ML20128L199
| ML20128L199 | |
| Person / Time | |
|---|---|
| Issue date: | 10/08/1996 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| References | |
| ACRS-T-2076, NUDOCS 9610110347 | |
| Download: ML20128L199 (322) | |
Text
. _ _ . - . _ _ - . . . . . . . .. _ - - _.-.
OfficicI Trcnscript cf Prsceadings O NUCLEAR REGULATORY COMMISSION ACRST c2c)% i l
Title:
Advisory Committee on Reactor Safeguards Instrumentation and Control Systems and Computers and Electrical Power Systems Subcommittees Joint Meeting l l
TRO4 (ACRS)
RETURN ORIGINAL TO BJWHITE Docket Number: (not applicable) s/S T-2E2s 415-7130 THAMKS!
l l
Location: Rockville, Maryland O l l
Date: Tuesday, October 8,1996 Jyo11ggg7961ooa T-2076 ppy Work Order No.: NRC-870 Pages 1-237 n r'3 -
V lOIl NEAL R. GROSS AND CO., INC.
110051 Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005 O^ * (202) 234-4433 A:lS Office Copyl Re ain J0" :'e _ife Of the Commsbee 7
O DISCLAIMER PUBLIC NOTICE BY THE UNITED STATES NUCLEAR REGULATORY COMMISSION'S ADVISORY COMMITTEE ON REACTOR SAFEGUARDS OCTOBER 8, 1996 The contents of this transcript of the proceedings of the United States Nuclear Regulatory Commission's Advisory Committee on Reactor Safeguards on OCTOBER 8, 1996, as reported herein, is a record of the discussions recorded at the meeting held on the above date.
This transcript has not been reviewed, corrected and edited and it may contain inaccuracies.
i l
O NEAL R. GROSS COURT REPORTERS AND TRANSCR8ERS taas RHoOE ISLAND AVENUE, NW (202) 234-4433 WASHINGTON, D.C. 20005 (202) 234-4433
1 l
1 UNITED STATES OF AMERICA f^ 2 NUCLEAR REGULATORY COMMISSION k
3 +++++
4 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS S JOINT MEETING 6 INSTRUMENTATION AND CONTROL SYSTEMS AND 7 COMPUTERS AND ELECTRICAL POWER SYSTEMS SUBCOMMITTEES 8 +++++ 1 9 TUESDAY 10 OCTOBER 8, 1996 11 +++++ I l
12 ROCKVILLE, MARYLAND 13 +++++
7 14 The Subcommittees met at the Nuclear 15 Regulatory Commission, Two White Flint North, Room T2B3, 16 11545 Rockville Pike, at 8:30 a.m., Don W. Miller, 17 Chairman, presiding.
18 19 COMMITTEE MEMBERS:
20 DON W. MILLER Chairman 21 GEORGE E. APOSTOLAKIS Member 22 JOHN J. BARTON Member 23 THOMAS S. KRESS Member 24 ROBERT L. SEALE Member l
C 25 WILLIAM J. SHACK Member NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D.C. 20005 3701 (202) 234 4433
2 i
1 ACRS STAFF PRESENT: )
e 2 SAM DURAISWAMY
, (
3 RICHARD P. SAVIO 4 NOEL DUDLEY 5 MICHAEL MARKLEY 6 AMARJIT SINGH 7
8 ACRS CONSULTANT PRESENT:
9 TED QUINN 10 11 ALSO PRESENT:
12 MATT CHIRAMAL 13 JARED WERMIEL O
5 #
\/ 14 PAUL LOESER l
15 SATISH AGGARWAL 16 FRANK COFFMAN 17 JOHN GALLAGHER
- 18 JIM STEWART 19 GARY JOHNSON 20 JERRY MAUCK 21 JIM SCECINA FRAMATOME 22 WESLEY BOWERS 23 LARRRY SHAO 24 MIKE MAYFIELD D
25 ALEX MARION NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
3 1 A-G-E-N-D-A gy 2 AGENDA ITEM PAGE NsE 3 ACRS Introduction by Chairman Miller 4 4 SRP Sections and BTPs l
5 M. Chiramal 27 6 Use of SRP Chapter 7 in Digital I&C Reviews 7 J. Wermiel 89 8 P. Loeser 90 9 NRC Lightning Protection Program 10 S. Aggarwal 163 11 F. Coffman 199 12 General Discussion and Adjournment 210 13 O
14 15 16 17 i l
18 19 20 21 22 23 )
l 24 l
, 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4133 WASHINGTON. D.C. 20005-3701 (202) 234-4433
4 1 P-R-O-C-E-E-D-I-N-G-S f-s 2 (8:42 a.m.)
3 CHAIRMAN MILLER: this meeting will now come 4 to order. This is a joint meeting of the ACRS 5 Subcommittees on Instrumentation and Control Systems and 6 Computers and on Electrical Systems. I am Don Miller, 7 Chairman of both subcommittees.
8 ACRS members in attendance are -- George, you 9 say, is on his way, right? -- George Apostolakis, John 10 Barton, Tom Kress, William Shack. Is Bob here? Bob Seale 11 should be here soon.
I 12 Also in attendance is Ted Quinn, an ACRS 13 Consultant.
O
'\- 14 The purpose of this meeting is to continue the 15 Subcommittees' review of proposed Standard Review Plan 16 Sections and Branch Technical Positions related to digital 17 instrumentation and control systems. The Subcommittees 18 will also review the status of NRC programs to address 19 equipment vulnerabilities to lightning and other 20 transients.
21 The Subcommittees will gather information, 22 analyze relevant issues and facts, and formulate proposed 23 positions and actions, as appropriate, for deliberation by 24 the full Committee.
25 Michael T. Markley is the Cognizant ACRS Staff NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
_ . - - . . - - - - - - . - . . - . - - . - . . . - - ~ . - . - . . ~ - - , . - . . . - - .
5 )
1 Engineer for this meeting.
2 The rules for participation in today's meeting l O 3 have been announced as part of the notice for this meeting 4 previously published in the Federal Recister on September l
5 17, 1996.
l i
6 A transcript of the meeting is being kept and I
7 will be made available as stated in the Federal Recister 8 notice. It is requested that speakers fir identify 9 themselves and speak with sufficient clarity and volume so 10 that they can be readily heard.
11 We have received no comments or requests for 12 time to make cral statements from members of the public.
i 13 The only comments that I have -- one back )
0 14 here. It looks like something was left out here, Mike, on 15 this statement. I was reading it.
16 Basically, the Standard Review Plan update is 17 one in which we're codifying and bringing together current 18 regulatory framework, and really not meant to introduce 19 anything new into the regulatory positions.
20 With that, we'll proceed ahead with 21 presentations by the staff. The staff member who is going 22 to lead the presentation is Matt Chiramal. Matt is here.
