ML20082B921
| ML20082B921 | |
| Person / Time | |
|---|---|
| Site: | Prairie Island  |
| Issue date: | 07/10/1991 |
| From: | Parker T NORTHERN STATES POWER CO. |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| Shared Package | |
| ML20082B924 | List: |
| References | |
| TAC-68588, TAC-68589, NUDOCS 9107170159 | |
| Download: ML20082B921 (11) | |
Text
- _ _ _ _ _ _ _ _ _ _ _ _ _.
Northem States Power Company 414 Nicollet Mall Minneapoks. Minnesota bb4011927 Telephone (612) 330 $$00 July 10, 1991 10 CI'R 50.63(c)(d)
U S Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555 PRAIRIE IS!AND NUCLEAR CENERATING PLANT Docket Nos. 50 282 License Nos. DPR-42 50 306 D 'R 60 Reply to Questions on Design Report for tlw Station Blackout / Electrical Safeguards Upgrade Project (TAC Nos. 68588 and 68589)
References:
- 1) Letter from Thomas M Parker, Northern States Power Company, to U S Nuclear Regulatory Commission dated November 27, 1990 titled " Design Report for the Station Blackout /Elcetrical Upgrade Project"
- 2) Letter from Armando Masciantonio, U S Nuclear Regulatory Commission, dated lune 6, 1991 titled " Request for Additional Information - St.ation Blackout / Electrical Safeguardu Upgrade Proj ec t (TAC Nos. 68588/68589)
On November 27, 1990 ve submitted for NRC Staff review the design report (Reference 1.) for our project to add two additional safeguarda emergency diesel generators, to upgrade the safeguards electrical distribution system, and to upgrade #121 Cooling Water Pump to become a swing safeguards pump, on June 11,1991 the NRC Staff requested additional information (Reference 2).
We are providing the answers to those questions in the attachment to this letter.
Please conta t us if you have any questions related to the responses to the ques J
~,
Thomas Parker Manager Nuclear Support Services c: Regional Administrator Region lil, NRC Senior Resident Inspector, URC NRR Project Manager, NRC J E Silberg At tachment.s :
- 1. Response to Reg.est for Additional Information
- 2. Load Sequencer Programmable Controller Processor Specifications (2 pages)
- 3. Safeguards Load Sequencer Verification and Validation Plan (19 pages) 9107170159 910710 h
loor r!'a nooce o30002a2 ss\\(
l F
(
4 4
ATTACHMENT 1 NORTHERN STATES POWER COMPANY PRAIRIE IST AND NUCLEAR CENERATING PIANI STATION BLACKOUT / ELECTRICAL SAFEGUARDS UPGRADE PROJECT RESPONSE TO JUNE 6.1991 REOUEST FOR ADDITIONAL INFORMATION (TAC NO. 68588. 68589)
References:
1.
" Design Report for the Station Blackout / Electrical Safeguards Upgrade Project",, Northern States Power Company, November 27, 1990.
j 2.
ANS1/IEEE ANSt7 4.3.2 1982, "American National Standard, Application
]
Criteria for Programmable Digital computer Systems in Safety Systems of Nuclear Generating Stations".
OUEST10N 1:
Provide.the design information of the Unit 2 load sequencer programmable logic controller (PLC) (i.e., manufacturer, model number, etc.). Include the description of the devices used in the load sequencers. the load sequencer PLC programming language, compiler, type of microprocessors,
)
etc.
RESPONSE TO OUEST10N lt The load sequencer uses an Allen Bradley 1785 PLC 5 Programmable Controller as the main processor.
The programmable' logic controller-is provided with a n
battery for memory back up, as well as, an EEPROM n.emory module for non-l volatile storage of the application programs. Additional components of the load sequencer programmable logic controller includo-1771 P7 Power Supply 1771 0WN 32 Point Relay Output Module 1771-1AD - 16 Point 125 V.00 Input Module 1771+1D 8 Point 138 VDC Isolated Input Module Applicable product specification sheets are provided as Attachment 2 to this submittal.
J The-Allen Bradley programmable logic controller was programmed using:
'PLC 5 A.I.-Series-0FFLINE. Module Version 5.21 4
Catalog No. L5 140A
_ICOM Inc.
-This program is a tool to program the processor with the system ladder logic.
The appropriate.progranaable logic controller commands are entered into the system as rungs-of a ladder. This ladder logic format is read by the programmable logic controller and interpreted into programmable logic
__ controller commands.
i r,m:;
A_,---.-_..
