ML19219A143

From kanterella
Enclosure 3 - Supplemental Response to US-APWR DCD RAI No. 1097-8499 (SRP 07.01)
Person / Time
Site: 05200021
Issue date: 07/31/2019
From:
Mitsubishi Heavy Industries, Ltd
To:
Office of New Reactors
Shared Package: ML19219A187
References
UAP-HF-19002


Text

Docket No. 52-021
MHI Ref: UAP-HF-19002
Enclosure 3
Supplemental Response to US-APWR DCD RAI No. 1097-8499 (SRP 07.01)

July 2019 (Non-Proprietary)

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION
7/26/2019
US-APWR Design Certification
Mitsubishi Heavy Industries
Docket No. 52-021
RAI NO.: 1097-8499
SRP SECTION: 07.01 - Instrumentation and Controls - Introduction
APPLICATION SECTION: 07.01 - Instrumentation and Controls - Introduction
DATE OF RAI ISSUE: 8/2018
QUESTION NO.: 07.01-50 (*1) (Watchdog Timer (WDT) Clarification Question-1)

In the response to Item 3 in RAI 8499, Question 07.01-48, MHI states "The WDTs are implemented on [Field Programmable Gate Arrays (FPGAs)] which include software, therefore, the WDTs within the [Protection and Safety Monitoring System (PSMS)] are identified as the software WDTs. However, the software of the WDTs is independent of the software to perform the safety functions (the software implemented on the microprocessor of the [Central Processing Unit (CPU) Module]). Therefore, the software of the FPGA based WDTs has enough diversity from the software to perform the safety functions. Therefore, the WDTs do not fail to operate if the microprocessor based CPU Module freezes and instructions are not processed. This is in compliance with the guidance of [Standard Review Plan (SRP)] Appendix 7.1-D. There is also no possibility of a software failure causing a jump to the reset function and thereby nullifying the effectiveness of the WDTs to comply with the guidance of SRP Appendix 7.1-D."

The staff requests MHI to provide more design details on the FPGA-based WDTs, including the architecture and its interfaces to the CPU processors (including how the CPU processor retriggers the WDT). This information is necessary to support the staff's understanding of how the WDT functions to induce a fail-safe state of the PSMS.

This question was provided by the NRC in August 2018. The question number "07.01-50" is allocated by MHI.

ANSWER:

[

]


[

]


[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 8/2018
QUESTION NO.: 07.01-51 (*1) (Watchdog Timer (WDT) Clarification Question-2)

In the response to RAI 9466 (MHI believes RAI 7466 is correct), Question 07.01-46, the applicant proposed to modify Technical Report MUAP-07005-P, "Safety System Digital Platform MELTAC," to include a Section 4.1.5.7.1.2, "Behavior of safety function operation after WDT timeout." The applicant described the behavior of the controller during the normal state and the abnormal state. This proposed section states that when the processor stops operation, the WDT of the Bus Master Module is not reset and timeout occurs. After WDT timeout, the WDT outputs a fail signal to the communication controller.

After receiving the fail signal, the communication controller of the Bus Master Module stops input/output (I/O) polling. Once I/O data polling has stopped, the WDT of the digital output (DO) module is not reset and timeout occurs. Therefore the WDT in the DO Module will send a fail signal to the communication controller of the DO Module. After receiving the fail signal, the DO module switches to a fail mode and outputs a pre-determined value.
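The two-stage behaviour restated above (processor stops retriggering the Bus Master WDT; its fail signal halts I/O polling; the unpolled DO module WDT then times out and the DO module drives its pre-determined value) can be modelled as a small cycle-driven simulation. The following C program is an added illustration written for this page; it is not MELTAC or MHI code, and the timeout lengths, the tick/retrigger ordering, the latching of the fail signal and the fail-safe output value are assumptions of the model, not values from the report.

```c
/*
 * Added illustration (not MHI/MELTAC code): a cycle-driven model of the
 * two-stage watchdog cascade described in the RAI text. Timeouts, the
 * tick/kick ordering, latching and the fail-safe value are assumptions.
 */
#include <stdio.h>

#define BM_WDT_TIMEOUT   3   /* cycles the Bus Master WDT tolerates without a retrigger (assumed) */
#define DO_WDT_TIMEOUT   4   /* cycles the DO module WDT tolerates without I/O polling (assumed) */
#define OUTPUT_NORMAL    1   /* value the DO module drives while polling is healthy (assumed) */
#define OUTPUT_FAILSAFE  0   /* pre-determined fail-mode output value (assumed) */

typedef struct {
    int timeout;   /* ticks allowed since the last retrigger */
    int count;     /* ticks elapsed since the last retrigger */
    int expired;   /* latched fail signal; a later retrigger cannot clear it */
} wdt_t;

static void wdt_init(wdt_t *w, int timeout) { w->timeout = timeout; w->count = 0; w->expired = 0; }

/* One tick of the timer's own clock, independent of the monitored processor.
 * Returns 1 once the fail signal is asserted. */
static int wdt_tick(wdt_t *w) {
    if (!w->expired && ++w->count >= w->timeout) w->expired = 1;
    return w->expired;
}

/* Retrigger from the monitored party. Ignored after timeout: the fail signal latches
 * until an explicit reset, so a processor that merely resumes cannot hide the fault. */
static void wdt_kick(wdt_t *w) { if (!w->expired) w->count = 0; }

typedef struct {
    int bm_fail_cycle;   /* cycle at which the Bus Master WDT asserted fail, -1 if never */
    int do_fail_cycle;   /* cycle at which the DO module WDT asserted fail, -1 if never */
    int final_output;    /* DO output value at the end of the run */
} sim_result_t;

/* Run total_cycles cycles. The processor retriggers the Bus Master WDT every cycle
 * except in [halt_at, resume_at); halt_at < 0 means it never halts and
 * resume_at < 0 means it never resumes. */
sim_result_t simulate(int halt_at, int resume_at, int total_cycles) {
    wdt_t bm_wdt, do_wdt;
    sim_result_t r = { -1, -1, OUTPUT_NORMAL };
    wdt_init(&bm_wdt, BM_WDT_TIMEOUT);
    wdt_init(&do_wdt, DO_WDT_TIMEOUT);

    for (int cycle = 0; cycle < total_cycles; cycle++) {
        int halted = halt_at >= 0 && cycle >= halt_at && (resume_at < 0 || cycle < resume_at);

        /* Stage 1: the Bus Master WDT keeps counting whatever the processor does;
         * the processor can only retrigger it. */
        if (wdt_tick(&bm_wdt) && r.bm_fail_cycle < 0) r.bm_fail_cycle = cycle;
        if (!halted) wdt_kick(&bm_wdt);

        /* The fail signal makes the communication controller stop I/O polling. */
        int polling = !bm_wdt.expired;

        /* Stage 2: the DO module WDT is retriggered only by polling it actually receives. */
        if (wdt_tick(&do_wdt) && r.do_fail_cycle < 0) r.do_fail_cycle = cycle;
        if (polling) wdt_kick(&do_wdt);

        /* Fail mode: the DO module drives the pre-determined value. */
        r.final_output = do_wdt.expired ? OUTPUT_FAILSAFE : OUTPUT_NORMAL;
    }
    return r;
}

int main(void) {
    sim_result_t r = simulate(10, -1, 20);   /* processor halts at cycle 10 and never resumes */
    printf("Bus Master WDT fail at cycle %d, DO WDT fail at cycle %d, DO output = %d\n",
           r.bm_fail_cycle, r.do_fail_cycle, r.final_output);
    r = simulate(10, 13, 20);                /* processor resumes after the timeout has latched */
    printf("Late resume: DO output = %d (fail signal stays latched)\n", r.final_output);
    return 0;
}
```

With the assumed timeouts, a processor that stops at cycle 10 drives the Bus Master fail signal at cycle 12 and the DO module into fail mode at cycle 15, so the total time to the fail-safe output is the sum of the two timeouts and is fixed by the timers, not by any software on the halted processor. The model also shows why the second stage matters: the DO module needs no message from the CPU to fail safe, only the absence of polling.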

The staff requests MHI to clarify and specify what types of signals are sent from the WDT to the communication controller (e.g. a discrete signal or a data packet).

[Sub-question NO.: W-Q-2-a] (*1)

The staff also requests MHI to clarify how the DO communication controller receives this signal (i.e. does it go to a specific memory location).

[Sub-question NO.: W-Q-2-b] (*1)

In addition, the staff requests MHI to clarify how the DO module processes this signal such that the output goes to a predetermined state. Similarly, clarify how the WDT in the Bus Master Module stops I/O data polling of the communication controller.

[Sub-question NO.: W-Q-2-c] (*1)

These questions were provided by the NRC in August 2018. The question number "07.01-51" and the sub-question numbers "W-Q-2-a, W-Q-2-b, and W-Q-2-c" are allocated by MHI.

ANSWER:

Answer to W-Q-2-a

[

]

Answer to W-Q-2-b

[

]

Answer to W-Q-2-c

[

]


[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 8/2018
QUESTION NO.: 07.01-52 (*1) (Data Communication Independence Clarification Question-1)

RAI 8499, Question 07.01-49, Item 1, requested MHI to describe the data flow from the O-VDU to the central processing unit (CPU) module within the COM and how the data is sent from the CPU Module to the designated safety controller. MHI provided an updated Figure 4.3-8 to MUAP-07005 in Attachment-2 of "MHI's Response to US-APWR DCD RAI No. 1097-8499 (SRP 07.01)" <ML16236A066>.

The staff needs additional clarification on this figure. Specifically, the staff requests MHI to provide more details between steps (h) and (i), including what information is set in the different data tables for each module.

[Sub-question NO.: C-Q-1-a] (*1)

In addition, the staff would like MHI to clarify how information such as permissive settings gets to the FROM as input to the priority logic and how the timing of changes to these settings is addressed.

[Sub-question NO.: C-Q-1-b] (*1)

(*1) MHI Note:

This question was provided by the NRC in August 2018. The question number "07.01-52" and the sub-question numbers "C-Q-1-a and C-Q-1-b" are allocated by MHI.

ANSWER:

Answer to C-Q-1-a

[

]


[

]


Answer to C-Q-1-b

[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 8/2018
QUESTION NO.: 07.01-53 (*1) (Data Communication Independence Clarification Question-2)

The staff requests MHI to clarify whether the O-VDU sends control signals to the Reactor Protection System (RPS) or whether only maintenance commands are sent (e.g. bypass, test, maintenance trip, etc.).

This question was provided by the NRC in August 2018. The question number "07.01-53" is allocated by MHI.

ANSWER:

[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 8/2018
QUESTION NO.: 07.01-54 (*1) (Data Communication Independence Clarification Question-3)

Item 4 in RAI 8499, Question 07.01-49, requested the applicant to describe the data communication or message authentication status signals exchanged between the RPS trains. The response states that the data communication or message authentication status signal indicates correctness of the data communication function and that normally this status is "OFF". If a data communication failure or a data message error is detected by the self-diagnostic function of the PSMS, the data communication or message authentication status signal is turned to "ON".

The staff requests MHI to clarify whether this is a separate message that will be sent to indicate a failure, or whether it is just a flag sent with the regular bistable output signals to indicate that the data within this message should not be used.

[Sub-question NO.: C-Q-3-a] (*1)

The staff requests MHI to clarify what self-diagnostic features will detect the failure such that the message authentication status signal will change to indicate a failed state.

[Sub-question NO.: C-Q-3-b] (*1)

This question was provided by the NRC in August 2018. The question number "07.01-54" and the sub-question numbers "C-Q-3-a and C-Q-3-b" are allocated by MHI.

ANSWER:

Answer to C-Q-3-a

[

]

[

]

Answer to C-Q-3-b

[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 1/2019
QUESTION NO.: 07.01-55 (*1) (Additional Question-1 relative to WDT Clarification Question-1/2 "Question NO.: 07.01-50 and 07.01-51")

Provide architectural diagrams of the WDT. Also, if the FPGA-based WDT runs a state machine, please show the state-machine diagram.

This question was provided by the NRC in January 2019. The question number "07.01-55" is allocated by MHI.

ANSWER:

[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 1/2019
QUESTION NO.: 07.01-56 (*1) (Additional Question-2 relative to WDT Clarification Question-1/2 "Question NO.: 07.01-50 and 07.01-51")

Relative to the WDT Questions 1 and 2 ("Question NO.: 07.01-50 and 07.01-51") and the diagram provided in Attachment 1, it is still not clear how the WDTs all function together, and how the WDT timeout function and the fail-safe output it generates, which is received by the various modules, are independent from both the basic and the application software.

This question was provided by the NRC in January 2019. The question number "07.01-56" is allocated by MHI.

ANSWER:

[

]


[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 1/2019
QUESTION NO.: 07.01-57 (*1) (Additional Question-3)

Relative to the timing analysis performed for operating MSIVs using the O-VDU versus only the S-VDU in Appendix I of MUAP-07004-P, [

] However, in the response to RAI 992-6999, Question 07.09-26, the applicant stated that the results of the timing analysis show that the time required to complete these actions is reduced

[ ] using only O-VDUs for both safety-related and non-safety monitoring and controls, compared to using both O-VDUs and S-VDUs. The staff requests MHI to explain where the claim of an almost half-time reduction comes from.

This question was provided by the NRC in January 2019. The question number "07.01-57" is allocated by MHI.

ANSWER:

[

]

As shown in Appendix I of MUAP-07004-P, display navigation and hyperlinks between the CBP (computer based procedure) and the O-VDUs contribute to the reduction of the operator's tasks (for S-VDU operations, operators have to navigate each train's S-VDU display).

This task efficiency, supported by computer aided operator support functions such as the display navigation function, contributes to avoiding potential human error and reducing workload.

Table 1-1 Comparison of Sequential Time Line of Actions between O-VDU Operations and S-VDU Operations (Sheet 5 of 5)

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 3/2019
QUESTION NO.: 07.01-58 (*1) (Additional Question-4 relative to WDT Clarification Question-1/2 "Question NO.: 07.01-50 and 07.01-51")

Explain how the safety analysis is affected if an incorrect WDT timeout value is set from the processor software of the CPU Module.

This question was provided by the NRC during the public meeting (ML19053A792) held on March 5, 2019. The question number "07.01-58" is allocated by MHI.

ANSWER:

[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 1/2019
QUESTION NO.: 07.01-59 (*1) (Additional Question-5 relative to WDT Clarification Question-1/2 "Question NO.: 07.01-50 and 07.01-51")

Explain how the WDT is independent from the software that performs the safety functions on the microprocessor of the CPU Module.

This question was provided by the NRC during the public meeting (ML19053A792) held on March 5, 2019. The question number "07.01-59" is allocated by MHI.

ANSWER:

[

]


[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI NO.: 1097-8499, SRP SECTION 07.01)
DATE OF RAI ISSUE: 1/2019
QUESTION NO.: 07.01-60 (*1) (Additional Question-6 relative to WDT Clarification Question-1/2 "Question NO.: 07.01-50 and 07.01-51")

Explain whether it is possible to detect an incorrect fail-safe value set due to unexpected behavior of the software that performs the safety function on the CPU Module, caused by a hardware failure.

This question was provided by the NRC during the public meeting (ML19053A792) held on March 5, 2019. The question number "07.01-60" is allocated by MHI.

ANSWER:

[

]

Impact on DCD
There is no impact on the DCD.

Impact on COLA
There is no impact on the COLA.

Impact on PRA
There is no impact on the PRA.

Impact on Technical/Topical Report
There is no impact on the Technical/Topical Report.

ATTACHMENT-1: RESPONSE TO RAI 1097-8499 QUESTION NO. 07.01-50/51/56 (1/2)

Figure A-1-1: The System Architecture of WDT Function (Supplemental Information of Figure 4.1-21 of MUAP-07005-P Rev.10 Markup)

RESPONSE TO RAI 1097-8499 QUESTION NO. 07.01-50/51/56 (2/2)

[

]

ATTACHMENT-2: RESPONSE TO RAI 1097-8499 QUESTION NO. 07.01-52 (1/1)

Figure A-2-1: Processing by the Control Network I/F Module in the Receiving Process

ATTACHMENT-3: RESPONSE TO RAI 1097-8499 QUESTION NO. 07.01-52 (1/1)

Figure A-3-1: Processing by the CPU Module in the Receiving Process from the Control Network

ATTACHMENT-4: RESPONSE TO RAI 1097-8499 QUESTION NO. 07.01-53 (1/1)

Table A-4-1: Manual Command Signals from O-VDU to PSMS

Attachment-12 to Amended Response to RAI 1076-7368 (2/2)

7. INSTRUMENTATION AND CONTROLS - US-APWR Design Control Document

Table 7.7-6 Manual command signals from O-VDU to PSMS (DCD markup page; margin annotation in the scan reads "DCO 07Q9. 27S01")

The scanned markup table is only partly legible. Cells that could not be read are marked [illegible]; a fifth column, "Signal Command ... from S-VDU (Safety-Related System)", is illegible in every row and is omitted.

Manual Command | Description of Manual Command | Permissive Required | Receiving System
Bypass and Reset | Bypass command for operating bypass | Required | RPS-A/B/C/D
Bypass and Reset | Bypass command for maintenance bypass | Required | RPS-A/B/C/D
Exclusion and [illegible] | Command to exclude [illegible] and failed sensors for the average calculation of core exit temperature | Required | [illegible]
Block and Reset | Command to block shunt trip function of the [illegible] reactor trip breaker (via COM) | Required | RPS-A/B/C/D
Interlock Bypass | Command to bypass [illegible] safety-related signal for component level control | Required | [illegible]
Stop Lock | Lock command for pump | Required | SLS-A/B/C/D
[illegible] Lock | Lock command for [illegible] heater/breaker (via COM) | Required | SLS-A/B/C/D
[illegible] Lock | Lock command for valve | Required | SLS-A/B/C/D
Reset (Block) | Reset (block) command of reactor trip or ESF actuation | Required | RPS/ESFAS-A/B/C/D
Maintenance Trip | Command to set bistable with partial trip state | Not Required | [illegible]
Reactor trip or ESF actuation | Command to initiate reactor trip or ESF actuation (via COM) | Not Required | RPS/ESFAS-A/B/C/D
[illegible] | Operation command for pump | Not Required | SLS-A/B/C/D
[illegible] | Operation command for heater/breaker | Not Required | SLS-A/B/C/D
Open / Open Permission / Close | Operation command for valve | Not Required | SLS-A/B/C/D
Auto | Operation command to enable automatic signals | Not Required | SLS-A/B/C/D
Mode Select | Operation command to transfer control mode (via COM) | Not Required | SLS-A/B/C/D

Tier 2 7.7-28 Revision 4

ATTACHMENT-5: RESPONSE TO RAI 1097-8499 QUESTION NO. 07.01-55 (1/1)

Figure A-5-1: Architectural diagram of the WDT

Explanation of each block

[

]