ML20058N001
| ML20058N001 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom  |
| Issue date: | 09/30/1993 |
| From: | James Shea Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 9310070255 | |
| Download: ML20058N001 (23) | |
Text
8 .
p pRfG
- k UNITED STATES fh1 .3
- 1 gr f NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001
\ September 30, 1993 Docket Nos. 50-277 and 50-278 LICENSEE: Philadelphia Electric Company, et al.
FACILITY: Peach Bottom Atomic Power Station, Units 2 ard 3
SUBJECT:
PLANNED ANALOG TO DIGITAL EQUIPMENT RETROFIT MODIFICATIONS AT PEACH BOTTOM ATOMIC POWER STATION, UNITS 2 AND 3 On September 2, 1992, the NRC staff met with representatives of the Philadelphia Electric Company (PECo) to discuss installation of certain planned analog-to-digital retrofit modifications during the scheduled September 1993 Peach Bottom, Unit 3 refueling outage. The meeting was requested by PEco to discuss certain issues involved in replacing analog instrumentation with digital equipment.
The meeting opened with a brief discussion by PEco on the types of issues considered by PECo when making digital retrofits. PECo stated that they are closely following the interaction between NUMARC and the NRC staff on digital issues. PECo has developed internal guidance for its engineering organization that includes information taken from the NUMARC/NRC discussions and from interactions between the staff and other licensees. The licensee has developed additional internal guidance on the applicability of 10 CFR 50.59 to digital retrofits. Examples of this internal guidance are included as Enclosures 1 and 2.
The licensee then presented information regarding specific digital modifications and design equivalent changes (DECs). Each of the modifications and DECs are summarized in Enclosure 3. Certain specific technical issues drew staff questions during discussions of several of the modifications.
During discussions on software configuration control, the licensee stated that several of the modifications would use factory configured firmware which is less susceptible to inadvertent loss of configuration control. In response, the staff challenged the licensee to critically evaluate their onsite expertise regarding the software basis for the firmware. During discussions of the performance and operation of independent monitoring devices, the staff questioned the licensee's understanding of the failure modes of the watchdog devices. Finally, the staff suggested that the licensee evaluate their level of understanding of digital equipment vendor validation and verification programs.
The licensee discussed the challenge of reconciling the 10 CFR 50.59 screening l process with some of the technical issues posed by digital retrofits. As an example, a modification that replaces an analog component level device with a digital device that is designed to perform identical functions and have an identical response might not necessarily cause the screening process to ,
l l BPS 88s!!83ll;7 gpg p g E !' M G M pm i m
trigger an unreviewed safety question determination. The staff stated that .
the discussions underway between the industry and the staff regarding this digital equipment and the 10 CFR 50.59 process should reduce some of the uncertainty. In addition, the staff stated that, in the interim, the licensee's 10 CFR 50.59 process needs to consider the aspects of digital technology that are different from the well understood and reviewed mechanisms and failure modes of original analog equipment.
/S/
Joseph W. Shea, Project Manager Project Directorate I-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
Enclosures:
- 1. PEco Guidance on Digital Issues
- 2. PECo Guidance on Digital 10 CFR 50.59 Evaluations
- 3. Meeting Agenda / Modification Description
- 4. List of Meeting Participants DISTRIBUTION w/ Enclosure 4 DISTRIBUTION w/ Enclosures 1, 2, 3 and 4 TMurley/FMiraglia Docket File JPartlow NRC & Local PDRs '
SVarga PDI-2 Reading JCalvo EWenzinger, RGN-I MBoyle CAnderson, RGN-I M0'Brien PBonnet, RGN-I OGC JShea EJordan BBoger JMauck PLoeser ARamey-Smith ACRS(10)
VMcCree, ED0 17G-21 0FFICE PJM/($M PDI-2dd HISB/BC PDI-2/D ,
NAME $0'[rfenM JSh M N JWhel MBoyleh 0
DATE kN'/h93 Q/h93 9/h2/93 / ///93 __
0FFICIAL RECORD COPY '
DOCUMENT NAME: PB9-2.MTS l