23 Is that corr (ct?
, 24 MR. WERMIEL: Yes. This is Jerry Wermiel from l
l 25 the NRR staff. I just wanted to make a very -- couple of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
6
- 1 very brief introductory remarks.
l i gg 2 We've briefed the Committee previously on two 3 occasions on portions of the SRP update to Chapter 7. We l
4 have completed that update, and copies were provided to 5 the Committee recently. As you're aware, this is the 6 first major update to Chapter 7 since 1981.
7 The revision incorporates, as Dr. Miller 8 mentioned, guidance that the staff has developed, and it 9 codifies the guidance that the staff has develo. rad over 10 the years since then from the reviews of operating plant 11 modifications, the advanced reactor designs, from our 12 interactions with experts in other industries, and our 13 international interactions with our counterparts, and from tD>.
'- 14 operating experience itself. l i
15 We are going to be presenting an overview of 16 the content of the entire SRP update this morning, and i
17 then later we will provide an overview of how the SRP is 18 going to be used by reviewers, including a walk-through of 19 a specific review that we performed on the B&W STAR 20 digital reactor protection system modification.
21 Although that review was done prior to this 22 SRP update actua31y being available, the criteria that was 23 used and the way that review was conducted isn't any 24 different from what the SRP currently says.
! -s
_ 25 We hope to -- We anticipate that we'll obtain l
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234 4433
l 1 CRGR agreement to publish the SRP update for public gS 2 comment, and we will go out for a public comment period V 3 before -- and address public comments before finalizing 4 this SRP update sometime in early 1997.
5 Matt, why don't you go ahead.
6 CHAIRMAN MILLER: The one comment I had --
7 MR. WERMIEL: Sure, Don. .
1 8 CHAIRMAN MILLER: It says branch technical 9 positions raised at digital instrumentation and control 10 systems. It's really much broader than that.
11 MR. WERMIEL: Yes. Yes, this SRP update, 12 while this committee is focusing on digital IEC systems, 13 the update itself and a lot of the information in there
\# 14 goes well beyond digital technology.
15 We had to incorporate new rules, for example, 16 that were promulgated since 1981. We had to incorporate 17 new guidance on analog systems and in various review 18 areas. All that has also been done, although the focus 19 here, of course, is on digital technology.
20 CHAIRMAN MILLER: I raised that point, because 21 I know Ted Quinn and I were talking just before the 22 meeting. We'll have questions somewhat beyond the digital 23 I&C areas.
24 MR. WERMIEL: That's no problem.
O k_) 25 CHAIRMAN MILLER: It does cover -- It goes NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
8 l 1
1 beyond that.
I s 2 MR. WERMIEL: Well, yes. In 1984, for
\ (v) 3 example, the ATWS rule came out. There have been a number 1
4 of positions taken in the area of post-accident monitoring 1 5 systems that we had to incorporate. Oh, yes. There is ,
1 6 guidance on set point methodology that was never in there 7 that we have been using.
8 So, yes, there's a number of things in there l 9 that don't relate specifically to digital technology.
10 That's true.
11 CHAIRMAN MILLER: That's true. The '81 didn't 12 even have the original version of Reg. Guide 1.197 in it.
13 MR. WERMIEL: No, it didn't. It also didn't 7% !
( )
'~' 14 even have the original version of Reg. guide 1.152 on 15 digital systems. So we're actually several versions 16 beyond even what the SRP said in 1981.
17 CHAIRMAN MILLER: Okay. George?
18 MEMBER APOSTOLAKIS: I have some general 19 concerns that maybe I should express now and see whether 20 the staff can answer them as we go along. Is that okay, 21 because otherwise I think they'll be lost.
22 CHAIRMAN MILLER: Well, go ahead. dure.
23 MEMBER APOSTOLAKIS: I'm having a problem 24 understanding the acceptance criteria with BTP.
w 25 CHAIRMAN MILLER: Which BTP? Fourteen?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
9 1 MEMBER APOSTOLAKIS: Fourteen. I tried to 1
i ex 2 follow the guidance, you know, going to the IEEE guides l
(~, I 3 and so on, and it seems to me -- and maybe that's a wrong I 4 impression, but these are not acceptance criteria. These 5 are just requirements for the existence of documents.
6 For example, for the software management plan 7 the acceptance criteria -- one of the acceptance criteria 8 is that they must have a description of the project 9 organization. This should include a process model, 10 organization structure, organization boundaries and so on.
11 Now I don't think that's an acceptance 12 criteria. All that says is that you have to have a 13 description of the project organization. Whether it's
'- gcod or bad, there are no criteria that are given.
14 15 Then I went -- There's anothe.c example, 16 software verification and validation activities. A V&V 17 summary report should be produced for each life cycle 18 activity group. Now that doesn't sound like an acceptance 19 criterion to me.
20 The V&V documentation should confirm that the 21 requirements, design elements, and code elements satisfy 22 the appropriate software development process 23 characteristics of completeness, consistency, correctness, 24 and so on. Again, what are the standards that one will (9s- 25 use to make sure that this happens?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4 0 3 WASHINGTON, D C. 20005-3701 (202) 234-4433
10 1 So I thought I misunderstood the whole thing.
I igx 2 So I tried to understand what the BTP is supposed to do.
f So Jit Singh gave me some information, and it turns out 3
4 that the BTP is supposed to provide the technical bases 5 for some of the sections of the Standard Review Plan.
6 Now I don't see how this type of thing is a --
7 can be a technical basis. So I'm having a big problem on 8 that. What exactly is the reviewer supposed to do? It l l
l 9 seems to me that all that this requires is production of 10 documents without any guidance as to what is acceptable l
11 and what is not acceptable.
12 I realize that the state of the art is still l
,_s 13 primitive here, but -- So I looked again, and I found that
! )
\# 14 in other places they are doing a bit more. For example, I I 15 saw two papers that describe what Ontario Hydro has done 1
16 for Darlington, and there they also have general 17 principles like completeness and correctness and 18 replaceability and so on, but they also do it a little l
19 more.
20 They ask, for example, that the requirements l 21 be stated in a certain mathematical form, because they 22 make a big deal out of the fact that common language is 23 very inadequate to describe the requirements correctly,
! 24 and that that's a major source of misunderstandings and l gs l
(_ 25 errors.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
. .. . - . . - _-. - - ~._ .... - - - _-. . ~ . . . - - - . . - - . - . _
l l 11 l
1 They propose various methods like what they i 2 call information hiding to-do certain things and so on.
rO 3 So it seems that this SRP and BTP are way too general, let 4 alone the fact that it's extremely difficult to follow 5 them, because they keep referring to IEEE guide after IEEE 6 guide. You go to one IEEE guide. :t refers you to 7 another IEEE guide, and I did.
8 In fact, I had a graduate student do that. I 9 said, " Follow the damn thing all the way down, and let's 10 see what we will find." So that was software V&V.
