ML101950367

UFTR Digital Control System Upgrade UFTR-QA1-103, Diversity and Defense-In-Depth (D3) Analysis
ML101950367
Person / Time
Site: 05000083
Issue date: 07/07/2010
From: Haghighat A
Univ of Florida
To:
Office of Nuclear Reactor Regulation

Project ID: QA-1, UF/NRE UFTR, QUALITY ASSURANCE DOCUMENT, Revision 0, Copy 1, Page 1 of 24

Project Title: UFTR DIGITAL CONTROL SYSTEM UPGRADE

UFTR-QA1-103, Diversity and Defense-in-Depth (D3) Analysis

Prepared by: Prof. Alireza Haghighat

Reviewed by: Dr. Gabriel Ghita

Approved by: Prof. Glenn Sjoden

THE DISTRIBUTION LIST:

No. | Name | Affiliation | Signature | Date

THE LIST OF THE REVISED PAGES OF THE DOCUMENT

Revision no. | Reviewed by | Approved by | The Modified Pages | Date

TABLE OF CONTENTS

1. Purpose
2. References
  2.1 UFTR Documents
  2.2 Regulation
  2.3 AREVA NP Inc Documents
3. Definitions, Acronyms, and Abbreviations
  3.1 Definitions
  3.2 Acronyms
4. Background
5. New or Unusual Design Features
6. Scope
  6.1 What is in Scope
  6.2 What is not in Scope
7. Description of Analysis Methods
8. Authorities and Guidelines
9. Types of Failures
10. Sources of Design Information
11. Assumptions
  11.1 Worst-Case Assumptions
  11.2 Assumptions Based on System Structure
12. Description of the Design
13. Findings
  13.1 Diversity Between Blocks
    13.1.1 TXS vs. T-3000
    13.1.2 Manual Reactor Scram (MRS)
  13.2 Diversity Between Echelons of Defense
  13.3 Conclusion of Findings
Appendices
  Appendix A- Manual Reactor Scram (MRS) Block
  Appendix B- TELEPERM XS (TXS) Block
  Appendix C- T-3000 Block Designation


1. Purpose

The purpose of this analysis is to determine whether the proposed UFTR protection system upgrade exhibits adequate diversity and defense-in-depth (D3) to address all reasonable vulnerabilities to system failure. The proposed TELEPERM XS (TXS) system upgrade consists of both hardware and software that monitors and automatically initiates protective action for the UFTR. This document is consistent with guidelines provided by NUREG/CR 6303, /6/, and in accordance with acceptance criteria established by BTP 7-19, /4/.


2. References

2.1 UFTR Documents

/1/ UFTR-QA1-14, "Safety System Design Basis," 2009

/2/ UFTR "Safety Analysis Report (SAR)".

/3/ UFTR Supplementary Safety Analysis Report (SSAR) 2009.

2.2 Regulation

/4/ BTP 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Controls Systems," March 2007

/5/ IEEE Std. 603-1998, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," 1998

/6/ NUREG/CR 6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," December 1994

/7/ NUREG/CR-7007, "Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems"

2.3 AREVA NP Inc Documents

/8/ "TXS Manual: System Overview," 2006.

3. Definitions, Acronyms, and Abbreviations

3.1 Definitions

Common Cause Failure: Multiple failures attributable to a common cause.

Defense-in-Depth: The practice of having multiple, redundant, and independent layers of safety systems to reduce the risk that a single failure of a component or system will cause the catastrophic failure of the reactor.

Design Basis Event: Postulated events used in the design to establish the acceptable performance requirements for the structures, systems, and related components.

Diversity: In fault tolerance, realization of the same function by different means. For example, use of different signals, processors, storage media, programming languages, algorithms, or development teams.

Invalid: A signal is invalid if it experiences any type of failure or is not within the range defined by the design basis.

Nuclear Instrumentation (NI): The portion of a train that directly senses and responds to changes in neutron and/or gamma ray levels in the reactor core and converts the measured interaction into an electric, optic, or pneumatic signal.

Operating Bypass: The inhibition of the capability to accomplish a safety function that could otherwise occur in response to a particular set of generating conditions.

