ML20056C050

Safety Evaluation Supporting Amends 138 & 127 to Licenses DPR-39 & DPR-48, respectively

Site: Zion
Issue date: 06/09/1992
From: Office of Nuclear Reactor Regulation
Shared Package: ML20056C048
References: NUDOCS 9206160190
Download: ML20056C050 (61)

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 138 TO FACILITY OPERATING LICENSE NO. DPR-39 AND AMENDMENT NO. 127 TO FACILITY OPERATING LICENSE NO. DPR-48
COMMONWEALTH EDISON COMPANY
ZION NUCLEAR POWER STATION, UNITS 1 AND 2
DOCKET NOS. 50-295 AND 50-304

Author / Principal Contributor: Garry Garten, NRC/NRR/DST, 301-504-2931

TABLE OF CONTENTS

TABLE OF CONTENTS  i
PURPOSE OF REVIEW  iv
REGULATIONS AND REVIEW GUIDANCE  v
SUMMARY  1
BACKGROUND  2
GENERAL SYSTEM AND MODIFICATION DESCRIPTION  4
    A. General Description of the Eagle 21 System  4
        1. Input/Output Subsystem  4
        2. Loop Processor Subsystem  5
        3. The Tester Subsystem  5
    B. General Description of the Zion Station Modification  6
TECHNICAL REVIEW  7
    I. SOFTWARE  7
        A. General Description of the NRC Staff Review Approach  7
        B. General Description of the Vendor's Software Design  8
        C. The Results of the NRC Staff Review  9
            1. CECO/Vendor Interface  9
            2. Verification and Validation Organization  10
            3. Verification and Validation Program Review  10
            4. NRC Thread Walk-through  14
            5. Compiler Use  15
            6. Configuration Management  16
            7. Conclusion  16
    II. EQUIPMENT QUALIFICATION  17
        A. Temperature and Humidity  17
        B. Seismic  19
        C. Electro-magnetic and Radio Frequency Qualification  20
            1. NRC Assessment of the AEER Environment  21
            2. Initial Vendor and CECO Qualification and NRC Review of that Qualification  22
            3. Additional CECO On-site Measurement and Vendor Assessment  24
            4. Resolution  25
        D. Electro-static Discharge  26
        E. Radiation  26
        F. Conclusion  26
    III. ISOLATION AND INTERACTION BETWEEN 1E AND NON-1E: NOISE, FAULT AND SURGE WITHSTAND TESTING  26
    IV. GROUNDING  29
    V. POWER  30
        A. Inverter Loading  30
        B. Power Quality  31
        C. The Effect of a Loss of Power  32
        D. Conclusion  32
    VI. TESTABILITY  32
        A. On-line Automatic Functions  33
        B. Man Machine Interface (MMI) Tester  33
            1. Software  34
            2. Security of MMI System  34
            3. MMI Use  35
        C. Channel Bypass and Trip Functions  36
    VII. RESPONSE TIMES AND SETPOINTS  37
    VIII. DEFENSE IN-DEPTH  37
        A. Reliability and Software Common Mode Failure Concerns  39
        B. Resolution  41
        C. Failure Modes and Effects/Single Failure  41
    IX. FACTORY AND ON-SITE TESTING  42
    X. PRODUCT HISTORY  43
        A. Generic Chip Problems  43
        B. Eagle 21 Specific Failures  44
        C. Eagle 21 Users Group  45
    XI. SYSTEM EFFECT ON RELATED LICENSING ISSUES  45
    XII. TRAINING AND PROCEDURES  46
    XIII. TECHNICAL SPECIFICATION CHANGES  47
    XIV. APPLICATION TO UNIT 2  48
    XV. FOLLOW-UP REPORTING  49
    XVI. STATE CONSULTATION  50
    XVII. ENVIRONMENTAL CONSIDERATION  50
CONCLUSIONS  51
REFERENCES  52

PURPOSE OF REVIEW

This Safety Evaluation Report summarizes the NRC staff review of a Reactor Protection / Engineered Safety Features System modification at the Zion Station Units 1 and 2 that replaced the analog Westinghouse 7100 process protection system with the digital Westinghouse Eagle 21 process protection system.

REGULATIONS AND REVIEW GUIDANCE

10 C.F.R. Part 50.55a (1991)  51
10 C.F.R. Part 50.59 (1991)  2
10 C.F.R. Part 50.62 (1991)  45
10 C.F.R. Part 50.63 (1991)  45
10 C.F.R. Part 50, Appendix A, G.D.C. 2 (1991)  17, 26, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 4 (1991)  17, 26, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 17 (1991)  30
10 C.F.R. Part 50, Appendix A, G.D.C. 20 (1991)  7, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 21 (1991)  30, 32, 38, 42, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 22 (1991)  27, 38, 39, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 23 (1991)  30, 38, 42, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 24 (1991)  27, 51
10 C.F.R. Part 50, Appendix A, G.D.C. 25 (1991)  51
Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions"  32, 36
Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems"  32, 36
Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Systems"  39
Regulatory Guide 1.75, "Physical Independence of Electrical Systems"  27
Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident"  6, 45
Regulatory Guide 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants"  19, 20
Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems"  32, 36
Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants"  3, 7, 9, 14, 15, 16, 51
Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Event"  46
IN 83-83, "Use of Portable Radio Transmitters Inside Nuclear Power Plants"  21
NUREG-0493, "A Defense-in-depth and Diversity Assessment of the RESAR-414 Integrated Protection System"  39
NUREG-0800, Chapter 7, "U.S. Nuclear Regulatory Commission, Standard Review Plan, Office of Nuclear Reactor Regulation"  3
NUREG/CR-3270, "Investigation of Electro-magnetic Interference (EMI) Levels in Commercial Nuclear Power Plants"  21
ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations"  7, 8, 9, 10, 14, 15, 16, 34, 38
ANSI/IEEE Std. 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, Institute of Electrical and Electronic Engineers"  11, 27, 28, 39
ANSI/IEEE Std. 1012-1986, "IEEE Standard for Software Verification and Validation Plans"  7
IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations"  27, 28, 32, 42, 51
IEEE Standard 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations"  17, 19
IEEE 338-1977, "IEEE Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems"  32, 36
IEEE Standard 344-1975, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations"  19, 20
IEEE 379-1977, "Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems"  39
IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits"  27, 28
IEEE 472-1974, "Guide for Surge Withstand Capability Tests"  27, 28
IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations"  29
ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications, American Society of Mechanical Engineers"  7
MIL-STD-461(A,B,C), "Electro-magnetic Emission and Susceptibility Requirements for the Control of Electro-magnetic Interference"  21, 24, 25
MIL-STD-462, "Electro-magnetic Interference Characteristics Measurement"  21, 24, 25
MIL-STD-1399, "Interface Standard for Shipboard Systems, DC Magnetic Field Environment"  21, 24
SAMA PMC 33.1-1978, "Electro-magnetic Susceptibility of Process Control Instrumentation"  21, 22, 24

SUMMARY

On December 26, 1991, Commonwealth Edison Company (CECO) submitted a proposal to amend the Technical Specifications (TSs) for the Zion Station Units 1 and 2. The TSs amendment supports a replacement of the Westinghouse 7100 analog process protection system with the Westinghouse Eagle 21 digital process protection system.

The review topics are listed in the table of contents and although they are not all inclusive of the staff's questions and discussions with CECO, they do cover the major topic areas. Two of the staff's primary safety concerns are software common mode failures and assimilation of the digital system to the existing plant. These topics are fully discussed in this report.

One positive aspect of this project was CECO's pro-active role at various stages of system development. CECO's involvement included performing a 100% walk-down of existing cabling and systems affected by the modification to ensure that the design input documents provided to the vendor were accurate, working with the vendor during the development of the software functional requirements and at various stages of system development and testing, and joining an Eagle 21 users group to discuss and monitor operating experiences and product changes. This involvement not only contributed to a higher quality product, but also provided CECO staff with a better technical understanding of the system.

CECO committed to supplying follow-up reports regarding start-up and post-installation testing, and system performance. The specifics of these reports are clearly described in Section XV of this Safety Evaluation.

Based on the staff's review, the staff finds that there is reasonable assurance that the Eagle 21 system at the Zion Station conforms to the applicable portions of 10 CFR Part 50, and conforms to Regulatory Guide 1.152. Therefore, the staff finds the Eagle 21 replacement acceptable for the Zion Station Units 1 and 2.

BACKGROUND

On November 26, 1991, representatives from Commonwealth Edison (CECO) and Westinghouse met with the NRC staff (hereafter referred to as staff). CECO requested the meeting to discuss the on-going replacement of the Westinghouse 7100 series analog process protection system with the Westinghouse Eagle 21 digital process protection system at the Zion Station Units 1 and 2. CECO stated that they were performing the replacement under 10 CFR 50.59 and were not anticipating a staff review. The staff reminded CECO of the previous NRC position taken with Haddam Neck (reference 1) and D.C. Cook (reference 2) that an analog to digital conversion of a safety system is an unreviewed safety question as defined in 10 CFR 50.59. At CECO's request, the staff articulated the staff concerns and a comprehensive list of the type of review information that the staff would require for a review or inspection of the system.

On December 26, 1991, CECO submitted a proposal to amend the definitions section of the Technical Specifications (TSs) for the Zion Station Units 1 and 2. The proposal provided comprehensive review information on the Eagle 21 modification, paralleling the November 26, 1991 discussions with the staff (reference 3).

The staff reviewed the submittal and forwarded a list of general topic areas and specific questions to CECO to facilitate a design audit (reference 4). The design audit was conducted at the Rockville, Maryland, Westinghouse office the week of February 10, 1992 with a follow-up site visit March 16-17, 1992. At the conclusion of the audit, there were five open issues that were formally forwarded to CECO for a written response (reference 5). The five open issues included the effects of electro-magnetic interference, software errors and reliability, and defense-in-depth concepts. Because of the importance of these issues, senior NRC management requested a meeting with CECO and Westinghouse to discuss the NRC concerns and possible resolutions. On March 20, 1992, the meeting was held and CECO presented the staff with a basic response and answered staff questions. Subsequently, CECO provided written responses on March 27, 1992 (reference 6) and April 3, 1992 (reference 7) explaining their position on these issues. A final response was provided on April 10, 1992 (reference 8) discussing follow-up reporting commitments. These additional submittals provided clarifying information that did not change the initial proposed no significant hazards consideration notice published on January 16, 1992.

The staff reviewed the modification according to Chapter 7 of NUREG-0800, "U.S. Nuclear Regulatory Commission, Standard Review Plan, Office of Nuclear Reactor Regulation," and Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants." The staff's evaluation and findings are presented below.

GENERAL SYSTEM AND MODIFICATION DESCRIPTION

The existing Westinghouse 7100 analog process protection system consists of four protection sets and within each protection set there are multiple racks. Each rack contains various analog modules that process system inputs including temperature, pressure, level, and flow. These racks provide inputs to the reactor protection logic for initiating reactor trip and Engineered Safeguards Actuation System (ESF) functions. CECO is replacing this system with the Westinghouse Eagle 21 digital process protection system on Unit 1 and is planning a similar replacement on Unit 2.

A. General Description of the Eagle 21 System

The Eagle 21 process protection system is a micro-processor based replacement for the analog process protection system. The system is designed to be installed in the existing process protection racks once the analog electronics and internal rack wiring are removed and the cabinet structure is modified. The Eagle 21 uses existing field terminal blocks, minimizing the disruption of field cables and preserving the existing field interfaces. The Eagle 21 processes the same inputs as the analog system and supplies inputs to the reactor protection logic for initiating a reactor trip and ESF functions, and to indicators, recorders, the plant computer and various control systems. However, rather than using individual modules in each rack as in the 7100, each Eagle 21 rack is comprised of the following major subsystems that process all of the inputs to a given rack: (1) Input/Output Subsystem, (2) Loop Processor Subsystem, and (3) Tester Subsystem.

1. Input/Output Subsystem

The input portion of the I/O subsystem consists of customized Analog Input and Contact Input signal conditioning modules. These modules provide signal conditioning, signal conversion, isolation, buffering, and termination. The modules can be configured to accept various process inputs including 10-50 milli-ampere current loops (active or passive), 4-20 milli-ampere current loops (active or passive), 0-10 volts DC, Resistance Temperature Detectors (RTDs) and field contacts. Both the Analog and Contact Input Modules provide signals to the Loop Processor Subsystem (LSP) and interface with the Tester Subsystem (TSP) for test and diagnostic purposes.

The output portion of the I/O subsystem consists of Analog Output, Contact Output, and Partial Trip modules that receive data from the LSP and construct analog, contact, and trip logic output signals. Class 1E isolation capability is provided for all analog and contact output signals.

2. Loop Processor Subsystem

The Loop Processor Subsystem (LSP) computes all of the algorithms and comparisons for the protective functions. The LSP consists of a Digital Filter Processor, Loop Calculation Processor, Digital I/O Module, Digital to Analog (D/A) converter, and Data Link Handler. The Digital Filter Processor receives analog signals from the Analog Input Modules and performs analog to digital (A/D) conversions and filtering operations on the input signals. The Digital Filter Processor then inputs the signal to the Loop Calculation Processor which performs calculations for protection channel functions, data comparison to setpoint values, and initiation of trip signals. The Digital I/O Module processes contact inputs, contact outputs, and trip logic output signals. The D/A converter module converts digital values from the Loop Calculation Processor into analog values which are sent to the analog output modules for further processing. The Data Link Handler collects information from the Loop Calculation Processor and transmits it to the Tester Subsystem.

3. The Tester Subsystem

The Tester Subsystem is the interface between the Man Machine Interface (MMI) (see section VI of this report) and the Eagle 21 system. Through the MMI and the Tester Subsystem, a technician can adjust set-points and tuning constants and perform surveillance tests on the protection system. The Tester Subsystem consists of a Test Sequence Processor, Communication Controller, Data Link Handler, D/A Converter Module, and a Digital I/O Module. The Test Sequence Processor reads information from the Data Link Handler, Digital I/O Module, and the MMI for monitoring the status of the Eagle 21 Protection Rack, performing self-diagnostics, and initiating surveillance testing. It also provides information to the Communication Controller, Data Link Handler, Digital I/O Module, D/A Converter, and the MMI for status indication and creation of the Signal Injection and Response bus. This bus is distributed through the signal conditioning modules, allowing the Tester Subsystem to control and test each module.

The Communication Controller receives information from the Loop Processor Subsystem Communication Controller which is then read by the Test Sequence Processor for monitoring the status of the Loop Calculation Processor. The Tester Subsystem Communication Controller also provides a serial link to the Test Panel for information display and printing when connected to the MMI. The D/A Converter receives information from the Test Sequence Processor and converts it into high resolution analog signals used for test injection via the Signal Injection and Response bus. The Digital I/O Module also receives information from the Test Sequence Processor and provides signals to the Contact Output Module.

B. General Description of the Zion Station Modification

At Zion, CECO will be removing the analog electronics and wiring harnesses in each of the existing racks and replacing them with the Eagle 21 system. In each protection set, the instrument loops of one rack will be consolidated into the remaining racks to allow the permanent installation of a Man Machine Interface system in the emptied rack. This will provide the plant with one permanently mounted MMI for each protection set. CECO is making minimal field wiring changes but will be removing the existing daisy chain power feed to the racks and adding a single power feed to each rack. Because of inverter loading, CECO will be using an automatic sequencer for each rack to sequence power to the internal rack loads. Other changes include upgrading the Condensate Storage Water Tank and Refueling Water Storage Tank level indication channels to comply with Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident," incorporating Containment Pressure channels that are currently processed outside of the 7100 equipment into the Eagle 21, and using two cold leg and two hot leg Resistance Temperature Detectors (RTDs) from each loop to provide inputs to the Eagle 21.

TECHNICAL REVIEW

I. SOFTWARE

The protection system must be designed to sense and automatically initiate systems for anticipated operational occurrences and accidents, and to provide indication. See 10 C.F.R. Part 50, Appendix A, GDC 20 (1991). The Eagle 21 provides this ability through the use of a micro-processor based system. The primary focus of this section of the report is software and the interaction of the software and hardware.

A. General Description of the NRC Staff Review Approach

The importance of software reliability and a strong software development and maintenance program cannot be emphasized enough when considering the potential for software initiated failures. This section presents a summary of the NRC software review approach used for the Zion Station review. The summary is not all inclusive of the questions asked and material reviewed and referenced, but does cover the major areas.

Currently, the NRC uses Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants" and ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations" for guidance when performing reviews of software. Although other software standards such as ANSI/IEEE Std. 1012-1986, "IEEE Standard for Software Verification and Validation Plans," and ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications, American Society of Mechanical Engineers" were used for reference, the licensee was only held responsible for conforming to ANSI/IEEE-ANS-7-4.3.2-1982.

The review proceeded in the following manner. First, the staff performed a detailed review of the system design process and the software verification and validation program. At this stage, the staff was looking programmatically at the design process and making comparisons to the applicable review guidance. Second, the staff reviewed available information on the software and hardware history including previous software and hardware failures. Third, the staff reviewed the Zion specific plant application including any special features that were required. Fourth, the staff reviewed the specific verification and validation performed on the software used in the Zion application. This was a detailed review and included: (1) following the code development, (2) examining the vendor/licensee interface and feedback process, (3) reviewing software problem/error reports and resulting corrections, (4) comparing the V&V to ANSI/IEEE-ANS-7-4.3.2-1982, (5) interviewing personnel involved in the process, (6) verifying the independence of the software verifiers, (7) reviewing the development of the functional requirements and subsequent software development documents, (8) reviewing software life-cycle and future vendor/licensee interface, and (9) reviewing the verification and validation results. Fifth, the staff performed a "thread audit" which consisted of picking a sample of plant parameters and tracing the software implementation of these parameters from the purchase specification and development of the functional requirements to the writing and testing of the code. This review included reviewing actual sections of the code on a sample basis, examining the various levels of software development documents and comparing them to the code, examining problem reports and verifying the corrections, examining the engineering cross-discipline interfaces to ensure that nuclear specific needs were correctly incorporated into the code, examining the licensee interface to ensure plant specific requirements were correctly incorporated, ensuring that the verification and validation process was followed according to the vendor's plan, and reviewing the final results of the process. Sixth, the software and hardware were reviewed as a system looking for potential timing and software/hardware problems. At the end of the review, all of the information was collated to establish a benchmark for assessing the software safety system performance and reliability.

B. General Description of the Vendor's Software Design

The description provided in this section will be limited and is only intended to familiarize the reader with the basic design process at Westinghouse and Westinghouse terminology. The software is developed according to design standards established by Westinghouse that include: (1) use of high level logic, (2) no interrupts except during some uses of the MMI, (3) no re-entries, (4) coding standards for high level and assembly language programs, and (5) all programs are single task (no multi-tasking). The software is designed in a modular structure with all executable code in a module or subroutine. A module is comprised of smaller software units called Procedures which perform tasks such as math and logical operations. The modules are executed in the sequence set by the main program. The software is developed in a layered format consisting of the main program and support modules, general purpose modules, standard protection functions, and a layer configured for plant specific information. These layers are then combined according to the requirements of the specific project. Westinghouse uses the layered approach to limit the amount of new code written for each project. All executing software resides in Erasable Programmable Read Only Memory (EPROM) and technician adjustable tuning parameters are stored in Non-Volatile RAM (NVRAM).

C. The Results of the NRC Staff Review

As described above, the staff uses the verification and validation (V&V) program as a benchmark for assessing the software. The program is reviewed for compliance to Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants" and ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations." Specific references to these standards will be made where appropriate throughout this review.

1. CECO / Vendor Interface

Experience with computer projects has demonstrated that the development of computer system functional requirements can have a significant impact on the quality and safety of the implemented system. See ANSI/IEEE-ANS-7-4.3.2-1982, Sec. 3. In fact, there have been recent software failures attributed to software functional requirements and system specifications that did not accurately reflect plant specific idiosyncrasies. This has placed additional emphasis on the importance of the licensee/vendor interface during software development and is an important factor when assessing software reliability and quality.

In the Zion Station application, the staff noted that CECO took a proactive role in the development of the functional requirements including a 100% walk-down of the as-configured plant to verify drawings, and providing feedback to Westinghouse on the accuracy of the functional requirements. This proactive role by CECO had a positive effect on the process and provided the staff with additional assurance that the assumptions, input ranges, default values and constants used in the software were conservative with respect to the Zion application.

2. Verification and Validation Organization

The verification group shall be independent of the design team and shall have technical qualifications comparable to the design team. See ANSI/IEEE-ANS-7-4.3.2-1982, Sec. 7.1. At Westinghouse, the verification and validation (V&V) organization is independent from the software development group with separate supervisory engineers and is composed of personnel with comparable technical qualifications to the development group. The development group submits the code to the V&V group after writing and debugging the code. The V&V group then reviews the code according to the Westinghouse V&V plan and produces a V&V report. Communications between the software development group and V&V personnel are documented in written, traceable reports. Therefore, the staff finds that the independence of the V&V group and the V&V personnel qualifications conform to ANSI/IEEE-ANS-7-4.3.2-1982 and are acceptable.

3. Verification and Validation Program Review

The verification and validation (V&V) of the system is a formalized method that includes detailed procedures and policies for technical review and audit functions, software reviews and audits, software test and analysis, dynamic system testing simulating normal and design basis events, and an independent stage-to-stage verification performed by knowledgeable individuals. See ANSI/IEEE-ANS-7-4.3.2-1982, Sec. 3.7. The Westinghouse V&V program is described in WCAP-12374 and the CECO submittal dated December 26, 1991 (reference 3), and will only be summarized in this report to facilitate the reader's understanding of the staff review.

In accordance with the Westinghouse V&V program, the V&V group performs several tasks before they approve the release of the code including: (1) document code reviews; (2) test case development; (3) verification and validation testing; and (4) Prudency review. After the development group submits the code to the V&V group, each independent verifier receives one or more modules on which he/she will perform a document code review and evaluation. The evaluation is based upon the module's conformance to the functional requirements and the design and coding standards. The coding standards have been stable since the development of the Sequoyah Eagle 21 software and appear reasonable and conformable to standard industry practices. Although the verifier's primary focus at this stage is a comparison between the functional requirements document and the code, he/she also verifies the software development documentation for consistency and integrity starting from the functional requirement and including the system design requirement, the system design specification, and the functional decomposition document.

After completing the walk-through of the design documents and the code, the verifier develops two types of test cases, i.e. verification tests and validation tests. The method and rigor Westinghouse uses for verification tests is a function of the safety classification of the software module as defined by ANSI/IEEE Std. 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, Institute of Electrical and Electronic Engineers." By this standard, software associated with the actuation and/or implementation of reactor trips, engineered safety features, and information displays for manually controlled actions receive the highest level of verification. The verification tests are further partitioned into structural testing and functional testing.

The structural testing ensures that all source lines meet the intended design specification. To determine the rigor and method of this testing, the verifier follows an established set of criteria based on the software uniqueness and complexity. After applying the criteria, the verifier then reads the code and derives the structural test cases that will exercise all of the statements.

Next the verifier performs either manual structural testing or computer emulation. For bounded input values, the verifier chooses values to exercise the lower limit, the upper limit and at least one random intermediate value. Out of range values are caught by the hard coded boundary checks in the Eagle 21 software that immediately flag and disallow these values upon entry.

The functional testing is similar to the structural testing except that the functional properties are the basis for the functional testing and are provided by the Design Specification.
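The boundary-value selection and the hard coded range check described in the two paragraphs above, as an added illustration in C that is not Eagle 21 code and is not taken from the Westinghouse design: the channel (a high pressurizer pressure comparison), its engineering-unit range, the setpoint and the function names are constructed for the example. The routine rejects an out-of-range value before any setpoint comparison is made, and the derived test vector holds the lower limit, the upper limit, one intermediate value and one value just outside each limit, so the rejection path is exercised along with the comparison itself.

```c
/* Added example (hypothetical, not vendor code): a setpoint comparison with a
 * hard coded range check, and the boundary-value test vector a verifier derives. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed engineering-unit range for the example channel; not plant data. */
#define PRESS_MIN_PSIG 1700
#define PRESS_MAX_PSIG 2500

enum chan_status { CHAN_OK = 0, CHAN_OUT_OF_RANGE = 1 };

struct chan_result {
    enum chan_status status;
    bool partial_trip;   /* only meaningful when status == CHAN_OK */
};

/* Compare one sample against the high pressure trip setpoint. The range check
 * runs first so an out-of-range value is flagged and never compared as if valid. */
struct chan_result eval_high_pressure(int32_t psig, int32_t setpoint)
{
    struct chan_result r = { CHAN_OK, false };
    if (psig < PRESS_MIN_PSIG || psig > PRESS_MAX_PSIG) {
        r.status = CHAN_OUT_OF_RANGE;   /* disallowed on entry, no comparison */
        return r;
    }
    r.partial_trip = (psig >= setpoint);
    return r;
}

/* Deterministic pseudo-random value strictly inside (lo, hi), so a test run is
 * reproducible; the verifier may pick any intermediate value. */
static int32_t intermediate(int32_t lo, int32_t hi, uint32_t seed)
{
    uint32_t x = seed * 1664525u + 1013904223u;   /* one LCG step */
    return lo + 1 + (int32_t)(x % (uint32_t)(hi - lo - 1));
}

/* Test vector: lower limit, upper limit, one intermediate value, and one value
 * just outside each limit to exercise the rejection path. */
#define N_CASES 5
void derive_boundary_cases(int32_t lo, int32_t hi, uint32_t seed, int32_t out[N_CASES])
{
    out[0] = lo;
    out[1] = hi;
    out[2] = intermediate(lo, hi, seed);
    out[3] = lo - 1;
    out[4] = hi + 1;
}

/* Run the vector against a setpoint; returns how many cases behaved as expected.
 * A complete pass returns N_CASES. */
int run_boundary_tests(int32_t setpoint, uint32_t seed)
{
    int32_t cases[N_CASES];
    derive_boundary_cases(PRESS_MIN_PSIG, PRESS_MAX_PSIG, seed, cases);
    int passed = 0;
    for (int i = 0; i < N_CASES; i++) {
        struct chan_result r = eval_high_pressure(cases[i], setpoint);
        bool in_range = cases[i] >= PRESS_MIN_PSIG && cases[i] <= PRESS_MAX_PSIG;
        bool expect_trip = in_range && cases[i] >= setpoint;
        bool ok = in_range ? (r.status == CHAN_OK && r.partial_trip == expect_trip)
                           : (r.status == CHAN_OUT_OF_RANGE);
        printf("case %d: input=%d status=%d trip=%d %s\n",
               i, (int)cases[i], (int)r.status, (int)r.partial_trip, ok ? "pass" : "FAIL");
        if (ok) passed++;
    }
    return passed;
}

int main(void)
{
    int passed = run_boundary_tests(2385, 7u);   /* constructed setpoint */
    printf("%d of %d boundary cases passed\n", passed, N_CASES);
    return passed == N_CASES ? 0 : 1;
}
```

The expectation in `run_boundary_tests` is computed from the declared range, not from the routine under test, which is the point of the exercise: a module whose range check silently clamped instead of flagging, or whose limits were transcribed wrongly, fails the two out-of-range cases rather than passing by construction.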

When software errors or coding discrepancies are found, the verifiers generate either a Procedure Problem Report or a Generic Problem Report.

As stated above, each software module contains several procedures so that a Procedure Problem Report concerns defects in the smallest software unit.

A Generic Problem Report pertains to problems that cross module boundaries and involve multiple modules.

An electronic log of the reports is kept and their status is tracked by the V&V group.

The developer has the responsibility to resolve these reports and if a code modification is required, the verifier performs regression testing until the module satisfactorily passes the test.

The Lead Verifier ensures that no problem reports remain open upon release of the module.

Once the verification results are accepted, the software is installed in the target hardware and the verifiers check hexadecimal and check sum values for consistency.
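The consistency check on hexadecimal and checksum values after installation in the target hardware, as an added illustration in C that is not part of this Safety Evaluation and is not Westinghouse's procedure (which the evaluation does not describe in detail): one way to carry out such a check is to verify the per-record checksum of an Intel HEX load image and to compute an additive checksum over the bytes read back from the target memory for comparison with the value recorded for the released build. The Intel HEX format, the 16-bit additive checksum, and the sample records are assumptions for the example; the records are constructed (one well formed, one with a single data byte altered).

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Decode one hex digit; returns -1 on a non-hex character. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Verify one Intel HEX record (":LLAAAATTDD..DDCC"). The byte-wise sum of
 * every field from LL through the checksum CC must be 0 modulo 256, and
 * the LL field must agree with the physical record length. Returns true
 * only when the record is well formed and its checksum is consistent. */
bool hex_record_ok(const char *rec)
{
    size_t len = strlen(rec);
    if (len < 11 || rec[0] != ':' || (len - 1) % 2 != 0) return false;
    unsigned sum = 0;
    int datalen = -1;
    for (size_t i = 1; i + 1 < len; i += 2) {
        int hi = hexval(rec[i]), lo = hexval(rec[i + 1]);
        if (hi < 0 || lo < 0) return false;          /* non-hex character */
        unsigned byte = (unsigned)(hi << 4 | lo);
        if (i == 1) datalen = (int)byte;             /* LL: data byte count */
        sum += byte;
    }
    /* ':' + 2 * (1 len + 2 addr + 1 type + datalen + 1 checksum) characters */
    if ((size_t)(1 + 2 * (5 + datalen)) != len) return false;
    return (sum & 0xFFu) == 0;
}

/* 16-bit additive checksum over a memory image (e.g. bytes read back from
 * EPROM); compared against the value recorded for the released build. */
uint16_t image_checksum(const uint8_t *img, size_t n)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint16_t)(sum + img[i]);
    return sum;
}

/* Constructed samples: a well formed record, and a copy whose first data
 * byte was altered (0x21 -> 0x22) without updating the checksum. */
const char *GOOD_RECORD = ":10010000214601360121470136007EFE09D2190140";
const char *BAD_RECORD  = ":10010000224601360121470136007EFE09D2190140";

/* Constructed image fragment used to demonstrate the additive checksum. */
static const uint8_t SAMPLE_IMAGE[] = { 0x21, 0x46, 0x01, 0x36 };

uint16_t sample_image_checksum(void)
{
    return image_checksum(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE);
}

int main(void)
{
    printf("good record: %s\n", hex_record_ok(GOOD_RECORD) ? "consistent" : "REJECTED");
    printf("bad record:  %s\n", hex_record_ok(BAD_RECORD) ? "consistent" : "REJECTED");
    printf("image checksum: 0x%04X\n", sample_image_checksum());
    return 0;
}
```

A per-record checksum catches a corrupted or mis-transcribed load file; the whole-image checksum read back from the target catches a programming fault or a wrong image in the installed hardware. Both values are compared against figures recorded at release, so the check is only as good as the control over those recorded figures.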

The hardware / software is then validated.

Westinghouse's validation process emphasizes the system functionality of the target hardware/software. The major phases of the validation testing are: (1) "top-down" functional requirements testing; (2) Prudency review of the design and its implementation; and (3) specific MMI testing.

The Validation Test Engineer derives test cases from the decomposition of the functional requirements into sub-requirements and looks for functional and abnormal conditions to test.

Once the tests are derived, a Validation Test Technician executes the tests on the verified software now residing in the final target hardware.

The Validation Test Engineer then reviews the test results.


Westinghouse also uses a Prudency review to ensure that the design operates properly under abnormal-mode conditions and to ensure that the system rejects unpermitted inputs (including out of range inputs).

The review is primarily directed at the internal structure of the Eagle 21 and is used to complement the functional testing and evaluate integrated system integrity.

As part of the programmatic review of the V&V program, the staff reviewed software development documents, interviewed V&V managers, and reviewed various V&V summaries and reports.

The staff also randomly sampled 56 problem reports out of a total of the 408 Problem and Trouble reports generated.

In the 56 reports reviewed, 222 defects were documented.

Out of the 222 defects, 42% were coding standards violations, and 37% were heading/comment errors.

The staff did not consider these errors to be significant but did consider the remaining 21% of errors to have significant implications.

The remaining 21% consisted of the following errors: (1) one error was the use of a hard coded number instead of assigning a value to a variable; (2) seven were the implementation of items not in the design requirements, including calls to the MMI, equations that do not match requirements, and variables implemented incorrectly; (3) fifteen were logic defects; (4) fifteen were data handling defects; and (5) two were computational defects.

Examples of the last three categories include "'or' used instead of 'and'," "divide by zero," "no range checking," "can exceed communication buffer," and "condition can never be resolved as true."
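The defect classes quoted above, as an added illustration in C that is not part of this Safety Evaluation and is not Eagle 21 code: for each class, the defective pattern is placed beside the form a verifier would expect, so the reader can see why a factory functional test that only exercises the normal path would miss it. The buffer size, the ratio calculation, the permissive logic, and all function names are assumptions for the example; the range-checking class is illustrated separately under structural testing and is not repeated here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed fixed size of a communication buffer (not given in the evaluation). */
#define COMM_BUF_SIZE 16u
static uint8_t comm_buf[COMM_BUF_SIZE];

/* Data-handling class "can exceed communication buffer". The defective
 * form copies whatever length the sender claims. Hardened form: the
 * claimed length is checked against the buffer before any copy, and an
 * oversized message is refused outright rather than truncated silently. */
bool comm_store_message(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len > COMM_BUF_SIZE) return false;   /* refused */
    memcpy(comm_buf, msg, len);
    return true;
}

/* Computational class "divide by zero": a ratio whose denominator can
 * legitimately read zero (e.g. at no flow). The result carries an
 * explicit validity flag instead of performing a fault-prone division. */
typedef struct { bool valid; int32_t pct; } ratio_t;

ratio_t flow_ratio_pct(int32_t numerator, int32_t denominator)
{
    ratio_t r = { false, 0 };
    if (denominator == 0) return r;              /* flagged, no division */
    r.valid = true;
    r.pct = (int32_t)(((int64_t)numerator * 100) / denominator);
    return r;
}

/* Logic class "'or' used instead of 'and'": a permissive that the
 * requirements say needs BOTH conditions. The defective form asserts on
 * either condition alone. */
bool permissive_defective(bool cond_a, bool cond_b) { return cond_a || cond_b; }
bool permissive_correct(bool cond_a, bool cond_b)   { return cond_a && cond_b; }

/* A functional test over the full truth table exposes the difference;
 * returns the number of input combinations on which the two forms disagree. */
int permissive_disagreements(void)
{
    int n = 0;
    for (int a = 0; a < 2; a++)
        for (int b = 0; b < 2; b++)
            if (permissive_defective(a != 0, b != 0) != permissive_correct(a != 0, b != 0)) n++;
    return n;
}

/* Logic class "condition can never be resolved as true": a band check
 * written with its bounds reversed is unsatisfiable, so the branch it
 * guards is dead and the intended action never occurs. */
bool in_band_defective(int x, int low, int high) { return x > high && x < low; }
bool in_band_correct(int x, int low, int high)   { return x >= low && x <= high; }

int main(void)
{
    const uint8_t msg[20] = { 0 };
    printf("16-byte message stored: %s\n", comm_store_message(msg, 16) ? "yes" : "no");
    printf("20-byte message stored: %s\n", comm_store_message(msg, 20) ? "yes" : "no");
    printf("ratio with zero denominator valid: %s\n", flow_ratio_pct(50, 0).valid ? "yes" : "no");
    printf("'or'/'and' disagreements over truth table: %d\n", permissive_disagreements());
    printf("defective band check, 75 in [50,100]: %d\n", in_band_defective(75, 50, 100));
    return 0;
}
```

Each of these defects behaves correctly on ordinary inputs: the buffer copy works for normal-length messages, the division works whenever flow is present, and the 'or' permissive agrees with the 'and' form whenever both conditions are true or both false. That is the point made in the evaluation: only a review of the code against its requirements, or tests built deliberately around the abnormal case, brings them out.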

These errors raise two important points.

First, it is these types of errors that have raised the staff's concerns regarding the potential for common mode failures in digital electronics (see Defense-in-depth section below).

Second, given the nature of these errors, without a rigid V&V process these errors may not have been caught with a usual factory acceptance-functional type test.

Consequently, the staff expects the licensee and Westinghouse to maintain a rigorous V&V program mindful of ways to improve that program should the need arise.

The staff also asked Westinghouse how they assure that sufficient time and attention is given to V&V in the overall product development scheme.

Westinghouse indicated that verification resources are allocated with emphasis on a quality product and not schedule, and that they evaluate the time spent through the use of a complexity metric.

Based upon the above review and comparison of the V&V process/plan to ANSI/IEEE ANS-7-4.3.2-1982, the staff finds that the Westinghouse program, as reviewed, complies with Regulatory Guide 1.152 and ANSI/IEEE ANS-7-4.3.2-1982.

To obtain a benchmark for evaluating V&V effectiveness and the Zion application, the staff performed a "thread audit."

4. NRC Thread Walk-through

The staff conducted a "thread audit" walk-through of the OT-Delta-T algorithm and two walk-throughs of the high steam-line flow algorithms.

The OT-Delta-T algorithm is the same algorithm as was used in the Sequoyah Eagle 21 application and the steam line flow algorithms were part of the 39 new routines written for the Zion application.

As described above, the "thread audit" traces the software development of these parameters and includes reviewing the software development documentation and sections of the code, and comparing the software development documentation to the code.

While performing this review, the staff discovered the following errors that had no corresponding problem reports and did not appear to be identified by the V&V program: (1) a coded logical statement that did not match the "P-spec" but did match the functional requirements; (2) an incorrect comment in the code that did not match the "P-spec;"

and (3) a data flow diagram that did not appear to match the code.

Although none of the errors compromised the functionality of the code, they did present the staff with two concerns.

The first is a question regarding verification thoroughness and effectiveness which is discussed in the Defense-in-depth section below.

The second is whether flawed development documents and comment errors could mislead a software writer during future code revisions.

Therefore, the staff forwarded a set of questions to CECO/Westinghouse asking how these errors will be resolved, and for an analysis of the root cause of the errors (reference 5).

On March 27, 1992 CECO responded (reference 6) and acknowledged that the Software Design Specification and Software Design Requirements documents were conflicting and that the verifier had used the higher level Functional Requirements Document and correctly written the code.

Ceco stated that the errors found were of no operational significance and that the multiple phases of design, verification, and validation assured proper functionality of the system.

Therefore, CECO concluded that no additional reviews of the already written code were necessary (reference 6).

Ceco characterized the root cause as a problem in the implementation of the V&V plan and not a problem with the plan itself.

Westinghouse also stated that procedure improvements will be made to clarify the reporting requirements for documentation anomalies and that training on these requirements will be provided to design, verification, and validation personnel.

The staff agrees that the problem was in the implementation of the V&V plan and not the plan itself.

Furthermore, the staff accepts the CECO / Westinghouse response and does not believe that these errors are sufficient to justify revisiting the already V&V'ed code.

A software/hardware "thread audit" was also performed from the system input to the system output with emphasis on system architecture.

The staff and Westinghouse personnel discussed the automatic gain adjustments and other software/hardware interactions as the system was traced out.

Based on the "thread audit" and the V&V program reviewed above, the staff finds that the Zion application complies with Regulatory Guide 1.152 and ANSI/IEEE ANS-7-4.3.2-1982.

5. Compiler Use

The staff discussed the use and control of compilers at Westinghouse.

The staff's concerns include whether the compiled object code correctly reflects the intended software functions and statement ordering, how updated versions of the compiler would affect revised code and known compiler idiosyncrasies, and how the compiler affects software that is comprised of software written for previous projects and software written for the current project.

Westinghouse has been using the same software language and compiler since the inception of the Eagle 21 product line.

Discussions with the verification staff indicated that they had considered the potential compiler problems and, through experience with this compiler, were familiar with the compiler's idiosyncrasies.

Furthermore, Westinghouse made a conscious decision to keep the same compiler to ensure a stable platform for software development.

The staff also briefly discussed the use and control of "software tools." The Westinghouse approach in this area is similar to their approach on compilers.

The staff is currently considering compiler and "software tool" safety and regulatory issues.

However, the Westinghouse approach is reasonable and the staff identified no safety concerns for the Eagle 21 project.

6. Configuration Management

All of the executing software is supplied in EPROM with tunable parameters supplied in Non-Volatile RAM (NVRAM). Out of the 1179 software routines used in the Zion application, 39 were written and/or modified for the Zion application. The rest are from the Eagle 21 software base and are in use at other Eagle 21 installations. All software code and software documentation are kept under strict configuration management control by Westinghouse.

Any software changes, other than tunable parameters, must be made through a Ceco controlled modification program that has Westinghouse as the librarian to control changes to the code. When software is changed, Westinghouse executes an analysis tool to determine the side effects resulting from code changes and to evaluate the impact on the code.

Furthermore, all modified code will also be subject to verification and validation as described above.

The staff finds the configuration management control acceptable.

7. Conclusion

Based on the foregoing review, the staff finds that the Westinghouse verification and validation plan/program complies with Regulatory Guide 1.152 and ANSI/IEEE ANS-7-4.3.2-1982 and that the Zion Station application of the verification and validation plan/program is acceptable and meets its functional and design requirements.


II. EQUIPMENT QUALIFICATION

The safety system must be designed to withstand the effects of natural phenomena and be qualified to operate in normal and postulated accident conditions. See 10 C.F.R. Part 50, Appendix A, GDC 2 and 4.

The staff reviewed the following topic areas to ensure that the Eagle 21 is capable of performing its intended safety function under environmental and seismic conditions:

(1) temperature and humidity; (2) seismic; (3) electro-magnetic and radio frequency interference; and (4) radiation.

A. Temperature and Humidity

The Westinghouse temperature and humidity tests and results are documented in WCAP-8687 Supplement 2, E69A, E69B, and E69C.

The staff used IEEE Standard 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," for review guidance. The staff reviewed the tests and compared the results to the Zion application, concentrating on the rack configuration differences between Zion and the test set-up, any anomalies that occurred, and the test results.

The staff also inquired about the heat load effect of the Eagle 21 on the existing room temperature profiles.

At the Zion Station, the Eagle 21 is installed in the existing process protection cabinets in the Auxiliary Electric Equipment Room (AEER).

The Zion Updated Final Safety Analysis Report (UFSAR), Section 7.2.3, states that the reactor protection equipment in the AEER is designed to operate over the temperature range of 40 to 120 degrees Fahrenheit and in a relative humidity range of 15% to 95% without a loss of the protective function (for Station Blackout effects see section below).

There were three differences between the as-tested and as-installed configurations.

First, the testing was performed with two functioning power supplies and one power supply simulated by a heat source.

The Zion application only uses two power supplies and therefore, the third source added a measure of conservatism with respect to the Zion application.

Second, the Zion application uses fewer I/O boards than the test configuration thus generating less heat inside the cabinets.

Third, the Zion application has an Anticipated Transient Without Scram (ATWS) box located on top of the Eagle 21 cabinets.

The staff examined the box mounting configuration and determined that any air flow restriction or heat reflection that may be caused by the box is not significant and raises no safety concerns.

The staff reviewed two anomalies: (1) a data link handler; and (2) a power supply shut down.

The software in the Eagle 21 before the environmental test included a feature that would cause the Test Sequence Processor to actuate the partial trips upon the loss of the Data Link Handler.

The Data Link Handler provides a non-process protection function of interfacing between the Loop Calculation Processor and the Test Sequence Processor.

The Test Sequence Processor is the interface between the MMI and the Eagle 21.

Before the environmental qualification tests, the Data Link Handler had been noted to periodically fail and thereby cause a partial trip actuation.

To ensure that a Data Link Handler failure would not prematurely place the system in trip during the environmental testing, the software was changed such that the Test Sequence Processor would not actuate the partial trips.

Westinghouse performed a safety assessment and determined that the Loop Calculation Processor would trip to the preferred failure if adversely affected by a failure of the Data Link Handler and therefore, the removal of this software function would not adversely affect safety.

Based on the staff's review of the architecture and discussions with Westinghouse, the staff accepts the Westinghouse determination.
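The design point the staff accepted above, as an added illustration in C that is not part of this Safety Evaluation and does not reproduce the Eagle 21 architecture: a simplified, assumed model of one protection channel in which the Loop Calculation Processor (LCP) resolves any fault in its own inputs or self-checks to the trip state (the preferred failure), while the Test Sequence Processor (TSP) is shown before and after the software change, so that loss of the non-protection Data Link Handler no longer produces a spurious partial trip. The state names, the "link alarm" indication, and the setpoint comparison are assumptions for the example.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed, simplified channel states (illustrative, not from the design documents). */
typedef enum { CHANNEL_NORMAL = 0, CHANNEL_PARTIAL_TRIP = 1 } channel_state_t;

/* Loop Calculation Processor decision for one setpoint comparison.
 * Preferred failure state is trip: any doubt about the channel (invalid
 * input, failed self-check) resolves to a partial trip, so a fault in the
 * protection function can only err toward actuation, never toward inaction. */
channel_state_t lcp_evaluate(bool input_valid, bool self_check_ok,
                             int reading, int trip_setpoint)
{
    if (!input_valid || !self_check_ok) return CHANNEL_PARTIAL_TRIP;
    return (reading > trip_setpoint) ? CHANNEL_PARTIAL_TRIP : CHANNEL_NORMAL;
}

typedef struct {
    channel_state_t trip_output;  /* what the channel asserts to the trip logic */
    bool            link_alarm;   /* assumed maintenance indication; not a trip */
} tsp_result_t;

/* TSP behaviour before the change: loss of the Data Link Handler (a
 * non-protection interface toward the MMI) itself actuated the partial
 * trips, regardless of what the LCP had decided. */
tsp_result_t tsp_before_change(bool data_link_ok, channel_state_t lcp_state)
{
    tsp_result_t r = { lcp_state, !data_link_ok };
    if (!data_link_ok) r.trip_output = CHANNEL_PARTIAL_TRIP;
    return r;
}

/* TSP behaviour after the change: the data link status no longer drives the
 * trip output. The protective decision comes only from the LCP, which already
 * fails to the preferred (trip) state on its own faults; the link loss is
 * surfaced as an indication (assumed here) instead of a spurious trip. */
tsp_result_t tsp_after_change(bool data_link_ok, channel_state_t lcp_state)
{
    tsp_result_t r = { lcp_state, !data_link_ok };
    return r;
}

int main(void)
{
    channel_state_t lcp = lcp_evaluate(true, true, 500, 600);   /* below setpoint */
    printf("link lost, before change: trip=%d\n", tsp_before_change(false, lcp).trip_output);
    printf("link lost, after change:  trip=%d alarm=%d\n",
           tsp_after_change(false, lcp).trip_output, tsp_after_change(false, lcp).link_alarm);
    printf("LCP self-check failed:    trip=%d\n", lcp_evaluate(true, false, 500, 600));
    return 0;
}
```

The safety argument the model makes explicit is that removing the TSP's trip-on-link-loss behaviour does not remove a fail-safe path, because the fail-safe path lives in the protection processor: a fault that corrupts the LCP still lands in the trip state, whereas a fault in the display interface no longer does.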

During the temperature qualification testing, a power supply shut down because of over-temperature. Westinghouse determined that the over-temperature condition was caused by a solid metal plate that had been bolted above the power supplies to simulate a third power supply weight load for seismic testing.

This plate restricted the air flow and caused the failure.

Westinghouse replaced the solid plate with a perforated plate and reran a 12 hour segment of the test.

The power supply did not fail.

Since Zion does not use a third power supply and there is no air restriction in the Zion application, the staff considers the anomaly resolved.

All of the temperature qualification tests were performed with the rack blower in operation.

The staff asked CECO how this blower will be maintained in order to preserve the qualification results at the higher temperatures (reference 5).

Ceco responded that they will maintain the blowers consistent with the Westinghouse maintenance recommendations and that the cabinets have a temperature alarm that will alarm in the control room if the cabinets reach a temperature setpoint.

Ceco stated that this setpoint will be maintained sufficiently below the maximum qualification temperature to allow operator action (reference 6).

Ceco evaluated the heat load added to the room by the Eagle 21.

Ceco concluded that the impact would be minimal and would present no challenge to the room temperature profile (reference 3).

Based on the foregoing review, the staff finds that the Westinghouse temperature and humidity qualification envelopes the Zion temperature and humidity requirements.

Furthermore, the temperature and humidity tests meet the intent of IEEE Standard 323-1974.

Therefore, the staff finds the temperature and humidity qualification acceptable.

B. Seismic

The Eagle 21 Process Protection System rack and components were subjected to multi-axis, multi-frequency inputs in accordance with Regulatory Guide 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants," and IEEE Standard 344-1975, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations."

The testing was documented in WCAP-8687, Supplement 2, E69A, E69B and E69C. The staff reviewed the tests and compared the results to the Zion application, concentrating on configuration differences between the Zion installation and the test set-up, any anomalies that occurred, and the test results.

There were two notable differences between the as-tested and as-installed internal rack configurations.

First, the test configuration included a mass representing a third power supply which is not used at Zion.

Westinghouse analyzed this difference and found that the results were conservative with respect to Zion.

The staff reviewed and discussed the analysis with Westinghouse and concurred with the conclusions.

Second, the rack fill and layout in the as-tested configuration were fully populated.

In the Zion application, there are some empty I/O board slots.

Westinghouse determined that the effect of these empty slots was negligible on the test results and the staff concurs.

There were two differences between the as-tested and as-installed external rack configurations.

First, the test configuration consisted of three connected cabinets.

The Zion application will have two sets of 16 cabinets bolted together.

Second, the Zion installation has an ATWS junction box mounted on top of the cabinet. For each case, Westinghouse performed an analysis of the differences and concluded that the as-tested configuration would envelope the Zion configuration.

The staff reviewed the Westinghouse analyses and discussed the interactions with the cognizant engineer.

Based on the review and the discussions, the staff finds that the conclusions are justified and the analyses are acceptable.

The only notable anomaly during the seismic testing was the failure of one of the I/O boards.

Westinghouse analyzed the failure and subsequently redesigned the board's plug edge.

The new board was retested without failure.

The new boards were then ordered for all subsequent Eagle 21 systems including Zion. The staff reviewed the second test and finds the Westinghouse resolution acceptable.

Since the qualification was performed to envelope a number of Eagle applications, the system was tested for an Operating Basis Earthquake and a Safe Shutdown Earthquake in excess of the Zion application.

Based on the foregoing review, the staff finds that the testing complies with Regulatory Guide 1.100 and IEEE 344-1975 and that the seismic qualification is acceptable and envelopes the Zion application.

C. Electro-magnetic and Radio Frequency Qualification

The intent of this section of the report is to segregate from the overall electro-magnetic interference (EMI) and radio frequency interference (RFI) qualification some of the specific actions CECO and Westinghouse had to perform in concert to demonstrate that the Eagle 21 is compatible with the Zion Station environment.

As such, the overall qualification should be considered to include this section of the report, and Sections II.D, III and IV.

The principal safety concern of the staff is the potential for random and unpredictable effects on the safety system produced by ambient EMI and RFI.

Although there are no specifically endorsed NRC standards on this topic at this time, the staff uses the following standards for reference when conducting its reviews:

(1) MIL-STD-461 (A, B, C), "Electro-magnetic Emission and Susceptibility Requirements for the Control of Electro-magnetic Interference," (2) MIL-STD-462, "Electro-magnetic Interference Characteristics Measurement," (3) MIL-STD-1399, "Interface Standard for Shipboard Systems, DC Magnetic Field Environment," (4) SAMA PMC 33.1-1978, "Electro-magnetic Susceptibility of Process Control Instrumentation," (5) IN83-83, "Use of Portable Radio Transmitters Inside Nuclear Power Plants," and (6) NUREG CR-3270, "Investigation of Electro-magnetic Interference (EMI) Levels in Commercial Nuclear Power Plants."

The staff reviewed the EMI/RFI qualification in the following manner.

First, the staff evaluated the plant environment to identify potential EMI/RFI sources including the effect of open doors during surveillance, the types and strengths of plant radios, location and direction of microwave sources, and the location and effect of other equipment within and immediately surrounding the installed location.

Second, the staff reviewed and evaluated the vendor test methodology, frequency susceptibilities based on the vendor tests, and vendor system modifications to compensate for these susceptibilities.

This review included comparing the as-tested and as-installed configurations.

Third, the staff reviewed CECO's on-site testing and analysis.

Finally, the staff assessed the system EMI/RFI qualification based on all of the above mentioned reviews and evaluations.

1. NRC Assessment of the AEER Environment

The staff independently reviewed the blue-prints of the AEER, surrounding rooms and the cable spreading room to assess potential EMI/RFI sources (these were later confirmed during a site visit).

The staff also discussed with CECO and Westinghouse the cable routing practices at Zion, conduits and cable trays, and the location of cables (power and otherwise) in relation to the Eagle 21.

The staff identified the following EMI/RFI sources.

First, there are relay racks located directly next to the Eagle 21.

Second, there are power cables directly below the Eagle 21 racks in the cable spreading room.

These cables are in close proximity to the analog boards that demonstrated EMI/RFI susceptibility as discussed below.

Third, there are battery chargers and inverters located in the AEER and in close proximity to the Eagle 21.

Finally, the surrounding rooms contained the station batteries, large motor control centers, a radio antenna, and areas where radios are permitted.

2. Initial Vendor and Ceco Qualification and NRC Review of that Qualification

Although the vendor tests were reviewed in detail, only a brief description will be provided in this Safety Evaluation for proprietary reasons.

The vendor performed tests in an anechoic chamber which provided 20 to 30 dB shielding over the frequency range of 20 MHz to 160 MHz. The antenna systems used for the tested range were a Broadband Biconical antenna and a Log Periodic antenna. The tests were conducted in accordance with SAMA Standard PMC 33.1-1978, "Electromagnetic Susceptibility of Process Control Instrumentation," with field strengths of 3 V/m and 10 V/m over the frequency range of 20 MHz to 1 GHz.

There were two types of tests performed.

First, a modulation test was performed consisting of a sweep of the signal generator over the frequency range for multiple data points.

Second, a keying test was performed to simulate the keying of a transceiver. The tests were conducted with the cabinet doors open and closed, and Westinghouse concluded that the front of the cabinet is the most susceptible side. Therefore, Westinghouse targeted the front of the cabinet during testing.

The test and test results are documented in WCAP-11733.

The Eagle 21 experienced problems at approximately 188 MHz resulting in errors in the output data. Subsequently, Westinghouse modified the front of the cabinet with wire mesh over the vents, installed metal door gaskets and recommended that radio transceivers be prohibited in the Eagle 21 equipment room.

Westinghouse concluded that the analog input/output processing and protective functions were affected by the tests but that the system fully recovered upon the removal of the RFI. Westinghouse considers the system operational while exposed to RFI (see WCAP-11733).

The staff first compared the RFI qualification test configuration to the Zion Station configuration.

There were minor electronic component changes between the as-tested rack configuration and the Ceco rack configuration.

Westinghouse reviewed these changes and concluded that there was no significant effect on the RFI qualification. In addition, Westinghouse and Ceco evaluated the Zion application and verified that the front side of the cabinet is the most susceptible side to EMI/RFI. The staff reviewed and discussed the changes and analysis with Westinghouse and Ceco personnel.

Based on this review, the staff accepts Westinghouse's conclusions regarding the as-tested and as-installed configurations.

The staff next reviewed and evaluated the EMI/RFI testing. This review raised two concerns.

First, the tests were conducted over the 20 MHz to 1 GHz range, neglecting other frequencies.

Second, the system was sufficiently affected during the tests for the staff to conclude that the system is not qualified in a radio frequency environment.

CECO and Westinghouse essentially acknowledge this fact and state that the tests were not intended to demonstrate RFI immunity (reference 3, WCAP-11733).

Ceco performed a site survey of the RFI field strengths in the AEER and stated that over the radio frequency ranges used at the Zion Station, the field strengths in the AEER were significantly lower than 3 V/m.

Therefore, CECO concluded that the system would be qualified in the AEER environment (reference 3).

In addition, Ceco stated that they already prohibit the use of radio transceivers in the AEER (reference 3).

The staff reviewed the initial CECO site survey and assessment and found it unacceptable for the following reasons: (1) it covered only the 20 MHz to 1 GHz range; (2) the test equipment used had a large error factor of +/- 16%; (3) there were a number of questions regarding the duration of the test and the manner in which it was conducted, creating doubts regarding the data obtained; and (4) it did not sufficiently address the sources identified by the staff.

Based on this review the staff could not determine whether the Eagle 21 was qualified for its environment.

The staff formally forwarded its concerns by letter dated March 10, 1992 (reference 5).

In addition, the staff asked Ceco whether there were any microwave and/or radar sources in the area that would affect the Eagle 21 (reference 4).

The staff's principal concerns are that the Eagle 21 may be affected by the normal operation of these sources and that misuse of these types of sources could create a security issue.

During the design audit, Ceco stated that the closest microwave antenna is located approximately 120 feet from the AEER and is pointed away from the AEER with a beam divergence of 1.5 degrees. The output of the transmitter is 5 watts and it operates between 1 and 2 GHz.

CECO indicated that this microwave transmitter could not affect the Eagle 21 and that there are no other microwave or radar installations of concern in the area.

The staff accepts CECO's evaluation of this issue.

3. Additional Ceco On-site Measurement and Vendor Assessment

In response to the staff's concerns, CECO performed additional site testing and Westinghouse performed an analysis to demonstrate that the Eagle 21 is qualified for the fields measured at the Zion Station.

The test procedure and results were submitted by letter dated March 27, 1992 (reference 6).

The staff's review and evaluation of these results is summarized below.

There were six tests performed at the Zion Station following MIL-STD-461C, MIL-STD-462 and SAMA Std. PMC 33.1-1978.

These tests were: (1) Conducted Emissions Test CE01, 30 Hz to 15 kHz, see MIL-STD-462; (2) Conducted Emissions Test CE03, 15 kHz to 50 MHz, see MIL-STD-462; (3) Radiated Emissions Test in the DC Magnetic Field, REXX, see MIL-STD-1399; (4) Radiated Emissions Test in the AC Magnetic Field, RE01, see MIL-STD-462; (5) Radiated Emissions Test from 14 kHz to 1 GHz, RE02, see MIL-STD-461C; and (6) Radiated Emissions, Hand Held Radio Profile, see, in part, MIL-STD-462.

The radiated tests were performed in the "X", "Y", and "Z" axes to address concerns regarding field canceling and testing accuracy articulated by the staff when discussing site testing with CECO.

The tests were conducted with substantially more accurate equipment than the first CECO tests and were conducted under controlled circumstances with the Unit at 92% power (reference 6).

To determine the effect of field strength surges created by large loads powered from the power cabling in the cable spreading room directly below the Eagle 21 racks, the 2500 hp Service Water Pump was started and stopped during the testing.

In addition, radios were keyed in rooms outside the AEER and the axis orientation was varied to determine worst case field strengths.

Field strength graphs were generated and calculations were performed, all of which were provided to the staff.

The staff reviewed and evaluated the site testing in detail.

As a result of this review and evaluation, the staff has the following findings and observations regarding the on-site testing.

First, the staff considers the CECO site testing to be comprehensive and a positive attribute to the Eagle 21 project.

Second, the staff performed independent calculations on the site data and, on balance, these calculations agreed with the CECO results. Where the results did not agree, the differences were not significant and the staff attributes them to ambiguities in the documented test data. Third, based on the mathematical analysis of the data provided, the staff noted one area of potential concern in the RE02 test.

At locations ICB50 and ICB26, the results indicate the values of 31.6 V/m (peak) and 29.8 V/m (peak) respectively. The results are still within the guidelines of MIL-STD-461C and MIL-STD-462 but are very close to the maximum limits. Although there is no staff concern at this time, if CECO implements plant changes that affect these fields (and any others), the staff expects CECO to assess the impact on the AEER to ensure that the staff findings remain valid.

Based on the Zion Station data, Westinghouse performed an analysis to substantiate that the Eagle 21 is qualified for the Zion Station environment.

The staff did not review this analysis in detail, but in the sections reviewed, the staff does not fully agree with some of the assumptions and assertions made in the analysis.

However, these areas of disagreement are not significant enough to justify additional testing and analysis.

4. Resolution

Based on the foregoing review, the staff accepts the Ceco and Westinghouse conclusions that the Eagle 21 is EMI/RFI qualified for the Zion Station environment.

However, this finding warrants the following observations and conditions. First, CECO's comprehensive and well performed on-site testing gave credibility to the measured field values and did not indicate significant field strengths at the Eagle 21 cabinets.

Second, the staff gives some credit to the Sequoyah Eagle 21 experiences but the staff also recognizes that EMI/RFI is site specific.

Third, the staff's acceptance does not indicate that the staff considers the Eagle 21 to be qualified to the MIL-STD-461C or MIL-STD-462 standards.

Fourth, Ceco must maintain the prohibition of radios and portable telephones in the AEER.

Finally, the staff gave a fair amount of deference to Westinghouse on the final assessment of the effects of the Zion Station environment on the Eagle 21.

If the Ceco system performance reports (reference 8) indicate problems due to EMI/RFI, this staff finding will require additional consideration.

D. Electro-static Discharge

In general, electro-static discharge (ESD) can cause damage to micro-electronic components and has been known to cause lock-ups on digital equipment if the discharge is large enough.

There were no specific ESD tests performed on the Eagle 21.

However, there are precautions specified in the Eagle 21 technical manuals which CECO is incorporating into their surveillance and maintenance procedures (reference 3).

These precautions include the use of ESD mats, and grounding straps.

In addition, there have been no reported failures resulting from electro-static discharge at the Sequoyah Eagle 21 installation.

Based on CECO's commitment to incorporate electro-static discharge precautions and the Eagle 21 experiences, the staff accepts CECO's approach to this issue.

E. Radiation

The historical requirement of Total Integrated Dose (TID) for a mild environment exceeded the threshold for the type of integrated circuit chips used.

As a result, CECO decided to determine the actual TID for the AEER.

The determined TID is substantially lower than the historical value and was compared to the Westinghouse qualification limits documented in WCAP-8587 Supplement 1, EQDP-ESE-69, Rev. 1.

The qualification limits envelope the actual plant conditions and therefore CECO determined that there would be no adverse impact on the Eagle 21 equipment.

The staff finds the radiation qualification acceptable.

F. Conclusion

Based on the foregoing review and evaluation, the staff finds that there is reasonable assurance that the Eagle 21 system, as applied to the Zion Station, is designed to withstand the effects of design basis natural phenomena and is qualified to operate in normal and postulated accident conditions. See 10 C.F.R. Part 50, Appendix A, GDC 2 and 4.

III. ISOLATION AND INTERACTION BETWEEN 1E AND NON-1E: NOISE, FAULT AND SURGE WITHSTAND TESTING

The protection system shall be designed to ensure that the effects of normal operating and postulated accident conditions do not result in the loss of the protective function and that a failure of a control system does not adversely affect the protection system.

See 10 C.F.R. Part 50, Appendix A, GDC 22 and 24.

The staff uses the following review guidance for assessing the Class 1E and non-1E interactions:

(1) Regulatory Guide 1.75, "Physical Independence of Electrical Systems;"

(2) IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits;"

(3) IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations;"

(4) IEEE 472-1974, "Guide for Surge Withstand Capability Tests;" and

(5) IEEE 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

The Eagle 21 was designed to be installed in older plants where the separation between 1E and non-1E wiring is not necessarily maintained in accordance with Regulatory Guide 1.75 and IEEE 384-1977.

To demonstrate that the Eagle 21 would not be degraded by the 1E/non-1E interactions, Westinghouse performed a number of qualification tests.

These tests are documented in WCAP-11733 and include three basic categories: (1) noise tests; (2) fault tests; and (3) surge withstand tests.

The noise sources and noise tests were chosen to emulate expected and worst case noise conditions that may be present on the non-1E wiring in the Eagle 21 process rack.

The tests performed were a Random Noise Test (antenna coupled), a Cross-talk and Chattering Relay Test (antenna and direct coupled), the Military Specification MIL-N-19900B Noise Test (antenna coupled), a High Voltage Transient Noise Test (antenna coupled), and a Static Noise Test (antenna and direct coupled).

Westinghouse analyzed the results and concluded that the protective action and monitoring equipment of the Eagle 21 are not affected by noise conditions on non-1E circuits.

The staff reviewed the results and discussed the isolation devices and testing with Westinghouse engineers.

Based on this review, the staff concurs with Westinghouse and finds the tests and isolation devices acceptable.

The fault tests were performed using maximum creditable fault voltages determined by Westinghouse.

These voltages were 580 Vac, 250 Vdc, 125 Vac, and 125 Vdc.

During the fault testing of the contact output and partial trip output boards, failures in the transient suppression devices caused damage to parts of the Eagle circuitry.

The boards were subsequently modified and retested.

Westinghouse analyzed the retest results and determined that the Eagle 21 is not affected by the injection of the test fault voltages into the Class 1E isolators.

However, since the boards were modified after the seismic and environmental testing, Westinghouse had to perform additional analysis to demonstrate that the board modifications did not alter the previously performed tests.

The staff reviewed the Westinghouse analysis, test and retest results, and finds the analysis and isolation devices acceptable.

Westinghouse performed a surge withstand test on the isolation devices.

All system inputs and outputs were tested including the system power supply input circuitry.

The test was performed in accordance with IEEE 472-1974 and consisted of an oscillatory wave shape and characteristics test at a surge frequency of 1.25 MHz and a crest voltage of 2.5 kV. The test lasted 2 seconds and did not exceed the 2.5 kV crest voltage even though the system is designed for a 3 kV spike without damage to any component.

During the testing, no component failures occurred and there were no changes in channel calibration. The staff reviewed the tests and test results and discussed the testing with Westinghouse engineers.

Based on this review, the staff finds the testing and results acceptable.

To ensure that the fault and surge values used in the Westinghouse tests enveloped the Zion Station application, CECO evaluated the Zion Station cable separation, cable routing practices, and worst case expected fault voltages.

CECO concluded that the worst case values for Zion are enveloped by the Westinghouse testing (reference 3).

The staff did not review this evaluation in detail but did discuss the evaluation and Zion cable separation and routing practices during the staff assessment of the EMI/RFI environment (see above).

The staff and Westinghouse also discussed the common-mode rejection ability of the Eagle 21.

Westinghouse indicated that a common-mode rejection analysis had been performed using " lessons learned" documents and an analysis of the Eagle 21 system.

Westinghouse indicated that based on this analysis and the use of isolation amplifiers for each channel, common-mode rejection was adequately addressed and represents an improvement over the existing system.

Based on the foregoing review and evaluation, the staff finds that there is reasonable assurance that: (1) the isolation devices conform to IEEE 279-1971, IEEE 384-1982, and IEEE 603-1980; (2) the Eagle 21 is qualified for the EMI/RFI environment at Zion (see Section II.C); and (3) the protection system will not lose its protective function under normal operating and postulated accident conditions or with a failure of a control system.

IV. GROUNDING

Grounding is important to ensure that there are no ground loops created by the installation, that there is a low-impedance fault current return path, to minimize the effects of noise interference by providing common reference planes of low relative impedance, and to minimize the effects of lightning-induced surges on equipment.

Although there is no specific NRC endorsed guidance on grounding, IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations," was referenced during the review.

The grounding for the Zion Eagle 21 application was established by Zion in conjunction with Westinghouse.

In developing the grounding procedures for the installation, CECO physically walked down all of the associated cabling related to the Eagle installation to verify that the Plant in Place drawings are accurate, that terminations were correctly designated and that the shields, if tied to ground, would be tied to one point to eliminate ground loops.

The staff considered this walk down and licensee/vendor interface to be a positive attribute of the Zion Eagle 21 installation.

The procedures called for Westinghouse to locate a ground bus in each cabinet, to re-terminate all of the shields that presently attach to the ground bus, and to ground the subsystem cases to a common point.

The subsystem cases will be grounded to the grounding grid as provided by the present configuration located in the auxiliary building floor.

Westinghouse and Zion were still developing grounding procedures for the signal and control cables during this review.

The staff also inquired about the effect on the Eagle 21 system of a shift in ground potential.

Westinghouse had studied the effects of a ground potential shift and determined that a shift, if it was a significant shift, would trip the Eagle 21 into the preferred mode.

CECO further stated that a shift in the Auxiliary Building ground could not occur.

The staff reviewed the existing grounding schematics, the proposed grounding configuration, the available grounding procedures, the Eagle 21 isolation scheme, and the Westinghouse study on the effects of a ground shift.

Based on this review, discussions with CECO and Westinghouse, and in consideration of the 100% CECO walk down, the staff finds that there is reasonable assurance that the Eagle 21 grounding scheme adequately accounts for Zion specific conditions and will minimize if not eliminate potential grounding problems. Furthermore, CECO and Westinghouse will be performing an Eagle 21 performance test after installation and prior to plant start-up.

This test should identify most ground loop problems if they exist.

V. POWER

A reliable power source is fundamental to a highly reliable protection system, and given a loss of electric power, the protection system must fail into a safe state. See 10 C.F.R. Part 50, Appendix A, GDC 17, 21 and 23.

To assess the Eagle 21 power source, the staff reviewed the inverter loading and Eagle 21 electronic power supplies, the quality of the power supplied to the Eagle 21 system, and the effects of a loss of power.

A. Inverter Loading

To calculate the post-modification loading on the inverters, CECO used field measurements of pre-modification inverter loads in conjunction with Westinghouse Eagle 21 specifications. The results of these calculations are as follows: (1) the inverter supplying bus #111 will be at 77% of its continuous capacity; (2) the inverter supplying bus #112 will be at 64% of its continuous capacity; (3) the inverter supplying bus #113 will be at 54% of its continuous capacity; and (4) the inverter supplying bus #114 will be at 65% of its continuous capacity.

CECO also determined that the increased in-rush current created by powering up three Eagle racks simultaneously would exceed the over-current protection setpoints. Therefore, Westinghouse modified the Eagle 21 AC distribution system to include time sequencing of rack loads. This sequencing limits the additional bus in-rush current to less than 30 amps such that the most limiting case inverter loading will be below the over-current trip setpoints.

The Eagle 21 electronic power supplies are supplied by Westinghouse and are sized to handle the system loads.

These power supplies were qualified with the Eagle 21 system as discussed above.

The staff independently reviewed the data and the load calculations.

Based on this review, the staff finds the loading and the Westinghouse sequencer modification acceptable.

However, because of the loading conditions on the inverters, any loading changes on the inverters must be closely monitored and evaluated by CECO to sustain the staff finding.

B. Power Quality

The staff reviewed and discussed with CECO the quality of the power source to the Eagle 21.

In this context, the staff is using the term power quality to encompass voltage and frequency variations and the total harmonic distortion before and after the Eagle 21 installation.

The staff's concern is the effect of the existing power distribution system on the Eagle 21 and the effect of the Eagle 21 on that same system.

CECO conducted tests on the four inverter-fed instrument power buses that will be supplying the Eagle 21 protection sets.

The tests were conducted at 100% power with the loading on the instrument buses at its normal level.

The data collected indicated voltage ranges from 116.5 volts to 117.2 volts, frequency ranges from 59.5 Hz to 60.2 Hz, and a largest total harmonic distortion of 8.3%.

CECO reviewed the data and determined that the power supply was within the Eagle 21 specifications (reference 8).

CECO further stated that the Eagle 21 is "extremely tolerant of total harmonic distortion" (reference 8).

However, CECO must also address the effects of an operating Eagle 21 on the power system and other instrumentation connected to the same bus.

CECO committed to perform additional testing when the Eagle 21 is on-line and to provide the staff with an assessment of the effect of the Eagle 21 system (reference 2).

Based on discussions with Westinghouse and

CECO, the staff accepts Ceco's assessment.

However, if the summary results provided to the staff indicate problems, additional staff review may be required.
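The three quantities the staff groups under "power quality" above (voltage, frequency and total harmonic distortion) can be derived from a single window of sampled bus voltage. The following is an added illustration and is not CECO test code or a Westinghouse specification: the sample rate, the constructed waveform and the acceptance window in LIMITS are assumptions, since the Eagle 21 specification values are not reproduced in this evaluation. Frequency is taken from interpolated zero crossings, each harmonic from a single-bin DFT, and THD from the ratio of the harmonic content to the fundamental.

```python
"""Power-quality check of an inverter-fed instrument bus from a sampled waveform.

Added illustration, not CECO test code. Sample rate, waveform and limits are
assumptions; the Eagle 21 specification values are not given in the evaluation.
"""
import math
from typing import Dict, List

SAMPLE_RATE_HZ = 7680        # assumed: 128 samples per 60 Hz cycle
NOMINAL_FREQ_HZ = 60.0
MAX_HARMONIC = 25            # assumed: THD summed through the 25th harmonic
LIMITS = {                   # assumed acceptance window, not the vendor spec
    "v_min": 112.0, "v_max": 122.0,
    "f_min": 59.0, "f_max": 61.0,
    "thd_max_pct": 10.0,
}


def make_waveform(v_rms: float, freq_hz: float, harmonics: Dict[int, float],
                  cycles: int = 10) -> List[float]:
    """Constructed test signal: a fundamental of the given RMS value plus
    harmonics expressed as a fraction of the fundamental amplitude."""
    n = int(round(SAMPLE_RATE_HZ * cycles / NOMINAL_FREQ_HZ))
    amp = v_rms * math.sqrt(2.0)
    samples = []
    for i in range(n):
        t = i / SAMPLE_RATE_HZ
        v = amp * math.sin(2.0 * math.pi * freq_hz * t)
        for h, frac in harmonics.items():
            v += amp * frac * math.sin(2.0 * math.pi * h * freq_hz * t)
        samples.append(v)
    return samples


def rms(samples: List[float]) -> float:
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def fundamental_frequency(samples: List[float]) -> float:
    """Estimate frequency from positive-going zero crossings, interpolating
    linearly between the two samples that straddle each crossing."""
    crossings = []
    for i in range(1, len(samples)):
        a, b = samples[i - 1], samples[i]
        if a < 0.0 <= b:
            crossings.append((i - 1 + a / (a - b)) / SAMPLE_RATE_HZ)
    if len(crossings) < 2:
        raise ValueError("window too short to estimate frequency")
    return (len(crossings) - 1) / (crossings[-1] - crossings[0])


def harmonic_peaks(samples: List[float], f0_hz: float) -> Dict[int, float]:
    """Peak amplitude of each harmonic by a single-bin DFT at h * f0.
    Exact when the window holds a whole number of cycles, as here."""
    n = len(samples)
    peaks = {}
    for h in range(1, MAX_HARMONIC + 1):
        w = 2.0 * math.pi * h * f0_hz / SAMPLE_RATE_HZ
        re = sum(s * math.cos(w * i) for i, s in enumerate(samples))
        im = sum(s * math.sin(w * i) for i, s in enumerate(samples))
        peaks[h] = 2.0 * math.hypot(re, im) / n
    return peaks


def thd_percent(samples: List[float], f0_hz: float) -> float:
    peaks = harmonic_peaks(samples, f0_hz)
    distortion = math.sqrt(sum(p * p for h, p in peaks.items() if h > 1))
    return 100.0 * distortion / peaks[1]


def assess(samples: List[float]) -> Dict[str, object]:
    """Compute the three power-quality figures and compare with LIMITS."""
    f0 = fundamental_frequency(samples)
    v = rms(samples)
    thd = thd_percent(samples, f0)
    ok = (LIMITS["v_min"] <= v <= LIMITS["v_max"]
          and LIMITS["f_min"] <= f0 <= LIMITS["f_max"]
          and thd <= LIMITS["thd_max_pct"])
    return {"v_rms": v, "freq_hz": f0, "thd_pct": thd, "within_limits": ok}


if __name__ == "__main__":
    # Constructed bus: 117 V, 60 Hz, with 5 % third and 3 % fifth harmonic.
    print(assess(make_waveform(117.0, 60.0, {3: 0.05, 5: 0.03})))
```

The single-bin DFT is exact only because the window holds a whole number of cycles at the estimated fundamental; a field measurement with a drifting frequency would need windowing or a resampled window before the same calculation is meaningful.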

C. The Effect of a Loss of Power

The staff reviewed the system response with a loss of power and found that the Eagle 21 reacts in the following manner: (1) all partial trips from the affected rack revert to the preferred failure mode; (2) all analog outputs go to zero (indicators); and (3) a trouble, channel set failure, bypass and RTD indicator alarm is initiated in the control room.

The operator will then take actions in accordance with the Abnormal Operating Procedures.

Tunable constants are maintained by the lithium battery-backed NVRAM and will be available when power is returned.

If the NVRAM were to fail, the Eagle will automatically use default values stored in EPROM, which will also result in a Protection Set Channel Set Failure alarm in the main control room.

Again the operator will take actions according to Abnormal Operating Procedures. Therefore, the staff finds that the system will fail into a safe state with a loss of power and can successfully recover from the transient.

D. Conclusion

Based on the foregoing evaluation, the staff has reasonable assurance that a reliable power source is provided to the protection system and that, given a loss of electric power, the protection system will fail into a safe state and can be successfully recovered.

VI. TESTABILITY

The protection system shall be designed to be testable during operation and shutdown as required, without loss of minimum redundancy, and to provide appropriate indication to the operator of failures and losses of redundancy. See 10 C.F.R. Part 50, Appendix A, GDC 21.

The staff uses the following standards for review guidance: (1) IEEE 279-1971; (2) Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions;" (3) Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems;" (4) IEEE 338-1977, "IEEE Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems;" and (5) Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems."

The Eagle 21 uses on-line automatic testing and a Man Machine Interface (MMI) Tester for technician testing.

These are briefly explained below as part of the staff review.

A. On-line Automatic Functions

The Eagle 21 has a continuous on-line self-calibration of the analog input signals.

Fixed precision high and low reference values are processed through the A/D converters and compared by the Loop Calculation Processor (LCP) to stored values.

If there are any errors introduced by the A/D conversion, the LCP compensates the gain and offset coefficients accordingly.

The Eagle 21 continuously monitors itself for malfunctions including high rack temperatures, improper trip signals, out of range inputs and computer failures.

When a failure is detected, the Eagle 21 provides control room trouble alarms and LED panel indications and can download information to an MMI for diagnostics.

If the failure results in a loss of protective functions, the outputs are placed in the preferred failure state.

These on-line functions were not reviewed in detail by the staff, but were discussed with Westinghouse and CECO personnel.

The staff noted that the software that performs these functions was V&V'ed as part of the Eagle 21 V&V process discussed above and is in use at other Eagle 21 applications.

Based on that review and the Eagle experiences, the staff finds them acceptable.
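The two-point self-calibration and the self-monitoring described above can be shown in a few lines. The following is an added illustration, not Westinghouse or CECO code: the 12-bit converter, the stored reference counts, the tolerance band on the correction and the choice of trip as the preferred failure state are assumptions. The point it adds to the text is the sanity check: a reference pair that needs an implausibly large correction is treated as an A/D failure and drives the channel to the preferred failure state rather than being silently absorbed into the coefficients.

```python
"""Two-point on-line self-calibration with a sanity check on the correction.

Added illustration, not Westinghouse or CECO code. Reference counts, the
tolerance band, the 12-bit converter and the preferred failure state are
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FULL_SCALE_COUNTS = 4095          # assumed 12-bit A/D
REF_LOW_COUNTS = 410              # stored nominal counts, low reference (assumed)
REF_HIGH_COUNTS = 3686            # stored nominal counts, high reference (assumed)
MAX_GAIN_ERROR = 0.05             # assumed self-check band: reject >5 % gain correction
MAX_OFFSET_COUNTS = 100           # assumed self-check band: reject >100 count offset
PREFERRED_FAILURE_STATE = "TRIP"  # assumed preferred failure mode for the channel


@dataclass(frozen=True)
class Calibration:
    gain: float
    offset: float
    healthy: bool


def compute_calibration(meas_low: int, meas_high: int) -> Calibration:
    """Solve corrected = gain * raw + offset so both references read nominal.

    A reference pair that cannot be fitted (inverted) or that needs a
    correction outside the assumed band is reported as unhealthy.
    """
    if meas_high <= meas_low:
        return Calibration(1.0, 0.0, False)
    gain = (REF_HIGH_COUNTS - REF_LOW_COUNTS) / (meas_high - meas_low)
    offset = REF_LOW_COUNTS - gain * meas_low
    healthy = abs(gain - 1.0) <= MAX_GAIN_ERROR and abs(offset) <= MAX_OFFSET_COUNTS
    return Calibration(gain, offset, healthy)


def correct_counts(raw: int, cal: Calibration) -> float:
    return cal.gain * raw + cal.offset


def process_sample(raw: int, meas_low: int, meas_high: int,
                   trip_percent: float) -> Tuple[Optional[float], str]:
    """One scan of a channel: recalibrate, correct the input, evaluate the trip.

    Returns (corrected value in percent of span, partial-trip output). On a
    failed self-check or an out-of-range input no value is reported and the
    output goes to the preferred failure state.
    """
    cal = compute_calibration(meas_low, meas_high)
    if not cal.healthy:
        return None, PREFERRED_FAILURE_STATE
    counts = correct_counts(raw, cal)
    if counts < 0 or counts > FULL_SCALE_COUNTS:      # out-of-range input
        return None, PREFERRED_FAILURE_STATE
    percent = 100.0 * counts / FULL_SCALE_COUNTS
    return percent, ("TRIP" if percent >= trip_percent else "NORMAL")


if __name__ == "__main__":
    # Constructed readings: the A/D has drifted by +10 counts of offset.
    print(process_sample(raw=2050, meas_low=420, meas_high=3696, trip_percent=60.0))
    # Constructed gross failure: the high reference reads far too low.
    print(process_sample(raw=2050, meas_low=420, meas_high=3000, trip_percent=60.0))
```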

B. Man Machine Interface (MMI) Tester

In the Zion application of the Eagle 21, there will be one MMI permanently mounted next to each protection set for use with that protection set (i.e., four MMIs).

The MMI is connected to the Eagle 21 through an external cable and is used for testing, parameter updates and diagnostics.

The staff evaluated the Eagle 21/MMI interaction to determine how intrusive the MMI is into the Eagle 21 system, and to evaluate the integrity of the MMI/ Eagle 21 software interaction (see section on product maturity below).

1. Software

The MMI provides the technician with a number of capabilities including the ability to:

(1) perform automatic or manual surveillance tests, calibration verification, and response time measurements; (2) display and modify setpoints and tuning constants; (3) obtain diagnostic information; (4) obtain a hard copy printout of test results; and (5) display input and output values.

The MMI uses a touch screen to prompt the operator and is essentially menu driven.

The staff reviewed a number of the MMI functions, the system effects of these functions, the MMI check and hold points on technician errors and data entry, and the Zion procedural controls. Although the full scope of the staff's review will not be articulated in this report, the following points are worth noting.

First, the software for the MMI has undergone the same V&V as the Eagle 21 system.

Second, the MMI hardware is not Class 1E, and CECO stated that they consider the MMI to be equivalent to normally used test equipment except for the V&V'ed software.

Third, the technician cannot change software operating code or alter algorithms.

Fourth, although it is possible that some incorrect setpoint and tunable constant values could be entered into the system, the MMI checking functions, the coded software checking functions, and the Zion Station administrative controls will minimize this possibility to a level comparable with the technician interaction in an analog system.

Finally, if a failure (MMI or system) occurs during a surveillance, the MMI will abort the test and place the system in the pretest state.

Based on the staff review and evaluation of the MMI software and its interactions with the Eagle 21, the staff finds that the MMI software complies with ANSI/IEEE ANS-7-4.3.2-1982.

2. Security of MMI System

The principal staff concerns in control of the MMI are to prevent unauthorized entries and alterations of the Eagle 21 system and to minimize the possibility of unintended technician software changes.

i As stated above, the technician cannot change operating code or re-configure algorithms.

From a safety perspective, this is a positive attribute.

In addition, the following controls are in place for MMI use: (1) administrative controls for protection system testing and service; (2) keys are required for opening the protection rack; (3) keys are required for gaining access to the MMI keyboard; (4) keys are required to actuate the test panel selector switch; (5) a password is required to enter the MMI; (6) upon entry, an alarm is sounded in the control room; (7) additional passwords are required at various stages of MMI use to change parameters; and (8) after a test is performed, the technician will provide a printout for senior analyst review that automatically flags changed values.

Because of the limits in the MMI/Eagle 21 interactions and the MMI controls, the staff identified no safety concerns and finds the Zion approach acceptable.
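The software-side controls listed above (an entry password that raises a control-room alarm, a further password before parameters can be changed, the checking functions on entered setpoint values noted under item 1, and a printout that flags changed values for senior analyst review) fit together as one small session model. The following is an added illustration, not Westinghouse MMI code: the physical keys and the rack lock cannot be modelled, and the parameter names, engineering limits and passwords are assumptions chosen for illustration, not Zion values.

```python
"""Layered MMI controls on setpoint changes: entry alarm, second-level
authorization, range checking, and a printout that flags changed values.

Added illustration, not Westinghouse MMI code. Parameter names, limits and
passwords are assumptions, not Zion values.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed engineering limits a technician entry must stay inside (hold point).
SETPOINT_LIMITS = {
    "PARAM_A_PSIG": (1800.0, 2000.0),
    "PARAM_B_PSIG": (15.0, 35.0),
    "PARAM_C_PCT": (5.0, 30.0),
}


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class MmiSession:
    def __init__(self, current: Dict[str, float], entry_pw: str, change_pw: str):
        self._baseline = dict(current)      # values before the session
        self._live = dict(current)          # values as entered
        self._entry_digest = _digest(entry_pw)
        self._change_digest = _digest(change_pw)
        self.entered = False
        self.change_authorized = False
        self.events: List[str] = []         # stands in for control-room alarms and the log

    def enter(self, password: str) -> bool:
        """Entry password; success raises the control-room alarm."""
        if not hmac.compare_digest(_digest(password), self._entry_digest):
            self.events.append("ENTRY_REJECTED")
            return False
        self.entered = True
        self.events.append("ALARM: MMI ENTRY")
        return True

    def authorize_changes(self, password: str) -> bool:
        """Additional password required before parameters may be changed."""
        if not self.entered:
            return False
        ok = hmac.compare_digest(_digest(password), self._change_digest)
        self.change_authorized = ok
        self.events.append("CHANGE_AUTH_OK" if ok else "CHANGE_AUTH_REJECTED")
        return ok

    def set_value(self, name: str, value: float) -> Tuple[bool, str]:
        """Hold point: reject unauthorized sessions, unknown names and values
        outside the assumed engineering limits."""
        if not self.change_authorized:
            return False, "change password not entered"
        if name not in SETPOINT_LIMITS:
            return False, "unknown parameter"
        lo, hi = SETPOINT_LIMITS[name]
        if not (lo <= value <= hi):
            return False, f"{value} outside [{lo}, {hi}]"
        self._live[name] = value
        self.events.append(f"SET {name}={value}")
        return True, "accepted"

    def changed(self) -> Dict[str, Tuple[float, float]]:
        return {n: (self._baseline[n], self._live[n])
                for n in self._live if self._baseline[n] != self._live[n]}

    def printout(self) -> List[str]:
        """Report for senior analyst review; changed values are flagged."""
        lines = []
        for name in sorted(self._live):
            before, after = self._baseline[name], self._live[name]
            flag = " *CHANGED*" if before != after else ""
            lines.append(f"{name:14s} {before:10.2f} -> {after:10.2f}{flag}")
        return lines


if __name__ == "__main__":
    # Constructed session: one in-range change, one out-of-range attempt.
    s = MmiSession({"PARAM_A_PSIG": 1865.0, "PARAM_B_PSIG": 23.0, "PARAM_C_PCT": 17.0},
                   entry_pw="entry", change_pw="change")
    s.enter("entry")
    s.authorize_changes("change")
    print(s.set_value("PARAM_C_PCT", 20.0), s.set_value("PARAM_C_PCT", 200.0))
    print("\n".join(s.printout()))
```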

3. MMI Use

As stated above, the MMI is connected to the Eagle 21 through an external cable.

The MMI can be used to monitor the input and output values of the Eagle 21 system.

CECO proposed to use this monitoring function to perform RTD cross-calibrations, high precision calorimetrics, and some troubleshooting schemes. To use the MMIs in this fashion, CECO proposed to simultaneously operate each of the four MMIs connected to their respective protection sets.

The staff took the position that if CECO intends to operate in this configuration, they must demonstrate that this configuration will not adversely affect the Eagle 21 system (reference 5).

The staff had two principal concerns: (1) the possibility of an external event (example: EMI/RFI) creating a common mode failure in each protection set, and (2) the interaction between a 1E system and a non-1E system connected together for extended intervals.

CECO responded to these concerns during the audit, in writing (reference 6), and during the meeting on March 20, 1992.

The response included a description of the MMI interface and tester subsystem architecture, a discussion of the MMI/Eagle 21 interaction, and a discussion of the AEER environment.

The staff reviewed the architecture and evaluated the CECO responses, weighing the potential gains in RTD calibration and calorimetric accuracies against the significance of the staff's concerns.

Based on this review and evaluation, the staff finds the monitoring scheme acceptable under the following conditions: (1) the amount of time that the MMIs are connected in this configuration must be limited to reduce the possibility of unforeseen external influences; (2) when in this configuration, the operators must be notified of the test conditions and expected duration of the monitoring; (3) the monitoring must be controlled by Station Procedures; (4) special care must be provided to ensure that no radios and/or portable radio-telephones are used in the AEER or within a close enough range to induce a random effect in the Eagle system; and (5) CECO must ensure that the MMIs are not used such as to violate minimum operable channel redundancy requirements.

C. Channel Bypass and Trip Functions

The Eagle 21 design permits individual channels to be placed in trip or bypass while testing the channel.

The Zion Technical Specifications allow only the Containment High-High Pressure channels to be placed in bypass while in modes 1, 2, and 3.

The bypass can only be initiated through the MMI subject to the MMI security controls discussed above.

The bypass is implemented through the tester subsystem which sends a control signal to the partial trip output board holding the relay logic in the normal, non-tripped state. When a channel is in bypass, continuous control room indication is provided and if the signals from the tester subsystem are not received, the bypass is removed by a deadman timer unique to the bypass function.

The channel trip is manually activated by a toggle switch on the partial trip output board.

Access to these switches is restricted by administrative controls and a lock on the cabinet door.

When in trip, indication is provided to the control room along with indication to the technician on the status of the channel.
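The bypass mechanism described above (granted only through a secured MMI session, held by a control signal from the tester subsystem, continuously indicated, and released by a deadman timer if that signal stops) together with the Technical Specification limit on which functions may be bypassed in modes 1 through 3 and the minimum operable channel condition from Section 3 can be shown as one small state machine. The following is an added illustration, not Westinghouse code: the timer length, the function and channel names, the treatment of the mode rule and the minimum-operable-channel count are assumptions.

```python
"""Channel bypass held by a tester-subsystem heartbeat and released by a
deadman timer, with Tech Spec and redundancy checks before a bypass is granted.

Added illustration, not Westinghouse code. Timer length, function names,
mode rule and minimum operable channel count are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DEADMAN_SECONDS = 5.0                            # assumed heartbeat timeout
BYPASSABLE_IN_MODES_1_TO_3 = {"CNTMT_PRESS_HI_HI"}  # the one function named above
MIN_OPERABLE_CHANNELS = 3                        # assumed: at most one of four bypassed


@dataclass
class Channel:
    function: str
    channel_id: str
    bypass_active: bool = False
    last_heartbeat: Optional[float] = None
    tripped_by_switch: bool = False   # manual toggle on the partial trip output board


@dataclass
class ProtectionFunction:
    name: str
    channels: Dict[str, Channel] = field(default_factory=dict)

    def add(self, channel_id: str) -> Channel:
        ch = Channel(self.name, channel_id)
        self.channels[channel_id] = ch
        return ch

    def operable_count(self) -> int:
        return sum(1 for c in self.channels.values() if not c.bypass_active)

    def request_bypass(self, channel_id: str, plant_mode: int, now: float,
                       mmi_authorized: bool) -> str:
        """Grant bypass only through an authorized MMI session, only for
        functions the Tech Spec permits in the current mode, and only if
        minimum operable redundancy is preserved."""
        ch = self.channels[channel_id]
        if not mmi_authorized:
            return "DENIED: MMI security controls not satisfied"
        if plant_mode in (1, 2, 3) and self.name not in BYPASSABLE_IN_MODES_1_TO_3:
            return "DENIED: bypass not permitted for this function in modes 1-3"
        if ch.bypass_active:
            return "ALREADY_BYPASSED"
        if self.operable_count() - 1 < MIN_OPERABLE_CHANNELS:
            return "DENIED: would violate minimum operable channel redundancy"
        ch.bypass_active = True
        ch.last_heartbeat = now
        return "BYPASSED"

    def heartbeat(self, channel_id: str, now: float) -> None:
        """Tester subsystem control signal that keeps the bypass held."""
        ch = self.channels[channel_id]
        if ch.bypass_active:
            ch.last_heartbeat = now

    def partial_trip_output(self, channel_id: str, sensed_trip: bool, now: float) -> str:
        """Evaluate one channel's partial-trip relay. A stale heartbeat clears
        the bypass (deadman timer) before the output is computed."""
        ch = self.channels[channel_id]
        if ch.bypass_active and (ch.last_heartbeat is None
                                 or now - ch.last_heartbeat > DEADMAN_SECONDS):
            ch.bypass_active = False      # deadman timer removed the bypass
        if ch.bypass_active:
            return "NOT_TRIPPED (BYPASS)"
        if ch.tripped_by_switch or sensed_trip:
            return "TRIPPED"
        return "NOT_TRIPPED"

    def control_room_status(self) -> Dict[str, str]:
        """Continuous bypass/trip indication for the operator."""
        return {cid: ("BYPASS" if c.bypass_active
                      else "TRIP" if c.tripped_by_switch else "NORMAL")
                for cid, c in self.channels.items()}


if __name__ == "__main__":
    # Constructed scenario: bypass CH1, keep it alive once, then let it lapse.
    f = ProtectionFunction("CNTMT_PRESS_HI_HI")
    for i in "1234":
        f.add("CH" + i)
    print(f.request_bypass("CH1", plant_mode=1, now=0.0, mmi_authorized=True))
    print(f.partial_trip_output("CH1", sensed_trip=True, now=1.0))
    f.heartbeat("CH1", 4.0)
    print(f.partial_trip_output("CH1", sensed_trip=True, now=9.5), f.control_room_status())
```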

Based on the staff's review and evaluation of the Eagle 21 system features and controls, the staff finds that there is reasonable assurance the system meets the intent of Regulatory Guide 1.22, Regulatory Guide 1.47, Regulatory Guide 1.118 (with the restrictions noted above in Section 3), and IEEE 338-1977.

Therefore, the staff has reasonable assurance that the Eagle 21 system installed at Zion is testable during operation and shutdown without a loss of minimum redundancy and provides the appropriate indication for bypass, trip and inoperable status.

VII. RESPONSE TIMES AND SETPOINTS

The current Zion Station Technical Specifications (custom type) do not list the response times of the 7100 Series Analog equipment and do not require response time testing. However, CECO estimates that the 7100 response time is 100 milliseconds.

Westinghouse determined that the worst case response time for the Eagle 21 would be 309 milliseconds.

CECO stated that they will be testing the portion of the overall response times affected by the Eagle 21 and the overall response times of the channels (including the Eagle 21) to ensure that the accident analysis assumptions will be maintained (reference 3).

At the time of the staff review, the response time testing procedures were being written and were not yet available for staff review. However, CECO indicated that they did not expect any problems with the response time testing and that they expected sufficient margin to exist to accommodate the increased Eagle 21 process time.

In addition, CECO committed to providing the staff with follow-up reporting on the tests and the results within thirty days of plant start-up (reference 8).

Therefore, the staff finds the response time testing acceptable under the following conditions: (1) that the follow-up reports are provided per the CECO commitment; and (2) if the response times do not meet the accident analysis, then the staff expects CECO to contact the staff and provide justification to demonstrate that the system meets the licensing basis and the assumptions in the accident analysis.

Setpoint revisions were not included as part of this license amendment.

However, there are changes in uncertainty values associated with the Eagle 21.

These changes are incorporated with the Vantage 5 fuel upgrade submitted to the NRC by letter dated November 27, 1991 (reference 9).

Therefore, the setpoint changes will be reviewed as part of that license amendment.

VIII. DEFENSE-IN-DEPTH

The protection system shall be designed using techniques such as functional diversity, diversity in component design, and principles of operation, to the extent practical, to achieve a high functional reliability, to ensure that the system fails into a safe state, and to ensure that normal operating, maintenance, and postulated accident conditions do not result in the loss of the protection function. See 10 C.F.R. Part 50, Appendix A, GDC 21, 22, and 23.

The staff has voiced well known concerns regarding the application of digital electronics to operating nuclear power plant safety systems.

The staff concerns include digital susceptibilities to existing plant environments, the commercial dedication of digital hardware and software, on-site expertise for problem recognition and troubleshooting, the potential for common mode failures introduced by software errors and unintended functions, and software/hardware interaction problems.

These concerns have been reinforced by nuclear and non-nuclear failures both nationally and internationally.

Two notable concerns are the potential for software errors and software/hardware interaction problems that would not be found through normal factory acceptance testing and functional testing.

In fact, many of the software failures that have occurred to date were latent and hence differ from the well known and somewhat predictable failure responses of the analog systems. Such a latent error creates the possibility of a common mode failure among redundant safety trains and affects assumptions regarding the multiple layers of defense in existing safety systems.

Although there is no firm consensus among world experts regarding software reliability and the most effective software design processes, these issues are the focus of various national and international industry and regulatory groups in an effort to develop software design standards.

Currently, the staff endorses ANSI/IEEE ANS-7-4.3.2-1982 as a minimum set of guidelines for minimizing the possibility of software errors and complements this standard with staff reviews.

However, with the difficulties in establishing a sufficiently high level of software reliability, and varying software design and system development processes, the staff looks to other plant systems and actions that can compensate for digital system weaknesses when they exist, i.e., a Defense-in-depth approach to safety.

For the purposes of this evaluation, Defense-in-depth will be considered to be a combination of system and intra-system diversity, redundancy, performance, and reliability with the goal of achieving a high degree of safety and compensating for safety system weaknesses.

The concept of Defense-in-depth and staff concerns regarding common mode failures are not new.

In the late 1960's the staff discussed the potential for common mode failures with Westinghouse.

Westinghouse responded with WCAP-7306, which represents an early Defense-in-depth type analysis for the analog process protection safety system. Defense-in-depth and common mode failure concepts also appear in varying regulatory contexts including 10 CFR Part 50, Appendix A, General Design Criterion 22; IEEE 603-1980; IEEE 379-1977, "Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," endorsed by Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Systems;" and NUREG-0493, "A Defense-in-depth and Diversity Assessment of the RESAR-414 Integrated Protection System."

Early in the staff's review of the Eagle 21 system for the Zion Station, the staff articulated the software common mode failure concern and two additional concerns specific to the Eagle 21 and the Zion application (references 4, 5, and during the November 26, 1991 meeting).

First, the Eagle 21 system architecture uses one "computer" (proprietary concerns necessitate the use of this term) to process all inputs to a given rack.

Therefore, a failure of certain components in this "computer" would result in the loss of all functions processed by that rack (i.e., the remaining redundant channels are still available if a common mode failure is not postulated).

This affects single instrument loop integrity when compared to the individual analog modules that comprised the old system.

Second, CECO consolidated racks such that some functions that are diverse of each other are located in the same rack and processed by the same "computer."

These architectural and consolidation changes reduce the level of system defense and may affect some of the assumptions used in probabilistic risk and equipment failure analyses.

However, for this application, a software common mode failure is the limiting case.

Therefore, the next two sections concentrate on this aspect of the overall issue.

A. Reliability and Software Common Mode Failure Concerns

CECO provided an extensive discussion on the reliability of the Eagle 21 system and a comparison to the existing 7100 analog process racks (reference 3).

Many of the points raised by CECO in this assessment are quite valid. The staff agrees with CECO that the hardware is at least as reliable and in some cases more reliable than the existing analog hardware.

Furthermore, the staff agrees that some of the operational and surveillance capabilities of the new system offer a qualitative safety gain.

However, CECO did not address the central question of a software common mode failure, nor was CECO able to define a quantified software reliability for comparison to the existing system reliability. For this assessment, the staff only has the CECO assertions that these failures are not credible (reference 7) and the Westinghouse assertions that the robustness of their V&V program should allay staff concerns regarding software common mode failures.

First, to address the CECO assertions: although there are other industry indicators available, the software errors that were not identified by the V&V program for the Sequoyah and Turkey Point Eagle 21 applications certainly indicate that such errors are indeed credible (see product history section below).

Specifically for the Zion application, the errors found by the staff during the "thread audit" (see V&V review above) serve to reinforce the overall concern.

While the staff agrees with CECO that the cause of these errors is tied to the implementation of the process and not the process/plan itself (reference 6), the effect is the same whether the fault lies in the process implementation or in the process/plan, and it must be considered.

Second, to address the Westinghouse assertions: the staff agrees, to some extent, that the Westinghouse V&V process is robust. However, software experience both in and out of the nuclear industry, failures specific to the nuclear industry, and Westinghouse's own experiences indicate that V&V has its limitations and a Defense-in-depth approach is warranted.

As a result, the staff requested CECO to demonstrate that there is sufficient defense against an Eagle 21 common mode failure for all of the analyzed Zion transients and accidents (reference 5).

On April 3, 1992, CECO responded with an evaluation of the existing levels of defense at the Zion Station (reference 7).

CECO classified the transients and accidents (events) into three groups.

First, those events for which the primary and/or back-up protective function is not processed by the Eagle.

For these safety system actuations, CECO stated that a common mode failure of the Eagle 21 would not prevent an automatic protective action, but that in most cases the back-up automatic actuation would exceed the safety analysis timing requirement.

Second, those events for which an automatic protective action is not credited in the safety analysis.

For these events, Ceco stated that some would have back-up automatic actuations independent of the Eagle 21 and the rest would have indicators independent of the Eagle 21 by which manual actions (manual actuation is independent of Eagle 21) would be taken according to emergency procedure guidance. Third, those events for which the primary and back-up automatic protective actuations are processed by Eagle 21.

This group consists of Feedwater Malfunction, Loss of Load Without Turbine Trip, Loss of Normal Feedwater, Loss of Coolant Accident, Steam Line Break, Locked Rotor, and Steam Generator Tube Rupture.

For all of these events, Ceco stated that sufficient indication diverse from the Eagle 21, and sufficient procedural guidance exists to permit the operator to take manual actions to mitigate the transient.

For the Loss of Normal Feedwater transient, CECO credited the ATWS mitigation system as a back-up and committed to increased administrative controls to ensure its reliability.

B. Resolution

To assess Ceco's Defense-in-depth analysis, the staff weighed the safety implications of:

(1) the diverse back-up actuations that will not meet the safety analysis timing requirements if a common mode failure of the Eagle 21 is assumed; (2) the credit that CECO gives to diverse indication in the control room that would facilitate manual actions if a common mode failure is assumed; (3) the staff findings regarding the software V&V program; (4) the experiences with the Sequoyah software, the majority of which is identical to the Zion Station software; and (5) a qualitative assessment for this application that the probability is low for an accident or transient coupled with a common mode software failure that does not fail into the preferred state.

Based on this assessment, the staff accepts Ceco's response and finds that there is reasonable assurance that if a software common mode failure occurs, there is a diverse means to safely shutdown the reactor.

However, the staff is considering the digital common mode failure question on a generic basis.

If the staff determines that additional action for operating reactors is warranted, CECO will be notified through the generic process.

C. Failure Modes and Effects/Single Failure

The purpose of this section is to review the failure modes and effects analysis without a postulated common mode failure. No single failure shall result in the loss of the protective function.

See 10 C.F.R. Part 50, Appendix A, GDC 21 and 23.

The Eagle 21 is the signal processing portion of the safety system.

It has the ability to perform self diagnostic checks and classifies the errors as fatal or non-fatal.

Fatal errors prevent the system from performing its intended safety function.

When a fatal error occurs, the partial trip outputs of the Eagle 21 are driven to their preferred failure state by a deadman timer, all analog outputs fail as-is, and annunciation is provided to the control room.

A non-fatal error does not result in the loss of the protective function and provides control room indication when detected.

A deadman timer for each partial trip output provides the fail safe protection for the Eagle 21.

A mono-stable vibrator is used for the timer and requires a 120 milli-second pulse to maintain the outputs to the Relay Logic System energized.

With a loss of power, loss of the pulse signal from the Loop Calculation Processor (LCP), or an LCP generated trip signal, the outputs to the Relay Logic System will be driven to the preferred state.
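The fail-safe behaviour described above can be modelled in a few lines. The following Python model is an added illustration, not Westinghouse or CECO code: only the 120 millisecond pulse window comes from the text; the 10 ms sampling, the event layout, and the function and class names are assumptions of the example.

```python
"""Toy model of the Eagle 21 partial-trip deadman timer.

Added illustration, not Westinghouse or CECO code.  Only the 120 ms pulse
window comes from the text; the sample period, event layout and names
are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PULSE_WINDOW_MS = 120  # from the text: a pulse is needed within this window

Event = Tuple[int, bool, bool, bool]  # (time_ms, pulse, power_on, lcp_trip)


@dataclass
class PartialTripOutput:
    """One partial-trip output guarded by a retriggerable one-shot timer.

    The output to the Relay Logic System is energized (no trip) only while
    power is available, the LCP has not asserted a trip, and the LCP has
    refreshed the timer within window_ms.  Everything else, including the
    LCP simply going silent after a halt or fatal self-diagnostic, drives
    the output to its preferred (de-energized, tripped) state.
    """
    window_ms: int = PULSE_WINDOW_MS
    last_pulse_ms: Optional[int] = None
    energized: bool = False
    history: List[Tuple[int, bool]] = field(default_factory=list)

    def step(self, now_ms: int, pulse: bool, power_on: bool, lcp_trip: bool) -> bool:
        if pulse:
            self.last_pulse_ms = now_ms  # retrigger the one-shot
        timer_alive = (self.last_pulse_ms is not None
                       and now_ms - self.last_pulse_ms <= self.window_ms)
        # Fail-safe: any missing precondition de-energizes the output.
        self.energized = power_on and not lcp_trip and timer_alive
        self.history.append((now_ms, self.energized))
        return self.energized


def make_events(end_ms: int = 600, tick_ms: int = 10, pulse_period_ms: int = 50,
                halt_at_ms: Optional[int] = None,
                power_off_at_ms: Optional[int] = None,
                trip_at_ms: Optional[int] = None) -> List[Event]:
    """Constructed timeline, one sample per tick (assumed 10 ms).

    The LCP pulses every pulse_period_ms until halt_at_ms (modelling a
    processor halt or a fatal self-diagnostic error that stops the pulse
    train), power is lost at power_off_at_ms, and the LCP asserts a trip
    from trip_at_ms onward.  None means that fault never occurs.
    """
    events: List[Event] = []
    for t in range(0, end_ms + 1, tick_ms):
        pulse = t % pulse_period_ms == 0 and (halt_at_ms is None or t < halt_at_ms)
        power_on = power_off_at_ms is None or t < power_off_at_ms
        trip = trip_at_ms is not None and t >= trip_at_ms
        events.append((t, pulse, power_on, trip))
    return events


def first_drop_time(events: List[Event]) -> Optional[int]:
    """Time (ms) at which an energized output first falls to the preferred
    state, or None if it stays energized for the whole timeline."""
    out = PartialTripOutput()
    was_energized = False
    for t, pulse, power_on, trip in events:
        energized = out.step(t, pulse, power_on, trip)
        if was_energized and not energized:
            return t
        was_energized = was_energized or energized
    return None


if __name__ == "__main__":
    scenarios = {
        "healthy 50 ms heartbeat": make_events(),
        "LCP halt at 300 ms": make_events(halt_at_ms=300),
        "heartbeat too slow (150 ms)": make_events(pulse_period_ms=150),
        "power lost at 250 ms": make_events(power_off_at_ms=250),
        "LCP trip at 200 ms": make_events(trip_at_ms=200),
    }
    for name, ev in scenarios.items():
        print(f"{name:28s} -> preferred state at {first_drop_time(ev)} ms")
```

The "heartbeat too slow" case shows why the pulse period must sit well inside the window: a processor that is merely late looks the same to the timer as one that has halted, and the output trips either way.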

Westinghouse did not perform a formal failure modes and effects analysis on the Eagle 21 electronics, but did perform the analysis on the protection system according to IEEE 279-1971.

In addition, no control/1E system boundaries or 1E/1E boundaries were changed with this modification at the Zion Station.

The staff discussed with Westinghouse, on a sample basis, various postulated failures (system and electronic).

In all cases reviewed, the Eagle 21 was able to detect and/or place the system in the preferred state.

Based on this review, the staff finds that the single failure criterion (without postulating the common mode failure above) is satisfied.

IX. FACTORY AND ON-SITE TESTING

Factory acceptance testing was performed by Westinghouse in addition to the validation testing described above.

The testing verified that the system met the accuracy and functional requirements as specified by the system functional specifications.

CECO witnessed various portions of the testing and reviewed a random sample of deficiency reports and their resolutions.

Ceco found them acceptable.

The staff reviewed the Westinghouse procedures for addressing failures and anomalies and identified no safety concerns.

Westinghouse and Zion will be performing on-site testing once the equipment is installed.

The staff reviewed a sample of the Westinghouse procedures and identified no safety concerns. As part of the close-out of this review, CECO committed to send the staff a summary of the on-site tests and the results within 30 days of plant start-up (reference 8).

X. PRODUCT HISTORY

The staff reviews product history to assist in developing a benchmark for assessing system reliability and potential problem areas.

The staff reviewed three general topic areas for this review: (1) generic chip problems experienced by the sub-vendor of the primary components; (2) past system failures specific to the Eagle 21 system; and (3) user/owner follow-up groups that provide interfaces and vendor feedback on product failures and changes.

A. Generic Chip Problems

The principal concern for this portion of the review was the effect of generic chip problems on the Eagle 21 installation at the Zion Station.

The errata of the microprocessor was discussed in detail with Westinghouse.

The microprocessor boards are tested by Westinghouse and the manufacturer for errata, timing problems, and general failures.

The chips used are controlled by batch number and Westinghouse confirmed that the chips used were not part of the chip batch that had experienced errata problems.

Based on the Westinghouse and manufacturer verification and testing of the chips, the staff considers the errata question resolved.

Westinghouse has procedures for burn-in and stress analysis on all associated electronic boards used in the Eagle 21.

In addition, Ceco will be operating the system for approximately two months before power ascension.

The staff finds these are acceptable indicators for chip / board problems and has no safety concerns in this area.

However, CECO has committed to notifying the staff of any Eagle 21 failures and system problems that occur (reference 8).


B. Eagle 21 Specific Failures

There were three prominent hardware failures that occurred at other Eagle 21 applications that required analysis and/or replacement for future Eagle applications, including Zion.

First, the Test Sequence Processor (TSP) and the Loop Calculation Processor (LCP) experienced intermittent timing problems and halts.

Westinghouse resolved the failures by replacing the clock.

Westinghouse verified that the TSP and LCP boards for the Zion application contain the replacement clocks.

Second, Westinghouse identified unusually high failure rates of the DC/DC convertor modules used in the Eagle 21 systems.

To ensure that these failures would not affect the Zion application, Westinghouse determined that the modules used at Zion either have been replaced with modules that have passed a Westinghouse screening test or have been modified by the manufacturer to preclude degraded operation at elevated temperatures.

Third, the AC/DC power supplies experienced capacitor failures which adversely affected the Eagle 21.

Westinghouse replaced these capacitors to eliminate this problem and therefore, it is not a concern for the Zion application.

There were two notable software failures that occurred in operating Eagle 21 systems. First, the equations that compute the Comparator trip setpoints in the automatic surveillance tester were found to be in error.

In particular, uncertainties exhibited by system hardware were incorrect and the over-temperature and over-power setpoints did not incorporate all the contributing terms.

These errors were not identified by the V&V process and were not discovered until after Sequoyah Units 1 and 2 were at power and operating with the Eagle 21 system.

Westinghouse corrected the errors and implemented changes to the V&V process to minimize the possibility of recurrence.

These V&V changes were in place for the Zion Eagle 21 project.

Second, Turkey Point attempted to input tuning constants into the Eagle 21 for the Axial Flux Difference calculations.

However, the Eagle 21 would not accept these values because they were out of range of the hard-coded range adjustment. To resolve this problem, Westinghouse modified the code to include a wider range adjustment.

The root cause of the problem was attributed to the use of a generic range value that was not applicable to the Turkey Point Eagle 21 application.

This error was not caught by the V&V program and was not discovered until plant power ascension.

For the Zion application, CECO took a proactive role in software functional requirement development. As part of this involvement, both Ceco and Westinghouse verified that plant specific values were correctly incorporated into the Zion software.

Based on the staff's assessment of these failures, the staff finds that the specific failures were addressed for the Zion Station Eagle 21.

Furthermore, CECO's proactive involvement in the software development provides additional assurance that plant specific software needs have been correctly incorporated into the Eagle 21.

C. Eagle 21 Users Group

CECO voluntarily joined an Eagle 21 users group to discuss operating experiences and concerns, help identify, prioritize and expedite the resolution of Eagle 21 issues, and develop working relationships with other utility members.

The group held its first formal meeting in September 1991 with representatives from Westinghouse and four utilities. The staff considers this group to be a positive attribute of the Eagle 21 system and of Ceco's commitment to maintaining a reliable system.

This type of group will allow the users/owners to discuss abnormal system occurrences and failures and could lead to earlier diagnosis of potential problems.

XI. SYSTEM EFFECT ON RELATED LICENSING ISSUES

The staff inquired about the system's impact on three related issues:

(1) Regulatory Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident;" (2) Station Blackout (SBO), 10 CFR 50.63; and (3) Anticipated Transient Without Scram (ATWS), 10 CFR 50.62.

CECO stated that the Eagle 21 system would not alter existing Regulatory Guide 1.97 commitments for channels currently processed by the 7100 analog equipment.

However, Ceco will be incorporating two level channel indicators into the Eagle 21 to fulfill additional Regulatory Guide 1.97 commitments. The two channels are Refueling Water Storage Tank Level and Condensate Storage Tank Level.

The staff asked CECO to evaluate the effect of the Eagle 21 load on the instrument busses and the temperature effects of the Eagle 21 during an SBO.

Ceco stated that the bus will remain below full load and will not invalidate the loading assumed for the four hour SBO duration.

Ceco also stated that the Eagle 21 will not alter the temperature profile for the AEER during the SBO and that the temperatures will remain below maximum Eagle 21 qualification temperatures.

Ceco's ATWS system will remain unaffected by the Eagle 21 replacement and is diverse from the Eagle 21 system. However, Ceco has committed to increased administrative controls on the ATWS system as part of the Defense-in-depth analysis (reference 8).

Based on the staff's review of these issues and Ceco's responses, the staff finds the impact on these issues acceptable and has no additional safety concerns.

XII. TRAINING AND PROCEDURES

An important part of assimilating the Eagle 21 into the Zion Station environment is ensuring that all procedures affected by the modification are correctly updated and that the operators and technicians have sufficient training in the use and repair of the new system.

As expected, a number of existing station procedures will need revision and new procedures will require development to accommodate the Eagle 21.

The affected procedures include surveillance, channel calibration, Annunciator Response, and Abnormal Operating Procedures.

Zion Administrative Procedure (ZAP) 3-51-1B for plant modifications, requires the Technical Staff Engineer (TSE) to initiate procedure changes related to the modification which are then reviewed and approved by the Technical Staff Supervisor.

Once the procedures are changed, they are again reviewed by the TSE and sent to the On-site Review Committee for approval.

Westinghouse is providing detailed operation and maintenance manuals to Ceco.

Ceco will incorporate these vendor recommendations into their station procedures in accordance with the Ceco commitment under Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Event."

The incorporation of these recommendations is administratively controlled by the Vendor Equipment Technical Information Program documented in ZAP 6-52-5.

A sample of draft procedures was available for review.

The staff reviewed these procedures and, based on that review and the administrative controls stated above, the staff finds the CECO approach acceptable.

Ceco and Westinghouse developed a training program for the Instrumentation Maintenance Department, Technical Staff, Engineering Department, and Operations Department. Ceco's staff is trained and examined on the new system, and refresher courses will be held as needed.

The specifics of the program are described in the "Zion Eagle 21 Licensing Report" (reference 3).

Based on the Licensing Report and discussions with CECO, the training appears comprehensive and is acceptable to the staff.

The staff and Ceco also discussed human factors aspects of the Eagle 21 installation.

The staff noted that the MMI is easily used and understood and that the only change to the control room is the addition of annunciator windows for Eagle 21 status indication.

The staff has no safety concerns on this subject.

XIII. TECHNICAL SPECIFICATION CHANGES

Ceco proposed an amendment to the Technical Specifications of Facility Operating Licenses DPR-39 and DPR-48 to address the Eagle 21 installation.

CECO proposes adding the following Digital Channels test definition to the Channel Functional Test definition (reference 3):

c. Digital Channels - The injection of a simulated signal(s) into the channel as close to the sensor input to the process racks as practicable to verify OPERABILITY including alarm and/or trip functions.

The staff finds the proposed definition acceptable and consistent with the Eagle 21 design.


XIV. APPLICATION TO UNIT 2

This Safety Evaluation will apply to both Unit 1 and Unit 2.

A brief comparison between the two Units is provided below. Unit 1 and Unit 2 share a control room and are mirror images of each other.

The AEERs are also mirror images of each other and contain the same equipment.

The procedures are predominantly the same and the operators and technicians work in both Units.

The Unit 2 installation is scheduled to begin in the September 1992 time frame, and the installation for Unit 2 will be handled by the same CECO personnel as Unit 1.

Like Unit 1, there will be a 100% walk-down of the cabling and terminations that interface with the Eagle 21.

The hardware and software for both units are the same, with minor software changes to accommodate the Unit differences.

Therefore, the staff review of software, equipment qualification (see below for additional discussion on EMI/RFI), isolation devices, and testability is applicable to both Units.

To sustain the staff's findings on grounding, power, Defense-in-depth, and system effect on related licensing issues, CECO will have to verify that the staff bases stated in this report are applicable to Unit 2, accounting for any Unit differences.

As stated in Section II, CECO performed additional EMI/RFI testing and analysis to demonstrate that the Eagle 21 is qualified for its environment.

By letter dated March 27, 1992, CECO stated that there was ample margin between the worst case noise in the Unit 1 AEER and the noise susceptibility of the Eagle 21 electronics (reference 6).

CECO then compared the Unit 1 AEER and environment to the Unit 2 AEER and environment.

CECO stated that (1) the Unit 2 AEER is an almost exact mirror image of the Unit 1 AEER with the same equipment and layout; (2) the construction of the room walls is identical; (3) the proximity of the cables in the cable spreading room below is similar to Unit 1; (4) the loads on the cables in the Unit 2 cable spreading room should have no effect on the Unit 2 AEER environment based upon the testing in Unit 1; and (5) the only EMI/RFI anomalies noted in Unit 1 were directly in front of the DC meters and therefore the same is expected for Unit 2.

Based on this comparison, Ceco stated that there was sufficient justification for not performing field EMI/RFI measurements in the Unit 2 AEER.

Although the staff does not fully agree with all of the Ceco/Westinghouse assertions and assumptions on this issue (see Section II of this report), the staff does agree that there is sufficient justification for not performing additional EMI/RFI field testing in the Unit 2 AEER. However, if the periodic system performance reports indicate otherwise (see next section), additional CECO/Westinghouse analysis and staff review may be required.

Based on the foregoing comparison, the staff finds that this Safety Evaluation Report does apply to Unit 2 under two conditions.

First, CECO must fulfill its commitment to send the staff a follow-up report (reference 8) summarizing the Unit 2 installation and on-site test results (start-up, response times, etc.).

Second, CECO must verify that the bases for the staff's findings in this report are applicable to the Unit 2 installation.

If during the course of CECO's comparison and/or Unit 2 installation Ceco determines that the staff findings in this report are not valid for Unit 2, then CECO must notify the staff and additional review may be necessary.

XV. FOLLOW-UP REPORTING

The installation of the Eagle 21 and initial start-up testing were underway during the preparation of this Safety Evaluation Report.

Since the final test results were not yet available, the staff asked Ceco to supply summary reports upon the completion of these tests to further substantiate the staff findings in this Safety Evaluation Report.

CECO committed to supplying these reports in a letter dated April 10, 1992 (reference 8).

The reports expected by the staff are:

(1) a summary of the additional power quality testing including the results, a comparison to the Eagle 21 specifications, and a brief summary of the analysis of the effect of any increased distortion created by the Eagle 21 on other plant instruments; (2) summaries of the response time testing including a description of the test, the results with comparisons to the safety analysis, and any physical or analytical changes that may be required; (3) results of the ground and power line continuity measurements and changes that were needed; and (4) summaries of the Westinghouse and CECO on-site start-up, sequencer, functional and system verification testing.

The staff expects these same reports for the Unit 2 installation, with the addition of a summary of the Ceco analysis of the application of the bases for the staff's Unit 1 findings to Unit 2.

CECO also committed to providing system performance reports every 4 months for the first operating cycle (reference 8).

The reports will describe any system failures, maintenance problems, unusual occurrences, and anomalous indications (reference 8).

These reports are one of the factors that the staff considered to offset the digital system uncertainties in the Zion Station Eagle 21 replacement project.

XVI. STATE CONSULTATION

In accordance with the Commission's regulations, the Illinois State official was notified of the proposed issuance of the amendments.

The State official had no comments.

XVII. ENVIRONMENTAL CONSIDERATION

The amendments change a requirement with respect to the installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20.

The NRC staff has determined that the amendments involve no significant increase in the amounts, and no significant change in the types of any effluents that may be released off-site, and that there is no significant increase in individual or cumulative occupational radiation exposure.

The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there has been no public comment on such finding (57 Fed. Reg. No. 11, 1930). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).

Pursuant to 10 CFR 51.22 (b), no environmental impact statement or assessment need be prepared in connection with the issuance of the amendments.


CONCLUSIONS

The staff considered the safety implications of operating with an aging analog system, the V&V process used for software development, the review as stated in this Safety Evaluation Report, the Defense-in-depth concepts used to compensate for software common mode failure concerns, the commitment of CECO during this modification to ensure that the system is fully and correctly implemented at the Zion Station, the staff's ability to monitor and assess system performance through the follow-up reporting commitments, and the experiences with the Sequoyah Eagle 21.

Based on these considerations and the foregoing review, the staff finds that there is reasonable assurance that the Eagle 21 system at the Zion Station conforms to 10 CFR Part 50, Appendix A, GDCs 2, 4, 20, 21, 22, 23, 24 and 25, Sec. 50.55a(h) with respect to IEEE Std. 279, and Regulatory Guide 1.152.

Therefore, the staff finds the Eagle 21 modification at the Zion Station acceptable.

The staff also notes that the system is capable of various upgrades of varying magnitudes.

Some of these system changes may invalidate portions of the staff's review.

Therefore, it is incumbent upon CECO to carefully analyze any future modifications to this system to ensure that the staff's finding remains valid.

Based on the considerations discussed above, the Commission concludes that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Author/Principal Contributor: Garry E. Garten, NRC/NRR/DST, 301-504-2931

Contributors: Brian McDermott, NRC; Scott Matthews, NRC Consultant; Greg Miller, NRC Consultant; Eric Yarger, NRC Consultant

Dated: June 9, 1992

REFERENCES

1. Letter from J. F. Stolz, Nuclear Regulatory Commission, to E. J. Mroczka, Connecticut Yankee Atomic Power Company, dated March 21, 1990, "Haddam Neck Reactor Protection System Upgrade."

2. Letter from B. A. Boger, Nuclear Regulatory Commission, to E. E. Fitzpatrick, Indiana Michigan Power Company c/o American Electric Power Service Corporation, dated August 22, 1991, "Analog-to-Digital Instrument Replacement Under 10 CFR 50.59 - Donald C. Cook Nuclear Plant Units 1 and 2."

3. Letter from S. F. Stimac, Commonwealth Edison Company, to T. E. Murley, Nuclear Regulatory Commission, dated December 26, 1991, "Zion Station Units 1 and 2, Application for Amendment to Facility Operating Licenses DPR-39 & DPR-48, Appendix A, Technical Specifications, NRC Docket Nos. 50-295 and 50-304."

4. Letter from J. B. Hickman, Nuclear Regulatory Commission, to T. J. Kovach, Commonwealth Edison Company, dated March 10, 1992, "Eagle-21 Review for Zion Station, Units 1 and 2."

5. Letter from J. B. Hickman, Nuclear Regulatory Commission, to T. J. Kovach, Commonwealth Edison Company, dated March 10, 1992, "Request for Additional Information in Support of the Eagle-21 Review for Zion Station Units 1 and 2."

6. Letter from S. F. Stimac, Commonwealth Edison Company, to T. E. Murley, Nuclear Regulatory Commission, dated March 27, 1992, "Zion Station Units 1 and 2, Application for Amendment to Facility Operating Licenses DPR-39 & DPR-48, Appendix A, Technical Specifications, Response to NRC Request for Additional Information, NRC Docket Nos. 50-295 and 50-304."

7. Letter from S. F. Stimac, Commonwealth Edison Company, to T. E. Murley, Nuclear Regulatory Commission, dated April 3, 1992, "Zion Station Units 1 and 2, Application for Amendment to Facility Operating Licenses DPR-39 & DPR-48, Appendix A, Technical Specifications, Response to NRC Request for Additional Information, NRC Docket Nos. 50-295 and 50-304."

8. Letter from S. F. Stimac, Commonwealth Edison Company, to T. E. Murley, Nuclear Regulatory Commission, dated April 10, 1992, "Zion Station Units 1 and 2, Application for Amendment to Facility Operating Licenses DPR-39 & DPR-48, Appendix A, Technical Specifications, Response to NRC Request for Additional Information, NRC Docket Nos. 50-295 and 50-304."

9. Letter from S. F. Stimac, Commonwealth Edison Company, to T. E. Murley, Nuclear Regulatory Commission, dated November 27, 1991, "Zion Station Units 1 and 2, Application for Amendment to Facility Operating Licenses DPR-39 & DPR-48, Appendix A, Technical Specifications, NRC Docket Nos. 50-295 and 50-304."


June 2, 1993

Mr. Alex Marion, Manager
Technical Division
Nuclear Management and Resources Council
Suite 300
1776 Eye Street, N.W.
Washington, D.C. 20006

Dear Mr. Marion:

The purpose of this letter is to thank you for your cooperation with the NRC staff on issues regarding digital instrumentation and control system upgrades, and to transmit the NRC staff comments on the draft "Guideline for Licensing Digital I&C Upgrades." The enclosed comments are in the form of strikeouts and redline of the original draft.

The primary NRC staff concern, as discussed in our meeting on the 15th of April and as reflected in our comments, is the need to clearly establish a threshold for NRC staff review of certain digital I&C system upgrades, primarily based on the impact of software reliability and electromagnetic environment on the current plant safety analysis.

We look forward to future interactions with NUMARC, and are prepared to meet with you as necessary to discuss the proposed draft guideline at a mutually convenient time.

Please feel free to contact me at (301) 504-2821 or Paul Loeser at (301) 504-2825 should you have any questions or comments.

Jared S. Wermiel, Chief
Instrumentation and Controls Branch
Division of Reactor Controls and Human Factors

Enclosure: As stated

DISTRIBUTION: Central File, HICB R/F, PDR, P. Loeser, J. Mauck, J. Wermiel, B. Boger, W. Russell

Document Name: NRC-UPDT.LTR


TABLE OF CONTENTS

SECTION / PAGE

Section 1 INTRODUCTION 1-1
1.1 BACKGROUND 1-1
1.2 PURPOSE 1-2
1.3 CONTENT OF THIS GUIDELINE 1-3
Section 2 DEFINITIONS AND TERMINOLOGY 2-1
Section 3 THE EXISTING LICENSING PROCESS AND 10CFR50.59 3-1
3.1 WHEN 10CFR50.59 APPLIES 3-1
3.2 REVIEW FOR POTENTIAL TECH SPEC CHANGES 3-1
3.3 PERFORMING THE 10CFR50.59 SAFETY EVALUATION 3-3
3.4 APPLICATION OF THE EXISTING LICENSING PROCESS TO DIGITAL UPGRADES 3-4
Section 4 GUIDANCE ON ADDRESSING DIGITAL UPGRADE ISSUES 4-1
4.1 SOFTWARE 4-2
4.1.1 Software Design and Quality Assurance 4-2
4.1.2 Software Common Mode Failures and Defense in Depth 4-3
4.2 EQUIPMENT QUALIFICATION INCLUDING EMI 4-6
4.3 MAN-MACHINE INTERFACE (MMI) 4-9
4.4 COMMERCIAL GRADE ITEM DEDICATION 4-10
4.5 DESIGN, SPECIFICATION, AND IMPLEMENTATION PROCESS 4-10
4.5.1 Definition of Systems, Interfaces, and Design Requirements 4-11
4.5.2 Plant-Specific Configurations and Optional Features 4-11
4.5.3 Design Specification 4-11
Section 5 SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS OF DIGITAL UPGRADES 5-1
Section 6 REFERENCES 6-1

Section 1 INTRODUCTION

1.1 BACKGROUND

Nuclear utilities are modernizing their existing analog instrumentation and control (I&C) systems.

The upgrades are being driven primarily by the growing problems of obsolescence, difficulty in obtaining parts, and increased maintenance costs of the analog electronic systems. There also is great incentive to take advantage of modern digital technologies which offer potential performance and reliability improvements.

To assist the utilities in these upgrades, the Electric Power Research Institute (EPRI) has undertaken a number of activities as part of an overall Integrated I&C Upgrade Program. Preparation of this guideline is one of the activities. EPRI and the Nuclear Management and Resources Council (NUMARC) are coordinating industry interaction with the Nuclear Regulatory Commission (NRC) in providing guidance for licensing digital I&C upgrades. The goal of these activities is a well-defined, stable, and predictable regulatory framework which ensures that digital I&C system upgrades are accomplished in a safe and effective manner.

A number of issues have been identified related to the use of digital computer-based equipment in safety systems. These include the use of software and the potential for common mode failure resulting from software errors, the effect of electromagnetic interference on digital computer-based systems, the use and control of configuration equipment, and the commercial dedication of digital equipment including software. The most notable of these concerns is the use of software and potential software common mode failures.

The industry and NRC have recognized that it is important for digital I&C upgrades to go forward. Analog systems are continuing to become obsolete and difficult to support as vendors are discontinuing their lines of analog electronic equipment. Modern digital systems offer the potential to provide greater system reliability through the use of reliable digital components and features such as automatic self-testing and diagnostics. Assessment of system reliability should consider the effects of both the reliability enhancing features and the potential failure modes. When properly implemented, digital I&C upgrades can improve the safety of operating plants.

1-1

1.2 PURPOSE

The purpose of this document is to provide guidance that will assist utilities in accomplishing digital I&C upgrades within a stable licensing environment. The basic approach is to follow the existing licensing process governed by 10CFR50.59 and to establish a threshold above which the digital upgrade is expected to fail the criteria of 10 CFR 50.59, therefore requiring prior Commission approval. For digital systems below the threshold, the utilities may determine, using the criteria of 10 CFR 50.59, that there is no unreviewed safety question, and no prior Commission approval is required. Some concerns stem from the design characteristics of the digital electronics which could result in new failure modes and system malfunctions that are considered unreviewed safety questions. These concerns include but are not limited to the use of software, the effect of electromagnetic interference, the use and control of configuration equipment, the effect that some digital designs have on diverse trip functions, failures specific to digital hardware, effective system integration, man-machine interface, and the commercial dedication of digital electronics. The most notable of these concerns is the use of software in a safety-related system.

The threshold concept does not alleviate the responsibility or authority of the licensee to perform an evaluation against 10 CFR 50.59 in every case of equipment upgrade or modification, nor does it predetermine the outcome. It is possible that in cases where one digital system is replacing another digital system, for example, these issues have already been reviewed, and are therefore included in the licensing basis. It may also be that there is sufficient diversity in both hardware and software within a system that when a common mode software failure is assumed, diverse channels will cause the system to perform its intended function. In each case, it is the responsibility of the licensee to perform the 50.59 evaluation, and take action as appropriate.

It should be noted that for those cases where a licensee is proposing a modification to a design previously approved by the Commission, or references a design previously approved by a topical report evaluation, the scope of the NRC staff review would most likely be significantly reduced. In such cases, the NRC staff review would focus on plant specific issues (e.g. environmental effects, quality control plans, and any operating experience) and not reopen those generic concerns (e.g. software quality) previously reviewed and approved.

However, this supplemental guidance is provided to facilitate the safety evaluation process for upgrades that use digital computers and software. This document provides guidance for:

• Performing and documenting 10CFR50.59 evaluations for digital upgrades, and

• Addressing the issues, noted above, that are associated with digital upgrades in safety systems.

The intent is that, if the utility follows the guidance provided in this document, the upgrade will satisfy licensing requirements with respect to the issues identified above, and the design will ultimately provide a safe and reliable system whether or not prior Commission approval is required.

1-2

1.3 CONTENT OF THIS GUIDELINE

Section 2 provides definitions for key terms used in the guideline. Section 3 describes the existing licensing process which is followed when making plant modifications, including evaluation for changes to the plant Technical Specifications and performing safety evaluations required by 10CFR50.59. Section 4 describes the special considerations that apply to the licensing process for digital upgrades in safety systems. It provides guidance for addressing the issues of software, electromagnetic interference, man-machine interfaces, and commercial dedication. Section 5 provides supplemental guidance for performing a 10CFR50.59 safety evaluation for a digital upgrade. Section 6 provides a list of documents which are referenced in this guideline and which provide supporting information and guidance. Appendix A provides additional background and examples in the form of case studies.

1-3

Section 2 DEFINITIONS AND TERMINOLOGY

This section gives definitions for key terms as they are used in this guideline. When the definition is taken from another source, the source is noted in brackets.


Commercial grade item. An item which: (a) is not subject to design or specification requirements that are unique to nuclear facilities; (b) is used in applications other than nuclear facilities; and, (c) is to be ordered from the manufacturer/supplier on the basis of specifications set forth in the manufacturer's published product description.

Commercial grade item dedication. A process of evaluating, including testing, and accepting commercial grade items to obtain adequate confidence in their suitability for safety application.

Computer. See programmable digital computer.

Computer program. A schedule or plan that specifies actions that may or may not be taken, expressed in a form suitable for execution by a programmable digital computer. [ANSI/IEEE-ANS 7-4.3.2-1982]

Configuration control. An element of configuration management consisting of the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. [ANSI/IEEE 610.12-1990]

Data. A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by a programmable digital computer. [ANSI/IEEE-ANS 7-4.3.2-1982]

Digital computer. See programmable digital computer.

Electromagnetic compatibility (EMC). The ability of equipment to function satisfactorily in its electromagnetic environment without introducing intolerable disturbances to that environment or to other equipment. [IEC 801-3-1984]

Electromagnetic interference (EMI). Electromagnetic disturbance which manifests itself in performance degradation, malfunction, or failure of electrical or electronic equipment. [IEC 801-3-1984]

Firmware. The combination of software and data that resides in read-only memory.

Integration tests. Tests performed during the hardware-software integration process prior to computer system validation to verify compatibility of the software and the computer system hardware. [ANSI/IEEE-ANS 7-4.3.2-1982]

2-1

Microprocessors. See programmable digital computer.

Programmable digital computer. A device that can store instructions and is capable of the execution of a systematic sequence of operations performed on data that is controlled by internally stored instructions. [ANSI/IEEE-ANS 7-4.3.2-1982]

Radio-frequency interference (RFI). A form of electromagnetic interference (EMI). EMI is a broader definition which includes the entire electromagnetic spectrum, whereas RFI is more restricted to the radio-frequency band, generally considered to be between 10 kHz and 50 GHz. This term has been superseded by the broader term EMI.

Safety related. See safety systems.

Safety systems. Those systems that are relied upon to remain functional during and following design basis events to ensure (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (iii) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the 10 CFR Part 100 guidelines. [IEEE 603-1991]

Software. Computer programs and data. [ANSI/IEEE-ANS 7-4.3.2-1982]

Verification and Validation (V&V). The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements. [IEEE 610.12-1990]

2-2

Section 3 THE EXISTING LICENSING PROCESS AND 10CFR50.59

As part of making a change to a nuclear power plant, the utility performs the necessary reviews and evaluations to ensure that the change is safe, verifies that the change meets the applicable regulations, determines the effect of the change on the plant's licensing basis, and determines whether licensing review or approval of the change is needed from the NRC. An important regulation that governs changes to a licensed nuclear facility is 10CFR50.59. This regulation gives the utility the prerogative to make changes to the plant without prior NRC review or approval, as long as a safety evaluation is performed and several conditions are met as spelled out in the regulation.

Specifically, under the provisions of 10CFR50.59 the licensee is allowed to (a) make changes in the facility as described in the Safety Analysis Report, (b) make changes in the procedures as described in the Safety Analysis Report, and (c) conduct tests or experiments not described in the Safety Analysis Report without NRC review and approval prior to implementation, provided the proposed change, test, or experiment does not involve a change in the Technical Specifications or an unreviewed safety question. A proposed change, test, or experiment is considered to involve an unreviewed safety question (1) if the probability of occurrence or the consequence of an accident or malfunction of equipment important to safety previously evaluated in the Safety Analysis Report may be increased, or (2) if the possibility for an accident or malfunction of a different type than any previously evaluated in the Safety Analysis Report may be created, or (3) if the margin of safety as defined in the basis for any Technical Specification is reduced.

Figure 1 shows the process that typically is followed in performing safety reviews and addressing the licensing aspects of a proposed change. The figure is taken from NSAC-125.[2]

3.1 WHEN 10CFR50.59 APPLIES

NSAC-125 provides detailed guidance for determining if the subject system is included in those for which 10CFR50.59 is applicable. As discussed in NSAC-125, 10CFR50.59 requires safety evaluations only for changes to the facility that affect the design, function, or method of performing the function of a structure, system, or component (SSC) described in the Safety Analysis Report (SAR) either by text, drawing, or other information relied upon by the NRC in granting the license.

The intent is to require a safety evaluation for any modification that could affect the safety analysis.

NSAC-125 provides examples for this determination and discusses issues such as distinguishing between a maintenance activity and a design change.

3.2 REVIEW FOR POTENTIAL TECH SPEC CHANGES

[2] NSAC-125 is an industry guideline that has been used widely by utilities to develop their specific procedures for compliance with 10CFR50.59.

3-1

[Figure 1: Safety Review Process (From NSAC-125). Annotation on the chart: "This chart is unchanged, and will be used as in NSAC-125."]

3-2

The determination of whether the upgrade involves a Technical Specification change can be made by a review of the Technical Specifications relative to the planned upgrade. The review should cover the items listed below:

• Safety limits, limiting safety system settings, and limiting control settings. These are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity.

• Limiting conditions for operation. These are the functional capabilities or performance levels of equipment required for safe operation of the facility.

• Surveillance requirements. These are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within the safety limits, and that the limiting conditions of operation will be met.

• Design features. Design features to be included are those features of the facility such as time response and channel accuracy which, if altered or modified, could have a significant effect on safety.

• Administrative controls. These provisions relate to organization and management, procedures, record keeping, review and audit, and reporting necessary to assure operation of the facility in a safe manner.

The review should address the bases for the Technical Specifications and applicable plant Safety Evaluation Reports (SERs) to determine if any changes are needed. It should consider in particular any parameters or assumptions that may have been unique to the analog system and no longer apply with the digital upgrade. It should also include consideration of parameters or assumptions unique to digital systems that were not required for analog systems, and therefore need to be added.

If the planned upgrade involves a change to the Technical Specifications, then the licensee must submit a request for amendment to the facility license in accordance with the provisions of 10CFR50.90. The NRC must approve the Technical Specification change prior to implementation of the plant modification. The submittal should concentrate on those aspects of the modification that result in the Technical Specification change.

3.3 PERFORMING THE 10CFR50.59 SAFETY EVALUATION

NSAC-125 provides general guidance for preparation of a safety evaluation when it is required by 10CFR50.59. See Figure 1. The three questions posed by 10CFR50.59 are broken down to seven questions in NSAC-125 that are more specific and somewhat easier to address. The seven questions are explained and guidance is given on how to address them and determine whether the change involves an unreviewed safety question.

The possibility of a malfunction not previously evaluated in the final safety analysis report, and a possible reduction in the current safety margin, calls into question the performance of an analog-to-digital modification of a safety system under the 10 CFR 50.59 rule. Therefore, for digital upgrades involving the Reactor Protection System (RPS), the Engineered Safety Features (ESF) control and actuation systems, or systems which fall into the Post Accident Monitoring (PAM) Category I items as defined in Regulatory Guide 1.97, application of 10 CFR 50.59 would lead to an unreviewed safety question and thus prior Commission approval of the change is required. This position is based upon the understanding that with the possibility of common mode software failure and increased sensitivity to the electromagnetic environment, and the high degree of importance to safety of these systems, an evaluation based on the 10 CFR 50.59 rule will show that new failure modes and thus an unreviewed safety question exists. Modifications to systems other than those mentioned above are below the threshold because of their lesser safety significance, and after an evaluation against 10 CFR 50.59 is done, it may be that no Commission approval is required prior to implementation of the change. This determination will depend upon the outcome of the specific 10 CFR 50.59 evaluation. If the change is determined to involve an unreviewed safety question, the licensee must request review and approval from NRC prior to implementation. The submittal should concentrate on those aspects of the change that result in the unreviewed safety question.

3-3

3.4 APPLICATION OF THE EXISTING LICENSING PROCESS TO DIGITAL UPGRADES

The process described above - determining when 10CFR50.59 applies, whether a modification involves a Technical Specification change, and whether it involves an unreviewed safety question based on the questions in 10CFR50.59 - applies to digital I&C upgrades as it does to other plant modifications. However, there are some additional special considerations that should be addressed when making digital I&C upgrades to safety systems. These special considerations address issues such as use of software and the potential for software common mode failures. The special considerations for digital upgrades are discussed in Section 4. Guidance for addressing them, within the context of the existing licensing process described above, is given in Sections 4 and 5.

In general, software cannot be thought of as an electronic component similar to other components installed in redundant channels that are physically and electrically separated from each other as was done with previously licensed analog designs. Once a final software package is developed, this exact same package (component) may be installed in each redundant channel including any errors and failure mechanisms that may be induced by the software itself. With the same software component installed in each redundant channel or train of a safety system, the potential exists for a simultaneous failure in multiple safety trains. Such a failure would affect the ability of the safety system to perform its intended safety function. This concern is compounded by the use of portable configuration equipment that can alter the software in the field. As a result, the concern yields questions regarding the application of the single failure, independence, and separation criteria that were inherent in the original safety analysis. Furthermore, since some digital system designs use common information highways or can handle multiple input functions, a single digital equipment failure in one train could affect a number of the available trip functions thereby reducing the availability and functional diversity of existing designs.

3-4

Section 4 GUIDANCE ON ADDRESSING DIGITAL UPGRADE ISSUES

Section 1 listed several issues that have been identified with digital I&C upgrades in safety systems. These issues should be given special consideration in the design, specification, evaluation, and implementation of safety system digital upgrades. Specifically:

• The design and use of software should be given special attention, including verification and validation (V&V) and configuration management for software and the potential for software common mode failures.

• Qualification of computer-based equipment and demonstration of its compatibility with the environment should include consideration of electromagnetic interference (EMI) susceptibility and emissions.

• The potential for errors or inadvertent or unauthorized changes to be introduced via a man-machine interface (MMI) for computer-based equipment should be considered (e.g., via a configuration terminal, operator interface, or maintenance technician interface).

• Training and personnel qualifications.

• Commercial grade item dedication to qualify commercial grade digital equipment for use in safety systems should include consideration of software as well as hardware.

• Functional diversity and system diversity (ATWS).

This section describes how each of these issues can be addressed. The existing design basis issues carried over from previous analog equipment which are applicable (i.e., seismic qualification, redundancy, etc.) also need to be addressed. In many cases it draws on existing standards, regulatory requirements, and other sources of technical guidance, providing a summary or roadmap to these sources of guidance and discussing options the utility has for addressing the issues. Section 5 provides guidance on answering the 10CFR50.59 questions regarding potential unreviewed safety questions. It supplements the guidance that already is provided in NSAC-125, providing detailed questions that should be considered to address specifically the issues associated with digital I&C upgrades.

Section 3 discussed briefly the submittals that are required when the licensee determines that a modification involves a Technical Specification change or an unreviewed safety question. Note that it can be beneficial to inform the NRC early in the process, prior to determining what formal submittals may be required, about the intention to make a digital upgrade to a safety system. This can be informal, and it can help avoid misunderstandings and facilitate useful and timely interactions between the utility and NRC, potentially leading to a smoother licensing process for the upgrade.

4-1


4.1 SOFTWARE

4.1.1 Software Design and Quality Assurance

The design of digital computer-based I&C upgrades should place a high importance on software reliability and should include a well-defined process for software development, quality assurance, and configuration control.

Note that there may be several different types or categories of software involved in the upgraded system, with different organizations responsible for each. For example, the computer-based system may include:

• Base software delivered with the system (often as embedded firmware), developed by the vendor and its subvendors - typically the vendor carries out the quality assurance, verification and validation of this software (e.g., for a programmable controller, the base software that implements the controller algorithms typically is unchanged from application to application);

• Application-specific software, including configuration information - if the utility is responsible for developing this software, it has the responsibility for its verification and validation (e.g., configuration data or software settings that configure selected algorithms of a programmable controller to implement the particular control application).


The responsibilities for development, V&V, and configuration control of the different portions of the software should be clearly specified. Also, required interactions between the utility and vendor in the development, review, and testing of the software should be specified. The utility should ensure that plant-specific or application-specific information needed by the vendor is adequately communicated and documented. Responsibility for the correct implementation and operation of the software rests with the licensee.

Standards, methods, and guidelines are available that allow the utility and the vendor to assure adequate software design, quality assurance, and verification and validation. Guidance for computer software development and integration of hardware and software for safety systems is provided in ANSI/IEEE-ANS 7-4.3.2. The 1982 revision of this standard was endorsed by Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."

The following additional standards also can be used for guidance:

ASME NQA-2a-1990 Part 2.7  Quality Assurance Requirements of Computer Software for Nuclear Facility Applications
ANSI/IEEE 730-1989  IEEE Standard for Software Quality Assurance Plans
ANSI/IEEE 828-1990  IEEE Standard for Software Configuration Management Plans
ANSI/IEEE 830-1984  IEEE Guide to Software Requirements Specifications
ANSI/IEEE 1012-1986  IEEE Standard for Software Verification and Validation Plans
ANSI/IEEE 1016-1987  IEEE Recommended Practice for Software Design Descriptions
ANSI/IEEE 1028-1988  IEEE Standard for Software Reviews and Audits
ANSI/IEEE 1063-1987  IEEE Standard for Software User Documentation
IEC 880-1986  Software for Computers in the Safety Systems of Nuclear Power Stations

4-2

4.1.2 Software Common Mode Failures and Defense in Depth

Software reliability is a key element in the design of a digital computer-based I&C upgrade. Requirements and guidance provided in ANSI/IEEE-ANS 7-4.3.2 should be followed as discussed above to ensure that the software that is produced is of high quality and therefore reliable. Also, features such as automatic self-testing and diagnostics which are provided by modern software-based systems should be recognized for their potential to enhance system reliability. At the present time, however, there is a lack of consensus on methods for quantifying software reliability, particularly at the levels required of a safety system. As a result, there remain questions, particularly for relatively complex software-based systems, on the reliability of individual computers and the potential for a software common mode failure to cause a situation that is detrimental to plant safety.

The potential for software failures, including common mode failures, should be considered in the context of the overall assessment of system failure modes and the consequences of failures. The assessment of failure modes should be conducted at the system level and should not be limited to evaluation of individual hardware or software component failures; a system-level failure assessment should consider the possible failure modes for the system as a whole (e.g., fail high, fail low, or fail as-is for the system output).

A process that can be used to address software common mode failures is outlined below. Figure 2 provides a flowchart illustrating this process.

For each software failure that is considered:

1. Since it is considered impossible to prove that software is error-free, software failure is deemed to be credible:

• For simple systems which have extensive experience (both hardware and software), the measures taken to ensure software quality combined with successful operating experience gained with the system may be such that a software common mode failure is considered less likely, but is still credible.

• For more complex systems or systems that have not seen extensive operating experience, software common mode failure may be considered more probable and, if so, should be given further evaluation (below).

4-3

[Figure 2: Addressing Software Common Mode Failure]

4-4


2. Assess the consequences of the software failure, assuming it does occur. Determine whether the consequences of the software failure represent an accident or malfunction of a different type than evaluated previously. It should be remembered that there is no guidance for quantitatively assessing software failure probabilities at this time. If the system under review is a backup system that must perform only when certain events occur, then a software failure in that system is important only if it could occur coincident with these other events producing the need for the backup system.

If a software failure of this type has already been evaluated and documented in the safety analysis report, then this particular failure need not be considered further. It would not represent an unreviewed safety question per 10CFR50.59.

However, if it is concluded that this is a new type of failure, then protection against the consequences of the failure shall be considered (below). Note that this typically would mean the change involves an unreviewed safety question per 10CFR50.59 and NRC review and approval would be required prior to implementation.

3. Assess the defense in depth that is provided which would mitigate the effects of the plant design basis accidents even if the upgraded system suffered the software common mode failure. There are several options for demonstrating adequate defense in depth:

• Demonstrate that there is defense in depth with existing systems, procedures, and training which is adequate to mitigate the effects of the design basis accidents even if the upgraded system suffers the software common mode failure of concern - this may include taking credit for operator action under defined circumstances, and it may include the use of nonsafety-related equipment, providing in either case (operator action or nonsafety equipment) the actions meet the safety analysis response time requirements and are independent and diverse from the proposed system design; or,

4-5

• Provide diversity within the upgraded system itself (e.g., diverse hardware and software in redundant portions of the system); or,

• Provide a separate backup system that gives adequate protection in the event of software common mode failure in the upgraded system; or,

• Provide a diverse monitoring system which will identify the occurrence of the common mode failure of the upgraded system, and provide guidance to the operators on their response to this failure.

4.2 EQUIPMENT QUALIFICATION INCLUDING EMI

10CFR50 Appendix A (GDC 2 and 4) requires that safety systems be designed to withstand the effects of natural phenomena and be qualified to operate in normal and postulated accident conditions. Environmental conditions that should be considered include temperature, pressure, humidity, seismic conditions, radiation, and electromagnetic interference (EMI).

As noted earlier, electromagnetic interference has been identified as an issue associated with digital I&C upgrades. The purpose of this section is to provide guidance and acceptable methods for addressing the EMI issue. It draws on a number of publications such as IEEE Std 1050, MIL-STD-461 and 462, and guidance developed by EPRI and contained in EPRI TR-102323.

The EMI environment should be considered as part of the design basis conditions for the upgraded safety system. It should be shown that the equipment installed with the digital I&C upgrade will operate satisfactorily in the environment in which it is to be located. Key aspects of this evaluation are (1) knowledge of the plant EMI environment in which the equipment is expected to operate, (2) the execution of an appropriate set of tests to assess the vulnerability or susceptibility of the new equipment to EMI, (3) the range of frequencies and test levels covered by the equipment susceptibility tests, (4) methods for demonstrating that the equipment is compatible with the EMI environment in which it will be installed, and (5) installation using proper grounding and shielding techniques. Each of these is discussed below.

Recommended test methods specified in IEC 801-3, 4, and 5, which cover susceptibility to radiated fields, electrical fast transients, and surges, supplemented by a low frequency conducted susceptibility test such as MIL-STD 461C, CS01, are considered a comprehensive set of tests and are the published methods for conducting EMI susceptibility testing. Alternate tests are identified in Table 1 that are also considered acceptable. Recommended signal levels and frequency ranges for the tests are provided in EPRI TR-102323.

There are a number of standards and test methods which, if properly applied, will provide satisfactory results. Among these are the IEC 801 series and MIL-STD 461 and MIL-STD 462. The MIL-STD 461C susceptibility requirements are shown in the table below. In any of these, care must be taken to ensure the entire frequency spectrum is covered. Ideally, frequencies considered should cover from 30 Hz to 20 GHz. 30 Hz is the first subharmonic of both the 60 Hz generated power and the supply voltage for most of the plant equipment. While this has a very long wavelength, on the order of 3000 miles, and as such there is a low incidence of coupling, 60 Hz is the most common frequency in the plant, and therefore even a small degree of coupling can cause problems; 60 cycle hum on ground lines is not an unusual problem. 20 GHz is the upper end of the microwave spectrum and may be used for point to point communications systems, both on site and off site. The power levels in this frequency range are usually much lower, but the short wavelengths may make even short wires a good antenna. The spectrum between 10 GHz and 20 GHz need be considered only if microwave systems using these frequencies are in the proximity of the plant. There must be justification for any other frequencies not considered.

Applicable MIL-STD-461C susceptibility requirements for digital equipment

Requirement   Description
CS01          Conducted susceptibility, power leads, 30 Hz to 50 kHz
CS02          Conducted susceptibility, power and interconnecting control leads, 50 kHz to 400 MHz
CS06          Conducted susceptibility, spikes, power leads
RS01          Radiated susceptibility, magnetic field, 30 Hz to 50 kHz
RS02          Radiated susceptibility, magnetic induction fields; spikes and power frequencies
RS03          Radiated susceptibility, electric field, 14 kHz to 20 GHz

C = conducted, R = radiated, and S = susceptibility.

Site specific problems should be considered. These may include the frequency of any microwave systems installed on-site, or which are offsite but geographically close. Of specific interest are the handheld radio communications devices used by plant personnel. In addition, radar frequencies should be considered, both from local airports and from shipboard radars for sites close to large bodies of water. Sites close to military bases should consider those radars.

In demonstrating that the equipment is compatible with the EMI environment in which it will be installed, there are several options:

1. Using the standards discussed above, qualify the equipment to conservative levels that are greater than those credible for the installed environment (local test surveys are recommended; EPRI TR-102323 is to be consulted to establish the levels; see discussion below); or,

2. Demonstrate that the existing equipment is as susceptible as the new equipment to be installed with the upgrade, taking into account the greater susceptibility to EMI of modern digital equipment as installed in the plant; or,

3. Perform local tests or surveys to measure the actual environment in which the equipment will be installed, and compare this to the results of the vendor or laboratory tests of equipment susceptibility; show that the equipment testing envelopes the installed environment.

4. Perform an analysis based on past local tests or surveys and the known emissions of any equipment added since that test, and compare this to the results of the vendor or laboratory tests of equipment susceptibility; show that the equipment testing envelopes the installed environment.
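The two checks that options 3 and 4 and the frequency table above call for can be made mechanical: does the chosen set of susceptibility tests cover the 30 Hz to 20 GHz span without gaps, and do the levels the equipment was tested to envelope what a site survey measured at each frequency. The following is an added example written for this page, not part of the guideline or of any vendor's test program; the MIL-STD-461C bands are transcribed from the table above, while the test levels, the survey readings and the function names (coverage_gaps, envelope_margins, envelopes_environment) are constructed assumptions for illustration only.

```python
"""Frequency-coverage and test-envelope checks for EMI susceptibility testing.

Added example; not part of the original guideline. The band table is
transcribed from the MIL-STD-461C table on the page. The electric-field
test levels and site-survey readings further down are constructed sample
values, not measurements from any plant.
"""

# (requirement, kind, low_hz, high_hz). Spike/transient tests CS06 and RS02
# have no swept frequency band and so are excluded from band coverage.
REQUIREMENTS = [
    ("CS01", "conducted", 30.0, 50e3),
    ("CS02", "conducted", 50e3, 400e6),
    ("RS01", "radiated", 30.0, 50e3),
    ("RS03", "radiated", 14e3, 20e9),
]

F_MIN_HZ = 30.0   # first subharmonic of 60 Hz power, as the guideline states
F_MAX_HZ = 20e9   # upper end of the microwave spectrum, as the guideline states


def bands_by_kind(kind):
    """Frequency bands (low_hz, high_hz) of all tests of one kind."""
    return [(lo, hi) for _, k, lo, hi in REQUIREMENTS if k == kind]


def coverage_gaps(bands, f_min=F_MIN_HZ, f_max=F_MAX_HZ):
    """Return the sub-ranges of [f_min, f_max] that no band covers.

    Overlapping or touching bands are merged first, so each returned
    (low_hz, high_hz) tuple is a true hole needing justification.
    """
    merged = []
    for low, high in sorted(bands):
        if merged and low <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], high)
        else:
            merged.append([low, high])
    gaps = []
    cursor = f_min
    for low, high in merged:
        if high < cursor:
            continue                      # band lies entirely below the span
        if low > cursor:
            gaps.append((cursor, min(low, f_max)))
        cursor = max(cursor, high)
        if cursor >= f_max:
            break
    if cursor < f_max:
        gaps.append((cursor, f_max))      # nothing tested above the last band
    return [g for g in gaps if g[0] < g[1]]


def envelope_margins(test_envelope, survey):
    """Compare a site survey against the levels the equipment withstood.

    test_envelope: list of (low_hz, high_hz, level) from vendor/lab tests.
    survey: list of (freq_hz, level) measured at the installation location.
    Returns (freq_hz, margin) pairs where margin = tested level - measured
    level; margin is None when no test band covers that frequency at all.
    """
    margins = []
    for freq, measured in survey:
        tested = [lvl for lo, hi, lvl in test_envelope if lo <= freq <= hi]
        margins.append((freq, max(tested) - measured if tested else None))
    return margins


def envelopes_environment(test_envelope, survey, min_margin=0.0):
    """True only if every surveyed point is inside a test band with margin >= min_margin."""
    return all(m is not None and m >= min_margin
               for _, m in envelope_margins(test_envelope, survey))


# Constructed sample data (V/m): an RS03-style radiated test at two levels,
# and a survey with a handheld-radio reading that exceeds the tested level.
SAMPLE_TEST_ENVELOPE = [(14e3, 1e9, 10.0), (1e9, 20e9, 20.0)]
SAMPLE_SURVEY = [(12e3, 0.5), (150e6, 8.0), (450e6, 12.0), (2.8e9, 15.0)]

if __name__ == "__main__":
    for kind in ("conducted", "radiated"):
        print(kind, "gaps:", coverage_gaps(bands_by_kind(kind)))
    for freq, margin in envelope_margins(SAMPLE_TEST_ENVELOPE, SAMPLE_SURVEY):
        print(f"{freq:>14.0f} Hz  margin = {margin}")
    print("envelopes installed environment:",
          envelopes_environment(SAMPLE_TEST_ENVELOPE, SAMPLE_SURVEY))
```

Run as-is, the conducted tests alone report a gap from 400 MHz to 20 GHz, the radiated tests report none, and the survey fails on two counts: the 12 kHz reading falls below the lowest test band (no margin can be claimed), and the 450 MHz reading exceeds the 10 V/m test level. Either finding is the cue for a retest at a higher level, an added band, or the justification the guideline requires for frequencies not considered.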

The EPRI Guide, TR-102323, contains qualification test options and test signal characteristics, including frequency range and magnitude, based on maximum expected interference levels determined by study; the EPRI Guide contains upper bounds for the design basis for all the EMI concerns enumerated in Table 1 and is applicable to any nuclear power plant.

Experience in previous upgrades has shown that wiring practices followed in installation of the equipment (e.g., routing, shielding, grounding, termination) are very important in minimizing EMI susceptibility and should be addressed in the design and implementation of the upgrade. IEEE 1050-1989 provides guidance in this area.

4.3 MAN-MACHINE INTERFACE (MMI)

The man-machine interface includes all interfaces between the digital I&C system and plant personnel, including:

operators - alarms, status displays, control interfaces, etc.

maintenance technicians - test and calibration interfaces, diagnostic information displays, data entry terminals for setpoints, etc.

engineering personnel - configuration workstations or terminals, etc.

The principal concern related to the man-machine interface is the possibility of system failure due to human error, or due to unauthorized entries or alterations of the system through a maintenance, test, or configuration interface. Human factors considerations should be addressed in the design of all man-machine interfaces associated with the upgrade in order to minimize the possibility for human error in using the interface. IEEE 603-1991 discusses the application of human factors considerations in the design process for safety systems. General guidance for human factors considerations is provided in numerous IEEE, EPRI, and NUREG documents on this subject.

Adequate administrative controls and security should be provided to guard against unauthorized changes being introduced through a man-machine interface. Note that this is similar to the situation that is faced now with existing equipment and the associated administrative controls and security (e.g., authorization to open cabinets, use of keylock controls, restrictions on vital area access, etc.). IEEE 603-1991 provides guidance on access control and human interfaces.

Administrative controls and design features should specifically address software access in addition to typical equipment access provisions.

4.4 COMMERCIAL GRADE ITEM DEDICATION

The responsibilities for qualifying, or performing commercial dedication, of equipment for use in a safety system should be specified. This includes software as well as hardware. Note that, depending on how the roles are defined, the utility may need access to the source code for the vendor software. If so, this needs to be worked out up front (schedule, terms, etc.) so that the necessary reviews or dedication activities can be supported in a timely fashion.

The process used for commercial grade item dedication should identify the principal performance requirements necessary to provide adequate confidence that the safety function can be achieved. The hardware and software design should be compared to the applicable design criteria for nuclear qualified equipment, and exceptions taken where there are compensating factors (such as documented operating experience in similar applications, or additional verification and validation performed to develop adequate confidence). While documented operating experience can be used as a factor in commercial grade dedication, it is in itself insufficient as proof of acceptability for applications important to safety. Acceptance typically will be based on a high degree of confidence that the product will not only perform its intended functions, but also that no unintended functions will occur. The degree of confidence required will be commensurate with the safety function the hardware and software is required to perform. Since for any reasonably large software package the number of input variables makes dedication by testing alone a very difficult proposition, the only viable alternative is to verify and validate the code itself, in addition to testing. In a proprietary software product, the vendor may be reluctant to make the code listings available. For this reason, commercial dedication of software remains a limited option. Documentation and software required to maintain the commercial grade dedication shall be placed under configuration management.

EPRI NP-5652, "Utilization of Commercial Grade Items in Nuclear Safety Related Applications," provides guidance on commercial grade item dedication.

4.5 DESIGN, SPECIFICATION, AND IMPLEMENTATION PROCESS

For digital I&C system upgrades, it is particularly important to establish early in the process the roles, responsibilities, and interfaces among the utility, equipment vendor, and other organizations that may be involved in the change. When the upgrade involves computers and software, responsibilities for verification and validation (V&V), testing, and configuration management for the different types of software (e.g., vendor-supplied firmware, software configuration data, etc., as discussed in 4.1.1 above) should be established up front. The ultimate responsibility for the correct operation of the system cannot, of course, be delegated, and as such, remains with the licensee.

Experience in previous digital upgrades and lessons learned from software development and use in general have shown that proper specification of the requirements for the software is a key element in assuring adequate performance of the system. Most problems with digital systems occur in specifying the system, not in implementing the system or the software. The process should be very thorough in establishing the requirements for the upgraded system, identifying all interfaces and all the applicable design basis requirements, and the utility should ensure that it adequately communicates to the vendor the plant-specific requirements and information needed to implement the system.

NSAC-105, "Guidelines for Design and Procedure Changes in Nuclear Power Plants," provides general guidance on design and implementation of plant modifications. IEEE 830-1984, "Guide for Software Requirements Specifications," provides more detailed guidance on the process of generating the software requirements specifications. Additional guidance related to specification of digital I&C upgrades is given below, supplementing the guidance contained in NSAC-105.

4.5.1 Definition of Systems, Interfaces, and Design Requirements

The systems that will be involved in the upgrade should be clearly defined. This includes defining:

Objective(s) of the modification. For example, is this a functionally equivalent replacement or is additional functionality to be provided as part of the modification? This can have a significant impact on the safety evaluation.

System(s) to be modified. What systems will be modified to support the objectives?

Other systems affected. What are the effects from this modification on other systems? What interfaces are affected?

System design basis and licensing basis. What are the design and licensing bases for the systems to be modified and for those that may be affected by the modification? System design documentation, design basis requirements, applicable sections of the Safety Analysis Report (SAR), Technical Specifications, and other design information should be used as appropriate.

4.5.2 Plant-Specific Configurations and Optional Features

The utility should specify the particular options, features, and plant-specific configurations that are to be implemented for the particular design. The flexibility and power of computer-based systems allow a wide range of optional features and capabilities that the utility may or may not want in a particular application. In some cases, it may be desirable to disable or remove unnecessary optional capabilities, particularly if they open up the possibility of new types of malfunctions or misoperations that impact the safety evaluation.

Also, the utility should understand what actions it must take to properly implement the desired capabilities. An example is the area of self-testing, diagnostics, and fault detection. The equipment may support these features, but the vendor may rely on site-specific or customer-specific wiring or interfaces to fully implement them (e.g., the equipment provides a contact output that signals failure of a processor, and this contact must be wired to a separate system or other equipment to provide operator notification or maintenance action). Communication between the utility and the vendor is important in ensuring that these items are properly addressed in the design and installation.

4.5.3 Design Specification

Section 2 of NSAC-105 and IEEE 1016-1987, "Recommended Practice for Software Design Descriptions," provide guidance on preparation of a design specification. As noted above, the specification is a key element in ensuring adequate performance of the upgraded system. The specification should cover:

Design objectives
Functional requirements
Codes, standards, and other design basis documents
Design requirements
Analysis and testing requirements
Acceptance criteria


Section 5 SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS OF DIGITAL UPGRADES

NSAC-125 provides a set of seven questions commonly used to determine if a modification involves one or more unreviewed safety questions in accordance with 10CFR50.59. If the modification involves an unreviewed safety question, NRC review and approval must be obtained prior to implementation.

It is important to remember that the 10CFR50.59 Safety Evaluation does not determine whether or not a proposed change is safe. A determination that a proposed change involves an unreviewed safety question does not mean that the change is unsafe. It simply means that NRC review and approval is necessary prior to implementation of the change.

The following provides items to consider in answering each of the seven questions referred to in NSAC-125. They are expressed in the form of supplemental questions. If any of these questions is answered "yes", the change is an unreviewed safety question (Section 4.2 of NSAC-125). It is important to ensure that all items are addressed fully and that all valid potential unreviewed safety questions are identified.

(1) May the proposed activity increase the probability of occurrence of an accident evaluated previously in the Safety Analysis Report (SAR)?

Areas that should be addressed in responding to this question include the following:

(a) Does the replacement system exhibit performance characteristics, or have design features, that give an increased probability of a system malfunction resulting in an accident? The assessment of a change in probability may be made on a qualitative basis, particularly for systems or components which rely on software, since there does not currently exist a consensus method for quantifying software reliability. Common mode and common cause failures of software shall be considered. Section 3.4 of NSAC-125 provides guidance on the use of qualitative probability assessments.

(b) Does the system exhibit performance characteristics that require additional operator intervention for continued normal operation (e.g., lockup, halt)? It should also be noted that lockup or halt may be new types of malfunctions and should be addressed under item 6 of this section.

(c) Is the system qualified for the installed environment (e.g., temperature, humidity, electromagnetic fields, airborne particulates) such that system performance will not be degraded compared to the original system?


(2) May the proposed activity increase the consequences of an accident evaluated previously in the SAR?

The following areas should be addressed in responding to this question to determine if the activity results in an increase in radiological releases above the licensing limit:

(a) Does the replacement system exhibit a response time beyond current acceptance limits (e.g., because of sample period, increased filtering)?

(b) Does the system perform adequately under high duty cycle loading (e.g., computational burden during accident conditions)?

(c) Does the architecture of the system exhibit a single failure that results in more severe consequential effects (e.g., reduced segmentation due to combining previously separate functions, several input channels sharing an input board, central loop processor for many channels)?

(d) Does the man-machine interface design introduce constraints on the operators' ability to adequately respond to an accident such that there are more severe consequential effects?

(3) May the proposed activity increase the probability of occurrence of a malfunction of equipment important to safety evaluated previously in the SAR?

Areas that should be addressed in responding to this question include the following:

(a) Does the modified system meet the required plant environmental and seismic envelopes?

(b) Is the replacement system qualified for the electromagnetic fields at the installed location? What effect does plant equipment operation have on the system (e.g., walkie talkies, motors, switchgear, etc.)?

(c) Have potential interactions between safety-related and nonsafety-related systems been addressed?

(d) Are the electrical loads associated with the replacement system addressed in the design?

(e) Does the plant HVAC have adequate capacity for the thermal loads of the replacement system?

(f) Does the replacement system meet applicable requirements for separation, independence, and grounding?

(g) Does the microprocessor-based system have adequately qualified cabinet cooling?


(4) May the proposed activity increase the consequences of a malfunction of equipment important to safety evaluated previously in the SAR?

Areas that should be addressed to determine if the activity could result in an increase in the radiological releases above the current licensing limit include the following:

(a) Does the replacement system exhibit the same failure modes affecting radiological releases as the analog system (e.g., fail low, fail high, fail as is, diagnostic alarm)? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR?

(b) Since a software common mode failure (CMF) is a credible failure mode, are the consequences mitigated by the hardware design or system architecture? If not, is the probability of a software CMF in conjunction with other concurrent events assumed in the safety analysis judged to be sufficiently high that the consequences of a malfunction previously evaluated are increased? Are the consequences bounded by other events evaluated in the SAR?

(c) Does the replacement system have the same failure mode as the analog system on loss of power? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR?

(d) Is the response of the replacement system on restoration of power different from that of the analog system being replaced?

(e) Does the man-machine interface (MMI) introduce failure modes different from those of the existing analog system? Is there an equivalent to the MMI in the system being replaced, or does the existence of a new type of equipment create a new type of failure?

(5) May the proposed activity create the possibility of an accident of a different type than any evaluated previously in the SAR?

Areas that should be addressed in responding to this question include the following:

(a) Have assessments of system-level failure modes and effects for the microprocessor-based system identified any new types of failure modes that could cause a different type of accident than presented in the plant SAR?

(b) Are the consequences of a software common mode failure mitigated by the hardware design or system architecture? Could the failure cause a different type of accident than presented in the SAR?

(c) Plant SAR analyses were based on credible failure modes of analog equipment. Does the replacement system change the basis for the most limiting scenario?

Footnote 2: Considerations in determining whether software common mode failure is credible include (1) the complexity of the computer system design, (2) the number, size and complexity of the software programs involved, and (3) experience with the computer system design.

(6) May the proposed activity create the possibility of a malfunction of equipment important to safety of a different type than any evaluated previously in the SAR?

Some areas that should be addressed in responding to this question:

(a) Have assessments of system-level failure modes and effects for the microprocessor-based system identified any new types of failure that could result in effects not previously considered in the SAR?

(b) Is a software common mode failure a credible failure mode? If so, could it result in effects not previously considered in the SAR?

(c) Could the environment in which the microprocessor-based equipment operates cause a new type of failure (e.g., electromagnetic compatibility)? Could the system create an environment which adversely affects other equipment and thereby creates the possibility of a different type of malfunction?

(d) Were the system design, verification and validation, and analysis methods consistent with industry standards?

This question is asking if the digital equipment could lead to a failure mode of a different type than the types evaluated in the SAR. In answering this question, the types of failure modes of the analog system being replaced that have been previously evaluated in the SAR and that are affected by the replacement are identified. Then the types of failure modes that the digital replacement system could create are identified. Comparing the two lists can provide the answer to the question (NSAC-125, Section 4.2).

(7) Does the proposed activity reduce the margin of safety as defined in the basis for any technical specification?

A review of the bases and assumptions for the Technical Specifications and acceptance limits spelled out in the NRC SERs should be made to support this determination.

The areas to be addressed include the following:

(a) Has the replacement I&C system decreased the channel trip accuracy beyond the acceptance limit?

(b) Has the replacement I&C system increased the channel response time beyond the acceptance limit?

(c) Has the replacement I&C system decreased the channel indicated accuracy beyond the acceptance limit?

(d) Does the new control system cause a plant parameter for any analyzed event to fall outside of acceptance limits?

Section 6 REFERENCES

The following lists standards, guidelines, and other documents that are referred to in this guideline. The EPRI Instrumentation & Control Requirements and Standards (ICRS) database, distributed by EPRI's Electric Power Software Center, can be consulted for more information on standards, regulatory documents, and guidelines related to I&C upgrades in nuclear power plants.

1. ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications," American Society of Mechanical Engineers.

2. ANSI/IEEE-ANS-7-4.3.2, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations."

3. ANSI/IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits."

4. ANSI/IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

5. ANSI/IEEE 610.12-1990, "Glossary of Software Engineering Terminology."

6. ANSI/IEEE 730-1989, "Software Quality Assurance Plans."

7. ANSI/IEEE 828-1990, "IEEE Standard for Software Configuration Management Plans."

8. ANSI/IEEE 830-1984, "IEEE Guide to Software Requirements Specification."

9. ANSI/IEEE 1012-1986, "IEEE Standard for Software Verification and Validation Plans."

10. ANSI/IEEE 1016-1987, "IEEE Recommended Practice for Software Design Descriptions."

11. ANSI/IEEE 1028-1988, "IEEE Standard for Software Reviews and Audits."

12. ANSI/IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations."

13. ANSI/IEEE 1063-1987, "IEEE Standard for Software User Documentation."

14. EPRI TR-102323, "Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment in Nuclear Power Plants." To be published by Electric Power Research Institute.

15. IEC 801-3, 1984, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 3: Radiated Electromagnetic Field Requirements."

16. IEC 801-4, 1988, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 4: Electrical Fast Transient/Burst Requirements."

17. IEC 801-5, Draft, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 5: Surge Immunity Requirements."

18. IEC 801-6, Draft, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 6: Immunity to Conducted Radio Frequency Disturbances Above 9 kHz."

19. IEC 880-1986, "Software for Computers in the Safety Systems of Nuclear Power Stations."

20. IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

21. NSAC-105, "Guidelines for Design and Procedure Changes in Nuclear Power Plants."

22. NSAC-125, "Guidelines for 10CFR50.59 Safety Evaluations."

23. Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants."

24. Regulatory Guide 1.75, "Physical Independence of Electrical Systems."

25. Regulatory Guide 1.153, "Criteria for Power, Instrumentation and Control Portions of Safety Systems."

26. Title 10 of the Code of Federal Regulations, Part 50.59, "Changes, Tests, and Experiments."

27. Title 10 of the Code of Federal Regulations, Part 50.90, "Application for Amendment of License or Construction Permit."