11 We went from BTP 14 to IEEE Standard 1012, 12 then to -- Oh, I don't remember the other one, but -- and
- 13lI then, ultimately, what it came down to was software V&V l l 14 documentation should confirm that the requirements, design
, 15 elements and code elements satisfy the appropriate l 16 function and characteristics of accuracy.
l 17 So after all these guides and all these 1
l l 18 documents, it comes down to that. It should --
l I
19 CHAIRMAN MILLER: Is that in 1012?
l 20 MEMBER APOSTOLAKIS: This is -- I think this i
21 is from the BTP.
22 MR. WERMIEL: It's in the BTP.
23 MEMBER APOSTOLAKIS: It is in the BTP?
24 MR. WERMIEL: Yes.
25 MEMBER APOSTOLAKIS: But then, if you go to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
1 l' 12 1 1012, it says -- It simply gives you what minimum tasks 7- 2 must be accomplished, like the trace software N-]3 3 requirements, the system requirements, and analyze the ,
1 4 relationships between them for such qualities as
- I l
5 correctness, consistency, completeness, and accuracy. So 6 that's all the guidance you get: Analyze the l 7 relationships between them for such qualities as 8 correctness, consistency, completeness, and accuracy.
9 Seems to me, you don't need three IEEE 10 standards to say that. If you say I want the thing to be 11 accurate, complete and consistent, you just say it up 12 front. Is this really guidance? Is it -- Are there any 13 acceptance criteria here?
14 MR. WERMIEL: Let me make a comment, if I 15 could, Dr. Apostolakis.
16 We did not intend to prescribe a process for 17 development or designing or ensuring the quality of the 18 software. What we intended to do was to provide guidance 19 for a reviewer to ensure that the designer of the software 20 and the developer of the algorithms and the digital system 21 did that, and then confirm that these particular 22 characteristics and these particular attributes were 23 addressed somehow by the designer.
l l 24 Ontario Hydro has a specific process that they l
(')
\, .) 25 believe is appropriate for the design of the systems that l
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 2344433
l 1
13 l l
1 they buy. They are a -- The etandard that they write is {
1 n 2 for use by them, and they are a utility, not a regulatory e
i N) ,
3 authority.
4 Now we believed, and we still believe, that we ;
I 5 needed to be flexible enough and broad enough in our 6 application of the guidance that we could accept, 7 basically, a wide range of approaches to development of 1
8 high quality software, because we know there are a wide l 9 range of approaches. What we hope the reviewer does is 10 ensure that whatever commitment the designer makes to 11 addre.s these attributes is indeed incorporated into the 12 design.
13 That's why we haven't prescribed things like (nU) 14 you mentioned from the Ontario Hydro standard that they 15 use for their designs, a mathematical approach to 16 confirmation of the requirements, that kind of thing.
17 In general, that's the way instrumentation and 18 control system reviews have been done even in the analog !
l I
19 days. While the flexibility and the broadness of approach j i
1 20 may not have been there, to the extent that it is with 21 digital systems, we intended to maintain that broad 22 approach, and we think our reviewers, for tne most part, ;
i 23 are comfortable with that.
24 MEMBER APOSTOLAKIS: Well, if I can make a i f
(3,1 25 comment.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 2344433
. _ . _ . _ . _ . . _ . . _ _ . _ . _ _ _ _ _ - _ . . . _ _ _ . _ . ~ _ . . - _ . _ _ . _.. _._ _ . _ _ m . _ _ . _ _ _ _ _ . .
14 1
- 1 MR. GALLAGHER
- Maybe I could add something. l E
j 2 CHAIRMAN MILLER: Yes, sure. Go ahead, John.
(
2 .t 3 Introduce yourself, and go to a microphone. )
4 MR. GALLAGHER: John Gallagher, HICB. I was 5 one of the authors of this, along with Dennis Lawrence of ,
f 6 Lawrence Livermore, and we hac & lot of difficulty getting
{ 7 this document down to a size that it could go into the i
8 book, because we tried to put a lot into it .
} 9 We wrestled with the idea of dealing with what i L l 10 one could say were acceptance criteria, and there is l
j 11 another document that has not been issued yet that will be l l
. 12 available to the reviewer, who this is written for, that :
! 13 will give him specific guidance in each one of the
- 14 software life cycle activities. Lawrence Livermore is now
! 15 in the process of trying to finalize that, but it's a 16 detailed audit checklist.
i 17 This detailed audit checklist gets into what 18 is completeness, consistency, those attributes that you 19 talked about, and that will be available both to the 20 reviewer, and, of course, it will be a public document 21 that will be available to the people who are actually 22 doing the work.
23 MEMBER APOSTOLAKIS: So the BTP itself is not 24 complete?
25 MR. WERMIEL: It's not the end of the story i.s NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISt.AND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
15 1 what John is trying te say.
l
,f S 2 MR. GALLAGHER: Yes. This could not go into -
3 - This really didn't fit into the BTP in keeping with the 4 framework of the BTP view, as Jerry Wermiel mentioned. S 5 one of our decisions was not to put this in. It's not 6 only too big, but it also -- It goes down to a very 7 specific level of guidance for the auditors.
l 8 MR. WERMIEL: Just to make sure you're clear, 9 we would expect the designer of the system and the 10 licensee that's referencing it to describe how they have 11 accomplished or verified for themselves that the algorithm 12 is complete. They would describe or confirm how they have 13 established its accuracy or how they're going to establish p)
\
N- 14 its accuracy.
15 What John is describing is an audit tool that 16 will allow the reviewer to take what the commitment is for 17 completeness and accuracy, for example, and verify that 18 that's been accomplished.
19 MEMBER APOSTOLAKIS: Well, I'd like to make 20 two comments on that. First of all, Ontario Hydro also 21 did this when they first went to their regulatory body, 22 and my understanding is that, because of that, they were 23 delayed by two years, because the control board hired 1
l 24 outside consultants, and they forced Ontario Hydro to be a
()\
(_ 25 little bit more specific, actually much more specific.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
16 1 Finally, Ontario Hydro accepted that approach, 2 and now it's part of their standards. It's not just a
(_
3 utility.
4 CHAIRMAN MILLER: Accepted which approach.
5 MEMBER APOSTOLAKIS: They came up with a 6 consensus which is much more detailed, in my opinion, than 7 this.
8 Second, I am still having problems with the 9 acceptance criteria. I mean -- So again, not knowing what 10 the reg. guide is of BTPs, I asked Jit to give me some.
11 So he gave me one that endorses other standards, pretty 12 much like we.do here, Regulatory Guide 152, " Design 13 Testing and Maintenance Criteria for Post-Accident ESF
/ i 14 Atmosphere Clean-up System Air Filtration."
15 What do I see here? The design should be 16 based on the maximum pressure differential radiation dose 17 rate, relative humidity, maximum and minimum temperature.