Protective Action: The initiation of a signal within the sense and command features or the operation of equipment within the execute features for the purpose of accomplishing a safety function.

Redundant Equipment or System: A piece of equipment or a system that duplicates the essential function of another piece of equipment or system to the extent that either may perform the required function, regardless of the state of operation or failure of the other.

Safety Function: One of the processes or conditions (for example, emergency negative reactivity insertion, post-accident heat removal, emergency core cooling, post-accident radioactivity removal, and containment isolation) essential to maintain plant parameters within acceptable limits established for a design basis event.

Sensor: The portion of a train, other than nuclear instrumentation, that responds to changes in a plant variable or condition and converts the measured process variable into an electric, optic, or pneumatic signal.

Sensing Equipment: This expression includes both nuclear instrumentation (NI) and sensors.

Train: An arrangement of components and modules as required to generate a single protective action signal when required by a generating station condition. A train loses its identity where single protective action signals are combined.

3.2 Acronyms

AC Alternating Current
AQP Acquisition and Processing
BDT Blade-Drop Trip
BTP Branch Technical Position
CCF Common Cause Failure
D3 Diversity and Defense-in-Depth
DAR Design Analysis Report
DC Direct Current
ESFAS Engineered Safety Features Actuation System
FT Full Trip
GW Gateway
HEU Highly Enriched Uranium
HMI Human Machine Interface
HW Hardware
IEEE Institute of Electrical and Electronics Engineers
LEU Low Enriched Uranium
LOCA Loss of Coolant Accident
MCR Main Control Room
MIS Monitoring and Indicator System
MRS Manual Reactor Scram
MSI Monitoring Service Interface
NI Nuclear Instrumentation
NRC Nuclear Regulatory Commission
NSSS Nuclear Steam Supply System
NUREG Nuclear Regulatory Commission Regulation
PAM Post Accident Monitoring
PI Process Instrumentation
QDS Qualified Display System
RTS Reactor Trip System
SAR Safety Analysis Report
SU Service Unit
SWCCF Software Common Cause Failure
TXP TELEPERM XP
TXS TELEPERM XS
UFTR University of Florida Training Reactor

4. Background

The UFTR was built in 1959 and was one of the first nuclear reactors on a university campus.

Originally designed for highly enriched uranium (HEU) fuel, the UFTR was converted to a low enriched uranium (LEU) fuel system in 2006. The UFTR is currently completing relicensing to update the Safety Analysis Report (SAR) for the new fuel enrichment. The current licensed protection system for the UFTR has not changed since its original design. The existing analog system has become outdated with the onset of digital controls for commercial plants. The proposed digital protection system upgrade is designed to make the UFTR more relevant to current trends towards digital protection/control in commercial reactors for training purposes.


5. New or Unusual Design Features

The UFTR is a self-limiting research and training reactor which requires no additional engineered safeguards beyond those designed into the reactor core or incorporated into the main cooling, protection, control and radiation monitoring systems. As a result of low power and high thermal conductivity of metallic fuel, there is no need for protective cooling. Further, the UFTR core design has a negative coefficient of reactivity for both primary coolant void and temperature.

Analysis of the UFTR design in the UFTR Safety Analysis Report (SAR), /2/, and the UFTR Supplementary Safety Analysis Report (SSAR), /3/, shows that there is no credible accident that would result in radiological exposures to the public, facility staff and the environment, and therefore, there is no need for the ESFAS. As a result, the four echelons of defense listed in NUREG/CR-6303, /6/, become three for the UFTR:

  • Control System
  • Reactor Trip System (RTS)
  • Monitoring and Indicator System (MIS)

Echelons of defense are specific applications of the principle of defense-in-depth, which exist to provide multiple barriers to radiation release for a reactor. The following analysis will define the proposed system architecture and analyze the diversity that exists between system components to improve the defense-in-depth for the UFTR.

6. Scope

6.1 What is in Scope

This analysis considers all system components that provide for the aforementioned three echelons of defense. All of these components are discussed in Section 12 of this document. In accordance with BTP 7-19, /4/, since the UFTR license does not require any redundancy, there is no concern for common-cause failure (CCF).