_,._,~__....,,.~m._---,_.m._,--.m..,m,,,,....-
.,_,,e _,,_ _ _ _.,.- -
i Attachnent 1 I
July 10, 1991 Page 2 of 8 I
1 OUEST10N 2:
NRC Regulatory Guide 1.152, which endorses ANSI /IEEE-ANS b4.3.2 1982 (Ref. 2), is not referenced in the Northern States Power Company (NSPC) submittal (Ref. 1).
Provide documentation f the acceptance criteria for the load sequencer system, and justify differences between the NSPC acceptance criteria and the Ref. 2 criteria.
Describe the plans for performing or reviewing the verification and validation (V6V) of the programmable logic controller (PLC) load sequencer logic to be implemented on Unit.2.
If the V6V has been performed, provide the documentation of the V6V plan.
If a V6V plan has not been developed, describe the prccess by which NSP will ensure the adequacy of the PLCs for 7
.1E applicatione.-
j l'
RESPONSE TO.OU?STION 2:
t The load sequencer programmable logic controller system "crification A validaticn (V6V) plan has, been implemented in accordance with ANSI /IEEE-ANS 7-4.3.2 1982.
A copy of the Safeguards Load Sequencer Verification and Validation Plan is providod as Attachment 3 to this submittal.
Since the load sequencer syster.i is still under development and testing, the verification &
i' talidation program is ongoing.
Software validation and software acceptance testing is.in progress.
k' hen that is completed, the hardware /sof tware integration testing will be performed by the vendor, and witnessed by NSP, to demonstrate thf adequacy-of the interface, A final. Verification 6 Validation Report will be submitted to NSP which -will summarit:e the results of the system validation testing and will show how the system is in compliance with the original system requirements.
QUESTION 3:
l l
Describe the acceptance criteria for checking control cabinet instruments and control logic.
-RESPONSE T0___OUEST10N 3:
L^
I The control-cabinet instruments and control logic functions will be fully tested during the verification 6 validation testing-phases. This includes i
module testing'and integrated testing.
In addition,-scenario testing vill be performed to demonstrate satisfactory load sequencer response to simulated plant events. The~ scenarios to be tested-include: 1) A safety injection
=followed 30 seconds later by a degraded soltage; 2)-A safety injection with a simultaneous loss of offsite power; and,- 3) A loss of offsite power, e
I Attachnent 1 July 10,1W1 Foge 3 of 8 OUEST10N 4:
Describe site acceptance /preoperational testing; specifically address loss and restoration of power to the PLCs, during standby and power operation.
Also describe the memory retention capability of the PLC.
RESPONSE TO OJfSTION 4:
Site acceptance testing of the load sequencers will demonstrate that the system will respond correctly during simulated emergency conditions. The progratmtable logic cont roller logic will be functionally tested during the integrated preoperational testing of the new emergency diesel generators.
The load s,equencer performance will be verified for tripping of load breakers, starting the emergency d'esel generators, selection of a source for the emergency bus, and sequential loading of the bus after source selectica.
Upc1 loss of power to the programmable logic controller, an EEpROM memory module installed in the programmable logic controller will contain a copy of the operacing program which can be downloaded to the programmable logic controller memory on every power up cequence. When power is restored to the programmable logic controller, the operational software will determine whether the unit is in the test trode or the operating mode, and the sequencer will resume operation at that point.
QUESTION 5:
provide the frequency at which the PLC load sequencer algorithm will be tested, and discuss coordination of this testing with normal load sequencer operations.
B,fSPONSE TO OUEST10N 5:
The programmable logic controller load sequencer algorithm will be verified during monthly surveillance testing.
This verification will include n'anual scenario testing to demonstrate that. the sequencer will respond correctly to simulated inputs and that the output relays respond correctly.
Blocking relays are energized while all of this testing is performed so that inadvertent operation of the safeguards equipment is avoided.
While in the test mode, the load sequencer logic is desigied to recognize an actual degraded voltage condition or a valid safety injection signal. When either or both of these conditions is detected, the test mode is exited and the operational software resumes.
The time required to reset from a test, after a valid input is received, is dependant upon the tiac required to deenergize the blocking relays and to reset program titters. The time is expected to be less than or equal to 250 milliseconds.