28 The volumetric air flow rate of a single clean-up train 19 should be limited to approximately 30,000 feet per --
20 cubic feet per minute, and so on.
21 It seems to me this is detailed guidance.
22 This -- A reviewer can pick this up and review something 23 and have some guidance how to do it, and then we could go 24 back here, Acceptance Criteria: A V&V summary report
'(y 25 should be produced for each life cycle. The V&V NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
17 l
1 documentation should confirm that the requirements and so I l
l ,- 2 on have been met.
3 MR. WERMIEL: We don't establish the l
l 4 requirements.
5 MEMBER APOSTOLAKIS: Yes, but how do you 6 confirm that they have been met? That's my problem.
7 MR. WERMIEL: We look to see that the 8 requirements are there, and then that the V&V plan has a 9 connection to those requirements for confirmation of them.
10 MEMBER APOSTOLAKIS: Right.
11 MR. WERMIEL: That's what the BTP basically 12 says in that area.
13 MEMBER APOSTOLAKIS: But this seems to be
,Q I
\ '/ 14 pretty awful to me. In other words --
15 MR. WERMIEL: I'll grant you that. It does ,
1 16 allow for some flexibility. No question about it. I 1
17 CHAIRMAN MILLER: Is this more reflection on 18 the status of software engineering than it is the status 19 of these BTP? l 20 MEMBER APOSTOLAKIS: As I said --
l 21 MR. WERMIEL: To some degree, yes.
l 22 CHAIRMAN MILLER: You know, we had the 23 discussion --
24 MEMBER APOSTOLAKIS: I believe that the state
(
(_,/ 25 of the art here is such that it does not allow you to do NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-?701 (202) 234-4433
18 1 what this other reg guide does, give you physical l
,- -) 2 quantities and so on, but how far can you go? Can you O 3 really say, because the state of the art is so weak or 4 primitive, all I need is a document? I mean, you have to 1
5 address the question of what's in the document.
l 6 So then you say, well. is everybody else doing 7 the same thing? It turns out, they are not. I mean, when -
8 you read the Ontario Hydro documents, you really get the 9 feeling that they tried to go beyond that, and especially I l
10 in the requirements area.
11 That's another thing. There is no
, 12 prioritization here. I mean, they emphasize that that's 1
- 13 where the screw-ups occur, and they went out of their way 14 to make sure that the applicant does something about it.
15 MR. STEWART: This is Jim Stewart with I&C 16 Branch.
17 One thing on Ontario Hydro I'd like to bring 18 up is the reason they were held down for two years is 19 because the safety system was not developed in accordance 20 with any kind of a structured plan. What they have now is 21 the result of having been held down for two years and 22 having to come up with these type of activities.
23 The only significant area that I'm aware of 24 where we're that much different from Ontario Hydro is that
) 25 we do not require the formal methods.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
l 19 1 MEMBER APOSTOLAKIS: Again, formal methods 7- 2 means a hell of a lot. They are not really using formal N')3 3 methods either. What they are asking the applicant is to 4 express the requirements in mathematical form, which is 5 very different from using formal methods, the way software 6 engineers understand it, but again they didn't follow a J
l 7 structured approach.
8 What is a structured approach? That you have 9 to have requirements?
10 MR. STEWART: Well, that's a good place to 11 start.
12 MEMBER APOSTOLAKIS: I mean, what really 13 bothers me is the degree of specificity, which I think is
\
14 completely absent. All it says is do this, do that, and 15 produce a document.
16 CHAIRMAN MILLER: We have another -- Go ahead, 17 Jerry.
18 MR. WERMIEL: I understand what Dr.
19 Apostolakis is saying, and I don't believe anything in our 20 presentation is going to change what the documents 21 themselves say or how we've implemented them. Paul Loeser 22 this afternoon can describe how that kind of information 23 was used to find the STAR system acceptable, and what he 24 did by way of a review.
. 25 Now I'll be the first to tell Dr. Apostolakis NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 l
20 1
1 that Paul Loeser has some understanding of software j 2 systems, what to look for. Now that kind of knowledge and 7-s V 3 understanding has to go into the review. There's no 4 question that just taking the literal word on face value 5 isn't going to help somebody who is not familiar with 6 these systems do a review. I'll give you that. I'll 7 agree with that.
8 CHAIRMAN MILLER: Can I -- Jerry, I assume 9 Paul will be more detailed in what he's going to present 10 than what we were given in our --
11 MR. WERMIEL: That's our intent, yes.
12 CHAIRMAN MILLER: Although I wasn't quite as l
,_ 13 outspoken as George has been, I share some of his concern, t 1
'- 14 and I felt those concerns were most -- became most 15 apparent to me when I read through the SER. I kept saying 16 what were the criteria that were used to make the 17 judgments that you reach conclusions on.
18 MR. WERMIEL: Yes.
19 CHAIRMAN MILLER: I have little flags in that 20 report. I've gone back to where George is, in a way.
21 MR. WERMIEL: Yes. I understand, and I guess 22 -- Let me try to characterize the way BTP 14 and the 23 overall approach that the staff took works, and make sure 24 that everybody understands it, and then maybe we can go
/~5
.,) 25 forward.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
21 1 We did not intend to prescribe a method for 2 development of high qualitative software. What we
\' ,/
3 intended to do was define and identify from existing j 4 industry standards and fron our own experience a set of 5 attributes or documents that you would look for to see had 6 been generated by a software developer, and that those 1
7 documents included or addressed certain aspects that we 8 thought were important to a high quality software system; i 9 but we didn't say how you were to do it.
l l
10 This is that what versus the how argument that 11 I think we've heard before. We tried to address the what l 12 is it that we want, not the how is it to be done. We have 13 a little bit of the how, but not much.
O 14 CHAIRMAN MILLER: I don't think George is 15 asking for how. l l
16 MR. WERMIEL: Well, formal methods is the how, 17 for example.
18 CHAIRMAN MILLER: Well, I know, but I think 19 what I'm looking for -- maybe George is looking for more -
20 - is you're saying what to do. I think you're not really 21 saying that. You're saying here is the activity you have 22 to do, but there's no criteria to judge on how well you 23 did those activities.
24 MR. WERMIEL: And again --
(h
's_) 25 CHAIRMAN MILLER: Nowhere we're asking to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D C. 20005-3701 (202) 234-4433
l 22
]
1 prescribe how. l l
l ,s 2 MR. WERMIEL: And again, we would look to the 3 designer to have defined the things that were important in 1
4 those functions of the software life cycle, and then it's I
5 our job to confirm through the type of review that we do - l l
4 6 - and it's more than just a review of the documents. i 7 There is more to it than that, and Paul will talk about ,
1 1
8 some of those additional details, and that's what we would 9 be doing.
10 MEMBER APOSTOLAKIS: I fully agree, Jerry, 11 with what you're saying. I have no doubt that the very l 12 experienced software engineer will do a good job. The l 1
13 problem I'm having is not that. The problem I'm having is l
/_T 14 -- and I think it's the same as Don's -- is that this is 15 way too general.