6.2 What is not in Scope

The information provided by UFTR-QA1-14, /1/, shall not be repeated in this document. This includes analysis of design basis events, since the current UFTR SAR, /2/, shows that no diverse mitigation is required for these events and no additional best-estimate analysis is required for this analysis. Single failure of components is not considered in this document because the current SAR, /2/, Chapter 7, does not require it.

7. Description of Analysis Methods

The method used in this analysis shall be consistent with the method given in NUREG/CR-6303, /6/. The system architecture shall be defined by system blocks, which shall be justified by criteria given in the aforementioned document. The resulting diversity and defense-in-depth (D3) between system blocks will be analyzed.

8. Authorities and Guidelines

The analysis performed in this document shall be consistent with the guidelines provided in Section 3 of NUREG/CR-6303, /6/. Additional standards and guidelines are provided by UFTR-QA1-14, /1/.

9. Types of Failures

Since the plant design basis can accommodate a complete failure of the protection system, it bounds any Software Common Cause Failure (SWCCF) (NUREG/CR-6303, /15/). As such, no additional analysis of the SWCCF is necessary.

10. Sources of Design Information

The following list cites the sources for design information used to perform this analysis.
  • UFTR-QA1-14, /1/
  • TXS Manual: System Overview, /8/

11. Assumptions

11.1 Worst-Case Assumptions

Failure Consequences: Failures are assumed to occur in the most limiting fashion possible consistent with hardware or software construction. For instance, a module which de-energizes to trip is assumed to fail so that it continues to block trip.

Latency of Failures: Failures are assumed to be latent and undetectable until stressed by event or accident, at which time the failure becomes manifest.

11.2 Assumptions Based on System Structure

Proper Functioning of Equipment: Equipment that has been specially designed to have a specific purpose for protection of electrical equipment, such as isolation or one-way communication, shall be assumed to function correctly.

12. Description of the Design

The proposed protection system is comprised of three blocks. Appendices A-C of this document provide the justification for physical and logical failure containment in each block.

System blocks are shown in Figure 12-1 below, where arrows depict intended functional interface.

[Figure 12-1. The proposed UFTR Protection System. Blocks shown: NI/Sensors, MRS, TXS, T-3000, RTS.]

The above system includes the TXS as the primary protection system, providing Monitoring and Indicator System (MIS) and Reactor Trip System (RTS), the T-3000 system (with diverse hardware and software) providing reactor control and a diverse MIS, and a hardwired Manual Reactor Scram (MRS) providing a diverse RTS as compared to TXS.

Further, because of the unidirectional communication between the TXS and T-3000, and no communication between the TXS and MRS, the failure of the MRS or T-3000 blocks will not impact the operation of the TXS. In summary, as shown in Table 12-1, the above proposed system effectively addresses the functions of the RPS.

Table 12-1: System blocks and their span across the three echelons of defense (rows: MRS, TXS, T-3000; cell marks not recoverable)

The above Table clearly indicates that the two functions of the protection system, i.e., RTS and MIS, are achieved via two diverse systems. This means that if the TXS fails, especially if its processors freeze, the T-3000 system provides the necessary indication for the operator to engage the MRS.

It is important to note that all the signals within a train are input to both TXS and T-3000. This allows T-3000 to display monitoring information independent of the TXS block, which is crucial during TXS failure. In this situation, the operator can identify the status of TXS by monitoring the T-3000 displays, and therefore invoke the MRS. It is also worth noting that the TXS includes a Gateway (GW) for unidirectional communication with the T-3000 as shown in Figure 12-1. A more detailed description of architecture within each block is provided in Appendices A to C of UFTR-QA1-14, /1/.

13. Findings

13.1 Diversity Between Blocks

13.1.1 TXS vs. T-3000

Both TXS and T-3000 are computer-based systems. The TXS operating system software is accepted as equivalent to US nuclear standards by the NRC in the safety evaluation report for the TXS Topical Report, /8/.

