ML20058G635
| Person / Time | |
|---|---|
| Issue date: | 11/19/1993 |
| From: | Wermiel J Office of Nuclear Reactor Regulation |
| To: | Taylor J BABCOCK & WILCOX CO. |
| References: | NUDOCS 9312100012 |
November 19, 1993

James H. Taylor
Licensing Services
B&W Nuclear Technologies
3315 Old Forest Road
P.O. Box 10935
Lynchburg, VA 24506-0935
Dear Mr. Taylor,
On July 19, 1993, B&W submitted Topical Report BAW-10191P, "STAR System Components for Reactor Protection System Digital Upgrades." This has been reviewed with great interest, and the staff feels your approach has significant merit.
If correctly implemented, the STAR system could alleviate many of the current concerns about common cause software failure and electromagnetic interference/radio frequency interference (EMI/RFI) susceptibility. While we understand from the 7 October meeting that the design of both the hardware and software are not complete, we do have some questions. These questions are in Enclosure 1.
It may be that you are already planning to address these issues in the additional submittals after the design and verification and validation (V&V) are completed, but if not, we feel these are items which will need to be addressed.
We look forward to the additional design details requested, as well as any other information you may wish the staff to consider in the process of performing the safety evaluation. Should you need any clarification on any of the questions, or wish to discuss other matters, please call me at (301) 504-2821 or Paul Loeser of my staff at (301) 504-2825.
Original signed by:
Jared S. Wermiel, Chief
Instrumentation and Controls Branch
Division of Reactor Controls and Human Factors
Enclosure: As stated

Contact: Paul Loeser, HICB 490800 504-2825

DISTRIBUTION: Central File; HICB R/F; P. Loeser; PDR; J. Mauck

Concurrence: HICB, PLoeser:lsh; BC:HICB:DRCH, JWermiel. Dates: 11/11/93, 11/19/93.

9312100012 931119 PDR TOPRP ENVBW C PDR
ENCLOSURE 1

Additional Questions
STAR Module:

1. Provide a description of the microprocessors used in the STAR Module (e.g. vendor, number of bits, etc.).

2. Provide a description of the codes used in the safety function processors (e.g. version of "C," number of lines of code, system and application software used, etc.).

3. What safety function processor routines are programmed using assembler modules?

4. Provide a description of the compilers.

5. It is stated that repetitive program stall occurrences such as an incorrect read operation result in a trip of the module. How many faults such as this are tolerated before a trip occurs?

6. Is there a firmware memory board dedicated to each safety function processor? Is each protection function programmed into the module using separate firmware boards?

7. Provide a description of the components used in the filter portion of the analog input circuitry including the error and drift attributed to these components.

8. What type of Analog to Digital Converter and Multiplexer are used? Number of bits?

9. What is the type and rating of the optical isolators used in the discrete input circuitry?

10. Provide a description of the latches used including the method used for diagnostic testing.

11. How fast is the main program cycle including the generation of a trip output? How does this compare to the RPS protection function channels response time requirements?

12. How often are the self-diagnostic tests run? Explain how a fatal fault detected by a diagnostic test will result in a reactor trip.

13. Are there any tests that verify the STAR module system response to a loss of power or safety function processor inoperability?

14. Provide the results of the environmental testing (temperature, humidity, vibration, EMI/RFI, etc.) when available.
SMC and CTC:

15. Provide a description of the compilers, computers, and software (vendor) that are used in the System Monitor Computer (SMC) and the Calibration and Test Computer (CTC).

16. How often is the STAR module tuned and calibrated? Are all tuning constants and calibration setpoints that are entered by the user compared to a predetermined allowable range of values? When calibration is performed, are the values for each µP loaded and verified separately? Is there the possibility of the same wrong values being inadvertently put into each of the diverse systems?

17. Describe the hardware interlock that is used to prevent replacement of tuning constant data in the module EEPROM unless the mode selector switch is placed in the TUNE position.

18. What are the typical results of the trip accuracy and response time tests? How often are these tests performed and what are the acceptable results?

19. Explain how the correct transmission of data from the CTC such as calibration setpoints and tuning constants is checked by the STAR modules.
Communication Processor:

20. Provide a description of the communication processor (e.g. vendor, programming language, software, etc.).

21. Can a failure of the communication processor propagate a failure of the STAR module?

22. Serial Data Bus Isolation Module - How does this work? Is this a software isolation, where the STAR module is not supposed to read data, or is this a hardware isolation, and something is disconnected? How does the serial data bus work if the control signals (RTS, DTR, etc.) are not received?
General

23. Provide a copy of the V&V plan, test plans, Configuration Control Manual, and hardware and software functional requirements. Does the V&V plan conform to IEEE 7.4.3.2-1993?

24. Provide copies of the V&V reports and test reports when completed.

25. Has the effect of input consolidation been taken into consideration? If a STAR module is processing four protective functions simultaneously, what has been done to insure that one of those functions is not the backup for another of these functions?

26. It is stated that use of low error and drift components in the filter portion of the ADC eliminates the need for separate calibration of individual channels. Please explain this in greater detail.

27. Explain how connection of the analog outputs of the ADC to the Multiplexer permits diagnostic testing.

28. The operation of the Deadman timer in the I/O interface board is unclear. Provide additional details. Since this appears to be purely a digital timer, is there also a hardware Deadman or Watchdog?

29. Please provide details on how the Keylock switch works, and how functions are inhibited, i.e., reading of RAM data in "Operate" or trip in "Tune" or "Calibrate." Are these software or hardware driven, and in either case, how?

30. Please provide additional details on the Electrical/EMI testing, including which standards are referenced, which test methods are used, and which limits are considered acceptable. Include the frequency range to be tested, and a justification of the upper and lower limits.

31. Does the SQAP meet the guidance of ANSI/IEEE Std. 730-1989, or is it as stated in section 5.3, where the format is in accordance with ANSI/IEEE Std. 730-1989?