16 So a good guy will do a good job, but a weak 17 guy may do a weaker job, which will be accepted because 18 there is no guidance as to what to accept and what not to 19 accept. That's my problem.
20 MR. WERMIEL: I'll be honest with you, Dr.
21 Apostolakis. It's been my experience that, even with 22 prescriptive guidance, the staff -- if the reviewer is 23 weak or if there is a lapse in the oversight by 24 management, will make an error and not ensure that even i /\
l (_) 25 some of the proscription has been implemented.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
2 i 23 1 MEMBER APOSTOLAKIS: Now one last fault, and 1
i 2 maybe we can go on. I find the document extremely
- O 3 confusing. It keeps referring from IEEE standard to IEEE l
{ 4 standard. Is there'any way to simplify that and maybe --
5 I mean, first of all, why go -- I read some of those 6 standards and, in my opinion, they don't say anything.
7 Why can't we say it not in here and, instead l 8 of sending us to a guide to find out there is nothing 9 there? Formalize the principles and say we want 10 completeness. We want consistency. We want this. Please l 11 produce such and such a document, and seems to me in five 1
12 and a half pages, you're done, instead of sending to 1012 l l
13 and then the other one, the other one. I mean, it keeps 14 graduate students busy, but all it says is make sure they 15 are consistent, at least to make sure --
r 16 MR. WERMIEL: I can address that specifically. I 17 The reason we referred to the IEEE standards is because 18, those are the bases for the designs that our industry has 19 developed.
20 MEMBER APOSTOLAKIS: Mostly, the really great 21 colleague, Dana Powers.
22 CHAIRMAN MILLER: Our consultant, Mr. Quinn, 23 has been trying to raise a question or a comment.
24 MR. QUINN: I share some of George's concerns 25 with regard to how this will be implemented in the future, NEAL R. GROSS l COURT REPORTERS AND TRANSCRIBERS i 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C, 20005-3701 (202) 234-4433 l l
_-_ , - _ l
_.-._ ___ -_ _ . _ . . . . _ . _ _ _ . _ _ . . _ - _ . . . . - . . _.m_. .. ..___ _ _ _..._ ___.____ __ .
24 1
5 1 but I want to give a perspective of what I thought a i !
2 designer is doing when they go put together a system now.
] 3 I think, George, you referred to a reg. guide
- 4 as providing more specific guidance. This is not a reg.
4 i
j 5 guide. The reg. guides, actually, are the six that we 6 reviewed over two meetines and spent time on.
i l 2 7 When I see a designer put together a system, i
j 8 they take this IEEE standards and they take the reg.
j 9 guides and refer to them in the specifications that are 4
i 10 written. I see this document in our layered approach or
?
1
- 11 whatever as really being a summary document that ties us l 12 back to which reg. guides, which IEEE standards, and we W.
l 13 spent two meetings looking at to make sure -- and I spent ,
- I i~ 14 a lot of time to make sure that I thought the reg. guide 1
l 15 exceptions, the qualification statements in being more 16 specific on the IEEE standards were the correct ones to l
j i
- 17 'take, that they would reflect, actually, the lessons l
l 18 learned in the past, and I thought they did.
! 19 So when I looked at this document, I wanted to
) 20 make sure this one was not as voluminous as we would make l
l 21 it, and it would refer back to the correct IEEE standard, i
- 22 to the correct reg, guide, and I think it does.
l
! 23 Now it still is a question if it needs more
?
?
i 24 detail, but I wouldn't look at this document to tell me.
1 l 25 I'd go to the others. I would see the others.
j I
NEAL R. GROSS
! COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
! (202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234-4433
25 1 CHAIRMAN MILLER: Well, Section 7.0 provides f~s 2 very good overview, a good roadmap. I don't fino it as i \
L.J 3 confusing as George does.
4 MEMBER APOSTOLAKIS: I anticipated that 5 comment. So I went out of my way to understand what these 6 documents do. Okay.
7 The specific information required -- This is 8 from the Standard Review Plan. Okay, the specific 9 information required by the staff for an evaluation of an 10 application is identified in Regulatory Guide such-and-11 such. Okay. So that's what the guide does.
12 Then the technical bases for some sections of 13 the SRP are provided in Branch Technical Positions. These
\N-) 14 documents typically set forth the solutions and approaches 15 determined to be acceptable in the past by the staff in 16 dealing with a specific safety problem or safety related 17 area.
18 The Branch Technical Positions and appendices 19 represent solutions and approaches that are acceptable to 20 the staff, but they are not required as the only possible 21 solution and approach. So according to this, everything I 22 need to know to do the review should be in the SRP and the 23 BTP. The reg. guide is addressed to the applicant. Okay?
24 Correct?
(~s
(_ 25 Mike, you know these things, but for the staff NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 23&4433
26 1 it's the BTP that provides the technica~ positions, the f- 2 solutions and approaches that are acceptable. That's what
) 3 bothers me, because I read this here that says we have to 4 have solutions and approaches, and then it says all you 5 have to do is give me a document.
6 MR. WERMIEL; The reg. guide is very, very 7 important, though, Dr. Apostolakis, in that the designer 8 is going to use it, and we need to confirm that they have 9 actually done that. So it is part of the review process, 10 a very important part.
11 MCMBER APOSTOLAKIS: Isn't it true, though, 12 that the level of detail that we have here is also the 13 same in the reg. guide? You don't recommend any methods
[,\' )
14 there either.
15 MR. WERMIEL: No, but I think in some areas 16 you'll find the BTP has amplifying guidance. I don't 17 think there's any question in my mind it does.
18 MEMBER APOSTOLAKIS: So if the BTP has 19 amplifying guidance and is so weak, then I think -- I have 20 made my point. I think you summarized it very well 21 earlier. You said, we are telling the applicant that what 22 we expect him or her to have, but not how to do the job.
23 MR. WERMIEL: Yes.
24 MEMBER APOSTOLAKIS: And that's where my A
(_,) 25 problem is, that there is absolutely nothing on how. Now NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234 4 33 WASHINGTON, D C. 20005-3701 (202) 234-4433
27 1 I think we exhausted this. So maybe we can -- I mean, I 2 made my point.
3 CHAIRMAN MILLER: I think so. I think they'll 4 be looking for --
5 MEMBER APOSTOLAKIS: It took a while, but it ,
6 was very interesting, by the way, to try to understand :
7 what an SRP and a reg. guide and a BTP are, but finally -- -
8 Jit Singh helped me a lot. He gave me -- He also gave me 1
9 a diskette which I haven't used yet. Now I still think 10 they are confusing documents.
11 CHAIRMAN MILLER: Is the remainder of the 12 Committee prepared to forge ahead now? Matt, are you !
13 ready?
