installed, faulted or degraded voltage conditions occurring within the upstream non-IROFS power supply should not prevent or degrade the ability of the IROFS to change state and fail into a mode or manner that assures the required safety performance objective will be achieved. In addition, the applicant stated that if circuit breakers are required to provide isolation, these breakers will be part of the IROFS boundary and would be specified and procured per ANF Quality Assurance Program Description (QAPD) requirements. Breaker setpoints would be determined per approved methodology to ensure proper operation. IROFS breakers would also undergo periodic surveillance testing to ensure setpoint tolerances are maintained.
Finally, since the applicant plans to treat the isolation devices as part of IROFS, the frequency of surveillance of these qualified isolation devices will be consistent with that for the other features of IROFS that must be inspected and/or tested as part of the applicable management measures appropriate to the level of risk reduction relied on for that IROFS. The periodic surveillance requirements, preventative maintenance program, corrective maintenance program, functional test program, and configuration management programs applied as part of the required maintenance measures for IROFS will include these isolation devices as part of the IROFS boundary to assure the availability and operability of IROFS.
With the above described considerations for assuring adequate independence and isolation between IROFS and non-IROFS systems, circuits, equipment and components addressed, the NRC staff finds that the applicant's proposed electrical system design (that does not require the continued operation of essential utility services) adequately addresses the intent of this baseline design criterion with regard to the assurance of continued availability and reliability of IROFS to meet the safety performance objectives for the ANF facility.
E.3.1.1.2 BDC on Environmental Conditions and Dynamic Effects
Section [NUMBER] of the applicant's ISA Summary describes the applicant's proposed electrical system design. The applicant proposes to design the electrical system with high quality commercial grade equipment arranged to comply with IEEE C2-2007, the National Electrical Safety Code (NESC) (IEEE, 2007b); National Fire Protection Association (NFPA) 70-2008, the NEC (NFPA, 2008); and NFPA 70E-2009, the Standard for Electrical Safety in the Workplace (NFPA, 2004). Although the electrical system will be designed with a high degree of redundancy (see Appendix E, Section 3.1 above) and defense-in-depth (see Appendix E, Section 3.1.1.1.4 below), the applicant states that the ANF will be designed such that the total failure of all electrical power will not have an adverse effect on the ability of the facility to meet its required safety performance objectives. Under normal conditions for operation, electrical power will be supplied to facility IROFS that will be designed to provide for adequate protection from environmental conditions and dynamic effects associated with normal operations, maintenance, testing, and postulated accidents that could lead to loss of safety functions.
Section [NUMBER] of the applicant's ISA Summary (ANF, [YEAR]) states that such IROFS will be qualified to perform their required safety functions under normal and accident conditions, e.g., pressure, temperature, humidity, seismic motion, chemical exposure, electromagnetic interference, and radio-frequency interference, as required by the ISA. In addition, the ISA Summary (ANF, [YEAR]) states that IROFS are designed to fail safe when a loss of power occurs. Therefore, the electrical power system for the facility does not have to be specifically designed to meet the extremes of environmental conditions and dynamic effects of testing and maintenance. Nevertheless, the main components of the electrical power system, including the switchgear and electrical distribution equipment that delivers normal electrical power to the facility IROFS, will be housed and protected within ANF structures designed to meet the International Code Council (ICC) International Building Code (IBC) (ICC, 2006) requirements, as discussed and evaluated in Appendix F of this SER, and the hazards evaluated for the ANF include potential adverse effects of weather (high winds, tornadoes, rain, snow, hail, etc.) and fire and flooding conditions. (Refer to Appendix A of this SER for additional information.)
Section [NUMBER] of the ISA Summary (ANF, [YEAR]) states that all component IROFS (many of which will be normally powered by the electrical system) will be designed and implemented using criteria that ensure protection against dynamic effects, such as missiles and discharging fluids that may result from natural phenomena, accidents at nearby industrial, military, or transportation facilities, equipment failure, and other similar events and conditions both inside and outside the facility. In addition, they will be designed and located so that they can continue to perform their safety functions effectively under credible fire and explosion conditions.
With the above-described considerations for assuring adequate design of IROFS to be qualified to perform their required safety functions under normal and accident conditions, in the presence of adverse environmental and dynamic effects, the NRC staff finds that the applicant's proposed electrical system design (that does not require the continued operation of essential utility services) adequately addresses the intent of this baseline design criterion with regard to the assurance of continued availability and reliability of IROFS to meet the safety performance objectives for the ANF facility.
E.3.1.1.3 BDC to Provide for the Capability of IROFS to be Inspected, Tested, and Maintained
The intent of this criterion is to assure that adequate inspection, testing, and maintenance of systems, equipment, and components that are relied upon to perform required safety actions in the context of enabling the facility to meet its required performance objectives are conducted to ensure that IROFS are available and reliable to meet their required safety functions. Section [NUMBER] of the applicant's ISA Summary describes the applicant's proposed electrical system design. The applicant proposes to design the electrical system with high quality commercial grade equipment arranged to comply with IEEE C2-2007, the NESC (IEEE, 2007b); NFPA 70-2008, the NEC (NFPA, 2008); and NFPA 70E-2009, the Standard for Electrical Safety in the Workplace (NFPA, 2004). Aspects of these industry codes and standards address the need for designing the electrical power system with the capabilities for periodic inspection, testing, and maintenance, and the need to conduct such periodic surveillance.
However, the applicant has proposed to design the electrical power system such that it is not relied upon to enable the facility to achieve its required safety performance objectives. Instead, the IROFS will be designed to maintain their safety functions or to fail in a manner that assures that their required safety functions will be achieved in the event of a total loss of electrical power (or other utilities). In order to assure that there will be no adverse effects on the IROFS due to a failure or degraded condition occurring within the electrical power system, appropriate isolation devices will be utilized to maintain independence between IROFS equipment, circuits, and systems, and non-IROFS equipment, circuits, and systems (ANF, [YEAR]). The applicant has stated that these isolation devices will be a part of the IROFS boundary, and that IROFS will be inspected, tested, and maintained in accordance with the appropriate management measures for those IROFS (ANF, [YEAR]).
With the above-described considerations for assuring that such isolation devices will be a part of the IROFS boundary and will be inspected, tested, and maintained in accordance with the appropriate management measures for those IROFS, the NRC staff finds that the applicant's proposed electrical system design (that does not require the continued operation of essential utility services) adequately addresses the intent of this baseline design criterion with regard to the assurance of continued availability and reliability of IROFS to meet the safety performance objectives for the ANF facility.
