ML031970017

From kanterella
Jump to navigation Jump to search
Response to Request for Additional Information to Proposed Amendment to Technical Specification 3.2.4, 3.3.1, & 3.3.3
ML031970017
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 07/10/2003
From: Mauldin D
Arizona Public Service Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
102-04964-CDM/SAB/DWG
Download: ML031970017 (18)
v  d  e


Text

11iR 10 CFR 50.90 David Mauldin Vice President Mail Station 7605 Palo Verde Nuclear Nuclear Engineering TEL (623) 393-5553 P.O. Box 52034 Generating Station and Support FAX (623) 393-6077 Phoenix, AZ 85072-2034 102-04964-CDM/SAB/DWG July 10, 2003 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Mail Station P1-37 11555 Rockville Pike Rockville, MD. 20852

Reference:

Letter 102-04864-CDM/TNW/DWG, "Request for Amendment to Technical Specifications: 3.2.4, Departure From Nucleate Boiling Ratio (DNBR),

3.3.1, Reactor Protective System (RPS) Instrumentation - Operating, 3.3.3, Control Element Assembly Calculators (CEACs)" , dated November 7, 2002, from C.D. Mauldin, APS to USNRC

Dear Sirs:

Subject:

Palo Verde Nuclear Generating Station (PVNGS)

Units 1, 2, and 3 Docket Nos. STN 50-528/5291530 Response to Request for Additional Information to Proposed Amendment to Technical Specification 3.2.4, 3.3.1, and 3.3.3 In the letter referenced above, Arizona Public Service Company (APS) requested an amendment to Technical Specification (TS) 3.2.4, Departure From Nucleate Boiling Ratio (DNBR), 3.3.1, Reactor Protective System (RPS) Instrumentation - Operating, and TS 3.3.3, Control Element Assembly Calculators (CEACs). During the review, members of the staff from the NRC Reactor Systems Branch requested additional information related to the proposed amendment. APS has provided the additional information requested in the enclosure to this letter.

No new commitments are being made to the NRC by this letter. Should you have any questions, please contact Thomas N. Weber at (623) 393-5764.

Sincerely, CDM/SAB/DWG/kg

?,)a! Fed(~ 4Z Enclosure cc: Regional Administrator, NRC Region IV J. N. Donohew N. L. Salgado A. V. Godwin

%2CrcA

STATE OF ARIZONA )

) ss.

COUNTY OF MARICOPA )

1, David Mauldin, represent that I am Vice President Nuclear Engineering and Support, Arizona Public Service Company (APS), that the foregoing document has been signed by me on behalf of APS with full authority to do so, and that to the best of my knowledge and belief, the statements made therein are true and correct Sworn To Before Me This 10 Day Of 2 gz

.QjlA l 2003.

Notary Public Notary Commission Stamp

ENCLOSURE Response to Request for Additional Information to Proposed Amendment to Technical Specifications 3.2.4, 3.3.1, and 3.3.3

Response to Request for Additional Information to Proposed Amendment to Technical Specifications 3.2A, 3.3.1, and 3.3.3 Detailed below are Arizona Public Service Company's (APS) responses to the six specific requests for additional information requested by the NRC Reactor Systems Branch pertaining to the implementation of the new Core Protection Calculator System (CPCS) at Palo Verde Nuclear Generating Station (PVNGS).

NRC Reauest #1:

The licensees post-installation test program includes using a Core Protection Calculator (CPC) simulation program after startup that calculates local power density (LPD) and departure from nucleate boiling ratio (DNBR) based on actual plant parameters and compares to CPC LPD and DNBR values.

a. At what power level(s) will this testing be performed? Include a discussion of the consequences should an anticipated operational occurrence which relies on these trips occur during power ascension and prior to the testing being completed and verified.
b. Please provide the acceptance criteria values which will be used to determine that the CPC calculated LPD and DNBR values are acceptable. Also provide the basis for these acceptance criteria.
c. Please discuss any benchmarking or validation process used to ensure the accuracy of the CPC simulation program.

APS Response to Request #1:

The use of the CPC simulation program after startup only serves as a form of channel check. The CPCs will be declared operable prior to exceeding 1x10 4% neutron rated.

thermal power (NRTP) during startup based on the satisfactory completion of other testing.

