ML20035C603

Forwards Request for Addl Info Re Westinghouse AP600 Design. Addl Info Needed in Areas of ITAAC (Q100.9) Instrumentation & Controls (Q420.9-Q420.93) & Human Factors Engineering (Q620.51),as Result of Review of June 1992 Application
Person / Time
Site: 05200003
Issue date: 03/12/1993
From: Kenyon T
Office of Nuclear Reactor Regulation
To: Liparulo N
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
References
NUDOCS 9304080171


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

March 12, 1993

Docket No. 52-003

Mr. Nicholas J. Liparulo
Nuclear Safety and Regulatory Activities
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, Pennsylvania 15230

Dear Mr. Liparulo:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION ON THE AP600

As a result of its review of the June 1992 application for design certification of the AP600, the staff has determined that it needs additional information in order to complete its review. The additional information is needed in the areas of inspections, tests, analyses, and acceptance criteria (ITAAC) (Q100.9)*, instrumentation and controls (Q420.9-Q420.93), and human factors engineering (Q620.51).

Enclosed are the staff's questions. Please respond to this request within 120 days of the date of receipt of this letter.

You have requested that portions of the information submitted in the June 1992 application for design certification be exempt from mandatory public disclosure. While the staff has not completed its review of your request in accordance with the requirements of 10 CFR 2.790, that portion of the submitted information is being withheld from public disclosure pending the staff's final determination. The staff concludes that this request for additional information does not contain those portions of the information for which exemption is sought. However, the staff will withhold this letter from public disclosure for 30 calendar days from the date of this letter to allow Westinghouse the opportunity to verify the staff's conclusions. If, after that time, you do not request that all or portions of the information in the enclosures be withheld from public disclosure in accordance with 10 CFR 2.790, this letter will be placed in the NRC's Public Document Room.

* The numbers in parentheses designate the tracking numbers assigned to the questions.


This request for additional information affects nine or fewer respondents, and therefore is not subject to review by the Office of Management and Budget under P.L. 96-511.

If you have any questions regarding this matter, you can contact me at (301) 504-1120.

Sincerely,

(Original signed by)

Thomas J. Kenyon, Project Manager
Standardization Project Directorate
Associate Director for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc w/ enclosure: See next page

DISTRIBUTION:

  • Central File PDST R/F TMurley/FMiraglia DCrutchfield
  • PDR WTravers RBorchardt TKenyon RHasselberg GGrant, EDO JMoore, 15B18 MSiemien, 15B18 PShea TBoyce REckenrode, 10D24 JBongarra, 10024 MChiramal, 8H3 HLi, 8H3 ACRS (11) w/o encl.

OFC: LA:PDST:ADAR PM:PDST:ADAR PM:PDST:ADAR SC:PDST:ADAR
NAME: PShea TKenyon RHasselberg RBorchardt
DATE: 03/__/93 03/__/93 __/__/93 03/1_/93

OFFICIAL RECORD COPY

DOCUMENT NAME: I&C.RAI

Mr. Nicholas J. Liparulo
Westinghouse Electric Corporation
Docket No. 52-003
AP600

cc:

Mr. B. A. McIntyre, Advanced Plant Safety & Licensing, Westinghouse Electric Corporation, Energy Systems Business Unit, P.O. Box 355, Pittsburgh, Pennsylvania 15230

Mr. John C. Butler, Advanced Plant Safety & Licensing, Westinghouse Electric Corporation, Energy Systems Business Unit, Box 355, Pittsburgh, Pennsylvania 15230

Mr. M. D. Beaumont, Nuclear and Advanced Technology Division, Westinghouse Electric Corporation, One Montrose Metro, 11921 Rockville Pike, Suite 350, Rockville, Maryland 20852

Mr. Sterling Franks, U. S. Department of Energy, NE-42, Washington, D.C. 20585

Mr. S. M. Modro, EG&G Idaho Inc., Post Office Box 1625, Idaho Falls, Idaho 83415

Mr. Steve Goldberg, Budget Examiner, 725 17th Street, N.W., Room 8002, Washington, D.C. 20503

Mr. Frank A. Ross, U.S. Department of Energy, NE-42, Office of LWR Safety and Technology, 19901 Germantown Road, Germantown, Maryland 20874

REQUEST FOR ADDITIONAL INFORMATION ON THE WESTINGHOUSE AP600 DESIGN

ITAAC

100.9 The staff has conducted an initial review of the inspections, tests, analyses, and acceptance criteria (ITAAC) submitted by letter dated December 15, 1992. 10 CFR 52.47(a)(1)(vi) requires that the applicant submit proposed ITAAC, which are necessary and sufficient to provide reasonable assurance that, if the ITAAC are performed and the acceptance criteria met, a plant that references the design will be built and operated in accordance with the design certification. Westinghouse has proposed that only 40 systems out of the total number of systems in the design require ITAAC and, therefore, treatment as certified design material. Provide the rationale and criteria for selection of these systems, and describe how this proposal meets the requirements of 10 CFR 52.47(a)(1)(vi).

Instrumentation and Controls

420.9 Section 7.1.6 of the SSAR references IEEE Standards 279, 384, 603, and 796 for the design of the AP600 instrumentation and control systems. These standards are hardware-related. There is no reference to software-related standards. Provide a discussion on conformance of the AP600 design to each of the following standards:

a. IEEE Standard C63.12-1987 (ANSI), "American National Standard for Electromagnetic Compatibility Limits - Recommended Practice."
b. MIL-STD-461C (1987), "Electromagnetic Emission and Susceptibility Requirements for the Control of Electromagnetic Interference."
c. MIL-STD-462 (1967), "Measurement of Electromagnetic Interference Characteristics."
d. IEC Publication 801-2, "Electromagnetic Compatibility for Industrial-Process Measurement and Control Equipment, Part 2: Electrostatic Discharge Requirements."
e. IEEE Standard C62.1-1984, on impulse voltage.
f. IEEE Standard C62.41-1980 (ANSI), "Guide for Surge Voltages in Low-Voltage AC Power Circuits."
g. IEEE Standard C62.45-1987 (ANSI), "Guide on Surge Testing for Equipment Connected to Low-Voltage AC Power Circuits."
h. IEEE Standard 587, on surge protection.
i. IEEE Standard 730.1-1989 (ANSI), "Software Quality Assurance Plans."
j. IEEE Standard 828-1990, "Software Configuration Management Plans."
k. IEEE Standard 829-1991, "Software Test Documentation."
l. IEEE Standard 830-1984 (ANSI), "Software Requirements Specifications."
m. IEEE Standard 983-1986 (ANSI), "Software Quality Assurance Planning."
n. IEEE Standard 1012-1986 (ANSI), "Software Verification and Validation Plans."
o. IEEE Standard 1016.1-1987 (ANSI), "Software Design Descriptions."
p. IEEE Standard 1028-1988 (ANSI), "Software Reviews and Audits."
q. IEEE Standard 1042-1987 (ANSI), "Software Configuration Management."
r. IEC (International Electrotechnical Commission) 880-1986, "Software for Computers in the Safety Systems of Nuclear Power Stations."
s. ANSI ASC X3T9.5-1988, "Fiber Distributed Data Interface (FDDI)."
t. IEEE Standard 802.5-1985, "Token Ring Access Method and Physical Layer Specifications."
u. ISO 7498-1984, "Open System Interconnection - Basic Reference Model."
v. IEEE Standard 802.2-1985, "Standard for Local Area Networks: Logical Link Control."

420.10 Electromagnetic interference (EMI)/radio frequency interference (RFI), including surge and electrostatic discharge, is an issue applicable to safety-related digital system design. Provide a discussion describing how the AP600 design conforms to the following standards and guidance (the response need not be limited to these items) (Section 1.8):

a. MIL-STD-461(A,B,C), "Electromagnetic Emission and Susceptibility Requirements for the Control of Electromagnetic Interference."
b. MIL-STD-462, "Electromagnetic Interference Characteristics Measurement."
c. MIL-STD-1399, "Interface Standard for Shipboard Systems, DC Magnetic Field Environment."
d. SAMA PMC 33.1-1978, "Electromagnetic Susceptibility of Process Control Instrumentation."
e. NRC Information Notice IN 83-83, "Use of Portable Radio Transmitters Inside Nuclear Power Plants."
f. NUREG/CR-3270, "Investigation of Electromagnetic Interference (EMI) Levels in Commercial Nuclear Power Plants."
g. ANSI/IEEE Standard C37.90.1-1989, "IEEE Standard Surge Withstand Capability Tests for Protective Relays and Relay Systems."
h. ANSI/IEEE Standard C37.90.2-1987, "IEEE Trial Use Standard Withstand Capability of Relay Systems to Radiated Electromagnetic Interference from Transceivers."
i. IEC Standard 801-1, "Electromagnetic Compatibility for Industrial-Process Measurement and Control Equipment - General Introduction."
j. IEC Standard 801-3, "Electromagnetic Compatibility for Industrial-Process Measurement and Control Equipment - Radiated Electromagnetic Field Measurement."
k. IEC Standard 801-4, "Electromagnetic Compatibility for Industrial-Process Measurement and Control Equipment - Electrical Fast Transient/Burst Requirements."
l. IEEE Standard 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations."
m. IEEE Standard 572-1985, "IEEE Standard for Qualification of Class 1E Connection Assemblies for Nuclear Power Generating Stations."
n. IEEE Standard 518-1982, "IEEE Guide for the Installation of Electrical Equipment to Minimize Electrical Noise Inputs to Controllers from External Sources."
o. IEC Standard 801-2, "EMC for Industrial-Process Measurement and Control Equipment, Part 2: Electrostatic Discharge Requirements."

420.11 Using a block diagram similar to Figure 7.1-13 of the SSAR, describe the operation of the protection and safety monitoring system for a loss of feedwater event. The description should trace the transmission of the initiating signals from the sensors through the integrated protection cabinets, the engineered safety features actuation cabinets, and the monitoring and controls at the control room workstation to the actuated devices. The diagram should include all major components such as the sensors, the signal conditioners, the isolation devices, the multiplexers, the data buses, the indicators, and the protection cabinets, through to the final passive residual heat removal system valves. The diagram should show all channels, components, and interfaces. (Section 7.1.1)

420.12 Clarify the statement in Section 7.1.1 of the SSAR that "the protection logic cabinets provide the capability for on-off control of individual plant loads." Is the plant control system performing automatic load control? What is the interface between the protection logic and the plant control systems?

420.13 Clarify the statement in Section 7.1.1 of the SSAR that "the integrated control cabinets and the control logic cabinets perform similar functions to the integrated protection cabinets and the protection logic cabinets." Identify the differences in design, qualification, channel separation, software priority, and physical arrangement between the integrated protection system and the integrated control system.

420.14 Clarify the statement in Section 7.1.1 of the SSAR that "the control room is implemented as a set of compact operator consoles featuring color graphic displays and soft control input device." Figure 7.1-1 of the SSAR does not show the control switches. Describe the manual control signal transmission paths from the main control room to the redundant engineered-safety-feature-actuated devices. Use block diagram-type information to illustrate the signal paths from redundant workstations through the engineered safety features actuation subsystem, the communication subsystem, and the multiplexer/de-multiplexer devices. The staff is interested in the interface arrangement between two workstations, and the signal from the integrated protection system to redundant ESF divisions (see also Q420.11). List all hard-wired control circuits available in the AP600 design.

420.15 Describe the design features of the graphic displays on the workstation. The description should include but not be limited to a comparison to the EPRI M-MIS requirements (Section 7.1.1).

420.16 Describe the design features of the advanced alarm system. The description should include but not be limited to a comparison to the EPRI M-MIS requirements (Section 7.1.1).

420.17 Section 7.1.1 states that "there are six sets of systems enclosed by the dotted line boxes (of Figure 7.1-1)." However, there are only 5 systems described in Section 7.1.1. Provide a discussion on the Special Monitoring System.

420.18 Section 7.1.2 references the IEEE Standard 796-1983 "IEEE Microcomputer System Bus" for the design of the data highway system of the protection and safety monitoring system. IEEE Standard 796-1983 has not been referenced in the previously docketed nuclear plant instrumentation and control systems design. Identify the key features of this standard and describe these key features with respect to the requirements of IEEE Standards 279-1971 and 603-1980, which are the regulatory bases for the protection systems. The key features should include but not be limited to the following (Section 7.1.2):

  • single failure criterion
  • channel independence
  • testability
  • reliability
  • quality of components and modules
  • channel bypass or removal from operation
  • system repair
  • isolation devices
  • single random failure
  • multiple failures resulting from a credible single event
  • information read-out

420.19 An assessment of IEEE Standard 796-1983 "IEEE Microprocessor System Bus," was performed by the Lawrence Livermore National Laboratory (LLNL) for the NRC. A draft technical report is attached with this request for additional information (RAI). Address the following concerns that are raised by the LLNL report (Section 7.1.2):

a. The bus design described by IEEE Standard 796-1983 is based on an 18-year-old design standard. Its computational capability is limited (1-4 million bus cycles per second). Replacement parts availability is also a concern.
b. The bus design described by IEEE Standard 796-1983 is sensitive to external noise and should be used in well-shielded enclosures with well-shielded power supplies only.
c. Applications should be certified only for specific computer or computer-related PCBs located in specific slots. Addition or relocation of PCBs in board cage slots will require recertification.
d. The bus design described by IEEE Standard 796-1983 has minimum support for multiprocessing applications, and the software bears the burden for ensuring correct system synchronization. This requires highly skilled programmers and is difficult to do correctly. Software errors in this area may result in common-mode failures extending over multiple systems.
e. The bus width and address space limitation posed by IEEE Standard 796-1983 cause additional software complexity.
f. The bus described by IEEE Standard 796-1983 starts from the least-significant byte first. Bit ordering would be a concern if processors of different bit order were intermixed on the bus.
g. Potential for conflict exists if PCBs are configured for incompatible bus master exchanges. If a bus priority arbiter is used, it represents a single point of failure for the system.
h. There are three opportunities for PCB configuration error in interrupt sequence settings.
i. The lack of transmission line termination in the IEEE Standard 796 bus specification contributes to a delay in settling time.
j. The bus described by IEEE Standard 796-1983 uses obsolete integrated circuit technology (TTL) and was designed at a time when transmission line theory was not being applied to microprocessor bus design.
k. The bus described by IEEE Standard 796-1983 uses two obsolete connectors. Edge connectors are more susceptible to contamination and mis-insertion than the two-part connectors for modern buses.
l. The bus described by IEEE Standard 796-1983 has no parity or error correction.

420.20 Describe the electromagnetic interference (EMI) protection for the digital instrumentation and control system throughout the plant. The description should not be limited only to the protection cabinets (Section 7.1.1).

420.21 Section 7.1.2.2.1 of the SSAR states that the reactor trip function is divided into two functionally diverse subsystems for accident protection. Is the Reactor Trip Group 1 Subsystem always backup to the Reactor Trip Group 2 Subsystem, or vice versa? Are they sharing the same hardware within each cabinet? What is the significance of the diverse subsystems with respect to the "partial trip" and "global trip" arrangement? There appear to be discrepancies between Section 7.1.2.2.1 of the SSAR and Section 4.1.2 of WCAP-13382 on subsystem lists for group 1 and group 2. Is the pressurizer level in group 1 or group 2? Should the "low power range neutron flux" be "high power range flux low setpoint"? Correct these inconsistencies.

420.22 The definition of the "IEEE Standard 796 Bus" shown in the Chapter 7 figures is not clear. In accordance with IEEE Standard 796, signals transferred over the bus have 5 classes (Section 7.1.2):

  • control lines
  • address and inhibit lines
  • data lines
  • interrupt lines
  • bus exchange lines

Figures 7.1-3, 7.1-4, 7.1-5, 7.1-7, 7.1-8, 7.1-9, 7.1-11, and 7.1-12 of the SSAR all have the IEEE Standard 796 bus interfacing with various components. How is the bus function determined?

420.23 What is the design basis for the AP600 "monitor bus"? Provide a reference to an industrial standard that the AP600 monitor bus design will follow (Section 7.1.2).

420.24 Describe the level measurement arrangements for the pressurizer water level, the steam generator water level (narrow and wide range), and hot leg water level. Address concerns related to potential problems of non-condensable gases in the reference leg that have been raised in NRC Information Notice No. 92-54, "Level Instrumentation Inaccuracies Caused by Rapid Depressurization," and in Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(f)." (Section 7.1.2.8)

420.25 Describe the reactor coolant hot leg and cold leg temperature measurement arrangement from the sensor to the integrated protection cabinet. How is spatial dependency of the RTDs that are mounted 120 degrees around the pipe compensated? Describe how the T*, Delta T, Overtemperature Delta T setpoint, and Overpower Delta T setpoint software is developed. What type of adjustment is required during plant operation? Are the time constants in these equations allowed to be changed by the operator? What procedure assures that the trip setpoints are properly maintained? (Sections 7.1.2.8 and 7.2.1.1.3)

420.26 Describe the reactor coolant pump speed monitoring arrangement. Since there is only one speed sensor on each reactor coolant pump, describe the failure mode of the speed sensor and its effect on the required pump trip protective function. (Section 7.1.2.8.3)

420.27 Describe the arrangement of the fiber-optic data links for inter-cabinet communications. Identify all the components (including power supply arrangements) to be used for inter-cabinet communications. List all the data links between the integrated protection cabinets. (Section 7.1.2.9)

420.28 Clarify the interfaces between the engineered safety features actuation cabinets (ESFAC), the protection logic cabinets, the multiplexers, and the actuated devices.

Identify the following (Section 7.1.2.9):

a. The total number of engineered safety features actuation cabinets in the plant.
b. The total number of protection logic cabinets in the plant.
c. The type of cable used from the logic cabinet to the actuated devices and to the multiplexers.
d. Are there isolators being used from the logic cabinet through the multiplexer to the control room operator workstation?
e. The approximate number of dedicated control circuits that will be used in the plant.
f. Is there any difference in the design of the "data highway" for the monitor bus and the "data highway" between the ESFAC and the logic cabinets?

420.29 Describe the status indication criteria for the containment penetration isolation valves. Is the status of the containment isolation valves (open/closed) indicated in the main control room during normal operation, shutdown condition, and accident condition? (Section 7.3)

420.30 Describe the function of the "Remote I/O Analog Cabinet" shown in the lower left corner of Figure 7.1-1 of the SSAR. (Section 7.1.2.9)

420.31 Describe the channel bypass provision in the reactor trip logic. The description should include the detailed design of hardware and software for reverting 2/4 logic to 2/3 logic, 2/4 logic to 1/2 logic, 2/4 logic to automatic trip, alarm provision, and the basis for permitting an indefinite period of time with one or two channels bypassed for testing or maintenance. Is the "channel bypass" limited to the same function (for example: high pressurizer pressure) or can it be applied to different functions (for example: one high pressurizer pressure and one low SG level)? Describe the relationship between channel bypass and the "Global Trip" design. Describe the method of the bypass indication at the workstation in the main control room. (Section 7.1.2.10)

420.32 Does the "Fault Tolerance" described in Section 7.1.2.10 of the SSAR include both hardware and software? Describe the methods used to achieve a "Fault Tolerance" design.

420.33 Figure 7.1-10 of the SSAR, "Engineered Safety Features Actuation Cabinet Block Diagram," does not provide sufficient detail to understand the system configuration. The information presented on Figure 7.1-10 is not consistent with Figure 7.1-1. Why does the signal from the IPC to the ESFAC need isolation? What is the optical distribution center? Are the ESFAC and the protection logic cabinet located in the same cabinet? Which signals use hardwire transmission? (Section 7.1.2.10)

420.34 Figure 7.1-13 of the SSAR, "Protection Logic Cabinet Communication Diagram," indicates "2/3 voted outputs" at the bottom of the block diagram. Why is 2/3 voted instead of 2/4? Clarify the number of divisions and number of trains in the system shown on Figure 7.1-13. Is there any signal from division A to train B? (Section 7.1.2.10)


420.35 Clarify whether the "optical coupling" is the only isolation device to be used in the AP600 I&C design. Identify and describe any other isolation devices to be used in the design. (Section 7.1.2.11)

420.36 Identify and justify all the protection system actuated equipment that are not tested during reactor operation in accordance with the guidelines of Regulatory Guide 1.22. (Section 7.1.2.12)

420.37 Section 7.1.2.12 of the SSAR states that there are no built-in interlocks to prevent simultaneous testing of two integrated protection cabinets. It will rely on operation procedures. Since the reactor protection channel under test is bypassed, simultaneous bypass of more than one channel could place the plant in an unsafe condition. Modify the design with built-in interlocks to prevent simultaneous testing of more than one cabinet or justify the proposed design.
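The 2/4-to-2/3-to-1/2-to-automatic-trip progression that Q420.31 asks about, and the single-failure concern behind Q420.37, can be made concrete with a small model of coincidence voting. The code below is an added illustration, not Westinghouse or NRC material and not a description of the actual AP600 logic; it assumes four channels per trip function, two alternative bypass behaviours (a bypassed channel either leaves the vote with the logic degrading as listed in Q420.31, or has its partial trip held at "no trip" with the vote unchanged), and an interlock that limits how many channels of one function may be bypassed at once. The `trips_despite_single_failure` check is the point: with the "hold at no trip" behaviour, two bypassed channels leave a 2/4 function that cannot tolerate one further failure, which is why the interlock matters.

```python
"""Coincidence trip voting with channel bypass (Q420.31) and a bypass
interlock (Q420.37).  Constructed illustration only: not Westinghouse or NRC
code, and not the actual AP600 logic.  Assumptions:
  * four channels per trip function, 2-out-of-4 coincidence;
  * REMOVE bypass: the bypassed channel leaves the vote and the logic degrades
    2/4 -> 2/3 -> 1/2 -> automatic trip (the progression listed in Q420.31);
  * FORCE_NO_TRIP bypass: the bypassed channel's partial trip is held at
    "no trip" while the vote stays 2/4;
  * the interlock allows at most `limit` bypassed channels per function."""

from enum import Enum

N_CHANNELS = 4
COINCIDENCE = 2  # votes needed in undegraded 2-out-of-4 logic


class Ch(Enum):
    NORMAL = "normal"      # healthy, no partial trip asserted
    TRIPPED = "tripped"    # partial trip asserted
    BYPASSED = "bypassed"  # in test or maintenance bypass


class BypassMode(Enum):
    REMOVE = "remove"
    FORCE_NO_TRIP = "force_no_trip"


def degraded_logic(active_channels: int) -> int:
    """Votes required when only `active_channels` remain in the vote:
    4 or 3 active -> 2 (2/4, 2/3); 2 active -> 1 (1/2); fewer -> 0, which is
    an automatic trip.  Assumed mapping of the Q420.31 list."""
    if active_channels >= 3:
        return COINCIDENCE
    if active_channels == 2:
        return 1
    return 0


def voted_trip(states, mode: BypassMode) -> bool:
    """True when the coincidence logic produces a trip for the given states."""
    if mode is BypassMode.REMOVE:
        active = [s for s in states if s is not Ch.BYPASSED]
        tripped = sum(s is Ch.TRIPPED for s in active)
        return tripped >= degraded_logic(len(active))
    # FORCE_NO_TRIP: a bypassed channel can never contribute a vote
    return sum(s is Ch.TRIPPED for s in states) >= COINCIDENCE


def trips_despite_single_failure(bypassed, mode: BypassMode) -> bool:
    """On a genuine demand every non-bypassed channel should trip.  Return
    True only if the function still trips when any ONE of those channels
    fails to respond (the single-failure concern behind Q420.37)."""
    working = [i for i in range(N_CHANNELS) if i not in bypassed]
    if not working:
        return voted_trip([Ch.BYPASSED] * N_CHANNELS, mode)
    for failed in working:
        states = [
            Ch.BYPASSED if i in bypassed else
            Ch.NORMAL if i == failed else Ch.TRIPPED
            for i in range(N_CHANNELS)
        ]
        if not voted_trip(states, mode):
            return False
    return True


class BypassInterlock:
    """Refuses a bypass request that would exceed `limit` bypassed channels
    on one trip function (an assumed built-in interlock, see Q420.37)."""

    def __init__(self, limit: int = 1):
        self.limit = limit
        self.bypassed = set()

    def request(self, channel: int) -> bool:
        if channel in self.bypassed:
            return True
        if len(self.bypassed) >= self.limit:
            return False  # refused: would exceed the permitted bypass count
        self.bypassed.add(channel)
        return True

    def release(self, channel: int) -> None:
        self.bypassed.discard(channel)


def single_failure_table():
    """Single-failure tolerance for 0, 1 and 2 bypassed channels, both modes."""
    return {
        (mode.value, k): trips_despite_single_failure(set(range(k)), mode)
        for mode in BypassMode for k in range(3)
    }


if __name__ == "__main__":
    for (mode, k), ok in single_failure_table().items():
        print(f"{mode:14s} bypassed={k}: trips despite single failure = {ok}")
    lock = BypassInterlock(limit=1)
    print("second bypass permitted:", lock.request(0) and lock.request(1))
```

Running the script tabulates both modes: with the degrading bypass every case tolerates a further single failure, while with the "hold at no trip" bypass the two-channel case does not, and the interlock refuses the second bypass request.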

420.38 Clarify whether the multiplexer configuration shown in Figure 7.1.20 of the SSAR applies to each workstation. How many control multiplexer cabinets will be used in the plant? (Section 7.1.3.2)

420.39 Clarify whether the only interface between the integrated protection system and the integrated control system is through the integrated control cabinets signal selector subsystem. If this is not the case, identify and describe other interface methods. (Section 7.1.3.1.1)

420.40 Describe the I&C system design for the Technical Support Center. (Section 1.2.1.5.3)

420.41 Describe (supported by detailed schematic diagrams) how the design meets the requirements of GDC 21 with two channels bypassed. Discuss the periodic testing aspect of the design. How does the protective function initiate when the third channel fails? Describe the method for indication of bypasses to satisfy the IEEE Standard 279 requirements for continuous indication in the control room. (Section 7.1.4.2.11)

420.42 Describe (supported by detailed schematic diagrams) the capability of the reactor trip breaker bypass design. Can the shunt trip components be tested during power operation? How often are they tested? (Section 7.1.4.2.11)

420.43 Describe the design of the bypass and inoperable status display in the main control room. Are the displays located on the operator's workstation? Are they continuously indicated or do they need to be retrieved by the operator? Discuss the conformance of the design to Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." (Section 7.1.4.2.13)

420.44 Describe the detailed design for transmission of post-accident monitoring information from the protection system to the main control room. Provide failure modes and effects analyses to demonstrate that a postulated single failure (such as a data link component) will not disable the post-accident monitoring information. (Section 7.1.4.2.19)

420.45 Describe how the timing between four redundant divisions is synchronized, and how the noise spikes are reset without causing inadvertent trips. The description should trace the transmission of the initiating signals from the sensors through the signal conditioning units, A/D converter, reactor trip group 1 (or 2) subsystem, trip logic subsystems, and dynamic trip bus, to the reactor trip switchgear (or other actuated devices). (Section 7.2.1)

420.46 Sheet 4 of Figure 7.2-1 of the SSAR indicates a permissive interlock P-18. However, Table 7.3-2 of the SSAR, "Reactor Trip Permissive and Interlock," does not list P-18. Describe the function of P-18 and correct the discrepancy between Table 7.2-3 and Sheet 4 of Figure 7.2-1.

420.47 Sheet 3 of Figure 7.2-1 of the SSAR and some other sheets show manual block control functions (momentary block or momentary reset). Where are these manual control switches located? If these controls are performed from the operator workstations, describe the detailed control and status indication capabilities.

420.48 Sheets 4, 5, 16, 21, 22, 23, 25, and 27 of Figure 7.2-1 of the SSAR show many time constants (Tau 1 through Tau 55). Where in the SSAR are these time constants defined? Are they addressable constants? What assures that correct values were entered into the protection and control systems?

420.49 Describe the "Reset Reactor Trip (not redundant)" function shown on the left side of Sheet 13 of Figure 7.2-1 of the SSAR. How does it work in each division? Does it reset the 2/4 logic or reset the reactor trip breakers?

Questions 420.50 through 420.69 are related to WCAP-13382, "AP600 Instrumentation and Control Hardware Description."

420.50 Describe the qualification methods and test results of the "qualified video display units". (Section 1.2.1 of WCAP-13382)

420.51 The AP600 protection and safety monitoring system performs surveillance testing via a portable tester. How many portable testers will be provided for the plant? Is there any interlock to prevent testing more than one channel at the same time? During a channel test, the bistable output to the logic circuitry is interrupted and causes that portion of the logic to be actuated, accompanied by a channel trip alarm in the control room and the status lights indication on the cabinet test panel. Can the operator get the status indication at his workstation? What type of messages will the operator receive during a channel test, maintenance, or removal from service? (Section 2.4 of WCAP-13382)


420.52 Describe the extreme environmental and energy supply conditions that the AP600 protection and safety monitoring system is designed to withstand. These conditions should include but not be limited to (Section 2.3 of WCAP-13382):

  • maximum and minimum temperature range
  • maximum humidity range
  • maximum and minimum power supply voltage and frequency
  • total loss of HVAC
  • smoke or fire in the area
  • the environment during a station blackout event
  • EMI/RFI, surge and electrostatic discharge
  • seismic vibration

420.53 All instrumentation and control cabinet outputs will de-energize during a loss of power event. Provide a failure modes and effects analysis (FMEA) for the integrated protection cabinets power supply arrangement inside the Nuclear Island/Annex building. (Section 7.1.2.10 of the SSAR and Section 2.9 of WCAP-13382)

420.54 Describe the hardware and software design verification and validation process for the Diverse Actuation System. (Section 2.11 of WCAP-13382)

420.55 Provide a failure modes and effects analysis to demonstrate that inadvertent actuation of the DAS does not result in an additional plant transient, plant trip, or ESF actuation. (Section 2.11 of WCAP-13382)

420.56 Provide test results to demonstrate that the "Standard EMI Seismic Cabinet" can provide shielding for electromagnetic interference and the seismic effect. The test plan should include the basis for the magnitude of the EMI and seismic forces. (Section 3.1.1 of WCAP-13382)

420.57 The Analog Input Process Board (M40) and the D/A Conversion Board (MDA) have different bits of resolution to achieve the required accuracy. Why are they different? How are these extra bits being handled in the signal process? The IEEE Standard 796 bus processes the least-significant byte first. How is the system operation affected when an 8-bit bus master reads 16-bit data in the lower eight data lines? (Sections 3.2.8 and 3.2.10 of WCAP-13382)

420.58 There are two types of erasable programmable read only memory (EPROM and EEPROM) being used in the AP600 design. What is the criterion or guidance that permits using EEPROMs, which can be rewritten from the console without removing them from the board? (Section 3.2.9 of WCAP-13382)

420.59 Define the maximum field parameters considered for the electromagnetic interference (EMI) and radio frequency interference (RFI) protection for the I&C cabinets. How is the environment to be verified at the site where the cabinets will be located? (Section 4.0.6 of WCAP-13382)

420.60 Describe the operating experience of the isolation transformer at the power feeders to minimize EMI/RFI effects. If this is effective for nuclear instrumentation inputs, why is it not used for other process parameter inputs in the integrated protection cabinets? (Section 4.0.6.2 of WCAP-13382)

420.61 Provide the results of the prototype cabinet temperature and humidity limit test when it is completed. Justify the temperature limits specified for the shipping environment, which are larger than the normal operating environment. (Section 4.0.8.1 of WCAP-13382)

420.62 Describe the mechanism of the cabinet cooling assembly power supply arrangements. Section 4.0.8.2 of WCAP-13382 states that cabinet cooling is used after loss of on-site AC power. How does the cooling assembly function after a power loss?
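The byte-order questions in Q420.19(f) and Q420.57 (a bus that transfers the least-significant byte first, processors of different byte order sharing it, and an 8-bit master reading 16-bit data over the lower eight data lines) can be shown with a short model. This is an added illustration, not Westinghouse, NRC or LLNL code; the `struct` formats stand in for the bus transfer, the sample value 2200 is constructed, and the marker-word consistency check at the end is an assumed receiver-side safeguard, not something the RAI describes.

```python
"""Byte order on a least-significant-byte-first bus.

Constructed illustration for Q420.19(f) and Q420.57; not Westinghouse or NRC
code.  The RAI states that the IEEE Standard 796 bus transfers the
least-significant byte first.  The functions below model a 16-bit word sent
that way and show what a reader assuming the opposite order recovers, what an
8-bit master sees on the lower eight data lines, and one assumed receiver-side
consistency check using a known marker word."""

import struct

# Assumed sentinel: a word whose two bytes differ, so a byte-order mismatch
# between sender and receiver changes its decoded value.
BYTE_ORDER_MARKER = 0x00FF


def to_bus_bytes(value: int) -> bytes:
    """The two bytes of a 16-bit word in least-significant-byte-first order."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("16-bit value required")
    return struct.pack("<H", value)


def read_lsb_first(word: bytes) -> int:
    """Reader that agrees with the bus convention (little-endian)."""
    return struct.unpack("<H", word)[0]


def read_msb_first(word: bytes) -> int:
    """Reader that assumes most-significant-byte-first (big-endian)."""
    return struct.unpack(">H", word)[0]


def read_low_byte_only(word: bytes) -> int:
    """An 8-bit master that reads only the lower eight data lines sees the
    low byte of the word (the situation Q420.57 asks about)."""
    return word[0]


def byte_order_consistent(marker: bytes, reader) -> bool:
    """Receiver-side check: decode the marker with the receiver's own reader
    and compare with the agreed value; False means the two ends disagree on
    byte order (assumed check, not taken from the RAI)."""
    return reader(marker) == BYTE_ORDER_MARKER


def analyse(value: int) -> dict:
    """How one 16-bit value is recovered by each kind of reader."""
    word = to_bus_bytes(value)
    return {
        "bus_bytes": word.hex(),
        "lsb_first": read_lsb_first(word),
        "msb_first": read_msb_first(word),
        "low_byte_only": read_low_byte_only(word),
    }


if __name__ == "__main__":
    # Constructed sample: a 16-bit engineering value of 2200 (0x0898)
    for name, seen in analyse(2200).items():
        print(f"{name:14s} {seen}")
    marker = to_bus_bytes(BYTE_ORDER_MARKER)
    print("lsb-first receiver consistent:", byte_order_consistent(marker, read_lsb_first))
    print("msb-first receiver consistent:", byte_order_consistent(marker, read_msb_first))
```

For the constructed value 2200 the bus carries the bytes 98 08; a reader of the opposite byte order recovers 38920 and an 8-bit master reading only the low lines recovers 152, which is why mixed byte order or an 8-bit master on a 16-bit transfer has to be resolved in the design rather than left to the bus.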

420.63 Describe the automatic calibration feature that detects a multiplexer failure. (Section 4.0.10.1 of WCAP-13382)

420.64 The communication subsystem provides information to alarm and monitoring systems external to the integrated protection system, such as cabinet entry status, cabinet temperature, DC power supply voltage and subsystem diagnostic status. Provide an analysis to demonstrate that no single failure (including failures such as overheating due to loss of cabinet cooling) will prevent the diagnostic status from being provided. (Section 4.1.10 of WCAP-13382)

420.65 The automatic tester subsystem injects signals by disconnecting the normal input signals and replacing them with simulated test signals. During test injection for the nuclear instrumentation signals, the automatic tester subsystem will switch off the high voltage supplies of the nuclear instrument detectors. Describe the mechanism to restore the normal status once the test is completed. Provide an analysis to demonstrate that the automatic tester will neither cause inadvertent actuation nor prevent the trip capabilities. (Section 4.1.11 of WCAP-13382)

420.66 Define the scope of the automatic surveillance testing of the integrated protection cabinets and the ESFAS cabinets. Identify the tasks tested by a portable tester and the tasks tested by the built-in circuit in the protection cabinets. Are the test circuits in the protection cabinet fully qualified as Class 1E components? (Section 4.2 of WCAP-13382)

420.67 Describe the software development process of the portable tester. Is the verification and validation process for the portable tester the same as for the protection and safety monitoring system? (Section 4.2 of WCAP-13382)

420.68 Describe the physical protection of the data highway for the protection and monitoring system and the plant control system. Are the data highways routed inside electrical conduits?

420.69 There is a discrepancy between Section 7.1.2.2 of the SSAR and Section 4.1.1 of WCAP-13382. How many microprocessor-based subsystems are in the integrated protection cabinet? Are there 8 or 9?

420.70 WCAP-13383, "AP600 Instrumentation and Control Hardware and Software Design Verification and Validation Process Report," describes an engineering approach to aid the development of hardware, software, and system design. Provide a formal design implementation process with phased inspections, tests, analyses and acceptance criteria (ITAAC) for design development. The detailed process description should be non-proprietary. The information presented in WCAP-13383 should be included in a submittal of the design description and ITAAC under "Hardware and Software Development." The description of the development plan should include details of the hardware and software management plan, the configuration management plan, and the verification and validation plan.

420.71 Section 7.4.3.1.1 of the SSAR states that the remote shutdown workstation is designed to allow safe shutdown of the plant following an evacuation of the control room coincident with the loss of offsite power and a single active failure. Describe the method to achieve safe shutdown if the single active failure is the remote shutdown workstation itself.

420.72 Provide a list of controls and instrumentation to be located on the remote shutdown workstation. If the controls include both safety and non-safety circuits, describe how the design satisfies the separation criteria of Regulatory Guide 1.75. (Section 7.4.3)

420.73 Describe the design of the transfer switch(es) that transfers the control capabilities from the main control room to the remote shutdown workstation. The design should address all the interfaces with the protection and safety monitoring system and the plant control system. Address the fire protection and human factors engineering aspects of the design. Describe the design of the displays at the remote shutdown station. Do the displays remain available at the main control room when the control functions are transferred to the remote shutdown workstation? (Section 7.4.3)

420.74 Describe the design that allows the plant to be brought to cold shutdown from the remote shutdown workstation and other local controls. (Reference: Section 4.9.3 of the EPRI ALWR Utilities Requirements Document) (Section 7.4.3 of the SSAR)

420.75 Describe the design of the remote shutdown workstation with respect to preventing inadvertent lockout or inadvertent actuation. (Section 7.4.3)

420.76 Discuss the accessibility of the remote shutdown station to the operator without the use of security devices, such as keys or key cards, and without electrical power. (Reference: Section 4.9.1.2.3 of Chapter 10 of the EPRI ALWR Utilities Requirements Document) (Section 7.4.3 of the SSAR)

420.77 The AP600 SSAR defines a "Type F" variable, which is not defined in Regulatory Guide 1.97. Section 7.5.2.1.6 of the SSAR defines "Type F" variables as those that provide the information to allow the operator to take manual actions using non-safety-related systems to prevent the unnecessary action of safety-related systems, and to monitor the performance of the non-safety system. Discuss the features that minimize human errors due to any misleading information from "Type F" variables, including any problems or concerns with the instrument qualification. The staff considers that the draft international standard IEC 1226, "The Classification of Instrumentation and Control Systems Important to Safety for Nuclear Power Plants," has addressed the appropriate requirements for this type of instrument. How will the design comply with the requirements and guidance given in both IEC 1226 and IAEA 50-SG-D8, "Safety-Related Instrumentation and Control Systems for NPP's"? (The latter document provided the safety principles for the IEC standard.)

The selection process for Type F variables appears to be incomplete. For example, there are no spent fuel pit cooling system variables included in Table 7.15-9 of the SSAR; however, the spent fuel pit cooling system is listed as a defense-in-depth system in Section 2.3.1.3 of Chapter 3 of Volume III of the EPRI ALWR Utilities Requirements Document. This would indicate that some of the spent fuel pit instrumentation given in Figure 9.1-8 of the SSAR should be Type F. Clarify your reason for not including any of them in the design.

420.78 Regulatory Guide 1.97 specifies that the steam generator water level should be a Category 1 variable. Sheet 1 of Table 7.5-1 of the SSAR indicates that this indication is a Category 2 variable (1/SG). Justify this deviation from the Regulatory Guide.

420.79 Regulatory Guide 1.97 specifies that the neutron flux instrument range should be 10^-6% to 100%. Sheet 1 of Table 7.5-1 of the SSAR indicates the range of the AP600 design is 10'}% to 200%. Justify this deviation.

420.80 Regulatory Guide 1.97 specifies that the RCS boric acid concentration range should be 0 to 6000 ppm. Sheet 3 of Table 7.5-1 of the SSAR indicates that this range is N/A. Provide ranges for this variable.

420.81 Regulatory Guide 1.97 specifies that the condenser air removal radiation instrument range be 10^-6 to 10^5 µCi/cc. Sheet 11 of Table 7.5-1 of the SSAR indicates that the range is 10^-6 to 10" µCi/cc. Justify the deviation. Also, justify the ranges for the control room air radiation and the steam generator blowdown radiation instruments.

420.82 Section 18.9.1.1.4 of the SSAR states that the video display units will be seismically qualified and provide post-accident monitoring capabilities in accordance with Regulatory Guide 1.97. This section states that the hard-wired system level control switches are discussed in Subsection 18.9.7.3.3. However, there is no Subsection 18.9.7.3.3 in the SSAR. Should the reference be Section 18.9.7.3.2? The control functions described in Section 18.9.7.3.2 of the SSAR are to bring the plant to safe shutdown. Are the variables on the video display units categorized as "Type A" variables in accordance with Regulatory Guide 1.97? Provide detailed information on the "Safety Panel" displays which provide guidance to the operators to use the dedicated controls.

420.83 Section 18.9.2.3.8 of the SSAR states that the alarm system is not a contributor to plant unavailability. However, Section 18.9.2.4.1 states that the alarm system is a monitoring system required to be operating for normal and abnormal plant conditions. Clarify the discrepancy between these statements. Discuss the plant emergency procedures for a loss of the alarm system.

420.84 Section 18.9.2.4.2 of the SSAR states that no special requirements exist for the protection of the alarm system. Provide a discussion on the effects on the alarm system from environmental conditions due to high temperature, high humidity, and smoke.

420.85 Nuisance alarms have been a common problem in existing plant alarm systems. Describe the features in the AP600 alarm system design to minimize the potential for nuisance alarms. The design should ensure that the specific method chosen for each alarm will not prevent occurrence of the alarm when it is actually needed. Section 18.9.2.4.7 of the SSAR lists some conditions when the alarm system will not be available. Without the alarm system support panel displays, the control room operators do not have access to the queues of alarm messages. What is the alternative to support plant operation under these conditions?

420.86 The AP600 alarm system includes 5000 input alarms and 40 support workstations. Describe the software design that can achieve a 2-second time response even during the avalanche of alarms during an upset condition. (Section 18.9.2.4.16)

420.87 Paragraph 4 of Section 4.4.1 of WCAP-13382 states that each multiplexer is connected to each workstation. Does this mean every workstation has 8 logic bus connections (i.e., Logic Bus 1 and Logic Bus 2 for each of the four divisions)? If so, is there a single failure or common-mode failure potential by which one workstation can prevent ESF actuation? For example, the workstation may fail in a mode such that it continually sends out "stop and close" signals to the ESF equipment. Since the workstations interface to the Logic Bus, which is downstream of the ESF system initiation signal coming from the Integrated Protection Cabinets (IPC), the workstation signal can override the IPC's ESF signals. Thus, the workstations may prevent initiation of the ESF system when needed.

420.88 The "1st Stage ADS valve" signal is shown initiating a reactor trip. It is not listed as a trip initiator in the SSAR or WCAP-13382 or shown on the Process Block Diagrams. Provide detailed information on this trip initiation. (Sheets 2 and 15 of Figure 7.2-1)

420.89 Describe how the Trip-Normal-Bypass (TNB) switch, the Auto Bypass, the Global Bypass, and the Auto Global Bypass work. Provide a table that shows the inputs (i.e., partial trips, TNB switch, auto bypass, global bypass, auto global bypass, and all other inputs needed for a trip) versus the outputs (i.e., Partial Trip; A, B, C, or D Division Trip; Reactor Trip). (Section 7.1.2.2.3.3)

420.90 Clarify which units are involved in generating the "S" signal. There are two cases of interest: the "S" signal that goes to reactor trip group 1, and the "S" signal that is used in ESF actuation. (Section 7.3.1.1.3)

420.91 Clarify whether all ESF equipment trains are initiated by all four divisions of the ESFAS. The staff's current understanding is that four divisions, each containing two groups of ESF detection instrumentation, apply identical output signals to two (A1 & A2) identical ESF actuation subsystems replicated in four divisions of the ESFAC cabinets. The two (A1 & A2) ESFAS subsystems drive two "logic buses" per division, resulting in eight logic buses going (among other places) to the four protection logic cabinets (PLCs), where they are applied to two "functional logic processors" per protection logic cabinet. In each division, the logic buses appear to be separated: logic bus 1 applied to functional logic processor 1, and logic bus 2 to functional logic processor 2. The functional logic processors drive and sense ESF equipment through three field buses attached to various 2/3 voting power interface cards. Confirm or clarify the following (Section 7.3.1.1):

a. Divisional breakdown occurs at the ESFAC cabinets. Each ESFAC division drives a single division of the PLC and can control only the equipment attached to that PLC division.

b. The breakdown of the ESF equipment attached to each PLC division is unknown, but different among divisions.

Provide the breakdown of the ESF equipment attached to the PLC divisions and explain the maintenance provisions and bypasses at this level. Asymmetry of available ESF equipment in certain maintenance configurations may make the reactor more vulnerable to certain accident consequences.

420.92 Section 15.4.6.2.5 of the SSAR states that any reactor trip signal will isolate unborated water from the demineralized water system (DWS). However, there is no signal shown on the reactor trip logic diagram. Explain how the reactor trip functions to isolate the unborated water from the DWS. (Sections 7.2 and 15.4.6.2.5)

420.93 WCAP-12648, "AP600 Incore Instrumentation System Electromagnetic Interference Test Report," describes the test program that was conducted to investigate EMI concerns in the proposed AP600 Incore Instrumentation System (IIS). Provide clarification on the test configuration, test results, and Westinghouse's conclusions to respond to the following concerns:

a. According to the Electric Power Research Institute (EPRI) study, about 80 percent of EMI problems are due to conducted EMI generated within the facility. Only 20 percent comes from radiated interference. Westinghouse's test configuration is only modeled for radiated interference. Provide justification for not considering the effect of conducted EMI.

b. The test configuration should be close to the actual plant configuration. If the configurations are different, then an analysis should be performed to address the factors affecting the test results. Describe the differences between the test configuration and the AP600 plant configuration, including the circuit grounding arrangement. For example, the FID assembly consists of a thimble tube of approximately 50 feet, but the test configuration used only 6 feet of Mineral Insulated (MI) cable. Is this a fair representation?

c. Justify not analyzing the effects of noise susceptibility of the FID signal ground as one of the reasons for interference.

d. Describe the location of the rod position indication detector coil and the CRDM power cable relative to the FID cables. What are the characteristics of these signals?

e. What are the conductivity and the permeability of the CRDM coil housing metal? What is the thickness of the housing metal?

f. At what range of frequencies is the FID signal most vulnerable?

g. What is the noise tolerance level of the FID and thermocouple signals?

h. Describe the reasons for selecting the test monitoring equipment. What are the input characteristics of the monitoring device? What does 1 mV represent in Figures 7 through 15?

i. What is the reason for displaying test results in a time domain instead of a frequency domain? Provide the test results in a frequency domain.

j. The actual design of the FID circuitry has low-pass filters to eliminate high frequency interference. What is the corner frequency of this filter? How effective is it against the EMI from the CRDM coil?

Human Factors Engineering

620.51 Provide a matrix to identify or map the information contained in Chapter 18 of the SSAR and other applicable SSAR chapters with the 8 elements and specific components of each element described in the document "HFE Program Review Model and Acceptance Criteria for Evolutionary Reactors," that was transmitted to Westinghouse by letter dated September 16, 1992.

ATTACHMENT 4

Assessment of IEEE Standard 796-1983, "IEEE Microprocessor System Bus"
Technical Letter Report
Draft
G. G. Preckshot
Manuscript date: January 15, 1993

FESSP
Fission Energy and Systems Safety Program
Lawrence Livermore National Laboratory

Disclaimer

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

Work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract W-7405-Eng-48.

CONTENTS

Summary
1. Introduction
1.1 Approach
2. Standards Process
3. History of IEEE 796
4. Subsequent IEEE Bus Standards
5. Technical Basis for Recommendations
5.1 Bus Width and Address Space
5.2 Bit Order
5.3 Bus Protocols
5.4 Interrupts and DMA
5.5 Termination and Noise Immunity
5.6 Bus Drive Capability
5.7 Obsoleteness
5.8 Mixed Synchronization and Function (RD* & WR*)
5.9 Separate I/O Space
5.10 Connectors
5.11 Bus Error Detection
5.12 Interoperability
5.13 Domain of Application
5.14 Multiprocessor Features
References

Summary

The following is a summary of the important technical issues covered by this letter. The subject of the letter is recommended guidance for IEEE 796-1983 computer backplane bus systems used in AP-600 nuclear reactor protection systems or in systems important to reactor safety. Additional technical basis information and references are provided in the latter part of this letter.

IEEE 796 Description

The IEEE 796-1983 standard describes a computer backplane bus to be used to connect computer printed circuit boards (PCBs) together in a printed circuit board cage. Physically, the bus consists of two rows of PCB edge connectors spaced at 0.6-inch intervals and soldered to a backplane PCB (motherboard) that carries the bus conductors, usually in parallel, between the PCB connectors. The maximum length of this backplane bus is 18 inches. The standard defines acceptable dimensions for plug-in PCBs and the connector types to be used.

In addition to physical descriptions, IEEE 796-1983 describes the number, naming, and purpose of the bus conductors. The bus is designed for 16-bit computer systems. Since timing is crucial to the reliable transmission of data, the standard defines timing, timing waveforms, and bus interaction protocols for data transmission, bus arbitration (choosing the bus master), interrupts, and system initialization. Voltage levels, supply currents, and impedance levels are also defined.

Purpose and History

The purpose of IEEE 796-1983 is to define technical specifications so that independent suppliers of computer or computer-related printed circuit boards can build compatible products that can be combined in an IEEE 796-1983 printed circuit board cage to make working computer systems. IEEE 796-1983 is a formalization of Multibus (now called Multibus I), a commercial computer backplane bus designed in 1975 by Intel Corporation. It was the second of two computer backplane buses standardized by the IEEE.

Intel Corporation undertook the standardization effort solely to enhance its competitive position. Most of the technical decisions about Multibus I were made by Intel, with little input being allowed from independent members of the IEEE Microprocessor Standards Committee (MSC), Task 796 Working Group.

Current Status

Although IEEE 796-1983 continues to be used in process control applications, it is an obsolete computer backplane bus. The standard has not been updated by 5-year review, which is current practice with IEEE standards. Subsequent bus standards have both described and alleviated the defects of IEEE 796-1983, probably rendering further work on this obsolete design low priority. In applications in nuclear power plants, obsolescence may have an impact in future years by making the integrated circuit technology used to design the bus unavailable. The bus design is now 18 years old.

Recommendations

This bus will work for nuclear power plant safety applications of moderate computational capability (no more than 6 million 16-bit bus cycles per second)[1] in non-hazardous locations. It is sensitive to external noise and should be used in well-shielded enclosures with well-shielded power supplies only.

In view of the history of incompatible products on Multibus I, all safety applications should be reviewed by a technical organization having expertise in computer backplane bus performance, preferably independent of nuclear system vendors or owner/operators. Alternatively, if the Multibus I computer system vendor has complete control of all boards in the system, a submission of detailed bus performance data as described further in this recommendation would be adequate. Applications should be certified only for specific computer or computer-related PCBs located in specific slots. Additions of new PCBs or relocation of PCBs in board cage slots should require recertification, especially if additions or relocations are done independently by owner/operators in later system upgrades or modifications.

Bus performance reviewers should confirm positive noise and timing margins at specified PCB positions, and should ensure that all PCBs use compatible bus protocols and cannot be reconfigured by casual maintenance to use incompatible protocols or timing.

If the bus is used for multiprocessing applications (more than one processor has access to the bus), enhanced review of software is recommended. This bus has minimal support for multiprocessing applications, and software bears the burden for ensuring correct system synchronization. This requires highly skilled programmers and is difficult to do correctly. Software errors in this area may result in common-mode failures extending over multiple, supposedly independent IEEE 796-1983 systems.

1. Introduction

This technical letter report is intended to satisfy work item 3 of Task 11, FIN L-1867 between NRC and LLNL. The requirement reads "Perform an assessment on IEEE standard 796-1983, 'IEEE Microprocessor System Bus' with respect to the technology of the distributed digital system that could be used in the AP600 design." IEEE Standard 796-1983 is a computer backplane bus of 18 inches maximum length used as an internal data path inside computers comprised of separate computer printed circuit boards. The bus can be extended to additional PCB cages with bus repeaters and short multi-conductor flat cables, but with reduced performance and noise immunity. It is not used for inter-computer communications over longer distances. For these reasons, it is assumed in this letter that use of IEEE 796-1983 in the AP-600 design is confined to PCB motherboard-style computer backplanes inside PCB cages. Westinghouse AP-600 SAR paragraph 7.1.2 confirms this assumption.

[1] This is an absolute maximum number based on address setup, data hold, and XACK* relaxation time during a data transfer cycle. Other cycles and on-board logic delays should reduce this number to the range of 1-4 million bus cycles per second in practical systems.

1.1 Approach

LLNL's approach to assessing the IEEE 796-1983 computer backplane bus was to review relevant historical documents that were published during the standardization process to determine the technical criteria used. Since IEEE 796-1983 was only the second computer backplane bus so standardized, the history of the effort is significant because it can be expected that the standards committee may have committed oversights that current committees would not now commit. A review of subsequent standards efforts was enlightening because frank discussion of earlier defects occurred during committee proceedings. In a sense, later standards committees performed the required assessments for LLNL and revealed the results in comments and in improved bus characteristics. LLNL then reviewed the technical issues in light of the proposed architecture of the AP-600, as revealed by Chapter 7 of the AP-600 SAR. In view of the specific nature of the statement of work under which this assessment was undertaken, caution is advised in applying our conclusions to other uses of IEEE 796-1983.

2. Standards Process

The IEEE standards process is a consensual process that often involves technical personnel from organizations having significant financial interests in the outcome of standards debates. This occurs in part because members of the IEEE committees are unpaid volunteers whose employers are unlikely to support standards work for merely altruistic reasons. Such committee members who are independent must be convincing to persuade their confreres in cases where technical excellence is pitted against commercial advantage. The results, albeit imperfect, have yielded continuously improving standards products, although earlier standards exhibit the kinds of defects that might be expected.

3. History of IEEE 796

The first microcomputer bus to be considered for standardization was the MITS Altair computer bus in 1977. At this time the Microprocessor Standards Committee (MSC) was formed, under whose aegis IEEE project P696 was authorized later in 1977 to standardize the MITS bus as the S-100 bus. The objective of this effort was to improve compatibility of computer PCBs that would supposedly (but often did not) work together on the MITS bus (Stewart 1986). As an example of the technical level at this time, the S-100 bus uses 100-pin PCB edge connectors not because engineers planned the usage of conductors, but because MITS acquired a quantity of 100-pin connectors at a good price.

In 1978, in parallel with P696, IEEE project P796 was authorized to standardize Intel Corporation's Multibus computer backplane bus. Intel's motivation was commercial advantage, since the bus favors Intel integrated circuits, and an increase in sales of computer PCBs using Intel integrated circuits was an expected outcome of greater PCB compatibility on a standardized bus. The approval of P796 as IEEE Standard 796-1983 was a ratification of a de facto proprietary commercial backplane bus with cosmetic changes (Allison 1986). The degree of control Intel had over both Multibus I and Multibus II was made clear by Kirrmann (1985) in a report on the Paris Multibus II meeting. Kirrmann's report is astounding for the degree of frankness and censure (of Intel) that appears in a refereed technical journal.

4. Subsequent IEEE Bus Standards

P796 finally reached standards approval, but the consensus of many involved was that it was standardized in spite of deficiencies. Two other standardization projects, P896 (Futurebus) and P1296 (Multibus II), are especially interesting in light of what they reveal about P796. P896 was initiated concurrently with proceedings on P796, and the P896 committee included people who were dissatisfied with both Multibus I and the S-100 bus (P696). The issues addressed by Futurebus reveal a lot about the issues that were not addressed by Multibus I. Even Intel Corporation felt the constriction of Multibus I. Multibus II represents Intel's attempts to overcome the deficiencies it perceived in Multibus I. Consequently, comparisons of both Futurebus (P896) and Multibus II (P1296) with Multibus I (IEEE 796) are very instructive. These comparisons are made in the following development of technical bases for assessment of IEEE 796-1983. As a matter of note, P696, P896, and P1296 eventually became IEEE standards as well.

5. Technical Basis for Recommendations

Background technical data of the time when IEEE 796-1983 was under consideration (1978 to 1983) can be obtained from Borrill (1981) and Gustavson (1984). References to IEEE 796 can be found in IEEE (1983) and Boberg (1980). Additional references are cited below where they are appropriate.

5.1 Bus Width and Address Space

IEEE 796-1983 has 16 data lines and 24 address lines, which are consistent with early Intel 16-bit processors (e.g., 8086 and 80286) and later 32-bit processors with 16-bit interfaces (e.g., 80386SX). Other manufacturers' 16-bit processors have also been used with the bus. The original Multibus specification was expanded from 20 address lines (Boberg 1980) to 24 to accommodate the rapidly increasing memory requirements of microprocessors of the time. By comparison, current high-end microprocessor systems have 32-bit address spaces and high-end system users are pushing for more. There is no reason to believe that current plans for the AP-600 protection system cannot be accommodated within the processor and address space limitations posed by IEEE 796-1983 bus width. There would, however, be some cause for concern if there were significant increases in complexity of software or attempts to use 32-bit processors with 32-bit interfaces. Additional software complexity could have adverse effects because of address space and bus bandwidth limitations. Using 32-bit processors with 32-bit interfaces requires significantly more complicated bus interface circuitry.

5.2 Bit Order

The 796 bus is nominally a "little-endian" bus (least-significant byte first (Cohen 1981)), although for most purposes this has little effect if processors of similar bit order are connected to the bus. "Big-endian" processors can be accommodated by simple bus crossover routing in the printed circuit board interface wiring (James 1990). One area of practical implication is the byte-swap function, by which an 8-bit bus master may read 16-bit data in the lower (least-significant byte) eight data lines. The order of reading is least- and then most-significant byte, controlled by the A0* address line. Bit ordering would be a concern if processors of different bit order were intermixed on the bus. There is no information at this time to indicate that the AP-600 design does this.
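The byte-swap read described above, and the question raised in 420.57 about an 8-bit master reading 16-bit data on the lower eight data lines, can be made concrete with a small simulation. The following is an added example, not code from this report or from the AP600 design: it models the D0-D7 and D8-D15 lanes, the A0 address bit and BHEN* (byte high enable), and shows that a 16-bit master and a little-endian 8-bit master recover the same word, while an 8-bit big-endian master that takes the first byte it receives as the most significant reads the halves swapped until a crossover is applied. The slave memory contents and word values are constructed, and XACK* is reduced to a flag.

```c
/* Added example (not from the LLNL report or the AP600 design): IEEE 796
 * data lanes, the A0 bit and BHEN*, and the slave byte-swap path used by an
 * 8-bit bus master. Slave memory contents are constructed for the illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SLAVE_BYTES 8
/* Byte-addressable slave memory holding little-endian 16-bit words. */
static const uint8_t slave_mem[SLAVE_BYTES] = {
    0x34, 0x12,   /* word at 0: 0x1234 */
    0xCD, 0xAB,   /* word at 2: 0xABCD */
    0x00, 0x80,   /* word at 4: 0x8000 */
    0xFF, 0x7F,   /* word at 6: 0x7FFF */
};

typedef struct {
    uint8_t d_low;   /* D0-D7  */
    uint8_t d_high;  /* D8-D15 */
    bool    xack;    /* XACK* seen: a slave acknowledged the cycle */
} bus_cycle_t;

/* Slave side of one read cycle. addr is a byte address, so A0 = addr & 1.
 * A0 = 0, BHEN* asserted:     both bytes of the word on D0-D15.
 * A0 = 0, BHEN* not asserted: even (least-significant) byte on D0-D7.
 * A0 = 1:                     the odd (most-significant) byte is routed onto
 *                             D0-D7 by the slave's byte-swap buffer so that a
 *                             master with only eight data lines can reach it. */
static bus_cycle_t slave_read(uint16_t addr, bool bhen)
{
    bus_cycle_t c = {0, 0, false};
    if (addr >= SLAVE_BYTES) return c;          /* nobody answers: no XACK* */
    c.d_low = slave_mem[addr];
    if ((addr & 1) == 0 && bhen) c.d_high = slave_mem[addr + 1];
    c.xack = true;
    return c;
}

bool slave_acknowledges(uint16_t addr) { return slave_read(addr, false).xack; }

/* 16-bit master: one cycle with A0 = 0 and BHEN* asserted. */
uint16_t master16_read_word(uint16_t addr)
{
    bus_cycle_t c = slave_read((uint16_t)(addr & ~1u), true);
    return (uint16_t)(c.d_low | (c.d_high << 8));
}

/* 8-bit little-endian master: two cycles on D0-D7, least-significant byte
 * first (A0 = 0), then the most-significant byte via the swap path (A0 = 1). */
uint16_t master8_read_word_le(uint16_t addr)
{
    bus_cycle_t lo = slave_read((uint16_t)(addr & ~1u), false);
    bus_cycle_t hi = slave_read((uint16_t)((addr & ~1u) | 1u), false);
    return (uint16_t)(lo.d_low | (hi.d_low << 8));
}

/* 8-bit big-endian master that treats the first byte it receives as the most
 * significant: the same two cycles, but the halves come out swapped. */
uint16_t master8_read_word_be_naive(uint16_t addr)
{
    bus_cycle_t first  = slave_read((uint16_t)(addr & ~1u), false);
    bus_cycle_t second = slave_read((uint16_t)((addr & ~1u) | 1u), false);
    return (uint16_t)((first.d_low << 8) | second.d_low);
}

/* The same master with the crossover the report mentions: swap the halves
 * back so the value matches what the 16-bit master reads. */
uint16_t master8_read_word_be_corrected(uint16_t addr)
{
    uint16_t v = master8_read_word_be_naive(addr);
    return (uint16_t)((v << 8) | (v >> 8));
}

int main(void)
{
    for (unsigned a = 0; a < SLAVE_BYTES; a += 2)
        printf("word@%u: 16-bit=%04X  8-bit LE=%04X  8-bit BE naive=%04X  corrected=%04X\n",
               a, (unsigned)master16_read_word((uint16_t)a),
               (unsigned)master8_read_word_le((uint16_t)a),
               (unsigned)master8_read_word_be_naive((uint16_t)a),
               (unsigned)master8_read_word_be_corrected((uint16_t)a));
    return 0;
}
```

The point for a reviewer is the last two functions: nothing on the bus tells a master which byte is which, so a board of the other bit order reads every word wrong unless its interface wiring or firmware swaps the halves, and an address that no slave decodes returns no XACK* at all rather than a value.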

5.3 Bus Protocols The 796 bus is an asynchronous bus, by which is meant that data transfers take place by a two-party interaction called a " handshake." In this interaction a data receiver does not accept data until it receives confirmation that data is valid, and a data sender does not remove valid data from the bus untilit receives confirmation that the data has been received. Data transfers are under control of a " bus master," which initiates bus transactions.

Mastership can be exchanged by two priority mechanisms that assign mastership to the highest priority bus requester. Potential for conflict exists if PCBs are configured for incompatible bus master exchanges. If a bus priority arbiter is used,it represents a single point of failure for the system.

Later bus standards use a distributed arbitration scheme (Taub 1984). While this scheme may be faster, there is no evidence that it is more reliable.

5.4 Interrupts and DMA

Direct Memory Access (DMA) is a technique by which data is transferred directly to memory without involving the processor. There are two techniques for doing this, both involving bus master exchanges. The first uses distributed DMA controllers (one on each DMA-capable peripheral) which acquire bus mastership to transfer one or more bytes of data to or from memory. The second utilizes a central DMA controller which acquires bus mastership and mediates data transfer between a data source and a data receiver. Intel appears to prefer the latter approach (they sell central DMA controller integrated circuits) but nothing prevents the former approach. In fact, it is necessary if multiple processors share the 796 bus.

Interrupts, like bus master exchanges, can be signaled by two potentially incompatible protocols.

Both methods use eight prioritized interrupt request lines with a handshake on a single interrupt acknowledge line. In non-bus vectored interrupts, no interrupt vector address is transferred over the 796 data lines. In bus vectored interrupts, either one or two bytes of interrupt vector are transferred on 796 bus data lines. There are therefore three opportunities for PCB configuration error in interrupt sequence settings.

5.5 Termination and Noise Immunity

In handshaking asynchronous data transfer systems such as IEEE 796-1983, it is necessary to ensure that data is stable on the data lines when a receiver receives the handshake signal, and furthermore, that data remains stable while the receiver locks the data into a register. This is also true for other bus operations, such as bus master exchange and interrupt sequencing. Consequently, buses of the 796 type specify setup and hold times for data, vectors, and master identifiers relative to rising and falling edges of the bus control signals. The time during which non-control signals are unstable is called the "settling" time. The "noise margin" is the amount (usually in volts) by which the received signal exceeds the transition voltage (from 0 to 1 or vice versa) at the settling time.

Contributing to the delay in settling time is the lack of transmission line termination in IEEE 796-1983 specifications. At high signal speeds, bus lines act like high-frequency transmission lines. If not terminated in their characteristic impedances, reflections result, and this is exacerbated if bus driver capability is too small to drive the transmission line impedance. Later backplane bus standards (Futurebus (Balakrishnan 1984)) considered this question extensively. The technique of waiting for bus lines to settle before strobing data eliminates the effect of reflections caused by intentional bus transitions in unterminated systems but cannot compensate for random externally generated electrical transients because these occur at unpredictable times. The 796 bus may therefore be more sensitive to externally generated noise than buses with mechanisms for dissipating noise energy, such as bus line characteristic impedance terminations. Provided that sufficiently long setup and hold times are maintained (at the expense of performance), the 796 bus should be insensitive to crosstalk and other synchronous internally generated noise.
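To make the two-party handshake of 5.3 and the setup and hold requirement of 5.5 concrete, the following checker (added example code, not part of the NRC review or of the IEEE standard) walks a constructed trace of one 796-style memory write cycle and counts protocol violations. The signal names MWTC* (memory write command) and XACK* (transfer acknowledge) follow IEEE 796 usage; the 50 ns setup figure, the event timings and the trace format are assumptions of this example.

```c
#include <stdbool.h>
#define SETUP_NS 50  /* assumed: data must be stable this long before MWTC* falls */
#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

typedef enum { SIG_DATA, SIG_MWTC, SIG_XACK } bus_sig;
/* val: data byte for SIG_DATA; 0 = asserted, 1 = released for the active-low
 * MWTC* (write command) and XACK* (acknowledge) lines. Times in nanoseconds. */
typedef struct { int t_ns; bus_sig sig; int val; } event_t;

/* Walks a write-cycle trace and counts handshake violations:
 *  - data changed less than SETUP_NS before MWTC* was asserted (setup),
 *  - sender changed data after MWTC* fell but before XACK* arrived (hold),
 *  - receiver asserted XACK* with no command pending (accepting unvalidated data). */
int check_trace(const event_t *ev, int n) {
    int violations = 0, data_change_t = -1000000;
    bool cmd = false, acked = false;
    for (int i = 0; i < n; i++) {
        switch (ev[i].sig) {
        case SIG_DATA:
            if (cmd && !acked) violations++;
            data_change_t = ev[i].t_ns;
            break;
        case SIG_MWTC:
            cmd = (ev[i].val == 0);
            if (cmd) {
                if (ev[i].t_ns - data_change_t < SETUP_NS) violations++;
                acked = false;
            }
            break;
        case SIG_XACK:
            if (ev[i].val == 0) { if (cmd) acked = true; else violations++; }
            break;
        }
    }
    return violations;
}

/* Constructed traces, one write cycle each. */
static const event_t good_trace[] = {
    {0, SIG_DATA, 0x5A}, {60, SIG_MWTC, 0}, {120, SIG_XACK, 0},
    {140, SIG_MWTC, 1}, {160, SIG_XACK, 1}, {170, SIG_DATA, 0xA5} };
static const event_t early_remove[] = {   /* data removed before XACK* */
    {0, SIG_DATA, 0x5A}, {60, SIG_MWTC, 0}, {100, SIG_DATA, 0xA5},
    {120, SIG_XACK, 0}, {140, SIG_MWTC, 1}, {160, SIG_XACK, 1} };
static const event_t short_setup[] = {    /* MWTC* only 20 ns after data */
    {0, SIG_DATA, 0x5A}, {20, SIG_MWTC, 0}, {120, SIG_XACK, 0},
    {140, SIG_MWTC, 1}, {160, SIG_XACK, 1} };
```

The checker flags exactly the two classes of fault the text describes: a sender withdrawing data before confirmation, and data that has not settled for the specified setup time before the strobe.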

5.6 Bus Drive Capability

At the time Multibus was designed, the dominant digital circuit technology was Transistor-Transistor Logic (TTL). Bus drivers were sized to drive static loads (bus transceiver inputs), with some allowance for transceiver input capacitance. However, study soon revealed that signal voltage swing (high minus low logic voltage) and line impedance were the controlling factors for bus drive capability (Balakrishnan 1984) if bus speeds were to be increased to electrical propagation delay times for backplane lengths. The nominal drive capability for IEEE 796-1983 is not sufficient to support these high speeds, although it has worked and should continue to work well as long as bus settling times are not underspecified.

This assumes that distributed capacitance along the bus does not exceed drive capability after the minimum settling times.

5.7 Obsoleteness

IEEE 796-1983 is obsolete. It uses obsolete integrated circuit technology (TTL) and was designed at a time when transmission line theory was not being applied to microprocessor bus design. Connectors (mentioned later) are also obsolete.

5.8 Mixed Synchronization and Function (RD* & WR*)

The IEEE 796-1983 bus treats Intel integrated circuits more favorably than those of other manufacturers because the bus essentially repeats signals directly from Intel integrated circuit pins. This is not a feature limited to Intel Corporation, but is practiced by other manufacturers in their own proprietary backplane buses.

One place in particular where this occurs is in the RD* and WR* (also the IOR* and the IOW*)² memory read and write bus control signals. These signals combine both function indication (read or write) with data strobe (synchronization). An alternative method that is claimed to be better (Borrill 1981) utilizes a function line R/W* to indicate the read or write function and a separate data strobe line (UDS* or LDS*) to perform synchronization. The issue is only significant when processors from one manufacturer are used on a proprietary bus from another manufacturer, in which case care must be taken to ensure that interface circuitry correctly converts processor synchronization protocols to the Intel protocol.

5.9 Separate I/O Space

Excluding special I/O processors and "channels," there are two main ways to connect peripheral interfaces directly to microprocessors. The first is to consider peripheral registers to be memory devices and simply to include peripheral registers somewhere in the memory address space of the microprocessor. The second is to have a separate address space for I/O devices. The second approach is taken by IEEE 796-1983, although the first is still possible. This is compatible with the Intel 80X86 family of microprocessors, which has separate I/O instructions for this purpose. The IOR* and IOW* bus control lines are provided to distinguish I/O address space from memory address space.

² In IEEE 796-1983, these lines are called out as MRDC*, MWTC*, IORC*, and IOWC*, respectively.

The only effect that a separate I/O space has is to complicate software. Additional instructions must be generated by compilers and provided for in high-level source languages. Also, I/O instructions have restrictions that memory-referencing instructions do not (at least in Intel architectures).

5.10 Connectors

IEEE 796-1983 uses two obsolete connectors. One is a PCB edge connector of 0.156-inch contact spacing while the other is a PCB edge connector of 0.100-inch contact spacing.

PCB edge connectors have been replaced in modern buses by two-part "euro" connectors. The newer connectors do not require gold-plated "fingers" on the edge of the PCB, but have square pins that mate to spring-loaded receptacles. Edge connectors are more susceptible to contamination and mis-insertion than two-part connectors. Higher pin density is also possible with euro-connectors.

5.11 Bus Error Detection

IEEE 796-1983 has no parity or error correction. A bus watch-dog timer is often used to detect access to non-existent (or failed) memory or I/O devices, but any memory Error Correcting Code (ECC) must be done without bus involvement. The bus is therefore non-redundant and cannot be considered a high-reliability bus. Reliability of 796 systems must be achieved by other means, such as multiple, independent 796-based systems in a redundant architecture.

5.12 Interoperability

At the time of standardization, there were several ways to configure bus mastership, interrupt sequencing, and I/O and memory space mapping. The standard is a de facto recognition of the methods that had enough economic weight at the time to make their presence felt. Potential interoperability problems still exist and are a concern with every IEEE 796-1983 design that uses components from different suppliers, or sometimes from the same supplier. The problem, however, is manageable.

5.13 Domain of Application

IEEE 796-1983 is used mostly in industrial control systems, where it has given way to the newer Multibus II (IEEE 1296) and VMEbus (IEEE 1014) standards. VMEbus has been and continues to be the leader in such applications. IEEE 796 does not have much presence in workstations or personal computers, nor is it likely to in the future.

5.14 Multiprocessor Features

IEEE 796-1983 has rudimentary multiprocessor features, notably bus master exchange and the LOCK* signal. Bus master exchange has already been mentioned. The LOCK* signal allows a bus master to retain control of the bus during a "read-modify-write" cycle (which means exactly what it says) so that a variable in shared memory can be updated without interference from other processors sharing the bus. This is the minimum hardware support required for most multiprocessing schemes, and throws most of the burden for multiprocessor coordination upon software. The software skill level required to do this correctly is high.


Subsequent standards (IEEE 896 (Borrill 1984) and IEEE 1296 (Rap and Tetrick 1986)) have extended message passing and interrupt capabilities to support multiprocessors. The defects of IEEE 796 for multiprocessing use are well described by papers on the later standards. Caution and careful software review should be used when IEEE 796 is used in multiprocessor applications.
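The read-modify-write hazard that LOCK* addresses in 5.14 is shown below by a deterministic simulation (added example code, not from the NRC review or the IEEE standard) of two bus masters each incrementing one shared-memory word as three separate bus cycles. The arbiter follows a constructed schedule except that a master holding LOCK* is never preempted; the step model, the schedules and the function names are assumptions of this example.

```c
#include <stdbool.h>
#define NMASTERS 2

typedef struct { int shared; int lock_owner; } bus_t;   /* lock_owner: -1 = LOCK* released */
typedef struct { int step; int reg; } master_t;          /* step: 0 read, 1 modify, 2 write, 3 done */

/* One bus cycle for master m (read-modify-write of bus->shared as three
 * separate cycles). Returns false once the master has finished. */
static bool master_cycle(bus_t *bus, master_t *ms, int m, bool use_lock) {
    master_t *mm = &ms[m];
    switch (mm->step) {
    case 0:                                /* read cycle, LOCK* asserted with it */
        if (use_lock) bus->lock_owner = m;
        mm->reg = bus->shared;
        break;
    case 1:                                /* modify: no bus access */
        mm->reg += 1;
        break;
    case 2:                                /* write cycle, then release LOCK* */
        bus->shared = mm->reg;
        if (use_lock) bus->lock_owner = -1;
        break;
    default:
        return false;
    }
    mm->step++;
    return true;
}

/* Runs the masters in the order the schedule names them, except that the
 * arbiter never takes the bus from a master holding LOCK*. Any master left
 * unfinished when the schedule ends is run to completion. Returns the final
 * value of the shared word (2 if both increments survived). */
int run_schedule(const int *schedule, int n, bool use_lock) {
    bus_t bus = { 0, -1 };
    master_t ms[NMASTERS] = { {0, 0}, {0, 0} };
    for (int i = 0; i < n; i++) {
        int m = (bus.lock_owner != -1) ? bus.lock_owner : schedule[i];
        master_cycle(&bus, ms, m, use_lock);
    }
    for (int m = 0; m < NMASTERS; m++)
        while (master_cycle(&bus, ms, m, use_lock)) { }
    return bus.shared;
}

/* Constructed schedules: interleaved lets both masters read before either writes. */
static const int interleaved[] = { 0, 1, 0, 1, 0, 1 };
static const int serial[]      = { 0, 0, 0, 1, 1, 1 };
```

Without LOCK* the interleaved schedule loses one update (final value 1); with LOCK*, or with a serial schedule, both increments survive (final value 2), which is the coordination the text says software must otherwise guarantee.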


References

Allison, Andrew, December 1986, "IEEE Standards During The Great Bus Wars - Another View," in Letters, IEEE Micro, pp. 82-83.

Balakrishnan, R. V., August 1984, "The Proposed IEEE 896 Futurebus-A Solution to the Bus Driving Problem," IEEE Micro, pp. 23-27.

Boberg, Richard W., October 1980, "Proposed Microcomputer System 796 Bus Standard," Computer, pp. 89-105.

Borrill, Paul L., February 1981, "Microprocessor Bus Structures and Standards," IEEE Micro, pp. 84-95.

Borrill, Paul L., August 1984, "An Advanced Communication Protocol for the Proposed IEEE 896 Futurebus," IEEE Micro, pp. 42-56.

Cohen, D., October 1981, "On Holy Wars and a Plea for Peace," Computer, pp. 48-54.

Gustavson, David B., August 1984, "Computer Buses-A Tutorial," IEEE Micro, pp. 7-22.

IEEE, 1983, IEEE Standard Microcomputer System Bus, IEEE Std 796-1983.

James, David V., June 1990, "Multiplexed Buses: The Endian Wars Continue," IEEE Micro, pp. 9-21.

Kirrmann, Hubert, August 1985, "Report on the Paris Multibus II Meeting," in "MicroStandards," IEEE Micro, pp. 82-87, 89.

Rap, Michael D., and Tetrick, R. Scott, June 1986, "P1296: The Interprocessor Communication Standard," in "MicroStandards," IEEE Micro, pp. 72-77.

Stewart, Robert G., August 1986, "MicroStandards," IEEE Micro, pp. 66-74.

Taub, D. M., August 1984, "Arbitration and Control Acquisition in the Proposed IEEE 896 Futurebus," IEEE Micro, pp. 28-41.