E.3.1.1.4 Defense-in-Depth Design Practices
The applicant's proposed design of the electrical system for the ANF makes use of defense-in-depth practices. Although the IROFS will be designed to maintain their safety functions or to fail into a state that accomplishes the required safety action in the event of a loss of power, under normal conditions IROFS are provided with a highly reliable source of electrical power. Event sequences with high or intermediate consequences are provided with independent IROFS to provide a high level of risk reduction capability for the event sequence. For these event sequences, if one of the IROFS does not function appropriately to apply a required safety action, the independent IROFS is still available to perform its required action to prevent or mitigate the risk posed by the event sequence. For equipment needed for investment protection that cannot tolerate a momentary interruption of power, the normal source of electrical power is provided through a UPS. In the event of a loss of normal AC power to the UPS, the applicant has stated that batteries will provide the motive energy needed to bring the facility to a condition consistent with the investment protection needs. In the event of a failure of the UPS, the equipment needed for investment protection will be powered by the normal AC power supply if it is still available. For equipment needed for investment protection which can tolerate a momentary interruption of electrical power, a source of standby electrical power is available. Those loads are fed from buses that may be powered by a standby diesel generator system.
Upon detection of a loss of electrical power to the bus feeding such equipment, the diesel generator will automatically start and supply power to the connected short break loads. The status of IROFS needed to prevent or mitigate event sequences will be monitored through the PCS. The PCS will be powered by the vital no-break electrical system that utilizes UPSs to deliver required electrical power to reliably provide ANF operators with information regarding the status of IROFS.
The NRC staff has found that these proposed design features provide adequate evidence that the applicant will apply defense-in-depth design features when completing the design of the ANF facility. Further, in applying the use of multiple active engineered IROFS to prevent or mitigate high and intermediate consequence event sequences, whose failure into a safe state upon a loss of electrical power results in the accomplishment of required safety functions, the requirements of 10 CFR 70.64(b) will be met.
E.3.1.2 Applicable Industry Codes and Standards for the Normal Electrical Power Supply Systems
The applicant's ISA Summary (ANF, [YEAR]) and SAR (ANF, [YEAR]) state that the applicant proposes to apply the following industry codes and standards to the completion of the design of the ANF:
To assure independence between IROFS and non-IROFS equipment:
RG 1.75, Criteria for Independence of Electrical Safety Systems, Revision, (USNRC, 2005).
IEEE Standard 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, (IEEE, 1992).
For general design, life safety, and electrical workplace safety requirements:
NFPA 70-2008, NEC, (NFPA, 2008).
IEEE C2-2007, NESC, (IEEE, 2007b).
NFPA 70E, Standard for Electrical Safety Requirements for Employee Workplaces, (NFPA, 2004).
NFPA-101, Life Safety Code, (NFPA, 2006).
For design of protective relaying of the bus distribution system:
IEEE C37.90, IEEE Standard for Relays and Relay Systems Associated with Electric Power Apparatus, (IEEE, 1989).
IEEE C37.90.1, IEEE Standard for Surge Withstand Capability (SWC) Tests for Relays and Relay Systems Associated with Electric Power Apparatus, (IEEE, 2002).
For electrical equipment grounding requirements:
IEEE 80-2000, Guide for Safety in AC Substation Grounding (IEEE, 2000).
IEEE 81-1983, Guide for Measuring Earth Resistivity, Ground Impedance, and Earth Surface Potential of a Ground System (IEEE, 1983a).
IEEE 142-2007, Grounding of Industrial and Commercial Power Systems (IEEE, 2007a).
For the design of direct current (DC) power distribution systems:
IEEE 946, IEEE Recommended Practice for the Design of DC Auxiliary Power Systems for Generating Stations, (IEEE, 2004a).
IEEE 519, IEEE Recommended Practice and Requirements for Harmonic Control in Electrical Power Systems, (IEEE, 1992b).
ICC International Fire Code, (ICC, 2008).
For sizing and installation of battery systems supporting DC power distribution:
IEEE 485, IEEE Recommended Practice for Sizing Lead-Acid Batteries for Stationary Applications (IEEE, 1997)
IEEE 484, IEEE Recommended Practice for Installation, Design and Testing of Vented Lead-Acid Batteries for Stationary Applications, (IEEE, 2002b)
For maintenance of battery systems:
IEEE 450, IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries for Stationary Applications, (IEEE, 2002c)
E.3.1.3 Findings for the Proposed Design of the Normal Electrical System
The staff has determined, based on the above evaluation of the information presented by the applicant in the SAR and ISA Summary, as supplemented by responses to the NRC staff's RAI, including the commitments to the specific industry codes and standards listed above, and provided that the applicant accomplishes the commitments discussed above during the design of the ANF facility electrical system, the proposed alternative approach design of the electrical systems will meet the intent of the requirements of 10 CFR 70.64(a) and 10 CFR 70.64(b).
The staff also concludes that the information contained in the documents referenced in the above summary represents an acceptable alternative approach to Section 3.4.3.2(4)(d) and 3.4.3.2(6) of NUREG-1520, Revision X (NRC, [YEAR]).
The NRC staff has reviewed the ISA Summary and other information pertinent to the design of the electrical systems for the ANF and finds that the alternative approach proposed by the applicant will provide reasonable assurance that the applicant's identified IROFS and engineered and administrative controls required to ensure compliance with the performance requirements of 10 CFR 70.61 will accomplish their required safety actions when needed.
Specifically, the NRC staff finds that the ISA results, as documented in the ISA Summary, provide reasonable assurance that the IROFS, the management measures, and the applicant's programmatic commitments will, if properly implemented, make all credible intermediate consequence accidents unlikely, and all credible high consequence accidents highly unlikely.
E.3.2 I&C
Section [NUMBER] and Table [NUMBER] of the ISA Summary (ANF, [YEAR]) provide a summary description at a functional level of the applicant's proposed design and characteristics of IROFS that will be further designed and applied at the ANF to mitigate or prevent the event sequences summarized and described in Section [NUMBER] of the ISA Summary. These event sequences are those which result from the process and environmental hazards associated with the systems described in Section [NUMBER] through [NUMBER] of the ISA Summary. Within the ISA Summary Section [NUMBER] description of the proposed IROFS are I&C that are proposed to be used as active engineered IROFS and enhanced administrative IROFS. The proposed characteristics and design criteria associated with these proposed IROFS are evaluated in the sections that follow.
E.3.2.1 ANF Process Control System (non-IROFS)
Section [NUMBER] of the ISA Summary provides a functional description of the proposed ANF PCS. The PCS will be designed to consist of the ANF [NAME] Control System ([CONTROL SYSTEM ACRONYM-1]) and [NAME] Control System ([CONTROL SYSTEM ACRONYM-2]), associated interfaces to process [VARIOUS] equipment and [VARIOUS] systems. The primary functions of the PCS will be to provide for [TYPES OF PROTECTION]; enable operators to supervise [TO CONTROL, MONITOR, AND PROTECT VARIOUS SYSTEMS]. The PCS will provide for remote [ACTIONS]. The PCS will also be designed to advise facility operators regarding [VARIOUS CONDITIONS]. However, the PCS will not be required to accomplish any safety functions in the context of the 10 CFR 70.61 facility performance objectives, nor will it be relied upon to play a role in the direct protection of the public or the environment. The PCS is not considered to be a facility IROFS.