The intent of using the simulation program is to compare what the CPCs calculate for DNBR and LPD with a computer program using the same input data and similar algorithms. The plant computer generates a CPC report which gives the input values (reactor coolant system hot and cold leg temperatures, pressure, flow - pump speeds, CEA positions, and three excore axial power signals) and the output values of DNBR and LPD for each channel.

Since these values are nearly simultaneously recorded, variance in data collection is minimal. The difference between the program algorithms is that the CPCs calculate dynamic values whereas the simulation program only calculates static values.

Nonetheless, this methodology provides very accurate comparisons.

1

a. Test data used for comparison with the simulation program is currently scheduled to be obtained at the 20%, 70%, and 100% power plateaus.

APS does not expect the consequences of an event to be any different with the new CPCS during power ascension. As specified in Technical Specification (TS) 3.3.1, the CPCs are required to be operable at greater than or equal to 1x104% NRTP.

Prior to exceeding 1x10 4% NRTP the CPCs will be declared operable based on the satisfactory completion of testing that validates the as-built system against system functional and performance requirements. The diversity and depth of the various scheduled tests provide sufficient confidence that the new CPCS will perform as designed during an anticipated operational occurrence. These tests include, but are not limited to, the following:

1) Factory Acceptance Tests (FATs) - module tests, unit tests, one channel system tests, four channel system tests, one channel hardware factory acceptance tests
2) Site Acceptance Tests (SATs) - point to point wiring checks, power checks, annunciator tests, time response tests, channel calibration tests, channel functional tests The test using the CPC simulation program is a secondary check that verifies the fundamental inputs, the static algorithms/programs, and addressable constants are properly functioning in a manner independent from the other tests.
b. The final acceptance criteria has not yet been determined. An analysis package is being developed to quantify the acceptance criteria. To ensure that the data and therefore the acceptance criteria are representative of the conditions under which Unit 2 will experience, plant data was gathered during the Unit 1 and Unit 3 Cycle 11 startup testing. The data collection and comparison to the CPC simulator program is a normal activity as part of the PVNGS initial reload power ascension testing. Statistical analysis of the Unit 1 and Unit 3 data resulting in a 95/95 probability/confidence level will be used as the basis for the acceptance criteria used in Unit 2.

The planned method for determining acceptable CPC LPD and DNBR values using the CPC Simulator will basically be as follows:

1. The CPC Simulator will calculate a static LPD and DNBR using the following information:
  • Reload Data Block (cycle independent constants used by the CPCs in the algorithms to calculate DNBR, LPD, etc.)
  • Addressable Constant values from the Addressable Constant Log (type I and type 11) located in the unit control room
  • Plant data taken during startup testing 2
2. The static values calculated by the CPC Simulator will then be compared with dynamic values calculated by the installed CPCs.
3. The results will then be evaluated.
c. The CPC simulator program was developed in accordance with the PVNGS quality assurance program. As such, it has been independently validated and verified.

This program is used routinely when addressable constants are changed to ensure proper installation of these new constants.

NRC Request #2:

The licensee states that the PVNGS UFSAR Chapter 15 analyses are not impacted by the upgraded CPCS. Please provide quantitative results which demonstrate that the UFSAR Chapter 15 assumptions for CPC performance, response time and accuracy will continue to be satisfied with the upgraded CPCS.

APS Response to Request #2:

CPCS performance is measured in the response time and accuracy of the CPCS output. Table 2-1 below provides the comparison of the Common Q CPC response time to the response times specified for the CPC related inputs listed in the Updated Final Safety Analysis Report (UFSAR) Table 7.2-4AA, "Reactor Protection System Response Times".

