ML030580424
| ML030580424 | |
| Person / Time | |
|---|---|
| Site: | Surry  |
| Issue date: | 02/14/2003 |
| From: | Hartz L Virginia Electric & Power Co (VEPCO) |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| 03-099 | |
| Download: ML030580424 (19) | |
Text
VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 February 14, 2003 U.S. Nuclear Regulatory Commission Serial No.03-099 Attention: Document Control Desk NLOS/GDM R1 Washington, D.C. 20555 Docket Nos. 50-280, 281 License Nos. DPR-32, 37 Gentlemen:
VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION UNITS 1 AND 2 PROPOSED TECHNICAL SPECIFICATION CHANGE DELETION OF MONTHLY ANALOG ROD POSITION TEST REQUEST FOR ADDITIONAL INFORMATION In a letter dated November 5, 2002 (Serial No.02-688), Virginia Electric and Power Company (Dominion) requested license amendments, in the form of changes to the Technical Specifications (TS) to Facility Operating Licenses Numbers DPR-32 and DPR-37 for Surry Power Station Units 1 and 2, respectively. The requested TS changes would delete the monthly analog rod position test for the control rod bottom bistables. During staff review of the TS change request, the NRC determined that additional information was necessary to complete their review. A conference call was held on December 10, 2002, to discuss the staff's questions. At the conclusion of the conference call, Dominion agreed to provide a written response to the NRC's questions.
That response is provided in the attachment to this letter.
We have evaluated the TS change request previously submitted with respect to the supplemental information provided herein and have determined that the additional information does not require any revision of the No Significant Hazards Consideration provided in our original November 5, 2002 submittal.
If you have any further questions or require additional information, please contact us.
Very truly yours, Leslie N. Hartz Vice President - Nuclear Engineering Attachment
Commitments made in this letter: None cc: U.S. Nuclear Regulatory Commission Region II Sam Nunn Atlanta Federal Center Suite 23T85 61 Forsyth Street, SW Atlanta, Georgia 30303 Mr. R. A. Musser NRC Senior Resident Inspector Surry Power Station Commissioner Bureau of Radiological Health 1500 East Main Street Suite 240 Richmond, VA 23218
SN: 03-099 Docket Nos.: 50-280/281
Subject:
Proposed TS Change Deletion of Monthly Analog Rod PositionTest RAI COMMONWEALTH OF VIRGINIA )
)
COUNTY OF HENRICO )
The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Leslie N. Hartz, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. She has affirmed before me that she is duly authorized to execute and file the foregoing document in behalf of that Company, and that the statements in the document are true to the best of her knowledge and belief.
Acknowledged before me this 14th day of February, 2003.
My Commission Expires: March 31, 2004.
Notary Public
ATTACHMENT Response to NRC Request for Additional Information Technical Specification Change Request Deletion of Monthly Analog Rod Position Test Surry Power Station Units 1 and 2 Virginia Electric and Power Company (Dominion)
Response to NRC Request for Additional Information Deletion of Monthly Analog Rod Position Test Surrv Power Station Units 1 and 2 A. Overview
- 1. Existinq Analoa Individual Rod Position Indication System The existing Individual Rod Position Indication (IRPI) System for Surry Units 1 and 2 is a non-safety system. The existing system is based on analog technology and is qualified for seismic integrity.
The existing IRPI system provides indication of individual rod positions to the reactor operator, as well as indication and alarm of a "rod bottom" condition. The existing IRPI system also provides rod position and "rod bottom" information to the plant computer.
The existing IRPI system determines a "rod bottom" condition by comparing the analog signal for each rod position to a predetermined setpoint with an analog bistable comparator. When the analog signal for a rod position falls below the predetermined setpoint, the analog bistable causes a relay to change state. The relay provides contacts that provide the "rod bottom" indication and alarm.