As described in Section [NUMBER] of this SER pertaining to the ANF electrical systems above, the PCS will be one of the key loads for the vital/no-break electrical distribution system that relies on UPSs for motive power. The applicant states that the PCS will be powered through [NUMBER] UPSs, each with a [TIME] capacity, which is sufficient capacity to allow the system to keep functioning to protect facility assets and place the facility in a safe state until power can be restored.
The applicant states that the PCS will be designed such that the top level of hierarchy will be a [CONTROL SYSTEM ACRONYM-1]. The [CONTROL SYSTEM ACRONYM-1] is a supervisory control and data acquisition system with redundant networks, servers, operator workstations, and process overview screens. The supervisory capability of the [CONTROL SYSTEM ACRONYM-1] will allow facility operators to monitor and control plant processes and auxiliaries, allow operators and maintenance personnel to obtain information about the status of plant equipment, allow remote control of certain process operations, alert operators regarding potential adverse conditions associated with the process so that action can be taken to prevent interruption of the process, and provide facility personnel with historical process and equipment data that would enable them to ascertain the effectiveness of facility operations.
In addition to the [CONTROL SYSTEM ACRONYM-1], a major component of the PCS will be the set of [CONTROL SYSTEM ACRONYM-2]. The [CONTROL SYSTEM ACRONYM-2] will be located close to the process equipment distributed throughout the ANF. The [CONTROL SYSTEM ACRONYM-2]s will consist of process instrumentation and local control centers (LCCs). In addition, local operator interface stations will allow local operators to control equipment locally via the LCCs. The applicant states in Section [NUMBER] of the ISA Summary that the LCSs will be designed such that complete local control of a process would be possible without intervention from the [CONTROL SYSTEM ACRONYM] and will generally consist of the capability to control all the functions of a particular process unit.
Locally-mounted process instrumentation and controls will communicate with the LCCs via local area network connections or hard-wired connections. The LCCs will be designed such that locally-mounted PLCs and hardwired instruments perform the required process control and system protection functions and support local operator interface functions. The PLCs will be designed with proprietary software that provides advanced control system functionality and facilities for software documentation and fault analysis. The LCCs and LCSs will be designed such that all data from the LCCs will be available to the [CONTROL SYSTEM ACRONYM-1] equipment described above via redundant data networks. Where the local process is sufficiently complex, the local operator interface screens will provide local operators with process visualization, a display of equipment status and operating data, and allow the ability to transfer control from local control to remote control. Local controllers for regulating valves will be located within the LCSs as well.
Although the PCS provides the primary control for process areas, certain processes will require highly specialized LCSs that will be interfaced with and integrated into the PCS. These include the [LIST OF SYSTEMS]. In addition to the process equipment, the PCS will be designed with interfaces to enable the monitoring of the status of (but not control of) several plant auxiliary systems, such as the [LIST OF SYSTEMS]. Also, the PCS will be designed to provide supervisory control and status monitoring of several non-separation/enrichment functions, such as for [LIST OF SYSTEMS].
Section [NUMBER] of the ISA Summary (ANF, [YEAR]) also states that there will be several facility process systems that will be stand-alone, self-contained, and self-supporting. These include the solid feed and purification stations, the automated batch process control and protection system, and the product and main process take-off systems (ANF, [YEAR]).
These self-contained, self-supporting control systems will provide for complete control and protection functions, fault analysis, and operator interface functions (ANF, [YEAR]). The asset and investment protection functions provided by these stand-alone process systems will be designed to be simple, local, and direct, and be completely isolated and independent of the supervisory protection functions provided by the capabilities of the PCS (ANF, [YEAR]).
E.3.2.2 I&C IROFS
Within the context of the 10 CFR 70.61 facility safety performance objectives, all safety functions for the ANF will be accomplished by facility IROFS. Section [NUMBER] of the ISA Summary describes, at a high level, the proposed functional requirements and design characteristics for these IROFS. A number of these IROFS will consist of local, hard-wired control systems that integrate several instruments and/or controls to serve as active engineered safeguard functions, or active engineered controls. IROFS that reduce the likelihood of occurrence of an accident scenario are referred to as preventative IROFS, whereas the IROFS that reduce the consequences of accident scenarios are referred to as mitigative IROFS. The NRC staff has reviewed the list of IROFS in Table [NUMBER] of the ISA Summary in the context of the accident event sequences described in Section [NUMBER] of the ISA Summary. In addition, the NRC staff has performed a vertical slice review at the applicant's offices in [LOCATION], of a representative sample of the ANF facility design documents which describe the intended operations of key ANF processes, identified likely hazards associated with those processes, the likelihood and potential consequences of accident event sequences associated with those hazards, and the proposed application of IROFS to mitigate or prevent those accident sequences. This review was conducted so that the NRC staff could gain an understanding of how the applicant intends to apply such IROFS, and how the intended functions of these IROFS will be capable of mitigating or preventing the event sequences identified. In addition, the NRC staff performed this review to ascertain how the applicant intends to design, implement, and maintain IROFS so that they are available and reliable when needed. The NRC staff notes that none of the IROFS identified by the applicant has yet been designed or procured; therefore, the applicant's description of the proposed IROFS using high-level functional design and operating requirements, in conjunction with proposed design criteria to be used when completing the design of these IROFS, together with a description of proposed management measures and QA procedures, forms the basis for the NRC staff's evaluations described below.
A smaller set of such instrumentation serving as IROFS will be devices that provide key process data in the form of indications and alarms to facility operators that enable them to take procedural preplanned normal operating functions or preventative safety actions in response to the readings provided by the instruments to prevent the occurrence of the identified accident sequences. These are referred to as enhanced administrative controls (EACs) IROFS.
Depending on the degree of risk reduction attributed to the design of each IROFS, one of two different sets of management measures and quality levels will be applied to the final design, implementation, and maintenance of IROFS to ensure that they are reliable and available when called upon to perform their required protective safety functions. These management measures are described in detail in Section [NUMBER] of the ISA Summary.
The quality levels (QA Level 1 and QA Level 2) are described in Section [NUMBER] of the ANF QAPD. In addition, these IROFS will be designed using applicable industry codes and standards appropriate for such functions.
According to Section [NUMBER] of the ISA Summary (ANF, [YEAR]), the components used within the IROFS boundaries will be of proven technology for their intended application and will be qualified to perform their required safety functions under normal and accident conditions and will address such qualification factors as process and ambient pressure, temperature, humidity, seismic motion, chemical exposure, electromagnetic interference, and radio-frequency interference. An evaluation of the qualification plans for such IROFS devices was performed by the NRC staff and is presented below.
