RS-06-084, Supplemental Information Concerning License Amendment Request to Revise License Basis to Allow Ganged Rod Drive Capability of the Rod Control Management System (Rcms)

ML061520489
Person / Time
Site: LaSalle
Issue date: 06/01/2006
From: Bauer J
Exelon Generation Co, Exelon Nuclear
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
RS-06-084
Download: ML061520489 (23)


Text

10 CFR 50.90

June 1, 2006

RS-06-084

U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555-0001

LaSalle County Station, Units 1 and 2
Facility Operating License Nos. NPF-11 and NPF-18
NRC Docket Nos. 50-373 and 50-374

Subject:

Supplemental Information Concerning License Amendment Request to Revise License Basis to Allow Ganged Rod Drive Capability of the Rod Control Management System (RCMS)

References: (1) J. A. Bauer (Exelon Generation Company, LLC) letter to NRC dated March 15, 2006, "Request for a License Amendment to Revise License Basis to Allow Ganged Rod Drive Capability of the Rod Control Management System (RCMS)"

(2) J. A. Bauer (Exelon Generation Company, LLC) letter to NRC dated May 10, 2006, "Supplemental Information Concerning License Amendment Request to Revise License Basis to Allow Ganged Rod Drive Capability of the Rod Control Management System (RCMS)"

In Reference 1, Exelon Generation Company, LLC (EGC) submitted a license amendment request (LAR) for Facility Operating License Nos. NPF-11 and NPF-18 for LaSalle County Station (LSCS), Units 1 and 2 respectively, requesting NRC review and approval of a change to the LSCS Licensing Basis. The proposed Licensing Basis change revises the LSCS Updated Final Safety Analysis Report (UFSAR) to include the description of a potential ganged rod withdrawal error as an "infrequent incident," consistent with the description of a single control rod withdrawal error in UFSAR Section 15.4.1.2, "Continuous Rod Withdrawal During Reactor Startup." Approval of the LAR will enable EGC to implement a new operational capability (i.e., ganged rod movement) as part of the new LSCS Rod Control Management System (RCMS).

EGC will install the new RCMS modification pursuant to 10 CFR 50.59, "Changes, tests, and experiments."

In a conference call on April 11, 2006, representatives from EGC and the NRC discussed several NRC issues concerning the proposed LAR. In Reference 2, EGC provided a partial response to the NRC's issues, including a design document requested by the NRC during the April 11, 2006 teleconference. EGC also indicated that additional information addressing the NRC's issues would be provided, including a revised single failure analysis to explicitly address the mitigation of potential software failures, hardware failures, and human errors, as part of a defense-in-depth assessment of the new RCMS pertaining to ganged rod movement. This additional information is provided in the Attachment.

The revised single failure analysis in the Attachment is presented as part of an EGC review that addresses the major design considerations of the RCMS, relative to applicable acceptance criteria for non safety-related control systems, as described in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 7.7, "Control Systems." The information provided in the Attachment does not impact the No Significant Hazards Consideration or the Environmental Assessment that was provided in Reference 1.

If any additional information is needed, please contact Mr. John L. Schrage at (630) 657-2821.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 1st day of June 2006.

Respectfully,

Joseph A. Bauer
Manager, Licensing

Attachment:

LaSalle County Station RCMS, Review of Major Design Considerations and Applicable Acceptance Criteria, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants" Section 7.7, "Control Systems"

Attachment

LaSalle County Station RCMS
Review of Major Design Considerations and Applicable Acceptance Criteria
NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 7.7, "Control Systems"

This attachment provides supplemental information regarding the installation and operation of a new Rod Control Management System (RCMS) at LaSalle County Station (LSCS), relative to a license amendment request (LAR) requesting NRC review and approval to change the LSCS Licensing Basis. The proposed Licensing Basis change revises the LSCS Updated Final Safety Analysis Report (UFSAR) to include the description of a potential ganged rod withdrawal error as an infrequent incident, consistent with the description of a single control rod withdrawal error in UFSAR Section 15.4.1.2, "Continuous Rod Withdrawal During Reactor Startup." Approval of the LAR will enable EGC to implement a new operational capability (i.e., ganged rod movement) as part of the new LSCS RCMS. EGC will install the new RCMS modification, with the ganged rod movement feature defeated, pursuant to 10 CFR 50.59, "Changes, tests, and experiments," during the next refuel outage on each unit at LSCS.

This attachment addresses the major design considerations of the RCMS, relative to the applicable acceptance criteria for non safety-related control systems, as described in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 7.7, "Control Systems." The following information is presented:

1.0 Design Bases, Safety Classification, Independence, and Accident Effects of Existing Reactor Manual Control and Rod Worth Minimizer Systems, and Replacement RCMS System
2.0 RCMS Software Development and Validation Processes
3.0 RCMS Access Control and Cyber Security
4.0 RCMS Man-in-Loop Administrative Controls
5.0 Assessment of Potential RCMS Failures Affecting Ganged Rod Movement Capability
6.0 References

1.0 Design Bases, Safety Classification, Independence, and Accident Effects of Existing Reactor Manual Control and Rod Worth Minimizer Systems, and Replacement RCMS System

1.1 Reactor Manual Control System (RMCS)

The new RCMS replaces the existing Reactor Manual Control System (RMCS) and Rod Worth Minimizer (RWM). The existing RMCS includes the Rod Drive Control System (RDCS) and the Rod Position Information System (RPIS). The new RCMS integrates all design basis functions of the former RDCS, RPIS and the RWM.

The current RMCS consists of the electrical circuitry, switches, indicators and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. The system includes the interlocks that inhibit rod movement under certain conditions, which prevent multiple operator errors or equipment malfunctions from requiring the operation of the reactor protection system (RPS).

The RMCS does not include any of the circuitry or devices used to automatically or manually scram the reactor. In addition, the system does not include the control rod drives and the control rod drive hydraulic system (see References 1 and 2).

The system is classified as a power generation system and is not safety-related. The RMCS is an operational control system and has no safety function (see References 1 and 3).

1.1.1 The existing RMCS instrumentation and controls satisfy the following safety design bases (see Reference 4).

a. The circuitry provided for the manipulation of control rods shall be designed so that no single failure can negate the effectiveness of a reactor scram.
b. Repair, replacement, or adjustment of any failed or malfunctioning component shall not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

1.1.2 The RMCS is designed to satisfy the following power generation design bases (see Reference 5).

a. Inhibit control rod withdrawal following erroneous control rod manipulations so that RPS scram is not required.
b. Inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulations.
c. Inhibit control rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation is incapable of monitoring the core response to rod movement.
d. Limit the potential for inadvertent rod withdrawal leading to RPS action by designing the RMCS in such a way that deliberate operator action is required to effect a continuous rod withdrawal.
e. Provide the licensed operator with the means to achieve prescribed control rod patterns; provide information pertinent to the position and motion of the control rods in the control room.

1.1.3 The RMCS is not required for safety functions, nor required to operate after the design-basis accident. The system is only required to operate in the normal plant environments for power generation purposes (see References 5 and 6).

1.1.4 The RMCS instrumentation and controls are designed in accordance with the following specific regulatory requirements and industry standards:

a. General Design Criterion 1, "Quality Standards and Records" (see References 7 and 8).

The total quality assurance program is described in UFSAR Chapter 17.0 and consists of Topical Report CE-1A. The detailed quality assurance program developed by EGC satisfies the requirements of Criterion 1.

The quality assurance program for LSCS is conducted in accordance with the EGC Quality Assurance Program for Nuclear Generating Stations. This program was initially submitted to the NRC in June 1975, as Topical Report CE-1. By letter dated December 29, 1975, the NRC informed Commonwealth Edison Company (i.e., the predecessor of EGC, and the license applicant at the time) that Topical Report CE-1 was an acceptable program for the design, procurement, construction, and operations activities within Commonwealth Edison's scope of work for nuclear power plants.

The NRC approved Revision 70 of Quality Assurance Topical Report EGC-1-A in December 2002.

b. General Design Criterion 13, "Instrumentation and Control" (see Reference 9).

Adequate instrumentation has been provided to monitor system variables in the reactor core, reactor coolant pressure boundary, and reactor containment. Appropriate controls have been provided to maintain the variables in the operating range and to initiate the necessary corrective action in the event of an abnormal operational occurrence or accident.

c. General Design Criterion 24, "Separation of Protection and Control Systems" and IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Systems" (see References 10, 11, and 12).

There is separation between the reactor protection system and the process control systems. Sensors, trip channels, and trip logics of the reactor protection system are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure in any portion of the protection system. The protection system is separated from the reactor manual control system as required by General Design Criterion 24.

d. General Design Criterion 26, "Reactivity Control System Redundancy and Capability" (see Reference 13).

Two independent reactivity control systems utilizing different design principles are provided. Control of reactivity is operationally provided by a combination of movable control rods, burnable poisons, and the reactor coolant recirculation system flow. These systems accommodate fuel burnup, load changes, and long-term reactivity changes.

Reactor shutdown by the control rod drive system is sufficiently rapid to prevent exceeding of acceptable fuel design limits for normal operation and all abnormal operational transients. The circuitry for manual insertion or withdrawal of control rods is completely independent of the circuitry for reactor scram. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry.

The design of the rod worth minimizer system includes appropriate margin for malfunctions such as stuck rods in the event that they do occur. Control rod withdrawal sequences and patterns are selected prior to operation to achieve optimum core performance, and, simultaneously, low individual rod worths. The operating procedures to accomplish such patterns are supplemented by blocking of rod withdrawals that do not conform to the sequence utilized in the RWM system. An additional safety design basis of the control rod system requires that the core in its maximum reactivity condition be subcritical with the control rod of the highest worth fully withdrawn and all other rods fully inserted. Because of the carefully planned and regulated rod withdrawal sequence, prompt shutdown of the reactor can be achieved with the insertion of a small number of the many independent control rods. In the event that a reactor scram is necessary, the unlikely occurrences of a limited number of stuck rods (within the available amount of shutdown margin discussed above) will not hinder the capability of the control rod system to render the core subcritical.

A standby liquid control system containing neutron absorbing sodium pentaborate solution is the independent backup system. This system has the capability to shut the reactor down from full power and maintain it in a subcritical condition at any time during the core life.

Based upon the discussion above, the redundancy and capabilities of the reactivity control systems for LSCS satisfy the requirements of Criterion 26.

1.2 Rod Drive Control Subsystem (see References 14, 15, and 16)

The design function of the RDCS is to control the solenoid operated valves that control the drive water path for each control rod. The RDCS also includes the logic circuits for the rod block trip instrumentation and control system. The design function of the rod block circuitry portion of the existing RMCS is to inhibit movement or selection of control rods based upon receipt of input signals from other systems and subsystems. The rod block logic circuitry is arranged as two trip channels and each logic circuit can provide a separate rod block signal to inhibit rod withdrawal. Rod withdrawal is permitted only if the outputs from the two logic circuits agree at all times.

1.3 Rod Position Information Subsystem (see Reference 17)

The design function of the RPIS is to provide information pertinent to the position and motion of the control rods to the licensed operator in the control room. This system includes the rod position probes and the electronic hardware that processes the probe signals and provides the position indication data.

1.4 Rod Worth Minimizer (see Reference 18)

The design function of the RWM is to enforce adherence to established startup, shutdown, and power level control rod patterns. The RWM prevents the operator from establishing control rod patterns that are inconsistent with pre-stored sequences by initiating appropriate rod withdrawal block, and rod insert block interlock signals to the RMCS rod block circuitry.

The RWM sequences limit individual control rod worths to acceptable levels, as determined by the design-basis control rod drop accident. The existing RWM has two channels, but only one is selected for use at a time, so it functions as a single channel system. The RWM function can be bypassed and its block function disabled only by specific procedural control initiated by the licensed operator.

1.5 Accident Effects (see Reference 19)

The RMCS circuitry is completely independent of the circuitry controlling the scram valves (i.e., the RPS). This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry.

No single failure in the RMCS can result in the prevention of a reactor scram, and the repair, adjustment, or maintenance of RMCS components does not affect the scram circuitry.

The RMCS is not required for plant safety. The system has no function during a loss-of-coolant accident or any design-basis accident.

This system is not used for plant shutdown resulting from accident or nonstandard operational conditions.

The function of the RMCS is to control core reactivity and thus power level. Interlocks from many different sources are incorporated to prevent the spurious operation of drives or undesirable rod patterns throughout all ranges of operation.

This system contains no components, circuits or instruments required for reactor trip or scram. There are no operator manual controls that can prevent scram.

The consequence of improper operator action or the failure of rod block interlocks is an inadvertent reactor scram.

1.6 Comparison of New RCMS Design to Existing RMCS Design

The implementation of the new RCMS system will retain all of the system-level functions of the existing RMCS and RWM, as well as add additional capabilities. The replacement system is classified as non-safety-related, and has been designed to the same regulatory criteria and standards as the existing system. RCMS system inputs remain functionally unchanged and outputs are compatible with the interfacing systems.

The primary physical equipment difference between the existing RMCS and the replacement RCMS is that the existing RMCS uses digital Transistor-Transistor-Logic (TTL) electronics (i.e., no microprocessors) for the logic, and discrete indicators (i.e., LEDs or incandescent) for operator information. The replacement RCMS uses microprocessor controllers for logic and LCD flat-panel touch screen displays for operator information.

The use of the flat-panel touch screen displays instead of the discrete indicators creates a fundamental change to the human system interface. The graphical interfaces were developed in accordance with a Human Factors Engineering (HFE) program. This HFE program utilized a methodology consistent with current industry and regulatory standards and guidelines (i.e., NUREG-0700, "Human-System Interface Design Review Guidelines"). Because of the possible impact of the fundamental change in the way the information is presented to the operator, EGC has evaluated and approved this change pursuant to the requirements of 10 CFR 50.59, "Changes, tests, and experiments."

In the current system, the "full-core display" does not include actual rod position (other than full-in or full-out) and is limited to the fixed indicators. There is no method to indicate abnormal or special conditions for the rod. The replacement system uses a computer-driven LCD display, providing the capability to display information specific to the plant condition and to provide the operator with essentially all available system information to allow more effective evaluation of abnormal conditions. The display provides high resolution viewing of information from all normal operator positions within the main control room front panel area.

The new RCMS can also be operated with any combination or all of the following components inoperable or bypassed. It should be noted that the system does not allow ganged withdrawal with one or more RCMS components bypassed.

One RCMS Controller;
One MCR Controller;
One RCMS Interface unit; or
One MCR Interface unit.

Because of the possible impact of taking portions of the normally dual channel RCMS to "single channel" status, which is different from the existing RMCS, EGC has evaluated and approved this change pursuant to the requirements of 10 CFR 50.59.

Half of the existing Neutron Monitoring System (NMS) monitors provide inputs to one of the existing RMCS rod block logic circuits, and the other half provide inputs to the other RMCS rod block logic circuit. Both channels of the replacement RCMS will receive all of the NMS inputs. Providing all the NMS inputs to both channels does not create an adverse change to the system interfaces, since the channels remain separated within the NMS. The required rod block logic is maintained by the new RCMS. The new RCMS design maintains two separate logic channels as required for the rod block circuitry.

As is the case with the existing RMCS and RWM, the components for the replacement RCMS are not safety-related or seismic, but are seismically installed in the cabinets and panels to satisfy Seismic II/I concerns, where required.

1.7 Comparison of New RCMS/RWM Design to Existing RWM Design

The existing RWM design functions are programmed into both channels of the RCMS, which normally operates as a dual channel system. Therefore, the RWM design functions are maintained, with greater redundancy than the current system. Taking one channel of the replacement RCMS out of service still leaves the RWM program active in the remaining RCMS channel to enforce the desired rod patterns, with the same level of redundancy as the existing RWM programming. Thus, even with all or part of one channel of the RCMS taken out of service, or bypassed, the existing RWM design functions are maintained.

The RWM Low Power Setpoint (LPSP) and Low Power Alarm Point (LPAP) are developed in the digital feedwater system and input to the existing RWM in parallel with the Plant Process Computer (see Reference 18). For the new configuration, the LPSP and LPAP are input to both channels of the RCMS. Because the RWM programming will now be resident within the RCMS Controllers, this is the equivalent of providing these inputs to the old RWM. The RCMS will then provide the LPSP and LPAP to the Plant Process Computer. These changes do not change the control rod patterns that are prescribed by the RWM, or the existing RWM logic. The existing external interface between the RMCS and the RWM computer is eliminated. No new system interactions are created.

2.0 RCMS Software Development and Validation Processes

The software for the new RCMS modification at LSCS has been developed by both EGC and General Electric (GE). This software is not required to be safety-related, as the entire RCMS is not safety-related.

The EGC-developed software consists of the "Sequence Builder" and "Transfer" applications. These two applications were developed in accordance with EGC procedures IT-AA-101, Revision 4, "Digital Technology Systems (DTS) Quality Procedure" and IT-AA-101-1000, "DTS Quality Assurance Level Classifications." These procedures establish the quality assurance requirements needed to ensure that the appropriate degree or level of testing, verification, and validation is addressed. The process that is defined by these procedures provides a graded approach to DTS quality in a manner commensurate with the risk impact that an application could have on nuclear safety. As such, EGC has classified both applications as "Regulatory Related."

This classification is applied to applications that are required by regulations, or whose failure to operate as expected will have an indirect effect on nuclear plant safety .

The remainder of the RCMS software was developed by GE. Consistent with the EGC-developed applications, all GE-developed applications are considered non-safety related in function. However, as the RCMS is used for reactivity control, the GE-developed applications have been developed using a process that was based on the standard NUMAC™ Software Configuration Management Plan (SCMP), the NUMAC™ Software Management Plan (SMP), and the NUMAC™ Software Verification and Validation Plan (SVVP).

This RCMS Software Development Plan establishes the software verification and validation process that was implemented by GE for all software-based components of the LSCS RCMS modification. The plan identifies specific software-related deliverables that were produced during each phase of the project, and establishes certain review criteria, for each software related deliverable, for the purpose of providing guidance in the preparation, review, and approval of these items.

2.1 RCMS Software Development Plan

The RCMS Software Development Plan specifically addresses issues such as design control, change control, documentation, record keeping, independent verification, and software development requirements, as described in RG 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants." For the RCMS software, the development process is comprised of six stages, called baselines.

Baseline 1 - Definition and Planning

This design phase identified and confirmed all top-level requirements applicable to the LSCS RCMS Project, including contractual and licensing commitments. Included in this phase was confirmation of applicability of the standard NUMAC™ Software Plans.

Baseline 2 - Product Performance Definition

This phase defined the basic instrument design of all the major RCMS components, including the hardware design, hardware/software allocation of functions, and user interface design and communication protocol definition for communication links with external systems such as the Plant Process Computer.

Baseline 3 - High Level Software Design

This phase provided for the high level design of the software, including the architecture and structure, the definition of individual software modules, the functional allocation to software modules and operating priorities, and the communication protocol definition for internal communication links between the various RCMS components.

Baseline 4 - Coding and Module Test

This phase encompassed the detailed software design, coding and module testing. Verifications that were completed in this phase include code reviews of all software. All modules were code reviewed. Code review verifications were conducted and documented where the output of the verification was a single source file or multiple source files identified by filename and PVCS version number. Module testing, as described in the NUMAC™ SMP, was performed at the discretion of the software developer, to the extent required to provide the developer with a high level of confidence that the code is performing as it should. No formal module test documentation (i.e., Module Test Data Sheets) was required at this phase. However, if a functional requirement could not be tested in a "black box" test environment (Validation Test), and could only be tested in a "white box" test environment, then the Software Functional Test Report included documentation of the "white box" testing that was performed in order to demonstrate compliance with the functional requirement.

Baseline 5 - Integration Test

This phase provides for the integration of the functional software, the display software, and the target hardware, as well as integration of the various instruments within the system. This testing may be done using emulators and other special tools that allow confirmation of individual software functions within the instruments (white box testing). Any necessary software design changes will be finalized within this phase.

Integration testing, as described in the NUMAC™ SMP, is performed at the discretion of the software developer, to the extent required to provide the developer with a high level of confidence that the code is performing as it should.

Upon completion of the testing, a Software Functional Test Report is prepared by the software developer. The Software Functional Test Report is a summary report of all "white box" testing performed by the software developer during the Module Test phase and the Integration Test phase. Supporting data, such as emulator trace printouts, screen printouts, and other pertinent test data is referenced in the test report.

If a functional requirement cannot be tested in a "black box" test environment, then the Software Functional Test Report must include documentation of the "white box" testing that was performed in order to demonstrate compliance with the functional requirement.

Baseline 6 - Validation and Software Release

This phase covers the formal validation testing. Validation testing exercises all functions of the RCMS related to either the hardware interfaces or the user interface (i.e., black box testing). This integrated software testing will be performed on the production RCMS hardware, and will serve as a combined Validation and Factory Acceptance Test (VFAT). Upon successful conclusion of this baseline phase, the software (or firmware¹) will be released for use in the RCMS.

As part of the NUMAC™ SVVP process, the executable programs of the RCMS and MCR Interface units will be burned into non-volatile memory. The executable programs in the RCMS and MCR Controllers will be held in flash memory and uploaded on boot-up.

¹ In the context of this plan, "firmware" is software that has been installed on an EPROM or EPROM Set and issued into the document control system as a hardware component.

The final VFAT will be completed using the production equipment and programs that will be installed in the plant. This SVVP process ensures that the probability of a common mode failure of the software for those functions tested, while not quantifiable, is low enough to warrant categorization as an infrequent incident.

In addition to the EGC and GE software Verification and Validation (V&V) processes, EGC has implemented an independent third party oversight organization (i.e., Process Design Consultants, Inc. (ProDesCon™)) to ensure that the software development and V&V processes are not compromised.

2.2 RCMS Software Design Features and Requirements
The design features and requirements of the RCMS software applications that are described below will be used in the evaluation of the probability and severity of a single failure in the software that would allow a potential ganged rod withdrawal error.

2.2.1 Installing and Activating a Rod Sequence
In order to add an RWM rod sequence to the RCMS, and activate this sequence, the following software logic steps are required. These logic steps will be validated by the VFAT:

a. The Sequence Builder and Transfer Programs will enforce the Banked Position Withdrawal Sequence (BPWS) rules of the fuel designer, such that there are no excessive reactivity additions due to sequence step configurations. If the BPWS rules would be violated by the sequence, the Sequence Builder Program provides a warning that requires acknowledgement by the licensed operator.

b. When the Sequence Builder Program builds a sequence for transfer to the RCMS, it will establish a set of configuration requirements (e.g., sequence identification, number of affected rods, and the total number of steps). The RCMS Controller task for the receipt of sequences will verify the reasonableness of these requirements to ensure that there was no corruption during transfer. This will also include a checksum validation. If these checks are not satisfied, the sequence will be rejected, and a cancellation message will be transmitted to the Sequence Builder program.

c. Once the sequence is validated and transferred to the RCMS, the licensed operator can then select the sequence as the active sequence, as directed by procedure. This action requires password entry. After validation of the password by the RCMS, the licensed operator selects the desired sequence by activating the "MAKE ACTIVE" touch-button when the desired sequence is highlighted, followed by activating the "ACCEPT" touch-button.

A second individual (i.e., either a licensed Reactor Operator, Senior Reactor Operator, or Qualified Nuclear Engineer) will then verify the licensed operator's action of selecting an active sequence, in accordance with procedural requirements.



d. The RWM will conduct a sequence latching function when a new sequence is selected . This function will "latch" the RWM at the step in the sequence that has the least sequence errors, based on rod position information. The licensed operator can modify the latched step if there are multiple steps with no errors using the sequence alignment function . This licensed operator action to modify the latched step is controlled and directed by procedure. Once latched at a step, the RWM will only change the latched sequence to an adjacent step .
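As an added example, not code from the LAR or from GE's RCMS software, the following C sketch models the receipt-side checks of item b: the configuration requirements (sequence identification, number of affected rods, total number of steps) are checked for reasonableness, a checksum over the transfer is validated, and a rejected sequence produces a cancellation message for the Sequence Builder. The header layout, the Fletcher-16 checksum, the bounds and the sample sequence are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds for the reasonableness checks: assumed values, not taken from the LAR. */
#define MAX_RODS  185
#define MAX_STEPS 200
#define MAX_NOTCH 48    /* rod positions run 00..48 */

/* Configuration requirements sent ahead of the steps (assumed layout). */
typedef struct {
    char     sequence_id[16];   /* sequence identification */
    uint16_t num_rods;          /* number of affected rods */
    uint16_t num_steps;         /* total number of steps */
    uint16_t checksum;          /* Fletcher-16 over the fields above and the steps */
} seq_header_t;

typedef struct {
    uint8_t rod_index;          /* index into the sequence's rod list */
    uint8_t target_notch;       /* withdraw limit for this step */
} seq_step_t;

typedef enum { SEQ_ACCEPT = 0, SEQ_REJECT_ID, SEQ_REJECT_RODS,
               SEQ_REJECT_STEPS, SEQ_REJECT_CHECKSUM } seq_verdict_t;

static void fletcher_add(uint16_t *s1, uint16_t *s2, uint8_t b)
{
    *s1 = (uint16_t)((*s1 + b) % 255);
    *s2 = (uint16_t)((*s2 + *s1) % 255);
}

/* Checksum over every transferred field except the checksum itself. */
uint16_t seq_checksum(const seq_header_t *h, const seq_step_t *steps)
{
    uint16_t s1 = 0, s2 = 0;
    size_t i;
    for (i = 0; i < sizeof h->sequence_id; i++)
        fletcher_add(&s1, &s2, (uint8_t)h->sequence_id[i]);
    fletcher_add(&s1, &s2, (uint8_t)(h->num_rods & 0xFF));
    fletcher_add(&s1, &s2, (uint8_t)(h->num_rods >> 8));
    fletcher_add(&s1, &s2, (uint8_t)(h->num_steps & 0xFF));
    fletcher_add(&s1, &s2, (uint8_t)(h->num_steps >> 8));
    for (i = 0; i < h->num_steps; i++) {
        fletcher_add(&s1, &s2, steps[i].rod_index);
        fletcher_add(&s1, &s2, steps[i].target_notch);
    }
    return (uint16_t)((s2 << 8) | s1);
}

/* Receipt task: reasonableness checks first, then the checksum. Any failure
 * rejects the sequence and writes a cancellation message for the Sequence Builder. */
seq_verdict_t seq_receive(const seq_header_t *h, const seq_step_t *steps,
                          char *cancel_msg, size_t msg_len)
{
    seq_verdict_t v = SEQ_ACCEPT;
    size_t i;
    if (h->sequence_id[0] == '\0' || memchr(h->sequence_id, '\0', sizeof h->sequence_id) == NULL)
        v = SEQ_REJECT_ID;
    else if (h->num_rods == 0 || h->num_rods > MAX_RODS)
        v = SEQ_REJECT_RODS;
    else if (h->num_steps == 0 || h->num_steps > MAX_STEPS)
        v = SEQ_REJECT_STEPS;
    else for (i = 0; i < h->num_steps; i++)
        if (steps[i].rod_index >= h->num_rods || steps[i].target_notch > MAX_NOTCH) {
            v = SEQ_REJECT_STEPS;
            break;
        }
    if (v == SEQ_ACCEPT && seq_checksum(h, steps) != h->checksum)
        v = SEQ_REJECT_CHECKSUM;
    if (v != SEQ_ACCEPT && cancel_msg != NULL)
        snprintf(cancel_msg, msg_len, "CANCEL %.15s reason=%d", h->sequence_id, (int)v);
    return v;
}
/* Constructed sample (not a real LSCS sequence): three steps over two rods. */
static void build_sample(seq_header_t *h, seq_step_t steps[3])
{
    memset(h, 0, sizeof *h);
    strcpy(h->sequence_id, "DEMO-SEQ-A");
    h->num_rods  = 2;
    h->num_steps = 3;
    steps[0].rod_index = 0; steps[0].target_notch = 12;
    steps[1].rod_index = 1; steps[1].target_notch = 12;
    steps[2].rod_index = 0; steps[2].target_notch = 48;
    h->checksum = seq_checksum(h, steps);
}
/* Run the sample through the receipt task, optionally injecting one fault. */
static seq_verdict_t run_sample(int flip_step_byte, int zero_rod_count)
{
    seq_header_t h; seq_step_t s[3]; char msg[64];
    build_sample(&h, s);
    if (flip_step_byte) s[1].target_notch = 14;   /* one byte altered in transfer */
    if (zero_rod_count) { h.num_rods = 0; h.checksum = seq_checksum(&h, s); }
    return seq_receive(&h, s, msg, sizeof msg);
}
int demo_clean_transfer(void) { return run_sample(0, 0) == SEQ_ACCEPT; }
int demo_corrupted_step(void) { return run_sample(1, 0) == SEQ_REJECT_CHECKSUM; }
int demo_bad_rod_count(void)  { return run_sample(0, 1) == SEQ_REJECT_RODS; }
```

The corrupted-step case is rejected by the checksum alone; the zero-rod-count case is rejected by the reasonableness check before the checksum is consulted.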

2.2.2 Selection of a Rod Gang from the Active Sequence
Selection of a gang for withdrawal requires the following steps:

a. The RCMS Controller must be enabled to allow gang motion.

i. The licensed operator must enter a password on a "SET SYSTEM PARAMETERS" screen;

ii. The licensed operator must change the "GANG MODE" on the SET SYSTEM PARAMETERS screen to "ENABLE," and then accept this using the "ACCEPT" touch-button.

b. The licensed operator then must select the "GANG" mode for motion by activating the "GANG" touch-button on the "SELECT" screen.

c. When the licensed operator touches and releases a rod touch button on the "SELECT" screen, the following process occurs to select each rod in the gang:

i. The MCR Controller in "CONTROL MODE" sends the selection request to both RCMS Controllers.

ii. Both RCMS Controllers verify agreement for the selected rod.

iii. Both RCMS Controllers return the selected rod to MCR Controllers.

iv. The MCR Controller compares both selections. A critical Self-Test error is generated if there is disagreement. This error will prevent selection of a gang for withdrawal.

v. The MCR Controller in "CONTROL MODE" displays rod selection.

d. When a gang is successfully selected, the RWM software will calculate a specific withdraw and insert permissive for each rod in the gang. This calculation requires that the RWM consider the rod to be movable in the withdraw and/or insert direction.

e. For a gang withdraw permissive to be in place, all RCMS/MCR Controllers and Interface units must be operable and not bypassed.

2.2.3 Withdrawing a GANG
The following actions are necessary to withdraw a gang of rods that are selected in the latched step:



a. The licensed operator commences gang withdrawal by pressing the "WITHDRAW" button for single notch movement, or simultaneously pressing both the "WITHDRAW" and "CONTINUOUS WITHDRAW" buttons for continuous movement.

b. For each rod in the gang with a withdraw-permissive, the appropriate motion commands are generated and sent to the RCMS Interface unit.

c. Each rod now has a separate signal. Each rod will stop withdrawal as it approaches the limit of the step of the active sequence.
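As an added example covering items d and e of Section 2.2.2, the withdrawal steps above, and the RWM-bypass rule stated later in Section 4.4 (not code from the LAR or from GE), the following C code computes the gang withdraw permissive, generates a separate command per rod, and settles each rod at its own step limit during a continuous withdrawal. The unit list, the state structure, the notch size and the sample gang are assumptions made for the example.

```c
#include <stddef.h>
#define NOTCH 2   /* one notch of travel in position units (positions run 00..48) */

typedef struct { int operable; int bypassed; } unit_t;
typedef enum { MODE_SHUTDOWN, MODE_REFUEL, MODE_STARTUP, MODE_RUN } mode_switch_t;
typedef enum { DIR_INSERT, DIR_WITHDRAW } dir_t;
typedef enum { CMD_NONE, CMD_WITHDRAW, CMD_SETTLE } rod_cmd_t;

/* System-level state consulted before any per-rod permissive (assumed layout). */
typedef struct {
    const unit_t *units;             /* every RCMS/MCR Controller and Interface unit */
    size_t        n_units;
    int           gang_mode_enabled; /* "GANG MODE" set to ENABLE on SET SYSTEM PARAMETERS */
    int           rwm_bypassed;
    mode_switch_t mode_switch;
} rcms_state_t;

typedef struct {
    int position;         /* current position, 00..48 */
    int in_latched_step;  /* rod belongs to the gang of the latched step */
    int step_limit;       /* withdraw limit of the latched step for this rod */
} rod_t;

/* Item 2.2.2.e and Section 4.4: gang motion needs GANG MODE enabled and every unit
 * operable and unbypassed; with the RWM bypassed only gang insertion in SHUTDOWN is allowed. */
int gang_motion_allowed(const rcms_state_t *st, dir_t dir)
{
    size_t i;
    if (!st->gang_mode_enabled)
        return 0;
    for (i = 0; i < st->n_units; i++)
        if (!st->units[i].operable || st->units[i].bypassed)
            return 0;
    if (st->rwm_bypassed)
        return dir == DIR_INSERT && st->mode_switch == MODE_SHUTDOWN;
    return 1;
}

/* Item 2.2.2.d: a rod has a withdraw permissive only while it belongs to the latched step and is below its limit. */
int rod_withdraw_permissive(const rod_t *r)
{
    return r->in_latched_step && r->position < r->step_limit;
}

/* One withdraw command for one rod; the final notch before the limit is SETTLE so the rod stops at its step limit. */
rod_cmd_t rod_withdraw_command(const rcms_state_t *st, const rod_t *r)
{
    if (!gang_motion_allowed(st, DIR_WITHDRAW) || !rod_withdraw_permissive(r))
        return CMD_NONE;
    return (r->position + NOTCH >= r->step_limit) ? CMD_SETTLE : CMD_WITHDRAW;
}

/* Continuous gang withdrawal: each rod has its own signal and notches until it settles at its own limit. */
int gang_continuous_withdraw(const rcms_state_t *st, rod_t *gang, size_t n)
{
    int issued = 0, moved;
    size_t i;
    do {
        moved = 0;
        for (i = 0; i < n; i++) {
            if (rod_withdraw_command(st, &gang[i]) == CMD_NONE)
                continue;
            gang[i].position += NOTCH;
            if (gang[i].position > gang[i].step_limit)  /* settle clamps at the limit */
                gang[i].position = gang[i].step_limit;
            issued++; moved = 1;
        }
    } while (moved);
    return issued;   /* number of notch commands issued across the gang */
}

/* Constructed scenario: four healthy units; a three-rod gang starting at 08 with step limits 12, 12 and 16. */
static const unit_t healthy[4] = { {1, 0}, {1, 0}, {1, 0}, {1, 0} };

int demo_gang_stops_at_limits(void)
{
    rcms_state_t st = { healthy, 4, 1, 0, MODE_STARTUP };
    rod_t gang[3] = { {8, 1, 12}, {8, 1, 12}, {8, 1, 16} };
    int issued = gang_continuous_withdraw(&st, gang, 3);
    return issued == 8 && gang[0].position == 12 &&
           gang[1].position == 12 && gang[2].position == 16;
}

/* One bypassed interface unit removes the gang withdraw permissive for every rod. */
int demo_bypassed_unit_blocks_gang(void)
{
    unit_t units[4] = { {1, 0}, {1, 0}, {1, 1}, {1, 0} };
    rcms_state_t st = { units, 4, 1, 0, MODE_STARTUP };
    rod_t rod = { 8, 1, 12 };
    return rod_withdraw_command(&st, &rod) == CMD_NONE;
}

/* RWM bypassed: gang withdraw is refused, gang insert in SHUTDOWN is still allowed. */
int demo_rwm_bypass_rule(void)
{
    rcms_state_t st = { healthy, 4, 1, 1, MODE_SHUTDOWN };
    return !gang_motion_allowed(&st, DIR_WITHDRAW) && gang_motion_allowed(&st, DIR_INSERT);
}
```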

2.2.4 RCMS Interface Routing
For gang withdrawal, each RCMS Interface unit will take the inputs from both RCMS Controllers and will process the input data words and output command words to the applicable HCU Transponder cards for rod motion through the following actions:

a. Each RCMS Interface Unit will compare the rod motion command words from both controllers . If the command words from the two controllers do not agree, no motion commands are sent to the transponders .

b. The RCMS Interface Unit will generate repetitive command words to the HCU Transponder cards with alternating control bits to direct the appropriate HCU Directional Control Valves to open or close, which will move the rod(s). The alternating pattern will be checked on the HCU Transponder card, which will stop motion if the alternating pattern is not present.
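As an added example (not code from the LAR or from GE), here is a C model of the two actions above: the two-out-of-two comparison of the controller command words in the Interface unit, the alternating control bit on the words sent to the HCU Transponder card, and the transponder-side check that stops motion when the alternation is missing. The command-word bit layout and the sample commands are assumptions made for the example.

```c
#include <stdint.h>

/* Command word layout (assumed, not the GE format): bits 0-7 rod number,
 * bit 8 withdraw, bit 9 insert, bit 15 the alternating control bit. */
#define CW_WITHDRAW   0x0100u
#define CW_INSERT     0x0200u
#define CW_ALT_BIT    0x8000u
#define CW_NO_MOTION  0x0000u

typedef struct { uint16_t phase; } iface_t;      /* alternating bit, toggled every output cycle */
typedef struct { int have_last; uint16_t last; int valve_open; } transponder_t;

/* Item a: the Interface unit forwards a command only when both RCMS Controllers
 * sent the same word; item b: it then alternates the control bit on each output. */
int iface_route(iface_t *ifc, uint16_t from_ctrl_a, uint16_t from_ctrl_b,
                uint16_t *to_transponder)
{
    if (from_ctrl_a != from_ctrl_b || from_ctrl_a == CW_NO_MOTION) {
        *to_transponder = CW_NO_MOTION;      /* disagreement: no motion command is sent */
        return 0;
    }
    ifc->phase ^= CW_ALT_BIT;
    *to_transponder = (uint16_t)((from_ctrl_a & ~CW_ALT_BIT) | ifc->phase);
    return 1;
}

/* HCU Transponder card: the directional control valve is driven only while
 * consecutive words alternate the control bit; a repeated word stops motion. */
int transponder_receive(transponder_t *tp, uint16_t word)
{
    int alternating;
    if (word == CW_NO_MOTION) {
        tp->valve_open = 0;
        tp->have_last = 0;
        return 0;
    }
    alternating = !tp->have_last || ((word ^ tp->last) & CW_ALT_BIT) != 0;
    tp->last = word;
    tp->have_last = 1;
    tp->valve_open = alternating && (word & (CW_WITHDRAW | CW_INSERT)) != 0;
    return tp->valve_open;
}

/* Constructed cycle: both controllers command withdraw of rod 42 for four cycles. */
int demo_agreeing_controllers(void)
{
    iface_t ifc = { 0 };
    transponder_t tp = { 0, 0, 0 };
    uint16_t cmd = CW_WITHDRAW | 42, out;
    int cycle, driven = 0;
    for (cycle = 0; cycle < 4; cycle++)
        if (iface_route(&ifc, cmd, cmd, &out))
            driven += transponder_receive(&tp, out);
    return driven == 4;
}

/* The two controllers disagree on the rod: nothing leaves the Interface unit and the valve stays closed. */
int demo_disagreement_blocks_motion(void)
{
    iface_t ifc = { 0 };
    transponder_t tp = { 0, 0, 0 };
    uint16_t out;
    int sent = iface_route(&ifc, CW_WITHDRAW | 42, CW_WITHDRAW | 43, &out);
    transponder_receive(&tp, out);
    return sent == 0 && tp.valve_open == 0;
}

/* A stuck Interface unit repeating one word: the transponder sees the pattern missing and stops the rod. */
int demo_frozen_pattern_stops_motion(void)
{
    transponder_t tp = { 0, 0, 0 };
    uint16_t w = CW_WITHDRAW | 42 | CW_ALT_BIT;
    transponder_receive(&tp, (uint16_t)(w ^ CW_ALT_BIT));  /* first word: accepted */
    transponder_receive(&tp, w);                           /* bit alternated: driven */
    return transponder_receive(&tp, w) == 0;               /* same word again: stopped */
}
```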

2.2.5 Self-Test Monitoring
The controllers and interface units have self-test capabilities that will generate Critical or Non-Critical faults on detection of a variety of checks. A critical fault will generate an RCMS or MCR INOP alarm, which will disable rod motion.

Watchdog timers are in place on all RCMS and MCR Controllers and all RCMS and MCR Interface units. These are physical timers that, if timed out, will cause the affected unit to restart.

On startup or reboot, the RCMS and MCR controllers perform Program and Configuration checksum diagnostics to validate that the executable programs and configurations are correct.

2.2.6 Annunciator Alarms
The RCMS Interface Units send discrete digital outputs to the control room annunciator system when the following conditions exist:

RCMS INOP Alarm; RCMS TROUBLE Alarm; and Rod Out Block Alarm.

These alarms will trigger plant annunciator alarms when the RCMS identifies errors in the operation of the system. Specifically:

a. RCMS INOP (TROUBLE) alarms identify critical (non-critical) self-test errors that would indicate a controller failure; and

b. The Rod Out Block Alarm will indicate when a rod out block exists and when a withdraw error exists that has been caused by a rod withdrawn outside the limits of the latched step.

2.2.7 General Task Function Processing
The RCMS and MCR Controller software operates under the control of an event-driven, real-time, multitasking operating system, which allows the various tasks to be executed in a pseudo-concurrent fashion. A monitoring task also executes periodically, allowing interrupt-driven input/output (I/O) to interrupt and request services. When a request for service is detected, the monitor task transfers to a specified routine for the requested service. The various routines unique to the RCMS and MCR Controller applications are written in the standard ANSI "C" programming language.

3.0 RCMS Access Control and Cyber Security
The electronic information assets of the RCMS will be protected from unauthorized access, disclosure, modification, and destruction by the following physical and electronic access control measures, in accordance with EGC policy, IT-AC-1, "Corporate Information Technology (IT) Policy," and procedure IT-AC-551-1, "Access Control."

3.1 Physical Security
All RCMS components are located in areas with physical access control measures in place (Security Badge readers and/or locked doors).

3.2 Electronic Security
3.2.1 All RCMS components are connected via a dedicated private network with no direct connection to the EGC public network.

3.2.2 Data connections between each RCMS Controller and the Plant Process Computer (PPC) and RWM Sequence Computer are via dedicated connections private to the PPC network. These connections provide bi-directional messaging capabilities between the systems; no access to RCMS control functions is directly available via these links.

3.2.3 All PPC components and the RWM Sequence Computer are located behind the LSCS PPC Firewall. The PPC Firewall is a Nokia IP530 appliance running Checkpoint v5A software. Read/Write and administrative access privileges to the PPC and RWM Sequence Computer from the Exelon Wide Area Network (WAN) through the Firewall are provided to a limited group of individuals. Access is controlled via a unique UserID and Password.


3.2.4 Access privileges to the PPC and RWM Sequence Computer from outside the Exelon Network through the Corporate Internet Firewall are provided to a limited group of individuals. The Corporate Internet Firewall is comprised of multiple Nokia IP710 platforms running Checkpoint v5.5 software. Both two-factor authorization (individual PIN and SecurID Token) and a unique UserID and Password are required for access.

4.0 RCMS Man-in-Loop Administrative Controls
The following "Man-In-Loop" controls (i.e., administrative controls required by procedure and implemented by the licensed operator) are used in evaluating the probability and severity of a single failure causing a potential ganged rod withdrawal error.

4.1 Man-in-Loop Controls for Upload of Active Sequence to RCMS
The addition of an RWM sequence to the RCMS requires the following manual (i.e., procedurally-required and operator-performed) actions:

4.1.1 As stated in Section 2.2.1.b, the Sequence Builder and Transfer Programs enforce the Banked Position Withdrawal Sequence (BPWS) rules of the fuel designer such that there are no excessive reactivity additions due to sequence step configurations. If the BPWS rules would be violated by the sequence, the Sequence Builder program provides a warning that requires acknowledgement by the licensed operator.

4.1.2 The licensed operator will be supplied with a hard copy of the desired sequence and will be required to verify that the loaded sequence in RCMS/RWM agrees with the hard copy after loading any new sequence. This is a Technical Specification (TS) Surveillance Requirement (SR).

TS SR 3.3.2.1.8 states: "Verify control rod sequences input to the RWM are in conformance with analyzed position sequence." This SR has a frequency of:

"Prior to declaring RWM OPERABLE following loading of sequence into the RWM."

4.2 Man-in-Loop Controls for Activation of Rod Sequence
Placing a given sequence into active use requires the following procedurally-required Man-in-Loop actions:

4.2.1 Selection of an active sequence requires that the licensed operator use password entry prior to selection of a sequence.

4.2.2 The licensed operator must touch the "MAKE ACTIVE" button on the screen to change the sequence to the new selected sequence .

4.2.3 The licensed operator must verify that the name of the newly activated sequence matches the name of the hard copy sequence that was previously verified per TS SR 3.3.2.1.8 and authorized for use.

4.3 Man-in-Loop Verification of RWM Operability and Functionality
Technical Specifications for the RWM require periodic testing of RWM software-driven Control Rod Blocks. This includes SR 3.3.2.1.2, a Channel Functional Test in Mode 2, SR 3.3.2.1.3, a Channel Functional Test in Mode 1, and SR 3.3.2.1.6, a non-bypass Verification. These required functional tests, performed by either the licensed operator (i.e., Man-in-Loop) or instrument technicians, validate RWM software functions.

4.4 Man-in-Loop Controls when RWM is Bypassed
When the RWM function is bypassed, the RCMS software is designed to disallow gang motion, with the exception of gang insertion when the reactor mode switch is in "SHUTDOWN" (i.e., in order to more rapidly insert control rods in response to an ATWS scenario). In addition, if the RWM function is bypassed below the low power set point (i.e., less than or equal to 10%), TS SR 3.3.2.1.9 requires a second licensed operator or other qualified member of the technical staff to verify position of control rods prior to and during the movement of control rods. This SR adds a Man-in-Loop check to the gang withdraw restriction imposed by RCMS software.

4.5 Man-in-Loop Controls for Selection of a Rod Gang from the Active Sequence
4.5.1 Prior to commencing planned rod moves, including any withdrawals, the licensed operator is required by procedure to perform a required system set-up check of the RCMS. Part of this is a check that the "GANG MODE" RCMS System Level option is in "ENABLE" on the "SYSTEM PARAMETERS" screen only when the active sequence allows gang motion, and no other administrative restriction has been placed on gang use. If the active sequence or other administrative restriction does not allow for any gang motion, procedures require that the licensed operator verify that the "GANG MODE" option is in "DISABLED."

4.5.2 Prior to performing each step of a sequence, the licensed operator is procedurally required to check if "GANG" or "SINGLE" use is allowed/directed for that step of the sequence :

a. If allowed and directed by the active sequence, the licensed operator must select, or verify selected, "GANG" from the Main Control Soft keys. That soft key will change to a green background and the "SINGLE" soft key will return to the gray background color. The licensed operator will then visually verify that the "GANG" soft key is illuminated.
b. If gang motion is not allowed or directed by the active sequence, the licensed operator must select, or verify selected, "SINGLE" from the Main Control Soft keys. That soft key will change to a green background and the "GANG" soft key will return to the gray background color.
c. The licensed operator must select a rod from the current step of the active sequence, or a directly adjacent step, if the rod is at the current step's limit.

To do this, the licensed operator will need to access the "SELECT" screen on the "CONTROL MODE" screen .

d. The licensed operator will touch and release the appropriate rod on the "SELECT" screen and then implement the following actions:

i. When "SINGLE" is directed by the active sequence, the licensed operator must verify only the border on the selected rod turns green on the "SELECT" screen and that the rod that is selected matches the rod specified in the hard copy of the active sequence.

ii. When "GANG" is directed by the active sequence, the licensed operator must verify the border on the selected rod and all other rods in the gang turn green on the "SELECT" screen and that the gang that is selected matches the gang specified in the hard copy of the active sequence.

4.6 Man-in-Loop Controls for Movement of a Rod Gang
4.6.1 The licensed operator commences gang withdrawal by pressing the "WITHDRAW" button for single notch movement, and by simultaneously pressing both the "WITHDRAW" and "CONTINUOUS WITHDRAW" buttons for continuous movement. The "WITHDRAW" and "CONTINUOUS WITHDRAW" push buttons are in the same location and in the same configuration as the current RMCS push buttons. These buttons are separated in space by enough distance to ensure that two hands would be required to cause a continuous rod withdrawal.

4.6.2 For each rod in the gang with a withdraw-permissive, when the "WITHDRAW" button is activated by the licensed operator for a single notch movement or both the "WITHDRAW" and "CONTINUOUS WITHDRAW" buttons are simultaneously activated by the licensed operator for continuous movement, the RCMS will generate the appropriate motion commands and send these commands to the RCMS Interface unit.

4.6.3 For gang motion in a step that ends at an intermediate position, the "POSITION SCREEN" must be displayed . On the "POSITION SCREEN," the rods in the four-rod display will display the gang movement and will indicate "SETTLE" as each rod approaches the end-of-travel or the end-of-step limit.

5.0 Assessment of RCMS Failures Affecting Ganged Rod Movement Capability
5.1 Licensing Basis
The Continuous Rod Withdrawal Error (CRWE) accident/transient is described in the LSCS UFSAR, Section 15.4.1.2 as an event where the licensed operator, during reactor startup, selects the highest worth rod, out-of-sequence, and withdraws this out-of-sequence rod fully from the core. As stated in UFSAR 15.4.1.2, the probability of initiating causes (or multiple errors) for this event alone is considered low enough to categorize it as an infrequent incident. The probability of further development of the event is extremely low because it is contingent upon the failure of the RWM, concurrent with out-of-sequence rod selection, plus operator non-acknowledgement of continuous alarm annunciations prior to safety system actuation. As such, UFSAR 15.4.1.2 states:

"Control rod withdrawal errors are not considered credible in the startup power range."

However, UFSAR Section 15.4.1.2 does not address ganged rod motion as part of that analysis. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants" addresses the evaluation of this accident/transient for ganged rod motion in Section 15.4.1, "Uncontrolled Control Rod Assembly Withdrawal From a Subcritical or Low Power Startup Condition."

In Section 15.4.1 of NUREG-0800, for BWR/6 designs, the NRC reviewed the possibilities for single failures of the reactor control system that could result in uncontrolled withdrawal of control rods under low power startup conditions. The NRC concluded that the requirements of General Design Criterion (GDC) 10, "Reactor Design," GDC-17, "Electric Power Systems," GDC-20, "Protection System Functions," and GDC-25, "Protection System Requirements for Reactivity Control Malfunctions," had been met based upon the inclusion in the plant design of a Rod Pattern Control System (i.e., "Rod Block Instrumentation").

As described in NUREG-1434, Revision 3, "Standard Technical Specifications General Electric Plants, BWR/6 Bases," Section 3.3.2.1, "Control Rod Block Instrumentation," the rod pattern controller, along with licensed operator actions, ensures that, "during start-up conditions, only specified control rod sequences and relative positions are allowed over the operating range of all control rods inserted to [10]% RTP." The NRC reviewed this system in NUREG-0800 and found it acceptable because it precluded single failures in the reactor control system that could result in uncontrolled withdrawal of control rods under low-power conditions . The scope of the NRC review included the design features that act to prevent such withdrawals. The review also demonstrated that no single failure would permit an uncontrolled rod withdrawal that could lead to reactivity insertions greater than those routinely encountered during operation.

The following evaluation of the new RCMS system is provided to demonstrate that the RCMS is also designed such that no single failure can cause an uncontrolled ganged rod withdrawal, and thus the NRC evaluation in NUREG-0800, Section 15.4.1 is applicable to ganged rod motion at LSCS.

5.2 Assessment of Single Failures
There are three major elements that have been evaluated in this single failure analysis: software design, hardware design, and administrative, or "Man-in-Loop," requirements.

Each of these elements contributes to the single fault tolerance of ganged rod withdrawal in the RCMS . These elements will be referenced in the analysis of potential single failures . Thus, this analysis will address the single fault tolerance of the RCMS to demonstrate that the software, hardware, and administrative requirements will reliably provide the sequence control necessary to conclude that gang rod withdrawal errors are not considered credible in the startup power range .

The LSCS UFSAR, Section 15.4.1.2 indicates that the initiating event for the CRWE is operator action and inaction which results in the out-of-sequence selection of the highest worth rod, withdrawal of this out-of-sequence rod fully from the core, and non-acknowledgement of the resulting alarm annunciations, prior to safety system actuation.

From a software perspective, the NUMAC™ process that was used for development and validation of the RCMS software, as described in Section 2 above, yields software that has a low probability of failure. However, any software-based system can generate random faults. Based on the development and validation process, there is a very low probability of a common mode failure in those areas that are tested in the V&V testing process (see Section 2.1, "RCMS Software Development Plan"). Because of this low probability of a common mode failure, random errors are assumed in only one program of one component.

5.2.1 Active Sequence Upload
The RCMS is designed to only move ganged rods when the RWM sequence has gangs designated, as described in Section 2.2.1, "Installing and Activating a Rod Sequence." These sequences are prepared external to the RCMS and are uploaded to the RCMS. If the upload is not correct, either the logic checks of the sequence, or the checksum verification by the transfer program will identify that the sequence was corrupted.

As a backup, the licensed operator will detect an error between the uploaded sequence and the hard copy of the sequence that the licensed operator was provided. Thus, the self-checking software or the Man-in-Loop administrative controls would detect a single failure in the software. A single error by the licensed operator in uploading a sequence will be caught by the logic checks of the RCMS . The diversity of the administrative and design elements ensure that only a correct sequence can be uploaded to the RCMS .

5.2.2 Active Sequence Selection/Activation
If a valid sequence is loaded into the RCMS, then it can be activated (i.e., selected for use). This requires a password-protected action by the licensed operator, including procedural verification against a hard copy of the required sequence, and thus cannot be an accidental selection.

Once a loaded sequence is selected as the active sequence, the RCMS will ascertain which step in the sequence is the correct step . The licensed operator is required by procedure to verify that the step is correct and, if necessary, change the sequence alignment to ensure that the correct step is "latched," once again, as directed by procedure. The diversity of the administrative and design elements ensure that only a correct sequence can be selected as active in the RCMS .

Once the active sequence is in place, continuous self-checks inherent to the RCMS are performed to ensure that corruption of the program does not occur during rest periods. Any self-test failure or Technical Specification Surveillance failure will alert the licensed operator of a failure in the system. This continuous check will provide an annunciator alarm if a fault is detected .

5.2.3 Selection of a Rod GANG from the Active Sequence

a. Prior to performing each step of a rod sequence, the licensed operator is procedurally required to check if "GANG" or "SINGLE" use is allowed/directed for that step of the sequence .
b. If gang motion is administratively allowed, the RCMS Controller must be enabled to allow "GANG" motion . This requires a password-protected action by the licensed operator, including procedural verification against a hard copy of the required sequence, and thus cannot be an accidental selection .

Once the RCMS has been enabled for GANG motion, the licensed operator is then required to select a rod from the latched sequence and verify against a hard copy of the active sequence that the selected rods are from the correct step (see Section 4.5.2.c). If a rod from the current latched step is not selected, the RCMS software will not grant a withdrawal-permissive. This diversity of controls (i.e., software and Man-in-Loop) will ensure that the correct gang is selected for the latched sequence step, even with a single failure.

To ensure that all of the redundancy of the RCMS hardware and software is being applied for a gang withdrawal, the RCMS system will prevent gang withdrawal if any RCMS element is bypassed .

5.2.4 Movement of a Gang
In order to move a rod gang, the processes described above in Sections 5.2.1 through 5.2.3 must have been successfully completed without a single failure.

These processes ensure that the rod sequence being used in RCMS is the correct sequence, and that the selected gang is correct. The hardware and software also ensure that, for ganged rod withdrawal, no components of RCMS are inoperable or bypassed .

The licensed operator commences gang withdrawal by pressing the "WITHDRAW" button for a single notch movement, or simultaneously pressing both the "WITHDRAW" and "CONTINUOUS WITHDRAW" buttons for continuous movement . The "WITHDRAW" and "CONTINUOUS WITHDRAW" push buttons are in the same location and in the same configuration as the current RMCS push buttons. These buttons are separated in space by enough distance to ensure that two hands would be required to cause a continuous rod withdrawal, thus eliminating the possibility of an inadvertent operator action resulting in a continuous withdrawal of the gang .

Rod motion is implemented by RCMS by controlling a separate Hydraulic Control Unit output for each rod. There are no common components where a failure could cause multiple rods to move at the same time .

Because the current step in the active sequence is correct, and the correct rod gang has been selected, if the licensed operator initiates a continuous withdrawal, there would be no abnormal condition unless the gang was withdrawn beyond the upper position limit on the latched step.

When each rod in a gang approaches the top of its latched step withdrawal limit, the RCMS will automatically shift the rod to settle to prevent it exceeding its limit .

During rod or gang movement, the licensed operator is procedurally required to verify that actual rod travel is in compliance with the applicable step of the active sequence. Thus, the diversity of the administrative and design elements ensure that withdrawal of a gang will stop at its upper withdrawal limit even with a single failure .

6.0 References
1. LSCS Updated Final Safety Analysis Report (UFSAR) Chapter 7.0, "Instrumentation and Controls," Section 7.7.2, "Reactor Manual Control System," Subsection 7.7.2.1.1, "General"

2. UFSAR Section 7.1.2, "General Description of Individual Systems"
3. UFSAR Table 7.1-1, "System Classification"
4. UFSAR Subsection 7.7.2.1, "Design Bases"
5. UFSAR Subsection 7.7.2.2.2.6, "Environmental Considerations"
6. UFSAR Section 7.7.7, "Process Computer System Instrumentation and Controls," Subsection 7.7.7.2.4, "Environmental Considerations"

7. UFSAR Chapter 3.0, "Design of Structures, Components, Equipment, and Systems," Section 3.1, "Conformance with NRC General Design Criteria," Subsection 3.1.2.1.1, "Evaluation Against Criterion 1 - Quality Standards and Records"

8. UFSAR Chapter 17.0, "Quality Assurance."
9. UFSAR Subsection 3.1.2.2.4, "Evaluation Against Criterion 13 - Instrumentation and Control"
10. UFSAR Subsection 3.1.2.3.5, "Evaluation Against Criterion 24 - Separation of Protection and Control Systems"
11. UFSAR Subsection 7.7.2.3.1.2, "Specific Requirements"
12. UFSAR Table 7.1-2, "Codes and Standards Applicability Matrix"
13. UFSAR Section 3.1.2.3.7, "Evaluation Against Criterion 26 - Reactivity Control System Redundancy and Capability"
14. UFSAR Subsection 7.7.2.2.2, "Rod Movement Controls Systems"
15. UFSAR Subsection 7.7.2.2.3, "Rod Block Trip Instrumentation and Control System"
16. UFSAR Subsection 7.7.2.2.3.6, "Redundancy"
17. UFSAR Subsection 7.7.2.2.2.3, "Rod Position Information System"
18. UFSAR Subsection 7.7.7.2.3, "Rod Worth Minimizer Equipment Design"
19. UFSAR Subsection 7.7.2.3.1.1, "General Functional Requirement Conformance"