ML19282A826
| Field | Value |
|---|---|
| Accession number | ML19282A826 |
| Site (docket) | 05000572 |
| Issue date | 02/08/1979 |
| From | J. Joyce, Office of Nuclear Reactor Regulation |
| To | R. M. Satterfield, Office of Nuclear Reactor Regulation |
| References | NUDOCS 7903070141 |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555
MEMORANDUM FOR: R. M. Satterfield, Chief, Instrumentation and Control Systems Branch, DSS

THRU: M. Srinivasan, Section Leader, Section B, Instrumentation and Control Systems Branch, DSS

FROM: J. Joyce, Instrumentation and Control Systems Branch, DSS

SUBJECT: SUMMARY OF SEPTEMBER 11, 1978 MEETING TO DISCUSS THE ADDITIONAL REVIEW EFFORT FOR THE RESAR 414 INTEGRATED PROTECTION SYSTEM

A meeting was held with members of Westinghouse on September 11, 1978 at the Westinghouse Industry Systems Division in Pittsburgh, Pennsylvania. The purpose of the meeting was to discuss the extended review of the RESAR-414 Integrated Protection System (IPS). The attendees are listed on Enclosure 1.
The topics to be discussed at the meeting were identified as follows:

1. Westinghouse clarification of IPS architecture.
2. Westinghouse presentation of their approach to defense-in-depth in developing IPS.
3. Clarification of staff concerns regarding defense-in-depth with respect to IPS.
Westinghouse presented a revised hardware functional block diagram of the IPS. Differences between this figure and that prepared by the staff at the September 6 meeting were noted. The basic operation and functions of the IPS were described. The methods for sharing signals between scram, control and ESF functions and the development of permissives were reviewed. The interfaces provided with the main control board and for test and maintenance were described. Westinghouse noted that the operator adjustments to the IPS from the main control board were restricted to selected manual permissives and that the interactions between the operator and the IPS at the local cabinets were minimized for periodic testing due to the use of the automatic test module.
Following this, Westinghouse presented their approach to defense-in-depth for reactor instrumentation systems. This presentation is summarized as follows:
The general principle of defense in depth is to first design to prevent unwanted events from occurring; second, include systems to terminate these events should they occur; and third, include systems that will mitigate the consequences of these events.

For nuclear reactor instrumentation systems, these three principles are implemented by (1) the control and surveillance features, which are designed to prevent unwanted events; (2) the reactor trip system, which is designed to terminate unwanted events; and (3) the engineered safety features (ESF), which are designed to mitigate the consequences of unwanted events.

Westinghouse's design objective is to make each of these systems as reliable as possible. Minimizing the probability of systematic failures is an important factor in achieving highly reliable systems. Westinghouse considers three classes of systematic failures for the reactor instrumentation systems: those associated with (1) the external architecture, (2) the internal architecture, and (3) human errors.

Redundant systems are provided to minimize the probability of systematic failures in the external architecture (i.e., the single failure criterion). In addition, Westinghouse makes a special effort to simplify the external architecture interfaces required to integrate the reactor instrumentation systems with the plant systems and equipment. A factor in this approach is to minimize the extent of non-safety grade sensors and instrument piping inside the reactor containment, thus improving separation and reducing the potential adverse effects of external events on redundant instrumentation inside the containment.

The reliability of the hardware and software is the principal factor for achieving internal architecture reliability. For the IPS, the software development procedures, modularization of hardware, the asynchronous, distributed processor architecture and a hardware reliability data bank are the methods for achieving highly reliable hardware and software. Failure modes and effects analyses are also being used to evaluate internal architecture failures.

To reduce the human error potential, the IPS design minimizes the extent of operator interactions with the system. The automatic tester performs the periodic functional tests upon command. There are no special test switches or test equipment which must be connected. The bypass logic has also been automated to preclude operator error in bypassing channels or trip functions. Self-checking features are included to continuously check for hardware failures.
During the presentation the staff asked Westinghouse to identify the reliability goals which were established for the IPS and the bases which were used to determine the self-checking features to be implemented. Westinghouse responded that the IPS reliability goals were as follows:

1. Unavailability of trip for each function: 6 x 10^-6 per demand.
2. Unavailability of trip overall: 3 x 10^-7 per demand.
3. Total system maintenance: less than twice per month (i.e., 2 failures per month per four channels).

In implementing self-checking features, Westinghouse stated that functional timing requirements received first priority. Self checks were implemented so as not to affect system time response. Engineering judgement regarding which self checks seem reasonable and how much self-checking is required was also used.
Based on the information presented by Westinghouse, the staff identified several areas where additional information and evaluation would be required to determine if the IPS design was acceptable with respect to the defense-in-depth concept. These areas are summarized as follows:
1. The extent of subdivision between various IPS functions, particularly those involved in trip, control and ESF functions.
2. The extent of functional diversity.
3. Effects of multiplexor failures.
4. Sharing of common hardware and software modules.
5. The extent of channel independence.
6. The complexity and effects of on-line self-checking.
7. Effects of failures in the automatic tester.
8. The operation of the signal selector with respect to signal symmetry, potential for generating new, unbounded transients, and in transfer from 4 pump to 3 pump operation.
The meeting concluded with a review of the schedule. The staff stated that it was continuing with the development of defense-in-depth guidelines (Task 2 on the schedule reviewed at the September 6 meeting).

The staff requested that Westinghouse submit their comments on defense in depth by September 14. Based on this submittal date, the next meeting was scheduled for September 18, 1978. It was agreed that the meeting place and agenda would be developed by September 14.
J. Joyce
Instrumentation and Control Systems Branch
Division of Systems Safety
Enclosure 1: List of Attendees

Westinghouse
J. Gallagher
E. Steinheim
E. Madera
M. Hitchler
G. Remley
J. Mesmeringer
D. Call

NRC Consultants
J. B. Bullock - ORNL
J. Anderson - ORNL
E. Siddal - CANATOM

NRC
J. Joyce
L. Beltracchi
R. Frahm
R. Naventi
S. Hanauer