t i
e-
[
trigger an unreviewed safety question determination. The staff stated.that the discussions' underway between the industry and the staff regarding this ;
digital equipment and the 10 CFR 50.59 process should reduce some of the uncertainty. In addition, the staff stated that, in the interim, the
' licensee's 10 CFR 50.59 process needs to. consider the aspects of digital ,
technology that'are different from the well understood and reviewed mechanisms '
and failure modes.of original analog equipment A \
JcsephW.Shea,ProjectManager- f Project Directorate I-2 i Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation ;
Enclosures:
- 1. PEco Guidance on Digital Issues i
- 2. PECo Guidance on' Digital l 10 CFR 50.59 Evaluations .;
- 3. Meeting Agenda / Modification Description 1
- 4. List of Meeting Participants 9
'f i
9 l
t I
Philadelphia Electric Company Peach Bottom Atomic Power Station, Units 2 and 3 cc:
J. W. Durham, Sr., Esquire Mr. William P. Dornsife, Director Sr. V.P. & General Counsel Bureau of Radiation Protection Philadelphia Electric Company Pennsylvania Department of 2301 Market Street, S26-1 Environmental Resources Philadelphia, Pennsylyania 19101 P. O. Box 2063 Harrisburg, Pennsylvania 17120 Philadelphia Electric Company ATTN: Mr. D. B. Miller, Vice President Board of Supervisors Peach Bottom Atomic Power Station Peach Bottom Township Route 1, Box 208 R. D. #1 Delta, Pennsylvania 17314 Delta, Pennsylvania 17314 Philadelphia Electric Company Public Service Conmission of Maryland ATTN: Regulatory Engineer, Al-2S Engineering Division Peach Bottom Atomic Power Station ATTN: Chief Engineer Route 1, Box 208 231 E. Baltimore Street Delta, Pennsylvania 17314 Baltimore, MD 21202-3486 Resident Inspector Mr. Richard McLean U.S. Nuclear Regulatory Commission Power Plant and Environmental Peach Bottom Atomic Power Station Review Division P.O. Box 399 Department of Natural Resources Delta, Pennsylvania 17314 B-3, Tawes States Office Building Annapolis, Maryland 21401 Regional Administrator, Region 1 U.S. Nuclear Regulatory Commission Mr. George A. Hunger, Jr.
475 Allendale Road Director-Licensing, MC 52A-5 ,
King of Prussia, Pennsylvania 19406 Philadelphia Electric Company Nuclear Group Headquarters Mr. Roland Fletcher Correspondence Control Desk Department of Environment P.O. Box No. 195 201 West Preston Street Wayne, Pennsylvania 19087-0195 Baltimore, Maryland 21201 Carl D. Schaefer External Operations. - Nuclear Delmarva Power & Light Company P.O. Box 231 Wilmington, DE 19899
)
John Doering, Chairman Nuclear Review Board Philadelphia Electric Company 1 955 Chesterbrook Boulevard Mail Code 52C-1 Wayne, Pennsylvania 19087
ENCLOSURE 1 The NRC concerns regarding analog to digital can be summarized as follows: -
o Common mode failure by software:
- Similar or identical software running on identical hardware in multiple trains of
~
redundant instrumentation.
o Sensitivity of dicital based systems to plant environments:
- EMI/RFI, temperature, power quality and grounding.
O Possible lack of on-site experience: .
- In troubleshooting, problem recognition, and assimilation of system in plant. .
o Commercial dedication of hardware and software:
- There are few Appendix B Suppliers of digital based devices.
The following is an edited summary of NRC requests for additional information on digital upgrades performed at Brunswick (GE NUMAC) and Zion (Westinghouse EAGLE-21).
General Backerdund Information
- Provide design information of the digital device. Include the descriptions of the ,
devices used in the microprocessor, the programming language, compiler, type of microprocessor etc.
- Discuss the temperature and humidity qualifications of the digital device and how these qualifications meet normal plant and worst case accident conditions.
- Provide drawings and descriptions of the physicallocation of the replacement system in the plant.
Functional Diversity Be prepared to discuss in detail and provide support documentation on the effect of the digital device on functional diversity of the system. The discussion should follow design basis accidents and license commitments on the effects of replaced module consolidation and system architecture on instrument availability, technical specifications and safety systems.
