ML19259A866

From kanterella
Final Version of Fifth Transmittal to Application of Defense in Depth Principle to Reactor Instrumentation Sys.This Version Contains Changes to Hardware & Software & Clarification of Derived Variable Calculator
ML19259A866
Person / Time
Site: 05000572
Issue date: 10/04/1978
From: Gallagher J
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Joyce J
Office of Nuclear Reactor Regulation
References
NUDOCS 7901110103
Download: ML19259A866 (11)


Text

THIS DOCUMENT CONTAINS POOR QUALITY PAGES

TO: J. Joyce - NRC/Division of System Safety, Instrumentation & Control Systems Branch
FROM: Westinghouse NES
October 2, 1978 (Rewrite of 5th Transmittal)
October 4, 1978 (Final Version of 5th Transmittal)

APPLICATION OF DEFENSE IN DEPTH PRINCIPLE TO REACTOR INSTRUMENTATION SYSTEMS

1.0 As a consequence of the review of the RESAR-414 Integrated Protection System, the NRC has identified the need for additional criteria for separation and diversity of Instrumentation Systems to support the principle of defense-in-depth. This transmittal presents our comments on the proposed criteria supplied by the NRC at the meeting of September 26th. The comments are provided in the form of a rewrite of the NRC criteria and as such do not constitute an agreement on the part of Westinghouse that the criteria are either necessary or that they represent final criteria for separation and diversity of instrumentation and control for the design of the RESAR 414 Integrated Protection System.

These criteria are tentative with regard to the 414 IPS design. They are based on discussions between Westinghouse and the NRC which were limited to the 414 IPS design and in many cases are formulations of design practices employed in some part by Westinghouse in the development of that design. Neither Westinghouse nor the NRC has performed the detailed analysis necessary to convert these design practices into general design criteria for a distributed digital processing system.

Furthermore, very little work has been done to test these criteria against existing designs by Westinghouse or by other vendors.

The tentative criteria contained in this document are based upon a few key assumptions that must be understood and agreed on as part of the process of developing the criteria.

1. These criteria are limited to defense-in-depth considerations which deal with interdependence between control and reactor trip and interdependence between control and engineered safety features.
2. The approach to design and analysis documented in WCAP-7306 is acceptable for RESAR-414 for interdependence between control and reactor trip and for interdependence between control and ESF. The acceptance criteria for the diverse (backup) protective actions are less restrictive than those for the primary protection actions and shall be bounded by 10CFR100 on a best estimate basis. In this regard the probability of CMF's is considered to be lower than the probability for failures which establish the requirement for the primary protective actions.
3. The consideration of CMF's as addressed by these criteria is based on CMF's associated with system design and operation errors. Components (both hardware and software components) are not considered a credible cause for interdependence between the three echelons of defense because they can be adequately dealt with by design verification and qualification testing programs. For example, the use of shared memory is permitted provided the verification program results are acceptable.


4. Manual actuation of protective functions is acceptable as a backup to automatic actuation provided the manual actuations meet specific established criteria.
5. Interdependence between reactor trip and ESF is outside the scope of this review of RESAR 414 because this is identical to the ATWT issue which is being treated as a separate generic issue.

NOTE: This final version (10/4/78) contains changes to the rewrite version of 10/2/78 in the following areas:

1) Delete "hardware and software" in Paragraphs 3.2b, 3.3.5, 3.4, and 3.6.4.
2) Modification to paragraph 3.3.3, third sentence, which states the dependence of outputs on inputs for failures in inputs.
3) Clarification of derived variable calculator - paragraph 2.1.2.


APPLICATION OF DEFENSE-IN-DEPTH PRINCIPLE TO NUCLEAR POWER PLANT INSTRUMENTATION AND CONTROLS

2.0 The Instrumentation and Control System Definition

The Instrumentation and Control Systems can be considered to consist of three sequential systems. These are the Sense System, the Command System and the Execute System (See Figure 1).

2.1 Sense System

That portion of the instrumentation and control system which transduces process parameters into electrical signals suitable for use by the command system.

The signals processed by the sense system may be representations of continuous variables or discrete state variables. Further, there are two classes of signals defined in the sense system: directly measured variable signals and derived variable signals. The latter are signals which represent operations on one or more measured variable signals to create a signal that represents a process parameter that cannot be measured directly.

2.1.1 Measured Variable Conditioner

A collection of equipment, including the sensor, which transduces process parameters into measured variable signals suitable for use in the Derived Variable Calculators and/or command system.

2.1.2 Derived Variable Calculator

A collection of equipment that operates on one or more measured variable signals to produce one or more derived variable signals for use in the command system. These signals represent process parameters which cannot be practically measured directly. A derived variable calculator may have several outputs which are functionally different.

2.2 Command System

That portion of the instrumentation and control system which operates on inputs from the sense system to generate outputs to the execute system. The command system consists of three sub-systems: Control, Reactor Trip and ESF.

2.3 Execute System

The electrical and mechanical equipment that performs a function upon the receipt of a signal from the command system. The execute system is outside the purview of this document.

Figure 1. Instrumentation and Control Systems: Sense System, Command System and Execute System (figure not reproduced in the text)

3.0 Criteria for Defense in Depth

3.1 Criterion 1. General Separation Requirements

The Command System of the Instrumentation & Control System shall be separated into three subsystems, which comprise the three echelons of defense established by the principle of defense in depth: control, reactor trip, and ESF. Except as provided in Criteria 2, 3 and [illegible], no electrical or signal interconnections are permitted among the three subsystems. The NSSS Safety System elements in terms of these three subsystems are shown in Figure 2.

3.2 Criterion 2. Requirement on Functional Interconnections

Interconnections among the three subsystems where coordination of functions is required, e.g., reactor trip on safety injection actuation, are permitted provided that:

a) Each interconnection shall be reviewed for its safety significance, taking into account CMF as well as single failures, and
b) Each interconnection is designed so that no credible failure in one subsystem can impair the functions in the other subsystem which are not related to that interconnection.

3.3 Criterion 3. Signals Used in More Than One Subsystem (Signal Diversity)

It will be permissible to share the signal from a measured variable conditioner or derived variable calculator to provide inputs to more than one of the subsystems, provided that the following requirements are met:

3.3.1 For each safety function which uses a shared signal there shall be signal diversity for the cases defined in Criterion 5.

3.3.2 The safety functions to which 3.3.1 applies are given by the list of anticipated operating occurrences and accidents in RESAR 414, Amendment 12, Table 031.31-1.

3.3.3 The signal from one or more measured variable conditioners may be operated on by a derived variable calculator before being divided to provide inputs to the separate subsystems. The derived variable calculator may receive signals from several measured variable conditioners and may include facilities for calibration or function generation but may not receive signals from other sources to carry out its function. Failure of any input to the DVC shall cause failure of all outputs of the DVC which are functionally dependent on that input unless special provisions are made to identify the failure (external to the derived variable calculator) and take a safe corrective action (external to the derived variable calculator).
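As an added illustration, not part of the transmittal, of the failure-dependence rule in 3.3.3 and the signal sharing of 3.3: a small Python model of a derived variable calculator whose outputs fail whenever a measured input they depend on fails, while identification of the failure is left to logic outside the calculator. The signal names (t_hot, t_cold, p_przr) and the derived functions are constructed for the example only.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Mapping, Set, Tuple


@dataclass(frozen=True)
class Signal:
    """A measured or derived variable signal together with its validity status."""
    value: float
    valid: bool = True


@dataclass
class DerivedVariableCalculator:
    """DVC model: operates only on measured variable conditioner signals (3.3.3)."""
    # derived output name -> (measured inputs it depends on, function of those inputs)
    outputs: Dict[str, Tuple[Set[str], Callable[..., float]]] = field(default_factory=dict)

    def add_output(self, name: str, inputs: Set[str], fn: Callable[..., float]) -> None:
        self.outputs[name] = (set(inputs), fn)

    def compute(self, measured: Mapping[str, Signal]) -> Dict[str, Signal]:
        """Compute every derived output from the measured signals.

        A failed (invalid or missing) input fails every output that is
        functionally dependent on it; outputs that do not use it stay valid.
        """
        derived: Dict[str, Signal] = {}
        for name, (deps, fn) in self.outputs.items():
            if any(d not in measured or not measured[d].valid for d in deps):
                derived[name] = Signal(value=float("nan"), valid=False)
            else:
                derived[name] = Signal(value=fn(**{d: measured[d].value for d in deps}))
        return derived


def share(derived: Mapping[str, Signal], subsystems: List[str]) -> Dict[str, Dict[str, Signal]]:
    """Divide the DVC outputs to each command subsystem; every copy carries the same validity."""
    return {s: dict(derived) for s in subsystems}


def failed_outputs(derived: Mapping[str, Signal]) -> List[str]:
    """Identify failed outputs; this check sits outside the DVC, as 3.3.3 requires."""
    return sorted(name for name, sig in derived.items() if not sig.valid)


def build_example_dvc() -> DerivedVariableCalculator:
    """Constructed sample DVC; signal names and functions are illustrative only."""
    dvc = DerivedVariableCalculator()
    dvc.add_output("delta_t", {"t_hot", "t_cold"}, lambda t_hot, t_cold: t_hot - t_cold)
    dvc.add_output("t_avg", {"t_hot", "t_cold"}, lambda t_hot, t_cold: (t_hot + t_cold) / 2)
    dvc.add_output("p_scaled", {"p_przr"}, lambda p_przr: p_przr / 10.0)  # placeholder function
    return dvc
```

With t_hot marked invalid, delta_t and t_avg are reported failed to every subsystem that shares them, while p_scaled, which does not depend on t_hot, remains valid.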

Figure 2. Instrumentation and Control Systems in terms of Sense, Command and Execute, showing the Integrated Control System, the Integrated Protection System and the Safety Systems (figure not reproduced in the text)

3.3.4 It must be shown that the risk of common mode failure between measured variable conditioners, derived variable calculators, and interconnecting cabling and piping for which signal diversity is claimed is acceptable. Some examples of abnormal conditions which must be considered as possible causes of common mode failure are:

a) Design or programming errors and common maintenance or modification errors, particularly in equipment of novel type.
b) High or low voltage in electrical supplies and high or low pressure in air supplies
c) High or low ambient temperatures or pressures
d) Excessive humidity, spray or flooding
e) Mechanical damage, shock or vibration

Means to show this acceptability shall include the design verification test program (for items a and b) and the equipment qualification test program (for items c, d and e).

3.3.5 The signal paths from a shared measured variable conditioner or derived variable calculator must be so designed that no credible failure downstream of the conditioners or calculators can disable the input from these conditioners or calculators to other subsystems or derived variable calculators.

3.4 Criterion 4. Information Output from Reactor Trip and ESF

Information may be transmitted from the reactor trip and ESF subsystems to the plant monitoring system, composed of the plant computer, the plant control board, and the post-accident monitoring system, which are not part of the plant protection system, but serve essential safety-related functions.

The information paths shall be isolated as required to prevent credible failures in the plant monitoring system from significantly affecting the reactor trip or ESF subsystems.

Use of the plant computer to monitor the status of the plant protection system must not reduce the reliability of the protection system, nor add significantly to the complexity of the protection system.

The design shall be such that failure in the plant monitoring system would not directly affect the operation of the reactor trip or ESF systems. The design should also address the possibility that failure or misoperation of the plant monitoring system might lead the operating staff to make adjustments in the reactor trip or ESF systems, or in plant operating parameters, that could cause plant operation outside safety limits or in violation of the limiting conditions for operation.

3.5 Criterion 5. Diversity

The requirements for diversity among subsystems are governed by the functional design and the design-basis events for which the systems must function. It must be shown (by the design verification program and equipment qualification testing) that the risk of common mode failure between identical hardware or software elements used in the three subsystems is acceptable.

3.5.1 Control-Reactor Trip

For the case where a common mode failure can result in a plant transient that requires reactor trip and at the same time impairs the ability of the protection system to provide that trip, a diverse means for trip, not subject to the same common mode failure, shall be provided.

3.5.2 Control-ESF

For the case where a common mode failure can result in a plant transient that requires ESF actuation and at the same time impairs the ability of the protection system to provide that ESF actuation, a diverse means for ESF actuation, not subject to the same common mode failure, shall be provided.

Manual actuations of ESF subsystem functions shall be acceptable as diversity provided that:

a) The postulated failure shall not defeat the capability to perform those actuations,
b) Sufficient information shall be provided, independently of the postulated failure, to the operator so that he may decide to take action, and
c) Sufficient time is available for the operator action.

3.5.3 Reactor Trip - ESF

Sufficient separation and diversity shall be provided so that ESF subsystems can be relied on to mitigate the consequences of ATWT should ATWT be determined to be a credible event.

3.6 Criterion 6. Bypasses and Testing

3.6.1 Periodic testing shall be applied to detect failures in redundant protection subsystems and components. Testing facilities shall not reduce significantly the protection system reliability or add significantly to its complexity.

3.6.2 Removal or failure of testing facilities shall not induce failure of more than one echelon of defense.

3.6.3 On-line testing, self-checking, monitoring and similar design features shall not significantly complicate the protection function.

3.6.4 Bypass facilities are required for testing and maintenance, but shall be designed so that failure of the bypassing facilities, including credible CMF's, does not induce failure of more than one echelon of defense.

J. A. Gallagher, Jr.
Consulting Engineer, Control & Electrical Systems

UNITED STATES NUCLEAR REGULATORY COMMISSION, WASHINGTON, D. C. 20555

MEMORANDUM FOR: TERA Corp.
FROM: US NRC/TIDC/Distribution Services Branch
SUBJECT: Special Document Handling Requirements

1. Please use the following special distribution list for the attached document.


2. The attached document requires the following special considerations:

Do not send oversize enclosure to the NRC PDR.
Only one oversize enclosure was received - please return for Regulatory File storage.
Proprietary information - send affidavit only to the NRC PDR.
Other: (specify)

cc: DSB Files
TIDC/DSB Authorized Signature