Table 2-1 Time Response Comparison Input UFSAR Ch 15 Response Time Total CPC Output to CPC Output (seconds) Response Time (seconds)

(Note 6) (Note 7)

Excore (Nis) 0.6000 0.1475 (Note 1)

T-cold 0.6000 0.5943 (Note 2)

T-hot 0.6000 0.5943 (Note 2)

CEA Position 0.6000 0.4960 (CEAC PF)

(Note 3)

CEA Position CPC 1.2000 1.0680 (Note 3)

Pressurizer 0.6000 0.1775 Pressure (Note 4) 3

Table 2-1 Time Response Comparison (cont'd)

Input UFSAR Ch 15 Response Time Total CPC Output to CPC Output (seconds) Response Time (seconds)

(Note 6) (Note 7)

RCP Speed 0.1500 0.1255 (Loss of AC)

(NoteS)

Table 2-1 Notes

1. Measured from the detector output
2. Measured from the resistive-temperature detector (RTD) output
3. Measured from the sensor output
4. Measured from the pressure transmitter output
5. Measured from the pulse shaper input
6. UFSAR Table 7.2-4AA provides the basis for Chapter 15 response times and includes Reactor Trip Switchgear Breaker opening time of 0.15 seconds. Since there are no changes being made to the reactor trip switchgear as a result of implementing the new CPCS, the UFSAR represented value has been reduced by 0.15 seconds for the purpose of addressing CPC response times only.
7. The total CPC output response times are conservative (i.e., not to exceed) analytical values.

The processing uncertainties of the Upgrade CPC, defined as those resulting from the differences in machine precision between CPCS and the more accurate CPC/CEAC Fortran Simulation, continue to be bounded (as was the case with the legacy CPCS) by those used in the safety analysis as demonstrated in Table 2-2 below:

Table 2-2 Processing Uncertainty Comparison PVNGS Safety Analysis Assumptions Upgraded CPCS Uncertainties DNBR +/- 0.0093 DNBR -0.00061, +0.00018 LPD +/- 2.204% LPD -0.059%, +0.081%

NRC Request #3:

The licensee states that the upgraded CPCS will utilize safety-related algorithms which are functionally identical to the existing CPCS. Please define exactly what is meant by "Functionally identical" (e.g., calculation method, frequency of calculation,...) and discuss any verification and validation processes performed to ensure identical functionality.

4

APS Response to Request #3:

"Functionally identical" means that the algorithms will accomplish the same function within the same requirements for system time response and accuracy. Table 3-1 below shows a comparison of algorithms between the two systems:

Table 3-1 Algorithm Comparison Legacy CPCS l Upgraded CPCS ALGORITHM INPUTS: ALGORITHM INPUTS:

1. Channel A CEAs - 22 CEAs from RSPT1. 1. Channel A CEAs - 22 CEAs from RSPT1, redundantly processed by two CEA Position Processors (CPPI and CPP2) within CPC channel A, plus all other CEAs via fiber optic links from the other three CPC channels.
2. Channel B CEAs -67 CEAs from RSPT1 plus 2. Channel B CEAs - 67 CEAs from RSPT1, 22 CEAs from CPCS A via isolation amplifier. redundantly processed by two CEA Position Processors (CPP1 and CPP2) within CPC channel B, plus all other CEAs via fiber optic links from the other three CPC channels.
3. Channel C CEAs -67 CEAs from RSPT2 plus 3. Channel C CEAs - 67 CEAs from RSPT2, 22 CEAs from CPCS D via isolation amplifier. redundantly processed by two CEA Position Processors (CPP1 and CPP2) within CPC channel C, plus all other CEAs via fiber optic links from the other three CPC channels.
4. Channel D CEAs - 22 CEAs from RSPT2. 4. Channel D CEAs - 22 CEAs from RSPT2, redundantly processed by two CEA Position Processors (CPP1 and CPP2) within CPC channel D, plus all other CEAs via fiber optic links from the other three CPC channels.

I 5. CEA Penalty Factors (PF) - Each channel 5. CEA Penalty Factors (PF) - Each channel receives a CEACI PF from CEACI located in calculates its own CEAC1 and CEAC2 PF from CPC channel B, and a CEAC2 PF from the CEA inputs received.

CEAC2 located in CPC channel C.

6. RCP Speed 6. No change.
7. Excore Neutron Flux 7. No change.
8. Pressurizer Pressure 8. No change.
9. Hot Leg Temperature 19.No change.
10. Cold Leg Temperature 10. No change.

