ML20126K429
| ML20126K429 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry  |
| Issue date: | 12/30/1992 |
| From: | Williams J Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML20126K433 | List: |
| References | |
| TAC-M184161, TAC-M84162, TAC-M84163, NUDOCS 9301070119 | |
| Download: ML20126K429 (32) | |
Text
~
9 December 30, 1992
-Docket Nos. 50-259, 50-260 and 50-296 LICENSEE:
Tennessee Valley Authority FACILITY:
Browns Ferry Nuclear Plant, Units 1, 2, and 3
SUBJECT:
SUMMARY
OF THE DECEMBER 1, 1992 MEETING REGARDING A PROPOSED ANALOG TO DIGITAL UPGRADE OF RADIATION MONITORING EQUIPMENT (TAC NOS. 184161, M84162, and M84163)
On December 1, 199.2, representatives of the Tennessee Valley Authority (TVA) and the NRC staff met in Rockville, Maryland to discuss TVA's proposed upgrade of refueling floor and reactor building radiation monitoring equipment, including proposed revisions to the Browns Ferry Technical Specifications submitted in a letter dated July 23, 1992. TVA plans to replace existing analog equipment with digital components.
This upgrade is the first installation of a General Electric Nuclear Measurement Analysis and Control (NUMAC) system. Meeting attendees are listed in Enclosure 1.
A handout distributed by TVA is provided in Enclosure 2.
Note that TVA's handout includes references to other information which is not included because these references contain proprietary material.
TVA prepared the handout in response to issues raised by the NRR staff in preliminary communications prior to this meeting.
Meeting attendees discussed each question and response in detail to provide the staff the background information necessary for review. Attendees also discussed plans for an NRC audit of the equipment design and installation. This audit is currently planned for mid-January 1993.
Original signed by Joseph F. Williams, Project Manager Project Directorate II-4 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
Enclosures:
1.
List of Attendees 2.
TVA Handouts cc w/ enclosures:
See next page OFC PDII-4/LA PDII-4/PM /s PDII-4/PM PDIIr4/PD NAME MSanders//u) JWilliandbh TRoss N N FNdd DATE
///SQ92
/A/30/92
/2./30/92
/L- //a/92
(> Ob I m
4' w.,
1070119 921230 p
ADOCK 05000259
{I PDR l
R111RIMUnti Docket file flRC & Local PDRS Bfff Rdg. File T. Murley/F, Miraglia 12-0-18 J. Partlow 12-G-18 S. Varga 14-E-4 G. Lainas 14-H-3 F. Hebdon J. Williams T. Ross M. Sanders OGC 15-B-18 E. Jordan Mf1BB-3701 L. P11sco 17-G-21 ACRS (10)
J. Stewart 8-H-7 E. Lee 8-H-7 E. Merschoff Ril B. Wilson RII i
l l
l l
l l
Browns Ferry Nuclear Plant CC:
Mr. John B. Waters, Chairman State Health Officer Tennessee Valley Authority Alabama Dept. of Public Health ET 12A 434 Monroe Street 400 West Sumit Hill Drive Montgomery, Alabama 36130-1701 Knoxville, Tennessee 37902 Mr. J. R. Bynum, Vice President Regional Administrator Nuclear Oper:tions U.S.N.R.C. Region 11 38 Lookout Place 101 Marietta Street, N.W.
1101 Market Street Suite 2900 Chattanooga, Tennessee 37402-2801 Atlanta, Georgia 30323 Mr. Charles Patterson Site Licensing Manager Senior Resident Inspector Browns Ferry Nuclear Plant Browns Ferry Nuclear Plant Tennessee Valley Authority U.S.N.R.C.
P.O. Box 2000 Route 12, Box 637 Decatur, Alabama 35602 Athens, Alabama 35611 Mr. O. J. Zeringue, Vice President Site Quality Manager Browns Ferry Nuclear Plant Browns Ferry Nuclear Plant Tennessee Valley Authority Tennessee Valley Authority P.O. Box 2000 P. O. Box 2000 Decatur, Alabama 35602 Decatur, Alabama 35602 Mr. M. J. Burzynski, Manager Dr. Mark 0. Medford, Vice President Nuclear Licensing and Regulatory Affairs Tennes'see Valley Authority SB Lookout Place Nuclear Assurance, Licensing and Feels Chattanooga, Tennessee 37402-2801 3B Lookout Place 1101 Market Street TVA Representative Chattanooga, Tennessee 37402-2801 Tennessee Valley Authority l
11921 Rockville Pike Mr. Kevin Graney, 8C7 l
Suite 402 Bechtel Rockville, Maryland 20852 9801 Washingtonian Blvd.
Gaithersburg, Maryland 20878-5356 General Counsel-l Tennessee Valley Authority ET llH l
400 West Summit Hill Drive l
Knoxville, Tennessee 37902 Chairman, Limestone County Comission P.O. Box 188 Athens, Alabama 35611
ENCLOSURE 1 ATTENDEES DECEMBER 1, 1992 TVA/NRC MEETING ANALOG TO DIGITAL UPGRADE OF RADIATION MONITORING EQUIPMENT
((AfiE ORGANIZATION Joe Williams NRR/DRPE/PD 11-4 Kevin Graney Bechtel - SERCH Licensing Jim Stewart NRR/DRCH/HICB Eric J. Lee NRR/DRCH/HICB Mike Hellums TVA Corporate Licensing James Ballard TVA Browns Ferry Nuclear Engineering Gaylon Hicks TVA Browns Ferry Nuclear Engineering Dave Reisel GE Nuclear Energy Greg Pierce TVA Browns Ferry Site Licensing w
ENCLOSURE 2 w
TVA Browns Feny Nuclear Plant l
Reply to NRC Request for AdditionalInformatJon Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 1 of 28 1.
Describo the (TVA system and GE component) purchase specifications. This should include the lasues that were addressed in the specifications, such as infant mortality screening for the non military Inte0 rated circuit components.
TVA TVA's purchase specification addressed component environmental and regulatory requirements for the proposed end uso.
GE Purchase of non-military integrated circuit components in avoided. Wimn non military integrated circuit components aro used they are purchased by GE to part specircations. Examples are the D/A and A/D Convertors (188C8083 and 188C8082 attachod) on ihe Analog Modulo card which aro purchased to the requirements shown on these drawings. When the Analog Module has completed its' manufacturing process and manufacturing QA inspections a Burn-In tost is run por OP 20.166 (attached) which is intended to locate infant mortality failures for correctivo action.
Failures after deltvery and installation are discovered by the NUMAC Setf Test system and corrected by utilizing TVA spare part inventories. Ropairs of the failed component are made at the GE Repair and Return Facility in San Jose. Soo response to question A for Mean Timo-Between-Fallure (MTBF) Information on various NUMAC components.
2.
LJst all the differences between the NUMAC RBVRM and other NUMAC product lines that have ben reviewed by the NRC and referenced NEDO-30833A and NEDO-31439A. Explain how the NUMAC RBVRM hardware, software, and operational functions are different.
The basic construction of all NUMAC instruments, including the RBVRM, Log Rad Monitor (LRM) (NEDO 30833 A) and Wide Range Neutron Monitor (VENM)
(NEDO 31439-A) is the same. Each instrument has the same chassis construction, cardfile, motherboard, power supplies, front panel (with either large or small display),
core set of electronic modules and software packages, and overall operating scheme.
What sets one instrument apart from another are the functions performed, and the signal conditioning modules, connectors and firmware (software imbodded in Road Only Mornory) nooded to support these functions.
