ML111170432
ML111170432 | |
Person / Time | |
---|---|
Site: | Grand Gulf |
Issue date: | 04/27/2011 |
From: | Wang A B Plant Licensing Branch IV |
To: | Burford J, Guy Davant, Millar D Entergy Operations |
Wang, A B, NRR/DORL/LPLIV, 415-1445 | |
Shared Package: | ML111170422 |
References: | TAC ME2531 |
ENCLOSURE

REQUEST FOR ADDITIONAL INFORMATION
GRAND GULF NUCLEAR STATION, UNIT 1 (GGNS), LICENSE AMENDMENT REQUEST (LAR) FOR POWER RANGE NEUTRON MONITORING SYSTEM UPGRADE
TAC Number ME2531

Instrumentation and Controls Branch

By application dated November 3, 2009 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML093140430), Entergy Operations, Inc. (Entergy, the licensee), requested the US Nuclear Regulatory Commission (NRC) staff approval of an amendment to the Grand Gulf Nuclear Station, Unit 1, technical specifications to reflect installation of the digital General Electric - Hitachi (GEH) Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitoring System (PRNMS).
The following four RAIs, 1) through 4), address the regulatory evaluation criteria for a high quality development process, which is applicable to important to safety systems and described within NUREG-0800, Standard Review Plan (SRP), Branch Technical Position (BTP) 7-14 "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems" Rev 5, March 2007 (ADAMS Accession No. ML070670183).
- 1) BTP 7-14 contains the evaluation criteria for the high quality development process that is applicable to important to safety system programming, which includes the Power Range Neutron Monitor System (PRNMS).
Describe the processes used to develop and program microprocessor and Programmable Logic Device (PLD) firmware in sufficient detail for evaluation to satisfy the above criteria or to determine them to be acceptable alternatives.
The following identifies what the NRC staff considers as sufficient detail. The level of detail is expected to be consistent with information requirements in the Interim Staff Guidance (ISG) for the Licensing Process of Digital Instrumentation & Controls, Digital I&C-ISG-06, (ADAMS Accession No. ML110140103). Sufficient detail includes either references to accession numbers of previously docketed and reviewed information, for which changes have been identified, or placement on the docket of the applicable revisions of these development processes and other products, which had been referenced in prior responses.
The following further clarifies the rationale for this RAI but does not include additional information requests. Part of the response to RAI #1 (ADAMS Accession No. ML101190125), which was provided in Table 1-7 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028), identifies changes and a very high level mapping of BTP 7-14 to development processes and products, but does not provide either information or mapping of the guidance to sections within the referenced documents. Supplemental information is necessary for the NRC staff to evaluate the processes and products as satisfying the current regulatory evaluation criteria. Simply mapping sets of document titles to planning documents of Section B.2.1 of BTP 7-14 does not allow the NRC staff to assess how the licensee satisfies the evaluation criteria. Table 1-11 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) similarly provides only a correlated list of 7-4.3.2-2003 section titles to a list of document titles at a high level.
- 2) BTP 7-14 identifies that the Software Management Plan "should ensure that the quality assurance organization, the software safety organization and the software verification and validation (V&V) organization maintain independence from the development organization. In particular, the plan should ensure that these assurance organizations do not report to the development organization, and not be subject to the financial control of the development organization."
Describe the characteristics of the Software Management Plan used to develop and program microprocessor and PLD firmware in sufficient detail for evaluation to satisfy the above criteria or to determine them to be acceptable alternatives. Sufficient detail includes mapping the specific process roles, such as those provided in RAI #1's response in Table 1-11 of Attachment 2 to GNRO-2010/00051 (ML102150028), with their organization.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #1's response in Table 1-7 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) does not address organization independence for microprocessor firmware development nor describe maintenance of independence at each stage of verification and validation. The response does not describe 1) the scope/coverage of this verification and validation, 2) the criteria used to identify items having "safety-significant aspects," and 3) how safety-significance determinations provide equivalency to Software Safety planning. Similarly, RAI #1's response in Table 1-8 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) does not address the criteria to maintain independence for PLD firmware development.
- 3) BTP 7-14 identifies that the Software Development Plan "should require that tools be qualified with a degree of rigor and level of detail appropriate to the safety significance of the software which is to be developed using the tools. Methods, techniques and tools that produce results that cannot be verified or that are not compatible with safety requirements should be prohibited, unless analysis shows that the alternative would be less safe."
Describe the characteristics of the Software Development Plan used to develop and program microprocessor and PLD firmware in sufficient detail for evaluation to satisfy the above criteria or to determine them to be acceptable alternatives.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #1's response in Table 1-11 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) does not explain the quality of software tools or how the verification and validation activities will detect any defects in microprocessor or PLD firmware that may be introduced by tools. The information associated with software development tools is defined in Enclosure B of the ISG for the Licensing Process of Digital Instrumentation & Controls, Digital I&C-ISG-06, (ADAMS Accession No. ML110140103) for "Software Tool Verification Program" and "Software Tool Analysis Report."
- 4) BTP 7-14 Acceptance Criteria for Design Outputs identifies for Correctness that "Unused or unneeded functions and code should not be in the safety-related software, even if the software developer wishes to include them for ease of use, future development, or other reasons. The system and software requirements and the final code should be examined to insure that only those features need to implement the safety functions and to perform system and software testing are included."
Describe the operation of the safety-related software when the jumper is present in sufficient detail for evaluation to satisfy the above criteria or to determine the approach to be an acceptable alternative. The description should include, but is not limited to, a discussion of the method used to jumper out the Detect and Suppress Solution - Confirmation Density (DSS-CD) trip, a 4th Oscillating Power Range Monitor (OPRM) function, and the means to verify the jumper's presence.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #3's response in Attachment 1 to GNRO-2010-00035 (ADAMS Accession No. ML101410094) identified the existence of this jumper but it neither explained the rationale for installing it nor did it provide sufficient detail to allow an evaluation of the implementation and verification of this jumper's presence (or future absence) to determine that it cannot cause an adverse effect on PRNMS safety functions and does not result in unused code (the DSS-CD function) within the PRNMS when the jumper is present.
The following three RAIs, 5) through 7), address a detailed identification of the system configuration under review. As stated in the ISG for the Highly-Integrated Control Rooms-Communications Issues of Digital Instrumentation & Controls, DI&C-ISG-04 (ADAMS Accession No. ML083310185), the applicant's demonstration and NRC staff's verification of digital upgrades that contain bi-directional non-safety to safety communications or inter-divisional communications should include a detailed review of the system configuration.
- 5) Concisely and consistently describe a sufficiently complete configuration of the equipment where the description addresses, but is not necessarily limited to, the following considerations: a) Use of a minimum number of tables that collocate the information; b) Ensuring that a unique descriptive name is consistently used to reference a configuration item and this name unambiguously corresponds to an item identified in the Nuclear Measurement Analysis and Control (NUMAC) PRNMS licensing topical report, wherever applicable; c) Ensuring that the configuration does not include some items that are identified as unchanged from the NUMAC PRNMS licensing topical report while excluding others; d) Ensuring that the configuration includes all major assembly/module part numbers and revision identifiers along with the firmware and revision identifier for each associated microprocessor or PLD; e) Ensuring that each identified PRNMS interface maps to configuration items using consistent nomenclature; f) Ensuring that the configuration includes all items and is not limited to only those involved in the Average Power Range Monitor (APRM) and OPRM trip functions; g) Ensuring that identified items are consistent with the configuration control processes, which may include GGNS plant-specific data file(s); h) Ensuring that updates, which may have occurred since the original RAI response, are included.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 6's response in Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438) did not provide a table or concise set of tables that use consistent hardware names and define the complete configuration of the equipment identified for review in the LAR. An overall configuration of the equipment identified for review in the LAR, with part numbers and revisions, was not provided. The licensee's response to RAI 6 in Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438) states "The response to RAI #1 provides the information necessary to evaluate the equipment configuration (e.g., identify the revisions/version of hardware, PLD firmware, and microprocessor firmware) for the Grand Gulf PRNM system." However, RAI 1 does not identify all hardware that is identified in RAI 6 (e.g. 2/4 Fiber-Optic Interface Card) even though for other hardware RAI 1 does contain an entry for a non-changed item (e.g. DC-to-DC converter). Also, in the licensee's response to RAI 1, the licensee did not provide a fully defined part number for the "2/4 Logic Card" and Table 1-4 indicated the "2/4 Logic Card" was "Not Complete." This card embeds safety-related PLD firmware whose revision was not identified. Finally, the scope of firmware identified in Table 1-5 was limited to NUMAC APRM/OPRM firmware, does not identify all PLDs' information (i.e. revisions/versions), and excludes PRNMS Communication Interface (PCI) firmware.
- 6) Describe any further changes to the equipment since the original RAI responses including any that resulted from the testing that has been performed.
- 7) Regulatory Guide 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants" (ML053070150), endorses IEEE Std. 7-4.3.2-2003, and IEEE Std. 7-4.3.2 clause 5.11, Identification, states that "Means shall be included in the software such that the identification may be retrieved from the firmware using software maintenance tools."
Describe the characteristics of the identification used for microprocessor and PLD firmware in sufficient detail for evaluation to satisfy the above criteria or to determine them to be acceptable alternatives.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 1's response in Table 1-11 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) does not identify the degree, if any, that firmware version information can be retrieved by maintenance tools.
The following four RAIs, 8) through 11), address the evaluation of digital upgrade failures to include common-cause programming failures, their potential impact on safety functions, and the ability of the plant to cope with any resulting vulnerability. These RAIs are based upon the evaluation criteria within NUREG-0800, SRP, Branch Technical Position (BTP) 7-19 "Guidance for Evaluation of Diversity and Defense-in-Depth on Digital Computer-based Instrumentation and Control Systems," Rev 5, March 2007 (ADAMS Accession No. ML070550072), and the ISG for the Diversity and Defense-in-Depth Issues of Digital Instrumentation & Controls, DI&C-ISG-02 (ADAMS Accession No. ML091590268).
- 8) Describe in detail how the upgrade addresses common-cause programming failures that could adversely affect safety function redundancy to demonstrate that either the digital upgrade maintains the plant within its design basis or that the plant has the ability to cope with any vulnerability to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #3's response in Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) did not demonstrate that the Acceptance Criteria identified in BTP 7-19 were satisfied. No analysis was provided that addressed potential common-cause programming failures of each programmable entity (microprocessor and PLD) to defeat redundancy.
- 9) Describe in detail how the upgrade addresses common-cause programming failures that could adversely affect multiple echelons of defense to demonstrate that either the digital upgrade maintains the plant within its design basis or that the plant has the ability to cope with any vulnerability to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #3's response in Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) did not demonstrate the Acceptance Criteria identified in BTP 7-19 were satisfied but only identified diversity provided through "other sensor inputs into RPS," and did not indicate whether defense-in-depth is also maintained. The response did not address whether the NUMAC platform is relied upon for echelons of defense other than the RPS (i.e., Control, Engineered Safety Features Actuation, and Monitoring and Indicators). No analysis was provided that addressed potential common-cause programming failures of each programmable entity (microprocessor and PLD) to defeat different echelons of defense.
- 10) Application of the PRNMS LTR requires its failure analysis conclusions be confirmed by the utility through a confirmation that the events defined in EPRI Report No. NP-2230 or Appendices F and G of NEDC-30851 P-A encompass the events (i.e. bound the complete set) that are analyzed for the plant.
Describe in detail the confirmation of the failure analysis, including consideration of common-cause programming failures, to address all events that are analyzed for the plant.
The following further clarifies the rationale for this RAI but does not include additional information requests. The NRC staff could not determine how RAI 3's response in to GNRO-2010/00051 (ADAMS Accession No. ML102150028) addressed GGNS Final Safety Analysis Report, as Updated (UFSAR) Section 15.2.4 for "Partial MSIV Closure" as defined in Appendix G. RAI 3's response did not correlate the "Other Events" of Appendices G (Reference 11 of the PRNM LTR) to APRM/OPRM functions (similar to Table F-1 in Attachment 1 to GNRO-2010/00051). The NRC staff could not determine how RAI 3's response addressed "Control Rod drop accident" in GGNS UFSAR 15.4.9, 15.4.9.2.3 and 15A.6-35 for which a documented potential radioactive release consequence is identified and the PRNMS provides a role.
- 11) Describe in detail the analysis performed to evaluate any potential common-cause programming failure of the PCI that could adversely affect safety functions performed by the Rod Control & Indication System (RC&IS).
The following further clarifies the rationale for this RAI but does not include additional information requests. The PCI is a new component that had not been previously analyzed in the LTR, the PCI provides a non-safety interface with the RC&IS, and GGNS UFSAR Section 7.7.1.2.1.3 states that "the rod control and information system is an operational system with some safety function." RAI #3's response in Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) references a prior SER statement that "GE performed equipment failure analyses to evaluate the effects of module level failures on critical system functions, and to assess qualitatively the defense-in-depth of the PRNMS;" however, it has not been demonstrated that these prior analyses remain sufficient; a PCI to RC&IS interface was not previously identified. Therefore, it has not been demonstrated that failures of this interface were previously analyzed to address potential adverse effects on the RC&IS.
The following eight RAIs, 12) through 19), address the evaluation of communication interfaces and their potential to adversely affect APRM/OPRM safety functions. These RAIs are based upon ISG for the Highly-Integrated Control Rooms-Communications Issues of Digital Instrumentation & Controls, DI&C-ISG-04 (ADAMS Accession No. ML083310185), and also BTP 7-19 where potentially applicable.
- 12) Staff Position 1.11 of DI&C-ISG-04 states, in part, that "The progress of a safety function processor through its instruction sequence should not be affected by a message from outside its division." Staff Position 1.12 of DI&C-ISG-04 states, in part, that "Communication faults should not adversely affect the performance of required safety functions in any way."
Describe in detail how firmware within the OPRM/APRM chassis, which is considered safety-related, ensures the integrity of all data processed within the OPRM/APRM (e.g. valid message formats and ranges) to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. The information provided has not described data flows or the communication protocol by which non-safety system data is provided to each redundant OPRM/APRM channel for processing. No description of the processing is provided to identify whether the data directly affects the safety processor for either safety function or support software, and whether this data processing is limited to a channel in INOP or BYPASS as determined by the safety processor. The meaning of the RAI response in the DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, item #42, to Staff Position 1.11 of DI&C-ISG-04 is not clear. The meanings of the RAI responses in the DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, items #43 and #51, to Staff Position 1.12 of DI&C-ISG-04 are not clear. This RAI response need not address the previously described hardware-based integrity checks associated with the communication protocol and data buffering that have not changed since the PRNMS LTR.
- 13) Staff Position 1.8 of DI&C-ISG-04 states that "Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions."
Describe in detail each of the following four (4) interfaces to satisfy the above criteria or to determine the proposed approach is an acceptable alternative: i) Interface(s) between the PCI and the RC&IS; ii) Interface(s) between the two-out-of-four voter and the RC&IS; iii) Inter-divisional interfaces between PCIs; iv) Inter-divisional interfaces between two-out-of-four voters. For each interface describe: a) whether it is an interface between non-safety and safety, or non-safety and non-safety; b) how independence among safety-divisions is maintained through an explanation of the protocol, data and signal format, data flow, and isolation provided; c) the evaluation of the interface to satisfy DI&C-ISG-04 and BTP 7-19 or the justification why the criteria does not apply; d) the corresponding section(s) of the PRNMS LTR that describes the interface.
The following further clarifies the rationale for this RAI but does not include additional information requests. These interfaces were first depicted in replacement Figure E.2.1 of to GNRO-2010/00040 (ADAMS Accession No. ML101790438). The NRC staff currently understands that this PCI to RC&IS interface corresponds to the replacement Section 5.3.17.3.4 of Attachment 6 to GNRO-2010/00040; however, this remains unclear. No subsection under 5.3.17 could be identified for the two-out-of-four voter and RC&IS interface. The DI&C-ISG-04 compliance matrix in Attachment 6 to GNRO-2010/00040 (ML101790438) has limited focus on the non-safety to safety interfaces between the PCI and APRM/OPRM and the inter-divisional safety to safety interface between each APRM/OPRM and all four 2-out-of-4 voters. The information provided did not address design features that would prevent data from one safety division from passing through a PCI and potentially defeating APRM/OPRM channel redundancy.
- 14) For the inter-divisional communications interface between 2-out-of-4 voter channels, further describe in detail: a) any function that the programmed PLD performs in support of these communications; b) If this inter-divisional communications exists and a common programmed PLD is involved in all four divisions, then include an additional evaluation of this interface to satisfy BTP 7-19 or to determine that the proposed approach is an acceptable alternative. Otherwise the detail may justify why the criteria does not apply.
The following further clarifies the rationale for this RAI but does not include additional information requests. The replacement Figure E.2.1 of Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438) does not identify direct 2-out-of-4 voter inter-divisional communications; however, DI&C-ISG-04 matrix response item #75 states that "The voter using hardware logic sends a fiber-optic signal to the other divisions." Also, the original Figure E.2.1 showed "SELF TEST DATA & BYPASS STATUS DATA" from each 2-out-of-4 voter to its division's APRMs, where the APRM could then feedback its status to all four voters. However, the replacement figure neither depicts this signal flow nor other inter-divisional communications between 2-out-of-4 voters. Therefore, it is unclear whether 1) the "SELF TEST DATA & BYPASS STATUS DATA" interface still exists or 2) inter-divisional communications between 2-out-of-4 voters exist.
- 15) DI&C-ISG-04 Position 1.13 states for communications that are needed to support a safety function, the effectiveness of error detection/correction should not affect the operation of the safety-function. Furthermore DI&C-ISG-04 Position 1.19 states that communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.
Describe in detail the methods used to test that each safety processor within PRNMS upgrade cannot be adversely influenced by the non-safety or inter-divisional communications activities for each of the following five (5) interfaces to satisfy the above criteria or to determine the proposed approach is an acceptable alternative: i) between the PCI and APRM/LPRM ii) between the PCI and RC&IS iii) between the 2-out-of-4 voter and RC&IS iv) inter-divisional between PCIs v) inter-divisional between 2-out-of-4 voters.
- 16) Staff Position 1.10 of DI&C-ISG-04 governs communications of a safety division with maintenance and monitoring equipment.
Describe in detail the communications used in performance of maintenance and monitoring to completely address Staff Position 1.10 of DI&C-ISG-04, including the following to satisfy the above criteria or to determine the proposed approach is an acceptable alternative: a) whether the dedicated division's local front panel is required to be used to confirm gain adjustments prior to use and without regard to the method used to provide gains to the APRM; b) whether only one division's gains may be confirmed/accepted at a time; c) whether the communication path that provides gains to the APRM via the NUMAC Interface Computer is connected and active at all times; and d) whether the restriction to adjust only one division's gains at a time is by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic (versus reliance upon a combination of firmware enable, password and/or reading keylock position, and administrative controls).
The following further clarifies the rationale for this RAI but does not include additional information requests. The RAI response DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, items #39 through #41, did not address all of Staff Position 1.10.
- 17) With respect to maintenance and monitoring, describe the administrative controls using terminology consistent with the LTR and in full consideration of the response to RAI #16 above sufficiently to address: a) Whether the activities associated with use of the OPERATE-SET mode are achieved at the local channel's front panel; b) How the OPERATE-SET mode is entered; and c) To explicitly map the description to the three levels of security that are identified in the LTR paragraph 5.3.13.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #9's response in Attachment 1 to GNRO-2010/00040 (ADAMS Accession No. ML101790436) does not use the same terminology as the LTR and is difficult to correlate with the response provided for Staff Position 1.10 of DI&C-ISG-04 or key switch position/features that may be built into a NUMAC chassis.
- 18) Staff Positions 1.19 and 1.20 of DI&C-ISG-04 address the potential impact of data throughput and data error rates on worst-case response time.
Describe in detail the testing performed to ensure proper performance of all safety functions to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. The RAI response DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, items 64 and 65, did not address throughput and error rates observed through design and qualification testing on system response time calculations.
- 19) Staff Position on Command Prioritization of DI&C-ISG-04 could apply to the 2-out-of-4 voter design if the same 2-out-of-4 voter (or a common design) is used to process any of the following in addition to the PRNMS trips: a) the diverse actuation signals in addition to those generated by the PRNMS (i.e. those diverse trips associated with RAI 3 in Attachment 1 to GNRO-2010/00051); or b) the Manual Trips signal; or c) the future diverse automatic trip required to enable DSS-CD function.
Describe the plant's intended use of the PRNMS 2-out-of-4 voter design to satisfy the above criteria or to determine the proposed approach is an acceptable alternative and include justification, as applicable, that evaluates criteria within DI&C-ISG-02 and BTP 7-19.
The following further clarifies the rationale for this RAI but does not include additional information requests. The RAI response DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, item 71, to Staff Position on Command Prioritization of DI&C-ISG-04 mentions diverse systems but does not state that they are not input to a NUMAC platform-based 2-out-of-4 voter.
The following RAI, 20), addresses PRNMS response time performance.
- 20) NUREG-0800, SRP, BTP 7-21, Guidance on Digital Computer Real-Time Performance (ADAMS Accession No. ML070550070), provides the NRC staff guidance for reviewing the performance of a digital safety system and contains the acceptance criteria for Limiting Response time as follows, "Limiting response times should be shown to be consistent with safety requirements (e.g., suppress power oscillations, prevent fuel design limits from being exceeded, prevent a non-coolable core geometry). Setpoint analyses and limiting response times should also be shown to be consistent." These limiting response times must be acceptable to the organizations responsible for reactor systems, electrical systems, and plant systems before acceptance as a basis for timing requirements.
Describe in detail the performance of the replacement system to demonstrate that its real-time performance and response time is adequate. The response should include identification of the response time performance start and end event(s) and the instrument's response time performance relationship to the safety analyses to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #2's response in Table 2-2 of Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) contains performance values for "PRNMS Performance" and "RPS Requirement" without clearly identifying the start and end event(s) of the response time performance requirement(s). The relationships among the "RPS Requirement," the "PRNMS Requirement," and the safety analyses are not described. The staff understands that response times associated with PRNMS APRM/OPRM generated trips include LPRM sensing through 2/4 logic outputs to the RPS. The information associated with system response time of digital upgrades is defined in Enclosure B of the ISG for the Licensing Process of Digital Instrumentation & Controls, Digital I&C-ISG-06, (ADAMS Accession No. ML110140103) for "System Response Time Confirmation Report."
The following three RAIs, 21) through 23), address equipment qualification.
- 21) IEEE Std 603 Clause 5.4 states that safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it should be capable of meeting the performance criteria as specified in the design basis (e.g., IEEE Std 603 Clause 4.10), while being exposed to specified environmental conditions (e.g., IEEE Std 603 Clause 4.7). Regulatory Guide 1.209, "Guidelines for Environmental Qualification of Safety-related Computer-based Instrumentation and Control Systems in Nuclear Power Plants" (ML070190294), endorses IEEE 323-2003 Sections 6.2.3 and 6.3.1, which requires "qualification test programs to account for reasonable uncertainties in demonstrating satisfactory performance and normal variations in commercial production, thereby providing assurance that the equipment can perform under the most adverse service condition specified" and that "margin shall be added if not included in the specified service conditions."
Describe how the qualification levels identified for Humidity and Radiation were evaluated to satisfy the above criteria or to determine the levels identified are acceptable.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 5's response in Attachment 1 to GNRO-2010/00070 (ADAMS Accession No. ML103490095) does not identify margin for the low end of the Humidity envelope or for the maximum Gamma Rate (rad/hr) for Radiation.
- 22) Regulatory Guide 1.209 endorses IEEE 323-2003 with enhancements and exceptions. Regulatory Position C (4) states that for safety-related computer-based I&C systems intended for implementation in a mild environment, "the NRC staff takes exception to Section 7.1 of IEEE Std. 323-2003. The evidence of qualification in a mild environment should be consistent with the guidance given in Section 7.2 selectively based on actual environmental conditions, and the records should be retained at a facility in an auditable and readily accessible form for review and use as necessary."
Describe the testing performed in sufficient detail to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 5's response in Attachment 1 to GNRO-2010/00070 (ADAMS Accession No. ML103490095) does not describe the unique test setup(s) and units under test. Information associated with qualification of digital upgrades is defined in Enclosure B of the ISG for the Licensing Process of Digital Instrumentation & Controls, Digital I&C-ISG-06 (ADAMS Accession No. ML110140103), for "Qualification Test Methodologies" and "Summary of Digital EMI, Temp., Humidity, and Seismic Testing Results."
- 23) Regulatory Guide 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems" (ADAMS Accession No. ML032740277), identifies test methods acceptable to the staff to assure EMI/RFI compatibility. Application of Regulatory Guide 1.180 produces margin to ensure that systems are not exposed to EMI/RFI levels within 8 dB of the specified operating envelopes of identified sources.
Describe the EMI/RFI compatibility testing performed in sufficient detail for evaluation to satisfy the above criteria or to determine it to be an acceptable alternative.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #5's response in Attachment 1 to GNRO-2010/00070 (ADAMS Accession No. ML103490095) does not summarize the basis for the test levels chosen for EMI/RFI compatibility to demonstrate margin in accordance with Regulatory Guide 1.180. Any role that EN-DC-217 plays in establishing, justifying and maintaining EMI/RFI compatibility margin is not described with respect to the test levels and limits. Emission/susceptibility requirements for safety equipment and emission requirements for nonsafety equipment that are non-conservative with respect to Regulatory Guide 1.180 or the referenced standard (e.g. MIL-S-461E) are neither highlighted nor justified. Within Tables 3-3 through 3-6 of Attachment 1 to GNRO-2010/00070 (ML103490095), the licensee identified qualification tests and limits, some of which differ from the approved LTR and current Regulatory Guidance. These qualification tests were identified as GGNS specific; therefore, the staff evaluation is not considering these qualification tests and limits for general applicability as an LTR update.
The following two RAIs, 24) and 25), address setpoints.
- 24) Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation" (ADAMS Accession No. ML993560062), Regulatory Position C.1 states that "Section 4 of ISA-S67.04-1994 specifies the methods, but not the criterion, for combining uncertainties in determining a trip setpoint and its allowable values. The 95/95 tolerance limit is an acceptable criterion for uncertainties. That is, there is a 95% probability that the constructed limits contain 95% of the population of interest for the surveillance interval selected."
Describe in detail the following to satisfy the above criteria or to determine the proposed approach is an acceptable alternative: a) the channel performance data that has been used to establish the basis for determining acceptable values of the limiting setpoints (NSPs); b) the channel performance data that has been used to establish the basis for determining acceptable values for the as-found and as-left tolerances; c) the documentation of representative PRNM and OPRM sensor, signal conversion, and NUMAC chassis error performance data that has been (or will be) used within the calculation, to demonstrate that the analysis of this data for each PRNMS channel meets the NRC acceptance criteria of 95/95 for the margin between the analytical limit and the NTSP1; d) how the performance data is used to establish the final setpoint, and as-left and as-found tolerances.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 10's response in Attachment 1 to GNRO-2010/00040 (ADAMS Accession No. ML101790436) does not provide sufficient detail of the proposed approach for evaluation to satisfy RG 1.105's criteria or to determine it as an acceptable alternative.
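The 95/95 criterion quoted in RAI 24) can be made concrete with an added example that is not part of the NRC letter or of any licensee or vendor calculation. It assumes a distribution-free order-statistic method, which is only one of several ways to construct a tolerance limit; the drift values and function names are constructed for illustration.

```python
from math import comb
import random

def confidence(n, rank=1, coverage=0.95):
    """Confidence that the rank-th largest of n samples bounds at least
    `coverage` of the population: P(Binomial(n, 1 - coverage) >= rank)."""
    q = 1.0 - coverage
    below = sum(comb(n, k) * q**k * coverage**(n - k) for k in range(rank))
    return 1.0 - below

def min_samples(rank=1, coverage=0.95, conf=0.95):
    """Smallest sample count for which the rank-th largest value is a valid bound."""
    n = rank
    while confidence(n, rank, coverage) < conf:
        n += 1
    return n

def upper_bound_9595(samples, coverage=0.95, conf=0.95):
    """Return (bound, rank) using the deepest order statistic the sample size
    supports, or None when the data set is too small to support any claim."""
    n = len(samples)
    rank = 0
    while rank < n and confidence(n, rank + 1, coverage) >= conf:
        rank += 1
    if rank == 0:
        return None
    return sorted(samples, reverse=True)[rank - 1], rank

# Constructed data: 100 absolute as-found minus as-left deviations, in % of span.
# Assumption: treating |deviation| as a one-sided population is a simplification.
_rng = random.Random(2011)
DRIFT = [abs(_rng.gauss(0.0, 0.25)) for _ in range(100)]

if __name__ == "__main__":
    print("minimum samples, largest value as bound:", min_samples(1))
    print("minimum samples, second largest as bound:", min_samples(2))
    print("58 samples:", upper_bound_9595(DRIFT[:58]))
    bound, rank = upper_bound_9595(DRIFT)
    print(f"100 samples: 95/95 bound {bound:.3f}% span (rank {rank})")
```

With fewer samples than the minimum, no order statistic supports a 95/95 statement, so the function reports that rather than returning the sample maximum.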
- 25) Describe whether a licensing commitment or condition is intended to address the statements that Entergy will complete actions to establish the as-found and as-left tolerances and to reflect them in the associated surveillance test procedures prior to startup.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #10's response in Attachment 1 to GNRO-2010/00040 (ADAMS Accession No. ML101790436) appears to contain statements that create either a licensing commitment or a condition.
The following three RAIs, 26) through 29), address miscellaneous technical information that was provided in the form of change pages to the LTR as a means to describe the GGNS plant-specific application.
- 26) Describe the number and nature of APRM channel-to-PCI interfaces in sufficient detail to establish whether the LPRM-to-PCI interfaces represent four of eight APRM channel-to-PCI interfaces, whether inter-divisional communications among all four PCI channels are required to produce a valid Recirculation Flow channel check alarm, and the expected behavior of the Recirculation Flow channel check alarm when either an inter-divisional communication between PCI channels is unavailable or the APRM channel is INOP.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 6's response in Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438) discusses eight APRM channel-to-PCI interfaces (eight are described in the modifications for paragraphs 3.2.3.2.2 and 5.3.17.3.3). However, only four APRM-to-PCI interfaces are shown in replacement Figures E.1.7 and E.2.1 of Attachment 6 to GNRO-2010/00040. The effect that communication failures may have on Recirculation Flow channel check alarms has not been fully described.
- 27) 10 CFR Part 50 Appendix A identifies General Design Criterion 23--Protection system failure modes. This criterion states that "The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced." Furthermore, while allowing for an exception, IEEE 603-1991 Clause 6.7 states that the "Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of 5.1 and 6.3."
Describe in detail the 2-out-of-4 logic modification sufficient to satisfy the above criteria. This description should: a) fully explain the logic's behavior, eliminate apparent inconsistencies (e.g. conditions that will produce a SCRAM request to the RPS, fail safe states, etc.) and justify why the proposal produces acceptable voter logic; b) explain for each required channel availability of APRM functions whether the LCOs and SRs (and associated logic tests) distinguish (or need to distinguish) this unique "loss of power" condition, and if so to what degree; c) provide justification to support the modification as acceptable in terms of the surveillance requirements, tests, and intervals. Sufficiently describe each of the following in the information provided: a) why the modification to Paragraph 5.3.2.3 states unequivocally that a SCRAM will occur on total loss of UPS power, where Paragraph 5.3.2.6 indicates that no SCRAM will result upon a loss of power to the division's UPS bus and that one trip from the other division is required to SCRAM; b) the meaning of "All PRNM equipment operating on the UPS buses is designed to fail safe on loss of power;" c) whether the as-described loss of power constitutes the loss of 2 channels, so that the LCO is not met for Modes 1, 2 or 3, which represents all Modes where a minimum of 3 channels are required for some type of APRM trip (excluding the 2-Out-of-4 Voter as contained in Table 3.3.1.1-1 and identified as the "Required Channels per Trip System" of "3."); d) the adequacy of the proposed approach to satisfy General Design Criterion 23 above; e) the adequacy of the proposed approach to satisfy IEEE 603-1991 Clause 6.7 above; f) the modifications to LTR Paragraph 5.3.8.1 to clarify and identify 1) the power supplies whose loss results in an INOP condition, 2) what defines the "safe condition," 3) how the trip "safe condition" is known to result from the loss of input power and not another form of concurrent/common-cause failure, and 4) how the determination method is reliable and independently made by each 2-out-of-4 voter.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 6's response describes a 2-out-of-4 logic modification in paragraph 5.3.2.3 in Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438). However, the description appears inconsistent with other information and is not accompanied by statements to justify it as satisfying the above criteria.
- 28) 10 CFR Part 50 Appendix A identifies General Design Criterion 21--Protection system reliability and testability. This criterion states in part that the protection system shall be designed for high functional reliability.
Describe in detail the analysis performed to ensure that the conclusions of Section 5.3.14 in NEDC-32410P-A dated October 1995 remain valid and satisfy the above criterion.
The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 8's response in Attachment 1 to GNRO-2010/00064 (ADAMS Accession No. ML102810307) does not demonstrate that the analysis has been performed to reaffirm the conclusion of Section 6.0 in NEDC-32410P-A Supplement 1 dated November 1997. RAI 8's response does not address the potential of failures of non-safety equipment that may adversely affect the availability of the APRM to perform its safety function. The Mean Time Between Failures (MTBF) values are less conservative than those originally identified in the LTR. Servicing a failed item that the licensee has identified as not supporting the safety function (e.g. PCI, Display) has not been discussed in either the LTR or RAI 8's response to assess any potential impact that repair of new or modified equipment may have on the availability of the safety function.
- 29) Similar to RAI 28) above, the licensee is requested to explain whether either PCI or 2-out-of-4 voter unavailability can adversely impact the availability of any RC&IS safety function; see earlier RAIs 11) and 13), which reference GGNS UFSAR Section 7.7.1.2.1.3 and the signals shown in Figure E.2.1 of Attachment 6 to GNRO-2010/00040, and ask the licensee to explain whether the RC&IS has a safety function.