Failure Modes and Effects Be prepared to discuss specific failure modes such as:
- Loss of input signal.
- High impedance ground on output.
- Out of range inputs.
- Bus voltage degraded beyond operating limits (including spikes, surges and sags).
- coordination of the self check and continuous monitoring modes with normal digital 3
.W Tt # ' & M T S
- o. -
t
. device operations.
- The steps requited to recover the digital device after a loss of power incident. -
l Fail Safe i
Be prepared to provide details on:
- Operation and design of watchdog timers. -
- Operation and design of any other circuits tised to place the digital device in its fail safe condition.
- Design of manual override circuits. .[
- Describe the memory-retention capability of the system. 6
- "Back-up" provisions to the digital device.
- Alarms for the loss of self-diagnostic features. l
- Potential failures for which the digital device is not capable of detecting during i functional testing.
Procedures
- Describe site acceptance / pre-operational testing: specifically address loss of power to ,
the digital device during standby and power operation. i
- Be prepared to discuss how digital specific issues have been incorporated into l proceduresrFor example: introduction of noise, potential grounding problems, electro-static discharge, and security requirements for rack and software entry (VIA MMI). !
- Be prepared to discuss the applicability of installation procedures including rack / panel ,
modifications (gasket installations, RFI mesh). Of particular interest, is whether the !
installation will correctly reflect the racks / panels as tested in the environmental !
qualification test, how wiring is bundled and how new wiring will be added.
' Grounding ,
i Be prepared to discuss digital device grounding. ;
- Are analog and digital grounds isolated?
- Are subsystems cases grounded to a common point? !
- What are the effects on the system if a problem occurs on the earth ground? !
- How are ground loops prevented? Is the digital device to be tested for ground loops !
< after installation? !
IiM1 Be prepared to discuss: ;
- The EMI specifications and justify the margin between the EMC specifications and !
expected plant EMI. !
- The process by which PECo will verify that the EMI environment at the plant is ;
enveloped by the digital device EMC test parameters. .
- If switching power supplies are used, what provision is made to control harmonic distortions in the digital device.
i s
c.
t l
An appropriate EMI specification is: ?
Military Standard, MIL-STD-461 " Electromagnetic Emission and Susceptibility Requirementsfor the Control of Electromagnetic Interference."
Military Standard, MIL-STD-462, " Electromagnetic Interference Characteristics Measurement".
Example:
"The signal strength of any emitted electrical noise shall not exceed those limits ,
stated in MIL-STD 461, Group A3 and measured by the guidelines stated in MIL-STD 462 " ;
" Equipment susceptibility to electrical noise shall be less those limits stated in MIL-STD 461, Group A3 and measured by the guidelines stated in MIL-STD 462."
Response Times 1 Be prepared to discuss response times of the digital device as compared to the previous device.
r .
Backup Batteries ,
- Does the digital device contain lithium backup batteries? If so, has the issue been addressed in the fire hazard checklist.
- Do the RAM backup batteries require periodic maintenance (i.e. do they need to be j exercised, or periodically replaced)?
- What effects od the backup batteries have on system RAM? !
Software Topic Ouestions and Documentation
- Describe the plans for performing the V&V of the digital device logic. If the V&V i has been performed, provide the documentation of the V&V plan. If the V&V has not been performed, describe the process by which PECo will ensure the adequacy of the software used in the digital device for class 1E applications. ,
- Provide acceptance criteria for hardware and software, and also discuss traceability of products at different development stages to their specifications.
- Provide the acceptance criteria and procedures for, and results of the
~
hardware / software integration testing.
- Provide procedures and results for the startup testing.
l
- Provide a listing of all software errors and their ensuing corrections. )
i
- Be prepared to discuss the plan to describe interface for configuration management, software changes, error reporting, etc.
i
F
. The most recent guidance was summari:ed in NRC Information Notice 93-57: Software . :
Problems involvine Digital Control Console Systems at Non-Power Reactors: i "An effective verification and validation (V&V) plan for software that performs a safety function can help ensure acceptable design and implementation. Some acceptable V&V l plans are listed in Regulatory Guide 1.152, Criteria for Programmable Dieltal ;
Computer Software in Saferv-Related Systems at Nuclear Power Plants, and in j ANSillEEE Standard 1012-1986, IEEE Standard for Software Verification and ,
Validation Plans. Guidancefor determining design specyications that are to be venfied and validated is available in ANSillEEE Standard 830-1984,1EEE Guide to Software ;
Reauirements Specification." *
"Another key element related to digital systems is the control of software configuration changes. Guidancefor software configuration change control is available in .