Software for all NUMAC instruments is modutar and organized in functional files and routinos. Many of these files and routines do not change or require only minor modifcation when porte! from one instrument to another, such as me some display driver routinos, some sif test routines, key pad input routines, etc. However, many files and routines are required to be application spectre in order to moet the speelfe instrument functional requirements. All software used in a spectfc application, such as the NUMAC RBVRM, is subjected to the same validation testing regardless of whether d in has been previously utilized in another application or not.
\\.
l.
TVA Browns Ferry Nuclear Plant N
Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVPM Upgrade Page 2 of 28 The power supplies and electronic modules used by the three instruments are Ilsted below:
Module RBVRM LAM WRNM Low Voltags Power Supply 2
2 2
1 1
1 Computer 1
1 1
Display Controller i
i 1
Analog 16-Chan Analog Output 2
1 Open Drain 1/0 RS422/485 Communications 2
Dual High Voltage Power Supply 1
1 High Voltage Power Supply 1
Femtoammeter 1
1 1/0 Contact 1
Hi Current Hi Voltage PS 1
4 Channel Discriminator 1
MSV Module 1
GEDAC RS232 Communications The RBVRM's front panelincludes the targe display, the LRM and WRNM have small displays.
The rear connector brackets of the three instruments differ in size and types of interface connectors installed. The input signals to the RBVRM are data messages from Digital Sensor & Converters which contain Geiger Mueller tubes as the sensin0 olomont and microprocessor circuitry for control, data conversion and transmission, and self test. The LRM's input come from external non chambers near the main steam lines and the WRNM's input from in-core fission chambers.
The RBVRM confi0uration also includes an externalInterface Panel for input / output wiring and output relays, and extemal Signal Splitters that al'.ows two signal channels to utilize one set of existing signal cWes. The LRM does not utilize external components. The WRNM does not utilize extemal panels or signal splitters but does require a separate Preamplifier.
Are there any changes to the operating procedures as the result of these n.
changes (ditierences)?
The operating procedures for all NUMAC instruments, including the RBVRM,
"Tq WA - Browns Ferry Nuclear Plant i
Reply to NRC Request for AdditionalInformation C
Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 3 of 28 Log Rad Monitor (LRM, NEDO 30833A) and VMe Range Neutron Monitor (WRNM, NEDO 31439A) are basically the same. Each instrument has a keybck switch which permits selection of either the Operate or Inop mode. After an instrument is powered up, its main screen appears on the display. The screen is specific to the instrument and allows the user to perform or initiate instrument functions, view data, self test status and Help notes, initiate auto-caiibration, change setpoints under password control, etc. The manner is which function selection keys (softkeys), cursor keys and data entry keys are used is essentially the same in all instruments.
Differences in specific operating procedures arise from differences in instrument function For example, an RBVRM uses four signal channels where inputs are serial data messages. The LRM has a single direct current input in the picoampero range. Both instruments must be set up and calibrated accordingly. Thorofore, the displays and softkey functions requirod by each instrument will be different.
A user can set up the RBVRM (via front panel keyboard and display) to perform certain combinationallogic on indMdual signal channel triplatarm outputs. The LRM and WRNM, both single channelinstruments, do not have or require such capability.
WA Operating Instructions (Ols), Surveillance Inst.sctions (Sis), and maintenance instructions (SlMis) will be revised to reflect the installation of the NUMAC RBVRM.
3.
Describe the NUMAC RBVRM qualification test procedures and the results. This should include some samples of test procedures and the results.
The NUMAC RBVRM qualification consisted of seismic analysis, EMI/RFI testing, and environmentaltesting. The NUMAC RBVRM Qualification Report (NEDC-31974P) provides a complete description of the test procedures and results.
How does the NUMAC RBVRM meet the single failure criterU Provide a.
the failure mode analysis.
The NUMAC RBVRM consists of two independent dMslonalchassis, powered from Reactor Protection Systems buses A and B, respect}vety. Complete failure of a single chassis will not prevent the other from performing its design basis safety function. This redundant configuration and the protoction against common mode failures (See 3.b) ensures that the NUMAC RBVRM sub system meets single failure criteria.
Functionally, the NUMAC RBVRM willinitiate a downscale/inop trip when any
TVA Browns Ferry Nuclear Plant Reply to NRC Request for AdditionalInformation Conceming BFN Unita 1,2, and 3 RBVRM Upgrade Page 4 of 28 single detector in a channel is found downscale or inop, on any critical self test fault, and when the chassis keyswitch is place in the INOP position. Both the downscale/inop and high rad trip output relays are de-energized to trip. This ensures that on loss of power the safety function of the NUMAC RBVRM is not compromised.
b.
Describe how the NUMAC RBVRM is protected against common mode failure.
Source of Common Mode Failure Protection Used a.
Environmental and seismic Environmentally qualifies:f design b.
Component aging Components qualified for 40 year life, except as noted c.
Power supply transients Design withstands surge testing d.
Power failure Trip outputs go to predetermined conditions e.
Software Verification & Validation (V&V) procedure; watchdog timers f.
EMI/RFI EMI/RFI susceptibilitytesting DEFENSE IN DEPTH: Although protection against common mode failures is demonstrated by the above listed methods,in the unlikety event of a common mode failure of the NUMAC RBVRM system, there exists atternato instrumentation that will provido alarms and indication in the Main Control Room. The table below lists the radiation alarms and indications available in the Unit 2 Main Control Room. Units 1 and 3 are similar.
Indcator Ann Sensor Type Locatkri El.
Coord 2-RlMID 2 RAM 1A 2-RE 90-1 ARM RefuelFloor 6S4' R11-p 2-RI M 2B 2EE-90 2 ARM RefuelFloor 664' RIO u 241-90-38 24EM3 ARM RefuelFloor 664' Rios 2-RMM50 2AA-90 50A 24E-90 50 APM RebelFloor 664' R121 l
2-RMM55 2-REM 55 APM Rx Bldg 593*
Rio-t 24MM57 2 RE-90-57 APM Rx Bldg 565' R1H 2-RM 90 58 2-RE 90 58 APM Rx Bido 519' R14-t l
2-RMM250 2-RA-90 250A 2-RMM250 Gas RefuelFloor 664' R4-p 2-RI-90-4A 2-RAMID 2 RE-90-4 ARM RB MG Set Area 639' R10-s -
2 Rl M 9A 2-REM 9 ARM RB - RWCU Area 621' Ret
TVA. Br wns Ferry Nuclear Plant HI(L Reply to NRC Request for AdditionalInformatlon Concerning BFN Units 1,2, and 3 RBVRM Upgrade Page 5 of 28 Indcator Ann Sensor Type Locatkn EL Coord 24l M 13A 24EM13 ARM RB North RWCU koa 593' R9-p 2AI M 14A 24EW14 MM RB South RWCU Area 583' A9-s 2AI M 20A 24EM20 ARM RB WestCAD/HCU 565' A9-r 241 M 21A 2-REW21 MM RB. Eas1 CRD/HCU
%5' R13-r 2AI M 22A 2EEM22 ARM RB VP Rm 565' R12 p 2el M 23A 2aEM23 ARM RB VP Drive
%5' R12 p 2el M 24A 2 REM 24 MM RB HPCI Rm 519' RISu 24l M 25A 2EEM25 ARM RB. Wes1RHR 519' R&c 2al M 26A 24EW2e ARM RB Core Spray /RCIC 519' R&c 241 M 27A 2 REM 27 ARM RB. Core spray 519' R13o 2-RlM28A 2-REM 28 ARM RB East RHR 519' R1341 2-RlM29A 2-RE-90-29 MM RB Torus 519' R12 u 2
2 REM 30 ARM RB FuelPool 664' R12 p
. -RIM 30A
. ie RBVRM system performs the following functions by initiating a PCIS Group 6 isolat en signal.
a.
