ML20127C024
| ML20127C024 | |
| Person / Time | |
|---|---|
| Site: | Prairie Island  |
| Issue date: | 01/04/1993 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML20127C001 | List: |
| References | |
| NUDOCS 9301130260 | |
| Download: ML20127C024 (6) | |
Text
r
/
'o UNITED STATES
~,
[']3y h
NUCLE AR REGULATORY COMMISSION WASHINGTON, D C 20555
%, '...../
ENCLOSURE 3 SAFETY EVALVATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION AUDIT OF LOAD SE0VENCER IMPLEMENTAT10B
((0RTHERN STATES POWER COMPANY PRAIRIE ISLAND NUCLEAR GENERATING PLANT. UNIT NOS. 1 AND 2 FACILITY OPERATING LICENSE NOS, DRP-42 AND DRP-60 DOCKET NOS 50-282 AND 50-306
1.0 INTRODUCTION
The staff had previously reviewed the Prairie Island implementation of the safeguard load sequencer (SLS) and provided a Safety Evaluation (SE) dated April 28, 1992 which has been revised and is provided as Enclosure 2 of this letter.
As a result of this review, there were five open items discussed in the original SE.
The Instrumentation and Controls Branch (HICB) staff, with assistance from Region 111 staff, audited the licensee's implementation of the SLS hardware and software design. The purpose of this-audit was to review the information associated with the five open items and to confirm that the licensee:
(1) Assessed the software and hardware modifications to determine the acceptability of the load sequencer verification and validation (V&V) program; (2)
Isolated the non-Class IE systems from the Class IE portion of the load sequencer; (3) Dedicated the load sequencer commercial-grade components for safety-related use; (4) Verified that the electromagnetic environment qualification at the plant is enveloped by the vendor's tests; and (5)
Provided the control room operators with load sequencer bypass indications and inoperable state indications.
The staff's evaluation of the licensee's implementation of each of these items is addressed in the following sections.
9301130260 930104 PDR ADOCK 05000282 P
2-2.0 EVALUATION 2.1 ACCEPTABILITY OF THE LOAD SEQUENCER V&V PROGRAM The load sequencer at Prairie Island is a programmable logic controller (PLC) based system consisting of both hardware and software.
The hardware, PLC-5, is supplied by Allen-Bradley and the software is developed by Spectrum Technologies, Inc. (STI), a subcontractor to the Station Blackout / Electrical Safeguards Upgrade (SB0/ESU) Project prime contractor, Fluor Daniel. Spectrum Technologies, Inc. developed the ladder logic which was translated from system functional requirements, and compiled the ladder logic into machine language, usable to the SLS hardware, with an aid of a software tool, ICOM.
The staff audited the V&V program using guidelines provided in IEEE Standard 1012-1986, "lEEE Standards for Software Verification and Validation Plans,"
and the guidelines in Regulatory Guide (RG) 1.152, which endorses ANSI /IEEE-ANS-7.4.3.2-1982, "American National Standards, Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations." The load sequencer V&V plan satisfactorily follows the guidelines in the regulatory guidance as identified above.
In its initial review, the HICB staff found the V&V plan submitted by the-licensee to be -
acceptable.
The purpose of the staff's subsequent audit was to confirm that the contractor adequately implemented the V&V plan throughout the load sequencer development phases. This was accomplished by reviewing the development of system functional requirements, code and software development documents, V&V-results, and interviewing personnel involved. The staff also performed a " thread audit" in which plant parameters, such as undervoltage and load restoration, were picked and traced through the software life-cycle. The staff finds the implementation of the V&V program to be acceptable.
2.2.
ISOLATION OF NON-lE SYSTEMS FROM THE CLASS 1E PORTION OF THE LOAD SEQUENCER The purpose of auditing this item was to confirm that the non-Class IE systems are properly isolated from the Class IE portion of the load sequencer. The non-Class IE systems interfacing with the PLC are the inputs to: (1) plant computer, (2) plant annunciator system, and (3) main control board indicating lights. All inputs from the load sequencer, both Class IE and non-Class IE, are controlled by ASEA type RXMH2 auxiliary relays.
The coil of the relay is energized by the PLC. The eight pairs of contacts in each relay provide the output signals for breaker permissive signals idlich are Class-lE or for indication or annunciators which are non-Class 1E. All incoming signals to the load sequencer are Class IE and are buffered via optical isolaterr.
The staff found the isolation of the non-Class 1E systems from the load sequencer to be acceptable.
4 q
i r
T 3
w
-rm-4+-
4
r
- 2.3 DEDICATION OF LOAD SEQUENCER COMMERCIAL-GRADE COMPONENTS i
lhe SLS hardware was provided as a commercial-grade item by Allen-Bradley.
The commercial-grade item dedication of the SLS hardware and software was plant specific and was performed by STI through a contract with NSP.