14 MR. CHIRAMAL: Yes, I'm ready to try and go 15 through the canned speeches here.
16 My name is Matt Chiramal. I'm with the 17 Instrumentation Controls Branch. On my left is Gary 18 Johnson from Lawrence Livermore who -- our contractor, who 19 helped us a lot in preparing this SRP update. Jim Stewart 20 of the staff is there to talk to us, if you need to know i
21 anything more about the EPRI commercial off-the-shelf l l
1 22 software document that's being -- that's referenced in the !
c SRP, but it's not yet out for our review yet.
24 CHAIRMAN MILLER: So that's one question I l 25 had. So you've kint *f built a document now as if you're NEAL R. GRGSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 33 WASHINGTON, D C. 20005-3701 (202) 234-4433 w
28 1 going to endorse the EPRI guideline on COTS. Is that --
2 MR. CHIRAMAL: That's correct. I O 3 CHAIRMAN MILLER: That answers a kind of a i
4 question that kind of pervaded throughout this Section l l
5 7.0.
6 MR. CHIRAMAL: As Jerry mentioned, we have i 7 been here a couple of times before this, giving the 8 details of some sections of the SRP Chapter 7.0.
9 This is a mapping that shows the layout of the l 10 Chapter 7.0 of the SRP. It has a Section 7.0, which is an 11 introductory section, and a Section 7.1. Section 7.0-is I l
i 12 the new section that provides guidance to the reviewer as l
13 to how to use Chapter 7.0 of the SRP.
- O 14 Section 7.1 is an existing section which has l
15 been revised, and it contains the general criteria. This 16 is the requirements from the regulations as well as l
17 guidance, and the basic requirements are the general 18 design criteria and the 10 CFR 50.55a (h) and Appendix A 19 and Appendix B.
20 The guidance in the document consists of 21 reference to reg. guides as well as the BTPs which provide ,
i l 22 additional details which are not covered by reg. guides.
23 The BTPs also -- One particular BTP which we l 24 discussed earlier and which we'll touch upon today will be 25 BTP 14 on software reviews, which is a predominant BTP I
l NEAL R. GROSS i COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D C. 20005-3701 (202) 234 4433
29 l
1 which has many aspects that are covered in more details by
.f s 2 regulatory guides which were endorsed by the particular 3 area.
l
- 4 Included in the Section 7.0 is reference to l
5 other generic communications, like Reg. Letter 9502 on 6 retrofit reviews, EPRI EMI/RFI document, and on the 7 digital guidance provided by Reg. Guide 1.105 on setpoint 8 methodology, 1.153 on IEEE 603 and, of course, the EPRI 9 COTS document we talked about.
10 CHAIRMAN MILLER: Question on that, and Ted 11 Quinn can help out here. You considered Reg. Guide 1.105 12 as nondigital guidance. It seems like there's some 13 digital guidance w..hin that reg. guide.
- \
'I 14 MR. CH. JUC\L: Setpoint methodology? Like 15 Eagle 21 is the digital system that applies.
16 CHAIRMAN MILLER: So I wouldn't say it's 17 nondigital. The other thing on this list, I found it --
l 18 and John Gallagher probably found it equally enlightening, l 19 that when you did the review on the STAR system, you used 20 entirely 279 as the main document for all the hardware 21 criteria which is, of course, the basis for 603.
22 MR. CHIRAMAL: That's correct.
23 MR. WERMIEL: That's correct.
24 CHAIRMAN MILLER: I would just say you should N/ 25 list 279 there, too.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
30 1 MR. CHIRAMAL: But 279 is in 10 CFR 50.55a(h).
~) 2 CHAIRMAN MILLER: Oh, that's right. Okay, (d
3 you're right. Okay.
4 MR. QUINN: I'm sure Jerry Mauck would tell us 5 that 1.105 has been reviewed and applies to digital, just 6 as well as --
7 MR. WERMIEL; Yes, 105 applies to any 8 instrumentation and control system.
9 MEMBER APOSTOLAKIS: Do we have a copy of the 10 EPRI COTS document?
11 MR. WERMIEL: We just got it yesterday, Dr.
12 Apostolakis, and we just gave a copy of it to Mike this 13 morning.
/~_ T l 14 CHAIRMAN MILLER: Yes, I have an old copy with 15 me, but I don't have this latest.
16 MEMBER APOSTOLAKIS: How do you pronounce 17 that? COTS?
18 MR. WERMIEL: COTS. It's commercial off-the-19 shelf software.
20 CHAIRMAN MILLER: The main document is not 21 really included here.
22 MR. CHIRAMAL: Included in Section 7.0 is the 23 guidance on the review for 10 CFR 52, one-step licensing, 1
24 and as part of that will be the guidelines on level of r\
l k_- 25 detail.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
31 1 The rest of the SRP is broken up into the j 1
l
,, ~3 2 sections that are for the review of systems, like the l 3 reactor protection system, the engineered safety feature 4 actuation system, and so on, and two new sections have 5 been added, one on 7.2 which is the diverse I&C systems 6 which includes the 10 CFR Part 50.62, adverse mitigation I 7 system, as well as .ny other diverse systems that are
)
8 taking credit for in the analysis.
9 Section 7.9 primarily the data communications l 10 system multiplex, primarily multiplex that would probably
)
11 be used in Advanced Light Water Reactor design; and i
12 Appendix 7-A is the existing appendix which contains the l
13 BTPs and new BTPs that have been added to it.
'- 14 MR. QUINN: Matt, on the new reg. guides, i 15 they're out for public comment now.
16 MR. CHIRAMAL: Yes.
1 17 MR. QUINN: When is that closed, and are there '
18 any comments that have been submitted?
19 MR. WERMIEL: The Research staff is here.
20 I've just been told the public comment period on the reg.
21 guide closes October 31st. Do we know if we have any 22 public comments yet on the reg. guides? We have a few, 23 apparently.
24 CHAIRMAN MILLER: Yes. Once the reg. guides
- 25 comment periods close, then that will come back. ACRS NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
32 1 will take a look at all those as a big package.
p 2 MR. WERMIEL: Oh, yes.
3 CHAIRMAN MILLER: Right now the date is April 4 of '97.
5 MEMBER APOSTOLAKIS: Incidentally, sp^aking of 6 the ACRS, are we going to write a letter this week?
7 CHAIRMAN MILLER: Yes.
8 MEMBER APOSTOLAKIS: To whom? To Taylor or to 9 higher powers?
10 CHAIRMAN MILLER: I assume Taylor.
11 MR. MARKLEY; We wrote the last one to Taylor.
12 So it would probably be appropriate to do the same here.
13 MEMBER APOSTOLAKIS: This letter will say
( )
'd' 14 what? It will address the adequacy of this, and this is 15 the last letter we're writing or --
16 MR. MARKLEY: No.
17 CHAIRMAN MILLER: No. We'11 write another 18 letter in '97.
19 MR. MARKLEY: On the final.
20 MEMBER APOSTOLAKIS: So this is more or less a 21 commentary on work in progress?
22 MR. MARKLEY: On the draft SRP with the I
23 exception of the COTS and the NAS study which also has i i
24 application, which they plan to integrate in the proposed ]
O V 25 final. So this is the pre-public comment closecut with l
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234 4433
I 33 1 the exception of the BTP or SER on COTS.
f- 2 MEMBER APOSTOLAKIS: Why did you call it b 3 closeout?