- 2. Computer Enhanced Rod Position Indication (CERPI) System The existing IRPI system at Surry Units 1 and 2 will be replaced with a Westinghouse standard CERPI system. The CERPI system provides the equivalent functionality of the IRPI system, with improvements in accuracy, performance, and fault-tolerance. A block diagram of the CERPI system is shown in Figure 1.
The CERPI system consists of the following major elements:
"* Signal Conditioning - converts the sensor signals to analog control rod position signals and signals that indicate the resistance of each sensor.
"* Programmable Logic Controller (PLC) - acquires the analog rod position and sensor resistance signals and calculates control rod positions that are corrected for offset, span, linearity and temperature effects. The PLC also receives control rod bank position motion demand signals and determines demand positions for each bank of rods used 'for control. The PLC determines system status and alarm conditions. The PLC provides the following interfaces:
- Alarm contact outputs to the annunciator system,
- Network connection to the Operator Flat Panel Displays and Maintenance and Test Panel for signal values, calculated values, and system status, and
- Signals to the plant computer for rod positions and for a rod bottom condition.
Rod bottom signals are provided to the Emergency Response Facility (ERF) computer.
Page 1 of 15
Operator Flat Panel Display (OFPD) - receives rod position information from the PLC over the AF 100 network and provides a color graphic, touch screen, and flat panel display interface for the reactor operator. The OFPDs are located in the control room. Fiber optic cable is utilized as the communication media between the PLC and the OFPD.
Maintenance and Test Panel (MTP) - acquires information from both redundant PLCs over the AF100 network. The MTP provides a color graphic, touch screen, and flat panel interface for the maintenance technician. From this interface, the maintenance technician can perform calibration, surveillance and fault diagnosis.
The MTP also provides an interface for transmitting information to the plant computer.
Page 2 of 15
ANALOG INPUT SIGNALS CONDITIONED ANALOG SIGNALS AF 100 NETWORK FIBER OPTIC MODEM (TYPICAL)
Figure 1 Simplified Block Diagram of CERPI Page 3 of 15
B. Response to NRC Questions Question 1 If Surry is trying to justify elimination of surveillances based on digital system self testing, it is critical to know just what that self-testing feature actually tests, and how these tests verify the same items which the surveillances being eliminated verify. It is also critical to determine that the self test actually tests those things it is supposed to test, and how this was assured. To assist in these determinations, please submit the following documentation:
- a. A list of all diagnostictests and what functions are tested.
Response
A list of functions and the associated diagnostic tests are described below.
Function Diagnostic Test 1 Sensor a. Analog Input Trouble One of the diagnostic tests for this diagnostic function is a determination of whether the input signal is out of range, either high or low. A sensor failure could cause this condition on either the rod position analog input or the sensor resistance analog input. This diagnostic will cause a CERPI Trouble alarm.
1 Sensor b. Rod to Rod Deviation Alarm Function This alarm is generated when the difference between the highest and lowest rod position in a control bank exceeds a setpoint. Sensor failure would tend to cause a deviation between the indicated position with the failed sensor and another rod position in the bank.
Rods in a bank are controlled to be aligned with each other.
1 Sensor c. Rod to Control Bank Deviation Alarm Function This alarm is generated when the position of a rod deviates from the position of the bank by a predetermined amount. The bank position is determined from pulse signals from the rod control system that indicate that a rod bank has been inserted or withdrawn. Sensor failure would tend to cause the analog rod position to deviate from the bank demand position.
1 Sensor d. Rod Bottom Alarm Function This alarm is generated when a rod position is determined to be below the rod bottom setpoint.
Depending on the sensor failure mode, the failure could actuate this alarm function.
Page 4 of 15
Function Diagnostic Test 2 Signal Conditioning a. Oscillator Supervision and Control The signal conditioning contains two redundant sets of oscillators, a main oscillator and a backup oscillator.