Isolate Reactor Zone Ventilation b.
Isolate Refuel Zone Ventilation c.
Initiate Standby Gas Treatment d.
Initiate Control Room Emergency Ventilation Isolate H 0, Analyzers and Trip Pumps e.
2 f.
Isolate Post Accident Sampling System g.
Isolate 2 RM 9()256 and Trip Pump h.
Close Drywell Air Compressor Suction Valves I.
Close Drywell and Torus Purge and Exhaust Vatves These functions may be manually performed by the operator in the Main Control Room based on information available from the above listed radiation indicators and alarms.
c.
Describe the NUMAC RBVRM power sources.
Each NUMAC RBVRM instrument utilized at TVA BFNP 1,2,3 contains two low voltage power supplies and a dual high voltage power supply. The low voltage supplies are used for powering the RBVRM circuits and certain portions of the sensor and convertor units (radiation detector) while the high voltage supply is
. ~..
1 l
TVA Browns Ferry Nuclear Plant lasaIllt --
Reply to NRC Request for AdditionalInformation i
Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 6 of 28 i
used only for powering the detectors (Geiger Mueller tubes).
The low vottage power supplies are diode auctioneered prior to their use by the voltage bus. The RBVRM and its respectNe sensor and convertors will continue to operate properly if one of the power supplies is either disabled or removed.
The high voltage power supply contains two sections which are auctioneered prior to their application to the Geiger Mueller tubes. The detectors will continue l
to operate properly if one of the two sections is disabled.
\\
If complete power failure occurs, i.e. all power removed to the entire chassis, both an inoperatNe trip and an upscale trip are generated. This action results in the initiation of system isolation. Upon restoration of power, all system functions assume the state dictated by the current RBVRM input status. No setup actions are requ! red to re initiallze the RBVRM.
l The NUMAC RBVRM is powered externally from Reactor Protection System buses A and B for Divisions I and 11 respectMety. The RPS busses provide regulated 120V AC with over voltage, under voltage, and under frequency protection. There are no provisions for automat 6cally switching the external power supplies to the RBVRM.
d.
Describe the actions upon power failure.
The NUMAC RBVRM has been tested and demonstrated the ability to withstand power loss transients of up to 20 milliseconds, once per second, without changing output status. Upon complete loss of external power, the NUMAC RBVRM output relays will de energize and initiate a channel trip.
e.
Describe the actions upon restart.-
The NUMAC RBVRM will re intilalized upon restoration of power to a state determined by the values of the current chassis inputs, Describe how failures in the non-safety systems or modules do not f.
prevent the anfety systems or modules from performing aafety functions.
The NUMAC RBVRM does not directly interface with any non-safety related equipment. The RBVRM directly interfaces with 1) R_PS power,2) recorder.
l output, and 3) sensor and convertors, All of these interfaces are with safety-related equipment.
tJst and describe the noise sources, accuracy, and instrumentation drift rates of 4.
the present system in detall.
l
.. ~.. _., _. _ _,, _ _ -
_.._,,m
~
'"^ ' ""' "Y "" '**'""'
PIlli Reply to NRC Request for Additional Information Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 7 of 28 The present RBVRM system is susceptible to EMI/RFI noise from nearby power and control cables, and internal noise generated by the analog circuitry. The inaccuracy and drift of the existinD components is mainly attributable to the time and temperature dependent characteristics of the analog components (resisters, transistors, etc.) that make up the existing system.
The known sources of RF energy at Browns Ferry are listed below.
Source Transmitter Recetver Frequency (MHz)
Frequency (MHz)
Repeater F1 172.025 162.025 Repeater F2 173.050 164.250 Repeater F3 173.7625 166.250 Repeater F4 172.450 '
164.750 Security On Site Repeater 171.3875 163.375 Security Off Site Radio 38.98 38.98 Security Sheriff's Radio 465.200 460.200 Paging Transmitter 172.425' NA T & CS Radio 411.825 417.825 Portable Radios 167.100 167.100 Explain why the NUMAC RBVRM drttt rate la lower than the previous one a.
In detall, including the bases for the callbration frequency calculation.
The NUMAC R8VRM drift rate is lower than the previous one primarily because the NUMAC: (1) imposes tighter tolerances on the detector power supply and (2) replaces the analog pulse and DC amplifiers and trip circuits with an instrument loop that includes digital based pulse discriminators and crystal controlled functional computers.
Reduced deviations for the internal power supplies result in less of a voltage change on the Geiger Mueller tube operating slope and thus exhibit less drift in output count rate. The replacement of the analog circuitry with a digitalized one allows the use of precision components that were' not utilized or available when the previous devices where designed 30 years ago.
The calibration frequency extension interval calculation was based upon a 1
'"^'"'"""Y""'""'
Hila Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 8 of 28 thorough examination of the portions of the RBVRM instrument loop that rnight contribute to the overall loop drift. These individual components were analyzed and a drift value assigned to them based on either original manufacturer data or as tested component data. After this sorting process was completed,it was observed that the critical parameters in allowing the calibration frequency interval extension was periodic examinauon and maintenance of the High Vottage Power to the Geiger Mueller tubes. By maintaining the voltage to the tubes within the specifkx! limits,in conjuncuon with NUMAC's automatically initiated self test feature, a calibration interval extension was analyzed and deemed acceptable, b.
Describe the current system's failure history. Is the NUMAC RBVRM subject to the same failures?
The existing RBVRM system (consisting of 4 detectors and 4 radlauon monitors per unit) has experienced 40 equipment failures, initiated 8 PCIS isolations, and has been the cause of 12 Licenseo Event Reports (LERs) in the last 4 years.
The majority of these failures have been due to equipment / component failures-and human error during maintenance / calibration ac0vities.
The NUMAC RBVRM is also subject to equipment / component failures and human error. However, the NUMAC instrument uses high reliability integrated components, which are purchased to military specifications or other high reliability standards in order to minimize component failure rates. The NUMAC built in self diagnostics and calibration procedures will reduce the temporary circuit modifications required for system calibration and simplify any system troubleshooting, thus reducing the potentialfor human error, stated that "The replacement GE NUMAC equipment is more c.
reliable, accurate, and less lik.ely to spuriously actuate than the existing equipment'. Explain why this statement is true and how the NUMAC RBVRM improved them in detall, The replacement GE NUMAC equipment is more reliablo, accurate and less likely to spuriously actuate than the existing equipment when compared to the previouc system components.
The NUMAC RBVRM mean time between failure (MTBF), based on observed failure rates, is greater than 7 years, while the existing analog device had a design MTBF of 1 year. Based on BFN operating history (See 4.b), the existing equipment has an actual MTBF of less than 1.5 years.
The design accuracy of the overa!I NUMAC RBVRM loop is less than 30 percent of point, while the previous analog loop had a design accuracy of approximately
A TVA Browns Ferry Nuclear Plant N
Reply to NRC Request for AdditionalInformation Concerning BFN Units 1,2 and 3 RBVRM Upgrade Page 9 of 28 100 percent of point. This reduction is primarily due to NUMAC's use of precision components and digitalized circuitry to minimize deviations in tolerance.
The NUMAC is less likely to spuriously actuate than the analog device because of the manner in which trip points are initiated. The input signal for NUMAC, which is digital,is compared against a digital trip reference point which reduces the inaccuracy of the trip, hence decreasing spurious trips. The older analog device in contrast, because of the nature of its analog input signal and trip mechanism, is more prone to spurious tripping. Additionally, because the NUMAC signalis converted to a digitalform at the detector, factors such as EMI RF have a much reduced probability of influencing the signallevel and thereby causing spurious trips.