ALGORITHM LPD AND DNBR TRIP AND ALGORITHM LPD AND DNBR TRIP AND PRETRIP OUTPUTS: PRETRIP OUTPUTS:

1. A total of four contacts per channel are 1. No change.

provided to the Plant Protection System.

5

Table 3-1 Algorithm Comparison (contd)

Legacy CPCS Upgraded CPCS OTHER CPCS OUTPUTS: OTHER CPCS OUTPUTS:

1. DNBR Margin, LPD Margin and Excore Power 1. No changes, except that the DNBR Margin are displayed on main control board meters signal is re-ranged from 0-10 to 0-2 for better and are transmitted to the PMS computer via resolution.

the Remote Input System (RIS).

2. A number of annunciator outputs are available 2. The total number of annunciator outputs are from each CPC channel (CEA Withdrawal increased due primarily to the addition or Prohibit, CPC sensor failure, CPC failure, removal of components (e.g., increased DNBR/LPD bypass) while others are from number of CEACs, addition of CEA Position specific CPC channels (CEAC inoperable, Processors (CPPs), removal of CPIAs, etc).

CEA sensor failure, CEA deviation, CEAC failure, CEA Position Isolation Amplifier (CPIA) test enable)

3. The Remote Operators Module serves as the 3. The function of the ROM is duplicated on the only safety related operator interface to the Operators Module (OM) in the control room, CPCS. The module is very simple, with only a and the Maintenance and Test Panel (MTP), in three digit numeric display to indicate the Point the Auxiliary Protection Cabinet (APC).

ID (PID) of interest, and a 5 digit display to Although these are both Class 1E devices, indicate the value of the selected PID, and a neither is required for the CPCS to perform its small number of switches and lamps. safety function. Loss of either will not cause a channel trip. The displays are Flat Panel Displays (FPDs) touch screens. There is one display to mimic the existing ROM, plus many others to show groups of data, perform simple trending, check system health, and to perform STs and maintenance functions.

4. Data transmission to the PMS computer is 4. Data transmission to the PMS computer is performed over a serial link by each of the 4 accomplished as follows. Each of the four CPCs and 2 CEACs. The data transmission MTPs transmits a data file that contains the occurs every 10 minutes, or on operator information for the CPC and two CEACs for demand. that channel. This information is broadcast about every second over an ethernet link. To maintain compatibility with the PMS system (which is not changed by the CPC upgrade), a new, non-safety, data-link computer is added between the upgraded CPCs and the PMS.

This computer translates the data, the data format, the transmission method and period of transmission so that the PMS receives the same information as it did with the legacy CPC system.

ADDRESSABLE CONSTANTS: ADDRESSABLE CONSTANTS:

(See response to NRC Request #6.) (NA) 6

Table 3-1 Algorithm Comparison (cont'd)

Legacv CPCS Unaraded CPCS ALGORITHM OVERVIEW: ALGORITHM OVERVIEW:

1. Four interdependent programs, all running on 1. No change, except that FLOW, UPDATE and a CPC processor in each of the 4 channels. TRIPSEQ programs/modules are all called The programs are titled FLOW, UPDATE, within one task, in that order.

POWER, and STATIC. There is also a subroutine called TRIPSEQ that is called just after FLOW and just after UPDATE.

2. The CEAC Penalty Factor program is running 2. There are two CEAC processors in each of the on the CEAC processor in Channel B and C. four CPC channels, each running the CEAC Penalty Factor program.

NOTE: ALGORITHM CHANGE INTRODUCTION:

For the purposes of the CPC upgrade, CPC software changes can be divided into three types, Palo Verde Specific Algorithm changes, Generic Common Q Implementation Algorithm changes, and non-algorithm changes. Generic Common 0 Implementation Algorithm changes have been reviewed and approved by the NRC via the UNRC SER for Generic Common Qualified (Common 0) Platform Topical Report". These first two classes of software changes must have a very specific test program performed as part of the software V&V. This testing is discussed further in the response to this question. This testing is being performed as part of this CPCS replacement project and is being conducted by Westinghouse. The non-algorithm software changes require a software lifecycle management program commensurate with their safety risk.

