ML20056H392

| Field | Value |
|---|---|
| Issue date | 08/17/1993 |
| From | NRC |
| Shared Package | ML20056H383 |
| References | NUDOCS 9309090244 |
| Download | ML20056H392 (16) |
OPERATING REACTORS DIGITAL RETROFITS
DIGITAL SYSTEM REVIEW PROCEDURES
Version 1

I. GENERAL DESCRIPTION OF THE NRC DIGITAL SYSTEMS REVIEW APPROACH

The importance of digital system reliability, and in particular of a strong software development and maintenance program, cannot be overemphasized when considering the potential for software-initiated failures. This section presents a summary of the NRC criteria and review approach used for digital retrofit reviews. This description is not all-inclusive of the questions asked and the material reviewed and referenced, but it does cover the major areas.

Currently, the NRC uses Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," and ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations," for guidance when performing reviews of digital systems. Although other software standards such as ANSI/IEEE Std. 1012-1986, "IEEE Standard for Software Verification and Validation Plans," and ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications," are used for reference, licensees are generally held responsible for conforming to ANSI/IEEE-7-4.3.2-1982.

The staff performs a detailed review of the system design process and the software verification and validation program. At this stage, the staff looks programmatically at the design process and makes comparisons to the applicable review guidance. The staff reviews available information on the software and hardware history, including previous software and hardware failures. The staff reviews the specific plant application, including any special features that were required.
The staff reviews the specific verification and validation (V&V) performed on the software used in the application. This is a detailed review and includes (1) following the code development, (2) examining the vendor/licensee interface and feedback process, (3) reviewing software problem/error reports and the resulting corrections, (4) comparing the V&V process to ANSI/IEEE-ANS-7-4.3.2-1982, (5) interviewing personnel involved in the process, (6) verifying the independence of the software verifiers, (7) reviewing the development of the functional requirements and the subsequent software development documents, (8) reviewing the software life cycle and the future vendor/licensee interface, and (9) reviewing the verification and validation results.

The staff also performs a "thread audit," which consists of picking a sample of plant parameters and tracing the software implementation of these parameters from the purchase specification and the development of the functional requirements to the writing and testing of the code. This review includes (1) reviewing actual sections of the code on a sample basis, (2) examining the various levels of software development documents and comparing them to the code, (3) examining problem reports and verifying the corrections, (4) examining the engineering cross-discipline interfaces to ensure that nuclear-specific needs were correctly incorporated into the code, (5) examining the licensee interface to ensure that plant-specific requirements are correctly incorporated, (6) ensuring that the verification and validation process is followed according to the vendor's plan, and (7) reviewing the final results of the process. Finally, the software and hardware are reviewed as a system, looking for potential timing and software/hardware problems. At the end of the review, all of the information is collated to establish a benchmark for assessing the software safety system performance and reliability.
1. Licensee/Vendor Interface

Experience with computer projects has demonstrated that the development of computer system functional requirements can have a significant impact on the quality and safety of the implemented system (ANSI/IEEE-ANS-7-4.3.2-1982, Sec. 3). In fact, there have been recent software failures attributed to software functional requirements and system specifications that did not accurately reflect plant-specific idiosyncrasies. This has placed additional emphasis on the importance of the licensee/vendor interface during software development, and it is an important factor when assessing software reliability and quality. The staff considers the correctness of the functional requirements by reviewing the process for the development of these requirements, concentrating on the licensee/vendor interface, the changes that were made, and the qualifications of the personnel involved. Personnel from all relevant disciplines should have been part of the process.
2. Verification and Validation Organization

The verification group shall be independent of the design team and shall have technical qualifications comparable to those of the design team (ANSI/IEEE-ANS-7-4.3.2-1982, Sec. 7.1). The verification and validation (V&V) organization should be independent from the software development group, with separate supervisory engineers, and composed of personnel with technical qualifications comparable to those of the development group. The development group should submit the code to the V&V group after writing and debugging the code. The V&V group should then review the code according to the V&V plan and produce a V&V report.

Communications between the software development group and V&V personnel should be documented in written, traceable reports. In order to be acceptable, the independence of the V&V group and the V&V personnel should conform to ANSI/IEEE-ANS-7-4.3.2-1982. Additional guidelines for this portion of the review can be found in ANSI/IEEE 1012, "IEEE Standard for Software Verification and Validation Plans," and IEC 880, "Quality Assurance Requirements of Computer Systems at Nuclear Facility Applications."
3. Verification and Validation Program Review

The verification and validation (V&V) of the digital system is a formalized program that includes detailed procedures and policies for technical review and audit functions, software reviews and audits, software test and analysis, dynamic system testing simulating normal and design basis events, and an independent stage-to-stage verification performed by knowledgeable individuals (ANSI/IEEE-ANS-7-4.3.2-1982, Sec. 3.7). The vendor's V&V program should be described in documentation submitted to the staff. The V&V group should perform several tasks before they approve the release of the software code, including: (1) document code reviews; (2) test case development; (3) verification and validation testing; and (4) abnormal conditions review.

After the development group submits the code to the V&V group, each independent verifier should receive one or more modules on which a document code review and evaluation is performed. The evaluation is based upon the module's conformance to the functional requirements and to the design and coding standards. Although the verifier's primary focus at this stage is a comparison between the functional requirements document and the code, the software development documentation should also be verified for consistency and integrity, starting from the functional requirements and including the system design requirements, the system design specification, and the functional decomposition document.

After completing the walk-through of the design documents and the source code, the verifier develops two types of test cases, i.e., verification tests and validation tests. The method and rigor used for verification tests is a function of the safety classification of the software module as defined by ANSI/IEEE Std. 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Institute of Electrical and Electronics Engineers. By this standard, software associated with the actuation and/or implementation of reactor trips, engineered safety features, and information displays for manually controlled actions receives the highest level of verification.
The verification tests are further partitioned into structural testing and functional testing. Guidelines for testing methods can be found in IEEE 829, "Software Test Documentation." The structural testing (white box) ensures that all source lines meet the intended design specification. To determine the rigor and method of this testing, the verifier follows an established set of criteria based on the software's uniqueness and complexity. After applying the criteria, the verifier should then read the code and derive the structural test cases that will exercise all of the statements. Next, the verifier performs either manual structural testing or computer emulation. For bounded input values, the verifier chooses values to exercise the lower limit, the upper limit, and at least one random intermediate value. Particular attention should be given to out-of-range and other abnormal input variables such as negatives and zeros. The functional testing is similar to the structural testing except that the functional properties are the basis for the functional testing and are provided by the Design Specification.

When software errors or coding discrepancies are found, the verifiers should generate either a Procedure Problem Report or a Generic Problem Report. Each software module contains several procedures, so a Procedure Problem Report concerns defects in the smallest software unit. A Generic Problem Report pertains to problems that cross module boundaries and involve multiple modules. A log of the reports should be kept and their status tracked by the V&V group. The developer has the responsibility to resolve these reports, and if a code modification is required, the verifier performs regression testing until the module satisfactorily passes the test. The Lead Verifier ensures that no problem reports remain open upon release of the module.

Once the verification results are accepted, the software is installed in the target hardware, and the verifiers should check the hexadecimal and checksum values for consistency. The hardware/software should then be validated. The validation process emphasizes the system functionality of the target hardware/software. The major phases of the validation testing are: (1) "top-down" functional requirements testing; (2) abnormal conditions review of the design and its implementation; and (3) specific MMI testing. The Validation Test Engineer derives test cases from the decomposition of the functional requirements into sub-requirements and looks for functional and abnormal conditions to test. Once the tests are derived, a Validation Test Technician executes the tests on the verified software now residing in the final target hardware. The Validation Test Engineer then reviews the test results.
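As an added example (not part of the NRC procedure), the structural test derivation just described for a bounded input, applied to a constructed high-pressure trip module: the instrument range, setpoint and procedure names are assumptions, and a defective variant of the module shows which derived cases surface as Procedure Problem Reports.

```python
"""Structural test-case derivation for a bounded input, as described in the
V&V program review: lower limit, upper limit, an intermediate value, and the
abnormal values (out-of-range, negative, zero).  The trip module and its
parameters are constructed for this example, not taken from any plant."""
import random
from dataclasses import dataclass

# Constructed parameters for a pressurizer-pressure high trip channel (assumed).
RANGE_LO = 1700.0     # psig, lower limit of the instrument range
RANGE_HI = 2500.0     # psig, upper limit of the instrument range
SETPOINT = 2385.0     # psig, trip setpoint

TRIP, NORMAL = "TRIP", "NORMAL"


def trip_module_verified(pressure: float) -> str:
    """Module as it should behave: an unpermitted (out-of-range) input is
    rejected by driving the channel to the preferred (tripped) state, and an
    in-range input trips at or above the setpoint."""
    if pressure < RANGE_LO or pressure > RANGE_HI:
        return TRIP
    return TRIP if pressure >= SETPOINT else NORMAL


def trip_module_defective(pressure: float) -> str:
    """Module with two coding discrepancies the derived cases should expose:
    no range check, and '>' instead of '>=' at the setpoint."""
    return TRIP if pressure > SETPOINT else NORMAL


@dataclass(frozen=True)
class TestCase:
    name: str
    value: float
    expected: str


def expected_result(pressure: float) -> str:
    """Test oracle written from the (constructed) functional requirement."""
    if not RANGE_LO <= pressure <= RANGE_HI:
        return TRIP                      # unpermitted input -> preferred state
    return TRIP if pressure >= SETPOINT else NORMAL


def derive_structural_cases(seed: int = 1) -> list[TestCase]:
    """Lower limit, upper limit, at least one random intermediate value, the
    setpoint boundary itself, and the abnormal values the procedure calls out."""
    rng = random.Random(seed)            # seeded so the case set is reproducible
    values = {
        "lower_limit": RANGE_LO,
        "upper_limit": RANGE_HI,
        "intermediate": rng.uniform(RANGE_LO, RANGE_HI),
        "setpoint_exact": SETPOINT,
        "just_below_setpoint": SETPOINT - 0.001,
        "below_range": RANGE_LO - 1.0,
        "above_range": RANGE_HI + 1.0,
        "negative": -100.0,
        "zero": 0.0,
    }
    return [TestCase(n, v, expected_result(v)) for n, v in values.items()]


def run_cases(module, cases: list[TestCase]) -> list[dict]:
    """Execute the derived cases against one procedure; each failure becomes a
    Procedure Problem Report entry for the V&V log."""
    reports = []
    for case in cases:
        actual = module(case.value)
        if actual != case.expected:
            reports.append({
                "procedure": module.__name__,
                "case": case.name,
                "input": case.value,
                "expected": case.expected,
                "actual": actual,
            })
    return reports
```

Running the same derived cases against both variants shows why the limits and the setpoint boundary are chosen explicitly: the defective module passes every random intermediate value and fails only at the boundaries and the abnormal inputs.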
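An added example, not from the page, of the hexadecimal and checksum consistency check made after the software is installed in the target hardware: it assumes the image is held as Intel HEX records (a format the page does not name), verifies each record's checksum, and compares the installed image byte for byte with the image that passed verification. The records are constructed.

```python
"""Installed-image consistency check.  Assumes Intel HEX records (an assumption;
the procedure only says 'hexadecimal and checksum values').  Both images below
are constructed for the example."""
import zlib

# Constructed "verified" image: two data records and an end-of-file record.
VERIFIED_IMAGE = """\
:080100005109A40600000001F2
:0401080012345678DF
:00000001FF
"""

# Constructed "installed" image: one byte at 0x010B differs (0x78 -> 0x79) and the
# record checksum was recomputed, so only a byte-level compare reveals the change.
INSTALLED_IMAGE = """\
:080100005109A40600000001F2
:0401080012345679DE
:00000001FF
"""


def record_checksum_ok(record: str) -> bool:
    """A record verifies when all its bytes, checksum byte included, sum to 0 mod 256."""
    return sum(bytes.fromhex(record[1:])) & 0xFF == 0


def parse_ihex(text: str) -> dict[int, int]:
    """Return {address: byte} for the data records, raising ValueError on a
    malformed record or on a record whose checksum does not verify."""
    memory: dict[int, int] = {}
    base = 0  # upper address bits from extended linear address records (type 04)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":") or len(line) % 2 == 0:
            raise ValueError(f"line {lineno}: malformed record")
        if not record_checksum_ok(line):
            raise ValueError(f"line {lineno}: record checksum failure")
        data = bytes.fromhex(line[1:])
        length, offset, rtype = data[0], int.from_bytes(data[1:3], "big"), data[3]
        payload = data[4:-1]
        if len(payload) != length:
            raise ValueError(f"line {lineno}: length field {length} != {len(payload)}")
        if rtype == 0x00:                      # data record
            for i, b in enumerate(payload):
                memory[base + offset + i] = b
        elif rtype == 0x01:                    # end of file
            return memory
        elif rtype == 0x04:                    # extended linear address
            base = int.from_bytes(payload, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:02X}")
    raise ValueError("missing end-of-file record")


def image_checksums(memory: dict[int, int]) -> tuple[int, int]:
    """16-bit additive checksum (the value a device programmer displays) and
    CRC-32 of the image bytes taken in address order."""
    image = bytes(memory[a] for a in sorted(memory))
    return sum(image) & 0xFFFF, zlib.crc32(image) & 0xFFFFFFFF


def compare_images(verified: dict[int, int],
                   installed: dict[int, int]) -> list[tuple[int, int, int]]:
    """Addresses whose contents differ, as (address, verified, installed);
    an address present in only one image is reported with -1 for the other."""
    diffs = []
    for addr in sorted(set(verified) | set(installed)):
        v, i = verified.get(addr, -1), installed.get(addr, -1)
        if v != i:
            diffs.append((addr, v, i))
    return diffs
```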
An abnormal conditions review can also be used to ensure that the design operates properly under abnormal-mode conditions and to ensure that the system rejects unpermitted inputs (including out-of-range inputs). This review is primarily directed at the internal structure of the system software and is used to complement the functional testing and evaluate integrated system integrity.

As part of the programmatic review of the V&V program, the staff reviews software development documents, interviews V&V managers, and reviews various V&V summaries and reports. The staff also randomly samples problem reports. In the reports reviewed, defects are documented and analyzed for significance. Based upon the above review and the comparison of the V&V process/plan to ANSI/IEEE-ANS-7-4.3.2-1982, the staff confirms that the licensee/vendor program, as reviewed, complies with Regulatory Guide 1.152 and ANSI/IEEE-ANS-7-4.3.2-1982. To obtain a benchmark for evaluating V&V effectiveness and the licensee application, the staff then performs a "thread audit." Guidelines for this portion of the software review can be found in ANSI/IEEE 1012 and IEC 880.

4. NRC Thread Walk-through

The staff conducts a "thread audit" walk-through of a chosen parameter. The "thread audit" traces the software development of the chosen parameters and includes reviewing the software development documentation and sections of the code, and comparing the software development documentation to the code. The thread audit includes the validity test of the functional requirements and how they relate to the software requirements. While performing this review, the staff confirms that all errors have corresponding problem reports and appear to have been identified by the V&V process when applied to the functional code. If these problems were not identified by V&V, they present the staff with two concerns. The first is a question regarding verification thoroughness and effectiveness, which is discussed in the defense-in-depth section below. The second is whether flawed development documents and comment errors could mislead a software writer during future code revisions. Therefore, the staff should ask how these errors will be resolved, and for an analysis of the root cause of the errors. Based on the "thread audit" and the V&V program reviewed above, the staff confirms that the licensee application complies with Regulatory Guide 1.152 and ANSI/IEEE-ANS-7-4.3.2-1982.

5. Configuration Management

All software code and software documentation should be kept under strict configuration management control. Any software changes other than tunable parameters should be made through a licensee-controlled modification program that has a librarian to control changes to the code. When software is changed, the licensee should execute an analysis tool to determine the side effects resulting from the code changes and to evaluate the impact on the code. Furthermore, all modified code should be subject to verification and validation as described above.
The configuration management plan should follow the guidelines of IEEE 828-1983, "Software Configuration Management Plans."
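An added example, not the page's own, of the side-effect analysis called for when code under configuration management is changed: it assumes a hypothetical call graph, module map and shared data items for a small trip program, and returns the set of procedures that must be re-verified and whether the impact crosses a module boundary.

```python
"""Side-effect (impact) analysis for a code change under configuration
management: every transitive caller of a changed procedure, and every reader of
a data item a changed procedure writes, must be re-verified.  The call graph,
module map and data-flow tables are constructed; procedure names are hypothetical."""
from collections import deque

# Constructed call graph: caller -> callees.
CALLS = {
    "main_loop": ["read_pressure", "high_pressure_trip", "drive_outputs"],
    "read_pressure": ["scale_input", "range_check"],
    "high_pressure_trip": ["compare_setpoint"],
    "drive_outputs": [],
    "scale_input": [],
    "range_check": [],
    "compare_setpoint": [],
    "self_test": ["range_check"],
}
# Constructed module map: procedure -> module it belongs to.
MODULE = {
    "main_loop": "exec", "drive_outputs": "exec", "self_test": "exec",
    "read_pressure": "input", "scale_input": "input", "range_check": "input",
    "high_pressure_trip": "trip", "compare_setpoint": "trip",
}
# Constructed data flow through shared variables: procedure -> items written / read.
WRITES = {
    "scale_input": {"pressure_eu"},
    "range_check": {"pressure_valid"},
    "compare_setpoint": {"trip_demand"},
}
READS = {
    "range_check": {"pressure_eu"},
    "compare_setpoint": {"pressure_eu", "pressure_valid"},
    "drive_outputs": {"trip_demand"},
}


def callers_of(calls: dict) -> dict:
    """Invert the call graph: callee -> set of callers."""
    inv = {p: set() for p in calls}
    for caller, callees in calls.items():
        for callee in callees:
            inv.setdefault(callee, set()).add(caller)
    return inv


def impact_set(changed, calls=CALLS, writes=WRITES, reads=READS) -> set:
    """Procedures affected by changing `changed`: transitive callers (the
    behaviour they depend on changed) plus transitive readers of any data item
    an affected procedure writes.  Breadth-first closure over both relations."""
    inv = callers_of(calls)
    readers: dict = {}
    for proc, items in reads.items():
        for item in items:
            readers.setdefault(item, set()).add(proc)
    affected = set(changed)
    queue = deque(changed)
    while queue:
        proc = queue.popleft()
        successors = set(inv.get(proc, ()))
        for item in writes.get(proc, ()):
            successors |= readers.get(item, set())
        for s in successors:
            if s not in affected:
                affected.add(s)
                queue.append(s)
    return affected


def reverification_scope(changed) -> dict:
    """Entry for the modification record: procedures to re-verify, the modules
    they belong to, and whether the change's effects cross module boundaries."""
    affected = impact_set(changed)
    modules = sorted({MODULE[p] for p in affected})
    return {
        "changed": sorted(changed),
        "reverify": sorted(affected),
        "modules": modules,
        "cross_module": len(modules) > 1,
    }
```

A change confined to the output driver stays within one module, while a change to the setpoint comparison propagates through the shared trip demand into the executive, which is the case the librarian needs to see before accepting a "small" change.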
6. Conclusion

Based on the foregoing review, the staff will confirm that the licensee/vendor verification and validation plan/program complies with Regulatory Guide 1.152 and ANSI/IEEE-ANS-7-4.3.2-1982, and that the licensee's application of the verification and validation plan/program meets its functional and design requirements.
II. EQUIPMENT QUALIFICATION

Safety-related systems must be designed to withstand the effects of natural phenomena and be qualified to operate in normal and postulated accident conditions (10 C.F.R. Part 50, Appendix A, GDC 2 and 4). The staff reviews the following topic areas to ensure that a digital retrofit is capable of performing its intended safety function under postulated environmental conditions: (1) temperature and humidity; (2) seismic; (3) electromagnetic and radio frequency interference; and (4) radiation.

1. Temperature and Humidity

The staff uses IEEE Standard 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," for review guidance on temperature and humidity. The staff reviews the digital equipment (hardware) qualification test reports and compares the results to the plant-specific environment in order to confirm that the equipment is compatible with the plant. The staff also inquires about the heat load effect of the digital system itself on the existing room temperature profiles.

2. Seismic

The digital system rack and components should be subjected to multi-axis, multi-frequency seismic inputs in accordance with Regulatory Guide 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants," and IEEE Standard 344-1975, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations." The staff reviews the test reports and compares the results to the plant application, concentrating on configuration differences between the actual installation and the test set-up.

3. Electromagnetic and Radio Frequency Interference (EMI/RFI) Qualification

The staff assesses the potential for adverse random and unpredictable effects on the safety system produced by ambient EMI and RFI.
Although there are no specifically endorsed NRC standards on this topic at this time, the staff uses the following standards and information for reference when conducting its reviews:

(1) MIL-STD-461 (A, B, C), "Electromagnetic Emission and Susceptibility Requirements for the Control of Electromagnetic Interference,"
(2) MIL-STD-462, "Electromagnetic Interference Characteristics Measurement,"
(3) MIL-STD-1399, "Interface Standard for Shipboard Systems, DC Magnetic Field Environment,"
(4) SAMA PMC 33.1-1978, "Electromagnetic Susceptibility of Process Control Instrumentation,"
(5) IN 83-83, "Use of Portable Radio Transmitters Inside Nuclear Power Plants," and
(6) NUREG/CR-3270, "Investigation of Electromagnetic Interference (EMI) Levels in Commercial Nuclear Power Plants."

The staff reviews the EMI/RFI qualification in the following manner. First, the staff evaluates the plant environment to identify potential EMI/RFI sources, including the effect of open doors during surveillance, the types and strengths of plant radios, the location and direction of microwave sources, and the location and effect of other equipment within and immediately surrounding the installed location. Second, the staff reviews and evaluates the vendor test methodology, the frequency susceptibilities found in the vendor tests, and the vendor system modifications made to compensate for these susceptibilities. This review includes comparing the as-tested and as-installed configurations. Third, the staff reviews the licensee's on-site testing and analysis to confirm the compatibility of the installation with the in-plant environment.
4. Electrostatic Discharge

Electrostatic discharge (ESD) can cause damage to microelectronic components and has been known to cause lock-ups of digital equipment if the discharge is large enough. If no specific ESD tests were performed on the system, then the precautions specified in the vendor technical manuals should be employed. These precautions include the use of ESD mats and grounding straps. In addition, there should be no reported failures resulting from electrostatic discharge at previous installations. The staff verifies that such measures are in place as necessary.
5. Radiation

The licensee should determine the actual total integrated dose (TID) for the digital equipment room. The qualification limits should envelope the actual plant conditions.
III. ISOLATION AND INTERACTION BETWEEN 1E AND NON-1E: NOISE, FAULT AND SURGE WITHSTAND TESTING

The protection system shall be designed to ensure that the effects of normal operating and postulated accident conditions do not result in the loss of the protective function, and that a failure of a control system does not adversely affect the protection system (10 C.F.R. Part 50, Appendix A, GDC 22 and 24). The staff uses the following review guidance for assessing the Class 1E and non-Class 1E interactions:

(1) Regulatory Guide 1.75, "Physical Independence of Electrical Systems;"
(2) IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits;"
(3) IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations;"
(4) IEEE 472-1974, "Guide for Surge Withstand Capability Tests;" and
(5) IEEE 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

Noise sources and noise tests should be chosen to emulate the expected and worst-case noise conditions that may be present on the non-1E wiring in the digital system process rack. The tests performed should be a Random Noise Test (antenna coupled), a Cross-talk and Chattering Relay Test (antenna and direct coupled), the Military Specification MIL-N-19900B Noise Test (antenna coupled), a High Voltage Transient Noise Test (antenna coupled), and a Static Noise Test (antenna and direct coupled). Fault tests should be performed using the maximum credible fault voltages. These voltages are usually in the range of 530 Vac, 250 Vdc, 125 Vac, and 125 Vdc. The vendor should analyze the results and verify that the protective action and monitoring equipment of the system are not affected by noise conditions on non-1E circuits. The staff reviews the results of the tests and the design of the isolation devices. Based on this review, the staff should confirm the adequacy of the isolation features.

IV. GROUNDING

Grounding is important to ensure that (1) there are no ground loops created by the installation, (2) there is a low fault current return path to minimize the effects of noise interference by providing common reference planes of low relative impedance, and (3) the effects of lightning-induced surges on equipment have been minimized.
Although there is no specific NRC-endorsed guidance on grounding, IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations," serves as guidance during the review.

V. POWER

Reliable power sources are fundamental to a highly reliable protection system. Given a loss of electric power, the protection system must fail into a safe state (10 C.F.R. Part 50, Appendix A, GDC 17, 21 and 23). To assess the system power source, the staff reviews the inverter loading and the system electronic power supplies to confirm the quality of the power supplied to the system and the adequacy of the design against the effects of a loss of power.
In this context, the staff uses the term power quality to encompass voltage and frequency variations and the total harmonic distortion before and after the digital installation. The staff's concern is the effect of the existing power distribution system on the digital system and the effect of the digital system on that same power distribution system. The staff also reviews the digital system response to a loss of power. The staff's review confirms that the power supply design provides for appropriate digital system performance.

VI. TESTABILITY

The protection system shall be designed to be testable during operation and shutdown as required, without loss of minimum redundancy, and to provide appropriate indication to the operator of failures and losses of redundancy (10 C.F.R. Part 50, Appendix A, GDC 21). The staff reviews the digital continuous self-test concept to determine (1) which components are not being tested, (2) whether those being tested are tested adequately, and (3) whether any safety-related/non-safety-related interface concerns exist. The impact of the self-testing concept on the operational aspects of the system calibration techniques for the digital systems is also reviewed. Particular attention should be paid to accuracy and completeness. No component or action path should be left untested. Techniques for the interfacing of automatic or manual testing devices are reviewed. Cross-divisional testing concepts are also reviewed.
The staff uses the following criteria and standards for review guidance:

(1) IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations;"
(2) Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions;"
(3) Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems;"
(4) IEEE 338-1977, "IEEE Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems;" and
(5) Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems."

VII. DEFENSE-IN-DEPTH

The protection system shall be designed with appropriate defense-in-depth by incorporating quality and diversity to (1) achieve a high functional reliability, (2) ensure that the system fails into a safe state, and (3) ensure that normal operating, maintenance, and postulated accident conditions do not result in the loss of the protection function (10 C.F.R. Part 50, Appendix A, GDC 21, 22, and 23).
Any applicant for a digital reactor trip or reactor protection system (RPS) replacement should perform a "Defense-in-Depth and Diversity" analysis of the proposed instrumentation and control system to demonstrate that vulnerabilities to common mode failures have been addressed. The staff considers software design errors to be a credible common mode failure potential which must be specifically included in the evaluation. If a postulated common mode failure is capable of disabling a safety function, then a diverse means, one that is unlikely to be subject to the same common mode failure, shall be required to perform either the same function or a different safety function. The diverse or different safety function may be performed by a non-safety system. The amount and types of diversity vary from design to design and will be evaluated on a case-by-case basis. Diverse and independent digital or non-digital systems are acceptable means. The specific set of equipment required will be evaluated on a case-by-case basis. Manual actions from the control room are acceptable if an analysis shows that information, not dependent on the computer system and adequate for diagnostics and plant shutdown, is available to the operator. Credit is usually given for the Anticipated Transient Without Scram (ATWS) mitigation system in this area. The reviewers should verify that there is true diversity between the ATWS system and the Reactor Trip System. Both hardware and software diversity should be included in the ATWS diversity review.

A Defense-in-Depth analysis is described in NUREG-0493, "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System," March 1979. The analysis should show sufficient diversity within the design to demonstrate defense-in-depth for each event evaluated in the plant Accident Analysis, occurring in conjunction with each postulated CMF.
For the purposes of this evaluation, defense-in-depth will be considered to be a combination of system and intra-system diversity, redundancy, performance, and reliability, with the goal of achieving a high degree of safety and compensating for safety system weaknesses. Defense-in-depth and common mode failure concepts appear in varying regulatory contexts, including 10 CFR Part 50, Appendix A, General Design Criterion 22; IEEE 603-1980; IEEE 379-1977, "Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems," endorsed by Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Systems;" and NUREG-0493, "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System."
1. Reliability and Software Common Mode Failure Concerns

A discussion of the reliability of the digital system and a comparison to the existing analog process racks should be provided. Software experience both in and out of the nuclear industry indicates that V&V has its limitations and that a defense-in-depth approach is warranted. As a result, the staff will request the licensee to demonstrate that there is sufficient defense against a digital system common mode failure for all of the analyzed plant transients and accidents. To assess the licensee's defense-in-depth analysis, the staff will consider:

(1) the diverse back-up actuation that will not meet the safety analysis timing requirements if a common mode failure of the digital system is assumed;
(2) the credit that the licensee gives to diverse indication in the control room that would facilitate manual actions if a common mode failure is assumed;
(3) the staff findings regarding the software V&V program;
(4) the experiences with previously approved similar software; and
(5) a qualitative assessment for this application that the probability is low for an accident or transient coupled with a common mode software failure that does not fail into the preferred state.

Based on this assessment, the staff will determine if there is reasonable assurance that, if a software common mode failure occurs, there is a diverse means to safely shut down the reactor.
2. Single Failure Criteria

The purpose of this section is to review the failure modes and effects analysis without a postulated common mode failure. No single failure shall result in the loss of the protective function (10 C.F.R. Part 50, Appendix A, GDC 21 and 23).
Licensees should perform a formal failure modes and effects analysis on the digital system according to IEEE 279-1971. The staff will discuss with the licensee, on a sample basis, how the system design copes with various postulated failures (system and electronic). In all cases reviewed, the analysis should show the ability to detect the failure and/or place the system in the preferred state. Based on this review, the staff should find that the single failure criterion (without postulating the common mode failures above) is satisfied.

VIII. FACTORY TESTING

Factory acceptance testing should be performed by the vendor in addition to the validation testing described above. The testing verifies that the system meets the accuracy and functional requirements as specified by the system functional specifications. The licensee should witness various portions of the testing. The staff will review the results of the factory tests.

IX. TRAINING AND PROCEDURES

An important part of assimilating the digital system environment is ensuring that all procedures affected by the modification are correctly updated and that the operators and technicians have sufficient training in the use and repair of the new system.
A number of existing station procedures will usually need revision, and new procedures will require development to accommodate the digital system. The affected procedures include surveillance, channel calibration, annunciator response, and Abnormal Operating Procedures. These changes should be reviewed and approved by the plant Technical Staff. Once the procedures are changed, they are again reviewed by the cognizant engineer and sent to the On-site Review Committee for approval. The staff will perform an audit review of these procedures.

The vendor should provide detailed operation and maintenance manuals to the licensee. The licensee should incorporate these vendor recommendations into their station procedures in accordance with the licensee's commitments under Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Event." The licensee should also ensure that appropriate plant staff are trained in the operation and maintenance of the digital system, particularly when changes to the system are being implemented.

X. FOLLOW-UP REPORTING

The installation of the system and the initial start-up testing are reviewed by the staff. The staff reviews the final test results and summary reports upon the completion of these tests. The reports reviewed by the staff are:

(1) a summary of the power quality testing, including the results, a comparison to the system specifications, and a summary of the analysis of the effect of any increased distortion created by the system on other plant instruments;
(2) summaries of the response time testing, including a description of the test, the results with comparisons to the safety analysis, and any physical or analytical changes that may be required;
(3) results of the ground and power line continuity measurements and the changes that were needed; and
(4) summaries of the vendor and licensee on-site start-up, sequencer, functional and system verification testing.
CONCLUSIONS

In its review of digital system retrofits, the staff considers (1) the V&V process used for software development, (2) equipment qualifications, (3) defense-in-depth concepts used to compensate for software common mode failure concerns, (4) licensee ability to monitor and assess system performance through the follow-up reporting commitments, and (5) experience with the digital system. Based on these considerations and the foregoing review, the staff confirms compliance with the requirements of 10 CFR Part 50, Appendix A, GDCs 2, 4, 20, 21, 22, 23, 24 and 25, Section 50.55a(h) with respect to IEEE Std. 279, and the guidance of Regulatory Guide 1.152.

The staff also verifies that the system is capable of upgrades of varying magnitudes. Some of these system changes may invalidate portions of the staff's review. Therefore, it is incumbent upon the licensee to carefully analyze any future modifications to this system to ensure that the staff's safety finding remains valid.
REGULATIONS AND REVIEW GUIDANCE

10 C.F.R. Part 50, Appendix A, G.D.C. 2
10 C.F.R. Part 50, Appendix A, G.D.C. 4
10 C.F.R. Part 50, Appendix A, G.D.C. 17
10 C.F.R. Part 50, Appendix A, G.D.C. 20
10 C.F.R. Part 50, Appendix A, G.D.C. 21
10 C.F.R. Part 50, Appendix A, G.D.C. 22
10 C.F.R. Part 50, Appendix A, G.D.C. 23
10 C.F.R. Part 50, Appendix A, G.D.C. 24
10 C.F.R. Part 50, Appendix A, G.D.C. 25
Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions"
Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems"
Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Systems"
Regulatory Guide 1.75, "Physical Independence of Electrical Systems"
Regulatory Guide 1.97, "Instrumentation for Light-Water Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident"
Regulatory Guide 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants"
Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems"
Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants"
Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Event"
IN 83-83, "Use of Portable Radio Transmitters Inside Nuclear Power Plants"
NUREG-0493, "A Defense-in-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System"
NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants", Chapter 7, Instrumentation and Control
NUREG/CR-3270, "Investigation of Electro-magnetic Interference (EMI) Levels in Commercial Nuclear Power Plants"
ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations"
ANSI/IEEE Std. 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Institute of Electrical and Electronics Engineers
ANSI/IEEE Std. 1012-1986, "IEEE Standard for Software Verification and Validation Plans"
IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations"
IEEE Standard 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations"
IEEE 338-1977, "IEEE Standard Criteria for Periodic Testing of Nuclear Power Generating Station Safety Systems"
IEEE Standard 344-1975, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations"
IEEE 379-1977, "Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems"
IEEE 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits"
IEEE 472-1974, "Guide for Surge Withstand Capability Tests"
IEEE 730-1989, "Software Quality Assurance Plans"
IEEE 828-1983, "Software Configuration Management Plans"
IEEE 829-1983, "Software Test Documentation"
IEEE 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations"
IEC 880, "Software for Computers in the Safety Systems of Nuclear Power Stations"
ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications," American Society of Mechanical Engineers
MIL-STD-461 (A, B, C), "Electro-magnetic Emission and Susceptibility Requirements for the Control of Electro-magnetic Interference"
MIL-STD-462, "Electro-magnetic Interference Characteristics Measurement"
MIL-STD-1399, "Interface Standard for Shipboard Systems, DC Magnetic Field Environments"
SAMA PMC 33.1-1978, "Electro-magnetic Susceptibility of Process Control Instrumentation"
}}