ML20012C394

| Field | Value |
|---|---|
| Accession number | ML20012C394 |
| Site | Prairie Island |
| Issue date | 03/13/1990 |
| From | Office of Nuclear Reactor Regulation |
| Shared package | ML20012C390 |
| References | NUDOCS 9003210188 |
ENCLOSURE 1

SUPPLEMENT TO THE SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENTS NOS. 87 AND 80 TO FACILITY OPERATING LICENSES NOS. DPR-42 AND DPR-60, NORTHERN STATES POWER COMPANY, PRAIRIE ISLAND NUCLEAR GENERATING PLANT, UNITS NOS. 1 AND 2, DOCKETS NOS. 50-282 AND 50-306
1.0 INTRODUCTION
By letter dated April 3, 1989 from Dominic C. DiIanni to D. M. Musolf, the design of the Median Signal Selector (MSS) and the ensuing Technical Specification changes were found to be acceptable by the staff. However, this acceptance was conditional in that the staff had not reviewed the verification and validation procedures that were in place for the software associated with the MSS.
In other words, the final acceptance of the MSS was contingent upon the staff finding an adequate verification and validation program in place during a forthcoming staff audit at the vendor's site.
2.0 SOFTWARE DESCRIPTION

The Westinghouse MSS is programmed using the graphics Process Control Language.
This high level language enables the programmer to use menu-driven screens and interactive editing to configure process control loops, create a data base of input/output points and display the loops as configured during operation.
The graphics language is comprised of four subsets: Data Base Generation, Standard Modulating Control, Ladder Logic Control and Customer Control Schemes.
The MSS employs signal validation for input signals in order to reduce the probability that a spurious input signal (failed sensor or surveillance test error) causes an upset in the plant. A signal validation algorithm is applied to each input, and the validation algorithms use multiple measurements of each level variable. This validation rejects a failed channel where three channels are operational, which is the normal condition for the level inputs to the MSS.
Where only two channels are available, an arbitration signal selection method is used.
If the two channels disagree significantly, then the determination as to which is correct is made by comparing them to another signal that is related to the primary measurements. The MSS is fault tolerant to any single channel failure. As a result of distributing redundant measurements across input cards, the signal validation algorithms also provide fault tolerance to an input card failure.
In the event of multiple failures, selection of the proper value cannot be assured. Therefore, the MSS has been designed to automatically switch to the manual mode if multiple failures of an input variable are detected.
This will prevent the failure from propagating to a disturbance of an output.
An alarm/annunciator is actuated if any channel failure is detected. A separate alarm/annunciator is also actuated for an automatic switch to the manual mode, which is indicative of a multiple failure.
3.0 REVIEW DISCUSSION

The primary objectives of the MSS are to eliminate the need for the low feedwater flow reactor trip and to enhance the reliability of the Feedwater Control System.
These are both accomplished by preventing a failed instrument channel from causing a control system to fail, which would initiate a planned transient that may require a protection system action.
Prairie Island and the vendor (Westinghouse) state that since no adverse control system action may now result from a single failed protection system, as would otherwise have taken place for the old design, IEEE Std 279-1971 need not be considered for the MSS design.
Because of the importance of the MSS software performing its function in the correct manner, which is to totally eliminate the control/protection system interaction concern, the staff concluded that an audit of the verification and validation process utilized by the vendor for MSS software development should be performed by the staff.
The staff performed the verification and validation audit on July 13 and 14, 1989 at the Westinghouse site.
During the staff audit of the verification and validation plan and its implementation, the advanced digital feedwater control system (ADFCS) requirements and the functional diagrams were reviewed by the staff.
The actual requirements reviewed were included with the Revision 2 version dated October, 1988.
The documents reviewed that were incorporated by the functional requirement were the following: Input Signal Validation, Feedwater Flow Controller - High/Low Power Modes, Cv Demand Calculation, Control Valve Sequencing and Tracking Logic and the Median Signal Selector Logic, Arbitrator Signal Select Logic, and the Index of Symbols for ADFCS Functional Diagrams.
The staff reviewed a process that was part of the software flow chart which was called the Configuration Certification Programs.
Configuration Certification is a formal activity devised to minimize design errors and provide an overall assurance that the specified functional requirements are implemented in the hardware and software as a system.
Configuration Certification is accomplished through:
1. software development through a structured process using documented procedures,
2. independent review of design documentation to ensure that the median signal selector functional requirements are adequately translated to support design requirement, and
3. independent testing and evaluation to demonstrate median signal document decomposed the functional requirements into detailed sub-requirements.

For each sub-requirement, a test or series of tests were identified to ensure that the specific sub-requirement was satisfied.
The median signal selector design basis was reviewed along with the software development program which included the design cycle and the maintenance cycle.
An overview of the median signal selector testing program was performed.
This overview included testing in a dynamic simulation lab, factory acceptance testing and the generic algorithm testing that was performed.
A summary of the testing discrepancies and their resolutions were presented to the staff.
The staff concluded that adequate attention and depth had been maintained during the testing and the resolution phase of the software development program.
The MSS design incorporates a self-diagnostic testing feature.
The self-diagnostics are automatically executed during normal operation of the system and do not disrupt the real time performance of the process.
The major diagnostic features are as follows:

1. if a signal is out of range the trouble alarm is actuated and the median of the three level input signals is used for control purposes.
2. the input/output cards have status lights on their card edges to aid in troubleshooting and a test card is available to provide additional diagnostics on the I/O bus controller.
3. should an active DPU failover to the backup, a trouble alarm will be generated.
The MSS is provided with the capability for on-line testing.
Signal selector testing consists of monitoring the three steam generator level input signals and the selected median signal at an engineering work station.
Comparisons for correctness can then be made.
The MSS can be tested concurrently with the protection system inputs.
As the protection system input signal is varied, that instrument channel which represents the median signal will also be altered, allowing the technician to ensure that an improper signal is not passed through the MSS.
The required frequency of testing of the MSS is identical to other control instrumentation which is every refueling outage.
However, the licensee has stated that the MSS is presently tested concurrently with the monthly required testing of the steam generator level channels.
Satisfactory results are based on observing that an intentionally failed channel is not selected by the MSS for control. The MSS function is checked for both the high and low failure of the input signal.
The staff agrees with these voluntary monthly testing actions associated with the MSS.
The staff strongly recommends that these monthly testing actions be undertaken for several cycles of operation due to the importance of the MSS design.
In addition the staff recommends that the licensee maintain a log that will list the troubles encountered during this testing period.
This log should also be used to document the changes made to the MSS during these initial cycles of operation.
This more formal means of documentation and tracking log will provide an aid for evaluating and maintaining the reliability of the MSS design.
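The three-channel selection logic described in Section 2.0 (median of validated channels, arbitration against a related signal when only two channels remain, automatic switch to manual on multiple failures, a trouble alarm on any channel failure) and the monthly check described above (an intentionally failed channel, driven high and then low, must not be selected for control) are modelled together in the following runnable Python example. This is an added example written for this page; it is not Westinghouse code and is not part of the NRC evaluation. The instrument range, the agreement band for two surviving channels, the averaging of two agreeing channels, and the related_signal input are assumptions made so that the logic can execute.

```python
"""Model of the MSS input selection and the monthly surveillance check.

Added example, not Westinghouse code and not taken from the NRC evaluation.
The evaluation states the behaviour (median of three validated level channels,
arbitration against a related signal when only two remain, automatic switch to
manual on multiple failures, trouble alarm on every channel failure). The
instrument range, the agreement band, and the averaging of two agreeing
channels are assumptions made so that the logic can run.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional

# Assumed narrow-range level instrument span, in percent.
RANGE_LOW, RANGE_HIGH = 0.0, 100.0
# Assumed band within which two surviving channels are treated as agreeing.
AGREEMENT_BAND = 5.0


@dataclass
class Selection:
    mode: str                    # "auto" or "manual"
    value: Optional[float]       # selected level, or None after a switch to manual
    alarms: List[str] = field(default_factory=list)


def channel_valid(reading: Optional[float]) -> bool:
    """A channel is rejected when it has no signal or reads outside the instrument range."""
    return reading is not None and RANGE_LOW <= reading <= RANGE_HIGH


def select_level(channels: List[Optional[float]], related_signal: float) -> Selection:
    """Select the level used for control from three channel readings.

    related_signal is a correlated measurement (an assumed input; the evaluation
    does not name it) consulted only when two surviving channels disagree.
    """
    alarms: List[str] = []
    valid = [x for x in channels if channel_valid(x)]
    failed = len(channels) - len(valid)
    if failed:
        # Any channel failure actuates the trouble alarm/annunciator.
        alarms.append(f"trouble: {failed} channel(s) failed")

    if len(valid) == 3:
        # Normal condition: the median rejects a single bad-but-in-range channel by itself.
        return Selection("auto", median(valid), alarms)

    if len(valid) == 2:
        a, b = valid
        if abs(a - b) <= AGREEMENT_BAND:
            # Assumption: agreeing channels are averaged.
            return Selection("auto", (a + b) / 2.0, alarms)
        # Arbitration: the channel closer to the related signal is taken as correct.
        chosen = min(valid, key=lambda x: abs(x - related_signal))
        alarms.append("arbitration: surviving channels disagree")
        return Selection("auto", chosen, alarms)

    # Multiple failures: the correct value cannot be assured, so control goes to
    # manual; the separate annunciator for this case is modelled as a second alarm.
    alarms.append("multiple failure: automatic switch to manual")
    return Selection("manual", None, alarms)


def surveillance_check(channels: List[float], related_signal: float, index: int) -> bool:
    """Model of the monthly check: fail one channel high, then low, and confirm the
    MSS stays in automatic and never passes the failed reading through to control."""
    for failed_reading in (RANGE_HIGH, RANGE_LOW):
        trial = list(channels)
        trial[index] = failed_reading
        result = select_level(trial, related_signal)
        if result.mode != "auto" or result.value == failed_reading:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample readings, in percent level; not plant data.
    print(select_level([50.0, 51.0, 49.0], 50.0))      # three good channels, median 50.0
    print(select_level([50.0, 70.0, None], 52.0))      # one lost, survivors disagree, arbitration
    print(select_level([None, 150.0, 50.0], 50.0))     # two failed, switch to manual
    print(surveillance_check([50.0, 51.0, 49.0], 50.0, 0))
```

The surveillance check deliberately drives the failed channel to the in-range limits rather than out of range, so that it is the median itself, not the range check, that has to reject the failed reading; this matches the evaluation's point that the MSS must not pass an improper signal through even when the channel still looks like a live instrument.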
4.0 SUMMARY

Since the MSS is within the feedwater control system, which is a non-safety-related system, the staff had concluded that the guidance provided in the American National Standard ANSI/IEEE-ANS-7.4.3.2-1982, "Application Criteria for Programmable Digital Computer System in Safety Systems of Nuclear Power Generating Stations", did not have to be followed in its entirety.
However, by employing the MSS design, the licensee was able to delete a reactor trip that had been initially placed in the Prairie Island design to ensure that IEEE 279-1971 requirements were met.
Taking this into consideration along with the relative importance of the feedwater control system that (even though it is not relied on to perform safety functions following anticipated operational occurrences or accidents) does control a plant process which has a significant impact on plant safety, the staff established a review objective.
The objective of the verification and validation audit was to confirm that there was assurance that an acceptable level of ANSI /IEEE-ANS-7.4.3.2 was followed by the licensee and the vendor.
The staff position was that verification and validation independence was not necessary, however the remaining guidance of this standard should be followed or adequate justification provided.
On the basis of our review of the interface between the MSS and the reactor protection system, the staff concludes that the system satisfies IEEE-279 with regard to control and protection system interaction.
Therefore, the staff finds that GDC 24 is satisfied.
Furthermore, the staff concludes that there was an acceptable structured and extensive verification and validation plan in place that would detect errors and oversights in the software and the plan was sufficiently broad in scope to address discrepancies that could have occurred in the design process.
The documentation reviewed was structured and provided an adequate measure of traceability.
Therefore, on the basis of our review of the software design and its verification and validation process, the staff concludes that the MSS meets an acceptable level of the guidelines provided in ANSI/IEEE-ANS-7.4.3.2 and Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants".
In summary, we conclude that the MSS meets all of the applicable guidelines and regulations and that its utilization as discussed in the previous safety evaluation is acceptable.
Therefore the staff concludes that the licensee has demonstrated an acceptable verification and validation program and the technical specification TS 2.3.A.3 (c) dealing with reactor trip initiated by "Low Steam generator water level, 15% narrow range instrument in coincidence with steam/feedwater mismatch flow 1.0 x 10 lbs/hrs" may be deleted.
The staff recommends the following:
1. The monthly testing actions proposed by the licensee and recommended by the vendor be continued for several cycles of operation.
2. The licensee should maintain a log that lists the troubles encountered during the above testing period and the modifications made to the MSS during these initial cycles. This log should be maintained by the licensee so that a basis will be provided for an ongoing evaluation of the reliability of the MSS.
5.0 ENVIRONMENTAL CONSIDERATION
Pursuant to 10 CFR 51.21, 51.32 and 51.35, an environmental assessment and finding of no significant impact was published in the Federal Register on April 3, 1989 (54 FR 13445) which is applicable to this supplement.
Accordingly, based upon the environmental assessment, the Commission has determined that issuance of this supplement to amendments Nos. 87 and 80 will not have a significant effect on the quality of the human environment.
6.0 CONCLUSION
We have concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (2) such activities will be conducted in compliance with the Commission's regulations, and the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributor: Jerry Mauck

Date: March 13, 1990