The T-3000 uses industrial technology, which is developed based on different standards resulting in the following general dissimilarities from the TXS technology:

  • Different network protocols
  • Different diagnostics concept
  • Different maintenance concept
  • Different HW / operating systems for service units
  • Different HMI
  • Different signal message format and content
  • Different connectivity to external systems
  • Different IT security concepts

As a result, the following diversity elements (taken from NUREG/CR-6303, /6/) distinguish the two technologies:

  • Design (different approaches within a technology and different architectures)
  • Equipment (different manufacturers of fundamentally different equipment designs)
  • Functional (different underlying mechanisms to accomplish safety function, different purpose, function, control logic, or actuation means of same underlying mechanism, and different response time scale)
  • Human (different design organizations/companies, different designers, engineers, and/or programmers, and different implementation/validation teams (testers, installers, or certification personnel))
  • Software (different algorithms, logic, and program architecture, different timing or order of execution, different runtime environments, and different functional representations)

The diversity assessment is informed by using the insights and analysis tool from draft NUREG/CR-6303, /6/.

13.1.2 Manual Reactor Scram (MRS)

The MRS can be shown to have inherent diversity and independence from the TXS. The method for diversity utilized by this block is characterized by "Strategy A" found in NUREG/CR-7007, /7/. This draft document defines this strategy, which is described in the following excerpt:

"Strategy A focuses on the use of fundamentally diverse technologies as the basis for diverse systems, redundancies, or subsystems. The Strategy A baseline, at the system or platform level, is illustrated by the example of analog and digital implementations providing design diversity. This choice of technology inherently contributes notable equipment manufacturer, processing equipment, functional, life-cycle, and logic diversities. Intentional application of life-cycle and equipment manufacturer diversities is included in the baseline, while the traditional use of functional and signal diversities is also adopted. The use of a microprocessor-based primary protection [safety] system and an analog (Laddic logic) secondary protection [safety] system at the Sizewell NPP represents the principal example of Strategy A drawn from the survey findings."

The design diversity that exists between analog and digital controls is shown to be sufficient for claiming diversity between MRS and the other two blocks.

13.2 Diversity Between Echelons of Defense

Diversity between echelons of defense for the UFTR allows all three echelons to remain functional during the failure of any one system block. The following list shows the effect of failure of each block on the echelons of defense:

  • MRS Block Failure: All the echelons of defense will remain operational. TXS will initiate RTS. T-3000 and TXS will also remain available for Monitoring and Indication.
  • TXS Block Failure: All echelons of defense will remain operational. MIS echelon will only contain indication of failed TXS system (via T-3000) and initiation of RTS will occur via MRS. Sensing equipment will be available via T-3000 since it receives its own input from the NIs and sensors.
  • T-3000 Block Failure: All echelons of defense will remain operational.

In summary, the MRS provides a diverse means for initiating the RTS during TXS failure, while T-3000 provides a diverse indicator in case of TXS failure. It is important to note that failure of the RTS echelon due to TXS failure and lack of operator action cannot cause an uncontrolled release of radioactivity. This inherent feature of UFTR is discussed in UFTR SSAR, /3/.

13.3 Conclusion of Findings

The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure. The TXS system will also have improved reliability due to extensive signal diversity and redundancy monitoring and indication systems (i.e., TXS and T-3000). As a final note, the accident analysis provided in the UFTR SAR, /2/, indicates that no failure of equipment or operator action/inaction can result in fuel failure and therefore there is no possibility of uncontrolled release of radioactivity.

Appendices

Appendix A- Manual Reactor Scram (MRS) Block

The MRS consists of two manual trip switches that are not controlled by software or computer-based components. It spans the RTS and monitoring and indications system echelons. This block receives no input from monitoring equipment and provides two manual trip initiation features: Blade Drop Trip (BDT) or full trip (FT). For more discussion on manual trips, refer to UFTR Safety System Design Basis, /1/. The following Tables A-1 and A-2 provide the methods used for containment of physical and logical failures within this block, respectively.

Table A-1: Methods for physical failure containment in the MRS block

Criteria for Physical Failure Containment | Method of Containment
Physical separation | MRS shall be physically separate from the TXS block
Electrical isolation | This block does not require electrical connections to other blocks.
Power supply separation | Power supply separation of blocks is not necessary since the BDT is "failsafe" during a loss of power event. For more information on trip functions, refer to the UFTR Safety System Design Basis, /1/.
Electrical shielding | Signal cables to and from the MRS will be shielded from interference.

