ML16342A198

Summary of 930712 Meeting W/Util in Rockville, Md to Discuss Licensee Proposed Eagle 21 Process Protection Sys Upgrade & Diversity of ATWS Mitigation Sys
ML16342A198
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 07/26/1993
From: Peterson S
Office of Nuclear Reactor Regulation
To:
Office of Nuclear Reactor Regulation
References
NUDOCS 9308130020


Text


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

July 26, 1993

Docket Nos. 50-275 and 50-323

LICENSEE: Pacific Gas and Electric Company (PG&E)

FACILITY: Diablo Canyon Nuclear Power Plant, Units 1 and 2

SUBJECT: SUMMARY OF JULY 12, 1993 PUBLIC MEETING TO DISCUSS THE LICENSEE'S PROPOSED EAGLE 21 PROCESS PROTECTION SYSTEM UPGRADE AND THE DIVERSITY OF THE ATWS MITIGATION SYSTEM

On July 12, 1993, the NRC staff met with the Pacific Gas and Electric Company (PG&E or the licensee) in Rockville, Maryland to discuss the issue stated above. A list of the attendees present at the meeting is enclosed. A copy of the licensee's presentation slides is also enclosed.

The proposed Westinghouse Eagle 21 upgrade at Diablo Canyon would replace the Westinghouse 7100 analog process protection equipment with digital equipment that is intended to improve the reliability and availability of the reactor protection system. The Eagle 21 upgrade is the subject of a license amendment request (LAR 92-05) submitted to the staff by PG&E on September 21, 1992.

The meeting was held to discuss the diversity between the licensee's existing Westinghouse-supplied digital anticipated transient without scram (ATWS) mitigation system (AMSAC) and the proposed Westinghouse Eagle 21 reactor protection system (RPS). The ATWS rule (10 CFR 50.62) requires that the AMSAC system installed at Diablo Canyon utilize diverse equipment from the RPS from sensor output to the final actuation device.

At the meeting, the licensee discussed the safety significance of the diversity issue and PG&E's diversity perspective, and proposed an ATWS mitigation enhancement. Although the licensee described certain commonalities between the two systems, they believe that Diablo Canyon would continue to meet the ATWS rule after installing the Eagle 21 RPS.

In its presentation, the licensee acknowledged that the Eagle 21 and the Westinghouse digital AMSAC use a common software language and compiler. The staff agreed that this was the single most important common aspect of the two systems; however, it was indicated that the staff has not yet decided that diversity of equipment for compliance with the ATWS rule requires different languages and compilers. In addition, the licensee stated that the AMSAC system installed at Diablo Canyon is reliable and that they are not comfortable with the risks associated with changing any aspect of the existing AMSAC system in order to gain additional diversity. The licensee referred to a draft WCAP on the diversity issue, and the staff requested that the WCAP be finalized and submitted on the licensee's docket.


The licensee and the staff discussed the limiting event that requires AMSAC system diversity to initiate a turbine trip and auxiliary feedwater, as being an ATWS in conjunction with a loss of feedwater. The licensee proposed to install an additional independent wide range steam generator level alarm in the control room and provide operator training, to provide additional assurance that operator action would occur to manually trip the turbine in the event a software failure occurs simultaneously with the limiting event. The staff noted that manual action should not be relied upon when the action is required in a short time period, such as the approximate two minutes required for this event at Diablo Canyon. As a result, the staff stated that such an additional alarm would not be appropriate.

Since the staff has not identified any concerns with the Eagle 21 upgrade other than the diversity issue, the staff agreed to issue a safety evaluation (SE) in September. The SE would address the acceptability of the Eagle 21 upgrade, leaving the issue of diversity open and to be addressed in a supplement when the level of diversity needed is resolved. The staff noted that closing the open item regarding diversity may require some modification to Diablo Canyon's existing AMSAC system.

The staff referred the licensee to NUREG-0493, the RESAR 414 defense-in-depth analysis, requesting that the licensee perform such an analysis on AMSAC and Eagle 21. The staff requested that the licensee's analysis use the blocks for performing the analysis as a means of defining common equipment, and identify what constitutes a reasonable level of diversity after failing the common blocks. The staff noted that emphasis should be on the control signal path and the logic imposed on the signal.

The licensee agreed to address these issues prior to a working level meeting with the staff to be scheduled for the second week in August.

