ML100690392

From kanterella

Licensee Slides from 3/3/2010 Meeting with Pacific Gas and Electric Company to Discuss Digital Upgrade and Eagle-21 Portion of Reactor Trip System at Diablo Canyon Power Plant, Units 1 and 2
ML100690392
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 03/03/2010
From: Hefler J, Shannon Patterson, Quinn T, Schrader K
Pacific Gas & Electric Co
To: Wang A
Plant Licensing Branch IV
Wang, A B, NRR/DORL/LPLIV, 415-1445
References
TAC ME1778, TAC ME1779


Text

DIABLO CANYON POWER PLANT PROCESS PROTECTION SYSTEM REPLACEMENT
Phase 0 Discussions, March 3rd, 2010

Scott B. Patterson, Pacific Gas & Electric Co., Avila Beach, CA, sbp1@pge.com, 805-545-4082
Ken Schrader, Pacific Gas & Electric Co., Avila Beach, CA, kjse@pge.com, 805-545-4328
John Hefler, Altran Solutions Corp., San Francisco, CA, jhefler@altransolutions.com, 415-543-6111
Ted Quinn, Altran Solutions Corp., San Francisco, CA, tedquinn@cox.net, 415-543-6111

Agenda

  • Introductions
  • Update on Project Schedule
  • Diversity and Defense-in-Depth Evaluation
  • ISG-6 schedule and use
  • Security
  • Communications
  • PG&E's plans for software development
  • Public Comments
  • Closing Comments/Adjourn

Update on Project Schedule

  • Delays
      • 2010 budget was reduced, which delayed our Process Control System (PCS) replacement by 20 months
      • PCS has to be installed prior to the Process Protection System (PPS)
      • This pushed the PPS replacement schedule by 20 months
  • ISG 6 delayed until May 2010
      • Need this to be able to follow guidance and provide feedback as a pilot plant
  • These delays allow more time to prepare and understand the requirements
  • Expected LAR submittal is May 2011, reference documents earlier

Diversity and Defense-in-Depth Evaluation

  • PG&E Internal Reviews are complete
  • ALS Topical Report submittal required before we submit the D3 Evaluation?
      • Our D3 Evaluation takes credit for features of this platform
      • Specifically that it is not susceptible to CCF
      • Without this feature, the architecture will need to change
  • Forecast for ALS Topical Report submittal is late March
  • Expected Approval?
  • Tricon version 10.5 Topical Report is under review
      • Expected approval is Fall 2010
  • The architecture that we are proposing provides a safety improvement over the existing architecture
  • Once our D3 Evaluation is submitted, we suggest a meeting to discuss the details

Project Scope (figure; no text recovered)

Existing FSAR Chapter 15 Event Analyses That Take Credit for Manual Operator Action (where both primary and backup protection are in Eagle 21)

  • Loss of Forced Reactor Coolant Flow, Locked Rotor (Single loop > P8)
      • Mitigating functions are Pressurizer Pressure and Containment Pressure

Proposed Replacement PPS Addresses CCF Without an Additional DAS or Manual Actions

  • The Control System Innovations Advanced Logic System (ALS) architecture is internally diverse, logic-based and is not susceptible to CCF due to software.
      • Implements key design attributes which (when combined with appropriate application development V&V) are sufficient to address Common Cause Failure issues.
  • The Tricon architecture is software-based; CCF must be considered and addressed.
      • Sufficient external, automatic diverse functions exist for channels processed through Tricon (unchanged from the Diablo Canyon Eagle 21 SER).
      • Functions previously credited with automatic mitigation in the Diablo Canyon Eagle 21 SER continue to be mitigated automatically.
  • Provides controls and indications unaffected by CCF (BTP 7-19 Position 4):
      • Independent of any digital software processing
      • Isolated as needed to prevent potential control/protection interaction
  • The proposed replacement automates the three functions previously credited for manual mitigation in the Eagle 21 SER.
      • Eliminating manual actions enhances safety.

Replacement PPS Architecture (figure; only block labels recovered)

(ALS Provides Inherently Diverse Front-End Isolation and Actuation)

Note: SSPS & AMSAC are original equipment; not being replaced.

Signals and components labelled in the diagram:
  • Class I process inputs: 4-20 mA process inputs, WR temperature RTD inputs (200 Platinum), NR temperatures, PZR pressure (DTTA), containment pressure, RCS flow, neutron flux inputs (0-10 VDC)
  • Class I outputs: analog outputs (4-20 mA); discrete trips to SSPS from both ALS and Tricon; discrete Protection Set Trouble, Protection Set Failure, Channel(s) in Bypass and DTTA RTD Failure signals to the MAS and the RNASA/RNASB and RNARA/RNARB relay cabinets
  • Non Class I: process inputs and process control analog outputs (4-20 mA); S/G feedflow to the DFWCS; AMSAC diverse isolation
  • Data links (Class II, fiberoptic): ALS and Tricon to the PPC; remote workstation; ALS B maintenance terminal / HMI workstation; Tricon C

Legend:
  • ALS - Advanced Logic System
  • DFWCS - Digital Feedwater Control System
  • DTTA - Delta T/Taverage (Thermal Trips)
  • HMI - Human Machine Interface
  • PPC - Plant Process Computer
  • PZR - Pressurizer
  • RNARA/RNARB - Auxiliary Relay Cabinets
  • RTD - Resistance Temperature Detector
  • RCS - Reactor Cooling System
  • SSPS - Solid State Protection System
  • WR - Wide Range

Diverse Equipment Not Subject to Common Cause Failure (CCF)

(Unaffected by Replacement PPS Project) (figure; no text recovered)

Interim Staff Guidance 6

  • ISG 6 draft is out for review
      • March 24th Review of Industry Comments
      • Issue Final ISG 6 in May
  • The Final ISG 6 is essential for DCPP to commit resources to the LAR
      • Need the new guidance to minimize confusion/time on what and when to submit
      • We only want to do this once
  • Intention is to submit our LAR as Tier 1 referencing two approved generic Topical Reports - ALS and Tricon
      • Only address plant specific items
      • Need both Topical Reports approved prior to LAR submittal

Update on LAR Schedule (figure; no text recovered)

Security

  • Diablo Canyon is responsible for ensuring compliance with the applicable security regulations and guidance during all life cycle phases of the plant upgrade, following 10 CFR 73.54, Regulatory Guide 1.152 Rev. 2 and ISG-01.
  • Applicable to:
      • Vendor equipment software development
      • Diablo Canyon responsible departments

Implementation of 10 CFR 73.54

  • To fully implement 10 CFR 73.54, a licensee must integrate Security Controls in existing programs, procedures, and processes:
      • Engineering Design Control / SQA
      • Maintenance
      • Work Orders
      • Corrective Action Program
      • Training program
      • Operations training program

Diablo Canyon Eagle-21 Replacement

  • This design change process involves project engineering procedures at Diablo Canyon and two vendors who are providing hardware and software to replace the Eagle-21:
      • Invensys Operations Management (IOM) - Tricon
      • CS Innovations (CSI) - Advanced Logic System

Eagle-21 Replacement Vendors

  • The security of computer systems is established by:
      • Designing in security features to meet the licensee's security requirements
      • Developing the systems without undocumented code (e.g., back doors), including viruses, worms, Trojan horses and bomb codes
      • Installing and maintaining those systems in accordance with station administrative procedures and the licensee's security program.

NRC Reg. Guide 1.152 Rev. 2

  • Security
  • Uses waterfall lifecycle phases:
      • Concepts
      • Requirements
      • Design
      • Implementation
      • Test
      • Installation, Checkout and Acceptance Testing
      • Operation
      • Maintenance
      • Retirement

Security Summary

  • Diablo Canyon will comply with the applicable guidance on security both for the vendor design program (offsite) and the onsite installation, testing and later phases as called for in NRC Reg. Guide 1.152, ISG-01 and the applicable Regulations.
  • Diablo Canyon will address RG 5.71 separately

Communications

  • ISG-04, Highly Integrated Control Rooms - Communications Issues (ISG #4)
  • Three General Areas of Interest
      • Interdivisional Communications (Staff Position 1)
      • Command Prioritization (Staff Position 2)
      • Multidivisional Control & Display Stations (Staff Position 3)
  • NOTE: Phase 0 discussion today only addresses Staff Position 1. All Staff Positions will be addressed by Diablo Canyon and the vendors in separate submittals

Interdivisional Communications (Staff Position 1)

  • Safety-to-safety - not applicable for the Eagle-21 replacement as no safety-to-safety channel communication will occur.
  • Safety-to-non-Safety - the Tricon and ALS systems communicate with two non-safety digital systems:
      • Plant Process Computer - one-way, display only
      • MVDU (Maintenance Video Display Unit) - bidirectional
  • The qualified Tricon Communications Module (TCM) isolates external communications from the Main Processors (MP) to ensure that the non-safety communications functions do not disrupt safety-related operation.
  • ALS communications to the PPC are isolated, one-way, and point to point.
  • ALS communications to the MVDU are bidirectional and controlled by an external hardware keyswitch

Interdivisional Communications (Staff Position 1)

  • The Tricon keyswitch is a physical interlock that controls the mode of the Tricon
  • The position of the keyswitch is continuously monitored by the three Tricon main processor modules (MPs)
  • The MPs vote on the position of the keyswitch
  • Multiple failures are necessary in order to inadvertently allow software programming of the Tricon

Safety-to-non-Safety Digital Communication Interfaces

  • Safety-to-non-Safety digital communication interfaces:
      • Plant Process Computer (PPC) - obtains data from all four divisions (read only)
      • Currently this is an analog out from Eagle 21 and an analog in to the PPC (less accurate, requires calibrations, not all desired parameters available)
      • This connection will use a data isolation device like the NetOptics Network Port Aggregator referenced in the Oconee SER to ensure one-way communications to the PPC

Safety-to-non-Safety Digital Communication Interfaces

  • MVDU - Maintenance Video Display Unit
  • Functions
      • Removing a channel from service (bypass, trip, defeat alarms, etc.)
      • Updating specific tunable parameters like:
          • Full Power Delta-T
          • Full Power Tavg
          • Normalization of Steam Flow, RCS Flow Indication
      • Calibrating Analog and Digital Outputs
      • Troubleshooting and Diagnostics
      • Alarm logger
  • Need the ability to update parameters with a MVDU and take only the affected channel out of service
  • Need the ability to perform troubleshooting and diagnostics without taking the channel out of service

Safety-to-non-Safety Digital Communication Interfaces

  • MVDU Controls to Ensure Changes are Accurate
  • Safety Related Controls
      • Hardware switch directly tied to a digital input removes channel from service
      • Software Partitioned by Instrument Loop
      • Safety related software V&V
      • Access Control to the area and cabinet
          • Vital Area access
          • Key required for cabinet door
      • Approved Procedures required to perform testing and updates
      • During update the values are limited to pre-determined ranges
  • Non-Safety Controls
      • One MVDU per Channel/Protection Set
      • MVDU Password Protected to make changes
          • Limited people with account and password
          • Access privileges dependent upon procedure (e.g., instrument loop test versus setpoint change)
      • Software V&V integrated with the final system
      • HMI software will be partitioned by Instrument Loop
      • Channel check of indications after maintenance

Non-Safety Communication Diagram (figure; no text recovered)

Typical Loop FT-414 / Trip Logic 414 (FS-414) (logic diagram; only block labels recovered)

Elements labelled in the diagram: FT-414 analog input (AI) with signal processing to FI-414 (EU) and an analog output (AO); FS-414 K-comparator (K-414) driving the trip digital output (DO) and the SSPS input relay; Trip Bypass / Low Flow Bypass and OOS gating (1 - RESET, 0 - TRIP); Loop Test, FS-414 setpoint update and selector inputs (SP SEL, ST SEL, 120 VAC); Out Of Range (OOR) alarm and trouble annunciation (ANNUN); DI Channel Test gate enabled only with the loop Out Of Service (OOS); FI-414 Test Value Tracking and new FS-414 SP Tracking (Note 1).

OOS - Out Of Service
OOR - Out Of Range
Note 1: Input 1 tracks Output when Input 0 is selected (bumpless transfer to test mode).

Loop Out of Service Gate Enable enables only a hard-coded set of variables, and only for that loop (figure; no further text recovered)

Analog Output in Test from HMI (figure; no text recovered)

Digital Output in Test from HMI (figure; no text recovered)

Parameter Update from HMI (figure; no text recovered)

Safety-to-non-Safety Digital Communication Interfaces

  • MVDU Controls to prevent inadvertent changes:

      OOS switch | HMI | Failure (a)
      -----------+-----+------------
          0      |  0  |     0
          0      | 1b  |     0
          1c     |  0  |     0
          1c     | 1b  |     1

      a: Failure is defined as hardware failure, software failure, human error
      b: HMI failures - log-on false positive (s/w error); weak password; maintenance error (procedural or human, e.g. maintenance technician types in AND accepts incorrect parameter value); communication error causes corrupt value (also entails multiple faults)
      c: OOS switch failures - hardware failure; maintenance error (procedural or human); weak physical access controls

  • Write/Test error requires both OOS switch failure and HMI failure
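The slides on MVDU controls (safety-related hardware switch, partitioning by instrument loop, pre-determined ranges, password-protected HMI with procedure-dependent privileges) and the failure table above describe a gate where an unintended write needs both an OOS switch failure and an HMI failure. The following Python model is an added example, not PG&E, Invensys or CS Innovations code; the loop tags, parameter names, ranges and session fields are constructed for illustration. It checks each control independently and reproduces the slide's four-row table by injecting each failure alone and then both together.

```python
"""Gating model for MVDU parameter updates (added example, not from the slides).

A write to a tunable parameter is accepted only when four independent
conditions hold at once:

  1. the hard-wired Loop Out-of-Service (OOS) switch for that instrument loop
     is set (a digital input read by the channel, not a software flag);
  2. the HMI session is authenticated and its privilege covers the operation
     (instrument loop test versus setpoint change);
  3. the parameter belongs to the hard-coded variable set of that loop
     (partitioning by instrument loop);
  4. the new value lies within a pre-determined range.

Loop tags, parameter names and ranges below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Privilege(Enum):
    LOOP_TEST = "loop_test"              # may drive test values on the loop
    SETPOINT_CHANGE = "setpoint_change"  # may write tunable parameters


@dataclass(frozen=True)
class HmiSession:
    user: str
    authenticated: bool
    privileges: frozenset


# Constructed partitioning table: a loop's OOS gate exposes only this loop's
# own variables, each with its allowed (low, high) range.
LOOP_VARIABLES = {
    "FT-414": {"full_power_delta_t": (50.0, 70.0), "rcs_flow_normalization": (0.9, 1.1)},
    "PT-455": {"full_power_tavg": (560.0, 590.0)},
}


@dataclass
class ProtectionChannel:
    oos_switch: dict = field(default_factory=dict)  # loop tag -> hardware DI state
    parameters: dict = field(default_factory=dict)  # loop tag -> {name: value}
    log: list = field(default_factory=list)         # alarm/maintenance logger

    def write_allowed(self, loop, name, value, session):
        """Return (allowed, reason); every gate is checked independently."""
        if not self.oos_switch.get(loop, False):
            return False, f"{loop} is in service (OOS switch not set)"
        if not session.authenticated:
            return False, "HMI session not authenticated"
        if Privilege.SETPOINT_CHANGE not in session.privileges:
            return False, f"{session.user} lacks setpoint-change privilege"
        allowed = LOOP_VARIABLES.get(loop, {})
        if name not in allowed:
            return False, f"{name} is not a variable of loop {loop}"
        lo, hi = allowed[name]
        if not lo <= value <= hi:
            return False, f"{value} outside pre-determined range [{lo}, {hi}]"
        return True, "accepted"

    def update_parameter(self, loop, name, value, session):
        """Apply the write if all gates pass; log every attempt either way."""
        ok, reason = self.write_allowed(loop, name, value, session)
        self.log.append((loop, name, value, session.user, reason))
        if ok:
            self.parameters.setdefault(loop, {})[name] = value
        return ok


def erroneous_write_table():
    """Reproduce the slide's failure table. Keys are (OOS switch failed,
    HMI failed) as 0/1; the value is 1 if an unintended write succeeds."""
    table = {}
    for switch_failed in (0, 1):
        for hmi_failed in (0, 1):
            channel = ProtectionChannel()
            # Switch failure: the DI reads "out of service" although nobody
            # operated the key switch.
            channel.oos_switch["FT-414"] = bool(switch_failed)
            # HMI failure (false-positive logon, weak password, ...): the
            # software treats the session as fully authorised.
            session = HmiSession(
                user="unknown",
                authenticated=bool(hmi_failed),
                privileges=frozenset({Privilege.SETPOINT_CHANGE}) if hmi_failed else frozenset(),
            )
            ok = channel.update_parameter("FT-414", "full_power_delta_t", 60.0, session)
            table[(switch_failed, hmi_failed)] = int(ok)
    return table


if __name__ == "__main__":
    tech = HmiSession("tech01", True, frozenset({Privilege.SETPOINT_CHANGE}))
    ch = ProtectionChannel(oos_switch={"FT-414": True})
    print(ch.write_allowed("FT-414", "full_power_delta_t", 60.0, tech))   # accepted
    print(ch.write_allowed("FT-414", "full_power_tavg", 575.0, tech))     # wrong loop
    print(ch.write_allowed("FT-414", "full_power_delta_t", 99.0, tech))   # out of range
    print(ch.write_allowed("PT-455", "full_power_tavg", 575.0, tech))     # PT-455 in service
    for (sw, hmi), err in sorted(erroneous_write_table().items()):
        print(f"OOS switch failure={sw} HMI failure={hmi} -> erroneous write={err}")
```

The hardware switch is checked first and is a per-loop input, so a fully compromised HMI session still cannot write to a loop that nobody has taken out of service, and a stuck switch on one loop exposes only that loop's variables within their ranges; a detection point is the attempt log, which records rejected writes with the gate that refused them.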

Software Development

  • Triconex and CS Innovations will develop and test the initial application software for their portion of the project with oversight of the V&V process by PG&E
  • PG&E intends to submit the Software Operation and Maintenance Plan to allow software changes by the vendor or PG&E after initial installation
      • The ALS platform will require the vendor to make changes due to its technology
  • Firmware updates will be handled by the vendors under their programs

Questions