4 MR. MARKLEY: Because we have all of them.
5 MR. WERMIEL: Well, what we're -- Dr.
6 Apostolakis, what we would like is agreement from ACRS to 7 publish the document for public comment. During that 8 public comment period, what I think Mike is trying to say 9 is we are also going to be receiving additional input that 10 may have an impact on the content of the document before 11 it goes final.
12 That includes the National Academy of Sciences 13 study, as well as the public comments themselves and
,f^~ht
'ss' 14 whatever publi' comments may impact this document from the 15 comments on the reg. auides.
16 MR. MARKLEY; But as a basic and minimum, an 17 ACRS letter should address whether or not you have any l
18 objections to issuing it for public comment at this time.
19 MEMBER APOSTOLAKIS: If we do. Is it too 20 late? l 21 MR. MARKLEY: That's for their consideration.
22 MR. WERMIEL: We will, of course, be back 23 again, as Dr. Miller said, after we've addressed the 24 public comments and finalized the document.
O
\s ,/ 25 MEMBER APOSTOLAKIS: So no matter what we say, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, O C. 20005-3701 (202) 234-4433
1 34 !
1 you will go ahead and solicit public comment? That's how gx 2 it works?
C 3 MR. WERMIEL: I don't know that that's what 4 will happen at all. If the Committee has an objection to 5 issuing it for public comment, we would have to take that i
6 objection up with management and then decide what to do.
7 We may come back to the Committee. We may revise the 8 document. There are a lot of things that could happen. i 9 MR. MARKLEY: This is the same kind of process l 10 you would expect for the PRA SRP reg. guide development as 11 well. The pre-public comment --
12 MEMBER APOSTOLAKIS: The FRA, though, is not
_ 13 so advanced in the same --
14 MR. MARKLEY: No, no. The schedule is not 15 nearly as far along.
16 CHAIRMAN MILLER: And you've been here a year 17 to know that our advice is sometimes taken and sometimes j 18 not.
19 MEMBER APOSTOLAKIS: That's true.
20 CHAIRMAN MILLER: So we should move ahead 21 here.
22 MR. CHIRAMAL: Yes. I think this slide was 23 mentioned a lot by both Dr. Miller and Jerry who mentioned 24 that we're not changing the existing SRP outline. We are m
I 25 just revising it and including additional guidance for the
~/
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
- - .-. - .-.-.. -- _ . .. - - - . . . - . . .- - . . . ~ . - - . - - . - - _ - . - .
35 1 review of digital systems as well as things that have been l q 2 performed by the staff since 1981.
3 CHAIRMAN MILLER: Matt, your plan now is to go ,
4 through each of these sections one by one? l l
5 MR. CHIRAMAL: Yes. Quickly. (
l 6 MR. WERMIEL: Very quickly, Matt, because 7 we're a little behind. I
, 8 MR. CHIRAMAL: Yes. !
i ,
9 CHAIRMAN MILLER: Well, I warned Matt before i 10 we started I didn't believe the schedule was going to 11 happen.
12 MR. CHIRAMAL: Well, primarily because we --
l 13 as you'll see in the next couple of slides, the major i 14 portions of the SRP hm.e been through the two meetings.
i r 15 That picked up on the basic scheme of the changes that we- (
16 did. That gave you an idea of the details of what's in 17 the SRP, and the rest of the sections which came in after !
18 are just like cookie cutters, really. It's a duplic'ation 19 of Section 7.2 for the systems.
20 CHAIRMAN MILLER: And in each spot you refer 21 back to 7. -- all digital?
I 22 MR. CHIRAMAL: Right.
23 CHAIRMAN MILLER: So we might want to harken 24 back to that section, once we get through these sections f 25 to see if we're all comfortable with that one.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
36 1 MR. CHIRAMAL: Primarily, we have made -- As 73 2 we said before, we have made no fundamental changes to the 3 architecture of Chapter 7. It's the same as the one that 4 existed before.
5 It has a - We did introduce three new 6 rections, 7.0 on how to use Chapter 7, Section 7.8 on 7 diverse actuation, which includes the ATWS mitigation 8 systen. and any other diverse actuation system which we're 9 taking credit for in the accident analysis or any other 10 analysis that's in the SAR, and then Section 7.9 is the 11 new section on data communications.
12 CHAIRMAN MILLER: You didn't make any change 13 in the architecture. Did you make any change in
,\
(
14 substance?
15 MR. CHIRAMAL: In the substance or the content 16 of the sections,yes.
17 CHAIRMAN MILLER: Okay. You're going to cover 18 that, though?
19 MR. CHIRAMAL: Yes. Yes, I have slides 20 following, goes through every section.
21 CHAIRMAN MILLER: Okay.
22 MEMBER APOSTOLAKIS: Did you do anything 23 anywhere that went against an IEEE standard?
24 MR. CHIRAMAL: No, we were consistent.
/m
_- 25 CHAIRMAN MILLER: Well, you took exceptions.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 I
37 1 MR. CHIRAMAL: Well, that's the regulatory fm 2 guide we did. We took exceptions, and we reviewed.
t \
V 3 MEMBER APOSTOLAKIS: Can you remind me of one 4 exception?
5 MR. WERMIEL: Oh, I'm trying to remember an 6 exception in one of the reg. guides.
7 MR. CHIRAMAL: Well, independence of the 8 review, V&V team as compared to the design team. That's 9 an exception.
10 MEMBER APOSTOLAKIS: Would the IEEE standard 11 except the same guys doing it?
12 MR. WERMIEL: If the standard didn't call for 13 that, then we did call for it. We did.
(' MR. CHIRAMAL: It's clarification more than 14 15 exception.
16 MEMBER APOSTOLAKIS: So the standard was 17 written at the same level as your BTP. It allowed --
18 MR. CHIRAMAL: The standard was not written 19 for a nuclear application. It's a general application.
s 20 MEMBER APOSTOLAKIS: Yes, I know, but isn't it 21 true, though, that wherever there was an IEEE standard, 22 you really rushed to endorse it?
23 MR. WERMIEL: Rushed to endorse it? No.
24 MEMBER APOSTOIAKIS : That's the impression I
(/ 25 get from re # ig this. I mean, is there any IEEE standard NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
}
38 !