The main oscillator is used to develop the excitation signal for the primary coil of the sensor. The PLC monitors selected rod position signals and detector resistance signals to determine whether a main oscillator has failed. When a main oscillator failure is detected, the PLC sets a main oscillator failure alarm flag and automatically transfers to the backup oscillator. If the transfer to the backup oscillator does not clear the alarm condition, the PLC sets an oscillator bus failure flag. The PLC also monitors the backup oscillator while the main oscillator is used for sensor excitation. If the backup oscillator fails, the PLC sets a backup oscillator failure alarm flag. If one or more of the alarm flags are set, the PLC will actuate the CERPI Trouble alarm. The maintenance technician can determine which alarm flag was set by utilizing the MTP.
2 Signal Conditioning b. Analog Input Trouble Similar to the sensor failure described previously, a signal conditioning failure could cause this condition on either the rod position analog input or the sensor resistance analog input. This diagnostic will cause a CERPI Trouble alarm.
2 Signal Conditioning c. Rod to Rod Deviation Alarm Function This alarm is generated when the difference between the highest and lowest rod position in a control bank exceeds a setpoint. Similar to the sensor failure described previously, a signal conditioning failure would tend to cause a deviation between the indicated position with the failed sensor and another rod position in the bank. Rods in a bank are controlled to be aligned with each other.
2 Signal Conditioning d. Rod to Control Bank Deviation Alarm Function This alarm is generated when the position of a rod deviates from the position of the bank by a predetermined amount. The bank position is determined from pulse signals from the rod control system that indicate that a rod bank has been inserted or withdrawn. Similar to the sensor failure described previously, a signal conditioning failure would tend to cause the analog rod position to deviate from the bank demand position.
Page 5 of 15
Function Diagnostic Test 2 Signal Conditioning e. Rod Bottom Alarm Function This alarm is generated when a rod position is determined to be below the rod bottom setpoint.
Similar to the sensor failure described previously, a signal conditioning failure could actuate this alarm function.
3 Programmable Logic a. Processor Module Diagnostics Controller The CERPI system utilizes the AC 160 PM 646A processor module that is the same processor module used for Common Q. The PM 646A diagnostics include the following:
"* Test of CPU Instruction Set - CPU instructions are executed and then CPU registers and corresponding memory locations are verified against expected results. This diagnostic is performed at processor initialization.
"* Test of System and User FPROM (Flash Programmable ROM) - This test checks the CRC (Cyclical Redundancy Check) checksum of the system software in the system FPROM and the application in the user FPROM. This diagnostic is performed at initialization and on-line.
"* RAM Test - A single bit is shifted in a double word and then written to memory. After each shift the double word is read back from memory and compared with the written value. This procedure is performed for all memory locations. This diagnostic is performed at initialization
"* Domain CRC - The CRC checksums of all read only domains in RAM are verified. This diagnostic is performed on-line.
"* Test of Real Time Clock (RTC) - This test verifies the 1-second interrupt generated by the RTC.
This diagnostic is performed on-line.
"* RAM Check - The RAM on the Processor Section of the PM 646A is hardware supervised for corrupted data without any loss of performance. A
'mirrored' RAM is used in conjunction with comparator logic (RAM Checker) to perform this function. This diagnostic is performed on-line.
The PM 646A also performs diagnostics on the high speed link communications function, however this function is not used in the CERPI application.
The processor module diagnostic functions will actuate the CERPI Trouble alarm if a failure is detected.
Page 6 of 15
Function Diagnostic Test 3 Programmable Logic b. 1/0 Module Diagnostics Controller The CERPI system utilizes the Advant S600 I/O product family for I/O. CERPI utilizes the Al 620 analog input module, the DI 620 digital input module, the DO 620 digital output module. All of these module types are identical to the modules utilized for Common Q. CERPI also utilizes a model AO 610 analog output module, which is different than the analog output module utilized for Common 0.
Each S600 I/O module performs self-diagnostics. The diagnostics include the determination of the following:
"* The module is in the correct position
"* The module is of the right type
"* The module process connector is in place
"* The module is not defective If the I/O module diagnostics detect a fault, they set an error flag in their database. The processor module monitors the error flags for each I/O module and actuates the CERPI Trouble alarm if an error is detected.