5.
Describe the EMI/RFI qualification criteria. This should include test plant, procedures, test equipment, test results, and expected noise sources and frequencies.
The NUMAC RBVRM was subjected to and passed the following EMI/RFI test criteria:
Equipment must operate within acceptance limits for 300 Vp-p oscillations at a.
l 1/2 to 1 Hz repetition rate with a damped oscillation of 6 to 7 Hz at 100,200, 300, 400 and 500 kHz (power leads), (see 249A1238, EMI SusceptibilityTest Guide).
b.
Equipment must operate within acceptance limits for 5 Vp-p oscillations from 0.5 to 100 MHz at a rate of 1 to 5 MHz/Sec (power leads), (see 249A1238, EMI SusceptibilityTest Guide).
Equipment must operate within acceptance limits when six (6) one shot c.
transients (from a model 510 Surge Transient Generator set to 2500 Volts) are applied to AC input line and to relay contacts of TB 1.
d.
Equipment must operate within acceptance limits for 300 Vp-p oscillations at 1/2 to 1 Hz repetition rate with a damped oscillation of 6 to 7 Hz at 100,200, 300, 400 ard 500 kHz (signalleads), (see 249A1238, EMI SusceptibilityTest Guide).
Equipment must operate within acceptance limits for 5 Vp p oscillations from e.
O.5 to 100 MHz at a rate of 1 to 5 MHz/Sec (signal Leads), (see 249A1238, EMI SusceptibilityTest Guide).
f.
Equipment must operate within acceptance limits when subjected to an electric -
field of 65 V/M, 20 to 990 MHz (something like SAMA PMC 33.1 1978, Class 3, except a probe is used rather than a fixed antenna, and no digital modulation or keying is used).
In addition, other NUMAC instruments, similar in general design to the NUMAC RBVRM, was subjected to and passed the following EMI/RFI test criteria:
L-
' " ^ ' ' ' " " ' ' ' " " " " ' ' ' ' " ' ' " '
Rllt Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 10 of 28 a.
With no signal or power leads attached, sequences of +/ 3 KV pulses are applied via capacitors to power input and other selected I/O points. After each application, signalleads are attached, power is applied and equipment tested to specification. Pulses are applied between power leads, between power leads and chassis ground, and between power leads and signalleads, b.
With power on and with external circuits simulated by impedances, a 250 voit sinusoid is applied at selected I/O points. The equipment must meet specification with the interfering signal applied. Sinusoids are applied between output leads, between output leads and chassis ground, and between chassis grounds of connected equipments.
With power on, bursts of short (up to 50 nS) sawtooth transients, +/ 2 to 4 KV, c.
are simultaneously applied (via 2 meter long wires) to selected signal and power 1/O points, to selected chassis ground points, and to selected cable and chassis ground points. The equipment must meet speerfication with the interfering signal applied, d.
With power on, a damped 1 MHz sinusold (1 KV or 0.5 KV max) at a repetition rate of 300 to 500 per second are simultaneously applied (via 2 meter long wires) at selected signal and power 1/0 points, and at selected chassis ground points. The equipment must meet specification with the interfering signal applied.
With power on, a 10 V/M (min) electric field over a frequency range of 27 to e.
500 MHz is applied (via a probe) to the instrument, especially where there are connectors, openings, seams, joints, etc. The equipment must meet specification with the interfering signal applied, f.
The output of a electrostatic discharge simulator set to test levels of 2,4 and 8 KV is applied to various accessible portions of the equipment being tested. The equipment must meet specification with the interfering signal applied, What is the input range of the NUMAC RBVRM7 la it different that the a.
existing (RBVRM)?
The input range for the NUMAC RBVRM extends from 0.1 counts per second to 1.52E5 counts per second. These values are translated to radiation units of 1E-1 to 1E+3 mR/hr for the Reactor Zone Vent and 1E+1 to 1E+6 mR/hr for the Refueling Floor Zone. These do not differ from the existing radiation monitors now in place.
b.
Ust and describe the grounding standards and/or methods used for installing the NUMAC RBVRM system to minimize the ground loops, low fault current retum path, and circuit loop area.
The NUMAC RBVRM sensor and converter wiring is grounded at the NUMAC chassis, and the recorder output wiring is grounded at the recorder. The e,.,
c
4
]
TVA Browns Ferry Nuclear Plant Reply to NRC Request for AdditionalInformation d.
Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 11 of 28 NUMAC chassis itself is connected to the existing panel ground bus. The NUMAC RBVRM internal grounding is controlled by GE Design Specircation 23A4977 (attached).
c.
Describe the precautionary steps taken by TVA to minimize the electro-static discharge (ESD).
The NUMAC RBVRM Operation and Maintenance manual (GEK 97130) provkfes information on how to avoid electrostatic vottage damage to vulnerable modules while servicing the instrument cards. These include such precautions as:
Always using grounded work surfaces a.
b.
Grounding all tools and test equipment Having the technician connect himself to ground using a conductive c.
bracelet d.
Not wearing clothing made of nylon or other static generating material Never removing or inserting a card in a card file with power applied to e.
the card d.
Describe the precautionary stops taken by TVA to prevent damages caused by dust and smoke.
The NUMAC RBVRM chassis are located in the Units 1,2, and 3 Main Control Rooms Given the controlled environment in the control rooms, dust and smoke are not deemed to be a concern.
6.
Describe the NUMAC RBVRM factory and site acceptance test criteria, and provide test results.
Of the many tests run at the factory the Validation Test is the most meaningful since this is a system test with both hardware and software. This Validation test is described by the NUMAC Plans 23A5161,23A5162 and 23A5163 which were applied to the WA RBVRM Job. The actual Validation Test and Test Report (GE DRF A00-04032) for the TVA RBVRM is attached.
The site acceptance test consis5 of a post modification test. The post modification test ensures that all components have been installed correctly and verifies that the NUMAC RBVRM operates correctly and accurately. Test scoping document PMT 230 is attached, Describe the infant mortality screening criteria for the non-military n.
Integrated circuit components.
See reply to question 1.
. ~. -
.~
_, _ ~.. _ ~
sua TVA Browns Feny Nuclear Plant E Ull Reply to NRC F'.equest for AdditionalInformation Concerning BFN Units 1,2, and 3 RBVRM Upgrade Page 12 of 28 7.
Software:
a.
Ust all the software requirements that are different from the software requirements and commitments reviewed in the NEDO31439NUMAC WRNMS SER.
The requirements for the RBVRM software design process are the same as described in and committed to in NEDO 31439-A. The functional requirements for the software as, of course, offferent since the RBVRM performs different functions that the WRNM.
b.
Explain how the NUMAC RBVRM meets the RG1.152/ ANSI /IEEE 7-4.2.3.2 requirements. This should include V&V summaries and reports, the description of procedures and policies for technical review and audit functions, software reviews and audits, software test and analysis, dynamic system testing simulating normal and design basis events, and an Independent stage to-stage verification. Also explain the procedures following the detection of software erTorn or coding discrepancies.
~
NEDO 31439-A, Appendix E. Section E2, ' Software Verification and Validation (V&V)', including Table E 1, *NUMAC Design Process Compliance with ANSI /IEEE 7 4.3.21982 (Reg Guide 1.152), applies directly to the NUMAC RBVRM.
