ML20092C167

| Person / Time | |
|---|---|
| Site: | 05000605 |
| Issue date: | 02/03/1992 |
| From: | R. C. Mitchell, General Electric Co. |
| To: | R. C. Pierson, NRC Office of Information Resources Management (IRM), Office of Nuclear Reactor Regulation |
| References: | EEN-9212, MFN-025-92, MFN-25-92, NUDOCS 9202110316 |
| Download: | ML20092C167 (45) |

Text
GE Nuclear Energy

February 3, 1992
MFN No. 025-92
Docket No. STN 50-605
EEN-9212

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Attention: Robert C. Pierson, Director
Standardization and Non-Power Reactor Project Directorate

Subject: GE Responses to the Additional Items Noted in the Draft SER for Chapter 7

References:
1. D.M. Crutchfield to P.W. Marriott, Draft Safety Evaluation Report on the Advanced Boiling Water Reactor Design, dated October 4, 1991 (SECY-91-294), MFN No. 126-91
2. Chapter 7, Proprietary Information, dated 2/3/92, MFN No. 028-92

Enclosed are thirty-four (34) copies of the GE responses to the subject request. The responses are cross-referenced with a summary item number corresponding to the review meeting held in San Jose on August 7 & 8, 1991.

Some of these responses contain information that is designated as General Electric Company proprietary information and are primarily corrections or additions to earlier proprietary submittals. This information is being submitted under separate cover (Reference 2).

It is intended that GE will amend the ABWR SSAR with these responses in a future amendment.

Sincerely,

R.C. Mitchell, Acting Manager
Regulatory and Analysis Services
M/C 382, (408) 925-6948

cc: F. A. Ross (DOE)
    N. D. Fletcher (DOE)
    C. Poslusny, Jr. (NRC)
    J. Stewart (NRC)
    R. C. Berglund (GE)
    J. F. Quirk (GE)

9202110316 920203
PDR ADOCK 05000605
A PDR
CONCERN: DSER Section 7.1.3.2, Page 7-6 (DSER Summary Item 4.a)

GE should provide additional information for the following items required or discussed by the EPRI RD: RG 1.106, RG 1.33, GL 83-08, 10 CFR 50.62, GDC 3, GDC 17, GDC 26, IEEE 730, IEEE 829, IEEE 472, BTP CMEB 9.5-1, 10 CFR Appendix B, ISA 67.15, ANSI C96.1, NEMA, DOD 263, IPCEA S-61-402, NUREG/CR-4640, NUREG-0993, NUREG/CR-3958, NUREG/CR-4385, NUREG/CR-4386, NUREG/CR-4387, NUREG-0572, NUREG-0977, NUREG-1000, NUREG-0696, NUREG-1154, NUREG-0985, NSAC-39, EPRI 2184-7, MIL Spec 338, MIL Spec 217E, MIL Spec 781, MIL Spec 472, EPRI NP-3659, EPRI NP-6209, EPRI 5693, EPRI NP-3448, EPRI NP-3701, EPRI NP-3659, and EPRI RP27057.

CLOSURE PLAN: The review of EPRI requirements will remain as an open issue in the SER. This item will be addressed in the final SER on the ABWR.

RESPONSE: Evaluation of the ABWR against the listed criteria is beyond the SRP/LRB certification requirements. GE will discuss with the NRC to determine the appropriate forum in which to address these issues.
CONCERN: DSER Section 7.1.3.3, Page 7-11 (DSER Summary Item 5.a)

GE should provide additional information to demonstrate its commitment to GDC 1 for the SSLC and EMS design. The staff noted that there was no evidence in the SSAR that current IEEE and other computer/electronics industry standards related to advanced technology had been considered in the design; for example, no standards were identified regarding electromagnetic compatibility, local area networks, communications protocols, and software design.

CLOSURE PLAN: GE will review ANSI C37.90.2, MIL Specs 461 and 462, and ANSI C63.12 for application to the ABWR regarding EMC. Appendix 7A will be amended to address such standards (or others) deemed appropriate following the review. (See also Item 8.a.)
[ACTION COMPLETED PER MODIFIED RESPONSE]

RESPONSE: (See Proprietary Information in separate submittal.)
CONCERN: DSER Section 7.1.3.3, Page 7-13 (DSER Summary Item 4.a)

Prototype testing of new technology is required to confirm expected safety performance, to confirm unforeseen systems interactions, and to allow the staff to reach its safety determination on systems which may not have extensive operating experience. Based on information currently available, the staff believes that prototypes will be needed to demonstrate acceptable performance of the interconnected RPS, ESFAS, EMS, and SSLC systems.

CLOSURE PLAN: GE will submit a "scroll" flow chart consistent with DSER Summary Item 1.e. NRC action to review/assess regulatory process (ITAAC + Q/A). GE will propose up-front confirmatory steps which can be defined now, but be applied post-certification.
[ACTION COMPLETED PER RESPONSE AND RPS PILOT ITAAC EXAMPLE]

RESPONSE: GE submitted a flow chart during the GE/NRC meetings on DSER Chapter 7 concerns that illustrated GE's assessment of the regulatory process before and after certification. As a typical example of commitments that will be made for the inspection and test of installed safety protection system equipment after certification, but prior to plant startup, the pilot ITAAC for the Reactor Protection System (RPS) is attached. This ITAAC describes inspections and tests that are unique to RPS. However, since the RPS function is part of Safety System Logic and Control (SSLC) and the Essential Multiplexing System (EMS), portions of SSLC and EMS are also verified to be acceptable during the performance of RPS procedures. ITAACs for other safety functions will verify other portions of SSLC and EMS. There will, however, be ITAACs that are specific to both of these systems. These ITAACs will provide more detailed inspections and tests for specialized functions within SSLC and EMS, such as bypass, self-test, data throughput rate, error rate, and time response.
CONCERN: DSER Section 7.2.1, Page 7-16 (DSER Summary Item 1.b)

GE should specify which periodic reactor protection system tests will be used to satisfy technical specification requirements.

CLOSURE PLAN: GE will amend SSAR Section 7.2 to state that fault-detection diagnostic testing is not being used to satisfy tech spec requirements for surveillance.
[ACTION COMPLETED PER MODIFIED RESPONSE AND MARKED-UP 7.2]

RESPONSE: Fault-detection diagnostic testing is not being used to satisfy Technical Specification requirements for surveillance. All of the basic periodic RPS surveillance tests will be used to satisfy the requirements related to RPS channel and trip system operability. These periodic tests shall include:

a. Channel checks on each shift or twice per day to verify correspondence of the values of the several instrument channels for all analog-type scram variables.

b. Channel functional tests to verify operability and decision logic of the various instrument channels, and tests of the output logic channels to verify operability of the actuating devices.

c. Channel calibrations to verify the accuracy of the channel trip decision logic. These are primarily verifications of the required trip setpoints in the Digital Trip Modules (DTMs).

d. Outage/inspection tests conducted during scheduled refueling outages. These tests consist of: (1) total channel calibrations which include the channel transmitters or other detection devices as well as the DTMs; (2) complete RPS logic system functional test, which includes testing all coincidence (2/4) logic and non-coincidence (1/n) logic of the several instrument channels and the four trip systems, and the final actuating trip logic using the arrangement of load drivers to effect the final trip system (2/4) trip logic (functional tests include both the automatic and manual trip systems and testing of all interlocks related to operational and maintenance bypasses, trip seal-in, reset permissives and trip reset logic, etc.); (3) RPS response time testing; and (4) other outage-type inspection tests such as APRM simulated thermal power time constant verification and Reactor Mode Switch operation functional tests.
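To make the surveillance items above concrete, the following is an added illustration (not GE's RPS design and not code from the submittal) of 2/4 coincidence and 1/n non-coincidence logic together with the exhaustive logic-system functional test that item d.(2) describes. The channel names, a final 2/4 actuation across the four trip systems, and the treatment of a maintenance-bypassed channel as removed from the vote are assumptions made for the illustration.

```python
"""Added example, not GE's design: 2-out-of-4 coincidence and 1-out-of-n trip
logic, with an exhaustive logic-system functional test of the kind a
surveillance procedure performs. Channel names, the final 2/4 actuation
across trip systems and the bypass behaviour are assumptions for illustration."""
from itertools import product

CHANNELS = ("A", "B", "C", "D")


def coincidence_2of4(trips, bypassed=frozenset()):
    """One trip system's decision: at least two non-bypassed channels tripped.
    A bypassed channel is removed from the vote (assumption), so a single
    maintenance bypass degrades the logic to 2-out-of-3."""
    voting = [ch for ch in CHANNELS if ch not in bypassed]
    return sum(1 for ch in voting if trips[ch]) >= 2


def noncoincidence_1ofn(trips):
    """1/n logic: any single tripped channel is sufficient."""
    return any(trips.values())


def trip_systems(trips, bypassed=frozenset()):
    """Four redundant trip systems each vote 2/4 on the same channel inputs."""
    return {ts: coincidence_2of4(trips, bypassed) for ts in CHANNELS}


def final_actuation(system_trips):
    """Final trip logic (assumed load-driver arrangement): scram when at
    least two of the four trip systems have tripped."""
    return sum(1 for tripped in system_trips.values() if tripped) >= 2


def functional_test():
    """Drive every combination of channel trip states through the logic and
    compare each output with the truth table implied by the count of tripped
    channels. Returns (cases_run, failures); failures is empty when the logic
    is correct."""
    failures = []
    for states in product((False, True), repeat=len(CHANNELS)):
        trips = dict(zip(CHANNELS, states))
        n_tripped = sum(states)
        systems = trip_systems(trips)
        if any(v != (n_tripped >= 2) for v in systems.values()):
            failures.append(("2/4", trips))
        if noncoincidence_1ofn(trips) != (n_tripped >= 1):
            failures.append(("1/n", trips))
        if final_actuation(systems) != (n_tripped >= 2):
            failures.append(("final", trips))
    # Maintenance bypass interlock checks (assumed semantics): a bypassed
    # channel's own trip must not count, and the rest must still vote 2/3.
    trips = {"A": True, "B": True, "C": False, "D": False}
    if coincidence_2of4(trips, bypassed=frozenset({"A"})):
        failures.append(("bypass", "bypassed channel A was still counted"))
    trips = {"A": True, "B": True, "C": True, "D": False}
    if not coincidence_2of4(trips, bypassed=frozenset({"A"})):
        failures.append(("bypass", "2/3 vote with A bypassed did not trip"))
    return 2 ** len(CHANNELS) + 2, failures


if __name__ == "__main__":
    ran, failed = functional_test()
    print(f"{ran} cases run, {len(failed)} failures")
```

The point of enumerating all sixteen channel states rather than spot-checking a few is that a 2/4 voter with an off-by-one threshold or a mis-wired channel passes most spot checks; only the full truth table distinguishes 2/4 from 1/4 or 3/4 on every input.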
CONCERN: DSER Section 7.2.1, Page 7-16 (DSER Summary Item 2.a)

GE should provide additional information on the Reactor Protection System to address the electrical and physical separation between the four channels. Because of the extensive use of multiplexors and software, the staff considers the isolation of information (error handling) to be an essential factor in its safety determination.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: The requested information was provided in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.2.2, Page 7-26 (DSER Summary Item 1.d)

The staff requests that GE formally submit (docket) its undocketed assessment of the loss of all four divisions of the ABWR Essential MUX, which concluded that the plant could be safely shut down from the remote shutdown system.

CLOSURE PLAN: GE will provide the NRC with a draft of Appendix 19R which includes the requested assessment.

RESPONSE: (See Proprietary Information in separate submittal.)
CONCERN: DSER Section 7.2.2.2, Page 7-27 (DSER Summary Item 1.e)

GE should define the software architecture that runs in the EMS microprocessors. In addition, GE should demonstrate how the decision logic, which in an analog design is a parallel process, would be implemented by the software, which is usually a serial process. GE has provided high-level block diagrams of the data signal paths; however, the software implied in the system block diagrams can mask much of the safety system's design complexity. Since the software is an essential line element in the execution of the safety system functions, a definition of the software architecture is required for the staff to make its safety determination. The architecture should include application-specific software, operating system software and embedded software.

CLOSURE PLAN: GE will provide the 18 identified MPL documents under proprietary agreement (mechanics of transmittal to be worked out, i.e., by affidavit, etc., later).
[ACTION COMPLETED PER THE FOLLOWING LIST]

LIST OF DOCUMENTS SENT TO NRC VIA AFFIDAVIT (3 COPIES) ON AUGUST 16, 1991. One copy each was sent to Dino Scaletti, Jim Stewart, and Charlie Miller (Central File/Mail Desk). (Every page of each document was stamped "GENERAL ELECTRIC CO. PROPRIETARY INFORMATION".)

| Document Number | GE Number | Revision | Title | Pages |
|---|---|---|---|---|
| 23A6710 | 5.8.2 | 0 | RPS H/S System Spec. | 34 |
| 23A1317 | 1B.14 | 1 | SSLC Design Spec. | 45 |
| 22A8477 | 5.6.1 | 1 | NMS Design Spec. | 71 |
| 299X700-070 | 5.18.2b | 0/2 | NEMS Design Spec. | 22 |
| 23A6327 | 5.2.4 | 0 | EMS/SSLC Interface Req. | 21 |
| 23A1302 | 5.8.1 | 1 | RPS Design Spec. | 61 |
| 23A6301 | 5.6.2 | 0 | NMS H/S System Spec. | 86 |
| 23A6229 | 5.8.8 | 0 | (title illegible) | 8 |
| 23A5759 | 5.1.5 | A | Imp. Procedure for H/S | 29 |
| 23A5761 | 5.1.10 | A | MUX Application Proc. | 14 |
| 23A6761 | 5.6.9 | 0 | NMS V&V Criteria Spec. | 30 |
| 23A6280 | 5.2.1c | 0 | SSLC V&V Criteria Spec. | 7 |
| 299X701-016 | 5.1.8 | 0/1 | Safety Sys. App. Proc. | 8 |
| 299X701-015 | 5.1.6 | 0/0 | Imp. Procedure for V&V H/S | 17 |
| 299X700-071 | 5.18.2a | 0/2 | EMS Design Spec. | 22 |
| 23A5727 | 5.1.1 | 1 | Integration of C&I Design | 23 |
| 103E1805 | 5.2.1 | (none) | SSLC Block Diagram | 5 |
| "Scroll" Draft | (N/A) | R910809 | Design & Impl. Chart | 11 |
| App 19K Draft | (N/A) | 8/15/91 | MUX Common-Cause Failure | 21 |
| DAL #1508 | (N/A) | (none) | Codes and Standards | 4 |
| DAL #1512 | (N/A) | (none) | U.S. ABWR Codes & Stds. | 2 |
| IF-R-389 L (FMEA) | (N/A) | (none) | SSLC Reliability Analysis | 192 |
| Position Paper | 5.2.2 | 0 | Allocation of DTM to SSLC | 13 |

Where the revision is given as two numbers, the second number is the corresponding revision of the original H/T document.

RESPONSE: (See Proprietary Information in separate submittal.)
CONCERN: DSER Section 7.2.2.2, Page 7-28 (DSER Summary Item 1.f)

GE should define the functional requirements of the EMS, the major parameters that define the data transmission attributes, and the criteria for selecting the data transmission hardware. The staff recognizes that the detail design of the EMS depends on the hardware that is selected; however, the functional requirements for the EMS as part of the ABWR safety systems are not hardware dependent.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: (See Proprietary Information in separate submittal.)
CONCERN. DSER Section: 7.2.2.2, Page # 7 29 (DSER Summary Item # 6.a
)
The staff requests that GE provide inforwation to clarify how the two DTMs in the EMS network arbitrate to determine which will be the MASTER loop.
The staff noted that the two EMS network loops are designated MASTER and STANDBY by the receiving fiber optic interface.
The designation of which loop is MASTER is on the basis of transmission errors and checksum errors, as well as the results of' self test. The hardware diagrams that the staff has reviewed showed that-each Digital Trip Module (DTM) in the SSLC has two fiber optic interfaces.
The design parameters of how'the MASTER loop is designated is important to the evaluation because it could address possible software failure modes like deadly embrace, lockup, and other contention issues that can disrupt communications
- EMS.
This designation is also applicable at the RMU level where ESF equipment actuation commands are received.
CLOSURE PLAN' Same as.DSER. Summary item 1.e.
-RESPONSE' The requested-information was provided in the package described in the closure plan for Item 1.o.
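The following is an added illustration (not GE's arbitration design, and not from the proprietary package) of how a receiving interface can designate MASTER and STANDBY from exactly the three inputs the concern names, transmission errors, checksum errors and self-test results, without any cross-waiting that could produce a deadly embrace or lockup. The frame layout, the 16-bit checksum, the eight-cycle scoring window and the hysteresis margin are assumptions.

```python
"""Added example, not GE's arbitration design: a receiving interface with two
incoming loops that designates exactly one of them MASTER from observed
transmission errors, checksum errors and self-test results. The checksum,
the scoring window and the hysteresis margin are assumptions."""
from dataclasses import dataclass, field

WINDOW = 8       # assumption: errors are scored over the last 8 cycles
HYSTERESIS = 2   # assumption: STANDBY must be this much healthier to take over


def checksum16(data: bytes) -> int:
    """Ones'-complement 16-bit sum over big-endian words (odd length zero-padded)."""
    total = 0
    for i in range(0, len(data), 2):
        hi = data[i]
        lo = data[i + 1] if i + 1 < len(data) else 0
        total += (hi << 8) | lo
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_frame(seq: int, payload: bytes) -> bytes:
    """Frame layout (assumed): seq, length, payload, 16-bit checksum."""
    body = bytes([seq & 0xFF, len(payload)]) + payload
    return body + checksum16(body).to_bytes(2, "big")


def parse_frame(frame):
    """(seq, payload), or None on a transmission (length) or checksum error."""
    if frame is None or len(frame) < 4:
        return None
    body, chk = frame[:-2], int.from_bytes(frame[-2:], "big")
    if checksum16(body) != chk or len(body) != 2 + body[1]:
        return None
    return body[0], body[2:]


@dataclass
class LoopHealth:
    selftest_ok: bool = True
    history: list = field(default_factory=list)   # 1 per bad cycle, 0 per good

    def record(self, bad: bool):
        self.history.append(1 if bad else 0)
        del self.history[:-WINDOW]

    def score(self) -> int:
        """Higher is worse; a failed self-test outranks any error count."""
        return (1000 if not self.selftest_ok else 0) + sum(self.history)


class DualLoopReceiver:
    """Exactly one loop is MASTER in every cycle. The designation is a pure
    function of recorded health evaluated once per cycle, so no loop ever
    waits on the other: there is no deadly embrace and no lockup state."""

    def __init__(self):
        self.health = [LoopHealth(), LoopHealth()]
        self.master = 0          # deterministic initial designation
        self.last_good = None
        self.stale_cycles = 0    # cycles since usable data arrived on any loop

    def designate(self) -> int:
        cur, alt = self.master, 1 - self.master
        s_cur, s_alt = self.health[cur].score(), self.health[alt].score()
        # Hysteresis prevents flapping between two loops of similar quality.
        return alt if s_alt + HYSTERESIS <= s_cur else cur

    def cycle(self, frame_on_loop0, frame_on_loop1):
        parsed = [parse_frame(frame_on_loop0), parse_frame(frame_on_loop1)]
        for health, p in zip(self.health, parsed):
            health.record(p is None)
        self.master = self.designate()
        data = parsed[self.master]
        if data is None:
            data = parsed[1 - self.master]   # STANDBY covers a single bad cycle
        if data is None:
            self.stale_cycles += 1           # both loops bad: consumer sees stale data
        else:
            self.stale_cycles = 0
            self.last_good = data
        return self.master, self.last_good, self.stale_cycles


def demo():
    """Constructed traffic: loop 0 starts corrupting payload bits at cycle 3
    while loop 1 stays clean. Returns the per-cycle (master, data, stale) log."""
    rx = DualLoopReceiver()
    log = []
    for seq in range(8):
        good = make_frame(seq, bytes([0x10, seq]))
        corrupt = bytearray(good)
        corrupt[-3] ^= 0x01                  # flip one bit in the last payload byte
        on_loop0 = good if seq < 3 else bytes(corrupt)
        log.append(rx.cycle(on_loop0, good))
    return log


if __name__ == "__main__":
    for cycle_no, (master, data, stale) in enumerate(demo()):
        print(cycle_no, "MASTER=loop", master, data, "stale" if stale else "")
```

Two properties matter for the failure modes the staff lists: the designation function always returns one loop index, so the system can never be without a MASTER or have two, and the stale-cycle counter makes the "both loops bad" case visible to the trip logic as a distinct, countable condition rather than silently reusing old data.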
CONCERN: DSER Section 7.2.2.3, Page 7-30 (DSER Summary Item 1.g)

GE should provide information describing in detail the fault tolerant design features of the SSLC system. In response to the staff request (Q420.49) to describe the fault tolerant features of the SSLC system, GE responded that the system will be capable of error correction of inputs and outputs, retry or rollback to last known correct state on fault detection, restart without lockup on fault such as EMI, data transmission error correction, continued operation through transient fault, and continued operation through permanent fault. GE's response should include additional information which describes the SSLC system design features that accomplish the capabilities described above.

CLOSURE PLAN: GE will provide a fault tolerance review of the specific items listed in the concern, consistent with its present level of definition, as an amendment to GE response 420.49 (or other appropriate area of the SSAR if appropriate).

RESPONSE: The process of testing and verifying fault tolerant features will be discussed in the Inspections, Tests, Analysis and Acceptance Criteria (ITAAC) for the Safety System Logic and Control (SSLC).
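The following is an added illustration (not the SSLC design, and not GE's response to Q420.49) of three of the capabilities listed in the concern: rollback to the last known correct state on fault detection, restart without lockup, and continued operation through transient and permanent faults. The pressure range, trip setpoint, retry limit and the CRC-protected checkpoint are assumptions.

```python
"""Added example, not GE's SSLC design: a controller scan cycle that detects a
faulty input, rolls back to the last known correct state, retries through a
transient fault, and keeps running with a declared-failed input when the fault
turns out to be permanent. Setpoints, ranges and retry limit are assumptions."""
import zlib

MAX_RETRIES = 3                 # assumption: a fault persisting beyond this is permanent
PRESSURE_RANGE = (0, 1500)      # assumption: credible transmitter range, psig
TRIP_SETPOINT = 1100            # assumption: high-pressure trip setpoint, psig
SAFE_STATE = {"pressure": 0, "trip": True, "failed_inputs": ()}


class FaultDetected(Exception):
    pass


def state_crc(state: dict) -> int:
    return zlib.crc32(repr(sorted(state.items())).encode())


class Checkpoint:
    """Last known correct state, stored with a CRC so that a copy corrupted
    in memory (for example by an EMI upset) is detected rather than restored."""

    def __init__(self, state):
        self.state = dict(state)
        self.crc = state_crc(self.state)

    def restore(self):
        if state_crc(self.state) != self.crc:
            raise FaultDetected("checkpoint corrupted")
        return dict(self.state)


class Controller:
    def __init__(self):
        self.state = dict(SAFE_STATE)       # trip asserted until valid data arrives
        self.checkpoint = Checkpoint(self.state)
        self.retries = 0

    @staticmethod
    def read_input(raw):
        """Input validation: a missing or out-of-range value is a fault, not data."""
        if raw is None or not PRESSURE_RANGE[0] <= raw <= PRESSURE_RANGE[1]:
            raise FaultDetected(f"input out of range: {raw!r}")
        return raw

    def scan(self, raw):
        """One bounded scan cycle; always returns, never loops on a fault."""
        try:
            pressure = self.read_input(raw)
            new_state = dict(self.state)
            new_state["pressure"] = pressure
            new_state["trip"] = pressure > TRIP_SETPOINT
            self.state = new_state
            self.checkpoint = Checkpoint(self.state)   # commit: new known-good state
            self.retries = 0
        except FaultDetected:
            self.retries += 1
            try:
                self.state = self.checkpoint.restore()  # rollback
            except FaultDetected:
                # Restart from the defined safe state instead of locking up.
                self.state = dict(SAFE_STATE)
                self.checkpoint = Checkpoint(self.state)
            if self.retries > MAX_RETRIES:
                # Permanent fault: declare the input failed and continue
                # operating; a failed input is treated conservatively as tripped.
                self.state["failed_inputs"] = ("pressure",)
                self.state["trip"] = True
                self.checkpoint = Checkpoint(self.state)
        return self.state


def demo():
    """Constructed input sequence: one transient glitch, then a permanent loss."""
    ctrl = Controller()
    raw_inputs = [900, 950, None, 960, None, None, None, None]
    return [(s["pressure"], s["trip"]) for s in (ctrl.scan(x) for x in raw_inputs)]


if __name__ == "__main__":
    print(demo())
```

The distinction the concern draws between transient and permanent faults is what the retry counter encodes: a single glitch is absorbed by rolling back and carrying the last good value forward, while a fault that outlives the retry budget changes the declared state of the input rather than leaving the controller retrying forever.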
CONCERN: DSER Section 7.2.2.3, Page 7-30 (DSER Summary Item 7.a)

The STS should be considered a safety grade system because it is embedded in the SSLC and interfaces directly with the safety system software. The staff noted that when the STS has possession of the EMS token, a non-safety system (the STS) is in control of a safety system (the EMS), albeit only for a short time. A failure of the STS to pass on the token would result in the EMS being disabled until the timeout for the lost token expired and a new one was generated. Since the STS software was considered a non-safety system, it must be assumed that the STS software will fail in any conceivable mode, including the mode whereby it keeps running tests. The staff also requests that GE provide information which describes how the STS would acquire the token to send an EMS message and specify the duration of the token timeout.

CLOSURE PLAN: GE will amend Section 7.1.2.1.6(6), which now says "The self-test function is classified as safety associated," to "The self-test function is classified as safety related." Note this issue appears twice in the DSER: Section 7.2.2.3 (page 7-30) and Section 7.2.3.3 (page 7-43).
[ACTION COMPLETED PER RESPONSE CHANGE AND TEXT MARK-UP]

RESPONSE: GE agrees that the self-test software is safety-related. Subsection 7.1.2.1.6(6) has been changed to state "The self-test function is classified as safety related." However, note that the self-test implementation in the final SSLC design has changed from the concept discussed in the staff comments (see the response to Item 1.q). On-line self-test is now a monitoring or diagnostic-type system embedded in the software of each microprocessor-based controller. Critical circuit nodes and program flow are continuously monitored for deviations from normal states. Thus, self-test is not actively involved with token passing or other aspects of multiplexing.
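The following is an added illustration (not GE's self-test implementation) of the two kinds of monitoring the response describes: program flow checked by a running signature that each block of the scan cycle folds into, and a critical output node checked by readback against the commanded value. Block names, the signature function and the fault-injection parameters are assumptions.

```python
"""Added example, not GE's self-test implementation: an on-line program-flow
monitor embedded in a controller scan cycle, plus a critical-node readback.
Block names, the signature function and the fault-injection knobs are
assumptions used only to demonstrate the technique."""

BLOCKS = ("read_inputs", "trip_logic", "drive_outputs", "write_status")
TRIP_SETPOINT = 1100   # assumption


def fold(signature: int, block_id: int) -> int:
    """Order-sensitive signature update (multiply-then-XOR, FNV-style prime).
    A plain XOR would not do: XOR commutes, so swapped blocks would pass."""
    return ((signature * 0x01000193) ^ block_id) & 0xFFFFFFFF


def expected_signature() -> int:
    sig = 0
    for block_id in range(1, len(BLOCKS) + 1):
        sig = fold(sig, block_id)
    return sig


EXPECTED = expected_signature()


class FlowMonitor:
    """Each block folds its id into a running signature; at the end of the
    cycle the signature must equal the value computed for the intended path.
    A skipped, repeated or reordered block changes the value."""

    def __init__(self):
        self.signature = 0

    def enter(self, block_name: str):
        self.signature = fold(self.signature, BLOCKS.index(block_name) + 1)

    def end_of_cycle(self) -> bool:
        ok = self.signature == EXPECTED
        self.signature = 0
        return ok


def scan_cycle(monitor, inputs, skip=(), order=BLOCKS, node_stuck=None):
    """One controller cycle. `skip`, `order` and `node_stuck` inject faults for
    the demonstration; they are not control paths of a real controller.
    Returns (outputs, healthy)."""
    state, outputs = {}, {}
    for name in order:
        if name in skip:
            continue
        monitor.enter(name)
        if name == "read_inputs":
            state["pressure"] = inputs["pressure"]
        elif name == "trip_logic":
            state["trip"] = state.get("pressure", 0) > TRIP_SETPOINT
        elif name == "drive_outputs":
            # Energize-to-run coil: de-energized (False) means scram.
            outputs["scram_coil"] = not state.get("trip", True)
        elif name == "write_status":
            outputs["status"] = "TRIP" if state.get("trip", True) else "RUN"
    flow_ok = monitor.end_of_cycle()
    # Critical node readback (assumption): the sensed coil state must match
    # the commanded one; a stuck driver is caught even when the logic ran.
    sensed = outputs.get("scram_coil") if node_stuck is None else node_stuck
    readback_ok = sensed == outputs.get("scram_coil")
    return outputs, flow_ok and readback_ok


if __name__ == "__main__":
    mon = FlowMonitor()
    print(scan_cycle(mon, {"pressure": 900}))
    print(scan_cycle(mon, {"pressure": 900}, skip=("trip_logic",)))
    print(scan_cycle(mon, {"pressure": 900}, node_stuck=False))
```

The reordered-block case is the one worth noticing: with the trip logic run before the input read, the outputs for a non-tripped cycle are identical to the correct cycle's, so output comparison alone would never reveal the deviation; only the flow signature does.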
CONCERN: DSER Section 7.2.3, Page 7-31 (DSER Summary Item 3.a)

GE should provide Failure Modes and Effects Analysis information in accordance with GDC 23, "Protection System Failure Modes." This information should demonstrate that all postulated RPS and ESF failures result in a known safe state if conditions such as disconnection of the system, loss of energy or a postulated adverse environment are experienced.

CLOSURE PLAN: Same as DSER Summary Item 1.e. Note this issue is shown twice in the DSER: Section 7.3.2 (page 7-52) and Section 7.2.3 (page 7-31).

RESPONSE: "...all postulated RPS and ESF failures..." would include vendor-specific information dependent on the hardware and associated software employed. However, a more detailed FMEA was provided in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.3.1, Page 7-32 (DSER Summary Item 8.a)

GE should provide information which identifies the design bases and criteria for EMC and environmental qualification. The quality levels of the SSLC hardware, thermal design implementation limits and design practices or standards to limit possible EMI effects should also be provided. The lack of design control for these parameters could result in common mode failures for multiple divisions, from such failures as loss of HVAC and electromagnetic interference pulses from unanticipated field effects common to all divisions. The potential for disabling multiple RPS and ESF logic divisions is a critical safety concern that requires additional review.

CLOSURE PLAN: Item 8.a is closed based on resolution of 5.a. In conjunction with 5.a, GE will review ANSI C37.90.2, MIL Specs 461 and 462, and ANSI C63.12 for application to the ABWR regarding EMC. Appendix 7A will be amended to address such standards (or others) deemed appropriate following the review.
[ACTION COMPLETED PER REFERENCES IN RESPONSE]

RESPONSE: For a commitment to thermal design limits, see the response to Item 8.c. For a commitment to criteria for EMC requirements, see the response to Item 5.a.
CONCERN: DSER Section 7.2.3.1, Page 7-33 (DSER Summary Item 9.a)

The staff requests GE clarify which RPS signals are multiplexed and which are not. Figure 7A-1 in GE Document No. 23A1317 of undocketed MPL Document A32-4080 showed that many of the RPS-related sensors are connected directly to the Digital Trip Modules (DTM) and do not go through the EMS. This was contradicted by Figure 7.A.2-1 in SSAR Chapter 7A, which showed all the sensor signals sent via the EMS.

CLOSURE PLAN: GE will review and correct Table 7A.2-1 as required, consistent with the proposed closure response and GE document 23A1317. GE will also submit expanded FMEA on the same basis as DSER Summary Item 1.e.
[ACTION COMPLETED PER RESUBMITTAL OF TABLE 7A.2-1 (FMEA submitted earlier)]

RESPONSE: The following signals are hard-wired directly from the instrument channel sensor output contacts to the Digital Trip Module input terminals:

a. Turbine stop valve limit switch signals;
b. Turbine control valve emergency trip system oil pressure monitoring pressure switch signals;
c. Turbine first stage pressure monitoring transmitter 4-20 milliampere analog value signals; and
d. Main steam line isolation valve limit switch signals.

The output signals from the four Process Radiation Monitoring System panels in the control room are also wired directly to the DTMs. Here, the DTMs are mainly used only to distribute the signals from each of the four PRRM panels to all four RPS automatic trip systems, since any trip decisions have already been made by the PRRM System. In the case of the Neutron Monitoring System SRNM and APRM signals, these two trip signals are sent from each NMS division, by isolated wiring, to all four RPS Trip Logic Units (TLUs).

The only instrument channel signals associated with the RPS that are multiplexed, and utilize the Essential Multiplexing System for signal transmission of sensor signals from the transmitters to the DTM input terminals, are:

a. Reactor vessel pressure transmitter signals;
b. Reactor narrow range water level transmitter signals;
c. Drywell pressure transmitter signals; and
d. CRD accumulator charging header pressure transmitter signals.

Criteria used in deciding which instrument channels should or could be hard-wired from sensor outputs to the inputs of the RPS-related equipment in the main control room included the following:

A. All turbine building originating variables would be hard-wired, the primary reason being that no EMS remote multiplexing units would be located in the turbine building.
B. All variables with extremely fast instrument channel response time requirements should be hard-wired.
C. For instrument channels where the trip decision is made by the remote sensing device by itself (e.g., by valve limit switches or pressure switches), or for cases where trip decisions are made by equipment of other supporting systems located in the main control room, these instrument channels could be hard-wired.
CONCERN: DSER Section 7.2.3.1, Page 7-33 (DSER Summary Item 10.a)

GE should provide additional information which describes design features to preclude the common mode failure of software, including an analysis which demonstrates how the SSLC, EMS, ESF, and STS designs comply with NUREG-0493. Since the ARI function and the SLCS instrumentation are subject to the common mode failure of the EMS and SSLC systems for effects such as EMI or software operational problems, the analysis should consider the detailed effects of such failures and how operation of the systems could continue. The staff also noted the possibility that the EMS and NEMS would use the same software modules and, therefore, upon a software error, could fail simultaneously. This would represent a challenge to defense-in-depth and should be evaluated. Since a detailed failure modes and effects analysis will not be performed for the STS system, it was also unclear to the staff how the SSLC design would mitigate the results of a postulated common mode failure of the STS software (related open item no. 7).

CLOSURE PLAN: GE will submit an appendix to the "Design Alternatives Evaluation Report" as part of DSER Summary Item 1.e. GE will submit information showing how NUREG-0493 was used in conjunction with designs for ATWS, SSLC, RSS (per mechanics of 1.e). ... control and information systems may also be added (GE's option) in support of the diversity and defense-in-depth argument. Note this issue is stated twice in the DSER: Section 7.2.3.1 (page 7-33) and Section 7.4.2 (page 7-59).

RESPONSE: An analysis to investigate ABWR compliance with NUREG-0493 is presently being performed by Lawrence Livermore Laboratories (LLL), which will be reviewed by GE. This issue should be closed based on the outcome of that study.
CONCERN: DSER Section 7.2.3.1, Page 7-34 (DSER Summary Item 1.h)

GE should provide additional information which describes the bus protocol for the SSLC hardware design, bus data capacity, accommodations for hardware-level interrupts, size of the memory, speed and size of the microprocessor, format of the status panel, hardware-based interlocks, type of display media, and the method of providing the TLU trip status to the operator.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: The requested information was provided in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.3.1, Page 7-34 (DSER Summary Item 1.i)

GE should provide information which describes the design approach employed for the SSLC software. GE should also demonstrate how the decision logic, which in an analog design is a parallel process, will be implemented by the software, which is a serial process. GE should present design documentation of how the listed software elements will interact with each other and what considerations were given to ensure data integrity, error handling, task priority, timing, variable representations, module structures, interrupt handling and fault tolerance.

CLOSURE PLAN: Same as 1.a. In addition, GE will provide information describing the 10 millisecond time allowance window for 2/4 logic signal arrivals.

RESPONSE: (See Proprietary Information in separate submittal.)
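The closure plan's 10 millisecond allowance window is the serial-versus-parallel question in miniature: in a software implementation the four channel trip signals cannot arrive at the same instant. The following is an added illustration (not the SSLC implementation, and not from the proprietary submittal) of a serial 2/4 voter with such a window. The page gives the figure but not its semantics; the interpretation used here, that a channel's trip assertion counts for the window length after it was received so that assertions skewed by serial transmission still coincide, is an assumption.

```python
"""Added example, not GE's SSLC design: a serial 2-out-of-4 voter with an
arrival-time allowance window. The page gives the 10 ms figure but not its
semantics; the interpretation here (a channel's trip assertion counts for the
window length after it was received, so assertions skewed by serial
transmission still coincide) is an assumption."""

WINDOW_MS = 10
CHANNELS = ("A", "B", "C", "D")


class WindowedVoter:
    def __init__(self, window_ms=WINDOW_MS):
        self.window = window_ms
        self.asserted_at = {ch: None for ch in CHANNELS}   # time of last trip message

    def receive(self, t_ms, channel, tripped):
        """Process one channel message and return the 2/4 decision at t_ms.
        A channel that stays tripped re-sends its assertion every cycle; a
        clear message simply stops the renewals, so a lone assertion can never
        hold a 'half trip' open for longer than the window."""
        if tripped:
            self.asserted_at[channel] = t_ms
        return self.vote(t_ms)

    def active(self, t_ms):
        return [ch for ch, t in self.asserted_at.items()
                if t is not None and 0 <= t_ms - t <= self.window]

    def vote(self, t_ms) -> bool:
        return len(self.active(t_ms)) >= 2


def first_trip_time(events, window_ms=WINDOW_MS):
    """events: constructed (t_ms, channel, tripped) messages in arrival order.
    Returns the time of the first 2/4 trip decision, or None."""
    voter = WindowedVoter(window_ms)
    for t_ms, channel, tripped in events:
        if voter.receive(t_ms, channel, tripped):
            return t_ms
    return None


# Constructed message streams (not plant data):
SKEWED_BUT_COINCIDENT = [(0, "A", True), (4, "C", False), (8, "B", True)]
TOO_FAR_APART = [(0, "A", True), (12, "B", True)]
RENEWED_ASSERTION = [(0, "A", True), (5, "A", True), (12, "B", True)]

if __name__ == "__main__":
    for name, events in [("skewed", SKEWED_BUT_COINCIDENT),
                         ("apart", TOO_FAR_APART),
                         ("renewed", RENEWED_ASSERTION)]:
        print(name, first_trip_time(events))
```

The window is a trade between two failure directions: too short and genuinely simultaneous trips arriving on successive serial cycles fail to coincide; too long and a single channel's stale assertion can pair with an unrelated later one. Whichever value is chosen, bounding it is what keeps a single faulty channel from holding half of a scram open indefinitely.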
CONCERN: DSER Section 7.2.3.1, Page 7-35 (DSER Summary Item 1.j)

A top-level design of the SSLC software is required for the staff to make its safety determination. The staff acknowledged GE's statements that the software design for the SSLC was not available for review because it is hardware dependent and the hardware had not been selected. The staff also reviewed the SSLC design description presented in the SSLC System Design Specification (SDS) (undocketed). The staff considered the documentation presented for the SSLC to be inadequate for design evaluation and not in conformance with the requirements for level of detail. Because software implements the functionality of the computer-based SSLC, the top-level design of the software is necessary for the staff review.

CLOSURE PLAN: Same as DSER Summary Item 1.e. Note this issue is stated twice in the DSER: Section 7.2.3.1 (page 7-35) and Section 7.2.3.2 (page 7-42).

RESPONSE: The requested information was provided in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.3.1, Page 7-36 (DSER Summary Item 1.k)

GE should provide information, in accordance with IEEE Std 7-4.3.2, describing methods to be employed to verify and validate the development of the software which would implement the SSLC and EMS logic functions.

CLOSURE PLAN: Same as DSER Summary Item 1.e. Note this issue is stated twice in the DSER: Section 7.1.3.3 (page 7-11) and Section 7.2.3.4 (page 7-36).

RESPONSE: The general V&V plan methodology has already been given to the NRC (see Appendix 7A, Items 7A.5(1) and 7A.7). Additional information was supplied in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.3.2, Page 7-37 (DSER Summary Item 1.l)

GE should provide information which describes the EMS fiber optic local area network design requirements upon which the control standard, the software and hardware selection was based. Since the EMS is central to the functioning of all safety systems for the ABWR, the staff has concluded that more detailed specifications of the EMS are required prior to making its safety determination.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: The requested information was provided in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.3.2, Page 7-37 (DSER Summary Item 1.m)

A top-level design of the EMS software is required for the staff to make its safety determination. The staff acknowledges GE's statements that the software design for the EMS was not available for review because it is hardware dependent and the hardware had not been selected. However, in the development of computer-based systems, the staff considers it to be good engineering practice to have a top-level design of the software as a criterion to be considered in the hardware selection.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: The requested information was provided in the package described in the closure plan for Item 1.e.
CONCERN: DSER Section 7.2.3.2, Page 7-38 (DSER Summary Item 1.n)

The staff requests that GE clarify the design description presented for the EMS regarding synchronous communication of the local area network. SSAR Appendix 7A stated that the "...systems are independent and will run asynchronously..." (page 7A.2-2); the EMS/SSLC Interface Requirements (MPL A32-4080) stated that "the system timing will be asynchronous..." and (page 5) "all communications shall be asynchronous...". However, in the same document it stated that "...communications processing circuitry... will append synchronizing and parity checking information" (page 14, Section 3.5.1; and similarly in Section 3.5.3).

CLOSURE PLAN: GE will amend the SSAR with clarifications consistent with the proposed closure response.
[ACTION COMPLETED PER MARK-UP OF 7A.2-2]

RESPONSE: (See Proprietary Information in separate submittal.)
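The two statements the staff contrasts are not in conflict on an asynchronous character link: "asynchronous" means the sender and receiver share no clock, while the appended synchronizing and parity information is what lets the receiver find frame boundaries and reject corrupted characters on such a link. The following is an added illustration (not the EMS interface design, and not from the proprietary submittal) of that arrangement; the sync value, frame layout and parity sense are assumptions.

```python
"""Added example, not the EMS interface design: an asynchronous character link
(each character carries its own parity bit; no shared clock) whose frames are
aligned by synchronizing characters. Shows why "asynchronous communication"
and "appended synchronizing and parity information" are not in conflict.
The sync value, frame layout and parity sense are assumptions."""

SYNC = 0x7E   # assumption: frame alignment character


def parity(data: int) -> int:
    """Even parity bit, as a UART appends to each 8-bit character."""
    return bin(data & 0xFF).count("1") & 1


def good(char) -> bool:
    data, p = char
    return parity(data) == p


def encode(payload: bytes):
    """Characters on the wire as (data, parity) pairs: two SYNC characters
    give the receiver frame alignment, then a length, then the payload.
    Length-based framing means a payload byte equal to SYNC needs no escaping."""
    chars = [SYNC, SYNC, len(payload)] + list(payload)
    return [(c, parity(c)) for c in chars]


def decode(stream):
    """Consume (data, parity) characters. Returns (frames, bad_frames, discarded).
    The receiver hunts for alignment, so a corrupted character or noise between
    frames costs at most the frame it lands in; the next frame is recovered."""
    frames, bad_frames, discarded = [], 0, 0
    i, n = 0, len(stream)
    while i < n:
        aligned = (i + 1 < n and good(stream[i]) and stream[i][0] == SYNC
                   and good(stream[i + 1]) and stream[i + 1][0] == SYNC)
        if not aligned:
            discarded += 1         # not at a frame boundary: drop one character
            i += 1
            continue
        j = i + 2                  # length character
        if j >= n or not good(stream[j]):
            bad_frames += 1
            i = j
            continue
        length = stream[j][0]
        body = stream[j + 1:j + 1 + length]
        if len(body) < length or not all(good(c) for c in body):
            bad_frames += 1        # parity error or truncation inside the frame
            i = j + 1
            continue
        frames.append(bytes(c for c, _ in body))
        i = j + 1 + length
    return frames, bad_frames, discarded


def demo():
    """Constructed stream: a frame, one noise character with wrong parity,
    then a frame whose payload happens to contain the SYNC value."""
    stream = encode(b"\x01\x02") + [(0x55, 1)] + encode(b"\x7e\x03")
    return decode(stream)


if __name__ == "__main__":
    print(demo())
```

Per-character parity detects single-bit errors only; a frame-level checksum or CRC (as in the MASTER/STANDBY example under Item 6.a) is the usual complement, and the two layers answer different questions: parity tells the receiver which character to distrust, the frame check tells it whether to use the frame at all.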
CONCERN: DSER Section 7.2.3.2, Page 7-39 (DSER Summary Item 1.o)

The staff requests that GE clarify the contradictory design information provided on the Control Multiplexor Unit (CMU), an essential part of the EMS. From the information in Appendix 7A, it was apparent that the EMS consisted of the Remote Multiplexor Unit (RMU), the CMU, and the fiber optic cable connecting the RMU and CMU. However, in most of the drawings reviewed by the staff, the CMU was not shown as a separate component but as an implied part of the SSLC, although the RMU was shown explicitly connected to the multiplexor system (of which the RMU was a part).

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: (See Proprietary Information in separate submittal.)
CONCERN: DSER Section 7.2.3.2, Page 7-39 (DSER Summary Item 2.b)

GE should clarify design information provided on the issues of electrical, data and control isolation and separation. The manner of sending data to the plant computer was stated in general terms, and key design issues remained unclear. GE stated that the sensor data is taken from the CMU and sent to the plant computer through a data buffer. It was stated that the data buffer provided isolation between the plant computer and the safety system EMS, but no data was provided about the location of the data buffer, how the read/write access was controlled, and which device cleared the buffer.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: See the response to Item 1.v.
CONCERN: DSER Section 7.2.3.2, Page 7-40 (DSER Summary Item 1.p)

The staff requests GE to clarify a discrepancy in the description of the major components of the EMS. The Multiplexing Control Unit (MCU) is discussed in SSAR Section 15.B.4, although it was not discussed as a separate component in SSAR Chapter 7; it was unclear whether this was an abstraction to facilitate the FMEA or whether the EMS does indeed contain an element called MCU. The MCU was described as the bridge between the optical and digital signals, with the stated purpose of providing control of the data transmission. Other documentation stated that control of the fiber optic transmission medium was shared between RMUs and CMUs. It was also unclear whether the MCU was the communications module in the RMU and CMU.

CLOSURE PLAN: Same as DSER Summary Item 1.e.

RESPONSE: The functions are described in the Essential Multiplexing Design Specification. It was noted that these functions may be allocated to the other MUX units in the actual design. The final EMS design uses only RMUs and the [text illegible].
CONCERN DSER Section: 7.2.3.2, Page # 7-41 (DSER Summary Item # 11.a)
GE should provide an I&C failure analysis which includes outages due to I&C maintenance and a discussion of acceptable maintenance practices.
The staff noted that additional information provided in response to questions has not provided enough detail for the staff to evaluate the GE findings.
The staff also requests that GE clarify its maintenance requirements for Reactor Internal Pump (RIP) maintenance and the associated reliance, in part, on leak detection instrumentation to detect failures.
The clarification should also describe the availability of the leak detection system during shutdown maintenance on the RIPs.
CLOSURE PLAN NRC will review references relating to this concern.
RESPONSE
Maintenance on the ABWR Reactor Internal Pumps (RIP) does not depend on instrumentation for leak detection.
The RIPs have leak detection tubes for monitoring leakage during maintenance. These tubes are shown on the Reactor Recirculation System P&ID (please refer to Figure 5.4-4 of the ABWR SSAR).
The tubes, which are plugged during plant operation, are unplugged for RIP motor installation. Each tube connects to the space between a flat gasket and an O-ring which is outboard of the gasket. The tubes will detect leakage of the main gasket after the motor is reinstalled and filled with water.
This concept has been applied to detect leaks from both the main motor cover and the smaller auxiliary cover located on the bottom center of the motor cover.
Use of these leak detection tubes has been proven in European BWRs with internal recirculation pumps (Asea Brown Boveri plants).
In instances where leakage was experienced due to improper installation, the leakage was detected through the leak-off tubes, and the gaskets were replaced prior to plant startup. ABB has never experienced a leaking main gasket during plant operation. Thus, conventional leak detection instrumentation is not considered necessary for the ABWR RIPs.
CONCERN DSER Section: 7.2.3.3, Page # 7-44 (DSER Summary Item # 1.q)
The staff requests GE to clarify its design information on the Self Test System (STS). GE indicated that the STS must cycle from circuit to circuit very rapidly.
It is not clear to the staff what circuits are referred to since the SSLC is implemented using digital microprocessors. GE did not state if the STS would place the SSLC software in a special testing mode to allow very rapid cycling of the system test.
CLOSURE PLAN NRC staff will review the latest amendment of SSAR Section 7.1.2.1.6 (sixth test) in conjunction with the SSLC Design Spec (submitted per DSER Summary Item 1.e).
RESPONSE (See Proprietary Information in separate submittal.)
CONCERN DSER Section: 7.2.3.3, Page # 7-44 (DSER Summary Item # 2.e)
GE should provide additional information on the STS and SSLC to address the issue of data and control separation.
The staff noted that fiber optical data links will be used to ensure electrical separation; however, the issue of information separation has not been addressed. GE should demonstrate that the STS and SSLC designs preclude adverse effects within the extensive data and control software considering the interconnection of STS modules in each division within the control room. GE should also examine the safeguards incorporated to provide isolation and separation according to IEEE-279.
CLOSURE PLAN Same as DSER Summary Item 1.e.
RESPONSE Such information is provided in 7A.2(13).
Additional information was provided in the package described in the closure plan for Item 1.e.
CONCERN DSER Section: 7.3.1.10, Page # 7-51 (DSER Summary Item # 8.c)
GE should provide additional information to address design limit(s) for HVAC equipment designs. The staff noted the HVAC cooling design provided in the SSAR represents traditional BWR cooling designs, but does not reflect consideration of any additional cooling required to limit the presence of hot spots due to higher current densities within the digital chip designs employed in the ABWR.
The staff also requests GE to comment on any additional HVAC controls and direct cooling requirements.
CLOSURE PLAN
GE will add the requirement for 27 degrees F temperature rise into the ABWR SSLC design spec. The mechanics for reflecting this on the docket will be consistent with DSER Summary Item 1.e.
[ACTION COMPLETED PER ADDITION TO RESPONSE]
RESPONSE
The design responsibility for limiting the presence of hot spots due to current densities within digital chips is with the vendor of the equipment utilizing the chips. The ABWR design specifies the ambient temperature within which the equipment must function properly. The vendor determines if forced cooling is required or if natural convection is adequate.
In either case, the cooling is obtained by use of ambient air from the surrounding room.
The digital chip designs for the ABWR should have lower current densities (CMOS) than previous designs. This only affects the sizing of the HVAC equipment, however.
A special ducted cooling system is provided for the reactor internal pump (RIP) power supplies because of the large amount of heat generated by them.
The room ambient temperatures are maintained stable and within the required limits by the use of HVAC systems in conjunction with chilled water systems.
The HVAC systems are described in SSAR Section 9.4.
The chilled water systems are described in 9.2.
The environmental limits, including ambient temperature limits, are given in SSAR Appendix 3I. These systems are conventional nuclear industry HVAC systems without special controls and are not peculiar to the BWR.
In order to bound the requirements for HVAC equipment design in ABWR, the heat rise limits for the digital signal processing units included in Safety System Logic and Control (SSLC) shall be added to the SSLC System Design Specification, GE Document No. 23A1317 Section 2.3.7, Environment, in a new paragraph, as follows:
"2.3.7.3. The heat release by internal panel components shall not raise the internal temperature of the panel to greater than 27 degrees F above external ambient temperature of the control room for electronic components within a chassis or within any printed circuit card file structure."
Note that existing paragraph 2.3.7.1 limits the method of panel cooling to natural convection when qualifying safety-related equipment for Class 1E service.
Fans may be used to improve long term reliability, but no safety credit will be claimed for forced air cooling in analyses for thermal design adequacy.
CONCERN DSER Section: 7.3.1.2, Page # 7-47 (DSER Summary Item # 12.a)
The staff requests that GE clarify an apparent contradiction in the power supply sources for the ADS and RCIC systems.
SSAR Section 7.3.1.1.1.2 (2) indicates that the ADS is powered from Divisions I & II.
However, SSAR Figure 7.2-1 (Amendment 5) indicates that the ADS power supplies are from Divisions I and IV.
Similarly, SSAR Section 7.3.1.1.1.3 (3) indicates that the RCIC is powered from Division I; however, Figure 7.2-1 indicates that RCIC is powered from Divisions II and IV.
CLOSURE PLAN Closed based on Amendment 17. No further action required.
RESPONSE
Figure 7.2-1 was modified and submitted with Amendment 17.
The text descriptions referenced were correct for both ADS and RCIC, and are now consistent with Figure 7.2-1 following that amendment.
CONCERN DSER Section: 7.4.1.1, Page # 7-57 (DSER Summary Item # 1.c)
The staff wants more detailed information on RPS and RC&IS to make its safety determination. The staff will conduct detailed discussions with GE to specify the scope of required information.
CLOSURE PLAN Same as DSER Summary Item 1.c.
RESPONSE
The RC&IS is not a safety system, and should not be included in the staff's safety determination. However, GE supplied the requested information in the package described in the closure plan for Item 1.e.
CONCERN DSER Section: 7.4.2, Page # 7-59 (DSER Summary Item # 13.a)
The staff requests that GE provide information which describes how the two Remote Shutdown Panels, which are to be located in separate areas, can be operated simultaneously or in a master/slave arrangement.
In addition, the staff requests GE to clearly describe in the SSAR how data is transferred to the two remote shutdown panels in the event that the control room becomes unusable.
CLOSURE PLAN GE will provide the clarification requested in Section 7.4.1.4.4, consistent with this proposed closure response, and that of 1.r.
Note this issue is stated twice in the DSER; Section 7.4.2 (page 7-59), and Section 7.5.2 (page 7-64).
[ACTION COMPLETED PER LAST PARAGRAPH ADDED TO RESPONSE]
RESPONSE Two Remote Shutdown System (RSS) panels are provided to interface with equipment in two plant mechanical/electrical divisions.
Complete divisional separation is maintained between the two panels.
During operation from the RSS, equipment in both divisions will be operated in parallel (i.e., the operator will use controls and indicators provided on both panels).
The panels are located in one remote shutdown area with a fire barrier separating them, as shown on the attached diagram. A sliding door forms a part of the fire barrier. The door can be opened during RSS operation to allow the operator to move easily between the two RSS panels. With the door opened, the operator has a clear view of both panels.
RSS control of interfacing systems equipment is accomplished by actuating manual transfer switches on the RSS panels.
These transfer switches override the signals from the main control room and transfer control to the RSS.
Both equipment control signals and process sensor signals are transferred in this manner. Operation of the transfer switches will initiate an alarm in the main control room.
An addition was made to Section 7.4.1.4.4 of the SSAR, in association with Response 1.r, which clarifies the transfer of control to the remote shutdown panels.
CONCERN DSER Section: 7.4.2, Page # 7-60 (DSER Summary Item # 1.r)
The staff requests GE to clarify design information which describes how the transfer of sensor transmitter outputs would occur without the loss of the calibration data updates. The staff notes that the calibration data updates would be stored in the SSLC system microprocessors which would presumably be disconnected from the readouts.
CLOSURE PLAN GE will review SSAR Section 7.4.1.4.4 (Remote Shutdown System description) and revise, as necessary, to clearly state the system's independence from the SSLC (i.e., fully hard wired interfaces) following transfer.
[ACTION COMPLETED PER ADDITION TO 7.4.1.4.4(1), AND AS NOTED IN THE ADDITION TO THE PREVIOUS RESPONSE]
RESPONSE
GE assumes this comment relates to transfer of sensor transmitters to the alternate signal path of the Remote Shutdown System. Within SSLC, automatic calibration is applied only to the analog-to-digital converters in the RMUs.
When transfer is made to the Remote Shutdown System, the direct 4-20 mA outputs of the transmitters are routed to the analog trip units of the RSS instrument channels.
Calibration of sensors and transmitters is performed by conventional, manual means.
The following clarification is added to Section 7.4.1.4.4(1):
Control and process sensor signals are interrupted by the transfer devices at the hardwired analog loop.
Sensor signals which interface with the remote shutdown system are routed from the sensor, through the transfer devices on the remote shutdown panels, and then to the multiplexing system remote multiplexing units (RMUs) for transmission to the main control room.
Similarly, control signals from the main control room are routed from the RMUs, through the remote shutdown transfer devices, and then to the interfacing system equipment.
Actuation of the transfer devices interrupts the connection to the RMUs and transfers control to the remote shutdown system.
CONCERN DSER Section: 7.5.1, Page # 7-62 (DSER Summary Item # 1.s)
GE should provide design information to demonstrate the manner in which safety related data will be processed and displayed, and describe dependencies on the supporting hardware and software.
The staff acknowledges that GE has provided a comprehensive list of variables that were considered essential for providing safety related information to the operators.
Explicit tables of conformance and specific exceptions to RG 1.97 were provided in the SSAR, and functional requirements for display of data were provided in the process system descriptions in the SSAR.
CLOSURE PLAN
Same as DSER Summary Item 1.e.
RESPONSE
The requested information was provided in the package described in the closure plan for Item 1.c.
CONCERN DSER Section: 7.6.2, Page # 7-69 (DSER Summary Item # 1.t)
GE should provide design documentation to demonstrate that conformance to appropriate standards will be achieved. The staff acknowledges GE's commitment in the SSAR which states that interlock systems important to safety (i.e., Neutron Monitoring System, Process Radiation Monitoring System, High Pressure/Low Pressure Interlocks, Fuel Pool Cooling and Cleanup System, Drywell Vacuum Relief System, Containment Atmosphere Monitoring System and Suppression Pool Temperature Monitoring System) are in conformance with the applicable GDCs, Regulatory Guides and Branch Technical Positions; however, GE has not provided design information to confirm that these commitments will be manifest in the design.
CLOSURE PLAN NRC will re-examine the concern on the basis of a docket submittal of the V&V (VISION) documents and DSER Summary Item 1.a.
The mechanics of that submittal will be consistent with DSER Summary Item 1.e.
RESPONSE
It was our understanding that when full conformance to criteria is met, a simple declaration of such conformance is sufficient for the analysis sections, because elaborations would tend to be redundant to information already provided in the description sections. However, clarifications, justifications, or exceptions to criteria are elaborated in the analysis sections.
CONCERN DSER Section: 7.7.1.15, Page # 7-77 (DSER Summary Item # 8.d)
GE should define the sensitivity of safety computer systems to electromagnetic fields and provide information to identify acceptable radiation levels and frequency ranges for plant communication transmitters and receivers. Controls, test programs, field measurements and operational descriptions should be employed to implement EMC and avoid effects such as spurious actuation of safety related equipment.
CLOSURE PLAN Same as 8.a/5.a with additional emphasis on installation procedures, site test procedures, and vendor testing (i.e., site survey data). This is a possible SSAR Chapter 3 amendment.
[ACTION COMPLETED PER MODIFIED RESPONSE]
RESPONSE
(See Proprietary Information in separate submittal.)
CONCERN DSER Section: 7.7.1.3, Page # 7-71 (DSER Summary Item # 1.u)
GE should provide additional information on the I&C design of the Recirculation Flow Control System to facilitate an assessment of possible single failure points of the design such as manual control, automatic speed control input, the interprocessor communication links and load demand signal from main turbine pressure regulator.
CLOSURE PLAN GE will provide information illustrating single failure potential is negligible for the Recirculation Flow Control System.
The mechanics of that submittal will be consistent with DSER Summary Item 1.e.
[ACTION COMPLETED PER MODIFIED RESPONSE]
RESPONSE
The description of the Recirculation Flow Control System (RFCS) presented in Section 7.7 has been augmented with the following subsequent information packages sent to the NRC:
a. "Postulated All RIP Trip Event due to Common Cause Failure," Attachment to transmittal from J.N. Fox to D.C. Scaletti, dated March 20, 1991.
b. "Additional Information on Recirculation Flow Control System and RIP Power Supplies," Attachment C to transmittal from J.N. Fox to D.C. Scaletti, dated May 8, 1991.
The following additional information is provided in accordance with the closure plan determined at the August, 1991, meetings:
The primary design goal for the RFCS is to ensure that any single active component failure will not result in a loss of system function. The RFCS Design Specification includes the following requirements regarding single failure points and system fault tolerance:
1. The RFCS controller shall ensure that no single active component failure within the RFCS process sensing, control, or communications equipment shall result in a loss of continuous validated demand signals to the RFCS critical operator displays and reactor recirculation system (RRS) actuators.
2. Under normal conditions, no single equipment failure in either the RFCS or RRS shall result in loss of more than three of the recirculation pumps.
(Note that loss of three pumps has been analyzed as a normal ABWR transient event.)
3. No single equipment failure in either the RFCS or the RRS shall cause more than one of the recirculation pumps to run out.
The attached figures provide information to support an assessment of possible single failure points within the RFCS. These diagrams emphasize the key areas of interest identified by the NRC staff during the August 7&8, 1991, meetings: the load demand error input signals from the pressure regulator and the speed demand output signals to the recirculation pumps.
Figure 1 shows the RFCS controller design. The RFCS is implemented on the triplicated, microprocessor-based fault tolerant digital controller (FTDC). The ABWR feedwater control system and steam bypass & pressure control (SB&PC) system are also based on the standardized FTDC design. The FTDC includes three identical processing channels, each of which contains the hardware and firmware necessary to perform the system control calculations in parallel, and three identical interface units, which provide the interface with the triplicated non-essential multiplexing system (NEMS) network and other dedicated data links.
Interprocessor communication links are provided to exchange data between the FTDC processing channels in order to prevent divergence of outputs.
The FTDC channels are powered by redundant power supplies.
Figure 1 also shows the interface between the RFCS and the SB&PC system.
This interface is supported by three dedicated data links between the two system controllers. Through these data links, the RFCS and SB&PC system exchange the signals needed for automatic load following operation.
When the RFCS is placed in the automatic load following operating mode, redundant signals are sent over the data links to initiate the SB&PC pressure setpoint adjustment logic. The SB&PC system provides redundant load demand error signals to the RFCS for load following control. In addition, the SB&PC system supplies redundant, validated, wide range dome pressure signals through these data links for use in the RFCS pump trip logic.
Figure 2 shows the RFCS interface with the recirculation pumps. The three demand signals generated by the three FTDC processing channels are sent over the triplicated NEMS network to remote, fault-tolerant, output voters.
The voters perform a mid-value selection on continuous output signals (e.g., recirculation pump speed demand) and two-out-of-three voting on discrete outputs (e.g., pump trip). This voting scheme assures that an erroneous demand signal resulting from a single failure in the FTDC or the NEMS will not be selected as the final demand signals sent to the actuator. Thus, any single failure in the FTDC or NEMS will not affect the process.
A separate voter is provided for each recirculation pump, so that a voter failure will only impact the control of a single pump.
In the event of a voter failure, the RFCS controller will automatically compensate by adjusting the speed demand signal to the other pumps.
In addition, a "ringback" feature is provided in which the critical voter output signals are sent back to the FTDC channels in order to detect a voter failure.
The fault-tolerant architecture of the RFCS design assures that no single active component failure within the sensing, control, or communications equipment will result in a loss of system function.
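As an added illustration (not GE's RFCS code) of the voter and ringback scheme described in this response, the following Python model assumes three FTDC channel outputs per pump, one voter per pump doing mid-value selection on the speed demand and two-out-of-three voting on the trip bit, and a ringback comparison done in the channels; the channel values, the frozen-voter case and the tolerance are constructed.

```python
"""Output voting with ringback for a triplicated controller.

Added illustration, not GE's RFCS code. Assumed model: three FTDC channels
each deliver a continuous pump speed demand (percent) and a discrete pump
trip bit to one voter per recirculation pump; the voter picks the mid value
of the continuous signals, does 2-out-of-3 voting on the discrete one, and
echoes its result back to the channels ("ringback").
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ChannelOutput:
    speed_demand_pct: float  # continuous output as delivered over the NEMS
    pump_trip: bool          # discrete output


@dataclass(frozen=True)
class VoterOutput:
    speed_demand_pct: float
    pump_trip: bool


def mid_value(values: List[float]) -> float:
    """Mid-value selection: the median of three channels. A single channel
    that is too high or too low can never become the selected value."""
    if len(values) != 3:
        raise ValueError("mid-value selection expects exactly three channels")
    return sorted(values)[1]


def vote_2oo3(bits: List[bool]) -> bool:
    """Two-out-of-three coincidence for discrete outputs such as pump trip."""
    if len(bits) != 3:
        raise ValueError("2oo3 voting expects exactly three channels")
    return sum(1 for b in bits if b) >= 2


def output_voter(channels: List[ChannelOutput]) -> VoterOutput:
    """The remote fault-tolerant voter for one pump: one erroneous channel
    (bad FTDC channel or bad NEMS path) is outvoted on both signal types."""
    return VoterOutput(
        speed_demand_pct=mid_value([c.speed_demand_pct for c in channels]),
        pump_trip=vote_2oo3([c.pump_trip for c in channels]),
    )


def ringback_detects_voter_failure(channels: List[ChannelOutput],
                                   readback: VoterOutput,
                                   tolerance_pct: float = 0.5) -> bool:
    """Ringback check done in the FTDC channels: each channel knows the three
    demands that went to the voter, recomputes what a healthy voter must
    have selected, and compares that with the echoed voter output.
    Returns True when the voter itself (not a channel) is judged failed."""
    expected = output_voter(channels)
    speed_wrong = abs(readback.speed_demand_pct
                      - expected.speed_demand_pct) > tolerance_pct
    trip_wrong = readback.pump_trip != expected.pump_trip
    return speed_wrong or trip_wrong


# Constructed sample: channel C delivers a corrupted demand and a spurious trip.
SAMPLE_CHANNELS = [
    ChannelOutput(speed_demand_pct=52.0, pump_trip=False),   # channel A
    ChannelOutput(speed_demand_pct=51.8, pump_trip=False),   # channel B
    ChannelOutput(speed_demand_pct=250.0, pump_trip=True),   # channel C, faulty
]


def demo() -> VoterOutput:
    """Vote the sample, then ringback-check a healthy and a frozen voter."""
    healthy = output_voter(SAMPLE_CHANNELS)        # 52.0 %, no trip
    assert not ringback_detects_voter_failure(SAMPLE_CHANNELS, healthy)
    frozen = VoterOutput(speed_demand_pct=0.0, pump_trip=False)  # voter stuck
    assert ringback_detects_voter_failure(SAMPLE_CHANNELS, frozen)
    return healthy


if __name__ == "__main__":
    print(demo())
```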
CONCERN DSER Section: 7.7.2, Page # 7-78 (DSER Summary Item # 2.c)
GE should provide design information to address the issue of safety system connectivity to non-safety systems.
It appears to the staff that the Non-Essential Multiplexing System (NEMS) is directly connected to the EMS through the CMU of the EMS.
Since the EMS is used to carry safety system sensor data and to activate the control ESF systems, a failure in the EMS would disable a division. A failure of the NEMS or plant computer could challenge or adversely affect the operation of the EMS, unless the broadcast software had design features that would make such failure propagation improbable.
In particular, the staff was concerned with software failures in the NEMS that could lead to undetected software failures in the EMS.
CLOSURE PLAN Same as DSER Summary Item 1.e.
RESPONSE
See the response to Item 1.v.
CONCERN DSER Section: 7.7.2, Page # 7-79 (DSER Summary Item # 1.v)
GE should provide additional information to facilitate an evaluation of the EMS/NEMS connection and how it addresses the isolation requirements of IEEE 279.
CLOSURE PLAN Same as DSER Summary Item 1.c.
RESPONSE (See Proprietary Information in separate submittal.)
CONCERN DSER Section: 7.8, Page # 7-80 (DSER Summary Item # 1.v)
GE should provide additional information which demonstrates that equipment design and installation standards are incorporated to prevent electrostatic discharge (ESD) at keyboards, keyed switches and other exposed equipment components.
CLOSURE PLAN GE will amend the response to 420.90 to include a reference to IEC 801-2, or other appropriate standard(s).
[ACTION COMPLETED PER MODIFIED RESPONSE]
RESPONSE The response to RAI 420.090 discussed several precautions to be taken against electrostatic discharge (ESD) in electronic assemblies, and also described typical circuit design and equipment grounding methods to prevent component damage.
The following response is added to the response of RAI 420.090.
The additional material includes a reference to industry standards that verify conformance to ESD requirements.
Microprocessor-based control equipment for ABWR is designed under the assumption that users will have taken no precautions against static charge buildup before attempting to operate the equipment. The equipment is designed to tolerate an electrostatic discharge without damage, partly by employing insulation (with no air gaps) over exposed metallic components, but primarily by providing an alternative path for current flow other than through sensitive circuit paths.
As discussed previously, this means that all exposed metallic components of the system must be grounded.
Low inductance multipoint grounds are used where ESD current flow is desired and single-point grounds where discharge flow is not wanted. The low power requirements of ABWR control equipment ensure that the integrity of the equipment enclosures is not compromised by large ventilating holes or slots.
Special attention is given to hinges, joints, and seams so that the continuity of shielding is maintained.
In the system configuration, where shielded cables transfer data between the equipment enclosures, the cables must be prevented from propagating ESD currents and voltages between system units.
For ABWR safety systems, the problem has been minimized by using fiber optic cables as the transmission medium for most critical signals. While the cables may contain metallic supporting members or protective shields, these will not be electrically connected to any equipment or circuit. For certain functions where hardwired cable is required, solid grounding of cable shields to the equipment chassis and bypass capacitors at all inputs and outputs shall be used to divert ESD currents to ground.
These hardware solutions shall be supplemented with firmware ESD solutions to protect against potential upsets such as system lockup if ESD noise causes memory or data flow errors. The methods used are discussed as part of the fault tolerance issues included in Items 1.g and 1.1.
The susceptibility of ABWR control equipment to electrostatic discharges shall be established using the test procedures included in IEC Publication 801-2, Electromagnetic Compatibility for Industrial-Process Measurement and Control Equipment, Part 2: Electrostatic Discharge Requirements.
The test procedures of paragraph 8 of this document shall be performed up to and including Severity Level 4 as defined in the document.
The following acceptance criteria shall be used:
1. No change in trip output status shall be observed during the test.
2. Equipment shall perform its intended functions after the test.
Note that the safety system control equipment for ABWR has inherent protection against transient ESD effects in that data is continually refreshed throughout the system, including trip, display and indicator status. Further protection is provided by the asynchronous, four-division, 2-out-of-4 channel configuration.
Temporarily corrupted data in one division cannot cause an inadvertent trip or permanently disable a required trip. When bad data or equipment damage is detected, the affected division can be bypassed until repaired.
In the Reactor Protection System (RPS) and Main Steam Isolation Valve (MSIV) channels, where the final trip outputs are also in a 2-out-of-4 configuration, both the sensor input and trip output sides of each equipment division can be bypassed, thus preventing failure from any cause in one channel from inhibiting or inadvertently causing a trip.
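As an added illustration (not GE's SSLC or RPS code) of the four-division, 2-out-of-4 configuration with sensor-input-side and trip-output-side bypass described in this response, the following Python model assumes each division's trip logic sees all four sensor channel trip bits and that the four division trip outputs feed a final 2-out-of-4 stage; the division states, the damaged-logic cases and the bypass selections are constructed.

```python
"""Four-division 2-out-of-4 trip logic with input-side and output-side bypass.

Added illustration, not GE's SSLC/RPS code. Assumed model: each of the four
divisions has a sensor channel trip bit; each division's trip logic votes
2-out-of-4 over all four sensor bits (the real design exchanges them over
isolated links); the four division trip outputs then feed a final
2-out-of-4 actuation stage. A bypassed division drops out of the
coincidence, so 2oo4 becomes 2oo3 for the remaining divisions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

N_DIVISIONS = 4


@dataclass
class Division:
    sensor_trip: bool                   # this division's sensor channel trip state
    input_bypassed: bool = False        # sensor-input-side bypass
    output_bypassed: bool = False       # trip-output-side bypass
    logic_fault: Optional[bool] = None  # forced trip-logic output if damaged


def coincidence(votes: List[bool], bypassed: List[bool]) -> bool:
    """2-out-of-N coincidence over the divisions that are not bypassed.
    With one division bypassed this is the 2-out-of-3 fallback."""
    if len(votes) != N_DIVISIONS or len(bypassed) != N_DIVISIONS:
        raise ValueError("expected one vote and one bypass flag per division")
    active_trips = sum(1 for v, b in zip(votes, bypassed) if v and not b)
    return active_trips >= 2


def division_trip_output(divisions: List[Division], index: int) -> bool:
    """Trip decision of division `index`: 2oo4 over the sensor channel trips
    (input bypasses honoured), unless its own logic is damaged."""
    fault = divisions[index].logic_fault
    if fault is not None:
        return fault
    return coincidence([d.sensor_trip for d in divisions],
                       [d.input_bypassed for d in divisions])


def final_trip(divisions: List[Division]) -> bool:
    """Final actuation: 2oo4 over the division trip outputs, skipping any
    division whose output side is bypassed."""
    outputs = [division_trip_output(divisions, i) for i in range(N_DIVISIONS)]
    return coincidence(outputs, [d.output_bypassed for d in divisions])


def single_division_failure_cases() -> Dict[str, bool]:
    """Constructed cases for the two claims in the text: a single corrupted
    or damaged division can neither cause an inadvertent trip nor block a
    required one, and a bypassed division leaves a working 2oo3."""
    # Case 1: ESD-corrupted data trips only Division I's sensor channel.
    spurious = [Division(True), Division(False), Division(False), Division(False)]
    # Case 2: Division II's trip logic is damaged and stuck at "no trip"
    # while a real event trips all four sensor channels.
    stuck_low = [Division(True), Division(True, logic_fault=False),
                 Division(True), Division(True)]
    # Case 3: Division III's trip logic is stuck at "trip"; no event present.
    stuck_high = [Division(False), Division(False),
                  Division(False, logic_fault=True), Division(False)]
    # Case 4: Division IV is bypassed on the input side after a bad-data
    # detection; two healthy divisions trip on a real event (2oo3 fallback).
    input_bypass = [Division(True), Division(True), Division(False),
                    Division(False, input_bypassed=True)]
    # Case 5: Division III's damaged logic is bypassed on the output side;
    # the other three divisions trip on a real event.
    output_bypass = [Division(True), Division(True),
                     Division(True, output_bypassed=True, logic_fault=False),
                     Division(True)]
    return {
        "spurious_single_division_no_trip": final_trip(spurious),
        "stuck_low_division_still_trips": final_trip(stuck_low),
        "stuck_high_division_no_trip": final_trip(stuck_high),
        "input_bypass_2oo3_trips": final_trip(input_bypass),
        "output_bypass_still_trips": final_trip(output_bypass),
    }


if __name__ == "__main__":
    for name, result in single_division_failure_cases().items():
        print(f"{name}: {result}")
```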
CONCERN DSER Section: 7.8, Page # 7-80 (DSER Summary Item # 8.b)
The staff concluded that ESD should not be considered a site specific concern and recommends that it be removed as an interface requirement from Section 7.8 and Table 1.9-1.
CLOSURE PLAN
GE will delete interface comment per NRC recommendation.
[ACTION COMPLETED PER RESPONSE CHANGE AND TEXT MARK-UP]
RESPONSE
The interface defined in 7.8 does not require the methods be generated by the applicant, but was intended to be confirmatory of the methods presented in RAI 420.90. However, the interfaces have been deleted in Table 1.9-1 and Section 7.8.2 as requested.
CONCERN DSER Section: 7.8, Page # 7-81 (DSER Summary Item # 2.d)
GE should provide information in Section 7.8 of the SSAR to specifically address non-safety information interfaces, that is, information transfer between safety and non-safety systems. The staff acknowledged that GE performed a study of each of the I&C systems included in Chapter 7 of the SSAR and determined that there are no safety related electrical signal interfaces and therefore no interface requirements for the utility applicant.
However, the SSAR did not address information transfer to equipment outside of the scope of the SSAR.
CLOSURE PLAN Closed based on interfaces definition in proposed closure response.
Electrical interfaces are being addressed per 2.a, b, c, and e; but will not be reflected in Section 7.8, since they are within GE scope and do not affect the utility/applicant.
RESPONSE The intent of Section 7.8 is to provide a consolidated listing of actions required by the utility/applicant (i.e., "interfaces") to complete the licensing process.
Electrical interfaces between Class 1E and non-Class 1E circuits, and between redundant divisions of Class 1E circuits, are accomplished through fiber-optic cable links, as described in other sections.
DSER open issues relating to isolation of corrupted data, error handling, etc., will be addressed in conjunction with open items 2.a, b, c, and e.
ABWR Standard Plant
Table 1.9-1 SUMMARY OF ABWR STANDARD PLANT INTERFACES WITH REMAINDER OF PLANT (Continued)

| Item No. | Interface Subject | Type | Subsection |
|---|---|---|---|
| 5.2 | Conversion of Indicators | Procedural | (illegible) |
| 5.3 | Fracture Toughness Data | Confirmatory | 5.3.4.1 |
| 5.4 | Materials and Surveillance Capsule | Confirmatory | (illegible) |
| 6.1 | Protective Coatings and Organic Materials | Confirmatory | (illegible) |
| 6.2 | External Temperature | Confirmatory | 6.4.7.1 |
| 6.3 | Meteorology (X/Qs) | Confirmatory | 6.4.7.2 |
| 6.4 | Toxic Gases | Confirmatory | 6.4.7.3 |
| 7.1 | Effects of Station Blackout on HVAC | Confirmatory | 7.8.1 |
| 7.2 | (ESD interface, struck through in the text mark-up) | Confirmatory | 7.8.2 |
| 7.3 | Localized High Heat Spots in Semiconductor Material for Computing Devices | Confirmatory | 7.8.3 |
| 8.1 | Stability of Offsite Power System | Confirmatory | 8.1.4.1 |
| 8.2 | Diesel Generator Reliability | Procedural | 8.1.4.2 |
| 8.3 | Class 1E Feeder Circuits | Design | 8.2.3.1 |
| 8.4 | Non-Class 1E Feeders | Design | 8.2.3.2 |
| 8.5 | Specific ABWR Standard Plant/Remainder of Plant Power System Interfaces | Design | 8.2.3.3 |
| 8.6 | Interrupting Capability of Electrical Distribution Equipment | Confirmatory | 8.3.4.1 |
| 8.7 | Diesel Generator Design Details | Confirmatory | 8.3.4.2 |
| 8.8 | Certified Proof Tests on Cable Samples | Confirmatory | 8.3.4.3 |
| 8.9 | Electrical Penetration Assemblies | Confirmatory | 8.3.4.4 |
| 8.10 | Analysis/Testing for Spatial Separation per IEEE 384 | Confirmatory | 8.3.4.5 |

Amendment 16
ABWR s==
rE !!
SandMd Pbut (6) The sistb test is an integrated self test Self diagnosis includes monitoring of prosition built into the snicroprocessors oserall program flow, reasonableness of witbin the safety s) stem logic and control process suiables, RAM and PROM condition.
(SSLC). It consists of an on line, continuously operating, self diagnostic monitoring network; and an off line semi automatic (operator initiated, but automatic to completion), end to end surveillance program. Both on line and off line functions operate independently within each of the four divisions. There are no multi-divisional interconnections associated with self testing.

The primary purpose of the self test is to improve the availability of the SSLC by optimizing the time to detect and determine the location of a failure in the functional system. It is not intended that self test eliminate the need for the other five manual tests. However, most faults are detected more quickly than with manual testing alone.

The self test function is classified as safety related; its hardware and software are an integral part of the SSLC and, as such, are qualified to Class 1E standards.

The hierarchy of test capability is provided to ensure maximum coverage of all EMS/SSLC functions, including logic functions and data communications links. Testing shall include:

(a) On-line Continuous Testing

A self diagnostic program monitors each signal processing module from input to output. Testing is automatic and is performed periodically during normal operation. Tests will verify the basic integrity of each card or module on the microprocessor bus. All operations are part of normal data processing intervals and will not affect system response to incoming trip or initiation signals. Automatic initiation signals from plant sensors will override an automatic test sequence and perform the required safety function. Process or logic signals are not changed as a result of self test functions.

... and verification of 2/4 coincidence logic and device interlock logic. Testing includes continuous error checking of all transmitted and received data on the serial data links of each SSLC controller; for example, error checking by parity check, checksum, or cyclic redundancy checking (CRC) techniques.

A fault is considered the discrepancy between the expected output of a permissive circuit and the existing present state. Actuation of the trip function is not performed during this test. The self test function is capable of detecting and logging intermittent failures without stopping system operation. Normal surveillance by plant personnel will identify these failures, via a diagnostic display, for preventive maintenance.

Self test failures (except intermittent failures) are annunciated to the operator at the main control room console and logged in the process computer. Faults are identified to the replacement board or module level and positively indicated at the failed unit.

The continuous surveillance monitoring also includes power supply voltage levels, card-out-of-file interlocks, and battery voltage levels on battery backed memory cards (if used). Out-of-tolerance conditions will result in an inoperative (out-of-service) condition for that particular system function.

Automatic system self testing occurs during a portion of every periodic transmission period of the data communication network. Since exhaustive tests cannot be performed during any one transmission interval, the test software is written so that sufficient overlap coverage is provided to prove system performance during tests of portions of the circuitry, as allowed in IEEE 338.
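The continuous error checking of serial-link data and the handling of intermittent versus persistent failures described above, as an added example that is not part of the GE submittal; the frame layout, the CRC-16/CCITT polynomial and the persistence threshold are assumptions made here.

```python
"""Added example (not part of the GE submittal): continuous error checking of
a serial data-link frame of the kind the SSLC self-test description calls for
(parity, checksum or CRC on every transmitted and received message), plus the
bookkeeping that logs intermittent failures without stopping operation and
declares a link inoperative once failures persist.  The frame layout, the
CRC-16/CCITT polynomial and the persistence threshold are assumptions made
here, not values taken from the document."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, MSB first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(division: int, payload: bytes) -> bytes:
    """Assumed frame layout: [division][payload length][payload][CRC-16 big-endian]."""
    body = bytes([division, len(payload)]) + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


def check_frame(frame: bytes) -> Tuple[bool, bytes]:
    """Verify a received frame. Returns (ok, payload); payload is b'' when bad.

    Both the CRC and the length field are checked, so a frame whose length
    field disagrees with its contents is rejected even if its CRC matches."""
    if len(frame) < 4:
        return False, b""
    body, received_crc = frame[:-2], int.from_bytes(frame[-2:], "big")
    if crc16_ccitt(body) != received_crc:
        return False, b""
    if body[1] != len(body) - 2:
        return False, b""
    return True, body[2:]


@dataclass
class LinkMonitor:
    """Per-link self-test state for one SSLC controller's serial input.

    A bad frame is logged (the 'intermittent failure' case: operation continues
    and the fault is shown for preventive maintenance).  Once `threshold`
    consecutive frames fail, the link is declared inoperative (out of service),
    mirroring the out-of-tolerance handling in the text.  Threshold is assumed."""
    threshold: int = 3
    consecutive_failures: int = 0
    inoperative: bool = False
    fault_log: List[str] = field(default_factory=list)

    def receive(self, seq: int, frame: bytes) -> Optional[bytes]:
        ok, payload = check_frame(frame)
        if ok:
            self.consecutive_failures = 0
            return payload
        self.consecutive_failures += 1
        self.fault_log.append(f"frame {seq}: CRC/length check failed")
        if self.consecutive_failures >= self.threshold:
            self.inoperative = True   # function taken out of service until repaired
        return None


def corrupt(frame: bytes, index: int, mask: int = 0x80) -> bytes:
    """Flip bits in one byte of a frame (constructed fault for the demonstration)."""
    data = bytearray(frame)
    data[index] ^= mask
    return bytes(data)


def demo() -> Tuple[LinkMonitor, LinkMonitor]:
    """Two constructed link histories: one intermittent glitch, one persistent fault."""
    good = build_frame(1, b"\x01\x00")        # division 1, two-byte constructed payload
    intermittent = LinkMonitor()
    for seq, frame in enumerate([good, corrupt(good, 2), good, good]):
        intermittent.receive(seq, frame)
    persistent = LinkMonitor()
    for seq, frame in enumerate([good, corrupt(good, 2), corrupt(good, 3), corrupt(good, 1)]):
        persistent.receive(seq, frame)
    return intermittent, persistent


if __name__ == "__main__":
    i, p = demo()
    print("intermittent link:", i.fault_log, "inoperative =", i.inoperative)
    print("persistent link:  ", p.fault_log, "inoperative =", p.inoperative)
```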
7.2.1.1.11 Control Room Cabinets and Their Contents

The SSLC logic cabinets, which contain the RPS, for Divisions I, II, III, and IV include a vertical board for each division. The vertical boards contain digital and solid state discrete and integrated circuits used to condition signals transferred to the SSLC from the essential multiplexing system (EMS). They also contain combinational and sequential logic circuits for the initiation of safety actions and/or alarm annunciation, isolators for electrical and physical separation of circuits used to transmit signals between redundant safety systems or between safety and nonsafety systems, and system support circuits such as power supplies, automatic testing circuits, etc. Load drivers with solid state switching outputs for actuation solenoids, motor control centers, or switchgear may be located in the control room or throughout the plant.

The principal console contains the reactor mode switch, the RPS manual scram push button switches, the RPS scram reset switches and the bypass switches for the low CRD accumulator charging pressure.

7.2.1.1.12 Test Methods that Enhance RPS Reliability

Surveillance testing is performed periodically on the RPS during operation. This testing includes sensor calibration, response time testing, trip channel actuation, and trip time measurement with simulated inputs to individual trip modules and sensors. The sensor channels can be checked during operation by comparison of the associated control room displays on other channels of the same variable.

7.2.1.1.13 Interlock Circuits to Inhibit Rod Motion

Interlocks between the RPS and RC&IS inhibit rod withdrawal when the CRD charging pressure trip bypass switch is in the "BYPASS" position. These interlocks assure that no rods can be withdrawn when the conditions are such that the RPS cannot re-insert the rods if necessary.

7.2.1.1.14 Support Cooling System and HVAC Systems Descriptions

The cooling (ventilating) systems important to proper operation of RPS equipment are described in Section 9.4.

7.2.1.2 Design Bases

Design bases information requested by IEEE 279 is discussed in the following paragraphs. These IEEE 279 design bases aspects are considered separately from those more broad and detailed design bases for this system cited in Subsection 7.1.2.2.

(1) Conditions: Generating station conditions requiring RPS protective actions are defined in the Technical Specifications, Chapter 16.

(2) Variables: The generating station variables which are monitored cover the protective action conditions that are identified in Subsection 7.2.1.2.1.

(3) Sensors: A minimum number of LPRMs per APRM are required to provide adequate protective action. This is the only variable that has spatial dependence (IEEE 279, Paragraph D).

(4) Operational Limits: Operational limits for each safety-related variable trip setting are selected with sufficient margin to avoid a spurious scram. It is then verified by analysis that the release of radioactive material following postulated gross failure of the fuel or the reactor coolant pressure boundary is kept within acceptable bounds. Design basis operational limits in Chapter 16 are based on operating experience and constrained by the safety design basis and the safety analyses.

(5) Margin Between Operational Limits: The margin between operational limits and the limiting conditions of operation (scram) for the reactor protection system are in Chapter 16 Technical Specifications. The margin includes the maximum allowable accuracy error, sensor response times, and sensor setpoint drift.
... leaving the main control room. If this was not possible, the capability of opening the RPS logic input power breakers from outside the main control room can be used as a backup means to achieve initial reactor reactivity shutdown.

(?) The main turbine pressure regulators may be controlling reactor pressure via the bypass valves. However, in the interest of demonstrating that the plant can accommodate even loss of the turbine controls, it is assumed that this turbine generator control panel function is also lost. Therefore, main steamline isolation is assumed to occur at a specified low turbine inlet pressure and reactor pressure is relieved through the relief valves to the suppression pool.

(6) The reactor feedwater system which is normally available is also assumed to be inoperable. Reactor water is made up by the HPCF system.

(9) It shall be assumed that the event causing the evacuation will not cause any failure of the DC or AC control power supplies to the remote shutdown panels or any failure of the DC or AC power feeds to the equipment whose functions are being controlled from the remote shutdown panels.

The above initial conditions and associated assumptions are very severe and conservatively bound any similar postulated situation.

7.4.1.4.3 Remote Shutdown Capability Description

(1) The capability described provides remote control for reactor systems needed to carry out the shutdown function from outside the main control room and bring the reactor to cold condition in an orderly fashion.

(2) It provides a variation to the normal system used in the main control room permitting the shutdown of the reactor when feedwater is unavailable and the normal heat sinks (turbine and condenser) are lost.

(3) Reactor pressure will be controlled and core decay and sensible heat rejected to the suppression pool by relieving steam pressure through the automatic activation of relief valves. Reactor water inventory will be maintained by the HPCF system. During this phase of shutdown, the suppression pool will be cooled by operating the residual heat removal (RHR) system in the suppression pool cooling mode.

(4) Manual operation of the relief valves will cool the reactor and reduce its pressure at a controlled rate until reactor pressure becomes so low that HPCF system operation is discontinued.

(5) The RHR system will then be operated in the shutdown cooling mode using the RHR system heat exchanger in the reactor water circuit to bring the reactor to the cold low pressure condition.

7.4.1.4.4 Remote Shutdown Capability Controls and Instrumentation, Equipment, Panels, and Displays

(1) Main Control Room - Remote Shutdown Capability Interconnection Design Considerations

Some of the existing systems used for normal reactor shutdown operations are also utilized in the remote shutdown capability to shut down the reactor from outside the main control room. The functions needed for remote shutdown control are provided with manual transfer devices which override controls from the main control room and transfer the controls to the remote shutdown control. All necessary power supply circuits are also transferred to other sources. Remote shutdown control is not possible without actuation of the transfer devices. Operation of the transfer devices causes an alarm in the main control room.

The remote shutdown control panels are located outside the main control room. Access to this point is administratively and procedurally controlled.

Instrumentation and controls located on the remote shutdown control panels are shown in instrument and electrical diagram Figure 7.4-2.
(Reviewer's handwritten note, partly illegible in the scan:) ... assumes ... comment ... transmitter/sensor transfers to the alternate signal path of ... to the Remote Shutdown System, with ... automatic calibration is applied only to the analog/digital ... in the RMU ... direct ... outputs. When ... is ... to the Remote Shutdown system, ... of the instrument ... are routed to analog terminals. Calibration of sensors and transmitters is performed by manual means.

The following clarification is added to Section 7.4.1.4.4(1):
Control and process sensor signals are interrupted by the transfer devices at the hardwired, analog loop. Sensor signals which interface with the remote shutdown system are routed from the sensor, through the transfer devices on the remote shutdown panels, and then to the multiplexing system remote multiplexing units (RMUs) for transmission to the main control room. Similarly, control signals from the main control room are routed from the RMUs, through the remote shutdown transfer devices, and then to the interfacing system equipment. Actuation of the transfer devices interrupts the connection to the RMUs and transfers control to the remote shutdown system.
7.8 INTERFACES

7.8.1 Effects of Station Blackout on the HVAC

A temperature heat rise analysis shall be performed for the station blackout scenario applied to the control room on consideration of the environmental temperatures unique to the plant location. [See Chapter 20, NRC Question 420.14 and Subsection 7.1.2.3.9]

7.8.2 Electrostatic Discharge on Exposed Equipment Components

The response to NRC Question 420.90 provides recommendations for limiting the effects of electrostatic discharge (ESD) at keyboards, keyed switches and other exposed equipment. The applicant shall provide assurance that the grounding and shielding techniques are consistent with these recommendations, or provide an acceptable alternative plan for controlling ESD. [See Chapter 20, NRC Question 420.90]

7.8.3 Localized High Heat Spots in Semiconductor Materials for Computing Devices

The response to NRC Question 420.92 provides recommendations for limiting high current densities which could result in localized heat spots in semiconductor materials used in computing devices. The applicant shall provide assurance that these recommendations are followed, or an acceptable alternative is presented, by the selected equipment vendor(s). To ensure that adequate compensation for heat rise is incorporated into the design, a thermal analysis shall be performed at the circuit board, instrument and panel design stages. [See Chapter 20, NRC Question 420.92]

7.8.4 Safety-Related C&I Interfaces

Each of the systems addressed in Chapter 7 were reviewed for safety-related C&I (signal) interfaces which extend outside the scope of the ABWR Standard Plant. Since the scope of the ABWR Standard Plant includes all of the reactor building, the turbine building and the control building, the study determined there are no safety-related electrical signal interfaces for any of these systems which extend beyond the scope definition.
RESPONSE 420.90

If appropriate countermeasures are not taken, then electrostatic discharge (ESD) can cause damage to electronic components. High impedance devices using MOS (metal oxide semiconductor) technology are particularly subject to damage. The discharge from an electrically charged human body, when certain areas of electronic equipment are touched (keypads, switches), may open the junctions of CMOS devices or other semiconductors.

However, modern CMOS and other MOS components have internal protection against ESD in the form of diode clamping arrays and current limiting resistors that conduct the discharge away from the junction. In addition, good circuit design practices will include the use of other devices such as transient suppressors (for example, metal oxide varistors (MOVs), Zener diodes) across critical circuit inputs and outputs that are directly exposed to external transients.

Other precautions against the effects of ESD take the form of adequate insulation or proper grounding.

Keypads generally have insulating material in the form of a thick plastic covering over the metallic switch contacts. Toggle switches and other controls should have insulating knobs. Various metallic chassis components (front panel, handles, deck, connector shells) should be solidly grounded to each other (the effects of painted and plated surfaces should be considered), and the chassis should be grounded to the appropriate panel or instrument ground bus by metallic ground straps. Panel and instrument mounting hardware should not be depended upon for solid grounds. Printed circuit boards must have the signal commons and ground plane commons properly connected to the common buses and to the low voltage logic power supplies.
QUESTION 420.91

Most of the I&C system microprocessor equipment is likely to be located in a mild environment, but susceptibility requirements or limitations on the voltage potential buildup by humidity control or other measures is not discussed. Also, the data concentrators are provided at remote locations where the environmental control is not clearly described. Identify the criteria, design limits and testing program for this area of ESD controls. (7)

RESPONSE 420.91

The environmental qualification requirements for systems and equipment are described in Section 3.11 and in the design documents referenced in Subsection 1.1.3 (in particular, BWR Requirements, Equipment Environmental Interface Data and the Safety System Logic & Control Design Specification).

Voltage potential buildup will be limited by proper grounding of equipment and use of appropriate static control materials and dielectric barriers to ensure that high potentials cannot be coupled to sensitive semiconductor devices (see the response to Question 420.90). Humidity controls are provided by the normal and emergency HVAC systems; when relative humidity is restricted to the ranges specified for the mild environment locations where the microprocessor equipment will be installed, there will be no unusual static charge buildup.

The thermal design environments for the SSLC panels themselves are discussed in the response to Question 420.008. The Remote Multiplexing Units (i.e., "data concentrators") of the Essential Multiplexing System are located within the "clean" areas of the Reactor Building outside the secondary containment. The panels containing this equipment will be environmentally qualified and tested in accordance with Regulatory Guide 1.89 and IEEE 323 for the areas in which they are located.

I&C microprocessor equipment will be required to meet the requirements of IEC Standard Publication 801-2, "Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 2 (Electrostatic Discharge Requirements)". Test equipment shall have the following minimum capabilities:
(Reviewer's handwritten note, DSER Item 23:) The response to RAI 420.090 discussed several precautions to be taken against electrostatic discharge (ESD) in electronic assemblies, and also described typical circuit design and equipment grounding methods that should be used to prevent component damage.

The following response is added to the response of RAI 420.090. The additional material includes a reference to industry standards that verify conformance to ESD requirements.
Microprocessor based control equipment for ABWR is designed under the assumption that users will have taken no precautions against static charge buildup before attempting to operate the equipment. The equipment is designed to tolerate an electrostatic discharge without damage, partly by employing insulation (with no air gaps) over exposed metallic components, but primarily by providing an alternative path for current flow other than through sensitive circuit paths. As discussed previously, this means that all exposed metallic components of the system must be grounded. Low inductance multipoint grounds are used where ESD current flow is desired and single point grounds where discharge flow is not wanted.

The low power requirements of ABWR control equipment ensure that the integrity of the equipment enclosures is not compromised by large ventilating holes or slots. Special attention is given to hinges, joints, and seams so that the continuity of shielding is maintained.

In the system configuration, where shielded cables transfer data between the equipment enclosures, the cables must be prevented from propagating ESD currents and voltages between system units. For ABWR safety systems, the problem has been minimized by using fiber optic cables as the transmission medium for most critical signals. While the cables may contain metallic supporting members or protective shields, these will not be electrically connected to any equipment or circuit. For certain functions where hardwired cable is required, solid grounding of cable shields to the equipment chassis and bypass capacitors at all inputs and outputs shall be used to divert ESD currents to ground.

These hardware solutions shall be supplemented with firmware ESD solutions to protect against potential upsets such as system lockup if ESD noise causes memory or data flow errors. The methods used are discussed as part of the fault tolerance issues included in Items 1.g and 1.1.

The susceptibility of ABWR control equipment to electrostatic discharges shall be established using the test procedures included in IEC Publication 801-2, Electromagnetic Compatibility for Industrial Process Measurement and Control Equipment, Part 2: Electrostatic Discharge Requirements. The test procedures of paragraph 8 of this document shall be performed up to and including Severity Level 4, as defined in the document. The following acceptance criteria shall be used:

1. No change in trip output status shall be observed during the test.
2. Equipment shall perform its intended functions after the test.

Note that the safety system control equipment for ABWR has inherent protection against transient ESD effects in that data is continually refreshed throughout the system, including trip, display and indicator status. Further protection is provided by the asynchronous, four-division, 2-out-of-4 channel configuration. Temporarily corrupted data in one division cannot cause an inadvertent trip or permanently disable a required trip. When bad data or equipment damage is detected, the affected division can be bypassed until repaired. In the Reactor Protection System (RPS) and Main Steam Isolation Valve (MSIV) channels, where the final trip outputs are also in a 2-out-of-4 configuration, both the sensor input and trip output sides of each equipment division can be bypassed, thus preventing failure from any cause in one channel from inhibiting or inadvertently causing a trip.
ABWR Design Document

2.2.7 Reactor Protection System

The reactor protection system (RPS) for the Advanced Boiling Water Reactor (ABWR) is a warning and trip system where initial warning and trip decisions are implemented with software logic installed in microprocessors. The primary functions of this system are to: (1) make the logic decisions related to warning and trip conditions of the individual instrument channels, and (2) make the decision for system trip (emergency reactor shutdown) based on coincidence of instrument channel trip conditions.

The RPS is classified as a safety protection system (i.e., as differing from a reactor control system or a power generation system). All functions of the RPS and the components of the system are safety related. The RPS and the electrical equipment of the system are also classified as Safety Class 3, Seismic Category I and as IEEE electrical category Class 1E. Basic System Parameters are:

a. Number of independent divisions of equipment: 4
b. Minimum number of sensors per trip variable (at least one per division): 4
c. Number of automatic trip systems (one per division): 4
d. Automatic trip logic used for plant sensor inputs (per division): 2-out-of-4
e. Separate automatic trip logic used for division trip outputs: 2-out-of-4
f. Number of separate manual trip systems: 2
g. Manual trip logic: 2-out-of-2

The RPS consists of instrument channels, trip logics, trip actuators, manual controls and scram logic circuitry that initiates rapid insertion of control rods (scram) to shut down the reactor for situations that could result in unsafe reactor operating conditions. The RPS also establishes the required trip conditions that are appropriate for the different reactor operating modes and provides status and control signals to other systems and annunciators. The RPS related equipment includes detectors, switches, microprocessors, solid-state logic circuits, relay type contactors, relays, solid-state load drivers, lamps, displays, signal transmission routes, circuits and other equipment which are required to execute the functions of the system. To accomplish its overall function, the RPS utilizes the functions of the essential multiplexing system (EMS) and of portions of the safety system logic and control (SSLC) system.
As shown in Figure 2.2.7a, the RPS interfaces with the neutron monitoring system (NMS), the process radiation monitoring (PRRM) system, the nuclear boiler system (NBS), the control rod drive (CRD) system, the rod control and information system (RC&IS), the recirculation flow control (RFC) system, the process computer system and with other plant systems and equipment. RPS components and equipment are separated or segregated from process control system sensors, circuits and functions such as to minimize control and protection system interactions. Any necessary interlocks from the RPS to control systems are through isolation devices.

The RPS is a four division system which is designed to provide reliable single-failure proof capability to automatically or manually initiate a reactor scram while maintaining protection against unnecessary scrams resulting from single failures in the RPS. The RPS remains single failure proof even when one entire division of channel sensors is bypassed and/or when one of the four automatic RPS trip logic systems is out-of-service. All equipment within the RPS is designed to fail into a trip initiating state or other safe state on loss of power or input signals or disconnection of portions of the system. The system also includes trip bypasses and isolated outputs for display, annunciation or performance monitoring. RPS inputs to annunciators, recorders and the computer are electrically isolated so that no malfunction of the annunciating, recording, or computing equipment can functionally disable any portion of the RPS. The RPS related equipment is divided into four redundant divisions of sensor (instrument) channels, trip logics and trip actuators, and two divisions of manual scram controls and scram logic circuitry. The automatic and manual scram initiation logic systems are independent of each other and use diverse methods and equipment to initiate a reactor scram. The RPS design is such that, once a full reactor scram has been initiated automatically or manually, this scram condition seals in such that the intended fast insertion of all control rods into the reactor core can continue to completion. After a time delay, deliberate operator action is required to return the RPS to normal.

Figure 2.2.7b shows the RPS divisional separation aspects and the signal flow paths from sensors to scram pilot valve solenoids. Equipment within a RPS related sensor channel consists of sensors (transducers or switches), multiplexers and digital trip modules (DTMs). The sensors within each channel monitor for abnormal operating conditions and send either discrete bistable (trip/no trip) or analog signals directly to the RPS related DTM or else send analog output signals to the RPS related DTM by means of the remote multiplexer unit (RMU) within the associated division of essential multiplexing system (EMS). The RPS related bistable switch type sensors, or, in the case of analog channels, the RPS software logic, will initiate reactor trip signals within the individual sensor channels, when any one or more of the conditions listed below exist within the plant during different conditions of reactor operation, and will initiate reactor scram if coincidence logic is satisfied.

a. Turbine Stop Valves Closure (above 40% power levels) [RPS]
b. Turbine Control Valves Fast Closure (above 40% power levels) [RPS]
c. NMS monitored SRNM and APRM conditions exceed acceptable limits [NMS]
d. High Main Steam Line Radiation [PRRM System]
e. High Reactor Pressure [NBS]
f. Low Reactor Water Level (Level 3) [NBS]
g. High Drywell Pressure [NBS]
h. Main Steam Lines Isolation (MSLI) (Run mode only) [NBS]
i. Low Control Rod Drive Accumulator Charging Header Pressure [CRD]
j. Operator Initiated Manual Scram [RPS]

The system monitoring the process condition is indicated in brackets in the list above. The RPS outputs, the NMS outputs, the PRRM system outputs and the MSLI and manual scram outputs are provided directly to the RPS by hard-wired or fiber optic signals. The NBS and the CRD system provide other sensor outputs through the EMS. Analog to digital conversion of these latter sensor output values is done by EMS equipment. The DTM in each division uses either the discrete bistable input signals, or compares the current values of the individual monitored analog variables with their trip setpoint values, and for each variable sends a separate, discrete bistable (trip/no trip) output signal to the trip logic units (TLUs) in all four divisions of trip logics. The DTMs and TLUs utilized by the RPS are microprocessor components within the SSLC system.

RPS related equipment within a RPS division of trip logic consists of manual control switches, bypass units (BPUs), trip logic units (TLUs) and output logic units (OLUs). The manual control switches and the BPUs, TLUs and OLUs are components of the RPS portions of the SSLC system. The various manual switches provide the operator means to modify the RPS trip logic for special operation, maintenance, testing and system reset. The bypass units perform bypass and interlock logic for the single division of channel sensors bypass function and for the single division TLU bypass function. The TLUs perform the automatic scram initiation logic, normally checking for two-out-of-four coincidence of trip conditions in any set of instrument channel signals coming from the four division DTMs or from isolated bistable inputs from all four divisions of NMS equipment, and outputting a trip signal if any one of the two-out-of-four coincidence checks is satisfied. TLU trip decision logic in all four RPS TLUs becomes a check for two-out-of-three coincidence of trip conditions if any one division of channel sensors has been bypassed. The OLUs perform the division trip, seal-in, reset and trip test functions. Trip signals from the OLUs within a single division are used to trip the trip actuators, which are fast response
bistable, solid state load drivers for automatic scram initiation, and are trip relays for air header dump (back up scram) initiation. Load driver outputs toggled by a division OLU interconnect with load driver outputs toggled by other division OLUs into two separate arrangements which results in two-out-of-four scram logic, i.e., reactor scram will occur if load drivers associated with any two or more divisions receive trip signals.

The isolated ac load drivers are fast response, bistable, solid state, high current interrupting devices. The operation of the load drivers is such that a trip signal on the input side will create a high impedance, current interrupting condition on the output side. The output side of each load driver is electrically isolated from its input signal. The load driver outputs are arranged in the scram logic circuitry, between the scram pilot valves' solenoids and the solenoids ac power source, such that when in a tripped state the load drivers will cause deenergization of the scram pilot valve solenoids (scram initiation). Normally closed relay contacts are arranged in the two back-up scram logic circuits, between the air header dump valve solenoid and air header dump valve dc solenoid power source, such that when in a tripped state (coil deenergized) the relays will cause energization of the air header dump valve solenoids (air header dump initiation). Associated dc voltage relay logic is also utilized to effect scram reset permissives and scram-follow (control rod run in) initiation.
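The trip decision path just described (DTM outputs voted two-out-of-four by the TLUs, two-out-of-three with one sensor division bypassed, and load drivers arranged two-out-of-four across divisions), together with the earlier ESD-response claim that corrupted data in a single division can neither cause nor permanently block a trip, as an added model that is not part of the GE design document; division labels, the single-TLU-bypass behaviour and the loss-of-power behaviour are assumptions made here.

```python
"""Added example (not part of the GE design document): a model of the RPS
trip decision path the text describes.  Each division's digital trip module
(DTM) produces a discrete trip/no-trip output; every trip logic unit (TLU)
votes two-out-of-four over the four DTM outputs, or two-out-of-three when one
division of channel sensors is bypassed; each output logic unit (OLU) drives
its division's load drivers; and the load drivers are arranged so that trip
signals in any two or more divisions cause a scram.  Division labels, the
single-TLU-bypass behaviour and the loss-of-power behaviour are assumptions
made here (the text only states that equipment fails to a trip-initiating or
other safe state)."""
from enum import Enum
from typing import Dict, Iterable, Optional

DIVISIONS = ("I", "II", "III", "IV")


class Dtm(Enum):
    """Discrete bistable output of one division's DTM for one variable."""
    NO_TRIP = 0
    TRIP = 1


def tlu_vote(dtm_outputs: Dict[str, Dtm], sensor_bypass: Optional[str] = None) -> bool:
    """Coincidence check for one variable.

    Normally two-out-of-four.  If one division of channel sensors is bypassed,
    that division's DTM output is excluded and the check becomes
    two-out-of-three.  Only a single sensor-division bypass is allowed."""
    if sensor_bypass is not None and sensor_bypass not in DIVISIONS:
        raise ValueError(f"unknown division {sensor_bypass!r}")
    voters = [d for d in DIVISIONS if d != sensor_bypass]
    trips = sum(1 for d in voters if dtm_outputs.get(d, Dtm.NO_TRIP) is Dtm.TRIP)
    return trips >= 2


def scram_logic(division_trip_outputs: Dict[str, bool]) -> bool:
    """Load-driver arrangement: scram when the load drivers of any two or more
    divisions are in the tripped (current-interrupting) state."""
    return sum(1 for d in DIVISIONS if division_trip_outputs.get(d, False)) >= 2


def rps_scram(dtm_outputs: Dict[str, Dtm],
              sensor_bypass: Optional[str] = None,
              tlu_bypass: Optional[str] = None,
              power_lost: Iterable[str] = ()) -> bool:
    """End-to-end automatic scram decision.

    Assumptions of this example: a division whose TLU is bypassed (out of
    service) produces no trip output, and a division that loses power fails to
    the trip-initiating state (its load drivers de-energise the pilot valve
    solenoids, as the text describes for loss of power)."""
    lost = set(power_lost)
    outputs: Dict[str, bool] = {}
    for d in DIVISIONS:
        if d in lost:
            outputs[d] = True       # fail-safe: loss of power = tripped output
        elif d == tlu_bypass:
            outputs[d] = False      # TLU out of service; its output inhibited
        else:
            outputs[d] = tlu_vote(dtm_outputs, sensor_bypass)
    return scram_logic(outputs)


def state(**by_division: str) -> Dict[str, Dtm]:
    """Helper: state(I="trip", II="no_trip", ...) -> DTM output map (unlisted = no trip)."""
    return {d: Dtm.TRIP if v == "trip" else Dtm.NO_TRIP for d, v in by_division.items()}


def scenarios() -> Dict[str, bool]:
    """Constructed cases illustrating the single-failure claims in the text."""
    return {
        # genuine condition seen by two divisions: scram
        "two_of_four_trip": rps_scram(state(I="trip", II="trip")),
        # corrupted data (e.g. an ESD upset) in one division alone: no scram
        "one_division_spurious": rps_scram(state(III="trip")),
        # condition seen by three divisions, fourth corrupted to no-trip: still scram
        "one_division_stuck_no_trip": rps_scram(state(I="trip", II="trip", III="trip")),
        # sensor division I bypassed, two of the remaining three trip: scram (2/3)
        "bypass_then_two_of_three": rps_scram(state(II="trip", IV="trip"), sensor_bypass="I"),
        # sensor division I bypassed, spurious trip in one other division: no scram
        "bypass_then_one_spurious": rps_scram(state(II="trip"), sensor_bypass="I"),
        # one TLU out of service, genuine 2/4 condition: the other three still scram
        "tlu_bypass_genuine_trip": rps_scram(state(I="trip", IV="trip"), tlu_bypass="II"),
        # loss of power in one division alone: safe-state output but no scram
        "single_division_power_loss": rps_scram(state(), power_lost=("IV",)),
    }


if __name__ == "__main__":
    for name, scram in scenarios().items():
        print(f"{name:30s} scram={scram}")
```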
The RPS design for the ABWR is testable for correct response and performance in overlapping stages, either on line or offline (to minimize potential of unwanted trips). Access to bypass capabilities of trip functions, instrument channels or a trip system and access to setpoints, calibration controls and test points are designed to be under administrative control.
Inspection, Test, Analyses and Acceptance Criteria: Table 2.2.7 provides a definition of the visual inspections, tests and/or analyses, together with associated acceptance criteria, which will be used by the RPS.
Table 2.2.7: REACTOR PROTECTION SYSTEM

Inspections, Tests, Analyses and Acceptance Criteria

| Certified Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 1. RPS safety-related software, which is utilized in effecting individual sensor channel trip decisions and trip system coincidence trip decisions, has been developed and verified, the firmware implemented and validated and then integrated with hardware; all according to a formal documented plan. | 1. See Generic Software Development verification activities (ITA). | 1. See Generic Software Development Acceptance Criteria (AC). |
| 2. Certain process signals utilized by the RPS are transmitted to RPS sensor channel signal processing equipment by means of four separate divisions of Essential Multiplexing System equipment. | 2. See the Essential Multiplexing System verification activities (ITA). | 2. See the Essential Multiplexing System Acceptance Criteria (AC). |
| 3. Critical parameter trip setpoints are based upon values used in analyses of abnormal operational occurrences. Documented instrument setpoint methodology has been used to account for uncertainties (such as instrument inaccuracies and drift) in order to establish RPS related setpoints. | 3. See Generic Setpoint Methodology verification activities (ITA). | 3. See Generic Setpoint Methodology Acceptance Criteria (AC). |
| 4. RPS equipment is designed to be protected from the effects of noise, such as electromagnetic interference (EMI), and has adequate surge withstand capability (SWC). | 4. See Generic EMI/SWC Qualification verification activities (ITA). | 4. See Generic EMI/SWC Qualification Acceptance Criteria (AC). |
| 5. RPS equipment is qualified for seismic loads and appropriate environment for locations where installed. | 5. See Generic Equipment Qualification verification activities (ITA). | 5. See Generic Equipment Qualification Acceptance Criteria (AC). |
$8
.ee 9
w
..a F
Table 2.2.7:- REACTOR PftOTECTION SYSTEM (Continued) -
M.
J
. Inspections, Tests. Analyses and Acceptance Criteria Certified Design Commitment.
Inspections, Tests. Anotyees Acceptance Critwie 6.
RPS components and equipment are kept
. 6.. Visual field inspections and analyses of
- 6. - RPS equipment installatic rceptab;e if separate from equipment associated with relationship of installed RPS equipment inspections, analyses an'h ! tests confirm process control systems.
and of installed equipment of interfacing that any failure in process control systems
-ncess control systems (and/or tests of can not prevent RPS safety functions.
o test to confirm appropriate isolation metrw.1 used to satrsfy separation and segregatron requirements..
7.
Fail-safe failure modes result upon loss of.. ' 7.
Field tests to confirm that tr, conditions
. 7 Acceptable if safe state conditions result power or disconnection of components.
and/or bypass inhibits result upon loss of -
upon loss of power or drsconnection of power or disconnection of components.
portrons of the RPS.'
8.
Provisions exist to limit access to trip 8.
Visual field inspections of the installed RPS 8.
The RPS hardware!firmware will be setpoints, calibration controls and test '
equipment will be used to confirm the considered acceptable if appropriate i
poims.
existence of appropriate administrative methods exist to enforce adminrstrative controls.
control for access to sensitive areas.
h 9.
The four redundant divisions of RPS
. 9. Inspections of fabrication and installation
- 9. Installt.d RPS equipment will be '
equipment and the four automatic trip records and construction drawings or determined to conform to the documented '
systems are independent from each other
visual field inspections of the installed RPS description of the design as depicted in except in the area of the required.
equipment will be used to confirm the Figure 2.2.7b.'
coincidence of trip logic decisions and are
. quadruple redundancy of the RPS and the both electrically and physically separated efectrical and physical separation aspects from each other. Similarly, the two manual of the RPS instrument channels and the trip systems are separate and independent '
. four automatic trip systems as well as their of each other and of the four automatic trip -
diversity and independence from the two i
systems.
manual trip systems.
Table 2.2.7: REACTOR PROTECTION SYSTEM (Continued)

Inspections, Tests, Analyses and Acceptance Criteria (Certified Design Commitment; Inspections, Tests, Analyses; Acceptance Criteria)

10. (Continued)

e. Installed system energizes both air header dump (back-up scram) valves of the CRD hydraulic system, and initiates CRD motor run-in, concurrent only with a full scram condition.

f. When not bypassed, trips result upon loss or disconnection of portions of the system. When bypassed, inappropriate trips do not result.

g. Installed system provides isolated status and control signals to data logging, display and annunciator systems.

h. Installed system demonstrates operational interlocks (i.e., trip inhibits or permissives) required for different conditions of reactor operation.
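As an added illustration (not code from the design document), the following models the fail-safe, bypass and coincidence behaviour committed to in items 7, 9 and 10.f: a division whose signal is lost votes trip unless it is bypassed, and the trip system scrams only on coincidence of division votes. The 2-out-of-4 coincidence count and the division states are assumptions made for this example, not values stated on this page.

```python
# Added example; not part of the ABWR design document.
# Models items 7, 9 and 10.f of Table 2.2.7: loss of a division's signal fails
# toward trip, a bypassed division cannot cause an inappropriate trip, and the
# scram decision requires coincidence across divisions (2-of-4 assumed here).
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    NORMAL = "normal"              # sensor input within setpoint
    TRIPPED = "tripped"            # sensor input beyond setpoint
    DISCONNECTED = "disconnected"  # loss of power or signal from the division


@dataclass(frozen=True)
class Division:
    name: str
    channel: Channel
    bypassed: bool = False  # bypass is under administrative control (item 8)


def division_votes_trip(div: Division) -> bool:
    """Item 10.f: a bypassed division contributes no trip vote.
    Item 7: an unbypassed division votes trip when tripped or disconnected,
    so loss of power or signal resolves toward the safe state."""
    if div.bypassed:
        return False
    return div.channel in (Channel.TRIPPED, Channel.DISCONNECTED)


def trip_system_decision(divisions, required=2):
    """Coincidence decision (item 9): scram when at least `required`
    unbypassed divisions vote trip. required=2 is an assumption."""
    votes = [d.name for d in divisions if division_votes_trip(d)]
    return len(votes) >= required, votes


def constructed_demo():
    # Constructed division states for illustration, not test data from the document.
    one_lost = [Division("A", Channel.DISCONNECTED), Division("B", Channel.NORMAL),
                Division("C", Channel.NORMAL), Division("D", Channel.NORMAL)]
    two_lost = [Division("A", Channel.DISCONNECTED), Division("B", Channel.DISCONNECTED),
                Division("C", Channel.NORMAL), Division("D", Channel.NORMAL)]
    lost_bypassed = [Division("A", Channel.DISCONNECTED, bypassed=True),
                     Division("B", Channel.DISCONNECTED), Division("C", Channel.NORMAL),
                     Division("D", Channel.NORMAL)]
    return {
        "one_lost": trip_system_decision(one_lost)[0],       # one vote: channel trip only
        "two_lost": trip_system_decision(two_lost)[0],       # coincidence: fail-safe scram
        "lost_bypassed": trip_system_decision(lost_bypassed)[0],  # bypassed vote discarded
    }
```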
Table 2.2.7: REACTOR PROTECTION SYSTEM (Continued)

Inspections, Tests, Analyses and Acceptance Criteria

| Certified Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|
| 11. The RPS design provides prompt protection against the onset and consequences of events or conditions that threaten the integrity of the fuel barrier. | 11. Preoperational tests will be conducted to measure the RPS and supporting systems response times to: (1) monitor the variation of the selected processes; (2) detect when trip setpoints have been exceeded; and (3) execute the subsequent protection actions when coincidence of trip conditions exist. | 11. The RPS hardware/firmware response to initiate reactor scram will be considered acceptable if such response is demonstrated to be sufficient to assure that the specified acceptable fuel design limits are not exceeded. |

Validation Attributes:

Total trip system response, from time when sensor input is beyond setpoint to time of scram pilot valve solenoids deenergization:

| Trip function | Total response |
|---|---|
| NMS APRM | ≤ 0.090 sec |
| Reactor pressure | ≤ 0.55 sec |
| Reactor water level | ≤ 1.05 sec |
| Turbine stop valve closure | ≤ 0.060 sec |
| Turbine control valve fast closure | ≤ 0.080 sec |
| Main steam lines isolation | ≤ 0.060 sec |
Figure 2.2.7a REACTOR PROTECTION SYSTEM (diagram: plant sensors, local area, main control room, RPS logic & control, SSLC RPS logic; diagram is typical for one of four divisions; glossary not legible in this copy)
ABWR Design Document Figure 2.2.7b REACTOR PROTECTION SYSTEM (diagram: Division 1 through Division 4, each with its sensor, DTM, TLU and OLU in a separate division raceway, feeding the RPS scram group output circuits; manual trip or test logic interfaces not shown)

1/17/92 2.2.7