3 Programmable Logic c. Diagnostics for the Communications Module for Controller AF 100 Network The CERPI system utilizes the Cl 631 communication module to interface with the AF 100 network. This communication module is identical to the communication module utilized for Common Q.
The Cl 631 communications module has the following diagnostics:
"* Low power supply voltage
"* Fatal hardware error
"* Fatal bus disturbance The diagnostics set the error flag for the module. The processor module monitors the error flag and actuates the CERPI Trouble alarm if an error is detected.
3 Programmable Logic d. CPU Load Diagnostic Controller The CERPI processor monitors the processor load. If the processor load increases beyond a predetermined value, the processor will initiate a CERPI Trouble alarm.
Page 7 of 15
Function Diagnostic Test 3 Programmable Logic e. Watchdog Timer and Watchdog Timer Diagnostic Controller The watchdog timer monitors the real time operation of the PLC. If the PLC halts or slows down, the watchdog timer actuates a relay that will result in the CERPI Trouble alarm.
In addition, the processor periodically tests the watchdog timer to assure that it is operating correctly.
The processor will cause the CERPI Trouble alarm to actuate if a fault is detected in the watchdog timer.
The watchdog timer and watchdog timer diagnostic are identical to that utilized for Common Q.
4 Power Supplies Power Supply Diagnostics Each redundant PLC is powered by a separate power supply. The supply is internally redundant and is identical to a Common Q power supply configured for 24 VDC. The signal conditioning is also powered from these power supplies.
The power supplies have internal monitoring to determine whether a power supply has failed. The monitoring includes:
"* Power supply fault
"* Overvoltage
"* Undervoltage If one of these conditions occurs, the internal power supply monitoring provides digital outputs that will actuate the CERPI Trouble alarm. The PLC also monitors digital outputs from the power supply and provides an indication of the power supply's status on the MTP.
5 Maintenance and Test Panel The MTP displays the date and time as an indication of MTP health.
6 Operator Flat Panel Display The OFPD displays have a dynamically updated symbol to indicate OFPD health.
Page 8 of 15
Question 1
- b. A detailed explanation of how these diagnostics were verified as actually testing those items they are supposed to test. This is usually done using some type of Verification and Validation (V& V) program.
Response
The diagnostics associated with the Advant AC 160 PLC and 3600 I/O utilized for Common Q were verified as part of the Common Q verification and validation program described in the Common Q Topical Report. This included a design life cycle evaluation and an operating history evaluation of the previously developed software, including self diagnostics. These diagnostics are described in the following sections of the response to Question 1.a. above: 1.a, 2.b, 3.a, 3.b, 3.c, and 3.e.
In addition, the AC 160 and S600 product software has the level of quality appropriate for IEC 880 Category A applications. This required a comprehensive analysis and test of the self-diagnostic software to verify that these diagnostics were actually testing those items they are supposed to test.
The diagnostics for the analog output card AO 610 are verified by operating experience and the manufacturer's design and quality program, including the module's similarity to the other S600 modules utilized for Common Q.
The diagnostics associated with the Common Q power supply, (reference item 4 in the response to Question 1.a above) of the Common Q Topical Report, were verified as part of the factory calibration procedure.
The MTP and OFPDs are identical to the Common Q equipment and the underlying diagnostics were verified as part of the Common Q program. The display formats are different and unique to the CERPI application but they utilize the same philosophy of indication of operation. The CERPI V&V program verified the CERPI specific displays.
The diagnostics that are performed by applications software in the PLC were verified by a formal V&V program performed by the manufacturer, Westinghouse Electric Company, in accordance with Westinghouse Nuclear Automation Policies and Procedures NP 4.19.1 and NA 4.6. These diagnostics are described in the following sections of the response to Question l.a. above: 1 .b., 1.c., 1 .d., 2.a., 2.c., 2.d., 2.e., 3.d.
Question 1
- c. Documentation on the quality control program used to insure these things were done.