The actions taken upon the discovery of software errors depend on where in the process such errors are detected. in general, when a software error is detected and corrected, sufficient prior testing is repeated to confirm the validity of the correction and to insure that the correction itself did not introduce additional errors.
What software language la used? Explain the reasons for selecting this c.
l language, la software programmed using object oriented programming concepts? If not, explain why.
The high level language used for the RBVRM's functional computer (which performs the instrument's safety related functions) is PUM 86, and that for the display controller is PASCAL The reasons PlJM 86 and PASCAL were used are the following:
a.
Suitabilityand applicabilityof the languages b.
Same languages used in all previous NUMAC designs Availability of compilers for use with GE's software development stations c.
d.
Familiarity of GE software designers with these languages
t TVA Browns Ferry Nuclear Plant i
Reply to NRC Request for Additionalinformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 13 of 28 All of the coding done for the Digital Sensor and Converter as well as a limited amount of coding for the functional computer and display controller was performed in Assembly Language. The assemblers used depend directly on the microprocessors invoked.
d.
Are there any changes to NEDO-30883 since the NRC reviewed and wrote the SER7 There have been no changes in NEDO-30883 A since its issue in January,
- 1987, Explain the NUMAC RBVRM's defense against common mode failure.
e.
See response to 3.b.
f.
Explain the NUMAC RBVRM's Interrupts and endless looping protection.
(Upon) detection of an endless loop,is re' start possible without causing damage to the system?
There are watchdog timers on the Computer Module and the Open Drain 1/0 Module which must be periodically reset. Should the functional computer go into an endless loop these timers will not be reset. Timeout of the Computer Module's timer will cause the RBVRM to reset. Time out of the Open Drain 1/0 Module's timer will cause trip outputs to go into the trip (safe) state.
Whenever an interrupt is executed, the contents of all computer registers (i.e.,
the computer's current state) are remembered by placing them on the computer's ' stack' (a location in memory). When the interrupt is over, the computer la returned to the state it was in when interrupted. This procedure is also followed when there rJe interrupts cf interrupts. The use of interrupts does not exempt the resetting of the watchdog timers.
The NUMAC functional computer responds to a maximum of nine interrupts, six of which are used in the RBVRM design. The six valid RBVRM interrupts are l
listed below, a.
IROO Watchdog Timer l
b.
IRO1 Bus Timeout IRQ2 Sensor and Converter Communication and Calibration l
c.
d.
IRO3 NM86 Operating System Timer l
e.
IROS Display Communication L
f.
NMI Power Failure The NM86 operating system ensures that the main processing loop executes l
l
[
a nm TVA Browns Ferry Nuclear Plant Hila Reply to NRC Request for AdditionalInformation Concerning BFN Units 1,2, and 3 RBVRM Upgrade Page 14 of 28 every 200 milliseconds.
g.
For software modificatJons, how much retast la requirsd? Describe the software modification process.
Software modifications are performed utilizing the same process and software management plans that are used to create the original software. The amount of retest is dependent on the type and extent of the software modification. The software design engineer is responsible for determining the amount of retesting and that determination must be verified by an independent software engineer.
In the past, most changes (even minor enanges) have resulted in a complete retest in order in ensure that there were no adverse impacts due to the change.
6.
Describe the compiler and the other tools used by the NUMAC RBVRM. Explain why this particular compiler is selected. Describe the compiler's operating history. Were there any failures or rnodificatlorts? Explain in detall. Describe the procedures for updating the compiler. This should include the description
- of rotest.
See response to 7.c.
Besides compilers and assemblers, tools used to develop RBVRM software include a.
Loaders - determine where in memory compiled and assembled programs are to be placed.
b, Linkers bring together the various sub-programs that constitute the overall program c.
In circuit emulators - used during code development to allow programs to reside in external Random Access Memory (RAM) rather than in Erasable Programmable Road Only Memory (EPROM). This RAM is part of a larger piece of development equipment which allows for a more convenient way to change and recompile/ reassemble high level coding, perform trouble shooting, read and analyze data stored in memory, etc.
d.
Library routines - software packages used to perform floating point arithmetic l
that comes with compilers and are made part of the RBVRM's software
(
j in the case of the functional computer, GE uses the compiler, support software and software development station made by the manufacturer of the computer's microprocessor. On rare occasions, errors will be found in the compiler (i.e., incorrect performance of software is traced to a fault in the compiler). When this happens, a workaround in the software is performed and the software ' bug' is recorded so that the erroneous portions of the compiler can be avoided in the future. Updated versions of the compiler are not used since such updates might introduce further errors.
i TVA Browns Ferry Nuclear Plant ma nlli Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 15 of 28 The case of the display controller is the same except that the compliar, support software and software development station is made by someone other than the i
manufacturer of the computer's microprocessor.
9, is the configuration management plan the same as the plan reviewed in the NEDO-31439 NUMAC WRNMS SER7 The Configuration Management Plan used for the RBVRM is the same as the one reviewed in NEDO 31439-A.
10.
Describe the software and hardware Integration test summaries. This should include samples of some test plants, procedures, list of test equipment, and test results.
The NUMAC RBVRM Validation Test and Test Repori (GE DRF A00-04032) for the TVA RBVRM is attached.
11.
Microprocessor:
Describe the word formats used by the NUMAC RBVRM in detall. What a.
were the reasons for selecting these fonnats?
The data format for communications between the Sensor and Converter microprocessor and the NUMAC chassis functional microprocessor is governed by the Digital Sensor and Converter Performance Specification 23A5071 (attached). The data format for communications between the functional microprocessor and the display microprocessor is specifieci by specification 23A5211 (attached). These formats were selected based on hardware requirements and engineering experience, b.
What happens if lilegal words or Invalid words are detected? Explain in
- detall, lilegal and/or invalid words are detected and ignored. To accomplish this, for example, the Sensor and Converter microprocessor will generate a message string as defined on page 22 of 23A5211. This message string contains a unique 16 bit checksum number calculated by the Sensor and Convertor microprocessor for that particular message string. When the NUMAC functional microprocessor recetves the message string it also calculates a 16 bit -
checksum number for the message string and compares it to the embedded checksum number, if the checksum numbers do not agree, the message is discarded, if five invalid messages in a row are recetved, a self test error is initiated causing a downscale/inop trip to be generated, intemal NUMAC RBVRM messages strings are validated similarly (see 23A5211).
TVA Browns Feny Nuclear Plant Reply to NRC Request for Additjonal Information Concerning BFN Units 1,2, and 3 RBVRM Upgrade Page 16 of 28 12.
Calibration & Self Test:
Describe the callbration and self test procesa in detall using engineering a.
schematics.
The NUMAC RBVRM calibration process will consist of placing the Sensor &
Converter units in a known radiation field and verifying instrument accuracy, setpoints, and operability. Regular Surveillance Instructions similar to Post-Modification Test PMT 230 will be developed to accomplish this.
t The term 'self testing' applies to NUMAC test features that occur automatically without user intervention (except for requesting status displays). The term
' calibration'is used to describe those test features that are initiated manually by the user. The NUMAC RBVRM is equipped with a self test system that allows it to automatically test itself and report any failures resutting in the loss of a safety related function. At a minimum, the following is self tested.
The detector polarization output voltage is checked, with a voltage a.
exceeding 210% of setpoint considered as a critical failure, causing an INOP trip.
b.
Each output voltage of each power supply is tested. For redundant diode auctioneered power supplies, the resulting end voltage is'also j
tested. Any voltage out of specifkation which could cause the loss of a i
safety related function will cause an iNOP trip.
Trip output circuits are tested to ensure that each can be set to both the c.
tripped and untripped states. The inability set / reset a trip output circuit is considered a critical failure and causes and INOP trip.
d.