Appendix [LETTER] of the ANF ISA Summary (ANF, [YEAR]) provides a description of the applicant's proposed guidelines for developing boundary definitions for IROFS and describes the proposed attributes that will be required of IROFS performing the various categories of required safety actions. The applicant has assigned three categories, or bins, to identify the particular design, implementation, and maintenance qualification requirements for I&C-related IROFS. These categories are Bin 1, the group of IROFS that will perform active engineered control functions where no operator interaction will be required to satisfy the intended safety action of the IROFS; Bin 2, where the intended safety action will be performed through an operator interaction with an IROFS component using an administrative process in order to accomplish the required safety action; and Bin 3, in which the intended IROFS function will be fulfilled through operator monitoring of a specific parameter (usually through an IROFS instrument) to ensure the parameter is within specified limits (ANF, [YEAR]).
The various attributes that are required to be attributable to I&C IROFS will include the following: a) separation from other redundant or diverse IROFS, b) the application of redundancy or diversity and independence from other IROFS, c) electrical separation/isolation, d) design of the IROFS to work appropriately in conjunction with its power supply so as to be fail-safe and/or highly reliable, e) validation and verification of any software used by the IROFS, f) the establishment and documentation, using a suitable methodology, of appropriate IROFS instrumentation setpoints, g) the design for IROFS to complete their protective actions, once initiated, and the requirement for manual, rather than automatic reset of the safety function, h) qualification of the IROFS for the range of environments in which they are required to operate, i) qualification of the IROFS for the range of seismic activity, if appropriate, k) qualification for the range and frequency of power supply voltages, including power surges, l) design to withstand the range and frequency of electromagnetic and radio-frequency interference, m) protection from the effects of fires, lightning, and internal flooding, and n) protection from adverse interactions with non-IROFS equipment.
The management measures identified by the applicant that are appropriate to the I&C IROFS include configuration management; a formal program of appropriate maintenance, including preventative maintenance, pre-operational and periodic functional testing and inspection; periodic calibration; and response-time testing, where appropriate.
The NRC staff has concluded that the intent of Sections 3.4.3.2 (4) and (6) of NUREG-1520 (NRC, [YEAR]), requiring a description of the assumptions and conditions under which the IROFS are intended to function to achieve their required safety actions, has been met. This determination is based on the following considerations:
- 1) a review of the proposed descriptions of the functional requirements for the design of the proposed I&C equipment for use as IROFS, as described in Section [NUMBER] of the ISA Summary;
- 2) the description of how such IROFS will be designed, implemented, and maintained to ensure the reliability and availability of the required safety actions, as described in Section [NUMBER] of the ISA Summary;
- 3) the description of the proposed QA program that will be used in conjunction with the ANF, as described in the ANF QAPD; and
- 4) the vertical slice review of a sample of engineering documents associated with key ANF processes with potential safety hazards that was conducted at the applicant's offices.
The following sections summarize the findings of the NRC staff in the area of BDC applicable to the design, implementation, and maintenance of I&C proposed by the applicant for use as IROFS at the ANF.
E.3.2.3 BDC Applicable to the I&C
E.3.2.3.1 BDC Regarding the Inclusion of I&C to Monitor and Control the Behavior of IROFS
Table [NUMBER] of the ISA Summary identifies that specific IROFS will consist of I&C to initiate protective actions that enable required preventative or mitigative safety actions to be achieved. The applicant states that these I&C will be hard-wired devices arranged to achieve redundancy and/or diversity, and independence between redundant IROFS. In Section [NUMBER] of the ISA Summary, in Section [NUMBER] of the SAR, and in responses to the NRC staff's RAI, the applicant stated that these IROFS will be designed, fabricated, erected, and tested in accordance with the QA criteria set forth in the ANF QAPD. IROFS components and systems will be designed in compliance with requirements identified in the ISA and the applicable codes and standards approved at the time of design (ANF, [YEAR]).
IROFS components and their designs will be of proven technology for their intended application, and installed in accordance with applicable ANF engineering specifications and manufacturer's recommendations (ANF, [YEAR]). The IROFS will be designed such that upon failure or upon loss of utilities, such as electrical power or instrument air supply, the IROFS will maintain their safety action or fail into a safe mode. The applicant will ensure the reliability and availability of these I&C IROFS through the use of management measures that are applied commensurate with the level of risk reduction relied upon for each IROFS.
The management measures include the implementation of applicable sections of the QAPD, the ANF configuration management program, the preventative and corrective maintenance program, the personnel training and qualification program, facility procedures, audits and assessments, incident investigation and corrective action processes, and records management.
The required testing and calibration of these I&C IROFS will be established such that they are consistent with the assumptions and conditions identified in formal setpoint calculations, as applicable. Section [NUMBER] of the SAR (ANF, [YEAR]) indicates that for hardware IROFS involving instrumentation which provides automatic prevention or mitigation functions, setpoint calculations will be performed in accordance with setpoint methodology that is consistent with the applicable guidance of RG 1.105, Revision [NUMBER], Setpoints for Safety Related Instrumentation, (NRC, [YEAR]). The applicant has committed to implement an engineering procedure which will be available for NRC staff inspection that follows the guidance of RG 1.105, Revision [NUMBER], regulatory positions to allocate margin for uncertainty in instrumentation channel accuracies and instrument drift between calibrations; allocate margin for uncertainties introduced from calibration standards, equipment, and methods; instrument reference accuracy; power supply fluctuations; normal and anticipated abnormal ambient environmental effects including radiation and chemical exposure; analog-to-digital conversion and digital signal processing effects (if applicable); instrument performance during design basis events; process dependencies, dynamics, and installation-based effects; and allocate safety margin to account for process modeling error or process dynamic uncertainties.