ANSillEEE Standard 282-1983, IEEE Standard for Software Configuration ,
Management Plans."
MMI .
- Discuss the MMI and how it interacts with the digital device.
- Discuss the process of altering setpoints through MMI or other means, I.e. password protection,2dministrative control, etc. ;
lE and Non-lE Isolation
- Provide a detailed description of the devices used to accomplish electrical isolation i between the IE and non-lE systems and describe the specific testing performed to I demonstrate that the devices are acceptable for this application. !
- Provide data to verify that the maximum credible faults applied during the tests discussed in the above question were the maximum voltage / current to which the i device could be exposed, and explain how the maximum voltage / current was determined.
- Verify that other faults were considered (i.e.,open and short circuits).
i i
Commercial Grade Item Dedication (Is the system beine procured at a safety-related 6
system?) +
- Provide the procurement documentation for the digital device. ;
- Provide the mean-time-to-failure and the mean-time-to-repair information for the .
digital device.
- Provide standards and procedures used to dedicate the digital device.
- Describe the criteria that governed tlic successful completion of the V&V commercial j grade dedication of the digital device.
- Identify the methods and acceptance criteria for verifying the critical characteristics.
1
.. _ _~ . - -
--.. A
i ENCIDSURE 2
- The following is the most recent draft of this guidance and includes the NRC conunents. >
SUPPLEMENTAL GUIDANCE FOR 10CFR50.59 EVALUATIONS ,
OF DIGITAL UPGRADES The following provides items to consider in answering each of seven questions. If any of these questions is answered "yes", the change is an unreviewed safety question. It is iraportant to ensure that all items are addressed fully and that all valid potential unreviewed safety questions are identified.
(1) May the proposed activity increase the probability of occurrence of an accident evaluated previously in the Safety Analysis Report (SAR)?
Areas that should be addressed in responding to this question include the following: l (a) Does the replacement system exhibit performance characteristics, or have design features, that give an increased probability of a system malfunction resulting in an accident? The assessment of a change in probability may be made on a qualitative basis, particularly for systems or components which rely on software since there does not currently exist a consensus method for quantifying software reliability- Common mode and common cause failures of software shall be considered. 1 (b) Does the system exhibit performance characteristics that require additional operator intervention for continued normal operation (e.g., lockup, halt)? It should also be noted that lockup or halt may be a new type of malfunction and should be addressed under item 6 of this section.
(c) Is the system qualified for the installed environment (e.g., temperature, humidity, )
electromagnetic fields, airborne particulate) such that system performance will not be degraded compared to the original system?
(2) May the proposed activity increase the consequences of an accident evaluated previously in the SAR?
The following areas should be addressed in responding to this question to determine if the activity results in an increase in radiological releases above the licensing limit: ;
(a) Does the replacement system exhibit a response time beyond current acceptance limits (e.g., because of sample period, increased filtering)?
(b) Does the system perform adequately under high duty cycle loading (e.g., :
computational burden during accident conditions)?
(c) Does the architecture of the system exhibit a single failure that results in more ,
severe consequential effects (e.g., reduced segmentation due to combining previously separate functions, several input channels sharing an input board, i central low processor for many channels)? i (d) Does the man-machine interface design introduce constraints on the operator's ability to adequately respond to an accident such that there are more severe consequential effects?
- ,- . w r,N---
4 1 I
)
. (3) May the proposed activity increase the probability of occurrence of a malfunction of equipment important to safety evaluated previously in the SAR?
. l Areas that should be addressed in responding to this question include the following:
(a) Does the modified system meet the required plant environmental and seismic l envelopes? -
(b) Is the replacement system qualified for the electromagnetic fields at the installed location? What effect does plant equipment operation have on the system (e.g.,
walkie talldes, motors, switchgear, etc.)? )
(c) Have potential interactions between safety-related and nonsafety-related systems i been addressed?