Software checksums are calculated by self test and compared to actual checksums. Any discrepancies detected will result in an INOP trip.
t When the instrument is in the operate mode, testing does not cause any trip output to change state. Testing that would cause a change of state of trip outputs is only performed with the instrument in the INOP mode. The circuitry that must be tested in the INOP mode has been kept to a minimum.
To the extent possible, the operation of the instrument from front end to trip circuit is tested. Testing may be performed on piecewise basis provided there is sufficient overlap.
The self testing function of the NUMAC RBVRM will not inhibit instrument performance in either the OPERATE or INOP mode, nor cause erroneous trip when in the OPERATE mode.
Self testing will cover at least 90% of all hardware circuit components
i TVA Browns Feny Nuclear Plant Reply to NRC Request for AdditlonalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 17 of 28 performing safety related functions. When in the OPERATE modo, self testing is automatic and a complete self test is conducted at least once every thirty minutes. When in the INOP mode, self tottirg la performed on a user demand basis. The results of self testing are reported as follows, When one or more failures have been detected, that fact is indicated on a.
all displays for the duration of the failure (s). The NUMAC RBVRM is capable of displaying each detected failure and its location to at least the module level upon request by the user if it is not possible to locate a failure to a given module (e.g., a failure of a bus line) a best estimate analysis is provided. If more than one failure occurs, the failures are displayed in approximately chronological order.
b.
Trip output status is provided, The NUMAC RBVRM is capable of providing a separate self test trip.
c.
The specific requirements for the incorporation of this operation are dependent on the specific application:
All self test software is stored on EPROM which is not afterable by the NUMAC instrument and will not be lost by a power failure. The self test software accesses RAM to comp.
user settings to actual values, b.
What Information la stored in the static memory and non-static memory?
2.1.1 Essential Microcomputer Explain the purposes of resetting the timer circuit. Why is it done by a.
software?
The (watchdog) timer is a way for software to communicate to hardware the state of the software's health.
The timer is a circuit containing a capacitor which, if allowed to charge to a predetermined voltage level, will cause a reset pulse to be sent to the functional computer. If, for some reason, software becomes ' lost
- such a reset will enable the computer to restart a specific, controlled way, important parameters, such as setpoints and other channel parameters, will have been stored in the computers non-volatile memory (EAROM) and woud not be lost during the restart process.
As long as software is executing property (i.e., it is not lost), it will provide for pulses to be sent to the watchdog timer on a regular basis (the interval between reset pulses is not fixed because of the event driven nature of the computer).
Each reset pulse to the timer cause the capacitor to discharge and start
k TVA Browns Ferry Nuclear Plant i
Reply to NRC Request for AdditionalInformation Concerning BFN Unita 1,2, and 3 RBVRM Upgrade Page 18 of 28 rocharging from zero votts. Thus, as long as pulses are receked approximately every 100 milliseconds, the capacitor will never charge to the predetermined voltage level and the computer will not be reset.
b.
Explain how the NUMAC RBVRM trip relays go to their default state (tripped state) If they are not reset by the essential microcomputer approximately every 120 milliseconds.
Another watchdog time is found on the Open Drain 1/O module which, under direction of the functional computer, physically controls the tuming on and off of coil current to the trip relays. If the voltage on the timer's capacitor is allowed to reach a predetermined voltage level, the module's circuitry will force the relays to their tripped states.
c.
Explain why the trip setpoint drtit is non-existent due to the digital nature of the system.
In the old RBVRM, there was drift both in the mR/hr reading (pulse to analog converter circuit in the Sensor & Converter and signal amplifier in the Indicator
& Trip Unit) and in the trip unit (trip comparator circuit). Thus there was drift in both the mR/hr reading and the trip point.
In the NUMAC RBVRM, there is a (negligible) drift in the signal circuit (all digital) and no drift in the trip unit (algorithms and trip values stored in the computer do not change with time or ambient conditions). Thus, there is negligible drift in the mR/hr reading and no drift in the trip point.
2.1.3 High Speed Parallel Data Bus a.
What are the purposes of using a parallel data bus?
Data such as input count rates, power supply voltage values, output status values, etc., flow on this bus. The parallel bus is used to connect the internal instrument modules, such as the processor module, the communications module, etc. A parallel bus is used because it provides for faster data transmission than a serial bus. -The relative difference in speed between a parallel bus and a serial bus is approximately enual to the number of lines in the parallel bus (16 for the NUMAC RBVRM's data bus). The need for speed is important in real time computers such as those used in the NUMAC RBVRM and other NUMAC instruments, b.
What controls the bus lines? Explain how it controls the bus lines.
Describe the actions upon detection of data error. Describe the actions
I zum TVA Browns Ferry Nuclear Plant Ellli Reply to NRC Request for AddluonalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 19 of 28 upon detection of command word error (Illegal or invalid command words)?
GE's NUMAC Bus Specifica6on determines such items as bus design, bus control, protocols, voltage levels, timing, etc. The program determines what addresses, data, control signals, etc are placed on the busses and other control lines at any given time. Environmental qualificauon testing is used to demonstrate that modules meet the bus specification. The V&V procedure is used to demonstrate proper operation of the software and proper software / hardware integra6on.
Since the NUMAC RBVRM runs from a fixed program imbedded in read only memory, illegal or invalid instructions (or addresses) should not be encountered. If, somehow, an incorrect instruction or address is placed in the computer's registers due to ' noise", one of several things would happen: (1), a bad computation is performed, the effect of,which will be minimized due to integration; (2), an alarm or self test error would occur; or (3), the program will get " lost' and a watchdog timeout will occur.
2.1.4 Serial Data Unk a.
What controls the bus lines? Explain how it controls the bus lines.
Describe the actions upon detection of data error. Describe the actions upon detection of command word error (lllegal or Invalid command words)?
Two types of serial data link are encountered in the RBVRM, one between Sensor & Converter and RBVRM Chassis (via a signal splitter), the other between the functional computer and the display controller within the RBVRM
- chassis, For each type of serial data link, a bus specification determines such items as i
bus design, bus control, message structures, protocols, voltage levels, baud l
(data transfer) rate, etc, The program determines what data are placed on the busses at any given time. Environmental qualification testing is used to demonstrate that modules meet the bus specifications. The V&V procedure is used to demonstrate proper operation of the software and proper l
software / hardware integration. In both cases, received messages are checked l
for transmission errors, if too many occur in a given period of time a en6 cal l
fault is announced in the case of the Sensor & Converter to RBVRM link, and a communication fault error is announced in the case of the internal RBVRM link.
Command words are not transmitted over serial data links.
l L
_ ~ _
i TVA Browns Ferry Nuclear Plant ma 11111 Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 20 of 28 b.
Describe the data communicatlon method used. Explain the tsasons for selecting this method.
Serial data communication between the Sensor & Converter and the RBVRM chassis is in accordance with industry standard RS 485. This protocol was chosen for reliability of communication over the existing cabling.
Serial data communication within the RBVRM chassis (between functional computer and display controller) is not to any particular industry standard because all communication is internal to RBVRM and all aspects of it are within the control of the RBVRM's designers. Serial communication was chosen in order to' minimize the impact of failures in the display controller (which does not perform any safety related functions) upon the functional computer (which does). This arrangement allows for the complete independence of microprocessors, memories, and control and data busses of these two devices.
2.1.5 Instrument Power Supplies How long la the system Interrupted when the power supply is switched a.
from the main power supply to the alternative power supply in the event of a main power supply fallure? Are they Independent?