PALO VERDE SPECIFIC ALGORITHMS PALO VERDE SPECIFIC ALGORITHMS CHANGES CHANGES

1. A Reactor Power Cutback System (RPCS) is 1. The only Palo Verde specific algorithm change used at PVNGS to drop selected CEAs into the is related to the RPCB Flag programming core to reduce reactor power rapidly during a error. This programming error has required large loss of load or loss of a main feedwater that all three RPCB subgroups be selected pump. This allows other control systems to during normal operation.

maintain the plant in a stable condition without a reactor trip, and without lifting any safety Correcting this coding deficiency would result in the CEACs recognizing a slipped rod in valves during loss of large load transients with group 5 or 4 during a reactor power cutback the condenser available. event, resetting the flag following identification The Reactor Power Cutback (RPCB) algorithm of slippage prior to completion of the time in the existing CEAC program monitors CEA delay, and preventing unnecessary delay in movement and position for indications of a updating radial peaking factors and RPCB event. If one or both RPCB-designated determining if a subgroup deviation or out of CEA Regulating Groups (lead groups 5 and 4) sequence CEA configuration exists.

are observed to be dropping (and no other Correcting this deficiency would also allow the CEAs are dropping, thus distinguishing it from units the option of selecting either one or both a normal reactor trip), the RPCB flag is set for RPCB groups (manually or automatically).

a specified time delay.

This change would restore the operation of the The duration is in seconds and is an addressable constant. This flag is transmitted Reactor Power Cutback System to its fully intended function as described in section to the CPCs and is used by the CPCs to delay 7.7.1.1.6 of the Palo Verde Updated Final application of increased radial peaking factors Safety Analysis ReDort (UFSAR). This would 7

Table 3-1 Algorithm Comparison (cont'd)

Legacy CPCS Upgraded CPCS PALO VERDE SPECIFIC ALGORITHMS PALO VERDE SPECIFIC ALGORITHMS CHANGES (cont'd) CHANGES (cont'd) due to the lead group insertions. The result in minimizing excessive power algorithm is presently coded to accommodate reductions for events that initiate a reactor dropping or bottomed CEAs. power cutback when only one group is needed to stabilize the plant within the capability of During an event in 1991, lightning struck the other control systems [i.e., Steam Bypass Unit 3 main transformer causing a generator Control System (SBCS) and Feedwater and turbine trip. This event was documented Control System (FWCS)] as intended.

in Licensee Event Report (LER) 91-008-00.

The RPCB system initiated the drop of Regulating Group 5. At this time the unit was exercising the option of selecting and dropping only the lead group. Subsequently, Regulating Group 4 was inserted into the core to further reduce reactor power.

Approximately at the end of the first time delay, CEA subgroup 22 of Regulating Group 4 slipped approximately 11 inches causing a second time delay. Because CEA subgroup 22 was misaligned from the other subgroup in the group, a CPC DNBR trip was generated when the second time delay ended. Review of the software indicated that a RPCB subgroup slipping could set the RPCB flag, but would not reset the flag when the slip stopped.

This is a deficiency in the software and System Requirement Specifications (SysRS). As a compensatory action, the procedures were changed to require selecting both RPCB regulating groups such that an RPCB event would require both groups to fully insert.

It is noted that if the subgroup were not part of the RPCB groups, the RPCB (time delay) flag would not have been set a second time.

GENERIC ALGORITHM CHANGES: GENERIC ALGORITHMS CHANGES:

1. FLOW Timing - 50ms 1. FLOW Timing - No change
2. UPDATE Timing - 1OOms 2. UPDATE Timing - 50ms
3. POWER Timing - 1 second 3. POWER Timing - 250ms
4. STATIC Timing - 2 seconds 4. STATIC Timing - no change
5. TRIPSEQ Timing - Called just after FLOW and 5. TRIPSEQ Timing - Called just after UPDATE.

just after UPDATE as a subroutine FLOW, UPDATE and TRIPSEQ are all in one task.

6. CEAC Penalty Factor Timing - lOOms 6. CEAC Penalty Factor Timing - No change.

8

Table 3-1 Algorithm Comparison (cont'd)

Legacy CPCS Upgraded CPCS GENERIC ALGORITHMS CHANGES (cont'd):

It was initially intended that the FLOW, UPDATE, POWER, STATIC, TRIPSEQ and CEAC Penalty Factor Programs/Modules all run at the same frequency as the legacy CPCS.