Original signed by
Sheri R. Peterson, Project Manager
Project Directorate V
Division of Reactor Projects III/IV/V
Office of Nuclear Reactor Regulation

Enclosures:
1. List of Attendees
2. Presentation Slides

cc w/enclosures: See next page

DISTRIBUTION w/enclosure 2:
Docket File
NRC & Local PDRs
PDV Reading File
KPerkins, RV
SPeterson
TMurley/FMiraglia, 12G18
JPartlow, 12G28
EAdensam
OGC, 15818
ACRS (10), P-315
JRoe
DFoster-Curseen
AThadani, SE2
JWermiel, SD24
CThomas, 10H5
RLatta, 9A2
JMitchell, 17G21
TQuay
EJordan, 3701
OPC

NAME: DFoster-Curseen, SPeterson, JWermiel, TQuay, JRoe, WRussell, JPartlow
OFFICIAL RECORD COPY
DOCUMENT NAME: DCHTGSH.712


Pacific Gas and Electric Company
Diablo Canyon

cc:

NRC Resident Inspector, Diablo Canyon Nuclear Power Plant, c/o U.S. Nuclear Regulatory Commission, P.O. Box 369, Avila Beach, California 93424

Dr. Richard Ferguson, Energy Chair, Sierra Club California, 6715 Rocky Canyon, Creston, California 93432

Ms. Nancy Culver, San Luis Obispo Mothers for Peace, P.O. Box 164, Pismo Beach, California 93448

Ms. Jacquelyn C. Wheeler, 3303 Barranca Court, San Luis Obispo, California 93401

Managing Editor, The County Telegram Tribune, 1321 Johnson Avenue, P.O. Box 112, San Luis Obispo, California 93406

Chairman, San Luis Obispo County Board of Supervisors, Room 370, County Government Center, San Luis Obispo, California 93408

Mr. Truman Burns, Mr. Robert Kinosian, California Public Utilities Commission, 505 Van Ness, Rm. 4102, San Francisco, California 94102

Diablo Canyon Independent Safety Committee, ATTN: Robert R. Wellington, Esq., Legal Counsel, 857 Cass Street, Suite D, Monterey, California 93940

Mr. Steve Hsu, Radiologic Health Branch, State Department of Health Services, Post Office Box 942732, Sacramento, California 94234

Regional Administrator, Region V, U.S. Nuclear Regulatory Commission, 1450 Maria Lane, Suite 210, Walnut Creek, California 94596

Mr. Peter H. Kaufman, Deputy Attorney General, State of California, 110 West A Street, Suite 700, San Diego, California 92101

Mr. Mark Urban, Deputy Attorney General, State of California, 1515 K Street, Sacramento, California 95814

Christopher J. Warner, Esq., Pacific Gas & Electric Company, Post Office Box 7442, San Francisco, California 94120

Mr. John Townsend, Vice President and Plant Manager, Diablo Canyon Power Plant, P.O. Box 56, Avila Beach, California 93424

Mr. Gregory M. Rueger, Nuclear Power Generation, B14A, Pacific Gas and Electric Company, 77 Beale Street, Room 1451, P.O. Box 770000, San Francisco, California 94177


ENCLOSURE 1

ATTENDEES

JULY 12, 1993 MEETING BETWEEN THE NRC STAFF AND PG&E TO DISCUSS THE LICENSEE'S PROPOSED EAGLE 21 PROCESS PROTECTION SYSTEM UPGRADE AND THE DIVERSITY OF THE ATWS MITIGATION SYSTEM

NAME               ORGANIZATION
Sheri Peterson     NRR/PDV
Ashok Thadani      NRR/DSSA
William Russell    NRR/ADT
James Partlow      NRR/ADP
Jared Wermiel      NRR/HICB
Jack Roe           NRR/DRPW
Cecil Thomas       NRR/DRCH
Robert Lattia      NRR/DRIL
Bob Webb           PG&E
Roger Johnson      PG&E
Klemme Herman      PG&E
Warren Fujimoto    PG&E

EAGLE 21 AND AMSAC DIVERSITY

NRC Meeting
Rockville, MD
July 12, 1993

Agenda

• Introduction and Background
• PG&E approach for Diablo Canyon
• Safety significance and PG&E's diversity perspective
• Defense-in-depth analysis
• Conclusions

