ML19127A170

From kanterella
Jump to navigation Jump to search
Safety Related UPS Replacement
ML19127A170
Person / Time
Site: Hope Creek PSEG icon.png
Issue date: 05/07/2019
From: Tekia Govan
Public Service Enterprise Group
To:
Division of Inspection and Regional Support
Govan T, 415-6197, NRR/DIRS
References
Download: ML19127A170 (16)
v  d  e


Text

Hope Creek Safety Related UPS Replacement Application of RIS 2002-22 Supplement 1 to implement Digital UPS Systems Under 10CFR50.59 NRC Public Meeting May 9, 2019

Agenda

  • Introduction
  • Purpose of meeting
  • Scope of Project
  • Qualitative Assessment Overview
  • System Architecture
  • Failure Modes and Effects
  • Design Attributes
  • Quality of the Design Process
  • Operating Experience
  • Conclusion 2

Purpose of Meeting

  • Hope Creek plans to install Ametek NDPP Class 1E digital Uninterruptible Power Supply (UPS) systems under a 10 CFR 50.59 evaluation
  • A qualitative assessment was prepared using the criteria described in Regulatory Information Summary (RIS) 2002-22 Supplement 1
  • This meeting seeks to inform NRC staff of the results of the qualitative assessment
  • Application of RIS guidance
  • Technical approach to addressing design
  • Conclusion that the likelihood of failure is sufficiently low 3

Scope of Project

  • Hope Creek has 8 safety related UPS systems in four safety channels
  • Two UPS systems per channel
  • One UPS for Bailey Logic system (Main Control Room Interface)
  • Safety Function: Supply 120VAC power to downstream loads
  • All 8 systems will be replaced with Ametek NDPP UPS systems
  • System replacement will be 1 channel (2 UPSs) per outage
  • First installation scheduled for Spring 2021 4

Qualitative Assessment Overview

  • Application of guidance under RIS 2002-22, Supplement 1
  • Qualitative assessment & failure analysis of new design
  • Review focused on digital elements of the new UPS
  • Develop application-specific Failure Modes and Effects Analysis (FMEA) for digital elements the UPS
  • Identification of design attributes that serve to prevent or limit failures
  • Assessment of software design development, life cycle and quality assurance
  • Factory visit and thread sample of design documents
  • Review of Operating Experience (OE) from non-safety installations
  • Assessment of nuclear design against non-nuclear industrial models provided by Ametek 5

System Architecture

  • Double-Conversion UPS System
  • Three inputs - Normal 480 VAC, Bypass 480 VAC, Backup 125 VDC (Batteries)
  • Single 120 VAC Output
  • Major components
  • Inverter
  • Static Switch
  • Regulating transformer (no digital content)
  • Normal 480 VAC feed transformed to 120 VAC then rectified to 125 VDC
  • 125 VDC is diode auctioneered with emergency 125 VDC from batteries
  • 125 VDC bus feeds inverter which converts to 120 VAC
  • Upon loss of inverter - static transfer switch swaps to alternate 480 VAC feed via regulating transformer 6

System Architecture 7

System Architecture 8

Failure Modes of New UPS Design

  • Single Random Hardware Failure
  • Loss of Power
  • Effects of upstream power loss are identical to existing UPS
  • Does not cause a failure of the safety function
  • Systematic Failure of All UPSs Due to a Design Defect
  • Evaluates postulated failure modes of each of the four controllers (Alarm, Rectifier, Display, Inverter)
  • Provides justification that failure modes have no effect on safety function, or are of sufficiently low likelihood
  • Determination of low likelihood based on design attributes, quality, and operating experience per Section 3 of RIS 2002-22 Supplement 1
  • Design attributes evaluated using supplemental guidance from EPRI 3002005326 - Methods for Assuring Safety and Dependability when Applying Digital Instrumentation and Control Systems 9

Failure Effects

  • Single Random Hardware Failure
  • Failure effects evaluation assumes loss of 120VAC output
  • No change to failure effects described in the UFSAR
  • Systematic Failure Due to a Design Defect
  • Common Cause Failure (CCF) likelihood determined to be sufficiently low per results of qualitative assessment
  • Worst case CCF requires unlikely sequence of events
  • Complete loss of UPS function from a CCF can only happen when the 4kV safety buses are de-energized
  • 13-second window during diesel start and load sequence after LOP
  • CCF coping ability assessed despite sufficiently low conclusion
  • Loss of output evaluated concurrent with a LOP (during 13-second diesel start time)
  • Recoverable via manual starting of EDGs 10

Design Attributes

  • Internal diversity
  • An analog circuit can force a transfer to bypass on a gross failure of the inverter
  • Limited concurrent triggers
  • Loss of upstream AC on a Loss of Offsite Power is the only identified common trigger
  • Segmentation
  • Internal communications provide functional segmentation between sub-systems
  • Safety function processor is isolated from internal communications -

complies with DI&C ISG-04 staff position 11

Design Attributes

  • Self-test and diagnostics
  • Diagnostics cover initialization data, runtime checks of program memory and RAM, and timeouts for data link activity
  • Redundant communications messages
  • Watchdog timer monitors completion of inverter control function code
  • Diverse indication of failure
  • Independent transducers monitor battery voltage, output voltage and output current, and provide alarms in the main control room
  • Extensively tested safety function processor
  • Single loop operating system w/ fixed interval interrupt routine
  • Invariant execution
  • Programmed in Assembly, during testing register values are inspected to ensure correct execution 12

Quality of the Design Process

  • Sargent & Lundy Review
  • S&L, on behalf of PSEG, performed reviews of the Ametek software development processes
  • S&L concluded that Ametek has an effective V&V process
  • Review of phase summary and discrepancy reports showed effective identification and correction of issues
  • NRC Inspection Report 99901427/2017-201 [ML17135A403]
  • Included a review of Ameteks software development lifecycle
  • Later phases were in draft status
  • Concluded lifecycle activities satisfied the regulatory requirements of Appendix B
  • No findings were identified for digital I&C design control 13

Operating Experience

  • Ametek has extensive industrial and non-1E nuclear operating history on the DPP line of products
  • Ametek service database was reviewed
  • Hope Creek and Salem operating history of the DPP inverters was reviewed
  • Zero inverter failures identified that were attributed to a software defect
  • Applicability to the NDPP
  • NDPP is an evolutionary development from the DPP industrial product line
  • Removal of external digital communications and parallel output functions
  • Addition of runtime memory diagnostics and serial link redundant messaging 14

Conclusion

  • Conclusion is that the likelihood of systematic failure due to a design defect is sufficiently low
  • Evaluated per the criteria from Section 3 of RIS 2002-22, Supplement 1
  • Reduce the likelihood of a CCF caused by an operating system defect
  • Table A33-P3 - Demonstrate that a defect will not be activated when the SSC is needed to perform its required function
  • Table A33-P1 - Minimize potential for concurrent activating conditions, demonstrate an activated defect is self-announcing, and reduce defect potential through documented software quality.
  • Reduce the likelihood of a CCF caused by data communications
  • Table A39-P4 - Reduce the likelihood of a communication interface design defect 15

Hope Creek Vital Bus Inverter Replacement Questions?

16

Retrieved from "https://kanterella.com/w/index.php?title=ML19127A170&oldid=1909569"