Changes were made subsequent to the CPC SE to correct problems discovered during analysis and testing of the CPC Algorithms (as implemented on the Common-Q hardware). The required safety analysis response time was not met for all accidents due to the hardware implementation chosen for the Common-Q system. However, the safety analysis response times could be met by speeding up the cycle times (program timing) of the Power module (from 1second to 0.25 seconds) and Update module (from 1OOms to 50ms). This solved the primary response time issue, but created two smaller issues.

First, it increased the statistical probability that a RPCB flag might not be set soon enough during a valid RPCB event, and a plant trip might occur. An existing software task in the CEAC CPU that transfers data from global memory to the HSL was made into two separate tasks to ensure this would not occur. This change is completely removed from the Penalty Factor task running in the same CPU, which remains unchanged.

Second, there would have to be a change to part of the lead/lag filter code in the program UPDATE.

This portion of the code looks at a parameter, for example temperature, at the current value, and at the value for the three previous executions of the software module.

If the execution time is cut in half (the solution for the overall response time problem mentioned previously), then the filter is only looking at that parameter for half the period of time than it was previously looking at. By looking at the parameter for twice the number executions, but just using the value from every other execution. The change was verified to be functionally equivalent by re-running a set of transient test cases on the modified FORTRAN code and getting the same output results.

9

Table 3-1 Algorithm Comparison (cont'd)

Legacy CPCS 1-Upgraded CPCS OTHER GENERIC ALGORITHM CHANGES: OTHER GENERIC ALGORITHM CHANGES:

7. NA 7. In the "NRC SER for Generic Common Qualified (Common 0) Platform Topical Report", the NRC discusses how the Common Q replacement CPCS will run CPC Safety Related algorithms functionally identical to the existing core protection calculators in existing Combustion Engineering (CE) plants.

The generic exception is for those software changes to reflect new hardware platform features (such as diagnostics and error handling) and backplane communications between the CPCS and CEACs in the proposed Common 0 replacement system.

4.

NON ALGORITHM CHANGES: NON ALGORITHM CHANGES:

These new features are not considered algorithm changes since they do not cause a change to the CPC algorithms.

1. CEA Rate of Change Reset 1. The coding enhancement in the replacement In the existing CPCS and when monitoring CPCS would allow the operators to manually CEA positions, the CEAC program performs reset the CEA position in the CEAC to the validity checks of the CEA input signal. These current good position (as validated by checks consist of 1) a range check to verify the redundant position RSPT/Pulse Counter CEA position is within the CEA operating band indication) without rebooting, thus reducing and 2) a rate of change check to verify CEA operational delays. There is no impact on movement is reasonable. DNBR and LPD.

The range check is a comparison of the CEA If the condition is due to the software lock-in, position to the lower and upper limit of the then continued group movement will create a operating band and to lower and upper failed deviation and generate a penalty. This would sensor setpoints, which are outside the be a very conservative response. If the CEA operating band. If the CEA position is position deviation is real, both CEACs will detected outside the failed sensor setpoints, monitor it and respond accordingly.

the CEA is considered failed; but the failure can be automatically cleared if the position is detected inside the failed sensor setpoints.

The rate of change check is a comparison of the present CEA position with its position from the previous program execution (i.e., every 0.1 seconds). If this difference exceeds a preset limit (e.g., due to erratic RSPT indication), and then the CEA sensor is considered failed, a CEA Sensor Failure alarm is activated, and the last good position is retained.

10

Table 3-1 Algorithm Comparison (cont'd)

Legacy CPCS Upgraded CPCS NON ALGORITHM CHANGES (cont'd):

In essence, this freezes or locks in the CEA's indicated position. If group movement were continued, and the affected CEA continued to move with its group, a pseudo CEA deviation could develop which (for 12-fingered CEAs) would result in a penalty being transmitted to the CPCs causing a CPC DNBR trip.

The only options in the existing CPCS to clear this position lock is to either reverse movement of the group until all CEA positions in the group are indicating the same position (which may not be preferred if CEAs were moved for ASI control) or to stop CEA movement and call a technician to reboot the computer.

