ML16342A124

From kanterella
Summary of 930526 Meeting W/Util & Westinghouse in Rockville,Md to Discuss Licensee Eagle 21 Upgrade & Diversity W/Atws Mitigation Sys.List of Meeting Attendees & Viewgraphs Encl
ML16342A124
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 06/02/1993
From: Peterson S
Office of Nuclear Reactor Regulation
To:
Office of Nuclear Reactor Regulation
References
NUDOCS 9306080336
Download: ML16342A124 (68)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

June 2, 1993

Docket Nos. 50-275 and 50-323

LICENSEE: Pacific Gas and Electric Company (PG&E)

FACILITY: Diablo Canyon Nuclear Power Plant, Units 1 and 2

SUBJECT: SUMMARY OF MAY 26, 1993 PUBLIC MEETING TO DISCUSS THE LICENSEE'S EAGLE 21 UPGRADE AND ITS DIVERSITY WITH THE ATWS MITIGATION SYSTEM

On May 26, 1993, the NRC staff met with PG&E and Westinghouse in Rockville, Maryland to discuss the issue stated above.

Enclosure 1 is a list of attendees present at the meeting.

Also enclosed are the presentation slides used during the meeting (enclosures 2, 3 and 4).

PG&E submitted a license amendment request on September 21, 1992, regarding the installation of a Westinghouse Eagle 21 reactor protection system (RPS) upgrade.

During the staff review of this amendment request, several questions arose regarding the diversity between the Eagle 21 RPS and the existing anticipated transient without scram (ATWS) mitigation system actuation circuitry (AMSAC) at Diablo Canyon.

The purpose of this meeting was for Westinghouse to present additional technical information to the staff which they believe will assist the staff in reaching a conclusion concerning the RPS/AMSAC diversity issue.

The staff stated that this meeting would provide an opportunity for the participants to present additional details on the design and the specific issues involved with the design; however, the staff would not be making a final decision at this meeting.

Westinghouse distributed three handouts of slides, which are enclosed.

The first handout (enclosure 2) provided an overview of the Westinghouse Eagle 21 RPS and AMSAC designs and the differences and similarities between the designs.

The second handout (enclosure 3) specifically focused on the software diversity between the designs.

The first two handouts also presented Westinghouse's reasons why the similarities in the design meet the ATWS rule (10 CFR 50.62) and, therefore, should be acceptable to the staff.

The last handout (enclosure 4) presented a probabilistic risk assessment study performed by Westinghouse that compared the core melt frequencies of a totally diverse AMSAC and an AMSAC that is identical to the RPS.

The staff asked many questions to clarify particular aspects of the presented material and discussed the issues which will need to be resolved to reach a conclusion.

The issues involved are many and complex, and include the use of the same computer language, compilers and power supplies for the Eagle 21 RPS and AMSAC. It also appears that the position taken by the NRC on this issue will establish a precedent for other plants and vendors.

The licensee requested a scheduled date for the NRC decision.

The NRC staff informed the licensee that a date had not yet been set and that the project manager would inform them when a schedule (or a resolution) was established.

Westinghouse and PG&E provided a description of their systems and their positions and interpretation of diversity as required by the ATWS rule.

The staff believes that they have enough information from the licensee to continue with the decision making process within the NRC.

Westinghouse offered to supply any additional information needed by the staff.

Enclosures: As stated

Sheri Peterson, Project Manager
Project Directorate V
Division of Reactor Projects III/IV/V
Office of Nuclear Reactor Regulation

cc w/enclosures: See next page


Pacific Gas and Electric Company
Diablo Canyon

cc:

NRC Resident Inspector, Diablo Canyon Nuclear Power Plant, c/o U.S. Nuclear Regulatory Commission, P.O. Box 369, Avila Beach, California 93424
Dr. Richard Ferguson, Energy Chair, Sierra Club California, 6715 Rocky Canyon, Creston, California 93432
Ms. Nancy Culver, San Luis Obispo Mothers for Peace, P.O. Box 164, Pismo Beach, California 93448
Ms. Jacquelyn C. Wheeler, 3303 Barranca Court, San Luis Obispo, California 93401
Managing Editor, The County Telegram Tribune, 1321 Johnson Avenue, P.O. Box 112, San Luis Obispo, California 93406
Chairman, San Luis Obispo County Board of Supervisors, Room 370, County Government Center, San Luis Obispo, California 93408
Mr. Truman Burns and Mr. Robert Kinosian, California Public Utilities Commission, 505 Van Ness, Rm. 4102, San Francisco, California 94102
Diablo Canyon Independent Safety Committee, ATTN: Robert R. Wellington, Esq., Legal Counsel, 857 Cass Street, Suite D, Monterey, California 93940
Mr. Steve Hsu, Radiologic Health Branch, State Department of Health Services, Post Office Box 942732, Sacramento, California 94234
Regional Administrator, Region V, U.S. Nuclear Regulatory Commission, 1450 Maria Lane, Suite 210, Walnut Creek, California 94596
Mr. Peter H. Kaufman, Deputy Attorney General, State of California, 110 West A Street, Suite 700, San Diego, California 92101
Michael M. Strumwasser, Esq., Special Assistant Attorney General, State of California Department of Justice, 3580 Wilshire Boulevard, Room 800, Los Angeles, California 90010
Christopher J. Warner, Esq., Pacific Gas & Electric Company, Post Office Box 7442, San Francisco, California 94120
Mr. John Townsend, Vice President and Plant Manager, Diablo Canyon Power Plant, P.O. Box 56, Avila Beach, California 93424
Mr. Gregory M. Rueger, Nuclear Power Generation, B14A, Pacific Gas & Electric Company, 77 Beale Street, Room 1451, P.O. Box 770000, San Francisco, California 94177


ENCLOSURE 1

ATTENDEES
MAY 26, 1993 MEETING BETWEEN THE NRC STAFF, WESTINGHOUSE AND PG&E

NAME               AFFILIATION
Sheri Peterson     NRR/DRPW/PDV
Paul Loeser        NRR/DRCH/HICB
Eric Lee           NRR/DRCH/HICB
Hulbert Li         NRR/DRCH/HICB
John Gallagher     NRR/DRCH/HICB
Jim Stewart        NRR/DRCH/HICB
Roger Johnson      PG&E Licensing
Larry Erin         Westinghouse
Bob Lint           PG&E I&C
John Hefler        PG&E I&C
Bill Miller        W PCD
David Theriault    W PCD
Andrea Wilford     NRR/DRPW/PDV
Robert Johansen    PG&E I&C
Jim Doyle          W PCD
Hugh Murphy        W PCD


Original signed by Sheri Peterson, Project Manager
Project Directorate V
Division of Reactor Projects III/IV/V
Office of Nuclear Reactor Regulation

DISTRIBUTION (w/o encls 2, 3, 4 unless noted):
Docket File w/encls
NRC & Local PDRs w/encls
TMurley/FMiraglia
JPartlow
EAdensam
TQuay
DFoster
OGC (15B18)
NRC Participants
ACRS (10) (P315)
KPerkins, RV w/encls
PLoeser, 8D24
HLi, 8D24
JGallagher, 8D24
PDV Reading File w/encls
Roe
SPeterson w/encls
EJordan (MNBB 3701)
JMitchell, EDO (17G21)
ELee, 8D24
JStewart, 8D24

Concurrence (OFFICE / NAME / DATE): PDV LA DFoster, 93; PDV PM SPeterson:mc, 93; HICB JWermiel, 6/2/93; PDV TQuay, 93

OFFICIAL RECORD COPY

DOCUMENT NAME: DCMTG.SUM

Primary Objective

- Provide diversity to the extent reasonable and practicable to ensure that in the unlikely event of a common mode failure, AMSAC will actuate turbine trip and start Aux Feedwater, or RPS will initiate reactor trip and ESFAS.

Regulatory Guidance - ATWS Rule

- 10 CFR 50.62
- Equipment diversity to extent reasonable and practicable
- Minimize potential for common cause failures
- Permit use of shared sense lines, sensors, and sensor power supplies
- Independence from RPS

Diversity Basis & Consideration

- Design Team
- Functional Design
- Failure Modes
- System Architecture
- Hardware Selection
- System Design
- Software Design

AMSAC Design Process

- Diversity of AMSAC from a digital based protection system was a recognized design issue prior to the design of AMSAC and Eagle 21.
- Deliberate actions were taken to address this issue and provide diversity to the extent reasonable and practicable:
  - Separate design teams
  - Differences in system function and design
  - System architecture
  - Function design and failure modes
  - System design
  - Unique hardware selection
  - Diverse software design

Organizational Diversity

- Design Team independence and separation

                    AMSAC Team          EAGLE 21 Team
Project Manager     D.N. Katz           C.E. Cori
Project Engineer    W.L. Miller         C.A. Vitalbo
Hardware Lead       W.L. Miller         C.A. Vitalbo
Software Lead       N.J. Musicante      I. Kotovsky

Other team members listed on the slide: T.C. Burlas, J.P. Chizmar, J.T. Gordon, T.J. Kinney, G.I. Mehta, E.J. Miller, J.M. Mussier, R.J. Nero, J.P. Doyle, G.O. Barrett, B. Germono, R. Mischler, K. Patrick, J. Sutherland, D.B. Keller, N.J. Musicante, T. Pike, K. Taylor, T. Hantz, J. Swarc

Functional Differences

- Architecture
- System functions
- System response to failure modes

Planned AMSAC/RPS Architecture (block diagram; block labels recovered from the scan)

- Field Sensors
- E21 PPS I, II, III, IV: Input Buffers, Isolator, Processor (Process Function, Setpoint Comparison), Output Interface
- AMSAC: Setpoint Comparisons, Coincidence Logic, Output Isolation/Interface; output: Trip Turbine & Start Aux. Fdw.
- SSPS A and SSPS B: Coincidence Logic, Output Interface; output: RT & ESFAS (including Turbine Trip & Start Aux. Fdw.)

AMSAC Functions and Architecture

- Initiates turbine trip, start of Aux feedwater and S/G blowdown isolation on loss of heatsink
- Steam generator level logic
- Blocked below 40% power
- Fault tolerant architecture
- Power required to initiate AMSAC functions

Block diagram (labels recovered from the scan): Analog/Digital Inputs -> three Analog/Digital Input Modules -> Actuation Logic Processors #1, #2, #3 (each 3/4) -> Majority (2/3) Voter A and Voter B -> Partial Actuation Outputs -> Non-class 1E output relays K1 ... K8; Test/Maintenance System on the Test/MTCE Data Bus.

Eagle 21 Functions and Architecture

- Initiates Rx trip and ESFAS
- Redundant protection sets (I-IV)
- Failsafe on loss of power
- Class 1E

Block diagram (labels recovered from the scan): Input/Output Subsystem (Analog Input Module, Trip Output Module, Analog Output Module, SIR Bus, Test Panel, Card Cage), Loop Processor Subsystem, Tester Subsystem, Bit Bus; outputs to Trip Logic and to Control, MCB, Computers, etc.; Man-Machine Interface Test Cart.

Failure Mode Response

Failure: Loss of input channel
  Eagle 21: Inadvertent trip of affected channel or failure to trip affected channel (MCR alarm and local indication)
  AMSAC: None; mitigative action provided if called for by other channels (MCR alarm and local indication)

Failure: Processor halt
  Eagle 21: All rack trips initiated (MCR alarm and local indication)
  AMSAC: None; mitigative action provided if called for by other processors (MCR alarm and local indication)

Failure: Loss of power
  Eagle 21: All rack trips initiated (MCR alarm and local indication)
  AMSAC: None; mitigative action not available (MCR alarm and local indication)

Failure: Loss of output channel
  Eagle 21: Inadvertent trip of affected channel or failure to trip affected channels (MCR alarm and local indication)
  AMSAC: None; mitigative action still possible (MCR alarm and local indication)
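The coincidence and voting structure on the AMSAC architecture slide (three actuation logic processors, each with 3/4 logic, feeding 2/3 majority voters, with power required to actuate) and the contrasting fail-safe behaviour of the Eagle 21 racks in the failure-mode table above can be checked in a small executable model. The C below is an added example written for this page, not Westinghouse or PG&E code. The four-channel input count, the 0..1000-count signal scaling, the 250-count setpoint, the 2-of-4 SSPS coincidence and all sample values are assumptions for illustration. It also shows the parameter boundary check and enumerated channel states that the Software Design slide lists as properties of the AMSAC code.

```c
/* Added example for this page (not Westinghouse or PG&E code): executable
 * model of the AMSAC 3/4 coincidence + 2/3 majority vote and of the Eagle 21
 * de-energize-to-trip response.  Channel counts, scaling, setpoint and the
 * sample data below are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define NCHAN 4   /* S/G level channels seen by each actuation logic processor (assumed) */
#define NALP  3   /* AMSAC actuation logic processors feeding the 2/3 voters (slide) */
#define NSET  4   /* Eagle 21 protection sets I-IV (slide) */

/* Assumed scaling: a 4-20 mA level loop converted to 0..1000 counts. */
#define RAW_MIN 0
#define RAW_MAX 1000
#define LO_LEVEL_SETPOINT 250   /* assumed low S/G level setpoint, counts */

typedef enum { CH_NO_TRIP = 0, CH_TRIP = 1, CH_FAILED = 2 } chan_state_t;

/* Setpoint comparison with a parameter boundary check: a value the loop
 * cannot physically produce is reported as a failed channel, never compared. */
chan_state_t compare_channel(int raw)
{
    if (raw < RAW_MIN || raw > RAW_MAX)
        return CH_FAILED;
    return raw < LO_LEVEL_SETPOINT ? CH_TRIP : CH_NO_TRIP;
}

/* AMSAC actuation logic processor: 3-of-4 coincidence over healthy, tripped
 * channels.  Output is energize-to-actuate, so a halted processor drives nothing. */
bool amsac_alp_output(bool alp_running, const int raw[NCHAN])
{
    if (!alp_running)
        return false;
    int tripped = 0;
    for (int i = 0; i < NCHAN; i++)
        if (compare_channel(raw[i]) == CH_TRIP)
            tripped++;
    return tripped >= 3;
}

/* 2-of-3 majority vote over the processors.  A de-energized cabinet cannot
 * energize the output relays, so loss of power actuates nothing. */
bool amsac_actuates(bool cabinet_powered, const bool alp_running[NALP],
                    const int raw[NCHAN])
{
    if (!cabinet_powered)
        return false;
    int votes = 0;
    for (int i = 0; i < NALP; i++)
        if (amsac_alp_output(alp_running[i], raw))
            votes++;
    return votes >= 2;
}

/* Eagle 21 partial trip from one protection set, de-energize-to-trip: loss of
 * rack power or a processor halt drops the energized "no trip" output, which
 * reads as a trip.  A failed input is also taken as a partial trip (assumed
 * conservative choice for this model). */
bool eagle21_partial_trip(bool rack_powered, bool processor_running, int raw)
{
    if (!rack_powered || !processor_running)
        return true;
    return compare_channel(raw) != CH_NO_TRIP;
}

/* Reactor trip from the four partial trips; 2-of-4 coincidence assumed
 * for the solid state protection system. */
bool eagle21_trips(const bool rack_powered[NSET], const bool running[NSET],
                   const int raw[NSET])
{
    int partial = 0;
    for (int i = 0; i < NSET; i++)
        if (eagle21_partial_trip(rack_powered[i], running[i], raw[i]))
            partial++;
    return partial >= 2;
}

/* Constructed sample inputs, not plant data. */
static const int  LEVEL_ALL_LOW[NCHAN] = {200, 210, 190, 220};
static const int  LEVEL_ALL_OK[NCHAN]  = {600, 610, 590, 620};
static const int  LEVEL_ONE_BAD[NCHAN] = {200, 210, 190, 5000}; /* one channel out of range */
static const int  LEVEL_TWO_LOW[NCHAN] = {200, 210, 600, 620};
static const bool ALL_RUN[NALP]        = {true, true, true};
static const bool ONE_HALTED[NALP]     = {true, false, true};
static const bool TWO_HALTED[NALP]     = {false, false, true};
static const bool SETS_ON[NSET]        = {true, true, true, true};
static const bool SETS_OFF[NSET]       = {false, false, false, false};

int main(void)
{
    printf("AMSAC, all channels low, one ALP halted:    %d\n",
           amsac_actuates(true, ONE_HALTED, LEVEL_ALL_LOW));
    printf("AMSAC, all channels low, cabinet unpowered: %d\n",
           amsac_actuates(false, ALL_RUN, LEVEL_ALL_LOW));
    printf("Eagle 21, levels normal, racks unpowered:   %d\n",
           eagle21_trips(SETS_OFF, SETS_ON, LEVEL_ALL_OK));
    return 0;
}
```

Build with `cc -std=c99 -Wall amsac_model.c`. The property worth noticing is the asymmetry the table describes: a halted processor or a de-energized cabinet removes AMSAC mitigation without producing a spurious actuation, while the same failures in the Eagle 21 model produce a trip, which is why the table reads "none, mitigative action not available" against "all rack trips initiated".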

Hardware Selection and Design

- Diversity to the module level
- Computer boards selected with different microprocessors
- Common power supplies utilized based upon system power source guidance and failure modes of systems
- Component level diversity shown to be impracticable due to broad use of industry standard devices

Module Level Commonality

(Venn diagram: EAGLE 21, 5 unique modules; AMSAC, 4 unique modules; common: Power Supply)

- Modules indicated are part of the trip or actuation path only
- Eagle 21 input modules include only the analog input module used for S/G level measurement
- Modules:

Eagle 21:
  Power supply
  EAI-01, analog input board
  Digital Filter Processor (iSBC 88/40A)
  Loop Calculation Processor (iSBC 286/12)
  Digital-to-Digital Conv. (iSBC 519)
  EPT-01, Partial Trip Output Board

AMSAC:
  Power supply
  High Voltage/current loop input board
  Actuation Logic Processor (iSBC 86/30/14 & iSBX 311)
  Majority Voter Board
  Output Relays

Active Component Commonality

(Venn diagram: EAGLE 21 279, common 56, AMSAC 102)

Active Component Summary (remaining AMSAC entries illegible in the scan)
                                        Eagle 21   AMSAC   Common
Input signal conditioning boards           50        28
A/D conversion & processors               246
Output processing & interface boards       39
Totals                                    335                 56

Active Component Commonality (Motorola)

(Venn diagram: EAGLE 21 282, MOTOROLA common 53, AMSAC 130)

Active Component Summary
                                        Eagle 21   AMSAC   Common
Input signal conditioning boards           50        28
A/D conversion & processors               246
Output processing & interface boards       39
Totals                                    335                 53

Software Design

- Separate software design teams
- AMSAC software designed and coded from ground up
- No common software
- Independent implementation of like functions resulted in:
  - Different code structure
  - Functional differences
  - Order of functions
  - Predictable source code
  - No interrupts
  - Re-entrant code prohibited
  - Continuous loop execution
  - Parameter boundary checks
  - Definition of all machine states
- Side-by-side source code comparison confirmed structure, functional and sequence differences

Software Tools

- PL/M-86 programming language used for both systems (compiler, linker, locater)
- Extensive industry use
- Over 10 years of reliable operation in Westinghouse digital systems
- Produces diverse object code from diverse source code
- Separate libraries and configuration controls

SOFTWARE DIVERSITY

- Diverse Design Team
- No Common Software Modules
- Diverse Source Code Structure
- Diverse Object Code

COMPILER AND COMMON MODE CONSIDERATIONS

- Westinghouse believes that compilers should be considered as a source of common mode failure.
- Westinghouse explicitly chose reliability over diversity in the selection of the Language and Compiler.
- Westinghouse feels that it is reasonable and practicable to use the same language/compiler for both Eagle-21 and AMSAC considering the multiple levels of defense.
- Westinghouse experience with PL/M-86 and the experience in unit test coverage with Eagle-21 and other Class 1E Systems leads Westinghouse to believe that the PL/M Compiler is not a credible contributor to the probability of Common Mode Failure at the System Level.

DEFENSE FROM COMPILER ERRORS

Multiple levels of defense against compiler errors:

1) Experience
2) Coding Standards
3) Unit Level Testing of Object Code

LEVELS OF DEFENSE - EXPERIENCE

- 10+ Years in the Field
- Safety Systems (Part 21 Environment)
  - Eagle-21 (9 installations)
  - QDPS (1 installation)
  - RVLIS/ICCM (27 installations)
  - IPS (1 installation)
  - PSMS (2 installations)
  - ASIS (1 installation)
  - NFMS (1 installation)
- Non-Safety Systems
  - AMSAC (16 installations)
- No Compiler Errors have been experienced in the field.

LEVELS OF DEFENSE - CODING STANDARDS

- Bounds Checking for Arrays, Expressions, Loops, and Case statements.
- Data Type usage.
- Real Number Stack Usage.
- Real Number Exceptions.
- Coding Standards Address Known Compiler Errors
- Compensate for Language Weaknesses
- Enforces Fault-Tolerant Programming Techniques
- Provides Design for Testability.

LEVELS OF DEFENSE - UNIT TESTING

- Coverage Criteria
- Tests are Executed on Compiled Object Code
- No Compiler Error has been discovered as a Part of Unit Testing.
- Testing Assures that the Compiler Output is Correct for Eagle-21 Applications.

WHY PL/M-86 FOR SAFETY CLASS SYSTEMS

- Industry Standard Systems Implementation Language.
- Language was developed by Intel, the Microprocessor Chip Manufacturer.
- A Close Mapping Exists between the Language Structure and the Microprocessor Resources. The Source Code Maps in a straightforward manner to the Object Code.
- Not a Complex Language or a Complex Compiler.

SOURCES OF POSSIBLE COMPILER ERRORS

- Fundamental Data Types.
- Call and Return Conventions.
- Implicit Type Conversion.
- Language Libraries.
- Language Implementation Standards/Ambiguities.
- Target Computers/Code Translation.
- Optimization.
- Operating System Interaction.

- Acceptable use of a common compiler involves both understanding and evaluation of the compiler and language itself in conjunction with detailed demonstration of correct compiler performance.
- Having provided multiple levels of defense, there is a reasonable and practicable assurance that common compiler errors will not cause Common Mode system level failures of the Eagle-21 and AMSAC systems.

Eagle 21/AMSAC Diversity PRA Assessment

Purpose: Demonstrate that the commonalities between Eagle 21 and AMSAC pose no significant degradation to plant safety and that the ATWS target core damage frequency of 1E-05 is met.

Approach:
- Use an ATWS model representative of DCPP to assess the impact of diversity on core damage frequency (DCPP PRA does not credit AMSAC)
- Assess the core damage frequency for the ATWS event assuming 1) complete diversity and 2) no diversity between Eagle 21 and AMSAC
- No attempt is made to evaluate the "degree" of diversity (common failures)

Key Assumptions:
- No diversity between Eagle 21 and AMSAC
- Eagle 21 is as reliable as the system it is replacing
- Reactor may be tripped via the RPS, OA to trip the plant, or OA to interrupt power to the MG sets (consistent with DCPP PRA)
- No diverse reactor protection system signal available

Results:

ATWS core damage frequency contribution with AMSAC (Westinghouse DCPP representative model):
- assuming complete diversity = 2.1E-07
- assuming no diversity = 2.8E-07
- increase in core damage frequency = 7.0E-08
- percent increase = 0.074% (7.0E-08 divided by the DCPP PRA core damage frequency of 9.5E-05 for internal events)

Based on the DCPP IPE submittal, the contribution to core damage frequency from ATWS events is 7.0E-07 (no AMSAC credit).

Conclusions:
- The increase in core damage frequency is negligible
- Conservative assessment assuming no diversity between Eagle 21 and AMSAC
- ATWS target core damage frequency is met