ML18163A392

June 13-14, 2018, Meeting Slide Regarding DI&C-ISG-06 Revision 2 NRC Tabletop Example D.2.2 New System Architecture
Site: Nuclear Energy Institute
Issue date: 06/13/2018
From: Odess-Gillette W
Nuclear Energy Institute
To:
Office of Nuclear Reactor Regulation
Golla J



DI&C-ISG-06 REVISION 2 NRC TABLETOP EXAMPLE D.2.2 New System Architecture
Warren Odess-Gillet (NEI)

[Email address]

Tabletop Example for ISG-06 AR D.2.2 New System Architecture 4/5/2018

Table of Contents
Introduction
Architecture
Allocation of Functions
Functional Architecture
Communications
Tricon Communications
ALS Communications
Non-Safety-Related MWS
Triconex Communications with MWS
ALS Communication with MWS
Tricon and ALS configurations
I/O Modules
Manual Trip and Reset
Power Supply
Plant Power
Chassis Power
I/O Power
Interface to Existing Control Board Display Indications
PPS Testing Capabilities
Failure Modes and Effects Analysis (FMEA)
Post-Accident Monitoring
IEEE Std 603 and IEEE Std 7-4.3.2 Conformance

Table of Figures
Figure 1: [Figure 4-1] WEC Pressurized Water Reactor RPS Concept
Figure 2: [Figure 3-1] Eagle 21 PPS
Figure 3: [Figure 3-2] PPS Replacement
Figure 4: [Figure 4-4] Typical Replacement Protection Set
Figure 5: [Figure 4-5] Simplified Functional Architecture
Figure 6: [Figure 3-3] PPS Replacement Communications
Figure 7: [Figure 4-13] PPS Replacement Communications Single Protection Set
Figure 8: [Figure 4-7] Tricon Triple Modular Redundant Architecture
Figure 9: [Figure 4-8] Generic ALS FPGA Architecture
Figure 10: [Figure 4-10] Triconex Trip Output Diagnostic
Figure 11: [Figure 4-9] ALS Diversity Architecture


Introduction

This is an example license amendment request (LAR) description to address the draft ISG-06 Revision 2 Section D.2.2, New System Architecture. It is based on the Diablo Canyon Power Plant (DCPP) Process Protection System LAR, ADAMS Accession Number ML11307A332. Architecture-related text, drawings, and tables were aggregated into a single section based on the D.2.2 description. Any missing information was identified.

Architecture

Throughout this document, mention will be made of Process Protection Sets and channels. It is important to understand these terms as used at DCPP because the terminology is somewhat different from that used at other installations. A process channel is an arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition [FSAR [xx] Section 7.1]. Redundant process instrumentation channels are separated by locating the electronics in different protection "sets". The PPS at DCPP is comprised of four such Protection Sets. Each Protection Set is further comprised of various process "channels".

The existing Eagle 21 Process Protection System (PPS) four redundant Protection Sets, as shown in Figures 4-1 and 3-1, will be replaced with four redundant and independent Protection Sets (Protection Set I, Protection Set II, Protection Set III, Protection Set IV) that receive input from sensors and provide output to two trains (Train A and Train B) of the SSPS.

Figure 3-2 contains an overview of the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) including a simplified representation of the PPS replacement. The PPS Replacement Project replaces in its entirety the Westinghouse Eagle 21 PPS hardware currently housed in PPS Racks 1-16 as illustrated in the shaded portion of Figure 3-2 (corresponding to the shaded portion of Figures 4-1 and 3-1). Equipment in the unshaded portion of Figure 3-2 is not being replaced or modified by this project.

Each Protection Set in the PPS replacement contains a software-based Triconex Tricon V10 processor subsystem described in the Triconex Topical Report [xx] and a diverse safety-related CSI ALS subsystem described in the ALS Topical Report [xx]. The PPS replacement is based on the Tricon PLC, Version 10, described in the Tricon V10 Topical Report Submittal [xx] and the CSI ALS described in [xx]. The proposed project replaces in its entirety the current Westinghouse Eagle 21 PPS with a new PPS that has improved reliability, diversity, diagnostic, and testing capabilities.

Both replacement digital platforms, Tricon and ALS, are located in the same cabinets that house the existing PPS. Figure 3-2 shows the maintenance workstation (MWS) located in the protection set racks.

Commented [wog1]: j. physical location(s) of existing system equipment in the plant


The PPS replacement is used as a direct replacement for the existing Eagle 21 PPS and has mostly the same design basis as the existing Eagle 21 PPS:

The following are other changes to the PPS architecture in addition to the platform changes:

• The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms are being removed from the PPS as discussed in the PPS replacement Conceptual Design Document (CDD) [xx]. The feedwater flow signals are non-safety-related and will be input to the Digital Feedwater Control System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.

• As described in the PPS replacement CDD [xx], the spare RTDs in the thermowell of each hot leg will now be activated for use by the PPS replacement. Each thermowell contains two RTDs and currently only one in each thermowell is available for the averaging process. In the PPS replacement, a wiring change will enable the use of all 6 RTDs for this averaging process. This should improve measurement accuracy for Delta T/Tavg and increase conservatism.

Commented [wog2]: a) system design functions
Commented [wog3]: d) connections and internal interfaces within the safety system, including cross-divisional interfaces and interfaces between components


Figure 1: [Figure 4-1] WEC Pressurized Water Reactor RPS Concept

Figure 2: [Figure 3-1] Eagle 21 PPS


Figure 3: [Figure 3-2] PPS Replacement

Each Protection Set is independent of the other Protection Sets and is protected from adverse influence from the other Protection Sets. The PPS replacement does not utilize or implement interdivisional safety-to-safety communications. Within a protection set, the PPS replacement does incorporate safety-to-non-safety communications. The PPS replacement architecture is designed to ensure that communications between safety and non-safety equipment that resides within the Protection Set adhere to the guidance described in the ISG-04 Staff Positions.

Each of the four Protection Sets contains a non-safety-related maintenance workstation (MWS) for the Tricon and a MWS for the ALS.

The NRC D3 SER [x] determined that the design addresses Staff Position 1 of ISG-02 [x] adequately.

Allocation of Functions

The same Eagle 21 functions will be performed by the PPS replacement. Figure 4-4 shows the channel assignments (inputs and protective action signals) for a single protection set.

Figure 4: [Figure 4-4] Typical Replacement Protection Set

Commented [wog4]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)

d) connections and internal interfaces within the safety system, including cross-divisional interfaces and interfaces between components
Commented [wog5]: g. connections between safety-related and non-safety-related systems and identification of signal and data isolation devices
Commented [wog6]: g. connections between safety-related and non-safety-related systems and identification of signal and data isolation devices

Commented [wog7]: a) System Design Functions


Functional Architecture

Figure 4-5 illustrates typical functional architecture for a single Eagle 21 replacement Protection Set.


Figure 5: [Figure 4-5] Simplified Functional Architecture


Communications

Figure 3-3 provides a simplified representation of the communications architecture for a single Protection Set.


Figure 6: [Figure 3-3] PPS Replacement Communications


Tricon Communications

There are no communications paths between redundant Protection Sets in the Tricon portion of the PPS replacement. The non-safety-related MWS within each redundant Protection Set communicates only with the safety-related Tricon PLC within that Protection Set. The Tricon Communications Module (TCM) output media from the Tricon is fiber optic to provide electrical isolation. A media converter converts the fiber optic media to Ethernet.

A NetOptics Model PACU port aggregator tap device is utilized to ensure that only one-way communication takes place between the Tricon processors and the Plant Process Computer (PPC) Gateway Computer. The NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS. The non-safety PPC Gateway computer is shared by all four Protection Sets.

The PPS replacement design incorporates the NetOptics Model PACU port aggregator tap device shown in Figure 4-13 to ensure that only one-way communication takes place between the Tricon processors and the PPC Gateway Computer.

Commented [wog8]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)


Figure 7: [Figure 4-13] PPS Replacement Communications Single Protection Set

The port aggregator tap is a hardware device that is installed between the Tricon processor, the MWS, and the Gateway computers. Ports A and B of the NetOptics are respectively connected to the Tricon TCM fiber optic NET2 port through a fiber optic to copper media converter and directly to the MWS associated with the Tricon via copper Ethernet. The PPC Gateway is connected to Port 1 of the NetOptics device, thus providing one-way communications from the PPS replacement system to the PPC. This design ensures that no data or command messages can be sent from the PPC to the MWS.

The data link protocol from the NetOptics to the MWS and to the TCM media converter is Triconex NET2. The port aggregator tap copies all information that is flowing between Ports A and B to Port 1 of the data aggregator. Neither Port A nor B of the NetOptics can read data from Port 1 of the data aggregator, and Port 1 cannot transmit data to Port A or Port B.

There is no transmitting capability from NetOptics Port 1 back to Ports A or B, which ensures security of the Tricon safety function. This NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS.

Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L); the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PACU/PADCU1PACU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [xx]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

The P2P communication capability provided by the TCM is not used for the PPS replacement.

Specific Tricon Main Processor and System Bus PPS Replacement Project compliance with ISG-04 [x] is addressed in Sections 3.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [xx].

Reference 2.5.35 [xx] in the Tricon V10 Topical Report Submittal [xx] describes the Tricon V10 conformance to ISG-04 [x]. The TCM handles all communications with external devices, and it has been qualified under the IOM Appendix B program for nuclear applications. Upon total loss of all TCMs, the main processors continue to function.

Specific PPS Replacement Project TCM compliance with ISG-04 is addressed in Sections 4.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [xx].

ALS Communications

There are no communication paths between redundant safety divisions in the ALS portion of the PPS replacement as shown in Figure 3-3. The two Electronic Industries Alliance EIA-422 standard ALS communication channels (TxB1 and TxB2) from the ALS-102 in each ALS chassis to the Gateway computer and the MWS, respectively, are isolated, serial, and one-way (transmit only). The communications channels do not receive any data, handshaking, or instructions from the Gateway computer. The ALS processes reactor coolant system (RCS) temperature signals and transmits the conditioned and scaled data to the Tricon via analog 4-20 milliampere (mA) signals.

Commented [wog9]: Previously approved (see below). Is it necessary to provide such detail in the LAR for an item that has regulatory precedence?
Commented [wog10]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)

The Test ALS Bus (TAB) communication channel provides communications between ALS Service Unit (ASU) maintenance software in the MWS and the ALS chassis. This Electronic Industries Alliance EIA-485 standard communication path is normally disabled, with two-way communication permitted only when a hardwired switch is closed to complete the circuit from the MWS back to the ALS. No communication is allowed on the TAB if the switch is not closed. The Protection Set containing the ALS chassis remains functional with TAB communications enabled. The information is collected in a non-obtrusive manner and does not affect the ongoing operation of the system.

The PPS replacement application does not utilize the ALS-601 Communications Board described in the ALS Topical Report Submittal [xx]. Two (2) independent, dedicated, serial, transmit-only (no handshake) EIA-422 communication channels (TxB1 and TxB2) provided by the ALS-102 provide information to external systems [Figure 4-6]. The ALS-102 transmits application-specific input and output states and values continuously to the MWS (which performs the function of the ASU) via the one-way RS-422 communication channel TxB2 on the ALS-102. The second, one-way RS-422 communications channel, TxB1 on the ALS-102, transmits application-specific input and output states and values continuously to the non-safety PPC.

Non-Safety-Related MWS

Separate MWS are used to view data from the Tricon and the ALS and to maintain the Tricon and the ALS in a given protection set. One non-safety-related MWS is used to maintain and configure the Tricon and to view data from the Tricon. Another MWS is used to view data from the ALS. When the TAB has been placed in service as described above, the MWS is used to perform the maintenance functions associated with the ASU.

A MWS may access data only within its own Protection Set. Communication of any MWS with any other Protection Sets is not possible. There are no means of connecting any Protection Set to another MWS without reconfiguring the Protection Set controllers and communications cabling. There are no communications switches in the architecture that could allow inadvertent connection of a MWS or other device to a Protection Set.

Triconex Communications with MWS

Under operating plant conditions the MWS simply displays plant parameters and diagnostic information. The controls for access to functions beyond displaying data are security-related information per 10 CFR 2.390 and will be provided in a separate letter to the NRC staff. The MWS will be used for injecting test values and modifying Tricon safety system parameters. Use of the MWS is in accordance with site-specific administrative (procedural) and physical access controls.

Commented [wog11]: b) Service/Test Functions
Commented [wog12]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
Commented [wog13]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)


Data isolation between the safety-related Tricon control processor and the non-safety MWS is performed by the safety-related TCM. Fiber optic cable electrically isolates the Tricon from external non-safety-related devices.

The Tricon application software utilizes the safety-critical Tricon library functions "GATENB" and "GATDIS" to control MWS access to the Tricon in RUN mode. To update a parameter, the technician places the safety-related, instrument-loop-specific out-of-service switch in the closed position. The Tricon will activate the preprogrammed "GATENB" and "GATDIS" functions to open a data window of limited range. Prior to updating the parameter in the Tricon control program, the new value will be staged on the MWS screen for acknowledgement. After the changes have been made and the maintenance technician has placed the switch in the open position, the safety-related control logic will close the data window to prevent further changes. The MWS interface will also have protective measures built in, such as password-protected logon and role-based security functions, to ensure only authorized individuals have the ability to update tuning parameters. If the out-of-service switch is deactivated before the change is made, the safety-related control logic will return the instrument loop to normal operation automatically.

A similar series of request/confirm actions is used to direct maintenance and test functions from the MWS, always under control by the safety-related Tricon application program.

Communication between a safety-related Tricon controller and a non-safety device as shown in Figure 4-13 is discussed in Sections 3.2 and 5.0 of the Triconex platform ISG-02 and ISG-04 compliance document [xx] and Sections 4.1 and 5.0 of the DCPP ISG-04 compliance document [xx]. Section 4.0 of Appendix 1 to the Triconex platform conformance to DI&C-ISG-02 and ISG-04 [xx], "Non-safety VDU Communication to TRICON Example", discusses the use of the MWS and "GATENB/GATDIS". The GATENB/GATDIS functions are also discussed in Section 4.1 and Section 5.0, Point 3 of the DCPP-specific evaluation of conformance to DI&C-ISG-04 [xx].
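The switch-gated parameter update described above, as an added model that is not part of the LAR example and not Triconex code: the safety-side logic decides whether an MWS write is honoured, and the non-safety side can only request. The class and method names, the "limited range" window limits and the loop tags are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class LoopState(Enum):
    NORMAL = auto()          # out-of-service switch open, data window closed
    OUT_OF_SERVICE = auto()  # switch closed, data window open for this loop


@dataclass
class ParameterGate:
    """Safety-side logic for one instrument loop's tunable parameter.

    The non-safety MWS can only request a change; this logic decides whether
    the hardwired switch permits it and whether the value lies inside the
    limited-range data window the page says GATENB/GATDIS open.  The class,
    method names and window limits are assumptions for illustration.
    """
    name: str
    value: float
    window_lo: float
    window_hi: float
    state: LoopState = LoopState.NORMAL
    staged: Optional[float] = None
    log: List[str] = field(default_factory=list)

    # --- hardwired out-of-service switch, read by the safety application ---
    def switch_closed(self) -> None:
        """Technician closes the loop-specific switch: the window opens."""
        self.state = LoopState.OUT_OF_SERVICE
        self.log.append(f"{self.name}: window open [{self.window_lo}, {self.window_hi}]")

    def switch_opened(self) -> None:
        """Switch opened: the window closes and any value that was staged but
        never acknowledged is discarded, so the loop returns to normal."""
        if self.staged is not None:
            self.log.append(f"{self.name}: staged value {self.staged} discarded")
        self.staged = None
        self.state = LoopState.NORMAL
        self.log.append(f"{self.name}: window closed, loop normal")

    # --- requests arriving from the non-safety MWS ---
    def stage(self, new_value: float) -> bool:
        """Stage a value for acknowledgement.  Refused while the window is
        closed (RUN mode) or when the value is outside the limited range."""
        if self.state is not LoopState.OUT_OF_SERVICE:
            self.log.append(f"{self.name}: write refused, window closed")
            return False
        if not (self.window_lo <= new_value <= self.window_hi):
            self.log.append(f"{self.name}: {new_value} outside window, refused")
            return False
        self.staged = new_value
        return True

    def acknowledge(self) -> bool:
        """Acknowledge the staged value; only now is the parameter updated."""
        if self.state is not LoopState.OUT_OF_SERVICE or self.staged is None:
            return False
        self.value, self.staged = self.staged, None
        self.log.append(f"{self.name}: parameter updated to {self.value}")
        return True


def demo_sequences() -> dict:
    """Run the three sequences the text describes on constructed loops."""
    results = {}
    # 1. RUN mode with the switch open: the MWS write is refused outright.
    g = ParameterGate("LOOP-1", value=50.0, window_lo=45.0, window_hi=55.0)
    results["refused_in_run"] = (g.stage(52.0), g.value)
    # 2. Switch closed: out-of-window value refused, in-window value staged,
    #    acknowledged, then the switch is opened and the window closes again.
    g.switch_closed()
    results["out_of_window"] = g.stage(70.0)
    g.stage(52.0)
    g.acknowledge()
    g.switch_opened()
    results["after_update"] = (g.value, g.state is LoopState.NORMAL, g.stage(53.0))
    # 3. Switch opened before acknowledgement: the change is dropped and the
    #    loop is back in normal operation automatically.
    h = ParameterGate("LOOP-2", value=10.0, window_lo=8.0, window_hi=12.0)
    h.switch_closed()
    h.stage(11.0)
    h.switch_opened()
    results["abandoned"] = (h.value, h.staged, h.state is LoopState.NORMAL)
    return results


if __name__ == "__main__":
    for key, val in demo_sequences().items():
        print(key, val)
```

The MWS-side controls the page mentions (password-protected logon, role-based functions) are deliberately left out: they sit on the non-safety side and are not what closes the window.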

ALS Communication with MWS

Communications from the ALS to the MWS are via the transmit-only (no handshake) ALS-102 communication channel TxB2. The TxB2 communications channel does not receive any data, handshaking, or instructions from the MWS.

Two-way TAB communications between ASU application software in the MWS and the ALS chassis are used to perform ALS maintenance and calibration functions. This EIA-485 communication path is normally disabled, with two-way communications permitted only when a hardwired switch is closed to complete the circuit between the MWS and the ALS chassis. Communications on the TAB are not possible if the switch is open.

The EIA-422 communications channels on the ALS-102, as discussed in Section 3.9 of the 600261202 ALS-102 Design Specification [xx], are electrically isolated and inherently one-way; therefore the use of the NetOptics device is not required.

Commented [HD14]: If this is covered by the topical report it would not be in the LAR.

Commented [wog15]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)


Tricon and ALS configurations

The DCPP Conceptual Design Document (CDD) [xx], Functional Requirements Specification (FRS) [xx], Interface Requirements Specification (IRS) [xx] and Controller Transfer Function Requirements Specification [xx] specify the overall functional requirements of the PPS replacement.

The Tricon subsystem of the PPS replacement utilizes three safety-related Model 3008N Main Processor modules to control the three separate legs of the system shown in Figure 4-7. A 32-bit primary processor in each Main Processor module manages execution of the control program and all system diagnostics at the Main Processor module level. Between the primary processors is a dedicated dual-port random access memory (DPRAM) allowing for direct memory access data exchanges. All external communication is through separate microprocessors, located on separate modules installed in the Main Chassis. The dual microprocessor architecture structure described above thus complies with Position 4 of DI&C-ISG-04 [x] by executing the communications process separately from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function.

Figure 8: [Figure 4-7] Tricon Triple Modular Redundant Architecture

The ALS-102 Core Logic Board (CLB) is the primary decision-making board in the ALS field programmable gate array (FPGA) system, and contains all the application-specific logic circuits that define and control the operation of a given system. Figure 4-8 shows the relationship of the CLB with the rest of the ALS configuration.


Figure 9: [Figure 4-8] Generic ALS FPGA Architecture


I/O Modules

As shown in Figure 4-7, Tricon TMR input modules contain three separate, independent processing systems, referred to as legs, for signal processing (Input Legs A, B, and C). The legs receive signals from common field input termination points. The Triconex I/O modules listed in Table 4-6, voting processes, and fault detection processes are described in Section 2.1.2.7 of the Tricon V10 Topical Report Submittal [xx]. These I/O Module types are used in the PPS replacement and are described in Reference 2.5.30 of the Tricon V10 Topical Report Submittal [xx].

The ALS Input Boards perform sensor sampling, signal conditioning, filtering, and analog-to-digital conversion of field input signals. Input Boards perform specific input functions, such as 24 V or 48 V digital contact sensing, 4-20 mA analog inputs, 0-10 V analog inputs, resistance temperature detector (RTD) inputs, or thermocouple (TC) inputs. The ALS Input Boards used in the PPS replacement are listed in Table 4-7 and described in Section 2.2 of the ALS Topical Report Submittal [xx].

The ALS Output Boards provide signals to control field devices such as actuators, indicators, and relays. The output modules, fault detection, configuration and data validation processes are described in Section 2.2 of the ALS Topical Report Submittal [xx]. The ALS Input Boards used in the PPS replacement are listed in Table 4-7. ALS Output Boards are used to provide 4-20 mA signals to the Tricon in the same Protection Set.

The design specifications listed in Table 4-7 describe I/O board fault detection, configuration, and data validation processes.


Manual Trip and Reset

The system-level manual trip and actuation functions are hardwired and are not affected by the PPS replacement. Once initiated, protective actions run to completion. Reset of the protective action must be initiated manually after the initiating cause is no longer present.

Power Supply

Plant Power

The PPS is supplied vital uninterruptible AC power from four electrically independent and physically separated 120 VAC distribution panels. This is unchanged and outside the scope of the modification.

Each distribution panel is supplied from a separate, dedicated inverter and from a backup common 480 VAC vital bus. An inverter can be fed from the 125 VDC vital system or from the 480 VAC vital system.

Chassis Power

The Triconex PPS subsystem utilizes two redundant Triconex power supply modules in each chassis. The power supply modules have been qualified by Triconex per the Tricon V10 Topical Report Submittal [xx] and operate from the redundant uninterruptible 120 VAC safety-related instrument power supply used to power the existing Eagle 21 PPS. Each power supply module is rated for 175 watts, which is sufficient to supply the power requirements of a fully populated chassis. Two different power supply modules can be used in a single chassis. The PPS replacement utilizes 120 VAC modules. The Triconex power supply modules are described in Section 2.1.2.5 of the Tricon V10 Topical Report Submittal [xx].

The power supply system in each ALS safety system cabinet is comprised of two qualified, independent AC/DC power supplies (supplied by PG&E). Each power supply is designed to provide 150 percent of the cabinet load, and operates in a redundant configuration. They are redundant, hot-swappable, and capable of being replaced while the system is operational without interruption of power to the ALS chassis or other safety system components. The 48 VDC from the redundant cabinet power supplies is fed to the ALS chassis, where they are diode-auctioneered to provide a single local 48 VDC supply. The power supplies are mounted in the same cabinet as the ALS chassis. Each ALS PPS subsystem chassis is powered via the Backplane Assembly from an external dual redundant power supply system. The cabinet load consists of all ALS platform components and peripheral devices. The ALS A and ALS B subchannels are supplied by the same 48 VDC power supplies (typical for each Protection Set). The ALS power supply and distribution within the ALS chasses is described in Section 2.6.2 of the ALS Topical Report Submittal [xx] and in Section 4.2.1 of the ALS Platform Specification [xx].

Commented [wog16]: e) connections to human-system interfaces
Commented [wog17]: i. interface with supporting systems (e.g., electrical power supply)

There is no discussion of HVAC in the LAR.

The SyRS addresses the HVAC and electrical power supporting systems.

• Separate I/O power supplies are provided and qualified by PG&E during detailed design for the Triconex and ALS subsystems. *It is understood that this would need to be provided as part of the LAR for the AR process.*

I/O Power

The Tricon and the ALS subsystem in each Protection Set are provided with their own pair of safety-related adjustable redundant loop power supplies capable of powering all 4-20 mA instrument input loops associated with that subsystem. *Operating voltage will be selected during detailed design to power instrument loops without exceeding voltage limitations of instrument loop sensors (transmitters). It is understood that this would need to be provided as part of the LAR for the AR process.*

De-energize-to-trip discrete Triconex outputs to the SSPS and auxiliary relays utilize the 120 VAC safety-related PPS instrument power supply. Energize-to-trip discrete Triconex outputs to the SSPS and auxiliary relays are powered by safety-related redundant 24 VDC power supplies. Other discrete Triconex outputs are powered by the external system.

Triconex discrete inputs are powered by redundant 24 VDC power supplies, except trip output loopback signals, which are powered by the 120 VAC discrete output (DO) [Figure 4-10]. Triconex analog 4-20 mA output loops are powered by redundant 24 VDC power supplies. The Triconex qualification requires that separate power supplies be used for analog and digital I/O.

Commented [wog18]: Gap that would be included in an AR LAR.

Commented [wog19]: Gap that would be included in an AR LAR.


Figure 10: [Figure 4-10] Triconex Trip Output Diagnostic

All discrete ALS outputs to the SSPS are powered by safety-related 120 VAC Protection Set power. Other discrete ALS outputs such as output signals to the Main Annunciator System (MAS) are powered by the external system. Discrete ALS inputs are powered by safety-related redundant 48 VDC power supplies.

Analog ALS 4-20 mA outputs are powered by the ALS internal power supply. The feedback signals shown in Figure 4-9 are powered by the redundant, safety-related 48 VDC discrete input power supply.

Commented [wog20]: f. connections between safety-related systems


Figure 11: [Figure 4-9] ALS Diversity Architecture

Failure of any Tricon or ALS I/O power supply is alarmed on the control room MAS.

Interface to Existing Control Board Display Indications

The ALS System Requirements Specification [xx] and the Triconex SRS [xx] define the requirements for interfacing with existing DCPP control board indications.

PPS Testing Capabilities

The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition, and when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS replacement permits periodic testing during reactor power operation without initiating a protective action from the channel under test.

External hardwired switches are provided on all PPS replacement trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed.

Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches (ALS) and out-of-service switches (Tricon) is indicated through the MAS.

Commented [wog21]: f. connections between safety-related systems
Commented [wog22]: e. connections to human-system interfaces
Commented [wog23]: a) Service/Test Functions

The LAR does not go through each self-diagnostic feature. This is a gap.

In the DCPP case TS SRs did not change. If TS SRs are changed, the diagnostic coverage and hooks to application would need to be described.


The Triconex portion of the PPS replacement continuously performs diagnostic functions as described in the Tricon V10 Topical Report Submittal [xx]. Specific PPS replacement test and calibration functions and application diagnostics are supported by the platform but implemented in the application program.

An example of such a diagnostic is a mismatch check that compares the trip demand from the PPS to a feedback signal. A mismatch occurs if the trip demand signal does not agree with the feedback signal, as shown in Figure 4-10 above. Triconex self-test methodology is described in Sections 2.1.2.6 (Main Processor module), 2.1.2.7 (I/O Modules), and 2.1.2.8 (TCM) of the Tricon V10 Topical Report Submittal [xx].

If online testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment.

During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode.

Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer timeout. Refer to:

Tricon V10 Topical Report Submittal [xx] Sections 2.1.2.6, 2.1.3.1, 2.2.10
Appendix B to Tricon V10 Topical Report Submittal [xx] Sections 3.9.A, 3.9.B, 5.3.V
ALS Topical Report Submittal [xx] Section 2.3
ALS System Requirements Specification [xx] Sections 2.7.2, 2.7.3
ALS System Design Specification [xx] Section 5.2.5

The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [xx], Sections 3.0, 5.0, and 6.0.

Section 3.1.1.3 of the ALS Topical Report Submittal [xx] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection. Section 3.2 of the ALS Topical Report Submittal [xx] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.

Section 3.4 of the ALS Topical Report Submittal [xx] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.

A trouble alarm is generated upon detection of an input failure or an out-of-range low or out-of-range high input condition at 5 percent (low) and 105 percent (high) of span.


Failure Modes and Effects Analysis (FMEA)

The platform-level FMEA and reliability analyses for the Tricon digital platform have been reviewed and accepted by the NRC. In the Tricon V10 Topical Report Submittal [xx], Section 2.2.12 "Reliability and Availability," both reliability and availability were calculated with the assumption that periodic testing will uncover faults that are not normally detected by the Tricon system. For test periods ranging from 6 to 30 months the calculated reliability and availability were greater than 99.9 percent, which exceeds the EPRI recommended goal found in EPRI TR-107330 [xx], Section 4.2.3 "Availability, Reliability and FMEA."

For a periodic test interval of 18 months the reliability is 99.9987 percent and the availability is 99.9990 percent.

For the FPGA-Based ALS PPS Equipment, in the ALS Topical Report Submittal [xx] reliability numbers were calculated for seven different types of modules. These calculations can be found in the following documents: 600210212 ALS102 FPA FMEA and Reliability Analysis [xx], 600230212 ALS302 FPA FMEA and Reliability Analysis [xx], 600231112 ALS311 FPA FMEA and Reliability Analysis [xx], 600232112 ALS321 FPA FMEA and Reliability Analysis [xx], 600240212 ALS402 FMEA and Reliability Analysis [xx], and 600242112 ALS421 FPA FMEA and Reliability Analysis [xx].

  • The system-level PPS replacement Failure Modes and Effects Analysis (FMEA) will be completed during Phase 2. - It is understood that this would need to be provided with the LAR for the AR process*

Post-Accident Monitoring

Post-accident monitoring capabilities are enhanced with the PPS replacement. With the exception of steam flow, reactor coolant flow, and temperature (loop wide range, loop Tavg, loop Delta T, and Pressurizer vapor temperature), all provided PPS process indications are from the transmitter input (via qualified isolation devices where required) and are not processed by the digital PPS replacement equipment. The temperature, steam flow, and reactor coolant flow analog inputs require processing (RTD conversion or square root conversion) that is performed in the PPS, as is currently done in the Eagle 21 PPS.

Critical indications, such as those required for post-accident monitoring (PAM), are derived from raw instrument loop signals at the front end of the Replacement PPS, independent of any digital processing.

Isolation of non-safety-related signals from safety-related signals is performed by qualified isolation devices. Refer to the PPS replacement FRS [xx] and IRS [xx] for requirements.

Note that Figure 4-5 identifies Class 1B PAM functions and their signals are acquired directly from the Class I input signals. No isolation is necessary because the input loop is the correct classification. Details are provided in the IRS.

IEEE Std 603 and IEEE Std 7-4.3.2 Conformance

The clauses of IEEE Std 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and IEEE Std 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations pertaining to system architecture are addressed in this section.

Commented [wog24]: FMEA will be part of the LAR.

IEEE Std 603 Clause 5.7: Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987 [x]. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:

(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),

(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and

(3) the capability shall be provided while the generating station is shut down.

The PPS replacement is a digital replacement for the existing digital Eagle 21 PPS at DCPP. The capability for testing and calibration of the PPS replacement is not significantly different from that of the existing Eagle 21 PPS. The PPS replacement provides enhanced self-testing and diagnostic functions that reduce the likelihood of undetected failures in both the Tricon and ALS subsystems. However, the existing Eagle 21 technical specification surveillance requirements (SR) do not require revision as a result of this project.

The requirement for periodic testing is addressed by channel calibrations. The channel calibrations are performed online using the bypass capability of the channel or during refueling outages when the PPS is not required to be operable. Calibration and testing will be performed according to approved procedures that establish specific surveillance techniques and surveillance intervals intended to maintain the high reliability of the PPS replacement.

If online testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment.

During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode.

Administrative procedures will provide appropriate guidance in the event a portion of the PPS replacement is in bypass or is manually tripped. These procedures are augmented by automatic indication at the system level that the system is in bypass or that a portion of the protection system and/or the systems actuated or controlled by the protection system is tripped.

Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer timeout. Refer to:

Commented [wog25]: b. service/test functions


  • Tricon V10 Topical Report Submittal [xx] Section 2.1.2.6, 2.1.3.1, 2.2.10
  • Appendix B to Tricon V10 Topical Report Submittal [xx] Section 3.9.A, 3.9.B, 5.3.V
  • ALS Topical Report Submittal [xx] Section 2.3
  • ALS System Requirements Specification [xx] Section 2.7.2, 2.7.3
  • ALS System Design Specification [xx] Section 5.2.5

The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [xx].

Platform compliance with this clause is discussed in Tricon V10 Topical Report Submittal [xx] Section 2.1 and Topical Report Appendix B Sections 3.0, 5.0, and 6.0.

Section 3.1.1.3 of the ALS Topical Report Submittal [xx] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection. Section 3.2 of the ALS Topical Report Submittal [xx] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.

Section 3.4 of the ALS Topical Report Submittal [xx] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.

Section 12.1.8 of the ALS Topical Report Submittal [xx] describes the ALS platform compliance with this clause.

For both the Triconex and ALS subsystems, the platform self-tests and the application-specific test and calibration functions will be performed during the FAT to verify that the safety function is not adversely affected by performance of either built-in or application-specific test and calibration functions.

IEEE Std 7-4.3.2 Clause 5.5.2: Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. It shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration change (e.g., setpoint change).

V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the computer that is part of the safety system.

V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.

Commented [wog26]: b. service/test functions


The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition, and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS permits periodic testing during reactor power operation without initiating a protective action from the channel under test.

External hardwired switches are provided on PPS trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches is indicated through the MAS.

For both the Triconex and ALS subsystems, the platform self-tests and the application-specific test and calibration functions will be verified during the FAT to ensure that the Protection Set safety function is not adversely affected by performance of either built-in or application-specific test and calibration functions.

a) Tricon-Based PPS Equipment

Figure 4-10 in this LAR illustrates the Tricon DO loopback feature, which enables the PPS to determine if the external trip switch is open, or if the DO channel is producing an erroneous output. A PPS trouble alarm is generated if the instrument loop is not out of service and if the comparator output is true (commanding an energized output) and the de-energize-to-trip DO loopback is sensed as de-energized. A PPS failure alarm is generated if the de-energize-to-trip DO loopback is sensed as energized and the comparator output is false (commanding a de-energized output), whether or not the instrument loop is out of service.
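The two application diagnostics described on this page, the DO loopback mismatch check above (and the mismatch check introduced earlier for Figure 4-10) and the out-of-range input trouble alarm at 5 percent / 105 percent of span, written out as an added Python model. This is example code, not the LAR's or Triconex's application program; the point names, span values and the choice to treat a non-finite reading as an input failure and the 5/105 percent limits as inclusive are assumptions.

```python
"""Added example: DO loopback and input-range diagnostics as stated in the
tabletop text.  Point names, spans and sample scans are constructed."""
import math
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Alarm(Enum):
    NONE = "none"
    TROUBLE = "PPS trouble alarm"
    FAILURE = "PPS failure alarm"


@dataclass(frozen=True)
class DoPointScan:
    """One scan of a de-energize-to-trip digital output point (constructed)."""
    comparator_true: bool      # True = commanding an energized (non-trip) output
    loopback_energized: bool   # state read back through the DO loopback
    out_of_service: bool       # instrument loop is out of service (under test)


def do_loopback_alarm(scan: DoPointScan) -> Alarm:
    """Classify a scan per the Figure 4-10 rules.

    FAILURE: loopback sensed energized while the comparator commands a
             de-energized output, whether or not the loop is out of service.
             The output is not following a trip command, so it is checked first.
    TROUBLE: loop in service, comparator commanding energized, loopback sensed
             de-energized (open external trip switch or erroneous DO channel).
    NONE:    loopback agrees with the command, or the trouble condition occurs
             while the loop is deliberately out of service.
    """
    if scan.loopback_energized and not scan.comparator_true:
        return Alarm.FAILURE
    if (not scan.out_of_service and scan.comparator_true
            and not scan.loopback_energized):
        return Alarm.TROUBLE
    return Alarm.NONE


def input_range_alarm(value: float, span_low: float, span_high: float) -> bool:
    """Trouble alarm for an analog input at or beyond 5 % (low) / 105 % (high) of span.

    span_low and span_high are the 0 % and 100 % engineering values of the loop.
    A non-finite reading is treated as an input failure (assumption).
    """
    if not math.isfinite(value):
        return True
    percent_of_span = (value - span_low) / (span_high - span_low) * 100.0
    return percent_of_span <= 5.0 or percent_of_span >= 105.0


def scan_do_points(scans: Dict[str, DoPointScan]) -> Dict[str, Alarm]:
    """Run the loopback diagnostic over every DO point of one scan cycle."""
    return {name: do_loopback_alarm(scan) for name, scan in scans.items()}


# Constructed sample cycle: one healthy point, one open trip switch, one point
# whose output stays energized despite a trip command.
SAMPLE_CYCLE = {
    "DO-01": DoPointScan(comparator_true=True, loopback_energized=True, out_of_service=False),
    "DO-02": DoPointScan(comparator_true=True, loopback_energized=False, out_of_service=False),
    "DO-03": DoPointScan(comparator_true=False, loopback_energized=True, out_of_service=True),
}

if __name__ == "__main__":
    for point, alarm in scan_do_points(SAMPLE_CYCLE).items():
        print(point, alarm.value)
    print("PT span check 3 %:", input_range_alarm(3.0, 0.0, 100.0))
```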

Online testing in the Tricon is controlled by the non-safety-related MWS and by safety-related logic enabled via an external safety-related hardwired out-of-service switch.

When the out-of-service switch is activated, the safety-related logic in the associated Protection Set allows the associated instrument channel to be taken out of service while maintaining the rest of the instrument channels in the Protection Set operable; that is, an individual out-of-service switch only removes an individual instrument channel from service and no other instrument channel. If the out-of-service switch is returned to the normal position during test, the safety-related logic automatically restores the instrument channel to safety-related operation.

The test and calibration functions are initiated by the non-safety-related MWS, but are controlled by the safety-related Triconex processor application program. There is one MWS per Protection Set to ensure that a test or calibration function on one Protection Set will take place only on the Protection Set for which the action is intended, and that only one Protection Set can be affected by actions taken at any single MWS. The MWS from one Protection Set cannot communicate with any other Protection Set.

Data is allowed to be received by the safety-related Protection Set from the non-safety MWS only when the channel is out of service. The channel is taken out of service by taking multiple deliberate actions: (1) activating a hardware out-of-service switch locked in a cabinet; and (2) activating a software switch on the Workstation requiring password access. In addition, feedback is provided to the user on the MWS that the out-of-service switch for the loop to be tested has been activated. If the safety-related hardware out-of-service switch is not activated, non-safety-related actions or failures cannot adversely affect the safety-related function.
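The out-of-service interlock described in the preceding paragraphs (one MWS per Protection Set, hardware switch plus password-protected software switch, single-channel scope, automatic restoration when the switch is returned to normal), as an added Python model that is not the project's own logic. The tag names, set identifiers and the log/feedback strings are constructed for the example.

```python
"""Added example: interlock gating non-safety MWS test data into a Protection Set.
Channel names, set identifiers and messages are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Channel:
    """One instrument channel of a Protection Set (constructed model)."""
    name: str
    hw_oos_switch: bool = False        # safety-related hardwired switch, locked in a cabinet
    sw_oos_switch: bool = False        # password-protected software switch on the MWS
    test_value: Optional[float] = None # simulated input currently accepted from the MWS
    in_safety_operation: bool = True


@dataclass
class ProtectionSet:
    set_id: str
    channels: Dict[str, Channel] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add_channel(self, name: str) -> None:
        self.channels[name] = Channel(name)

    def channel_out_of_service(self, name: str) -> bool:
        """Both deliberate actions are required; the hardware switch is the safety-related gate."""
        ch = self.channels[name]
        return ch.hw_oos_switch and ch.sw_oos_switch

    def set_hw_switch(self, name: str, active: bool) -> None:
        """Operate the hardwired out-of-service switch; it affects this channel only."""
        ch = self.channels[name]
        ch.hw_oos_switch = active
        if not active:
            # Returned to normal during test: the safety-related logic restores the
            # channel automatically and drops any simulated value still applied.
            ch.test_value = None
            ch.in_safety_operation = True
            self.log.append(f"{name}: restored to safety-related operation")

    def set_sw_switch(self, name: str, active: bool, password_ok: bool) -> bool:
        """Software switch on the Workstation; requires successful password access."""
        if not password_ok:
            self.log.append(f"{name}: software switch change refused (authentication)")
            return False
        self.channels[name].sw_oos_switch = active
        return True

    def mws_feedback(self, name: str) -> str:
        """Feedback shown on the MWS for the loop to be tested."""
        active = self.channels[name].hw_oos_switch
        return "OOS switch activated" if active else "OOS switch NOT activated"

    def mws_write(self, mws_set_id: str, name: str, value: float) -> bool:
        """Accept a simulated input from the MWS only through the interlock."""
        if mws_set_id != self.set_id:          # one MWS per Protection Set
            self.log.append(f"{name}: write from MWS of {mws_set_id} rejected")
            return False
        if not self.channel_out_of_service(name):
            self.log.append(f"{name}: write rejected, channel not out of service")
            return False
        ch = self.channels[name]
        ch.test_value = value
        ch.in_safety_operation = False
        self.log.append(f"{name}: test value {value} accepted")
        return True

    def operable_channels(self) -> List[str]:
        return [n for n, c in self.channels.items() if c.in_safety_operation]


def demo() -> ProtectionSet:
    """Walk one channel through the sequence; returns the set for inspection."""
    ps = ProtectionSet("PS1")
    for n in ("PT-455", "PT-456", "PT-457"):
        ps.add_channel(n)
    ps.mws_write("PS1", "PT-455", 2250.0)                # rejected: not out of service
    ps.set_sw_switch("PT-455", True, password_ok=False)  # refused: no password access
    ps.set_sw_switch("PT-455", True, password_ok=True)
    ps.mws_write("PS1", "PT-455", 2250.0)                # rejected: hardware switch not active
    ps.set_hw_switch("PT-455", True)
    ps.mws_write("PS2", "PT-455", 2250.0)                # rejected: MWS of another Protection Set
    ps.mws_write("PS1", "PT-455", 2250.0)                # accepted
    return ps
```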

The non-safety Triconex MWS software is designed, developed and tested under the Triconex software development programs described in the Tricon V10 Topical Report Submittal [xx] to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. Triconex platform compliance with this clause is discussed in the Software Qualification Report [xx] Sections 4.0 and 8.0, the Critical Digital Review [xx] Sections 1.0, 2.0, 3.0, 4.0, and Appendix B and the Topical Report Submittal [xx] Section 2.1 and Appendix B Section 3.0.

b) FPGA-Based ALS PPS Equipment

The ALS provides test and calibration capability as described in Section 2.3.2 and Section 3 of the ALS Topical Report Submittal [xx] and Sections 10.2 and 10.3 of the ALS System Design Specification [xx].

Each Protection Set has one ASU associated with the ALS subsystems in that set. The TAB allows the non-safety-related ASU function (performed by the PPS replacement MWS) to interact with the ALS components for test and calibration only when the TAB RS485 communication switch described in Section 5.3.3 of the ALS Topical Report Submittal [xx] is closed. ALS platform compliance with this clause is discussed in Section 12.2.13.2 of the ALS Topical Report Submittal [xx].

In the PPS replacement, the MWS described in Section 4.2.4.5 of this LAR is the hardware platform on which the ASU function is implemented. The non-safety-related ASU software is designed, developed, and tested under the CSI software development program to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers.

IEEE Std 7-4.3.2 Clause 5.5.3: Computer systems can experience partial failures that can degrade the capabilities of the computer system, but may not be immediately detectable by the system. Self-diagnostics are one means that can be used to assist in detecting these failures. Fault detection and self-diagnostics requirements are addressed in this subclause.

The reliability requirements of the safety system shall be used to establish the need for self-diagnostics.

Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostics are incorporated into the system requirements, these functions shall be subject to the same V&V processes as the safety system functions.

If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Conversely, self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function. A typical set of self-diagnostic functions includes the following:

Commented [wog27]: b. service/test functions

  • Memory functionality and integrity tests (e.g., PROM checksum and RAM tests)
  • Computer system instruction set (e.g., calculation tests)
  • Computer peripheral hardware tests (e.g., watchdog timers and keyboards)
  • Computer architecture support hardware (e.g., address lines and shared memory interfaces)
  • Communication link diagnostics (e.g., CRC checks)

Infrequent communication link failures that do not result in a system failure or a lack of system functionality do not require reporting.

When self-diagnostics are applied, the following self-diagnostic features shall be incorporated into the system design:

a) Self-diagnostics during computer system startup
b) Periodic self-diagnostics while the computer system is operating
c) Self-diagnostic test failure reporting

a) Tricon-Based PPS Equipment

The Tricon is a fault-tolerant controller as described in Section 5.7 of the Triconex System Description [xx]. As such, it is designed to run continuous diagnostics to detect and mask or override faults.

Diagnostic results are available to host devices via communication modules and alarm contacts on the Main Chassis. The alarm contacts on Main Chassis Power Modules are asserted when:

1. The system configuration does not match the control program configuration
2. A Digital Output Module experiences a LOAD/FUSE error
3. A module is missing somewhere in the system
4. A Main Processor, I/O or Communication module in the Main Chassis fails
5. An I/O or Communication module in an Expansion Chassis fails
6. A Main Processor detects a system fault
7. The inter-chassis I/O bus cables are incorrectly installed, for example, the cable for Leg A is accidentally connected to Leg B
8. A Power Module fails
9. Primary power to a Power Module is lost
10. A Power Module has a Low Battery or Over Temperature warning

Extensive diagnostics validate the health of each Main Processor as well as each I/O module and communication channel. Transient faults are recorded and masked by the hardware majority voting circuit. Persistent faults are diagnosed, and the errant module is hot-replaced or operated in a fault-tolerant manner until hot replacement is completed.

Main Processor diagnostics do the following:

1. Verify fixed program memory
2. Verify the static portion of RAM
3. Test all basic processor instructions and operating modes
4. Test all basic floating point processor instructions
5. Verify the shared memory interface with each I/O communication processor and communication leg
6. Verify handshake signals and interrupt signals between the Central Processing Unit (CPU), each I/O communication processor and communication leg
7. Check each I/O communication processor and communication leg microprocessor, ROM, shared memory access and loopback of RS485 transceivers
8. Verify the TriClock interface
9. Verify the TriBUS interface

All I/O modules sustain complete, ongoing diagnostics for each leg. Failure of any diagnostic on any leg activates the module's FAULT indicator, which in turn activates the chassis alarm signal. The FAULT indicator points to a leg fault, not a module failure. The module is designed to operate properly in the presence of a single fault and may continue to operate properly with some multiple faults.

TMR Digital Input Modules with Self-Test continuously verify the ability of the Tricon to detect the transition of a normally energized circuit to the OFF state. TMR High-Density Digital Input Modules continuously verify the ability of the Tricon to detect transitions to the opposite state.

Each type of digital output module executes a particular type of Output Voter Diagnostic (OVD) for every point. In general, during OVD execution the commanded state of each point is momentarily reversed on one of the output drivers, one after another. Loopback sensing on the module allows each microprocessor to read the output value for the point to determine whether a latent fault exists within the output circuit.

A DC voltage digital output module is specifically designed to control devices which hold points in one state for long periods. The OVD strategy for a DC voltage digital output module ensures full fault coverage even if the commanded state of the points never changes. On this type of module, an output signal transition occurs during OVD execution, but is designed to be less than 2.0 milliseconds (500 microseconds is typical) and is transparent to most field devices.

The results of all diagnostic tests are available to a host device via each installed communication module. Individual diagnostic flags are asserted upon any module fault within any chassis, DO load fuse or output voter fault, printer fault, math error, scan time overrun, Tricon keyswitch out of position, host communication error, program change, and I/O point disabled.


The Tricon Planning and Installation Guide [XX] provides descriptions of the main processor and I/O module diagnostics.

b) FPGA-Based ALS PPS Equipment

As described in [the ALS Topical Report] Reference [xx], Section 3, the ALS platform incorporates advanced failure detection and isolation techniques. The operation of the system is deterministic in nature and allows the system to monitor itself in order to validate its functional performance. The ALS platform implements advanced failure detection and mitigation in the active path to avoid unintended plant events, and in the passive path to ensure inoperable systems do not remain undetected. The system utilizes logic to perform distributed control where no single failure results in an erroneous plant event while maintaining the ability to perform its intended safety function.

The ALS platform incorporates self-diagnostics, application-specific diagnostics and self-test features into the input boards, bus communications, CLBs, and output boards.

In addition, system-level diagnostics are incorporated, divided into four categories: fatal, vital, non-vital, and undetectable, as described in [the ALS Topical Report] Reference [xx] Section 3.1.1.

IEEE Standard 7-4.3.2 Clauses 5.4.1 and 5.4.2 address computer system testing and qualification of existing commercial computers, respectively.

Note: IEEE Std 603, Clauses 5.8.1 and 5.8.4 need not be addressed in accordance with the AR process that states, "If the design affects indications used by the operator for manual control, the LAR should describe how those modifications affect the ability of the operator to implement manual actions, in accordance with IEEE Std 603, Clause 5.8.1." AND "If the design affects indications used by the operator for manual control, the status indications, or the bypassed indications, the LAR should describe how the modifications support the ability of the operator to use the indications, in accordance with IEEE Std 603, Clause 5.8.4."

IEEE Std 603, Clause 5.8.2: System Status Indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.

The display instrumentation that indicates and identifies protective actions of the sense and command features and execute features is unchanged by the PPS replacement. This instrumentation is primarily associated with inputs and outputs of the SSPS, which is not affected by the PPS replacement. In addition, the status of all actuated components is indicated on the control boards together with the control switches that are provided for the individual components.

Commented [wog28]: Tabletop not addressing clauses 5.8.1 and 5.8.4 because the DCPP LAR did not change the indications used by operators for manual control.

Commented [wog29]: ISG AR states, "The LAR should describe the interface and controls associated with status indication and bypass indication, in accordance with IEEE Std 603, Clauses 5.8.2, 5.8.3, 5.8.3.1, 5.8.3.2, and 5.8.3.3."


A bistable status light panel on the Control Board provides bistable monitoring information in the Control Room. A "postage stamp" indicator lamp on the panel illuminates to indicate that a protection channel has been activated. This panel is part of the SSPS and is not affected by the PPS replacement.

Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.

a) Tricon-Based PPS Equipment

Triconex PPS replacement application details are provided in the Triconex Software Requirements Specification (SRS) [xx]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [xx] Section 2.1 and the Triconex DI&C 02 and 04 Compliance Report [xx] Section 3.0.

b) FPGA-Based ALS PPS Equipment

ALS application details are provided in the DCPP System Design Specification [xx] Section 5.3.3.4 and the ALS102 FPGA Requirements Specification [xx]. The ALS Topical Report Submittal [xx] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2.

IEEE Std 603, Clause 5.8.3: If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

PPS Replacement FRS [xx] paragraph 3.2.1.3.3 requires status indication signals that satisfy the requirements of RG 1.47 [xx] be provided to the control room from each Protection Set for indication that a protection channel has been placed in an inoperable condition (e.g., bypassed).

Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.

a) Tricon-Based PPS Equipment

Triconex PPS replacement application details are provided in the Triconex SRS [xx]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [xx] Section 2.1 and the Triconex DI&C 02 and 04 Compliance Report [xx] Section 3.0.

b) FPGA-Based ALS PPS Equipment

ALS System Requirements Specification [xx] requires indication of partial trip output bypasses to be provided locally at the cabinet. This requirement is implemented in ALS System Design Specification [xx] Section 11.3, which requires indication that an input channel or output channel has been placed into or removed from a bypass mode or an override mode and describes means by which the information is made available for display in the control room. The ALS Topical Report Submittal [xx] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2. ALS application details are provided in the DCPP System Design Specification [xx] Section 5.3.3.4 and the ALS102 FPGA Requirements Specification [xx].

Commented [wog30]: DCPP LAR does not separately address subclauses 5.8.3.1-5.8.3.3

IEEE Std 603, Clause 5.8.3.1: This display instrumentation need not be part of the safety systems.