Table A-2: Methods for logical failure containment in the MRS block

Criteria for Logical Failure Containment | Method of Containment
Software module separation | There is no software within this block.
No interaction through shared memories | There is no memory required for this block.
Unidirectional communication with other systems | There is no communication with other systems
The software continues to work regardless of local area network faults | This block is not connected to any network.
All input data from other systems are qualified before use | Inputs are directly from manual control from operator.

The preceding two tables show how each failure containment criterion is met for the MRS, which justifies its designation as a block in the analysis.

Appendix B- TELEPERM XS (TXS) Block

The TXS system block consists of the hardware, software, and displays that are described in UFTR-QA1-14, /1/. The TXS computer cabinets and components shall be physically and logically isolated from all other safety and non-safety equipment. The following Tables B-1 and B-2 describe the requirements and methods for physical and logical failure containment within the TXS block, respectively. These criteria are listed in NUREG/CR 6303, /15/.

Tables B-1 and B-2 show how each failure containment criterion is met for the TXS system, which justifies its designation as a block in this analysis.

Table B-1: Methods for physical failure containment in TXS block.

Criteria for Physical Failure Containment | Method of Containment
Physical separation | TXS hardware is contained inside metal cabinets that are physically separate from the other two blocks.
Electrical isolation | Electrical isolation between the signal circuit and the interface to the system bus is implemented by means of optocouplers.
Power supply separation | Power supply separation of blocks is not necessary since the Blade Drop Trip (BDT) function is "failsafe" during a loss of power event. For more information on trip functions, refer to the UFTR Safety System Design Basis, /1/.
Electrical shielding | Prevention of electromagnetic interference is achieved by the shielding effect of metallic front plates in each cabinet. Signal cables to and from TXS will also be shielded from interference.

Table B-2: Methods for logical failure containment in TXS block.

Criteria for Logical Failure Containment | Method of Containment
Software module separation | There are no block divisions within the TXS system, thus there is no need to claim separation of software modules within this system.
No interaction through shared memories | TXS system does not share memory with any other computer system.
Unidirectional communication with other systems | MSI provides unidirectional communication with non-safety system through GW.
The software continues to work regardless of local area network faults | MSI provides the means of prevention of inadvertent and/or malicious attempts on the processing of signals and decision making on reactor operations.
All input data from other systems are qualified before use | The only input to TXS is from NIs/sensors, which is processed by the AQP. Failure of sensing instrumentation will not cause failure in TXS.

Appendix C- T-3000 Block Designation

The T-3000 block is not essential for the safe shutdown of the UFTR, thus one-way propagation of failures from the TXS block is implemented through GW. Methods for physical and logical containments of failure within this block are shown in Tables C-1 and C-2 below.

The two tables show how each failure containment criterion is met for the control system, which justifies its designation as a block in this analysis.

Table C-1: Methods for physical failure containment in the T-3000 block

Criteria for Physical Failure Containment | Method of Containment
Physical separation | Non-safety computer system is in a separate metal cabinet, away from the components of the other blocks.
Electrical isolation | Breakers and fuses
Power supply separation | Power supply separation of blocks is not necessary since the BDT is "failsafe" during a loss of power event. For more information on trip functions, refer to the UFTR Safety System Design Basis, /1/.
Electrical shielding | Non-Class 1E circuitry will not require electrical shielding in accordance with IEEE Std. 603-1998, /5/, because it is not essential for reactor shutdown. T-3000 will be kept at a safe distance from Class-1E circuitry associated with the other blocks.

Table C-2: Methods for logical failure containment in the T-3000 block

Criteria for Logical Failure Containment | Method of Containment
Software module separation | Block designation does not require software module separation.
No interaction through shared memories | T-3000 does not share memory with other computer systems.
Unidirectional communication with other systems | Unidirectional communication from TXS is achieved through GW.
The software continues to work regardless of local area network faults | MSI
All input data from other systems are qualified before use | Inputs are directly from manual control from operator.