At the time the NRC staff conducted its review, the applicant had not identified any IROFS that will make use of digital technology. All proposed IROFS, at the time of the NRC staff's review, were identified as hardwired, analog controls. However, in the event that in the future the applicant elects to utilize digital technology for IROFS, the applicant has committed to use a high-quality development process for the design, implementation, and maintenance of any such IROFS. Specifically, Section [SECTION] of the SAR (ANF, [YEAR]) commits to the following:
For IROFS that use software, firmware, microcode, programmable logic controllers, and/or any digital device, including hardware devices which implement data communication protocols (such as Fieldbus devices and Local Area Network controllers), etc., design will adhere to accepted best practices in software and hardware engineering, including software quality assurance controls as discussed in the QAPD throughout the development process and the applicable guidance of the following industry standards and regulatory guides:
a) American Society of Mechanical Engineers (ASME) NQA-1-1994 Edition, Quality Assurance Requirements for Nuclear Facility Applications, Part II, Subpart Part 2.7, Quality Assurance Requirements of Computer Software for Nuclear Facility Applications, as revised by the NQA-1a-1995 Addenda of ASME NQA-1-1994 Edition, Part 1, Supplement 11S-2, Supplementary Requirements for Computer Program Testing. (ASME, 1994) (ASME, 1995).
b) Electric Power Research Institute (EPRI) NP-5652, Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Grade Applications, June 1988 (EPRI, 1988).
c) EPRI Topical Report (TR) -102323, Guidelines for Electromagnetic Interference Testing in Power Plants, Revision 1, December 1996 (EPRI, 1996a).
d) EPRI TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, October 1996 (EPRI, 1996b).
e) RG 1.152, Criteria for Digital Computers in Safety Systems in Nuclear Power Plants, Revision 1, January 1996 (NRC, 1996).
f) RG 1.168, Revision 1, Verification, Validation, Reviews, and Audits for Digital Software Used in Safety Systems of Nuclear Power Plants, October, 2004 (NRC, 2004).
g) RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997 (NRC, 1997a).
h) RG 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997 (NRC, 1997b).
i) RG 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997 (NRC, 1997c).
j) RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems for Nuclear Power Plants, September 1997 (NRC, 1997d).
Since the proposed design, which was not complete at the time of this review, does not include IROFS that use software, firmware, microcode, PLCs, and/or any digital device, including hardware devices which implement data communication protocols, the staff finds this commitment satisfactory. However, should the applicant choose to implement design changes to include any of the preceding features, prior NRC approval will be necessary.
The NRC staff will impose the following license condition:
Currently, the design information concerning any IROFS that may use software, firmware, microcode, programmable logic controllers, and/or any digital device, including hardware devices which implement data communication protocols (for example, Fieldbus devices and Local Area Network controllers) is preliminary and not complete.
Should the completed design of any IROFS (including every component within an IROFS boundary) include any of the preceding features, the licensee shall obtain Commission approval prior to implementing the IROFS.
In a response to the NRC staff's RAI (ANF, [YEAR]), the applicant stated that the specific designs of the instrumentation that will be utilized as IROFS will be developed as part of the detailed design phase. The detailed design phase includes defining the methodology for achieving independence and the determination of the required fail-safe modes. However, the applicant states that the operation and status of IROFS for the ANF will be monitored by facility operators through the use of the PCS by means of a status alarm (ANF, [YEAR]).
This alarm will be provided by an isolated, hardwired signal from the associated IROFS to the PCS local PLC described above. This signal will be a one-way signal directed from the process equipment to the PCS local PLC. The design of the isolation device will conform to the requirements of RG 1.75, Revision 3 (NRC, 2005). The isolator will be considered as part of the IROFS boundary and will be designed such that no credible failure at the output of the isolation device shall prevent the associated IROFS from meeting its specified safety function.
Since there will be no features within the PCS that are considered to be IROFS or will form a part of the IROFS boundary, the design, operations, maintenance, and testing of the PCS will not have the same level of quality rigor applied as those for IROFS (i.e., it will not be treated as QA Level 1 or QA Level 2 in the QA program). Therefore, it is important to consider how IROFS that are to be connected to the PCS will be protected from the effects of potential failures or faults originating within the PCS. The applicant has committed to revising Section [NUMBER] of the ISA Summary to state that RG 1.75, Revision 3, Criteria for Independence of Electrical Safety Systems (NRC, 2005), will be applied in establishing separation criteria between IROFS and non-IROFS equipment (ANF, [YEAR]). RG 1.75, Revision 3, endorses the use of industry standard IEEE 384-1992, Standard Criteria for Independence of Class 1E Equipment and Circuits (IEEE, 1992a). Within IEEE Standard 384-1992, Clause 7.2.2 describes the use of suitable isolation devices for maintaining independence between safety and non-safety I&C circuits and between redundant safety channels of I&C systems. It states that a device is considered to be an electrical isolation device for I&C circuits if it is applied such that 1) the maximum credible voltage or current transient applied to the non-Class 1E side of the device will not degrade the operation of the Class 1E circuit on the other side of that device below an acceptable level, and 2) shorts, open circuits, or grounds occurring in the non-Class 1E side will not degrade the circuit connected to the Class 1E side below an acceptable level. The highest voltage to which the isolation device non-Class 1E side is exposed shall determine the minimum voltage level that the device shall withstand across the non-Class 1E side terminals, and between the non-Class 1E side terminals and ground. Transient voltages that appear in the non-Class 1E side must also be considered. The capability of the isolator to perform its isolation function must be demonstrated by qualification test, which considers the levels and duration of the fault current on the non-Class 1E side. It further identifies specific types of devices that may be considered as suitable isolation devices for I&C circuits, and provides specific criteria and limitations pertaining to the use of fuses as qualified isolation devices.
Within RG 1.75, Revision 3 (NRC, 2005), Regulatory Position C (1) states that the section within IEEE 384-1992 pertinent to the use of fuses as a suitable instrumentation circuit isolation device (in this instance, Clause 7.2.2) should be supplemented with a condition that fuses that are automatically opened by fault current may be used as an isolation device provided that 1) the fault current will cause the nearest circuit breaker or fuse to interrupt the fault current prior to initiation of a trip of any upstream protection device, and 2) periodic testing of circuit breakers (periodic visual inspections of fuses and fuse holders) during every refueling must demonstrate that the overall coordination scheme under multiple faults of non-safety related loads remains within the limits specified in the design criteria for the nuclear plant.
The NRC staff recognizes that the ANF facility does not make use of the term Class 1E but expects that the applicant plans to equate this term with that used for the corresponding treatment of systems and components having the appropriate quality level designation for IROFS. Additionally, the applicant will complete the detailed design of the ANF by considering the qualified isolation device to form a part of the IROFS Boundary, and the isolation device will be treated in the same manner as other QA Level 1 and QA Level 2 devices forming a part of the IROFS boundary. In addition, the NRC staff notes that sub-clause a) in the RG 1.75, Revision 3, Regulatory Position C.1, assumes that the isolation device is used to protect an upstream Class 1E circuit from faults occurring in a downstream non-Class 1E circuit. Since the applicant has proposed to apply this regulatory guidance in its design for isolating an upstream instrumentation and control IROFS circuit or component from a downstream non-IROFS PCS status monitoring circuit, the considerations of this sub-clause should be adequately evaluated for applicability by the applicant. The NRC staff notes that the capability of the isolation devices selected by the applicant should be confirmed by testing to ensure that they are capable of not degrading the performance of the IROFS in a manner that invalidates the assumptions and analyses that the IROFS will either perform its required safety action or fail in a manner that ensures the required safety action will be achieved. That is, with the isolation device installed, faulted or degraded conditions occurring within the PCS or PLC should not prevent or degrade the ability of the IROFS to change state and fail into a mode or manner that assures the required safety performance objective will be achieved.