Introduction

• Issue - Does Eagle 21/AMSAC meet 10CFR50.62 diversity requirement?
• Purpose - Discuss safety significance, PG&E's perspective and proposed ATWS mitigation enhancement

Historical Information

• AMSAC started/installed: 1985/1988
• Eagle 21 started/installed: 1988/1994
• Eagle 21 LAR: September 1992
• WCAP-12813* including Defense-in-Depth Analysis: June 1993 (Rev 3)
• WCAP-Sl/NA(93)-160 (Draft) on Diversity: May 1993

* "Summary Report, Eagle 21 Process Protection System Upgrade for Diablo Canyon Power Plant Units 1 and 2"

Eagle 21/AMSAC Comparison

• Programming language and compiler
• Microprocessors
• Active components
• Design team members
• Power supplies

Digital I&C Upgrades

• NRC comment to NUMARC I&C Upgrade Guideline:

".... The most notable of these concerns is the use of software in safety related systems." (1)

".... 4.1.2.1 Since it is considered impossible to prove that software is error free, software failure is deemed to be credible." (2)

References:

(1) J. S. Wermiel, NRC, letter to Alex Marion, NUMARC, NRC Staff Comments on "Draft Guideline for Licensing Digital I&C Upgrades," June 2, 1993, page 1-2
(2) Ibid., page 4-3

PG&E Approach for Diablo Canyon

• Detailed diversity evaluation for Eagle 21/AMSAC
• Defense-in-depth analysis (NUREG 0493)
    - Assume Eagle 21 failure
    - One FSAR Chapter 15 event relies solely on AMSAC for mitigation
• Propose enhanced ATWS mitigation and diversity through independent operator information and action

PG&E Eagle 21/AMSAC Diversity Perspective

• Safety significance
• What was done
• PG&E's diversity views

SAFETY SIGNIFICANCE

• Eagle 21/AMSAC diversity very low safety significance
• ATWS CDF contribution with AMSAC:
    2.1 E-07 assuming complete diversity
    2.8 E-07 assuming AMSAC fails with every Eagle 21 failure
• Overall CDF for internal events: 8.8 E-05
• Increased CDF with no AMSAC diversity: 0.08%

What Was Done

• Separate design teams
• Different functional requirements
• Different system architecture
• Different hardware at the module level
• Software differences from different functional requirements
    - different source code
    - different object code

Software Tools

• PLM-86 programming language, compiler
• Different source code, different object code
• Steam generator narrow range level code for Eagle 21 and AMSAC are different

Microprocessors

• AMSAC - Intel 8086 microprocessor
• Eagle 21 - Intel 80286 microprocessor
• Common instruction set, but instruction execution different
• Differences
    - Physical
    - Architectural
    - Processing/Data Handling

Active Components

• AMSAC/Eagle 21 Active Components
    AMSAC'58
    Eagle 21: 335
    Common: 56
• Example Motorola MVME-based (68000 processor) AMSAC/Eagle 21 Active Components
    M-AMSAC: 183
    Eagle 21: 335
    Common: 53
• Foxboro Spec 200 Micro uses an 8086 processor and support devices
• Active components are a commodity

Design team members

• 36 primary design team members over life of both systems
• 3 common individuals (2 design, 1 technician)
    - 1 individual led hardware design on AMSAC, no design responsibility for Eagle 21, current product manager for Eagle
    - 1 individual led software design on AMSAC, minor work on Eagle 21 diagnostics

Power Supplies

• Power supplies are common
• Power supplies are commodity items
• Safety function not compromised:

Power Supply    On Fail    Low Output    Ripple
AMSAC           Trip       No Trip       No Trip
Eagle 21        Trip       Trip          Trip

• WCAP 12813*, Rev 3, June 1993 (NUREG 0493)
    - Loss of normal feedwater requires AMSAC
    - Consistent with Zion SER
• Enhanced ATWS mitigation diversity
    - Add S/G level alarm independent from Eagle 21 and AMSAC

* "Summary Report, Eagle 21 Process Protection System Upgrade for Diablo Canyon Power Plant Units 1 and 2"

PG&E Perspective

• Very low safety significance
• Eagle 21/AMSAC are reasonably diverse
• Defense-in-depth and common mode software failures
• ATWS mitigation enhancement
• Risk in modifying AMSAC