(d) Are the electrical loads associated with the replacement system addressed in the design?
(e) Does the plant HVAC have adequate capacity for the thermal loads of the replacement system? !
(f) Does the replacement system meet applicable requirements for separation, l independence, and grounding? '
(g) Does the microprocessor-based system have adequately qualified cabinet cooling? !
(4) May the-proposed activity increase the consequences of a malfunction of equipment important to safety evaluated previously in the SAR?
Areas that should be addressed to determine if the activity could result in an increase in the radiological releases above the current licensing limit include the following: j (a) Does the replacement system exhibit the same failure modes affecting radiological releases as the analog system (e.g., fail low, fail high, fail-as-is, diagnostic failures)? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR7 (b) Since a software common mode failure (CMF) is a credible failure mode, are the consequences mitigated by the hardware design or system architecture? If not, is the probability of a software CMF in conjunction with other concurrent events assumed in the safety analysis judged to be sufficiently high that the consequences of a malfunction previously evaluated are increased? Are the consequences bounded by other events evaluated in the SAR7 (c) Does the replacement system have the same failure mode as the analog system on .
loss of power? If the failure mode is different, are the consequences increased beyond what was evaluated previously in the SAR7 *
(d) Is the response of the replacement system on restoration of power different from that of the analog system being replaced? :
(e) Does the man-machine interface (MMI) introduce failure modes different from those of the existing analog system? Is there an equivalent to the MMI in the ,
system being replaced, or does the existence of a new type of equipment create a new type of failure?
(5) May the proposed activity create the possibility of an accident of a diferent type than any evaluated previously in the SAR?
4
.m .. a v.., .z_--_ t + t _
. Areas that should be addressed in responding to this question include the following:
(a) Have assessments of system-level failure modes and effects for the ,
microprocessor-based system identified any new types of failure modes that could cause a different type of accident than presented in the plant SAR?
(b) Are the consequences of a software common mode failure mitigated by the >
hardware design or system architecture? Could the failure cause a different type '
of accident than presented in the SAR7 (c) Plant SAR analyses were based on credible failure modes of analog equipment.
Dces the replacement system change the basis for the most limiting scenario?
(6) May the proposed activity create the possibility of a malfunction of equipment important to safety of a dgerent type than any evaluated previously in the SAR?
This question is asking if the digital equipment could lead to a failure mode of a different type than types evaluated in the SAR. In answering this question, the types of failure modes of the analog system being replaced that have been previously evaluated in the SAR and that are affected by the replacement are identified. Then types of failure modes that the digital replacement system would create are identified.
Comparing the two lists can provide the answer to the question.
l7) Does theproposed activity reduce the margin of safety as defined in the basisfor any technical specification?
A review of the bases and assumptions for the Technical Specifications and acceptance limits spelled out in the NRC SERs should be made to support this determination. The areas to be addressed include the following:
(a) Has,the replacement I&C system decreased the channel trip accuracy beyond the acceptance limits?
(b) Has the replacement I&C system increased the channel response time beyond the acceptance limit?
(c) Has the replacement I&C system decreased the channelindicated accuracy beyond the acceptance limit? l (d) Does the new control system cause a plant parameter for any analyzed event to fall outside of acceptance limits?
. . y ae* +- a + we a e e-, e m + =W e' + e - y9erP * . fe v-
AGENDA
- INTRODUCTION. 1
- GENERIC APPROACH TO DIGITAL '
UPGRADES. .
- DISCUSSION OF 3R09 i MODIFICATIONS. l CLOSTNG REMARKS.
r l l
4 s
4 l
! +-
PECo Analog to Digital Upgrades for PB 3R09
~
SUMMARY
~
> Evaluated on a case by case basis.
- Actively tracking NRC/NUMARC resolution of j issues on Proposed Generic Letter: 1 Analog-to-Digital Replacements Under the .
10CFR50.59 Rule. )
- Adapted NUMARC " Supplemental Guidance for ,
10CFR50.59 Evaluations for Digital Upgrades" !
(With NRC comments of July 1993).
- EMI Map scheduled for areas to comply with i EPRl/ Utility Working Group recommendations.
l
- Evaluated concerns on EMI, MMI, and failure .
modes (DEC).