Finally, since the applicant plans to treat these isolators as part of IROFS, the frequency of surveillance of these qualified isolation devices will be consistent with that for the other features of IROFS that must be inspected and/or tested as part of the applicable management measures appropriate to the level of risk reduction relied on for that IROFS.
The periodic surveillance requirements, preventative maintenance program, corrective maintenance program, functional test program, and configuration management programs applied as part of the required maintenance measures for IROFS will include these isolation devices as part of the IROFS boundary to assure the availability and operability of IROFS.
With the above-described considerations addressed for providing I&C IROFS to mitigate or prevent event sequences associated with identified ANF process hazards; and in designing, implementing, and maintaining IROFS to ensure the availability and reliability of the initiation of safety functions; and in providing for I&C to monitor and control the behavior of IROFS; and in assuring adequate independence and isolation between IROFS and non-IROFS systems, circuits, equipment and components, the NRC staff finds that the applicant's proposed design criteria for I&C IROFS adequately address the intent of the 10 CFR 70.64 baseline design criterion with regard to the assurance of continued availability and reliability of IROFS to meet the safety performance objectives for the ANF facility of 10 CFR 70.61.
E.3.2.3.2 BDC Regarding the Provision for Adequate Protection from Environmental Conditions and Dynamic Effects Leading to the Loss of Safety Functions
Section [NUMBER] of the applicant's ISA Summary (ANF, [YEAR]) and Section [NUMBER] of the SAR (ANF, [YEAR]) state that IROFS will be qualified to perform their required safety functions under normal and accident conditions, e.g., pressure, temperature, humidity, seismic motion, chemical exposure, electromagnetic interference, and radio-frequency interference, as required by the ISA. Further, IROFS will be housed and protected within ANF structures designed to meet the IBC (ICC, 2006) requirements, and the hazards evaluated for the ANF include potential adverse effects of weather (high winds, tornadoes, rain, snow, hail, etc.) and fire and flooding conditions. (Refer to Appendix A of this SER for additional information.) Section [NUMBER] of the ISA Summary (ANF, [YEAR]b) states that all component IROFS will be designed and implemented using criteria that ensure protection against dynamic effects, such as missiles and discharging fluids that may result from natural phenomena, accidents at nearby industrial, military, or transportation facilities, equipment failure, and other similar events and conditions both inside and outside the facility. In addition, they will be designed and located so that they can continue to perform their safety functions effectively under credible fire and explosion conditions.
Specifically, Section [NUMBER] of the SAR (ANF, [YEAR]) states that I&C IROFS components and systems will be qualified using the applicable guidance in Institute of Electrical and Electronics Engineers (IEEE) standard IEEE-323, [YEAR], "IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations" (IEEE, [YEAR]), and that IROFS components and systems will be designed, procured, installed, tested, and maintained using the applicable guidance in RG 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," Revision 1, dated October 2003 (NRC, 2003).
IEEE 323 provides guidance for the environmental and seismic qualification of equipment required to perform safety actions under abnormal environmental and seismic conditions.
With regard to the methodology for performing seismic qualification of such equipment, IEEE 323-1983 states: "The test sample shall be subjected to simulated operating basis earthquake and safe shutdown earthquake seismic vibration in accordance with ANSI/IEEE Std 344-1975." The applicant stated that IROFS that must remain available and operable under a facility design basis seismic event will be evaluated using the guidance of IEEE Standard 344-2004 (i.e., rather than IEEE 344-1975). The NRC staff notes that the 2004 version of IEEE Standard 344, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, allows such qualification to be conducted using tests, analyses, or experience-based evaluations that will yield data to demonstrate Class 1E equipment performance claims or to evaluate and verify performance of devices and assemblies as part of an overall qualification effort. The NRC staff finds this approach to be acceptable for the ANF facility.
With the above-described considerations for assuring adequate design of I&C IROFS to be qualified to perform their required safety functions under normal and accident conditions, in the presence of adverse environmental and dynamic effects, the NRC staff finds that the applicant's proposed design adequately addresses the intent of this baseline design criterion with regard to the assurance of continued availability and reliability of IROFS to meet the safety performance objectives for the ANF facility.
E.3.2.3.3 BDC Regarding the Provision for the Capability of IROFS to be Inspected, Tested, and Maintained to Ensure their Availability and Reliability
As described above, in Section [NUMBER] of the ISA Summary (ANF, [YEAR]), the applicant has committed to establish a program to ensure the reliability and availability of I&C IROFS.
The management measures proposed for I&C IROFS include the implementation of a surveillance and monitoring program for QA Level 1 and QA Level 2 IROFS as defined in the ANF QAPD, and applicable sections of the preventative and corrective maintenance program, and the ANF corrective action program. Functional testing will be conducted for IROFS as part of the pre-operational testing program, and as part of the continual facility operational testing program. The frequency of required testing and calibration of these I&C IROFS will be established such that they are consistent with the assumptions and conditions identified in formal setpoint calculations, as applicable, and with the manufacturer's recommendations for such periodic calibration. In a response to an NRC staff RAI (ANF, [YEAR]), the applicant stated that a detailed measurement and test equipment program for the ANF has not yet been developed. However, Section [NUMBER] [TITLE] of the ANF QAPD (ANF, [YEAR]) states that measurement and test equipment will be properly handled and stored to maintain accuracy in accordance with the manufacturer's recommendations in a manner that ensures its integrity, accuracy, and precision.
With the above-described considerations for assuring adequate inspection, testing, and maintenance of I&C IROFS, the NRC staff finds that the applicant's proposed design adequately addresses the intent of this baseline design criterion with regard to the assurance of continued availability and reliability of IROFS to meet the safety performance objectives for the ANF facility.
E.3.2.3.4 BDC Regarding the Use of Defense-in-Depth Design Practice and a Preference for Engineered Controls over Administrative Controls
As described above in Section [NUMBER] of this SER, the applicant has proposed to provide a PCS which serves as the normal control system for maintaining facility processes within their desired operating parameters. The supervisory capability of the [CONTROL SYSTEM ACRONYM-1], which is a part of the PCS, will allow facility operators to monitor and control plant processes and auxiliaries, allow operators and maintenance personnel to obtain information about the status of plant equipment, allow remote control of certain process operations, and alert operators regarding potential adverse conditions associated with the process so that timely action can be taken to maintain it within desired parameters, and prevent interruption of the process (ANF, [YEAR]).