Both instrument power supplies within the RBVRM chassis are left 'on' at all times. The +5 Vde, +15 Vdc and 15 Vdc outputs of those supplies are auctioned by means of steering diodes and there is no time involved in switching from one of the +5 Vdc outputs to the other, etc.
The two instrument power supplies are independent. Of course, they both receive their input power from the same source.
2.1.8 Digital Sensor and Converter (Detector)
What is the required response time (reset 100 ma, re-Initialization 120 ms).
a.
What information la stored in the EPROM an RAM 7 Explain in detall.
The Digital Sensor & Converter keeps track of the total number of pulses counted and the current time and sends these data to the RBVRM when requested (every 200 milliseconds).
i The computer program uwd to perform the Digital Sensor & Converter's functions are stored in its EPROM. The contents of the EPROM are never-change. The results of computation and self testing, intermediate data, and time varying data needed to operate the computer are stored in RAM. The contents of RAM are volatile and change with time.
~
7q TVA Browns Ferry Nuclear Plant i
Reply to NRC Request for AdditionalInformation Conceming BFN Units 1,2, and 3 RBVRM Upgrade Page 21 of 28 b.
What is raw count rate?
From a knowledge of a Sensor & Converter's currently transm!ttod pulse count and time and as well as the previously transmitted pulse count and time, the RBVRM's functional computer can compute what is referred to as the raw count rate (the pulso count difference divided by the timo difference).
Due to counting statistics, the raw count rato can vary widely from one computation cycle to the next, especially at very low count rates. Therefore, the
- ,_ _r w count rato is filtered by the process computer. The fittered dose rato is a linct function of the dose rato except at high count rates where it falls off due to pulso pilo up. The process computer adds a correction for this. The filtered and pulse pilo up-correctedvalue of the raw count rate becomes the dose rate used for making trip comparisons.
In the statement 'A watchdog timer circuit is utilized to provide a hardware c.
roset of the micro controller if it is not pulsed on a regular basis", explain*
the definition of regular basis.
The watchdog time on the Digital Sensor & Convorter is similar to the one on the Functional Computer Module and the Open Drain 1/0 Module (see response to 2.1.1a). The Sensor & Converter's software is designed so that its sends a pulse to the watchdog timer at least every 100 milliseconds. If the timer does not recetvo a pulse within 100 milliseconds,it causes the Sensor &
Converter's computer to reset.
d.
When does it get Initialized? Explain more on a paitlai power up soif test of power, EPROM, and RAM.
The Digital Sensor & Converter's computer is initialized whenever power is applied, when the watchdog timer timos out, and when commanded by the RBVRM. It takes approximately 1 second to initialize.
2.2.1 Essential Microcomputer Software Explain the self test functions. It should include the following: 1) Explain a.
the selected voltages and registers that are being read during the test,2)
How does it operate,3) what units are tested, in the Operate Mode, self test is a continuously running task running in background. In the Inop Mode, it only operates in the foroground when requested.
Setf test checks the status of each module in the RBVRM that perform
WA Browns Ferry Nuclear Plant N
Reply to NRC Roquest for Additional Information Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 22 of 28 safety related tasks. The checks performed depend on the module tested.
Some typical test performed are the following (not a complete list):
On the Open Drain 1/0 Module, an analog measurement of eac? digital a.
output to verify correctness.
8 b.
Analog outputs of the Analog Module are also measured to verify correctness. The Analog Module's A/D converter is tested by having it measure a known signal.
The Communications Modules are tested by sending test data to them c.
and having them retumed for verification of correctness. Messages sent/ received via the modules have their check sums calculated and compared at each end of the transmission.
d.
On the Cornputer Module, RAM is checked by performing read / write tests and EPROMs and EAROMs are checked by calculating their check sums and comparing results to stored values, The output volteqes of the two high voltage power supplies are c.
measured.
f.
Self test measures the +5 Vde, +15 Vdc and 15 Vdc output voltages '
from the two instrument power supplies as well as the output voltages of
+5 Vde, +15 Vdc and 15 Vdc diode auctioning circuits (a total of nine voltages).
Several of the modules have imbedded in their circuitry (hardware) a code which klentifies the module's type. This coding is read during self testing. The modules are designed to reside in specific locations in the RBVRM's cardfile, if cardfile location and module type coding do not match up during self testing, a critical fault exists and downscale trip will be issued.
A list of all self tests performed can be found in the RBVRM User's Manual. A copy of the User's Manual may be found in the RBVRM O&M Manual, Are there any alarms or wamings which wam the operator from setting the b.
trip too low or too high?
Software in the RBVRM prevents a user from setting upscale trip points above the selected meter scale or downscale trips below the scale. No checks are made of setpoints within meter scales.-
Explain how the trip output circuits are not tested in the Operate Mode.
c.
Explain it with the Engineering Schematic.
Trip outputs are measured using tha Analog Module. The results are compared against expected values.
TVA Browns Ferry Nuclear Plant i
Reply to NRC Rarquest for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 23 of 28 2.2.2 Display Microcomputer Software a.
What are the software's responses to the detection of software errors?
Can the NUMAC RBVRM tolerate some software errors? How does software detect hardware failures?
No checking for software errors, per se, is performed. Firmware installed in the RBVRM (1.o., imbedded in EPROMs) will have been developed using the established V&V proceduro, in the RBVRM, the checksums of the various EF"10Ms are continuously calculated (as part of the self test process) and compared against their values as imbedded in the EPROMs. In this way, changes in the EPROMs containing the software can be ustected. A checksum error is a Critical Fault and will result in a downscalo trip.
If software gets ' lost *, a reset will be performed.
Software detects hardware faults by olther by directing the RBVRM's built in Nottmeter" (the Analog Modulo) to take measurements which can then be compared by the functional computer against expected values, or by causing signals to be injected into parts of the instrument and observing results.
2.3.2 What is input count? Explain in detall using engineering schematics. Also I
explain how and why they are generated.
Soo the response to 2.1.Ba.
2.3.3 Uct the 16 input keys.
The sixteen input keys consist of ten numeric keys (0 through 9), a clear entry (CE) key, an accept entry (ENT) key, three math function (+,, EXP) keys, and a decimal point (.) key.
2.4 Solf Tost isolation Ust and explain the circuit voltages and the registers that are being read a.
during the self-test.
See the response to 2.2.1a b.
How does the microcomputer accomplish memory check, and an inventory of Instrument hardware?
Soo the response to 2.2.1a
-.+1
-_.._,y r-1
' " ^ ' " ' " " ' ' ' " * " " * ' ' ' ' " ' ' " '
IVfil Reply to NRC Roquest for Additionalinformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 24 of 28 3.3.6 a.
Describe and provide the following: 1) all EMI/RFI standards followed by the RBVRM, 2) test procedures,3) test setup,4) test equipment, and 5) test data.
Soc the response to 5.3.3.6b b.
What were the reasons for not taking normal meter fluctuation of the meter and the bug source into account when establishing the baseline acceptance values? Explain in detall.
During EMI testing, radioactive sources were so arranged that normal (baseline) readings would be well upscale. If this were not done (eg, normal bug sources were used) readings would fluctuate due to normal counting statistics and this mignt tend to mask fluctuations caused by the EMI.
3.5.1 What are the reasons for the refuel zone rango change from five decades from' 1E+1 to 1E+6 mr/hr and the reactor zone change from 1E 1 to 1E+3 mr/hr?
The NUMAC RBVRM refuel and reactor zone ranges are the same as the existing RBVRM ranges.
(
l 3.5.4 Response Time a.
Explain more.