2. The Power Calibration ST performs a manual 2. The Power Calibration ST is automated. The calculation of new ACs using a power value only manual steps areto enter a power value from the PMS COLSS and other primary from PMS COLSS into the OM, initiate the system parameters read from CPCs. calculation, and then approve the calculation.
3. Sensor Status Word (SSWs) are displayed in 3. The Sensor Status Words (SSWs) are hexadecimal format. The hexadecimal word decoded and displayed on the OM and MTP must be manually decoded by operations to as a list of sensors that are failed or not failed.

determine the failed sensor.

4. Point ID (PIDs) numbers are the only 4. The new system displays all parameter values identifying characteristic of any parameter. with the associated PID number, as well as a short label and a full description (depending on display). Some PID numbers have been changed.
5. Pre-trips for auxiliary trips do not exist. 5. A new CPC Auxiliary Trip Pretrip for ASI, ASGT, VOPT and Hot Leg at Saturation are created outside of the Westinghouse provided I CPC system using information transmitted to the Plant Monitoring System. These are intended only as operator aids and serve no safety function.

Upgraded CPCS Algorithm Verification and Validation Process As a clarification, both Westinghouse and APS use the term Verification and Validation (V&V) to describe a specific portion of the software life cycle process as described in various IEEE documents. The testing of the CPC algorithms to meet requirements was performed as part of the design process and performed by the Westinghouse CPC design team. The Westinghouse V&V team, which has a separate reporting structure, reviewed these results as part of their efforts. As previously stated, the testing of the upgraded CPCS algorithms was conducted by Westinghouse as outlined below:

11

1) Upgraded CPCS Algorithm Testing - Phase I This testing is performed to verify the implementation of modifications to the CPC/CEAC software. This testing is performed on relatively small, single-entry/single-exit segments of the code called modules. Inthe upgraded CPCS, these modules consist of individual custom PC elements or groups of elements. Module testing will be performed for the custom PC elements used in each of the CPCS processors (CPC, Aux CPC, CEAC and CPP). Inputs are applied and outputs are recorded using the module test function of the I/O Simulator and the SCF. Module test cases will be developed based on Phase 1 test cases used for the legacy CPCS, and/or based on inputs calculated to exercise the branches in the Common Q C code. An automated branch coverage tool, LDRA, is used to demonstrate branch coverage. Acceptance criteria for test outputs is based on the legacy CPCS Phase 1 testing with an expected result of 0.1%. The module test documentation lists the modules to be tested, their constituent PC elements, the input method and the basis for the test cases.
2) Upgraded CPCS Algorithm Testing - Phase II Phase II testing is comprised of the Input Sweep Test, Dynamic Software Verification Test and the Live Input Single Parameter Test.

Input Sweep Test The Input Sweep Test has three main functions:

1. Determine the processing uncertainties of the CPC/CEAC algorithms as used in the CPC/CEAC system hardware that are inherent in the design. Processing uncertainties are defined as those resulting from differences between the machine precisions of the CPCS and the more accurate CPC/CEAC FORTRAN simulation.
2. Verify the CPC/CEAC algorithms will initialize to a steady state condition for a large number of input combinations.
3. Identify any abnormalities in the CPC/CEAC algorithms that were previously not uncovered.

Dynamic Software Verification (DSVT) Test The Dynamic Software Verification Test has the function to verify that the dynamic response of the integrated CPC software is consistent with that predicted by design analysis.

CEN-39 requires five specific dynamic test cases be executed, at a minimum, for any CPC algorithm change. In addition to the five required tests a number of other test cases from CEN-39 were chosen to cover each major test category since the software was completely written. Other test cases were also selected or created 12

due to the change to fix the reactor power cutback (RPCB) programming error, and to verify the revised treatment of the control element assembly (CEA) penalty factors.