The actual time will be determined during system testing.
k l
July 10, 1991 i
Page 4 of 8 OUEST10N 6!
Describe the acthods by which a loss of load sequencer function is detected and taltigated, including the steps required to recover the load sequencer function.
RESEDNSE TO OUEST10N 6:
The programmable logic controller processor contains a watchdog timer which will alarm if the programmable logic controller sof tware does not cortplete a cycle in a predefined timo period.
In addition, the programmabic logic controller logic will alarm in the Main Control Room on the loss of AC or DC control power,-or if the sequencer is placed in manual.
The load sequencer programmable logic controller is ' reset' by cycling AC power to the L
programmable logic controller.
This action will perform a restart of the sequencer. Manual control of the load and source breakers can be assumed _by 7
placing the load sequencer control switch on the main control board to the MANUAL position.
OUEST10N 7:
provido the PLC Surge Withstand Capability (SWC) specifications, and' justify the margin between the SWC and expected surges.
Include the pbC power sources.
RESPONSE TO OUEST10N 7:
The programmable logic contro11ers' logic power supply requires a 120VAC external source of power. This. external 120VAC will be supplied from 120VAC uninterruptable power supplies which will provide _a regulated and filtered source of power.to the units.
According to Allen Bradley product literaturo, the PLC 5 family of programmable logic controllers has been tested for noise immunity in accordance with ND4A pubitcation ICS 2 Section ICS 2 230.
In addition, the PLC-5 family's surge withstand capability was tested in accordance with ANSI Standard C37.90a 1974 (IEEE Standard 472-1974).
Both of the above mentioned industry standards deal with solid state equipment instelled in industrial and L
utility environments similar'to that present at prairie Island.
OUEST10N 8:
provide the PLC Electromagnetic Compatibility (DIC) specifications, and.
~
justify the margin between the EMC specifications and the electromagnetic interference.
RESPONSE TO OUESTION 8:
I
'There are no strong sources of radio frequency interference (RFI) in the vicinity of prairie Island which are not under plant control (such as-
..4,._-.,-
.....a.-
_ _. _,__--._ _ _ -- _ __. - _ _ _. ~
Attechnent 1 M y 10, 1991 Page 5 of 8 c
commercial radio or television transmitters).
A radio frequency interference survey of the control rod drive rooms conducted in 1985 conitrmed this when levels less than 100 mV/ meter were measured.
Therefore, the source of objectionable radio frequency interference is primarily from the use of hand held walkie+ talkies near susceptible solid state equipment.
To ensure that the programmable lor,1c controllers within the load sequencer are sufficiently inmune to the expected electromagnetic interference at the Prairie Island sito, the equipment will be tested for radiated and conducted susceptibility in accordance with SAMA Standard PMC 33.1 1978, and MIL Standard 461 and MIL Standard 462. MIL Standard Test Methods CS01, CSO2 and t
CS06 will be the basis for the conducted-susceptibility test.
The Prairle Island site falls into Class 2 for radiated susceptibility as defined by SAHA
~
Standard PMC 33.1 1978, since hand held transmitters are the primary source of
- objectionable electromagnetic interfrrence.
The equipment will therefore be j
tested for a 10 Volt / meter radiated field strength. An electromagnetic interference survey of-the D$/D6 Building will be conducted to confirm this t
Class 2 field strength designation.
QUE$110N 9!
Provide a detailed description of the device (s) used to accomplish electrical isolation between IE and non-1E systems and describe the specific testing performed to demonstrate that the devices are acceptable for this application.
This description should include elementary diagrams to indicate the test configuration and how the maximum credible faults were applied to the device (s).
RESPOSSE TO OUESTION 9:
i ASEA Type RXMH2 auxiliary relays are used for IE vs. non 1E isolation l
purposes. These relays have heavy duty contacts which are rated to carry 10 amperes of 125VDC current continuously and 135 amperes for 200 milliseconds-for an aircady closed contact (fault duty).
The.non safety related circuits which are connected to the contacts of these isolation relays fall into three categories; 1) plant computer inputs which
- are-wired to a remote multiplexor unit (RMU), 2) inputs to the plant's annunciator system, and 3) contacts that control main control board indicating
- lights which have been classified as non 1E.
The same quality class of cable
- is used -for this -non safety related wiring as is used f or. the safety related wiring in the. plant.
This wiring is also routed in control raceways which do not contain any power (480VAC or-4160VAC) circuits.
