ML20059A971

Forwards RAI on AP600 Instrumentation & Control Sys Design Q420.107-Q420.122. Staff Concludes That RAI Does Not Contain Those Portions of Info for Which Exemption Is Sought
Person / Time
Site: 05200003
Issue date: 10/08/1993
From: Kenyon T, Office of Nuclear Reactor Regulation
To: Liparulo N, Westinghouse Electric Company, Div of CBS Corp.
References
NUDOCS 9310270242


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

October 8, 1993

Docket No. 52-003

Mr. Nicholas J. Liparulo
Nuclear Safety and Regulatory Activities
Westinghouse Electric Corporation
P.O. Box 355
Pittsburgh, Pennsylvania 15230

Dear Mr. Liparulo:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION (RAI) ON THE AP600

As a result of the August 10 and 11, 1993, meeting with your staff on the AP600, the NRC staff has prepared the enclosed request for additional information on the AP600 instrumentation and control systems design (Q420.107-Q420.122). As stated in Q420.107, a copy of a typical software life cycle and a copy of the ABWR software ITAAC are enclosed (Enclosures 2 and 3, respectively) as examples for Westinghouse to use in preparing your response to the issues identified.

You have requested that portions of the information submitted in the June 1992 application for design certification be exempt from mandatory public disclosure. While the staff has not completed its review of your request in accordance with the requirements of 10 CFR 2.790, that portion of the submitted information is being withheld from public disclosure pending the staff's final determination. The staff concludes that this request for additional information does not contain those portions of the information for which exemption is sought. However, the staff will withhold this letter from public disclosure for 30 calendar days from the date of this letter to allow Westinghouse the opportunity to verify the staff's conclusions. If, after that time, you do not request that all or portions of the information in the enclosures be withheld from public disclosure in accordance with 10 CFR 2.790, this letter will be placed in the Nuclear Regulatory Commission's Public Document Room.

Note: The numbers in parentheses designate the tracking numbers assigned to the questions.

This RAI affects nine or fewer respondents, and therefore, is not subject to review by the Office of Management and Budget under P.L. 96-511. If you have any questions regarding this matter, you can contact me at (301) 504-1120.

Sincerely,

(Original signed by)

Thomas J. Kenyon, Project Manager
Standardization Project Directorate
Associate Director for Advanced Reactors and License Renewal
Office of Nuclear Reactor Regulation

Enclosures: As stated

cc w/enclosures: See next page

DISTRIBUTION:
Central File
PDST R/F
TMurley/FMiraglia
DCrutchfield
PDR
WTravers
RBorchardt
RArchitzel
TKenyon
RHasselberg
TGody, Jr., EDO
JMoore, 15B18
MSiemien, 15B18
HLi, 8H3
MChiramal, 8H3
PShea
ACRS (11) w/o encl.

OFC:  LA:PDST:ADAR | PM:PDST:ADAR | SC:PDST:ADAR | D:PDST:ADAR
NAME: PShea | TKenyon | RArchitzel | RWBorchardt
DATE: 10/ /93 | 10/ /93 | 10/8/93 | 10/ /93

OFFICIAL RECORD COPY
DOCUMENT NAME: HICB.RAI

Mr. Nicholas J. Liparulo
Westinghouse Electric Corporation
Docket No. 52-003
AP600

cc:
Mr. B. A. McIntyre
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
P.O. Box 355
Pittsburgh, Pennsylvania 15230

Mr. John C. Butler
Advanced Plant Safety & Licensing
Westinghouse Electric Corporation
Energy Systems Business Unit
Box 355
Pittsburgh, Pennsylvania 15230

Mr. M. D. Beaumont
Nuclear and Advanced Technology Division
Westinghouse Electric Corporation
One Montrose Metro
11921 Rockville Pike
Suite 350
Rockville, Maryland 20852

Mr. Sterling Franks
U.S. Department of Energy
NE-42
Washington, D.C. 20585

Mr. S. M. Modro
EG&G Idaho Inc.
Post Office Box 1625
Idaho Falls, Idaho 83415

Mr. Steve Goldberg
Budget Examiner
725 17th Street, N.W.
Room 8002
Washington, D.C. 20503

Mr. Frank A. Ross
U.S. Department of Energy, NE-42
Office of LWR Safety and Technology
19901 Germantown Road
Germantown, Maryland 20874

ENCLOSURE 1

REQUEST FOR ADDITIONAL INFORMATION ON THE WESTINGHOUSE AP600 DESIGN
INSTRUMENTATION AND CONTROLS

420.107 The staff has concluded that Westinghouse's February 9, 1993 response to Q420.8 (regarding ITAAC for the protection system) is not acceptable. SECY-92-053, "Use of Design Acceptance Criteria During 10 CFR Part 52 Design Certification Reviews," dated February 19, 1992, describes the staff's approach for using design acceptance criteria (DAC). SECY-90-377, "Requirements for Design Certification Under 10 CFR Part 52," dated November 8, 1990, describes the level of detail required for design certification. The concept of requiring detailed design acceptance criteria would enable the staff to make a final safety determination, subject to satisfactory design implementation and verification by the combined license (COL) licensee, through appropriate ITAAC. The staff believes that to ensure the high quality of the instrumentation and control (I&C) system in the design certification, the following information should be provided in the Tier 1 submittal for the instrumentation and control systems of the AP600:

a. The instrumentation and control system architecture of the AP600.

b. A description of the configuration of the digital I&C equipment. Block diagram type of information should be used to support the system description.

c. A description of the hardware and software development process used in the design, testing, and installation of digital I&C equipment. As a minimum, the ITAAC submittal should address the software management plan, the configuration management plan, and the verification and validation (V&V) plan.

d. A description of I&C system qualification processes that include programs to mitigate the effects of electromagnetic interference, establish set points for instrument channels, and ensure the qualification of the installed equipment.

e. The ITAAC/DAC for software quality that requires the following design stages (the software life cycle) with appropriate documentation for the development of both safety-related and non-safety-related software. No particular life cycle is endorsed; however, an example of these activities includes the following stages:

1. planning stage
2. requirements stage
3. design stage
4. implementation stage
5. integration stage
6. validation stage
7. installation stage
8. operation and maintenance stage

The ITAAC/DAC should specify criteria (constraints and limits) that describe the method for developing plans and procedures that guide the design process throughout the life cycle stages. The activities and documentation that should be included are listed below:

1. Planning activities result in a number of documents that are used to control the development process. Six documents are recommended to be developed at this stage: a Software Management Plan, a Software Development Plan, a Software Quality Assurance Plan, a Software Safety Plan, a Software V&V Plan, and a Software Configuration Management (CM) Plan. These plans are discussed in detail in the ANSI/IEEE standards IEEE-828, IEEE-1012 and IEEE-1033.

2. There are six documents that are recommended to be developed during the requirements activities stage for the software system: the Requirements Specification, the Interface Specifications, a Requirements Safety Analysis, a V&V Requirements Analysis Report, a V&V Anomaly Report, and a CM Requirements Report. These documents will fully capture the requirements of the software project, and relate these requirements to the overall protection system functional requirements and protection system safety requirements.

3. Design activities include the recommended development of eight documents: the Unit Test Plan, the Hardware & Software Architecture, a Design Specification, an Interface Design Specification, a Design Safety Analysis, a V&V Design Analysis Report, a V&V Anomaly Report, and a CM Design Report. The Hardware and Software Architecture will describe the computer system design at a fairly high level, including hardware devices and mapping of software activities to those devices.

4. Implementation activities include writing and analyzing the actual code using some programming language. Documents that should be developed include the actual Code Listings, a Code Safety Analysis, an Integration Plan, an Integration Test Plan, a V&V Unit Test Report, a V&V Test Anomaly Report, and a CM Implementation Report.

5. Integration activities are those activities that bring software, hardware and instrumentation together to form a complete computer system. Documents that should be developed at this stage include the System Build Documents, a Validation Plan, a Validation Test Plan, an Integration Test Safety Analysis, a V&V Integration Test Report, a V&V Test Anomaly Report, and a CM Integration Report.

6. Validation is the process of ensuring that the final complete computer system achieves the original goals that were imposed by the protection system design. The final system is matched against the original requirements, and the protection system safety analysis. Documents that should be developed at this stage include the Installation Plan, an Installation Test Plan, a Training Plan, an Operations Plan, a Validation Test Safety Analysis, a V&V Test Analysis Report, a V&V Test Anomaly Report, and a CM Validation Report.

7. Installation is the process of moving the complete computer system from the developer's site to the operational environment. At the completion of the installation, the operator is provided with a documented operational computer system, including tests following installation. Nine documents are recommended to be developed to support this stage: the Operations Manuals, the Installation Configuration Tables, Training Manuals, Maintenance Manuals, the Maintenance Plan, an Installation Safety Analysis, a V&V Installation Test Report, a V&V Anomaly Report, and a CM Installation Report.

8. Operations and maintenance activities involve the actual use of the computer system in the operating reactor, and making any required changes to it. Changes may be required due to errors in the system that were not found during the development process, changes to hardware, or requirements for additional functionality. Safety analyses, V&V analyses and CM activities are all recommended as part of the maintenance process.

Implementation of the software ITAAC will be audited by the NRC to verify conformance with the requirements at several phases during the design process for the safety-related digital control system. The documents that demonstrate satisfactory implementation of the ITAAC will be available for inspection at the completion of each of the above stages. The audit phases and conformance review are shown in Enclosure 2 of this package, "Flow of Documents through the Software Life Cycle," and correspond to the completion of the various design development stages. The COL applicant/holder will be required to satisfactorily complete each ITAAC phase and may proceed to subsequent stages without approval from the NRC audit. However, should the NRC audit indicate failure to successfully complete a phased ITAAC, the COL applicant/holder may be required to repeat an earlier ITAAC and/or change the system design. The NRC staff will conduct a conformance review and issue an inspection report for each phased ITAAC and identify any open issues which require resolution. Significant open issues which are not resolved could result in the NRC staff concluding that the ITAAC had not been satisfactorily completed.

At each phased ITAAC, the design development must be verified to be in accordance with the certified design process, and must demonstrate that the detailed design developed (through that stage) meets the certified design. Upon completion of each phased ITAAC, the COL holder will certify to the NRC that the stage has been completed, and that the design and construction completed up through that stage is in compliance with the certified design. The COL applicant/holder will also provide a description of the next stage of design development and associated testing, analysis, and acceptance criteria in sufficient detail that the NRC staff can determine whether or not the proposed design development and testing is consistent with the certified design process and the ITAAC. This phased process will continue until all ITAAC stages for the safety-related software are completed.

A sample of the ITAAC for the ABWR I&C system is provided in Enclosure 3 as an example to consider while preparing the response to this question.

420.108 The staff has concluded that Westinghouse's May 28, 1993 responses to Q420.9 and Q420.10 (regarding industrial standards) are not acceptable. 10 CFR 52.47 requires that the application for design certification must contain a level of design information sufficient to enable the Commission to make its safety determination. Since the AP600 I&C system design is still in a conceptual phase, reference to industrial standards is an appropriate method to describe the design approach. The staff regards the application of acceptable standards throughout the production process as an important element to demonstrate the quality of the design.

The document that describes the standards and codes applicable to AP600 I&C systems design (referenced in Section 5.2, C&PGSTD-001, "System Development/Implementation Process," of WCAP-13392, "AP600 Instrumentation and Control Hardware and Software Design, Verification, and Validation Process Report") has not been submitted for staff review. Provide the information regarding the system development/implementation process with appropriate references to industrial standards.

420.109 Clarify the statement in Appendix 1A of the SSAR that describes the conformance of the AP600 with Regulatory Guide 1.152 (RG), "Criteria for Programmable Digital Computer System Software in Safety Related Systems of Nuclear Power Plants," as "Acceptable." Does the AP600 design conform to this RG? RG 1.152 endorses American National Standard ANS-7-4.3.2-1982, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." However, ANS-7-4.3.2 has been revised in 1992/1993. NRC will endorse the latest revision (Draft 8) in the near future. Will the AP600 design conform to this new draft standard? Identify exceptions, if any, that will be taken for the AP600 design.

420.110 The staff has concluded that Westinghouse's April 29, 1993 response to Q420.23 is not acceptable. The monitor bus is a major component in the I&C system. The functional requirements should be defined during design certification rather than wait until the combined license stage. The design requirements documents should be made available for staff review.

420.111 In the April 29, 1993 response to Q420.50, Westinghouse states that the qualification methods for the qualified video display units used in the AP600 will be similar to the qualification methods described in Supplements EQDP-ESE-63A and EQDP-ESE-63B of WCAP-8587. Provide the specific qualification method for the qualified video display system. If the qualification test results will not be available for design certification, then this system should be included in the ITAAC submittal.

420.112 Section 3.5.1, "Diverse Actuation System (DAS)," of the Tier 1 submittal for the AP600 states that the diverse actuation system serves no safety-related functions. However, Section 7.7.1.11 of the SSAR states that the DAS provides a diverse backup to the protection systems. Based on WCAP-13633, "AP600 Instrumentation and Control Defense-in-Depth and Diversity Report," the DAS serves very important safety-related functions. The statement in the Tier 1 submittal should be revised accordingly.

In WCAP-13633, Westinghouse states that the DAS diversity is achieved by the use of a different architecture, different hardware implementations, and different software from that of the Protection and Safety Monitoring System (PMS). Software diversity is achieved by running different operating systems and programming in a different language. In the April 29, 1993 response to Q420.54, Westinghouse states that the verification and validation for the DAS will be diverse from the verification and validation processes performed for the PMS and PLS, and will be performed by different people. The design, verification, and validation process for the DAS consists of hardware verification, software verification, system verification, and system validation. The hardware verification consists of inspections and tests to verify that the hardware meets design specifications. The software verification consists of functional tests to verify that the software meets design requirements at the module and subsystem levels. The system validation test consists of a factory acceptance test to verify it meets system functional requirements. These types of design commitments should be included in the ITAAC submittal for DAS.

420.113 The description of the inputs for the Diverse Actuation System (DAS) described in Section 7.7.1.11 of the SSAR, Appendix C12 of the PRA submittal, and Appendix B of WCAP-13633 conflict with each other. Provide the correct description of the DAS inputs in these documents.

420.114 Figure B-3.1 of WCAP-13633, "Diverse Actuation System Diverse Reactor Trip," indicates that the DAS reactor trip is initiated either by high pressurizer level or low steam generator level. Explain why these two parameters were chosen. The sensors are shared between the safety-related protection system and the DAS. Provide a defense-in-depth analysis for potential common mode failure of these level sensors.

420.115 Figure B-3.4 of WCAP-13633 indicates that the Diverse ESF-Containment Isolation system is initiated by containment temperature measurements. Describe the actuation system design requirements to meet the functional requirements of containment isolation. How many sensors will be required? Where are the sensors to be located to meet the response time requirement?

420.116 The staff has concluded that Westinghouse's April 29, 1993 response to Q420.56 (EMI test on protection cabinet) is not acceptable. The electromagnetic interference qualification test performed for the South Texas Project (reported in WCAP-11341, dated November, 1986) does not address many concerns of EMI protection of the safety-related digital systems. The NRC is in the process of issuing a regulatory guide that describes the design, installation, and testing practices that are acceptable to the NRC staff for addressing the susceptibility of digital I&C systems to EMI/RFI in a nuclear power plant environment (the draft guide includes Military Standards MIL-STD-461C and -462 and IEC standard 801). IEEE Std. 1050-1989, "IEEE Guide for Instrumentation and Control Equipment Grounding in Generating Stations," provides guidance for grounding and shield practices for digital systems. It also provides guidance to control the susceptibility of digital I&C systems when these systems are exposed to interference sources. Discuss conformance of the AP600 design to IEEE Std. 1050-1989, and provide the interface requirements for EMI/RFI protection.

420.117 Westinghouse's April 29, 1993 response to Q420.31 references WCAP-8897, "Bypass Logic for the Westinghouse Integrated Protection System." That report was written in 1977 for the RESAR-414 application, and was not approved by the NRC. Westinghouse should revise that report to make the analysis applicable for the AP600 application. In addition to evaluating the bypass capability with respect to the single failure criterion, Westinghouse should address potential software common mode failures in performing the evaluation. The evaluation should cover all modes of operation (start-up, full power, shutdown, etc.). Provide a software test plan and test results in the ITAAC to demonstrate that the analysis performed for the indefinite bypass can be verified.

420.118 Describe the digital metal impact monitoring system (DMIMS) that monitors the reactor coolant system for the presence of loose metallic parts.

420.119 Describe the program language to be used for the AP600 safety-related I&C systems. Justify why this language was chosen for the safety-critical system application.

420.120 Describe the software system architecture planned for the AP600 (see also Q420.107).

In response to a question raised during the August 11, 1993 meeting between the NRC and Westinghouse, Westinghouse stated that the software system architecture for the AP600 will be basically the same as that used for Sizewell B. Several items of concern regarding the software system architecture for the Sizewell B PPS were raised during the Forum on Safety Related Systems in Nuclear Applications, Royal Academy of Engineering, dated October 28, 1992. Items of concern discussed at the Forum included the use of pointers in dynamic memory management. These pointers are used to link together the three major software blocks of the software architecture: the application software, the common function software, and the configuration and calibration data.

Describe the test methods and test tools that will be used to verify the design of the software program and code for this software architecture feature, and describe the test(s) performed on the program at run time to verify that it is correct.

As a general principle, the NRC staff believes that acceptable test methods and tools should exist to verify the acceptability of the software system design with consideration given to all the features employed in that design.
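Added example, not part of this RAI and not Westinghouse's or the Sizewell B PPS code: one shape a run-time check of pointer-linked software blocks can take, written in C. It assumes the three blocks named above are statically allocated, that the application block holds one link into each of the other two, that the calibration data carries a CRC-32 written when it is sealed, and hypothetical names (verify_links, calib_seal, linearise_impl). The three sample blocks and the demo functions are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Three statically allocated blocks standing in for the three software blocks
   named in the question.  Static layout and one link per block are assumptions
   for this example; the page says nothing about the real memory layout. */
typedef struct {
    double   gain;
    double   offset;
    double   high_setpoint;
    uint32_t crc;   /* CRC-32 of the fields above, written when the block is sealed */
} calib_t;

typedef struct {
    double (*linearise)(const calib_t *c, double raw);   /* a common function */
} common_fn_t;

typedef struct {
    const calib_t     *calib;    /* link into the configuration/calibration block */
    const common_fn_t *common;   /* link into the common function block */
} app_t;

typedef struct { const void *base; size_t size; } region_t;

/* Standard CRC-32 (reflected, poly 0xEDB88320), bitwise: no table to protect. */
static uint32_t crc32(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static double linearise_impl(const calib_t *c, double raw)
{
    return c->gain * raw + c->offset;
}

/* Seal the calibration block: CRC over everything but the CRC field itself. */
void calib_seal(calib_t *c)
{
    c->crc = crc32((const uint8_t *)c, offsetof(calib_t, crc));
}

static bool ptr_in_region(const void *p, region_t r)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)r.base;
    return p != NULL && a >= b && a < b + r.size;
}

/* Run-time structural check, to be run at start-up and periodically: each
   link must land inside the block it is supposed to reference, the function
   pointer must be the one the build knows, and the calibration data must
   still match its CRC.  Nothing is dereferenced through a link until it passes. */
bool verify_links(const app_t *app, region_t calib_rgn, region_t common_rgn)
{
    if (!ptr_in_region(app->calib, calib_rgn))    return false;
    if (!ptr_in_region(app->common, common_rgn))  return false;
    if (app->common->linearise != linearise_impl) return false;
    return crc32((const uint8_t *)app->calib, offsetof(calib_t, crc)) == app->calib->crc;
}

/* Constructed sample blocks for the demonstrations below. */
static calib_t     g_calib  = { 2.0, -1.0, 100.0, 0 };
static common_fn_t g_common = { linearise_impl };
static app_t       g_app    = { &g_calib, &g_common };

static region_t calib_region(void)  { region_t r = { &g_calib,  sizeof g_calib  }; return r; }
static region_t common_region(void) { region_t r = { &g_common, sizeof g_common }; return r; }

/* Intact system: links and CRC check out, and the application reaches the
   common function through its link (2.0 * 10.0 - 1.0 == 19.0). */
bool demo_intact(void)
{
    calib_seal(&g_calib);
    return verify_links(&g_app, calib_region(), common_region())
        && g_app.common->linearise(g_app.calib, 10.0) == 19.0;
}

/* Calibration data altered after sealing (a silently changed setpoint):
   the CRC no longer matches, so the check fails. */
bool demo_corrupted_calibration(void)
{
    calib_seal(&g_calib);
    g_calib.high_setpoint = 200.0;
    bool ok = verify_links(&g_app, calib_region(), common_region());
    g_calib.high_setpoint = 100.0;   /* restore for the other demos */
    return ok;
}

/* A link that points outside its block (the kind of bad pointer dynamic
   memory management can produce): caught by the bounds check. */
bool demo_dangling_link(void)
{
    calib_t stray = g_calib;   /* on the stack, not inside the calibration block */
    calib_seal(&stray);
    app_t bad = { &stray, &g_common };
    return verify_links(&bad, calib_region(), common_region());
}
```

The point of the bounds and identity checks is that a link is never followed until it is known to land where the build placed the target; the CRC adds the check that the calibration data reached through the link is the data that was sealed. In a real system the region table and the allowed function addresses would come from the build rather than from addresses of globals, and the check would run under the periodic self-test the enclosure describes.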

420.121 Describe the AP600 software development process.

At the forum referenced in Q420.120, there was a criticism by a member of the British Computer Society regarding the Westinghouse coding standards being not on a par with the software development process used by NASA, even though the cost per line of code appeared to be equivalent. Discuss this statement and any improvements planned for the Westinghouse software development process for the AP600.

The NRC is in agreement with the statement in Section 6.1.2.22 of Chapter 10 of the ALWR EPRI URD, which states:

The M-MIS Designer shall use modern software development techniques and practices as appropriate to provide high integrity software. Modern software development techniques and practices include methods in the design process to reduce the chance of errors, techniques in the V&V process to find errors, and software fault tolerant design features to prevent unfound errors from causing unacceptable consequences.

Provide a discussion regarding how Westinghouse maintains its software development standards to ensure that they are consistent with those considered to be modern development standards for the design of safety-critical software systems.

420.122 Describe the review and confirmatory supporting activities for AP600 software design.

According to information presented at the forum referenced in Q420.120, there was considerable effort spent in fitness-for-purpose review and confirmatory supporting activities for the Sizewell B PPS software. Describe plans for similar activities for the AP600 software and the bases for the planned activities. The plans should include activities planned during the commissioning stages to demonstrate the correctness of the digital I&C systems. Show how these plans are incorporated into the life cycle activities that are proposed by Westinghouse in response to Q420.107.

ENCLOSURE 2

[Figure: "Flow of Documents through the Software Life Cycle." The scanned figure text is not recoverable. The legible labels are the life cycle stage boxes (requirements, design, implementation, validation, installation), each followed by an "Audit" and a conformance review (Implementation Conformance Review, Validation Conformance Review, Installation Conformance Review) at the completion of the stage.]

ENCLOSURE 3

25A5447 Rev. 0
ABWR Design Certification Material

3.4 Instrumentation and Control

Introduction

Subsection A provides a description of the configuration of the safety-related digital instrumentation and control (I&C) equipment encompassed by Safety System Logic and Control (SSLC). Subsection B contains a description of the hardware and software development process used in the design, testing, and installation of I&C equipment. This includes descriptions of the processes used to establish programs that assess and mitigate the effects of electromagnetic interference, establish setpoints for instrument channels, and ensure the qualification of the installed equipment. Subsection C discusses the diverse features implemented in the I&C system design to provide backup support for postulated worst-case common-mode failures of SSLC.

The devices addressed in this section are the electronic components of the ABWR's safety-related systems. These components are configured as real-time microcontrollers that use microprocessors and other programmable logic devices to perform data acquisition, data communications, and system logic processing. These components also contain automatic, on-line self-diagnostic features to monitor these tasks and off-line test capability to aid maintenance and surveillance. The operating programs for these controllers are integrated with the hardware as firmware [software permanently stored in programmable read-only memory (PROM)]. A controller's operating system can permit field adjustment of selected parameters under proper change control. Adjustable parameters are stored in electrically alterable read-only memory (EAROM) or equivalent.

A. Safety System Logic and Control Design Description

Safety-related monitoring and trip logic for the plant protection systems resides in SSLC equipment. SSLC integrates the automatic decision-making and trip logic functions and manual operator initiation functions associated with the safety actions of the safety-related systems. SSLC generates the protective function signals that activate reactor trip and provide safety-related mitigation of reactor accidents. The relationship between SSLC and systems for plant protection is shown in Figure 3.4a.

SSLC equipment comprises microprocessor-based, software-controlled signal processors that perform signal conditioning, setpoint comparison, trip logic, system initiation and reset, self-test, calibration, and bypass functions. The signal processors associated with a particular safety-related system are an integral part of that system.

Functions in common, such as self-test, calibration, bypass control, power supplies and certain switches and indicators, belong to SSLC. However, SSLC is not, by itself, a system: SSLC is the aggregate of signal processors for several safety-related systems.

SSLC hardware and software are classified as Class 1E, safety-related.

Sensors used by the safety-related systems can be either analog, such as process control transmitters, or discrete, such as limit switches and other contact closures. While some sensor signals are hardwired directly to the SSLC processors, most sensor signals are transmitted from the instrument racks in the Reactor Building to the SSLC equipment in the Control Building via the Essential Multiplexing System (EMS). Both analog and discrete sensors are connected to remote multiplexing units (RMUs) in local areas, which perform signal conditioning, analog-to-digital conversion for continuous process inputs, change-of-state detection for discrete inputs, and message formatting prior to signal transmission. The RMUs are limited to acquisition of sensor data and the output of control signals. Trip decisions and other control logic functions are performed in SSLC processors in the main control room area.

The basic hardware configuration for one division of SSLC is shown in Figure 3.4b. Each division runs independently (i.e., asynchronously) with respect to the other divisions.

The following steps describe the processing sequence for incoming sensor signals and outgoing control signals. These steps are performed simultaneously and independently in each of the four divisions:

(1) The digitized sensor inputs from RMUs are received in the control room at control room multiplexing units (CMUs), which associate sensor signals with their logic processing channel. These sensor signals are decoded by a microprocessor-based function, the Digital Trip Module (DTM). For sensor signals hardwired to the control room, the DTM also performs digitizing and signal conditioning tasks. For each system function, the DTM then compares these inputs to preprogrammed threshold levels (setpoints) for possible trip action. The DTM provides a discrete trip decision for each setpoint comparison.

(2) For Reactor Protection System (RPS) trip and main steam isolation valve (MSIV) closure functions, trip outputs from the DTM are then compared, using a 2-out-of-4 coincidence logic format, with trip outputs from the DTMs of the other three divisions. The trip outputs are compared in the trip logic unit (TLU), another microprocessor-based device. The logic format for the DTM and TLU is fail-safe (i.e., de-energize-to-operate). Thus, a reactor trip or MSIV closure signal occurs on loss of input signal or power to the DTM, but, because of the 2-out-of-4 logic format in the TLU, a tripped state does not appear at the output of the TLU (for a single division loss of power). Loss of signal or power to a division's TLU also causes a tripped output state, but the 2-out-of-4 configuration of actuator load drivers prevents de-energization of the pilot valve solenoids.

(3) Trip outputs are sent from the TLU to the RPS and MSN output logic units (OLUs). The OLUs use non-microprocessor circuitry to provide a diverse (i.e., not software-based) interface for the following manual functions:

(a) Manual reactor trip (per division: 2-out-of-4 for completion).

(b) MSIV closure (per division: 2-out-of-4 for completion).

(c) MSIV closure (eight individual control switches).

(d) RPS and MSIV trip reset.

(e) TLU output bypass.

The OLUs distribute the automatic and manual trip outputs to the MSIV pilot valve and scram pilot valve actuating devices and provide control of trip seal-in, reset, and TLU output bypass (division-out-of-service bypass). Bypass inhibits automatic trip but has no effect on manual trip. The OLUs also provide a manual test input for de-energizing a division's parallel load drivers (part of the 2-out-of-4 output logic arrangement) so that scram or MSIV closure capability can be confirmed without solenoid de-energization. The OLUs are located external to the TLU so that manual MSIV closure or manual reactor trip (per division) can be performed either when a division's microprocessor logic is bypassed or when failure of sensors or microprocessor logic equipment causes trip to be inhibited.

(4) Trips are transmitted across divisions for 2-out-of-4 voting via fiber optic data links to preserve signal isolation among divisions. The TLU also receives inputs directly from the trip outputs of the Neutron Monitoring System, manual control switches, and contact closures from limit switches and position switches used for equipment interlocks. In addition, plant sensor signals and contact closures that do not require transmittal to other divisions for 2-out-of-4 trip comparison are provided as inputs directly to the TLU. In this case, the TLU also performs the trip setpoint comparison (DTM) function.

(5) For Leak Detection and Isolation System (LDS) functions (except MSIV), emergency core cooling system (ECCS) functions, other safety-related supporting functions, and Electrical Power Distribution System functions such as diesel generator start and load sequencing, logic processing is performed as above, but in DTMs separate from the RPS/MSIV DTMs and in Safety System Logic Units (SLUs). The SLUs are similar to TLUs, but are dual redundant in each processing channel for protection against inadvertent initiation. Dual SLUs both receive the same inputs from the DTM, manual control switch inputs, and contact closures. Both SLU outputs must agree before the final trip actuators are energized. The logic format for the DTM and SLUs is fail-as-is (i.e., energize-to-operate) for ECCS and other safety-related supporting functions. Thus, loss of power or equipment failure does not cause a trip or initiation action. However, containment isolation signals are in fail-safe format and cause an isolation signal output on loss of power or signal. Besides performing 2-out-of-4 voting logic, the SLUs also provide interlock logic functions conforming to the logic diagram requirements of each supported safety system.

As shown in Figure 3.4b, a pair of SLUs is located in each of two engineered safety feature (ESF) processing channels, ESF1 and ESF2. ESF1 processes initiation logic for functions which service the reactor vessel at low pressure (e.g., RHR), while ESF2 provides the same support for the vessel at high pressure (e.g., Reactor Core Isolation Cooling (RCIC) System and High Pressure Core Flooder (HPCF) System). Associated LDS and ESF functions are also allocated to these logic channels.

(6) For reactor trip or MSIV closure, if a 2-out-of-4 trip condition of sensors is satisfied, all four divisions' trip outputs produce a simultaneous coincident trip signal (e.g., reactor trip) and transmit the signal through hardwired connections (and isolators where necessary) to load drivers that control the protective action of the actuators. The load drivers are themselves arranged in a 2-out-of-4 configuration, so that at least two divisions must produce trip outputs for protective action to occur.

(7) For ESF functions, the trip signals in three divisions are transmitted by the Essential Multiplexing System to the RMUs, where a final 2-out-of-2 logic comparison is made prior to distribution of the control signals to the final actuators. ESF outputs do not exist in Division IV.

The DTM, TLU, and OLUs for RPS and MSIV in each of the four instrumentation divisions are powered from their respective divisional Class 1E AC sources. The DTMs and SLUs for ESF1 and ESF2 in Divisions I, II, and III are powered from their respective divisional Class 1E DC sources. In SSLC, independence is provided between Class 1E divisions, and also between Class 1E divisions and non-Class 1E equipment.

Bypassing of any single division of sensors (i.e., those sensors whose trip status is confirmed by 2-out-of-4 logic) is accomplished from each divisional SSLC cabinet by means of the manually operated bypass unit. When such bypass is made, all four divisions of 2-out-of-4 input logic become 2-out-of-3 while the bypass state is maintained. During bypass, if any two of the remaining three divisions reach trip level for any sensed input parameter, then the output logic of all four divisions trips (for RPS and MSIV functions) or the three ECCS divisions initiate the appropriate safety system equipment.


Bypassing of any single division of output trip logic (i.e., taking a logic channel out of service) is also accomplished by means of the bypass unit. This type of bypass is limited to the fail-safe (de-energize-to-operate) reactor trip and MSIV closure functions, since removal of power from energize-to-operate signal processors is sufficient to remove that channel from service.

When a trip logic output bypass is made, the TLU trip output in a division is inhibited from affecting the output load drivers by maintaining that division's load drivers in an energized state. Thus, the 2-out-of-4 logic arrangement of output load drivers for the RPS and MSIV functions effectively becomes 2-out-of-3 while the bypass is maintained.

Bypass status is indicated in the main control room until the bypass condition is removed. An electrical interlock rejects attempts to remove more than one SSLC division from service at a time.

ESF1 and ESF2 logic are each processed in two redundant channels within each divisional train of ESF equipment. In order to prevent spurious actuation of ESF equipment, final output signals are voted 2-out-of-2 at the remote multiplexing units by means of series-connected load drivers at the RMU outputs. However, in the event of a failure detected by self-test within either processing channel, a bypass (ESF output channel bypass) is applied automatically (with manual backup) such that the failed channel is removed from service. The remaining channel provides 1-out-of-1 operation to maintain availability during the repair period. Channel failures are alarmed in the main control room. If a failed channel is not automatically bypassed, the operator is able to manually bypass the channel by a hardwired connection from the main control room.
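The RPS voting, bypass and ESF output rules of steps (1) through (7) and the bypass paragraphs above, as an added Python model; this is not GE or ABWR code. It represents each division's DTM and TLU as a trip flag with a separate "powered" flag, assumes a high-side setpoint comparison, and treats an ESF channel failed by self-test as automatically bypassed; the division names, sensor values and setpoints are constructed for the example. The last call in the `__main__` block shows what the vote cannot cover: the same wrong setpoint loaded into all four divisions defeats 2-out-of-4 coincidence, which is the common-mode concern the diversity provisions later in this section address.

```python
"""Toy model of the SSLC RPS trip path and bypass rules (added example, not ABWR code).
Assumptions not in the text: high-side setpoint comparison, loss of power modelled as a
flag, and a self-test-failed ESF channel treated as automatically bypassed."""
from dataclasses import dataclass, field

DIVISIONS = ("I", "II", "III", "IV")


class BypassInterlockError(Exception):
    """Raised by the electrical interlock that rejects a second out-of-service division."""


@dataclass
class BypassUnit:
    sensor_bypass: set = field(default_factory=set)   # divisions whose sensors are bypassed
    output_bypass: set = field(default_factory=set)   # divisions whose TLU output is bypassed

    def _interlock(self, division):
        others = (self.sensor_bypass | self.output_bypass) - {division}
        if others:
            raise BypassInterlockError(f"division {next(iter(others))} is already out of service")

    def bypass_sensors(self, division):
        self._interlock(division)
        self.sensor_bypass.add(division)

    def bypass_output(self, division):
        self._interlock(division)
        self.output_bypass.add(division)


def dtm_trips(values, setpoint, dtm_powered):
    """Step (1): one fail-safe trip decision per division; a de-energized DTM reads as tripped."""
    return {d: (not dtm_powered.get(d, True)) or values[d] >= setpoint for d in DIVISIONS}


def tlu_outputs(dtm, tlu_powered, bypass):
    """Steps (2) and (4): every TLU votes over all divisions' DTM trips, 2-out-of-4 normally
    and 2-out-of-3 while one division's sensors are bypassed. A de-energized TLU outputs a trip."""
    voters = [d for d in DIVISIONS if d not in bypass.sensor_bypass]
    coincidence = sum(dtm[d] for d in voters) >= 2
    return {d: (not tlu_powered.get(d, True)) or coincidence for d in DIVISIONS}


def solenoids_deenergized(tlu, bypass):
    """Step (6): load drivers in a 2-out-of-4 arrangement. An output-bypassed division's
    drivers are held energized, so the arrangement is effectively 2-out-of-3."""
    tripped = [d for d in DIVISIONS if tlu[d] and d not in bypass.output_bypass]
    return len(tripped) >= 2


def reactor_scram(values, setpoint, bypass=None, dtm_powered=None, tlu_powered=None):
    """End to end: per-division sensor values -> are the scram pilot valve solenoids de-energized?"""
    bypass = bypass or BypassUnit()
    dtm = dtm_trips(values, setpoint, dtm_powered or {})
    tlu = tlu_outputs(dtm, tlu_powered or {}, bypass)
    return solenoids_deenergized(tlu, bypass)


def esf_output(slu_a, slu_b, a_failed=False, b_failed=False):
    """Steps (5) and (7): dual SLU outputs voted 2-out-of-2 by series load drivers at the RMU.
    A channel failed by self-test is bypassed, leaving 1-out-of-1 on the survivor."""
    if a_failed and b_failed:
        return False            # assumption: fail-as-is, no initiation with both channels out
    if a_failed:
        return slu_b
    if b_failed:
        return slu_a
    return slu_a and slu_b


if __name__ == "__main__":
    hi = {"I": 104.0, "II": 103.0, "III": 97.0, "IV": 98.0}     # constructed sample, setpoint 100
    print("two divisions tripped      ->", reactor_scram(hi, 100.0))
    print("one DTM unpowered, no trip ->", reactor_scram({d: 97.0 for d in DIVISIONS}, 100.0,
                                                         dtm_powered={"I": False}))
    wrong_setpoint = 999.0       # the same faulty constant loaded into all four divisions
    print("common-mode setpoint fault ->", reactor_scram(hi, wrong_setpoint))
```

Run as a script it prints True, False, False: a single unpowered DTM is counted as a trip but cannot scram on its own, and a setpoint fault shared by all four divisions is invisible to the vote.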

A portion of the anticipated transient without scram (ATWS) mitigation features is provided by SSLC circuitry, with initiating conditions as follows:

(1) Initiation of automatic Standby Liquid Control System (SLCS) injection: High dome pressure and average power range monitor (APRM) not downscale for 3 minutes or greater, or low reactor water level and APRM not downscale for 3 minutes or greater.

(2) Initiation of feedwater runback: High dome pressure and startup range neutron monitoring (SRNM) not downscale for 2 minutes or greater. Reset permitted only when both signals drop below the setpoints.

These ATWS features are implemented in four divisions of SSLC control circuitry that are functionally independent and diverse from the circuitry used for the Reactor Protection System (Figure 3.4c).
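The two ATWS initiating conditions above, as an added Python model of one division's timer and reset behaviour; this is not ABWR or GE code. Assumptions not stated in the text: the 3 and 2 minute delays run on the combined condition (pressure or level signal together with the neutron monitor "not downscale" signal) and restart from zero on any dropout; the SLCS signal is simply asserted once its timer expires; the feedwater runback is a latch that a reset request clears only while both of its input signals are below their setpoints. Inputs are the already-compared setpoint states, and the sample sequence in `__main__` is constructed.

```python
"""Toy model of the SSLC ATWS initiation logic (added example, not ABWR code).
Assumptions: delays run on the combined condition and restart on dropout; SLCS demand is
asserted when its timer expires; runback is latched and reset only when both inputs clear."""

SLCS_DELAY_S = 3 * 60        # SLCS injection: condition held for 3 minutes or greater
RUNBACK_DELAY_S = 2 * 60     # feedwater runback: condition held for 2 minutes or greater


class HeldFor:
    """Measures how long a boolean condition has been continuously true."""

    def __init__(self):
        self.since = None

    def update(self, t, active):
        """Feed one sample at time t (seconds); returns seconds held so far (0 when inactive)."""
        if not active:
            self.since = None
            return 0.0
        if self.since is None:
            self.since = t
        return t - self.since


class AtwsLogic:
    """One ATWS division. Per-sample inputs are the setpoint comparison results."""

    def __init__(self):
        self.slcs_pressure = HeldFor()   # high dome pressure AND APRM not downscale
        self.slcs_level = HeldFor()      # low reactor water level AND APRM not downscale
        self.runback_cond = HeldFor()    # high dome pressure AND SRNM not downscale
        self.runback = False             # latched feedwater runback demand

    def step(self, t, high_pressure, low_level, aprm_not_downscale, srnm_not_downscale):
        # Update both SLCS timers every sample so a dropout on one path is never masked.
        held_p = self.slcs_pressure.update(t, high_pressure and aprm_not_downscale)
        held_l = self.slcs_level.update(t, low_level and aprm_not_downscale)
        slcs = max(held_p, held_l) >= SLCS_DELAY_S
        if self.runback_cond.update(t, high_pressure and srnm_not_downscale) >= RUNBACK_DELAY_S:
            self.runback = True
        return {"slcs": slcs, "runback": self.runback}

    def reset_runback(self, high_pressure, srnm_not_downscale):
        """Reset is permitted only when both signals have dropped below their setpoints."""
        if high_pressure or srnm_not_downscale:
            return False
        self.runback = False
        return True


if __name__ == "__main__":
    logic = AtwsLogic()
    # Constructed sample: dome pressure high and both neutron monitors not downscale, every 30 s.
    for t in range(0, 181, 30):
        print(t, logic.step(t, True, False, True, True))
    print("reset while SRNM still not downscale:", logic.reset_runback(False, True))
    print("reset after both signals clear:      ", logic.reset_runback(False, False))
```

The runback demand appears at the 120 s sample and the SLCS demand at 180 s; the first reset request is refused because SRNM has not yet gone downscale, the second is accepted.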

SSLC has the following alarms, displays, and controls in the main control room:

(1) SSLC signal processor inoperative (INOP).


(2) SSLC manual controls for bypass as described above.

(3) Displays for bypass status.

(4) Divisional flat display panels that provide display and control capability for manual ESF functions.

(5) Display and control of calibration and off-line self-test functions.

Inspections, Tests, Analyses and Acceptance Criteria

Table 3.4, Items 1 through 6, provides a definition of the inspections, tests and analyses, together with associated acceptance criteria, which will be undertaken for SSLC.

B. I&C Development and Qualification Processes

Hardware and Software Development Process

The ABWR design uses programmable digital equipment to implement operating functions of instrumentation and control (I&C) systems. The equipment is in the form of embedded controllers (i.e., a control program developed in software is permanently stored in PROM, and thus becomes part of the controller's hardware). A quality assurance program encompassing software is employed as a controlled process for software development, hardware integration, and final product and system testing.

The development process for safety-related hardware and software includes a verification and validation (V&V) program. Non-safety-related hardware and software will be developed using a planned design process similar to the safety-related development program, but with periodic design reviews rather than formal V&V.

System functional performance testing for each system using the software-based controllers discussed herein is addressed in Section 2 system entries.

An overall software development plan establishes the requirements and methodology for software design and development. The plan also defines methods for auditing and testing software during the design, implementation, and integration phases. These phases are part of the software life cycle, a planned development method to ensure the quality of software throughout its period of usage. The relationship between components of the plan and I&C design activities is shown in Figure 3.4d.

As part of the design of software for safety-related applications, the software development plan, at each defined phase of the software life cycle, addresses software requirements that have been defined as safety-critical. Safety-critical is defined as those computer software components (processes, functions, values or computer program states) in which errors (inadvertent or unauthorized occurrence, failure to occur when required, occurrence out of sequence, occurrence in combination with other functions, or erroneous values) can result in a potential hazard or loss of predictability or control of a system. Potential hazards are failure of a safety-related function to occur on demand and spurious occurrence of a safety-related function in an unsafe direction.

The overall software development plan comprises the following plans:

(1) A Software Management Plan (SMP) that establishes standards, conventions and design processes for I&C software.

A SMP shall be instituted which establishes that software for embedded control hardware shall be developed, designed, evaluated, and documented per a design development process that addresses, for safety-related software, software safety issues at each defined life-cycle phase of the software development.

The SMP defines the following software life-cycle phases:

(a) Planning

(b) Design definition

(c) Software design

(d) Software coding

(e) Integration

(f) Validation

(g) Change control

The SMP shall state that the output of each defined life-cycle phase shall be documents that define the current state of that design phase and the design input for the next design phase, and that the software products are developed using the SMP.

(2) A Configuration Management Plan (CMP) that establishes the standards and procedures controlling software design and documentation.

A CMP shall be instituted that establishes the methods for maintaining, throughout the software design process, the design documentation, procedures, evaluated software, and the resultant as-installed software.


The CMP addresses:

(a) Identification of chip software documentation

(b) Management of software change control

(c) Control and traceability of software changes

(d) Verification of software to design requirements

(e) Dedication of commercial software

(3) A Verification and Validation (V&V) Plan that establishes verification reviews and validation testing procedures.

A V&V Plan shall be developed which establishes that developed software shall be subjected to structured and documented verification reviews and validation testing, including testing of the software integrated into the target hardware.

The V&V plan addresses:

(a) Independent design verification

(b) Baseline software reviews

(c) Testing

(d) Procedure for software revisions.

Electromagnetic Compatibility

Electromagnetic compatibility (EMC) is the ability of equipment to function properly when subjected to an electromagnetic environment. An EMC compliance plan to confirm the level of immunity to electrical noise is part of the design, installation, and pre-operational testing of I&C equipment.

Electrical and electronic components in the systems listed below are qualified according to the established plan for the anticipated levels of electrical interference at the installed locations of the components:

(1) Safety System Logic and Control

(2) Essential Multiplexing System

(3) Non-Essential Multiplexing System

(4) Other microprocessor-based, software controlled systems or equipment


The plan is structured on the basis that EMC of I&C equipment is verified by factory testing and site testing of both individual components and interconnected systems to meet electromagnetic compatibility requirements for protection against the effects of:

(1) Electromagnetic Interference (EMI)

(2) Radio Frequency Interference (RFI)

(3) Electrostatic Discharge (ESD)

(4) Electrical surge [Surge Withstand Capability (SWC)]

To be able to predict the degree of electromagnetic compatibility of a given equipment design, the following information is developed:

(1) Characteristics of the sources of electrical noise

(2) Means of transmission of electrical noise

(3) Characteristics of the susceptibility of the system

(4) Techniques to attenuate electrical noise

After these characteristics of the equipment are identified, noise susceptibility is tested for four different paths of electrical noise entry:

(1) Power feed lines

(2) Input signal lines

(3) Output signal lines

(4) Radiated electromagnetic energy

Instrument Setpoint Methodology

Setpoints for initiation of safety-related functions are determined, documented, installed and maintained using a process that establishes a general program for:

(1) Specifying requirements for documenting the bases for selection of trip setpoints

(2) Accounting for instrument inaccuracies, uncertainties, and drift

(3) Testing of instrumentation setpoint dynamic response

(4) Replacement of setpoint-related instrumentation.


The determination of nominal trip setpoints includes consideration of the following factors:

Design Basis Analytical Limit

In the case of setpoints that are directly associated with an abnormal plant transient or accident analyzed in the safety analysis, a design basis analytical limit is established as part of the safety analysis. The design basis analytical limit is the value of the sensed process variable prior to or at the point at which a desired action is to be initiated. This limit is set so that associated licensing safety limits are not exceeded, as confirmed by plant design basis performance analysis.

Allowable Value

An allowable value is determined from the analytical limit by providing allowances for the specified or expected calibration capability, the accuracy of the instrumentation, and the measurement errors. The allowable value is the limiting value of the sensed process variable at which the trip setpoint may be found during instrument surveillance.

Nominal Trip Setpoint

The nominal trip setpoint value is calculated from the analytical limit by taking into account instrument drift in addition to the instrument accuracy, calibration capability, and the measurement errors. The nominal trip setpoint value is the limiting value of the sensed process variable at which a trip action will be set to operate at the time of calibration.

Signal Processing Devices in the Instrument Channel

Within an instrument channel, there may exist other components or devices that are used to further process the electrical signal provided by the sensor (e.g., analog-to-digital converters, signal conditioners, temperature compensation circuits, and multiplexing and demultiplexing components). The worst-case instrument accuracy, calibration accuracy, and instrument drift contributions of each of these additional signal conversion components are separately or jointly accounted for when determining the characteristics of the entire instrument loop.

Not all parameters have an associated design basis analytical limit (e.g., main steamline radiation monitoring). An allowable value may be defined directly based on plant licensing requirements, previous operating experience or other appropriate criteria.

The nominal trip setpoint is then calculated from this allowable value, allowing for instrument drift. Where appropriate, a nominal trip setpoint may be determined directly based on operating experience.


Procedures will be used that provide a method for establishing instrument nominal trip setpoint and allowable value. Because of the general characteristics of the instrumentation and processes involved, two different methods are applied:

(1) Computational

(2) Historical data

The computational method is used when sufficient information is available regarding a dynamic process and the associated instrumentation. The procedure takes into account channel instrument accuracy, calibration accuracy, process measurement accuracy, primary element accuracy, and instrument drift. If the resulting nominal trip setpoint and allowable value are not acceptable when checked to ensure that they will not result in an unacceptable level of trips caused by normal operational transients, then more rigorous statistical evaluation or the use of actual operational data may be considered.
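The analytical limit, allowable value and nominal trip setpoint relationship described above, carried through as an added Python calculation for the computational method; this is not the ABWR setpoint procedure. Assumptions not in the text: the uncertainty terms are independent random quantities combined by square-root-sum-of-squares, every term is expressed in the engineering units of the sensed variable, and the sample channel, analytical limit and normal operating band are constructed numbers. The `surveillance_ok` and `spurious_trip_margin` checks correspond to the as-found surveillance comparison against the allowable value and the "unacceptable level of trips" check that sends a setpoint back for more rigorous evaluation.

```python
"""Worked setpoint calculation: analytical limit -> allowable value -> nominal trip setpoint
(added example, not the ABWR procedure). Assumes SRSS combination of independent terms
and constructed sample numbers."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """A component of the instrument channel (sensor, A/D converter, multiplexer, ...)
    with its own reference accuracy, calibration tolerance and drift allowance."""
    name: str
    accuracy: float
    calibration: float
    drift: float


def srss(terms):
    """Square-root-sum-of-squares of independent random uncertainty terms (assumed rule)."""
    return math.sqrt(sum(t * t for t in terms))


def loop_terms(channel, measurement_error):
    """Combine each device's contribution across the whole loop, one figure per category."""
    accuracy = srss([d.accuracy for d in channel] + [measurement_error])
    calibration = srss([d.calibration for d in channel])
    drift = srss([d.drift for d in channel])
    return accuracy, calibration, drift


def allowable_value(analytical_limit, channel, measurement_error, direction="high"):
    """AV: analytical limit less the calibration, accuracy and measurement allowances (no drift)."""
    accuracy, calibration, _ = loop_terms(channel, measurement_error)
    margin = srss([accuracy, calibration])
    return analytical_limit - margin if direction == "high" else analytical_limit + margin


def nominal_trip_setpoint(analytical_limit, channel, measurement_error, direction="high"):
    """NTSP: the same allowances as the AV plus instrument drift over the surveillance interval."""
    accuracy, calibration, drift = loop_terms(channel, measurement_error)
    margin = srss([accuracy, calibration, drift])
    return analytical_limit - margin if direction == "high" else analytical_limit + margin


def surveillance_ok(as_found, av, direction="high"):
    """Is the as-found trip point on the safe side of the allowable value? False means the
    channel has drifted past the AV and must be declared inoperable."""
    return as_found <= av if direction == "high" else as_found >= av


def spurious_trip_margin(ntsp, normal_band_edge, direction="high"):
    """Distance between the setpoint and the edge of normal operational transients; a small or
    negative value is the case the procedure sends back for more rigorous evaluation."""
    return ntsp - normal_band_edge if direction == "high" else normal_band_edge - ntsp


# Constructed sample channel; values are in arbitrary engineering units of the sensed variable.
EXAMPLE_CHANNEL = (
    Device("pressure transmitter", accuracy=0.50, calibration=0.25, drift=0.50),
    Device("A/D converter", accuracy=0.10, calibration=0.10, drift=0.10),
    Device("multiplexer", accuracy=0.05, calibration=0.05, drift=0.05),
)
MEASUREMENT_ERROR = 0.30     # process measurement / primary element error (constructed)
ANALYTICAL_LIMIT = 100.0     # high trip (constructed)
NORMAL_BAND_EDGE = 96.0      # highest value reached by normal operational transients (constructed)


def worked_example():
    av = allowable_value(ANALYTICAL_LIMIT, EXAMPLE_CHANNEL, MEASUREMENT_ERROR)
    ntsp = nominal_trip_setpoint(ANALYTICAL_LIMIT, EXAMPLE_CHANNEL, MEASUREMENT_ERROR)
    return {"av": av, "ntsp": ntsp, "margin": spurious_trip_margin(ntsp, NORMAL_BAND_EDGE)}


if __name__ == "__main__":
    r = worked_example()
    print(f"AL={ANALYTICAL_LIMIT}  AV={r['av']:.3f}  NTSP={r['ntsp']:.3f}  margin={r['margin']:.3f}")
    print("as-found 99.2 within AV:", surveillance_ok(99.2, r["av"]))
    print("as-found 99.5 within AV:", surveillance_ok(99.5, r["av"]))
```

For the sample channel the allowable value comes out at about 99.35 and the nominal trip setpoint at about 99.17, so the setpoint sits below the AV, which sits below the analytical limit; the `direction` argument flips the arithmetic for low trips such as low reactor water level.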

Some setpoint values have been historically established as acceptable, both for regulatory and operational requirements. These setpoints have non-critical functions or are intended to provide trip actions related to gross changes in the process variable. The continued recommendation of these historically accepted setpoint values is another method for establishing nominal trip setpoint and allowable values. This approach is only valid where the governing conditions remain essentially unaltered from those imposed previously and where the historical values have been adequate for their intended functions.

The setpoint methodology plan requires that activities related to instrument setpoints be documented and stored in retrievable, auditable files.

Equipment Qualification (EQ)

Qualification of safety-related instrumentation and control equipment is implemented by a program that assures this equipment is able to complete its safety-related function under the environmental conditions that exist up to and including the time the equipment has finished performing that function. Qualification specifications consider conditions that exist during normal, abnormal, and design basis accident events in terms of their cumulative effect on equipment performance for the time period up to the end of equipment life.

The material discussed herein identifies an EQ program that addresses the spectrum of design basis environmental conditions that may occur in plant areas where I&C equipment is installed. Not all safety-related I&C equipment will experience all of these conditions; the intent is that qualification be performed by selecting the conditions applicable to each particular piece of equipment and performing the necessary qualification.


As-built I&C components are environmentally qualified if they can withstand the environmental conditions associated with design basis events without loss of their safety functions for the time needed to be functional. Safety-related I&C components are designed to continue normal operation after loss of HVAC. The environmental conditions are as follows, as applicable to the bounding design basis events: expected time-dependent temperature and pressure profiles, humidity, chemical effects, radiation, aging, seismic events, submergence, and synergistic effects which have a significant effect on equipment performance.

I&C equipment environmental qualification is demonstrated through analysis of the environmental conditions that would exist in the location of the equipment during and following a design basis accident and through a determination that the equipment is qualified to withstand those conditions for the time needed to be functional. This determination may be demonstrated by:

(1) Testing of an identical item of equipment under identical or similar conditions with a supporting analysis to show that the equipment is qualified.

(2) Testing of a similar item of equipment with a supporting analysis to show that the equipment is qualified.

(3) Experience with identical or similar equipment under similar conditions with a supporting analysis to show that the equipment is qualified.

(4) Analysis in combination with partial type test data that supports the analytical assumptions and conclusions to show that the equipment is qualified.

The installed condition of safety-related I&C equipment is assured by a program whose objective is to verify that the installed configuration is bounded by the test configuration and test conditions.

Inspections, Tests, Analyses and Acceptance Criteria

Table 3.4, Items 7 through 15, provides a definition of the inspections, tests and analyses, together with associated acceptance criteria, which will be used to demonstrate compliance with the above commitments for hardware and software development, electromagnetic compatibility, instrument setpoint methodology, and equipment qualification.

C. Diversity and Defense-in-Depth Considerations

Subsection B discusses processes for developing hardware and software qualification programs that will assure a low probability of occurrence of both random and common-mode system failures for the installed ABWR I&C equipment. However, to address the concern that software design faults or other initiating events common to redundant, multi-divisional logic channels could disable significant portions of the plant's automatic standby safety functions (the reactor protection system and engineered safety features systems) at the moment when these functions are needed to mitigate an accident, several diverse backup features are provided for the primary automatic logic:

(1) Manual scram and isolation by the operator in the main control room in response to diverse parameter indications.

(2) Core makeup water capability from the feedwater system, Control Rod Drive (CRD) System, and condensate system, which are diverse from SSLC and the EMS.

(3) Availability of manual high pressure injection capability.

(4) Long term shutdown capability provided in a conventionally hardwired, 2-division, analog Remote Shutdown System (RSS); local displays of process variables in RSS are continuously powered and so are available for monitoring at any time.

Thus, to maintain protection system defense-in-depth in the presence of a postulated worst-case event (i.e., undetected, 4-division common mode failure of protection system communications or logic processing functions in conjunction with a large break LOCA), diversity is provided in the form of hardwired backup of reactor trip, diverse display of important process parameters, defense-in-depth arrangement of equipment, and other equipment diversity as outlined in the following table:

Diverse Backup Support for SSLC Equipment

Diverse Features of                                      Functional Diversity in Protection System
Protection System Equipment                              Configuration / Defense-in-Depth Equipment Diversity

(1)  2-button scram                                                            H
(2)  Manual division trip                                                      H
(3)  Reactor mode switch placed in shutdown mode                               H
(4)  Manual MSIV closure                                                       H
(5)  ATWS mitigation                                                           D
(6)  Fail-safe RPS and fail-as-is ESF in separate processing channels          D
(7)  Non-Essential Multiplexing System (NEMS) independent and diverse from EMS D
(8)  OLUs diverse from software-based logic                                    H
(9)  Independent displays                                                      H
     (a) Reactor water level
     (b) Reactor water level low alarm
     (c) Drywell pressure
     (d) Drywell pressure high alarm
     (e) Reactor Water Cleanup System (CUW) isolation valve status
     (f) RCIC steam line isolation valve status
     (g) HPCF flow
(10) Containment isolation                                                     H
     (a) CUW line inboard isolation valve
     (b) RCIC steam line inboard isolation valve manual initiation
(11) HPCF manual start in loop C (Division III)                                H
(12) RSS with continuous display of monitored process parameters               H

H = Function hardwired (not multiplexed) from sensor or control switch to actuator; control logic, if needed, is diverse from that of the primary protection system.

D = Function uses logic diverse from primary protection system but is not necessarily hardwired.

Diverse equipment can be in the form of digital devices, digital software-based devices, or non-digital devices as long as these devices are not subject to the same common mode failure as the primary protection system components.


Inspections, Tests, Analyses and Acceptance Criteria

Table 3.4, Item 16, provides a definition of the inspections, tests and analyses, together with associated acceptance criteria, which will be used to demonstrate compliance with the above commitments for diverse backup support of SSLC.


[Figure 3.4a, Safety System Logic and Control (SSLC) Control Interface Diagram: diagram not reproduced. It shows process sensors, the Neutron Monitoring System, the Process Radiation Monitoring System and the SSLC manual controls in the main control room feeding SSLC (safety logic trip decisions), with interdivisional signal transfer for 2-out-of-4 coincidence logic. SSLC outputs go to the Reactor Protection System (scram pilot valve solenoid load drivers, backup reactor trip actuators for the scram air header dump valves, and initiation of scram-following control rod run-in), the Leak Detection and Isolation System (MSIV pilot valve solenoid load drivers and PCV isolation valves), the Residual Heat Removal, Reactor Core Isolation Cooling and High Pressure Core Flooder Systems, Reactor Building Cooling Water, Reactor Service Water, HVAC Emergency Cooling, the Emergency Diesel Generators, the Electrical Power Distribution System, the Standby Gas Treatment System, the Atmospheric Control System, safety-related HVAC, and the Suppression Pool Temperature Monitoring System. Note 1: No PCV isolation trips or ECCS initiation outputs in Division IV.]


[Figure 3.4b, Safety System Logic & Control Block Diagram: diagram not reproduced. For one division (typical of each), it shows sensor inputs arriving through RMUs and the Essential Multiplexing System (EMS) to the CMU; the RPS/MSIV path (DTM, TLU and OLU) with fiber optic data links to the other three divisions for 2-out-of-4 voting; and the two ESF paths, each with its own DTM feeding a pair of SLUs (ESF1 and ESF2), whose control outputs return through the EMS to the RMUs for the final actuators.]

Figure 3.4c Anticipated Transient Without Scram (ATWS) Control Interface Diagram [diagram not legible in this scan; recoverable labels: Main Control Room; Local Area; Plant Sensors (Reactor Water Level, Reactor Vessel Pressure); ATWS Logic & Control with ATWS Logic Processors (Sensor Channel Trip Decision, System Coincidence Trip Decision, Control and Interlock Logic, Division-of-Sensors Bypass); ARI/FMCRD initiation; RCIS Manual Run-in; NMS; Feedwater Runback Logic; SSLC Logic Processing for Other Safety Systems; Interdivisional Signal Transfer for 2-out-of-4 Coincidence Logic]

Notes:
1. Diagram represents one of four ATWS divisions.
2. Remaining ATWS functions are processed as part of Recirculation Flow Control System logic and Nuclear Boiler System logic.

Figure 3.4d Integrated Hardware/Software Development Process [flow diagram not legible in this scan; recoverable labels: Hardware and Software Design Activities; Software Quality Assurance (Configuration Management Plan, Software Management Plan, Verification & Validation Plan with software life-cycle phases); Hardware Design; Software Design; Software Coding; Integration; Validation; Change Control; Baseline Reviews]

Table 3.4 Instrumentation and Control
Inspections, Tests, Analyses and Acceptance Criteria
Columns: Design Commitment; Inspections, Tests, Analyses; Acceptance Criteria

Safety System Logic and Control

1. Design Commitment: The equipment comprising SSLC is defined in Section 3.4(A). The equipment comprising diverse backup support functions for SSLC is defined in Section 3.4(C).
   Inspections, Tests, Analyses: Inspections of the as-built SSLC will be conducted.
   Acceptance Criteria: The as-built SSLC conforms with the description in Section 3.4(A). Diverse backup support equipment for SSLC conforms with the description in Section 3.4(C).

2. Design Commitment: Safety-related monitoring and trip logic for the plant protection systems resides in SSLC equipment. SSLC integrates the automatic decision-making and trip logic functions and manual operator initiation functions associated with the safety actions of the safety-related systems. SSLC generates the protective function signals that activate reactor trip and provide safety-related mitigation of reactor accidents.
   Inspections, Tests, Analyses: Tests will be performed on as-installed SSLC using simulated input signals. System outputs will be monitored to determine operability of safety-related functions.
   Acceptance Criteria: A test report exists which concludes that the SSLC design basis performance requirements are met.

3. Design Commitment: The DTM, TLU, and OLUs for RPS and MSIV in each of the four instrumentation divisions are powered from their respective divisional Class 1E AC sources. The DTMs and SLUs for ESF 1 and ESF 2 in Divisions I, II, and III are powered from their respective divisional Class 1E DC sources. In SSLC, independence is provided between Class 1E divisions and between these Class 1E divisions and non-Class 1E equipment.
   Inspections, Tests, Analyses:
   a. Tests will be performed on SSLC by providing a test signal to the I&C equipment in only one Class 1E division at a time.
   b. Inspection of the as-installed Class 1E divisions in SSLC will be performed.
   Acceptance Criteria:
   a. The test signal exists only in the Class 1E division under test in SSLC.
   b. In SSLC, physical separation or electrical isolation exists between Class 1E divisions. Physical separation or electrical isolation exists between Class 1E divisions and non-Class 1E equipment.

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Safety System Logic and Control

4. Design Commitment: SSLC provides the following bypass functions:
   a. Division-of-sensors bypass
   b. Trip logic output bypass
   c. ESF output channel bypass
   Inspections, Tests, Analyses: Tests will be performed on the as-built SSLC as follows:
   a(1) Place one division of sensors in bypass. Apply a trip test signal in place of each sensed parameter that is bypassed. At the same time, apply a redundant trip signal for each parameter in each other division, one division at a time. Monitor the voted trip output at each TLU and SLU. Repeat for each division.
   a(2) For each division in bypass, attempt to place each other division in division-of-sensors bypass, one at a time.
   b(1) Place one division in trip-logic-output bypass. Operate manual auto-trip test switch. Monitor the trip output at the RPS OLU. Operate manual auto-isolation test switch. Monitor the trip output at the MSIV OLU. Repeat for each division.
   b(2) For each division in bypass, attempt to place the other divisions in trip-logic-output bypass, one at a time.
   c(1) Apply common test signal to any one pair of dual-SLU signal inputs. Monitor test signal at voted 2-out-of-2 output in RMU area. Remove power from one SLU, restore power, then remove power from other SLU. Repeat test for all pairs of dual SLUs in each division.
   c(2) Disable auto-bypass circuit in bypass unit. Repeat test c(1), but operate manual ESF loop bypass switch for each affected loop.
   Acceptance Criteria: Results of bypass tests are as follows:
   a(1) No trip change occurs at the voted trip output of each TLU and SLU. Bypass status is indicated in main control room.
   a(2) Each division not bypassed cannot be placed in bypass, as indicated at OLU output; bypass status in main control room indicates only one division of sensors is bypassed.
   b(1) No trip change occurs at the trip output of the RPS OLU or MSIV OLU, respectively. Bypass status is indicated in main control room.
   b(2) Each division not bypassed cannot be placed in bypass, as indicated at OLU output; bypass status in main control room indicates only one trip logic output is bypassed.
   c(1) Monitored test output signal does not change state when power is removed from either SLU. Bypass status and loss of power to SLU are indicated in main control room.
   c(2) Monitored test output signal is lost when power is removed from either SLU, but is restored when manual bypass switch is operated. Bypass status, auto-bypass inoperable, and loss of power to SLU are indicated in main control room.
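Bypass tests a(1) and a(2) state an observable result (the voted trip output does not change, and a second bypass is refused) without spelling out the logic that produces it. The following is an added illustration, not part of the ABWR design material and not SSLC's actual implementation: a small Python model of one voted trip output fed by four instrumentation divisions, with the division-of-sensors bypass and its one-at-a-time interlock, plus the two checks the ITAAC describes. It assumes that, while one division is bypassed, the vote is taken as 2-out-of-3 of the remaining divisions; the page states the acceptance criteria, not the internal voting rule. The division names, class and function names are the example's own.

```python
# Added illustration (not ABWR design material): a model of one voted trip
# output fed by four instrumentation divisions, used to show what the
# Table 3.4 item 4 bypass tests a(1) and a(2) check.
#
# ASSUMPTION: while one division of sensors is bypassed, the voted output is
# taken as 2-out-of-3 of the remaining divisions.  The page states only the
# acceptance criteria, not the internal voting rule.
from typing import Dict, List, Optional

DIVISIONS = ("I", "II", "III", "IV")


class BypassInterlockError(Exception):
    """Raised when a second division-of-sensors bypass is attempted."""


class VotedTripOutput:
    """One 2-out-of-4 coincidence vote (one TLU or SLU trip function)."""

    def __init__(self) -> None:
        # Per-division sensor-channel trip decisions (constructed state).
        self.channel_trip: Dict[str, bool] = {d: False for d in DIVISIONS}
        self.bypassed: Optional[str] = None  # at most one division in bypass

    def reset(self) -> None:
        for d in DIVISIONS:
            self.channel_trip[d] = False
        self.bypassed = None

    def set_bypass(self, division: str) -> None:
        """Place one division of sensors in bypass; the interlock rejects a second."""
        if self.bypassed is not None and self.bypassed != division:
            raise BypassInterlockError(
                f"division {self.bypassed} already bypassed; cannot bypass {division}")
        self.bypassed = division

    def clear_bypass(self) -> None:
        self.bypassed = None

    def voted_trip(self) -> bool:
        """Coincidence vote over the divisions that are not bypassed."""
        active = [d for d in DIVISIONS if d != self.bypassed]
        return sum(self.channel_trip[d] for d in active) >= 2

    def control_room_status(self) -> str:
        """Bypass status as it would be indicated in the main control room."""
        if self.bypassed is None:
            return "no division of sensors bypassed"
        return f"division {self.bypassed} sensors bypassed"


def check_a1(output: VotedTripOutput) -> Dict[str, bool]:
    """Test a(1): trip the bypassed division, then each other division one at a
    time. Criterion met when no trip change occurs at the voted output."""
    met: Dict[str, bool] = {}
    for bypassed in DIVISIONS:
        output.reset()
        output.set_bypass(bypassed)
        output.channel_trip[bypassed] = True  # trip test signal replaces bypassed sensors
        trip_seen = False
        for other in DIVISIONS:
            if other == bypassed:
                continue
            output.channel_trip[other] = True  # redundant trip in one other division
            trip_seen = trip_seen or output.voted_trip()
            output.channel_trip[other] = False
        met[bypassed] = not trip_seen
    output.reset()
    return met


def check_a2(output: VotedTripOutput) -> Dict[str, bool]:
    """Test a(2): with one division bypassed, attempt to bypass each other
    division. Criterion met when every attempt is rejected and the status
    still shows exactly the one original bypass."""
    met: Dict[str, bool] = {}
    for bypassed in DIVISIONS:
        output.reset()
        output.set_bypass(bypassed)
        rejected_all = True
        for other in DIVISIONS:
            if other == bypassed:
                continue
            try:
                output.set_bypass(other)
                rejected_all = False
            except BypassInterlockError:
                pass
        met[bypassed] = rejected_all and output.bypassed == bypassed
    output.reset()
    return met


def trips_without_bypass(output: VotedTripOutput, tripped: List[str]) -> bool:
    """Reference behaviour with no bypass: any two tripped divisions trip the output."""
    output.reset()
    for d in tripped:
        output.channel_trip[d] = True
    result = output.voted_trip()
    output.reset()
    return result


if __name__ == "__main__":
    out = VotedTripOutput()
    print("a(1) no trip change per bypassed division:", check_a1(out))
    print("a(2) interlock holds per bypassed division:", check_a2(out))
    print("2-of-4 with I and III tripped:", trips_without_bypass(out, ["I", "III"]))
```

check_a1 returns, per bypassed division, whether criterion a(1) was met, and check_a2 does the same for the interlock of a(2). The reference function makes the contrast visible: two tripped divisions trip the unbypassed output, but a tripped bypassed division plus one other division does not, which is exactly what "no trip change" in a(1) demands. The same one-at-a-time interlock pattern is what test b(2) checks for the trip-logic-output bypass.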

25A5447 Rev. 0 ABWR Design Certification Material

[Table 3.4 Instrumentation and Control (Continued): the text of these two pages is not legible in this scan]

3.4-24 Instrumentation and Control

3.4-25 Instrumentation and Control

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Hardware/Software Development

8. (continued)
   Acceptance Criteria (8b, continued):
   (3) Incorporate into the software design the safety-critical software functions specified in the software requirements specification
   (4) Identify in the coding and test of the developed software, those software modules which are safety-critical
   (5) Evaluate the performance of the developed safety-critical software modules when operated within the constraints (including the effects of potential unintended functions) imposed by the established system requirements, software design, and computer hardware requirements
   (6) Evaluate software interfaces of safety-critical software modules
   (7) Perform equipment integration and validation testing that demonstrate that safety-related functions identified in the design input requirements are operational.

   c. The software engineering process, which is composed of the following life-cycle phases:
   (1) Planning
   (2) Design Definition
   (3) Software Design
   (4) Software Coding
   (5) Integration
   (6) Validation
   (7) Change control

   d. The Planning phase design activities, which shall address the following system design requirements and software development plans:
   (1) Software Management Plan
   (2) Software Configuration Management Plan
   (3) Verification and Validation Plan
   (4) Equipment design requirements
   (5) Safety analysis of design requirements
   (6) Disposition of design and/or documentation nonconformances identified during this phase

   e. The Design Definition phase design activities, which shall address the development of the following implementing equipment design and configuration requirements:
   (1) Equipment schematic
   (2) Equipment hardware and software performance specification
   (3) Equipment user's manual
   (4) Data communications protocol, including timing analysis and test methods.
   (5) Safety analysis of the developed design definition
   (6) Disposition of design and/or documentation nonconformances identified during this phase

   f. The Software Design phase, which shall address the design of the software architecture and program structure elements, and the definition of software module functions:
   (1) Software Design Specification
   (2) Safety analysis of the software design
   (3) Disposition of design and/or documentation nonconformances identified during this phase

   g. The Software Coding phase, which shall address the following software coding and testing activities of individual software modules:
   (1) Software source code
   (2) Software module test reports
   (3) Safety analysis of the software coding
   (4) Disposition of nonconformances identified in this phase's design documentation and test results

   h. The Integration phase, which shall address the following equipment testing activities that evaluate the performance of the software when installed in hardware prototypical of that defined in the Design Definition phase:
   (1) Integration test reports
   (2) Safety analysis of the integration test results
   (3) Disposition of nonconformances identified in this phase's design documentation and test results

   i. The Validation phase, which comprises the development and implementation of the following documented test plans and procedures:
   (1) Validation test plans and procedures
   (2) Validation test reports
   (3) Description of as-tested software
   (4) Safety analysis of the validation test results
   (5) Disposition of nonconformances identified in this phase's design documentation and test results

[Table 3.4 Instrumentation and Control (Continued), Hardware/Software Development, end of item 8 and start of item 9: page text not legible in this scan]

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Hardware/Software Development

9. (continued)
   Acceptance Criteria (9c, continued):
   (4) Process corrective actions to resolve deviations identified in software design and design documentation, including notification to end user of errors discovered in software development tools or other software
   (5) Maintain status of design interface documentation and developed software design documentation
   (6) Designate and control software revision status. Such methods shall require that software code listings present direct indication of the software code revision status.

   d. Methods for, and the sequencing of, reviews to evaluate the compliance of software design activities with the requirements of the CMP.
   e. The configuration management of tools (such as compilers) and software development procedures.
   f. Methods for the dedication of commercial software for safety-related usage.
   g. Methods for tracking error rates during software development, such as the use of software metrics.
   h. The methods for design record collection and retention.

10. Design Commitment: A Verification and Validation Plan (V&VP) shall be developed which establishes that developed software shall be subjected to structured and documented verification reviews and validation testing, including testing of the software integrated into the target hardware.
    Inspections, Tests, Analyses: The Verification and Validation Plan shall be reviewed.
    Acceptance Criteria: The Verification and Validation Plan shall define:
    a. That baseline reviews of the software development process are to be conducted during each phase of the software development life cycle.
    b. The scope and methods to be used in the baseline reviews to evaluate the implemented design, design documentation, and compliance with the requirements of the Software Management Plan and Configuration Management Plan.
    c. The requirements for use of commercial software and commercial development tools for safety-related applications and that such use is a controlled and documented procedure.
    d. That verification shall be performed as a controlled and documented evaluation of the conformity of the developed design to the documented design requirements at each phase of baseline review.
    e. That validation shall be performed through controlled and documented testing of the developed software as installed in the target hardware that demonstrates compliance of the software with the software requirements specifications and compliance of the device(s) under test with the system design specifications.
    f. That for safety-related software, verification reviews and validation testing are to be conducted by personnel who are knowledgeable in the technologies and methods used in the design, but who did not develop the software design to be reviewed and tested.
    g. That for safety-related software, design verification reviews shall be conducted as part of the baseline reviews of the design material developed during the Planning through Integration phases of the software development life-cycle (as defined in Criterion 8b, above), and that validation testing shall be conducted as part of the baseline review of the Validation phase of the software development life-cycle.
    h. That validation testing shall be conducted per a documented test plan and procedure.
    i. That for non-safety related software development, verification and validation shall be performed through design reviews conducted as part of the baseline reviews completed at the end of the phases in the software development life cycle. These design reviews shall be performed by personnel knowledgeable in the technologies and methods used in the design development.
    j. The products which shall result from the baseline reviews conducted at each phase of the software development life-cycle; and that the defined products of the baseline reviews and the V&V Plan shall be documented and maintained under configuration management.
    k. The methods for identification, closure, and documentation of design and/or design documentation nonconformances.
    l. That the software development is not complete until the specified verification and validation activities are complete and design documentation is consistent with the developed software.

11. Design Commitment: Software development shall be performed in accordance with the software management plan, configuration management plan, and verification and validation plan.
    Inspections, Tests, Analyses: Review software development results.
    Acceptance Criteria: Software development has been completed as defined in the SMP, CMP, and V&VP. Noncompliance with the SMP, CMP, and V&VP may occur during implementation of these plans, provided that corrective action is taken for any such noncompliances.

r Table 3.4 Instrumentation and Control (Continued) b ig m Inspections, Tests, Analyses and Acceptance Criteria 3

Design Commitment inspections, Tests, Analyses Acceptance Criteria fg

,, Electromagnetic Compatibility E 12. An EMC compliance plan is in place. The p 12. Electrical and electronic components in 12. The EMC compliance plan will be the systems listed below are qualified for reviewed. plan requires, for each system qualified.

3-E the anticipated levels of electrical system documentation that includes interference at the imf alled locations of confirmation of component and system the componenta according to an testing for the effects of high electrical establishea plan: field conditions and current surges. As a minimum, the following information is

a. Safety System logic and Control documented in a qualification file and
b. Essential Multiplexing System subject to audit:
c. Non-Essential Multiplexing System / a. Expected performance under test conditions for which normal system  %
d. Other microprocessor-based, software controlled systems or operation is to be ensured. $

84"I P **"I b. Normal electrical field conditions at k the locations where the equipment d' Tne plan is structured on the basis that must perform as above. $

elect romagnetic compatibility (E MC) of l&C equipment is verified by factory c. Testing methods used to qualify the testing and site testing of both individual equipment, including:

components and interconnected systems (1) Types of test equipment.

to meet EMC requirements for protection against the effects of: (2) llange of normal test conditions.

a. Electromagnetic interference (EMI) (3) Range of abnormaltestconditions f r expected transient p
b. Radio Frequency interference (RFI) environment. u,
c. Electrostatic Discharge (ESD) 'a
d. Electrical surge ISurge Withstand k Capability (SWC)) ,

E it:

9 I

~

E-

~

_ - , - --r- . - - . - . , . . , , , m . .- .. - -- . ..

Table 3.4 Instrumentation and Control (Continued) b -

!r m i Inspections, Tests, Analyses and Acceptance Criteria 3

a inspections Tests, Analyses Acceptance Criteria

$ Design Commitment -

o l Electromagnetic Compatibility

& 12. (continued) 12.(continued) p 12. (continued) (4) location of testing and exact 3 configuration of tested E components and systems, including interconnecting cables, connections to electrical power distribution system, and connections to interfacing devices used during normal plant operation.

1

d. Test results that show the component o or system is qualified for its $

l application and remains qualified t after being subjected to the range of g normal and abnormal test conditions  ;

specified above.

The plan establishes separate test regimes for each element of EMC, using the following approaches:

a. EMI and RFI Protection. An EMC compliance plan for each component l

or system identified in the design n commitment includes tests to ensure l that equipment performs its functions T i

in the presence of the specified p EMt/RFI electrical noise environment, it.

l including the low range of the EMI $

! spectrum, without equipment $

I damage, spurious actuation, or inhibition of functions.

{

P, w Q

~

W

=

i l

Table 3.4 Instrumentation and Control (Continued) b 2

[ CI3 g Inspections, Tests, Analyses and Acceptance Criteria a

Design Commitment inspections, Tests, Analyses Acceptance Criteria Electromagnetic Compatibility

12. (continued) 12a. (continued) h 12. (continued) As part of the pre-operational test R

E program, the EMC compliance plan calls for each system to be subjected to EMl/RFI testing. Tests cover potential EMI and HFI susceptibility over four different paths:

(1) Power feed lines (2) Input signallines (3) Output signallines .,

m (4) Radiation $

The test program includes sensitivity  ;

of components identified in the  ;

design commitment to radiation from o plant communication transmitters and receivers.

b. ESD Protection. An EMC compliance plan for each component or system identified in the design commitment includes tests to ensure that equipment performs its functions in a the presence of the specified ESD E.

environment without equipment 3 damage, spurious actuation, or D inhibition of functions. $

0 E.-

en 9 =

b E-

~

d

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Electromagnetic Compatibility

Design Commitment:
12. (continued)

Inspections, Tests, Analyses:
12. (continued)

Acceptance Criteria:
12b. (continued) The plan is structured on the basis that ESD protection is confirmed by factory tests that determine the susceptibility of instrumentation and control equipment to electrostatic discharges.
The EMC compliance plan includes standards, conventions, design considerations, and test procedures to ensure ESD protection of the plant instrumentation and control equipment.
The plan requires test documentation confirming that, for each component tested, the following conditions have been met:
(1) No change in output signal status was observed during the test.
(2) The equipment performed its normal functions after the test.

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Electromagnetic Compatibility

Design Commitment:
12. (continued)

Inspections, Tests, Analyses:
12. (continued)

Acceptance Criteria:
c. SWC Protection. An EMC compliance plan for each component or system identified in the design commitment includes tests to ensure that equipment performs its functions for the specified SWC environment without equipment damage, spurious actuation, or inhibition of functions.
The EMC compliance plan includes standards, conventions, design considerations, and test procedures to ensure SWC protection of the plant instrumentation and control equipment.
The plan is structured on the basis that SWC protection is confirmed by factory tests that determine the surge withstand capability of the plant instrumentation and control equipment.
The plan documents the level of compliance of each system with the grounding and shielding practices of the standards specified under this certified design commitment.

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Setpoint Methodology

Design Commitment:
13. Setpoints for initiation of safety related functions are determined, documented, installed and maintained using a process that establishes a plan for:
a. Specifying requirements for documenting the bases for selection of trip setpoints
b. Accounting for instrument inaccuracies, uncertainties, and drift
c. Testing of instrumentation setpoint dynamic response
d. Replacement of setpoint related instrumentation.
The setpoint methodology plan requires that activities related to instrument setpoints be documented and stored in retrievable, auditable files.

Inspections, Tests, Analyses:
13. Inspections will be performed of the setpoint methodology plan used to determine, document, install, and maintain instrument setpoints.

Acceptance Criteria:
13. The setpoint methodology plan is in place. The plan generates requirements for:
a. Documentation of data, assumptions, and methods used in the bases for selection of trip setpoints.
b. Consideration of instrument channel inaccuracies (including those due to analog-to-digital converters, signal conditioners, temperature compensation circuits, and multiplexing and demultiplexing components), instrument calibration uncertainties, instrument drift, and uncertainties due to environmental conditions (temperature, humidity, pressure, radiation, EMI, power supply variation), measurement errors, and the effect of design basis event transients are included in determining the margin between the trip setpoint and the safety limit.
c. The methods used for combining uncertainties.
d. Use of written procedures for preoperational testing and tests performed to satisfy the Technical Specifications.

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Setpoint Methodology

Design Commitment:
13. (continued)

Inspections, Tests, Analyses:
13. (continued)

Acceptance Criteria:
13. (continued)
e. Documented evaluation of replacement instrumentation which is not identical to the original equipment.

Equipment Qualification

Design Commitment:
14. Qualification of safety-related instrumentation and control equipment is implemented by a program that assures this equipment is able to complete its safety-related function under the environmental conditions that exist up to and including the time the equipment has finished performing that function. Qualification specifications consider conditions that exist during normal, abnormal, and design basis accident events in terms of their cumulative effect on equipment performance for the time period up to the end of equipment life.

Inspections, Tests, Analyses:
14. A review will be conducted of the equipment qualification program.

Acceptance Criteria:
14. An I&C equipment qualification program is in place. Documentation for the I&C EQ program is recorded in a product qualification file that includes a list of I&C safety-related equipment accompanied by the following equipment information:
a. Performance specifications under conditions existing during and after design basis accidents. These include voltage, frequency, load, and other electrical characteristics that assure specified equipment performance.
b. Environmental conditions at the location where the equipment is installed. These conditions include:
(1) Number and/or duration of equipment functional and test cycles/events
(2) Process fluid conditions (where applicable to the I&C equipment)
(3) Voltage, frequency, load, and other electrical characteristics of the equipment

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Equipment Qualification

Design Commitment:
14. (continued)

Inspections, Tests, Analyses:
14. (continued)

Acceptance Criteria:
14b. (continued)
(4) Dynamic loads associated with seismic events
(5) Dynamic loads associated with hydrodynamic conditions
(6) System transients and other vibration inducing events
(7) Pressure, temperature, humidity
(8) Chemical and radiation environments
(9) Electromagnetic compatibility
(10) Aging
(11) Submergence (if any)
(12) Consideration of synergistic effects
(13) Consideration of margins for unquantified uncertainty.
c. One (or a combination) of the following testing methods used to qualify the equipment:
(1) Testing of an identical item of equipment under identical or similar conditions with a supporting analysis to show that the equipment to be qualified is acceptable.

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Equipment Qualification

Design Commitment:
14. (continued)

Inspections, Tests, Analyses:
14. (continued)

Acceptance Criteria:
14c. (continued)
(2) Testing of a similar item of equipment with a supporting analysis to show that the equipment to be qualified is acceptable.
(3) Experience with identical or similar equipment under similar conditions with a supporting analysis to show that the equipment to be qualified is acceptable.
(4) Analysis in combination with partial type test data that supports the analytical assumptions and conclusions.
d. Documented results of the qualification that show the equipment performs its safety function when subjected to the conditions predicted to be present when it must perform its safety function up to the end of its qualified life.

Table 3.4 Instrumentation and Control (Continued)
Inspections, Tests, Analyses and Acceptance Criteria

Equipment Qualification

Design Commitment:
15. A program exists whose objective is to verify that the installed configuration of safety related I&C equipment is bounded by the test configuration and test conditions.

Inspections, Tests, Analyses:
15. A review will be conducted of the program established for as-built verification of safety-related I&C equipment.

Acceptance Criteria:
15. A program for as-built verification of safety related I&C equipment is in place and contains requirements for a documented evaluation that the installed configuration is bounded by the test configuration and conditions or that an analysis exists which concludes that any differences will not affect the safety function of the I&C equipment.

Design Commitment:
16. Diversity is provided, as described in Section 3.4C, in the form of hardwired backup of reactor trip, diverse display of important process parameters, defense-in-depth arrangement of equipment, and equipment diversity.

Inspections, Tests, Analyses:
16.
a. Tests will be performed using simulated input signals for items 5, 9, and 11 in Section 3.4C. For items 9 and 11 only, turn off power to SSLC equipment in four divisions.
b. Inspection of the as-installed configuration of items 1, 2, 3, 4, 6, 7, 8, 10, and 12 in Section 3.4C, will be performed.

Acceptance Criteria:
16.
a. Item 5, Section 3.4C: Refer to Item 4 of Table 3.4 for results of ATWS tests.
Item 9, Section 3.4C: Each independent display indicates its specified parameter or responds to its specified alarm setpoint as tabulated in Section 3.4C.
Item 11, Section 3.4C: HPCF system initiation signals that duplicate those produced by SSLC are produced at the outputs of the hardwired, diverse signal path.
b. The features listed as items 1, 2, 3, 4, 6, 7, 8, 10, and 12 in Section 3.4C, are implemented as hardwired, diverse, and independent of SSLC, as specified in the table.