The following dynamic test cases were used to verify functional equivalency for the algorithm timing changes:

  • four pump loss of flow
  • one CEA drop (full-length rod)
  • controlled startup
  • one target part length rod drop a RPCB - drop of lead bank
  • RPCB - drop of next to lead bank then lead bank (expected
  • uncontrolled bank withdrawal worth transient)
  • 100-125% power ramp
  • RPCB noise fix
  • 30-70% power increase (fast ramp)
  • rapid deprssurization* CEA Calculator (CEAC) failures
  • part length group exercise
  • pump speed ramp (100-90%)
  • low temperature, high pressure
  • temperature ramp (increase Tcold by (CEAs out) 20 deg F)
  • axial shape index (ASI) range
  • single CEA ramp (non-target rod limit (CEAs out) withdrawal)
  • excore detector ramp 5-35%
  • hot leg saturation trip (Thot Increasing and back ramp)

The Live Input Single Parameter (LISP) Test The Live Input Single Parameter Test has three main functions:

1. To verify that the dynamic response of the integrated CPC/CEAC software and hardware is consistent with that predicted by design analysis.
2. To supplement design documentation quality assurance, Phase I module tests, Input Sweep tests, and DSVT testing in assuring correct implementation of software modifications.
3. To evaluate the integrated hardware/software system during operational modes approximating plant conditions.

13

The following Live Test Input Cases were run:

  • RCP ramp (100-90% rated speed)
  • excore detector ramp (100-125% power)
  • cold leg temperature ramp (565.5 to 595.5 deg F)
  • primary pressure ramp (2250 to 1850 psia)
  • non target CEA withdrawal (73 to 95 inches withdrawn)

NRC Request #4:

Please discuss any impacts of the upgraded CPCS on the relationship and compatibility with the Core Operating Limit Supervisory System (COLSS).

APS Response to Request #4:

There is no "direct" data transfer between the CPCS and COLSS. There is a minor relationship, as described in Table 4-1 below:

Table 4-1 COLSS Relationship Comparison Legacy CPCS Upgraded CPCS POWER CALIBRATION: POWER CALIBRATION:

1. To perform the power calibration of the excore 1. In the upgraded system, the power calibration nuclear instruments, operations personnel is partially automated. A value from COLSS perforn a manual calculation at steady state (typically JSCALOR) will be manually entered power using a value from COLSS (typically into the CPCS at the Operators Module. The JSCALOR). This JSCALOR value and other new CPCS will directly perform the calculation plant data values taken from the CPCS are for the new ACs, without any manual combined in a manual calculation that result in calculation by the operators. The calculated new addressable constants (ACs) that would results will be presented to the operators.

be entered manually into the CPCS. When authorized (typically by the Control Room Supervisor), the CPCS will also replace the old ACs with the new ACs without any further manual entry by the operators.

NRC Request #5:

The Control Element Assembly Calculators (CEAC) calculate CEA position related penalty factors for use in the CPCs. Isthe CEAC calculation of the penalty factors in the upgraded CPCS identical to the method used in the current system? Please provide a discussion and justification for any differences.

APS Resoonse to Reauest #5:

The CEAC calculation of the penalty factors in the upgraded CPCS is functionally identical to the method used inthe current system.

14

NRC Request #6:

Please discuss any impacts of the upgraded CPCS on the CPC Addressable Constants.

APS Response to Request #6:

There are no functional changes to the CPC Addressable Constants (ACs) implemented by the new system. However, the upgraded CPC does provide a better HMI to view or change ACs. Table 6-1 below summarizes the differences associated with ACs between the two systems:

Table 6-1 Addressable Constant Comparison Legacy CPC Upgraded CPC ADDRESSABLE CONSTANTS: ADDRESSABLE CONSTANTS:

There are: No change in amount, function, or definition.

  • 9 type I ACs for the CPC However, associated point IDs for some ACs have changed. These changes have been identified
  • 35 type 11ACs for the CPC and are being updated in applicable procedures.
  • 1type 11AC for the CEAC.

All ACs have specific functions and definitions.

The CPC has the ability to upload and download This feature is expanded to include type I ACs.

type 11addressable constants to and from removable media, thereby reducing the potential for errors due to manual entry.

The CPC performed a range check of ACs. No change.

Palo Verde has administrative controls in place for No change.

changing type I ACs and type 11ACs.

15

Retrieved from "https://kanterella.com/w/index.php?title=ML031970017&oldid=2691733"