The power supplies associated with 1) and 2) above are power limited, and cannot deliver currents-in excess of 2 to 3 amperes even with a bolted fault across the power supply output.
1 vm..-.,,,-._-mm_m-,,.~..,,__
-,_._...-~.,.*~-mm.-,.~_
m
+
Attachnent 1 July 10, 1991 Fage 6 of 8 The non 1E main control board indicating lights (Category 3 above) are supplied from non 1E 125VDC.
The most likely seismic induced failure mode of the indicating light is an open circuit of the lamp filament.
In the unlikely event that a light module shorts out, the combined cable resistance of the DC j
feeder from the battery to the load sequencer and control circuit from the load sequencer to the main control board sill limit the fault current to less than 100 amperes. Five ampero fuses locatet in the load sequencer cabinet will
{
interrupt this fault current in less than the 200 millisceand short time duty of the contacts.
Based on the above, we have concluded that the ASEA RXMil2 relay is a suitable isolation device, and no additional testing is required.
QUESTION 10:
1 Provide data to-verify that the maximum c edibic faults applied during the test (s)- discussed in Question 9 were the maximum voltage / current to which the device could be exposed, and defino how the maximum voltage / current was determined.
RESPONSE TO Ot1ESTION 1Q1 A discussion of the maximum credible fault on the non 1E side of the isointion device is contained in our response to Question 9 above, j
QUESTION 11:
Provide data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and to verify that--other-faults were considered (i.e., open and short circuits).
RESlaNSE TO OUESTION 111 Electruechanical. relays are used to isolate the 1E and non 1E circuits-through soil to contact or contact to contact separation.
There is no common return path between the IE and non 1E side of the isolation relay circuits.
The re fore, there is no transverse mode fault mechanism, I
Short circu;ts are discussed in our-response to Question 9 Because relays are used as isolation devices, open circuits on the non 1E wiring connected to
[
the isolation relay contacts have no effect on the _1E side of the device.-
.u
. -., - ~ ~.. _. - - - - _ _ -. ~ ~ ~ - - - ~. - - -
- _ - _ - - -.. _ ~. -. - - -
4 4
't l
I i
Attach:ent 1 July 10, 1991 Page 7 of 8 OUESTION 12:
Define the pass / fail acceptance criteria for each type of isolation
. device, RESPONSE TO OUESTION 12.:
r As stated in our response to Question 9 above, ASEA Type RXMil2 relays provide the isolation between the 1E circuits and non 1E monitoring and indication signals. This relay was selected because of its rugged desi n and high 6
momentary current capability of its contacts.
QUESTION 13:
Discuss the process by which NSPC will verify that_the electromagnetic environment _at the plant site is enveloped by the PLC manufacturer's EMC test parameters.
RESPONSE TO OUESTION 13:
- As stated in our response to Question 8, an elec*romagnetic interference-site
- survey will be conducted, and the results of this survey will be compared to e
the electromagnetic interference test intensities to ensure that the test envelopes the measured _ values.
OUESTION 14:
Describe the. configuration control plan for the Unit 2 load sequencer.
RESPONSE TO OUESTION214!
' During the software development and verification 6 validation testing phases, the configuration control of the programmable logic controller ladder logic and data files is administered by load sequencer vendor in accordance with 4
their QA Manual and the Software Configuration Management document. This document delineates lthe responsible individual.for control of the software in each phase of development - The Software Configuration Management document L
also. addresses control of documentation and testing data.
l u
After'the load ~ sequencer is delivered to NSP, responsibility for configuration
[
control is transferred to the Electrical Systems Engineering group at the:
plant site. Control of the system will be ace'omplished in three areas-and in-accordance with the Prairie-Island Quality Assurance Manual.
First, all-functional testing will be done in accordance with the Surveillance Proceduto program.
Second, any troubleshooting, without changing ladder logic or data
- files, will be_done in accordance with the Work Control program.
Finally,-any changes to the hardware or software will be done in accordance with the Uniform' Modification-Process, including 10 CFR Part 50 Section 50.59 reviews.
n
.-J. ---.
.-.-,..,_.,-..--.,-.___.---.a..
i Attachaent i July 10,1971 f'ege 8 of 8 QUISTION 15:
Provide the Menn Time-To-Failure (MTTF) and the Mean-Time To Repair (MTTR) information for the PLCs, RESPONSE TO OUFSTION 15:
The Mean-Time To Failure (MTTF) is derived from Allen firadley field performance data only, and uses the product installed base and product repair information. The Mean Time To Repair (MTTR) is the timo required to replace the faulty module and return the load sequencer to service, but does not include personnel mobilization time.