Section [NUMBER] of the ISA Summary describes the facility processes associated with the specific unit functions within the ANF. Section [NUMBER] of the ISA Summary (ANF, [YEAR]) identifies the accident sequences associated with the identified ANF hazards and the list of IROFS that will be applied to prevent the occurrence of or to mitigate the consequences of those accident sequences. The NRC staff performed a review and evaluation of the proposed I&C IROFS to gain an understanding as to how the applicant intends to meet the facility safety performance objectives of 10 CFR 70.61.
Table [NUMBER] of the ISA Summary provides a description, at a functional level, of the IROFS that will be relied upon to accomplish the required safety actions needed to ensure that the facility safety performance objectives of 10 CFR 70.61 will be met in the event, for example, that the PCS does not enable the facility operators to take timely actions to maintain the processes within desired parameters. Although the specific set of equipment and components that will be used to perform the required safety functions have not yet been designed or procured, the NRC staff reviewed and evaluated the functional descriptions of the IROFS in this list and the applicant's proposed design criteria and management measures that will be applied when completing the design and developing the specific management measures that will be applied to these IROFS to ensure that they will be available and reliable when needed to perform their required safety functions. During this evaluation process, the NRC staff found that the applicant has proposed, for high- and intermediate-risk event sequences, a set of multiple redundant and/or diverse, independent, hard-wired I&C components, devices, or redundant systems of components functioning together to accomplish the required safety actions. The NRC staff evaluation of the description of the IROFS on this list determined that the applicant has proposed to make use of automatic engineered controls for preventative and mitigative risk reduction functions, so as to enable the facility to meet its safety performance objectives, while implementing only a few solely administrative or enhanced administrative controls.
The NRC staff has found that these proposed design features provide adequate evidence that the applicant intends to apply defense-in-depth design features when completing the design of the ANF facility. Further, in applying the use of multiple active engineered IROFS to prevent or mitigate high and intermediate consequence IROFS, whose failure into a safe state upon a loss of electrical power results in the accomplishment of required safety functions, the applicant has demonstrated its intent to meet the requirements of 10 CFR 70.64(b).
E.3.2.4 Applicable Industry Codes and Standards for the I&C
The applicant's ISA Summary (ANF, [YEAR]) and SAR (ANF, [YEAR]) state that the applicant has proposed to apply the following industry codes and standards to the completion of the design of the ANF:
To assure independence between I&C-related IROFS and non-IROFS equipment:
RG 1.75, Criteria for IESS, Revision 3, (NRC, 2005).
IEEE Standard 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits (IEEE, 1992).
For the qualification of I&C to perform required functions under normal and accident conditions, e.g., pressure, temperature, humidity, seismic motion, chemical exposure, electromagnetic interference, and radio-frequency interference, as required by the ISA:
IEEE-323, 1983, "IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations" (IEEE, 1983b).
IEEE Standard 344-2004, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations (IEEE, 2004b).
RG 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," Revision 1, dated October 2003 (NRC, 2003).
For the establishment of instrumentation settings such that allowances for instrument channel uncertainties are accounted for:
RG 1.105, Revision 3, Setpoints for Safety Related Instrumentation, (NRC, 1999).
For the development of IROFS that use software, firmware, microcode, programmable logic controllers, and/or any digital device, including hardware devices which implement data communication protocols:
ASME NQA-1a-1995, Addenda to ASME NQA-1-1994 Edition, Quality Assurance Requirements for Nuclear Facility Applications, Subpart Part 2.7, Quality Assurance Requirements of Computer Software for Nuclear Facility Applications, January 1, 1995 (ASME, 1995).
ASME NQA-1-1994 Edition, Quality Assurance Requirements for Nuclear Facility Applications, Part II, Supplement 11S-2, Supplementary Requirements for Computer Program Testing, July 29, 1994. (ASME, 1994).
EPRI NP-5652, Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Grade Applications, June 1988 (EPRI, 1988).
EPRI TR-102323, Guidelines for Electromagnetic Interference Testing in Power Plants, Revision 1, December 1996 (EPRI, 1996a).
EPRI TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, October 1996 (EPRI, 1996b).
RG 1.152, Criteria for Digital Computers in Safety Systems in Nuclear Power Plants, Revision 1, January 1996 (NRC, 1996).
RG 1.168, Revision 1, Verification, Validation, Reviews, and Audits for Digital Software Used in Safety Systems of Nuclear Power Plants, October, 2004 (NRC, 2004).
RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997 (NRC, 1997a).
RG 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997 (NRC, 1997b).
RG 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, September 1997 (NRC, 1997c).
RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems for Nuclear Power Plants, September 1997 (NRC, 1997d).
E.3.2.5 Findings for the Proposed Design of the I&C Design
The staff has determined, based on the above evaluation of the information presented by the applicant in the SAR and ISA Summary, as supplemented by responses to the NRC staff's RAI, including the commitments to the specific industry codes and standards listed above, that the proposed alternative approach design will meet the intent of the requirements of 10 CFR 70.64(a) and 10 CFR 70.64(b).
The staff also concludes that the information contained in the documents referenced in the above summary represents an acceptable alternative approach to Section 3.4.3.2(4)(d) and 3.4.3.2(6) of NUREG-1520 (NRC, [YEAR]).
The NRC staff has reviewed the ISA Summary and other information pertinent to the design of the I&C IROFS, and finds that the applicant has provided reasonable assurance that the identified I&C IROFS will accomplish their required safety actions when needed to enable facility compliance with the performance requirements of 10 CFR 70.61. Specifically, the NRC staff finds that the ISA results, as documented in the ISA Summary, provide reasonable assurance that the IROFS, the management measures, and the applicant's programmatic commitments will, if properly implemented, make all credible intermediate consequence accidents unlikely, and all credible high consequence accidents highly unlikely.
E.4 EVALUATION FINDINGS
The NRC staff concludes that the applicant's design criteria commitments, QA requirements, and management measures, regarding the proposed elements of the electrical utility and I&C IROFS design portion of the applicant's safety program, will be adequate to provide reasonable assurance that these IROFS will be available and reliable to perform their intended safety function(s) when needed and in the context of the performance requirements of 10 CFR 70.61.
Should the applicant choose to implement design changes to IROFS that use software, firmware, microcode, PLCs, and/or any digital device, including hardware devices which implement data communication protocols, prior NRC approval will be necessary. The NRC staff will impose the following license condition:
Currently, the design information concerning any IROFS that may use software, firmware, microcode, programmable logic controllers, and/or any digital device, including hardware devices which implement data communication protocols (for example, Fieldbus devices and Local Area Network controllers) is preliminary and not complete.
Should the completed design of any IROFS (including every component within an IROFS boundary) include any of the preceding features, the licensee shall obtain Commission approval prior to implementing the IROFS.