The l
dedication process, reviewed for the SLS only, was determined to be in accordance with the guidance provided in a report issued by the Electric Power Research Institute (EPRI), EPRI NP-5652, " Guideline for the Utilization of Commercial-Grade items in Nuclear Safety-Related Applications (NCIG-07),"
endorsed by both Generic Letter 89-02, " Actions to Improve the Detection of Counterfeit and Fraudulently Marked Products," and Generic Letter 92-05,
" Licensee Commercial-Grade Procurement and Detection Program." This determination was in respect to the SLS at Prairie Island and should not be considered a general indorsement of the hardware or software used.
It was necessary, as a part of the commercial grade dedication process, for the licensee to identify and verify the appropriate critical characteristics to provide reasonable assurance that the item received is the item specified.
Methods to identify the critical characteristics are prescribed in EPRI NP-5652.
The staff reviewed the contractor's selection of the load sequencer-hardware and software critical characteristics as part of the staff's audit of the contractor's commercial-grade item dedication of the load sequencer. The contractor selected a combination of EPRI NP-5652 methods 1, 2, and 4 to accept the specific commercial-grade load sequencer hardware and software.-
As a part of the load sequencer hardware dedication process, environmental qualifications of the load sequencer were considered.
The purpose of environmental qualification is to reasonably assure that, once installed, the load sequencer will not adversely effect the original qualification of the system.
The environmental parameters for dedication are as follows:
- seismic, thermal, radiation, and humidity.
The seismic tests were conducted at Wyle Laboratory, Huntsville, Alabama. The sequencer passed all performance and diagnostic tests before, during, and after the seismic tests with no anomalies. The staff finds the vendor's certification of equipment operability during design seismic conditions to be acceptable.
Although radiation aging test is not required for equipment located in a mild environment, the contractor, STI, witnessed the radiation test which was performed by an independent testing laboratory. No anomalies were reported during radiation aging or related functional test.
Thermal aging and humidity aspects of environtsntal parameters were not included in this dedication process because the sequencer is located in a mild environment.
The equipment is qualified for operation in a temperature of 40*F - 120*F, with a humidity of 20% - 70%.
After the above review, the staff finds the use of the commercial-grade SLS hardware components to be acceptable in this application due to the site--
specific testing performed.
However, the staff does not consider the Allen-Bradley PLC-5 hardware to be, in general, commercially dedicated.
l-Machine language utilized in the SLS hardware was developed through the use of ladder logic and the ICOM software. The ICOM software is not considered as a dedicated commercial-grade item due to the limited testings performed on this software.
The ICOM software is being used only as a tool to produce operational software, and is in itself not being used in the load sequencer.
Since ICOM is being utilized as a tool to interface with the ladder logic, specific functional requirements have been terted for this application of load sequencer.
Additionally, ST) performed extensive software unit and software / hardware integration testings which provided reasonable assurance that the end results produced by the ladder logic, the ICOM software, and the SLS hardware in this application will ilot produce unexpected system responses.
After the SLS software was produced in machine language for the PLC-5, STI used a separate and diverse software tool, TAYLOR, to disassemble the machine language and produce new ladder logic. The logic used as a source by ICOM was compared to the logic produced by TAYLOR to insure the binary code used in the PLC was an accurate compilation of the ladder logic. Due to the extensive testings and the V&V plan, it is acceptable for the SLS hardware and software to be used in the manner which the licensee intended for this specific application.
Therefore, the SLS software as written by STI is suitable only for use in this specific dedicated SLS hardware and any future modification to the system, such as a new use of the software tools or changes to the software, will require a similar review and testing process according to the V&V plan and system requirement.
The staff does not consider the Allen-Bradley PLC-5 hardware or software to be, in general, commercially dedicated, and finds that the programmable hardware and software is acceptable for safety-related use in the Prairie Island application only.
2.4 VERIFICATION THAT THE ELECTROMAGNETIC ENVIRONMENT QUALIFICATION AT THE PLANT IS ENVELOPED BY THE VENDOR'S TESTS The purpose of this portion of the audit was to confirm that the licensee has verified that the electromagnetic environment qualification at the plant was enveloped by the vendor's test.
The factory testing for electromagnetic interference / radiated frequency interference (EMI/RFI) susceptibility of the load sequencer was performed at Wyle Laboratory. Onsite verification of the electromagnetic environment was performed by a licensee contractor, Amador.
The factory tests at Wyle Laboratory were performed in September, 1991, and the results were documented in Wyle Test Report No. 42104-02, dated September 26, 1991.
The tests were conducted in accordance with SAMA Standard PMC 33.1-1978 and MIL-Std-461C/462. The EMI/RFI tests performed at Wyle Laboratory on the sequencer cabinets are as follows:
(1)
CS01 Conducted Susceptibility, Power Leads, 30 Hz to 50 kHz, (2) CS02 Conducted Susceptibility, Power Leads, 0.05 to 400 MHz, (3) CS06 Conducted Susceptibility, Spikes, Power Leads, and (4) SAMA Keying Test, Electric Field, 20 MHz to 1GHz.