- High confidence " Catalog Type" single l function items (DEC).
l
9 MODIFICATION 5281 MCR VENT RMS UPGRADE -
Reo acement o ooso e:e instrumen~:a: ion :
& ogic mociica: ion '
> Radiation Monitor (RIS) is a microprocessor.
- FUNCTION:
-Converts analog signal to digital indication.
-Simple principal, compares signal to predetermined setpoint. ,,
-Provides appropriate input signal to CREV.
-> DESIGN ASPECTS:
-EMI/RFI MIL-STD 461-C, 462-C and SAMA PMC 33.1.
-Factory configured firmware. '
-V&V by manufacturer (on PECo EVL).
ANSI /IEEE-ANS 7.4.3.2 and ANSI /ANS 10.4
-Watchdog circuitry. -
Envelopes critical failure No additional operator intervention.
Provides failure signal to system level. l
-Response time within acceptable limit of existing equipment.
-System less prone to instrument failures.
.. -.... - .- . .. .. . .w
MODIFICATION 5287 DRYWELL VENT RMS UPGRADE Reo acemen~: o" oaso e:e ins':rumenta: ion l l > Radiation Monitor (RIS) is a microprocessor.
- FUNCTION:
-Converts analog signal to digital indication.
-Simple principal, compares signal to predetermined setpoint.
-Provides appropriate annunciation to operators.
- DESIGN ASPECTS:
-EMI/RFI MIL-STD 461-C,462-C and SAMA PMC 33.1.
-Factory configured firmware.
-V&V by manufacturer (on PECo EVL).
ANSI /IEEE-ANS 7.4.3.2 and ANSI /ANS 10.4
-Watchdog circuitry.
Envelopes critical failure No additional operator intervention.
Provides failure signal to system level.
-Response time within acceptable limit of existing equipment.
-System less prone to instrument failures.
- * * * ~ ~
-u
MODIFICATION 5236 TORUS HARDENED VENT Ins:alla: ion o" NRC Vlanda:ec Moci"ication
- Radiation Monitor (RIS) is a microprocessor.
- FUNCTION:
-Converts analog signal to digital indication.
-Simple principal, compares signal to predetermined '
setpoint.
-Provides appropriate annunciator to operators.
- DESIGN ASPECTS:
-EMI/RFI MIL-STD 461-C, 462-C and SAMA PMC 3 3.1. -
-Factory configured firmware.
-V&V by manufacturer (on PECo EVL).
ANSI /IEEE-ANS 7.4.3.2 and ANSI /ANS 10.4
-Watchdog circuitry. l Envelopes critical failure j No additional operator intervention.
l Provides failure signal to system level.
l l
1 I
1 l
. , . . . _ . _ ~ , - , , , _ . . . .. _ _ _ , _ _
l MODIFICATION 5274 -
1 CAD /CAC H2/02 REPLACEMENT Re a acemerr: of o osoLe":e ins":rumen":a": ion whiLe imaroving oeriormance & reLiabiity
- Analyzer is a microprocessor based instrument.
- FUNCTION:
-Converts analog signal to digital indication.'
-Provides appropriate H2/02 levels to operators to make dec,isions.
- DESIGN ASPECTS:
-EMI/RFI Testing performed by manufacturer.
-Factory onfigured firmware.
l
-V&V by manufacturer (on PECo EVL).
j
-Watchdog circuitry.
Provides failure signal to system level.
-System less prone to instrument failures. l
-Two fully independent analyzers. l
-Only CAD portion of system is required to be 1E.
e
.. ...: g . _}
MODIFICATION 887 .
REACTOR RECIRC FLOW CONTROL UPGRADE Re3 acement o" oaso e:e ins:rumentation & ,
ocic moci"ica: ion
- Controller is a microprocessor based device.
- FUNCTION: ~
-Provides analog signal to control reactor recirc.
system pump.
-Speed, open loop manual control.
-Performs pump speed runback functions. )
-Provides appropriate input control signal to M-G set scoop tube positioner.
- DESIGN ASPECTS:
-Digital controller shielded.
-Factory configured firmware.
-V&V by manufacturer.
-Provides failure signal to 'control room annunciator.