The NRC staff finds that the applicant has performed an ISA to identify and evaluate those hazards and potential accidents as required by the regulations. The NRC staff has reviewed the ISA Summary and other information as it pertains to the electrical power system and I&C used as IROFS, and finds that it provides reasonable assurance that the applicant has identified appropriate IROFS and established engineered and administrative controls to ensure compliance with the performance requirements of 10 CFR 70.61. Specifically, the NRC staff finds that the ISA results, as documented in the ISA Summary, provide reasonable assurance that the I&C IROFS, the associated management measures, and the applicant's programmatic commitments will, if properly implemented, make the credible intermediate consequence accidents unlikely, and the credible high consequence accidents highly unlikely.
REFERENCES
(ANF, [YEAR]) Acme Nuclear Facility, Response to Requests for Additional Information - Generic Nuclear Services LLC License Application for the ACME Nuclear Facility, dated September 28, [YEAR].
(ANF, [YEAR]) Acme Nuclear Facility, ACME Nuclear Facility Safety Analysis Report, Revision 2, [YEAR].
(ANF, [YEAR]) Acme Nuclear Facility, Integrated Safety Analysis Summary for the ACME Nuclear Facility, Revision 2, [YEAR].
(ANF, [YEAR]) U.S. NRC, Supplemental Responses to U.S. NRC Requests for Additional Information and Marked Pages for Future Revisions to the ANF SAR and ISA Summary, dated [DATE].
(ANF, [YEAR]) Acme Nuclear Facility, Quality Assurance Program Description for Design, Construction, Operation, and Decommissioning of the ACME Nuclear Facility, Revision [NUMBER], [YEAR].
(ASME, 1995) American Society of Mechanical Engineers, NQA-1a-1995, Addenda to ASME NQA-1-1994 Edition, Quality Assurance Requirements for Nuclear Facility Applications, Subpart Part 2.7, Quality Assurance Requirements of Computer Software for Nuclear Facility Applications, 1995.
(ASME, 1994) American Society of Mechanical Engineers, ASME NQA-1-1994 Edition, Quality Assurance Requirements for Nuclear Facility Applications, Part II, Supplement 11S-2, Supplementary Requirements for Computer Program Testing, 1994.
(EPRI, 1996a) Electric Power and Research Institute, EPRI Topical Report TR-102323, Guidelines for Electromagnetic Interference Testing in Power Plants, Revision 1, 1996.
(EPRI, 1988) Electric Power and Research Institute, NP-5652, Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Grade Applications, 1988.
(EPRI, 1996b) Electric Power and Research Institute, EPRI Topical Report TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, 1996.
(ICC, 2008) International Code Council, ICC International Fire Code, 2008.
(ICC, 2006) International Code Council, ICC International Building Code, 2006.
(IEEE, 2007a) Institute of Electrical and Electronics Engineers, IEEE 142-2007, Grounding of Industrial and Commercial Power Systems, 2007.
(IEEE, 2007b) Institute of Electrical and Electronics Engineers, IEEE C2-2007, National Electrical Safety Code, 2007.
(IEEE, 2004a) Institute of Electrical and Electronics Engineers, IEEE 946, IEEE Recommended Practice for the Design of DC Auxiliary Power Systems for Generating Stations, 2004.
(IEEE, 2004b) Institute of Electrical and Electronics Engineers, IEEE Standard 344-2004, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, 2004.
(IEEE, 2002a) Institute of Electrical and Electronics Engineers, IEEE C37.90.1, IEEE Standard for Surge Withstand Capability (SWC) Tests for Relays and Relay Systems Associated with Electric Power Apparatus, 2002.
(IEEE, 2002b) Institute of Electrical and Electronics Engineers, IEEE-484, IEEE Recommended Practice for Installation, Design and Testing of Vented Lead-Acid Batteries for Stationary Applications, 2002.
(IEEE, 2002c) Institute of Electrical and Electronics Engineers, IEEE-450, IEEE Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries for Stationary Applications, 2002.
(IEEE, 2000) Institute of Electrical and Electronics Engineers, IEEE 80-2000, Guide for Safety in AC Substation Grounding, 2000.
(IEEE, 1997) Institute of Electrical and Electronics Engineers, IEEE-485, IEEE Recommended Practice for Sizing Lead-Acid Batteries for Stationary Applications, 1997.
(IEEE, 1992a) Institute of Electrical and Electronics Engineers, IEEE Standard 384-1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits, 1992.
(IEEE, 1992b) Institute of Electrical and Electronics Engineers, IEEE 519, IEEE Recommended Practice and Requirements for Harmonic Control in Electrical Power Systems, 1992.
(IEEE, 1989) Institute of Electrical and Electronics Engineers, IEEE C37.90, IEEE Standard for Relays and Relay Systems Associated with Electric Power Apparatus, 1989.
(IEEE, 1983a) Institute of Electrical and Electronics Engineers, IEEE 81-1983, Guide for Measuring Earth Resistivity, Ground Impedance, and Earth Surface Potential of a Ground System, 1983.
(IEEE, 1983b) Institute of Electrical and Electronics Engineers, IEEE-323-1983, "IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations," Approved July 19, 1984.
(NFPA, 2008) National Fire Protection Association, NFPA 70-2008, National Electrical Code, 2008.
(NFPA, 2006) National Fire Protection Association, NFPA-101, Life Safety Code, 2006.
(NFPA, 2004) National Fire Protection Association, NFPA 70E, Standard for Electrical Safety Requirements for Employee Workplaces, 2004.
(NRC, 2005) U.S. Nuclear Regulatory Commission, RG 1.75, Criteria for Independence of Electrical Safety Systems, Revision 3, 2005.
(NRC, 2004) U.S. Nuclear Regulatory Commission, RG 1.168, Revision 1, Verification, Validation, Reviews, and Audits for Digital Software Used in Safety Systems of Nuclear Power Plants, 2004.
(NRC, 2003) U.S. Nuclear Regulatory Commission, RG 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," Revision 1, 2003.
(NRC, 2002) U.S. Nuclear Regulatory Commission, NUREG-1520, Standard Review Plan for the Review of a License Application for a Fuel Cycle Facility, March, 2002.
(NRC, 1999) U.S. Nuclear Regulatory Commission, RG 1.105, Revision 3, Setpoints for Safety Related Instrumentation, 1999.
(NRC, 1997a) U.S. Nuclear Regulatory Commission, RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997.
(NRC, 1997b) U.S. Nuclear Regulatory Commission, RG 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997.
(NRC, 1997c) U.S. Nuclear Regulatory Commission, RG 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997.
(NRC, 1997d) U.S. Nuclear Regulatory Commission, RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems for Nuclear Power Plants, 1997.
(NRC, 1996) U.S. Nuclear Regulatory Commission, RG 1.152, Criteria for Digital Computers in Safety Systems in Nuclear Power Plants, Revision 1, January 1996.