EOUIPtil21I tEIf lit.IE 1785 LT (Processor) 377,614 lirs.
1 lir.
1771-IAD (Input Mod) 4,004,797 lirs, 1 lir.
1771-ID (Input Mod) 5,778,240 lirs.
1 lir.
1771 0WN (Output Mod)
NO DATA 1771-0W (Output Mod similar to 1,638,031 Ilrs.
1 lir.
1771 0WN) 1771 P7 (Power sply) 907,435 lirs.
1 lir.
chaser
.y- ~
ig ATTACllMENT 2 Processor Specifications Processor Specifications System Configuration (typical)
- 1. slot
- 1. local chassis - PLC-5/10 any mix of 8 and 16-pt and PLC-5/12 modules,32-pt modules 1 local chassis and up to must be VO pairs 12 remote UO chassis 1/2-slot (3 logical rack numbers)-
any mix of 8,16 and 32-pt modules PLC-5/15
- 1 local chassis and up to Communication
( 1(g c L al - standalone (PLC-5/10) r ek num
)-
PLC-5/25 s
e to a supervisor (PLC-5/12, -5/15, -5/25) 6K (PLC-5/10, -5/12 and -5/15)
Scenner 13K (PLC-5/25) local and remote I/O (PLC-5/15 and -5/25);
1/0 Capacity 10,000 cable-ft max for Bulletin 1771 UO including remote UO 8,16, and 32 point I/O and
- Data Highway Plus intelligent modules 10,000 cable-ft max
- PLC-5/10 Data Highway via 1785-KA 256 UO with 16-pt modules 512 UO with 32-pt modules Mary ConCguradon PLC-5/12
- up to 1000 program files 256 UO with 16-pt modules
- up to 1000 data files 512 UO with 32-pt modules
- user configurable
- PLC-5/15 Memory Modules (optional) 512 UO, any mix 512 inputs and 512 outputs
- 4K RAM expansion,1785-MR using 16 or 32-pt modules (PLC-5/15 and -5/25)
PLC-5/25 8K RAM expansion,1785-MS 1024 I/0, any mix (PLC-5/15 and -5/25)
N 1024 inputs and 1024 outputs
- SK EEPROM backup,1785-MJ using 16 or 32-pt rr.odules (all PLC-5 processors) 16K EEPROM backup, 1/0 Hardware Addressing 1785-MK (PLC-5/25 only) oga m Scan mix of 8-pt modules, 16-pt modules must be I/O
- 2 ms/K words (bit logic) pairs, no 32-pt modules
- 8 ms/K words (typical)
L
4 Processor Specifications Discrete !!O Scan (typical)
Compatible Supervisory 1 ms/localI/O rack
= 10 ms/reinote I/O rack number PLC-2/30 PLC 3,-3/10
' mi. ' ne Current PLC-5/15 -5/25 PLC-5/250
- A backup Batiery CompatibleI/O Adapters Remote UO Adapter Module
- self-contained lithium battery (1771-ASB)
(1770-XY)
Single-Point I/O Adapter 1-year memory life without ac Assembly (1771-JAB)
Time-of Day Clock and Calendar
- PLC@-5/10. -5/12 processor in adapter mode maximum variation at 60* C:
. PLC@-5/250 Remote Scanner 3 minutes per month (5150-RS2) typical variation at 20 C:
. Direct Communication Module
+ 20 seconds per month (1771-DCM)
- ummg accuracy:
PLC Interface Module one progmn scan (3500-NA1) for digital AC and DC drives Environmental Conditions
- Remote I/O Adapter for operating temperature:
Bulletin 1336 drives 0 to 60* C (32 to 140 F)
(1336-MOD-G2) storage temperature:
Serial Port Connector
-40 to 85" C (-40 to 185* F)
(MOD-SI) relauve humidity RediPANEL Pushbutton and 5 to 95% (without Keypad Modules condensktion)
(bulletin 2705)
- Option Module (1784-F30D) for the T30 Plant-Floor Certification Terminal (UL and CSA) 8600 CNC with remote I/O adapter option (8600-2058K)
Class 1, Division 2 CVIM set for adapter mode Groups A, B, C, D (5374CVIM)