-Response time within acceptable limit of existing equipment.
-System less prone to instrument failures.
DEC 93 ~0001,3 OFFGAS RAD MONITC'RS REPLACEMENT .
> Function
-Converts analog signal to digital signal for alarm and indication only -
- Microprocessor based, compares signal to predetermined setpoint
-No changes to system function or failure modes
- EMI/RFI
-GE has performed numerous EMI/RFI tests on NUMAC equipment
-EMI mapping planned for 3R09 outage
- Validation & Verification (V&V)
-Same program that was approved by NRC in NEDO 31439-A -
- Man-Machine Interface ( MMI )
-Keylock and password protected i
- Software
-Factory configured firmware !
- Watchdog" circuitry l
1
DEC 93-0004,5,6,7. .
MAIN STEAM RAD MONITORS REPLACEMENT
> Function
-Converts analog signal to digital signal for alarm, indication and trip functions (scram, Group I isolation) ,
-Microprocessor based, compares signal to predetermined setpoint
-No changes to system function or failure modes :
- EMI/RFI
-GE has performed numerous EMI/RFI tests on NUMAC equipment .
-EMI mapping planned for 3R09 outage
> Validation & Verification (V&V)
-Same program that was approved by NRC in NEDO 31439-A ,
- Man- Machine Interface ( MMI )
I
- Software:
-Keylock and password protected Software
-Factory configured firmware
- Watchdog" circuitry e-ee - w s a w ww w v. , +, p , e - - , m w = . . - , sp= w p 4 -+,7
DEC 93-001186 _
FC-3-23-108 REPLACEMENT
- Description -
Replaces obsolete GE analog controller with new MOORE Mycro 352 digital controller
> Function
-Controls HPCI flow
-Converts analog signal to digital, processes information via microprocessor and converts digital output to analog signal .
-No changepto system function or failure modes
- EMI/RFI
-Equipment qualified and tested to EPRI Guideline TR-102323 which uses MIL STD 461C and 462
-EMI mapping planned for 3R09 outage
> Validation and Verification ( V&V )
~
-V&V by NUTHERM (on PECO EVL) to the intent ANSI /IEEE-ANS 7.4.3.2 and ANSI /ANS 10.4
- Man-Machine Interface (MMI)
-Mode select pushbuttons protected by cover
- Software
-Factory configured firmware
- Watchdog" timer
^ --
n^. . a 41.*rhAhe e*wm_% .m.
q*;g y ; my e
e DEC 93-001187 FC-3-13-91 REPLACEMENT
- Description Replaces obsolete GE analog controller with new :
MOORE Mycro 352 digital controller
> Function
-Controls RCIC flow
-Converts analog signal to digital, processes information via microprocessor and converts digital output to analog signal
-No change,s to system function or failure modes
- EMI/RFI
-Bquipment qualified and tested to EPRI Guideline TR-102323 which uses MIL STDS 461C and 462
-EMI mapping planned for 3R09 outage
- Validation and Verification ( V&V )
-V&V by NUTHERM (on PECO EVL) to the intent ANSI /IEEE-ANS 7.4.3.2 and ANSI /ANS 10.4
- Man-Machine Interface (MMI.)
-Mode select pushbuttons protected by cover
- Software
-Factory configured firmware
-" Watchdog" timer
=* - =4 y , to 4, *9r=*,F
f i
4 ENCLOSURE 4 MEETING BETWEEN NRC AND PHILADELPHIA ELECTRIC COMPANY ,
ON DIGITAL INSTRUMENTATION AND CONTROL MODIFICATIONS AT PEACH BOTTOM ATOMIC POWER STATION. UNITS 2 AND 3 September 2. 1993 NAME ORGANIZATION ;
M. Kray PECo T. Niessen PEco R. Di Sandro PEco J. McLaughlin PEco F. Cook PEco D. Keene PECo J. Menge PECo E. Wenzinger NRC/RGN-I/DRP P. Bonnet NRC/RGN-I/PBAPS J. Mauck NRC/NRR/HICB P. Loeser NRC/NRR/HICB i
M. Boyle NRC/NRR/PD I-2 A. Ramey-Smith NRC/NRR/0EDO J. Shea NRC/NRR/PDI-2
-