~
(
. The EHl/RFI tests performed at the Prairie Island site in Bus Rooms 15,16, 25, and 26 were as follows:
(1) CE01 Conducted Emissions, Power and Interconnecting Leads, Low Frequency, 30 Hz to 15 kHz, (2) CE03 Conducted Emissions, Power and Interconnecting Leads, 0.015 to 50 MHz, and (3)
RE02 Radiated Emissions, Electric Field, 10kHz to 10 GHz.
The onsite surveys performed in the Safeguard Bus Rooms were to be compared with the sequencer cabinet EMI/RFI susceptibility tests performed at Wyle Laboratory.
The cabinets were not tested for the frequencies from 1 GHz to 10 i
GHz at Wyle Laboratory. The site operated microwave station operates at 6.775 GHz and 6.825 GHz.
It is apparent that the electromagnetic environment qualification was not enveloped by the vendor's testing for frequencies from 1 GHz to 10 GHz.
However, from Amador's site surveys, the data shows that the levels of EMI/RFI in the Safeguard Bus Rooms are less than 10 millivolts /
meters in the frequency range from 1 GHz to 10 GHz.
Although the cabinets were not exposed to this frequency range at Wyle Laboratory, the onsite test results provide reasonable assurance that the site operated microwave station will not compromise the safe operation of the load sequencer.
No further testing is warranted and the staff finds this portion of EMI/RFI testing to be acceptable.
Additionally, Amador's onsite testing did not include radiated frequencies from 30 Hz to 10 kHz.
Since much of the nearby equipment operates at 60 Hz, it is inconclusive that the electromagnetic environment qualification was enveloped by the factory testing. The licensee should provide assurance that the RFI levels in this range will not effect the load sequencer operation.
under the worst case conditions. The licensee has committed to performing additional test surveys from 30 Hz to 10 kHz in the bus rooms while performing the integrated safeguards test involving breakers closing and loads being applied to the bus. This data will be analyzed by the licensee to determine if any action is required.
The survey results and data analysis are to be submitted to the staff.
The staff finds this commitment to be acceptable.
In order to check for possible disturbances on the input power lines, the licensee installed a power line disturbance analyzer on the 120 VAC supply to ensure typical disturbances in the power supply for the load sequencer are within SLS hardware specifications.
Parameters monitored included overvoltage, undervoltage, frequency shift, surge, and impulse.
Transient monitoring was performed on Bus 25 and 26 for one week after the licensee entered the planned dual-unit outage on October 24,-1992. This transient monitoring was not completely valid because the reactor was not at power. The licensee has committed to installing the transient monitor on the 120 VAC supply for each PLC after the units are at power in order to obtain more meaningful data. The data recorded by the power line disturbance analyzer, and analysis thereof, is to be submitted to the staff. The staff finds this commitment to be acceptable.
~ _.
I
.. 2.5 PROVIDE THE CONTROL ROOM OPERATORS WITH LOAD SEQUENCER BYPASS INDICATIONS AND INOPERABLE STATE INDICATIONS The purpose of this audit was to confirm that the licensee has provided the control room operators with load sequencer bypass and inoperable state indications.
In the main control room there are six annunciator alarms for each.of the four sequencers, in addition, the sequencer provides the main control room information regarding its operation on a status light box at the-G panel.
Locally, each sequencer panel provides indication for testing and alarm message for testing.
The staff reviewed load sequencer drawings and performed walkdown inspections of the sequencer local panels.
The staff also observed several scenarios in the plant simulator, in which the control room annunciators indicated the failure status of each sequencer. The licensee also demonstrated in these scenarios that the loss-of-AC-power operating procedure can be carried out by trained operators in sufficient amount of time.
Based on the results of this review, the staff finds this installation to be acceptable.
3.0 CONCLUSION
S The staff reviewed the licensee's implementation of the load sequencer system at the Prairie Island Nuclear Station, Unit 1 & 2.
Of the five items reviewed by the staff, the staff has determined the acceptability of four, and considers those items closed. One open item remained, concerning the electromagnetic environment qualification for lower frequency range of 30 Hz to 10 Khz and the results of power line disturbance analyzer when the reactor is at power.
The licensee has committed to perform additional survey and analysis to ensure that the radiated frequencies from 30 Hz through 10 kHz will not effect the safe operation of the load sequencer under the worst case conditions. This survey will be performed in the bus rooms during the integrated safeguards test during which breakers are closing and loads are being applied to the bus.
The licensee will make the final confirmation that the load sequencer is qualified to operate in the electromagnetic environment at the site. -The staff finds this commitment to be acceptable such that Prairie Island may operate with the digital safeguard load sequencer installed and operating.
The licensee has also committed to installing the transient monitor on the 120 VAC supply for each PLC after the units are at power _in order to obtain more meaningful data. This is intended to insure that the level of power line disturbances in the 120 VAC-supply previously recorded and analyzed is consistant with that found when the plant is operating at power.
The licensee will also determine that the disturbances actually monitored in the 120 VAC supply for the load sequencer are within the SLS hardware specifications.
The data recorded by the power line disturbance analyzer, and analysis thereof, is to be submitted to the staff.
The staff finds this commitment to be acceptable and, as a result, the last open item is resolved.
Principal Contributor:
P. Loeser Date: January 4, 1993