Response
CERPI is a non-safety system. The CERPI system was designed and tested under Westinghouse's non-safety quality control program. This program is described in Westinghouse Electric Company's Quality Management System.
Page 9 of 15
Question 1
- d. Since most diagnosticsfor digital equipment test only the equipment itself, please explain how the self-test features test the non-digital portions of the systems, such as the rod position detectors and the temperature compensation signal for those detectors.
Response
The CERPI system utilizes diagnostics and applications software to test the non-digital portions of the system. These diagnostics are described in the response to Question l.a above under the categories of sensor, signal conditioning, and power supply.
CERPI utilizes sensor resistance as the input signal for the temperature calibration and the diagnostics for this are covered under the category of sensor.
Question 1
- e. A list of all standards which were used in the development of the diagnostic tests, and the reason these standardswere consideredadequate.
Response
- Common Q Equipment The diagnostics for the Common Q equipment were developed in accordance with the codes and standards described in Section 4, "Codes and Standards," of the Common Q Topical Report. The diagnostics are described in Section 6.4 of the Topical Report.
The adequacy of the codes and standards and the resultant diagnostics is described in the NRC's Safety Evaluation Reports (SER) for this topical report.
The use of equipment and associated diagnostics which has been found to be suitable for a Class 1E system was determined to be adequate for the non-safety CERPI application.
0 Analog Output Module The analog output module for the CERPI system is the Advant S600 module AO 610.
The description of the similarity of this module to its Common Q counterpart is provided in the response to Question 2 below. Based on this similarity and the commonality of the design standards utilized for the diagnostic capability for modules in the Advant S600 product line, the AO 610 is considered adequate for this non-safety CERPI application.
0 Sensor The CERPI system utilizes the same sensors as the IRPI system. The sensor diagnostics were designed in accordance with the CERPI system requirements specification and are described in the responses to Question 1.a and 1 .b above.
Page 10 of 15
The CERPI sensor diagnostics provide capability that did not exist in the original IRPI system. These diagnostics are adequate based on the improvement of capability when compared to the existing system.
0 Signal Conditioning The CERPI signal conditioning equipment diagnostics were designed in accordance with the CERPI system requirements specification and are described in the responses to Question l.a and 1.b above. The CERPI signal conditioning diagnostics provide capability that did not exist in the original IRPI system. These diagnostics are adequate based on the improvement of capability when compared to the existing system.
Question 2 Surry states that the equipment is similar to the Common Q. Please provide an exact description of the equipment used in this system. Please include in this descriptionany similarities and differences between this equipment and the Common Q equipment.
Please include a list of the industry standards used in the design, test and qualification of this equipment.
Response
The Common Q Topical Report for the Common Qualified Platform describes the following Common Q building blocks:
- 1. Advant Controller 160 (AC 160) described in Sections 5.1 and 6.2
- 2. Power Supply described in Sections 5.2 and 6.2
- 3. Flat Panel Display System (FPDS) described in Sections 5.3 and 6.2
- 4. AF 100 Communication described in Sections 5.4 and 6.2
- 5. High Speed Link (HSL) Communication described in Sections 5.5 and 6.2 Westinghouse has submitted additional information to the NRC to close open items in the NRC's SER associated with the following items:
"* Use of the PM 646A processor module
"* Power Supply
"* Flat Panel Display System
"* Watchdog Timer The industry standards used in the design, test, and qualification of the Common Q equipment are provided in Section 4 of the Topical Report.
The description of the CERPI equipment and a comparison of it with the Common Q equipment are provided in the Table below:
Page 11 of 15
CERPI Equipment Description Common Q Comparison Reference Equipment 1 Advant AC 160 model RF 616 subrack Same Identical 2 Advant AC 160 model RF 620 Same Identical extension subrack 3 Advant AC 160 model Cl 631 Same Identical communications module 4 Advant AC 160 model PM 646A Same Identical processor module 5 Advant S 600 model Al 620 analog Same Identical input module 6 Advant S 600 model DI 620 digital Same Identical input module
- 7. Advant S600 model DO 620 digital Same Identical output module 8 Advant S600 model AO 610 analog Model AO Similar output module 650 analog See the Similarity output Analysis that follows module this table.