The response time of the NUMAC RBVRM instrument loop is defined as that elapsed period from the exposure of the local detector to radiation until the i
control room chassis provides its trip output.
This time intervalis dependent upon the following factors: (1) the decade in which the signal originates (background), (2) the magnitude of the changing radiation signal and (3) the upscale setpoint location.
I In order to minimize the statistical uncertainties in count rates at low levels, the NUMAC RBVRM is programmed with a varying response time as the decades change. At the bottom decade, the overall instrument loop is provided with a 150 second time constant. This value changes as the decades increase until, at the highest decade, it reaches a 2.5 second response time.
When the detectors are subjected to the radiation levels associated with the Fuel Handling Accident (see BFNAPS3-015 ' Safety Umits for the Reactor Building Ventilation Exhaust Radiation Monitors"), the magnitude of the source
TVA - Browns Ferry Nuclear Plant N
Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 25 of 28 term is sufficient enough to provide a step increase into the decade with the fastest time retponse.
in the case of the NUMAC RBVRM for TVA BFNP 1.2,3 with a background of approximately 1 mR/hr, setpoints of 72 mR/hr and an instantaneous Fuel Handling Accident greater than 1000 mR/hr, the resultant exponential signal increase results in total elapsed time of less than i second.
3.8 & 3.9 Calibration & Self test Explain'the calibration and self test process in detall using engineering a.
schematics.
See Question 12.
b.
Where does the NUMAC RBVRM stors the calibration and set point values?
Calibration and setpoint values are stored in EAROM and are not affected by power bss.
4.1.1 Does the definition of software include firmware?
a.
Yes. The term ' software' is applied to computer programs (whether in source, object or machine code format) that are not directly usable by the functional computer or display controller. The software is only directly usable when it is in machine code format and loaded ready to execute in the memories associated with these computers. In the RBVRM, integrated circuits (hardware) called EkK:trically Programmable Read Only Memory (EPROM) are used to hold this ready to execute code. Once entered into EPROMs at the factory, coding cannot be changed by the circuits in the RBVRM. These EPROMs are termed 1rmware', hardware circuit elements that contain software, Describe the organization and show that the softwam design team and the b.
verification and validation team are Independent. This should include the chain of command for the organization.
The technical verification reviews are done by qualified indkiduals or groups not directly invoNed in the design. Personnel selections are made using procedures and criteria developed for other nuclear safety related verifx:ation work to assure both a reasonable level of Independence and technical
TVA Browns Ferry Nuclear Plant M
Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 26 of 28 competence. The selections include organizationally independent reviewors when that can be reasonably achieved.
For additionalinformation on V&V Independence refer to GE letter MFN-053 90, dated May 23,1990, from David J. Robare to J.C. Stewart, Nuclear Regulatory Commission (attached).
A.
Describe the NUMAC RBVRM operating history and the failure history in detall.
The f ailure history should include the reasons for fallures an their corrective action (s).
The following 15 a summary of all reported failures of modules found in the RBVRM.
These modules are, of course, not unique to the RBVRM and may be found in various NUMAC instruments. The summary includes failures through December, Ift91. For purposes of discussion, the chassis (less front panel, modules, and power supplies) and the front panel are, in themselves, considered
- modules'.
Module Ooeratina Hours Failures MTBF (Hrs)
Low Voltage PS 16,791,640 11 1,526,531 Computer 8,395,920 8
1,049,490 Display Control 8,395,920 7
1,199,417 Analog 8,493,840 19 447,044 16-Ch Analog Out 195,640 0
Open Drain 1/0 642,240 1
B42,240 RS422/485 Comm 224,640 0
Dual HVPS 159,840 0
Chassis 8,395,920 4
2,098,980 Front Panel 8,395,920 3
2,798,640 The first four modules are found in all NUMAC instruments and, with exception of the Analog Modute, all have a Mean Time Between Failure (MTBF) exceeding 1 million hours. The MTBF of the Analog Module, though lower than those of the other three, is nevertheless acceptable. Over the years, design Improvements have been incorporated in the module and the reliability grades of components improved, when such improvements became available. The Analog Module is currently being redesigned.
The three I/O modules and the High Voltage Power Supply (HVPS) are not as widely used as the first four modules and there has only been one failure recorded among them.
.rm.wv-y
--r
..m..
TVA Browns Ferry Nuclear Plant A
Reply to NRC Request for AdditionalInformation Concerning BFN Units 1,2, and 3 RBVRM Upgrade Page 27 of 28 As expected, the MTBFs of the chassis and front panel are high (in excess of two million hours) because they contain few actNe components, it should be noted that the above data include both failures incurred during operation and failures incurred on laboratory benches during testing.
I B.
What digital component (s) In the RBVRM chassis is (are) rnost likely to fall?
What steps are taken to detect the failure (s) and what steps are taken to prevent the f ailure(s)?
In general, there have been few problems with the digital components in any NUMAC instrument ano self test has been successfulin detecting them. Severe problems with digital components (those requiring immediate redesign and retrofit) have not occurred. The main causes OF failures of any kind are the following:
Miswiring at/to an instrument's input / output ponnectors. Newer designs a.
improve the protection given at these points, b.
Mishandling and/or improper installation of instruments.
A single cause of failure (eg, random component or I/O failure) may have a c.
ripple effect and take out components on various modules.
C.
la there a warning if one channella bypassed?
The RBVRM system is designed in accordance with Sections 4.11 through 4.14 of IEEE 2791971 that address bypasses.
D.
Ust all the locations that RBVRM components will be residing, and list the environmental conditions of each location.
The NUMAC RBVRM chassis are located in the Units 1,2, and 3 Main Control Rooms.
The Sensor & Converter (detector) assemblies and signal splitters are located on the RefucI Floor. Environmental Parameters are shown below.
l EnvironmentalConc9tions Componont Location Temp (oF)
Press RolHum Radiation (TID)
Units 1,2 and 3 Mn 60 Mh 12 pela Mh 10%
f NUMAC RBVRM Main Control -
Norm 76 Norm Atrn Norm 50%
Norm 200 R Chassis Rocen Max 104 Max Atm Max 90%
Acc 500 R NUMAC RBVRM Mn 54 Mh 12 psia Mh 10%
Sensor & Converter Norm 80 Norm Atm Norm 55 %
Norm 700A (detector)
RefuelFloor Max 100 Max Atm Max 90%
Acc 1.9E4 R 1
l
-=
t N
TVA - Browns Feny Nuclear Plant Reply to NRC Request for AdditionalInformation Concoming BFN Units 1,2, and 3 RBVRM Upgrade Page 28 of 28 EnvironmentalCcnditicns Ccsnponent Location Temp (oF)
Presa Rol Hum RaC.afon (TID)
Mb 54 Mn 12 psia Mn 10%
Norm DO Norm Atm Norm 55 %
Norm 700 R NUMAC RBVRM Ggnal Spirtter Refuel Floor Mar 100 Max Atm Max 90%
kc 1.DE4 R Describe the training program for this new system. This should explain who is E.
being tralned on what.
An orientation Seminar will be provided by a GE RBVRM Design Engineer. The seminar will bo directed toward personnel who must interact with the NUMAC electronics or need to understand its operation. The seminar will be conducted twice and has the following content:
Familiarization with the des'gn a.
b.
Description of the operation Seti Test system description and use c.
d.
Error diagnostics System inputs and outputs e,
f.
Set up instructions Use of NUMAC options and features g.
h.
Calibration 1.
Changing set points and testing sotpoints The test for the Orientation Seminar will be the O&M Manual. The Orientation is not a formal class room training by a cortified instructor.
1