9 Advant AC 160 model RB 601 dummy Same Identical module 10 Westinghouse Common Q Power Same One of the available Supply - configured for redundant 24 configurations for the VDC outputs Common Q power supply.
11 Westinghouse Maintenance and Test Same Identical Panel 12 Westinghouse Operator Flat Panel Same One of the available Display - configured for a 12 inch configurations for the display Common Q Flat Panel Display.
13 Advant AC 160 model TC 514 Fiber Same Identical Optic Modem - used for communication with the Operator Flat Panel Display.
Page 12 of 15
CERPI Equipment Description Common Q Comparison Reference Equipment 14 Allied Telesyn model AT-MC 102XL None This modem fiber optic modem for Fast Ethernet provides electrical isolation by converting the Ethernet signal from the MTP to a fiber optic signal to the plant computer interface equipment.
It satisfies the Common Q requirement for electrical isolation of the MTP. Although not required for the non-safety CERPI application this modem was used to allow the cable run to be fiber optic.
Page 13 of 15
Similarity Analysis Analog Output Module AO 610 and Module AO 650 The CERPI analog output is required to interface with the process instrument racks for the pulse to analog converter function. The performance of the analog output must be equal to, or better than, the performance of the analog equipment it is replacing; furthermore, it must be compatible with the interface characteristics of the process instrument racks. The table below provides a comparison of the CERPI analog output module with the Common Q analog output module.
Characteristic Plant Specific AO 610 AO 650 Technical Comparison Interface Technical Data Data Number of 4 or more 16 8 Both are Outputs adequate Short Circuit Required Open and short Open and short Both are and Open circuit circuit protection adequate Circuit protection Protection Output Range 0 to +10 VDC 0 to +10 VDC 0 to +5 VDC Both are 0 to +21 ma 0 to +10 VDC adequate
+1 to +5 VDC
-10 to +10 VDC
-20 ma to + 20 ma Isolation Not required 500 V RMS for 500 V RMS for Both are each group of each channel adequate 16 Overrange 0 to > +10 0 to 10.5 VDC 0 to 11.5 VDC Both are VDC (listed for range of adequate interest only)
Analog Output + 0.43% 0.1% 0.1% Both are Error budgeted for adequate all PLC equipment Resolution 12 bits 12 bits 12 bits plus sign Both are adequate Output < 2 seconds 20 milliseconds 8 milliseconds Both are Transfer Time budgeted for adequate complete system time response Page 14 of 15
Question 3 If this equipment is a Common Q system, please show how the plant specific requirements shown in the NRC SER on the Common Q were met.
Response
The CERPI system utilizes Common Q equipment and other equipment as described in the responses to Questions 1 and 2 above. The CERPI system is not a Common Q system because it is a non-safety related system. The CERPI system was qualified for structural integrity.
C. Summary The CERPI system provides extensive diagnostics to detect and alarm failures. These diagnostics are performed while the system is operating on-line and replace the existing monthly analog rod position test performed on the existing IRPI system.
The current monthly test of the IRPI system requires that each of the 48 IRPI channels be taken out of service. Mechanical devices, subject to wear, are utilized to switch the signal from the sensor to a test source, and the test source is then used to cause a rod bottom alarm, thus checking the setpoint value. The current monthly test causes a significant number of alarms in the control room.
The CERPI system diagnostic capability provides significant advantages relative to the existing monthly test required for the IRPI system. These advantages are:
"* Thorough testing - replacing the single test that verifies the alarm setpoint.
"* More frequent testing - on-line diagnostics are performed at a significantly shorter interval than monthly.
"* Increase in system availability - no down time required for monthly testing.
"* Decrease in control room alarms - diagnostics cause no alarms to be generated unless there is an equipment failure.
Page 15 of 15