1 on software that is not endorsed?
l 2 MR. STEWART: There is approximately 700 O 3 software standards published in the world right now. We 1
4 narrowed it down to this group that had been around for a :
5 while and have been tested and benchmarked on nuclear l 1
6 applications.
4 7 So these were selected. Most of them were i 8 previously endorsed in the origin'al 7-4.3.2. So they have 9 been around for a while. So I don't think we really 10 rushed into this particular set that we selected.
11 CHAIRMAN MILLER: I notice you added the ASME 12 and Q-1 now that was not before. ;
i 13 MR. STEWART: Correct. l O 14 CHAIRMAN MILLER: We certainly support that ;
l 15 addition.
16 MR. CHIRAMAL: A new set of Branch Technical 17 Positions: Now Branch Technical Positions are really 18 guidance to the reviewer to review a design which is not 19 provided anywhere else, either in the standards or in the 20 sections of the SRP, and that's where the BTPs are. It's 21 one level below or it's additional details to the reviewer 22 to provide guidance.
23 We found that in the areas of software reviews 24 we tried to keep the BTP 14 for software reviews as the 25 basic document that wraps all the other regulatory guides NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
l l 39 l l
l 1 into it, and it was the most voluminous document when we i fs 2 initially started, but we pared it down to what we have lh I
3 now.
l 4 We have a BTP on defense-in-depth and l 5 diversity, on real-time performance. Most of these are 6 for the digital system reviews, and then there are other 7 non-digital system topics, BTPs like the review of Reg.
8 Guide 1.97, setpoint methodology which is, as you say, 9 applies to both digital and non-digital.
10 CHAIRMAN MILLER: RTD -- 1 11 MR. CHIRAMAL: RTD bypass cross-calibration.
12 The next slide lists the various regulatory 1
13 guides that were written by the Office of Research and l
(".s\
l
) 14 which have been through the Committee already, so. i i
i 15 CHAIRMAN MILLER: Just a point of 16 clarification. I noticed in this liat you refer to them 17 with the DG number --
18 MR. CHIRAMAL: That's the number that I --
19 CHAIRMAN MILLER: -- but in the document you 20 referred to them as your XX or YY.
21 MR. CHIRAMAL: Yes, wa're going to -- before 22 the document goes for public comments we will put these 23 numbers in there.
l 24 CHAIRMAN MILLER: Substitute them?
t m
- 25 MR. CHIRAMAL: Exactly.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234 4433
. _ _ . . _ . _ _ _ _ _ _ _ . . _ . _ _ . _ _ _ . _ - - . _ . _ _ ._._.__._..._.____._._____._m._
t 40 +
1 CHAIRMAN MILLER: I know it's normal. I think i 2 it's part of George's confusion probably, factor, and it's
! i
! 3 part of mine too, at times.
i
! 4 MR. CHIRAMAL: The SR field, the new Reg I
5 Guides are, will have no impact on existing systems.in h
j 6 that it will be used for the review of future applications i
7 and licensed amendments that come in with -- systems are i
! 8 modified.
4 9 Publishing the SRP will help -- its primary
. i 10 purpose is for the review of, the new guidance to the 4
l 11 staff members and will also allow licensees and designing
! 12 people to have an understanding of what we're looking for
- 13 in the way of implementation of the design.
14 It will also help utilities making a 10 C.F.R.
15 50.59 evaluation as to what to look for in unreviewed 16 safety questions.
17 CHAIRMAN MILLER: The statement you have 18 there, it says " Licensees have a clear path to acceptance 19 of modifications". I think only time will tell whether 20 that's true. I find that statement rather presumptuous.
21 MR. CHIRAMAL: Well, it tells the licensee 22 that this is what we're going to be using to review your ]
l 23 application, and in that sense it doesn't -- what to look 24 for, what the staff is looking for and what the staff 25 considers a safety significance.
I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4 33
I 41 l 1 MEMBER APOSTOLAKIS: Well, the fact that it's g- 2 clear doesn't mean it's good.
~
3 MR. WERMIEL: That's true.
4 MR. CHIRAMAL: Yes, that's true.
5 MR. WERMIEL: I think Dr. Miller's right. No ,
6 no. I -- I think Dr. Miller's right. Time will tell.
7 The fact that we finally put together the "what" of a 8 staff review I think is a, kind of a milestone for the 9 industry because they've been asking for this for quite a 10 long time, and we can at least show them this.
11 MEMBER SHACK: But just because it's intended 12 to be clear doesn't mean that it is.
13 MR. WERMIEL: That's true.
r~% ,
(N-14 MR. CHIRAMAL: That's absolutely true.
15 MR. WERMIEL: As a matter of fact, I'm sure 16 the public comments will tell us that it isn't clear.
17 MEMBER APOSTOLAKIS: At a certain level it is 18 clear.
19 CHAIRMAN MILLER: I would say that, you know, 20 your Section 7.0 certainly is going to make it much easier 21 to follow.
22 MR. WERMIEL: That's our anticipation. We 23 think 7.0 is an achievement in the sense that, for the 24 first time we have to -- we've delineated how a review was (My
(,) 25 actually going to be done depending on the type of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
42 1 application that's before the reviewer. I don't believe 2 you'll find anything quite like that anywhere in the 3 Standard Review Plan.
4 CHAIRMAN MILLER: Probably good for other 5 chapters to look at what you've done there, but whether 6 the licensees are going to view it as --
7 MR. HERMIEL: I hope so.
8 MR. STEWART: I think it's worth noting that 9 everything that's in here, while it's never been all put 10 in one package and put out as one product like this, 11 everything in here has been used of licensees --
12 MR. WERMIEL: Yes. i 13 MR. STEWART: -- and the feedback I get is '
(V~h' 14 they much prefer having something like 7-4.3.2 to work l l
15 against rather than having reviewers show up with no laid-16 out groundwork for what they need to provide.
17 MR. CHIRAMAL: As been mentioned earlier, the 18 revised SRP or the updated SRP, Chapter 7, will be used in 19 the -- for the' review of both the advanced light water 1
20 reactor applications as well as license amendments. Then j i
21 of course, the depth of review for a license amendment 22 will differ entirely, a lot upon what changes are being 23 asked for and the depth of the review will depend upon the )
24 significance.of the changes.
() 25 CHAIRMAN MILLER: Yes, that statement bothered NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
i 43 I
)
1 me in March and May, and for some reason it bothers me l l
2 even more today. I understand what you're saying. You're 3 saying, depending on the complexity in relation to safety I 4 tells the reviewer how much time you're going to spend on 5 --
6 MR. CHIRAMAL: That's correct. How much --
l 7 CHAIRMAN MILLER: It doesn't give any guidance i
8 to the licensee on what he has to do depending on the ,
l :
i l
- 9 safety significance. There's no graded approach built in 10 to that -- i
)
11 MEMBER APOSTOLAKIS: And how is safety 2 12 significance determined? It isn't saying.
l l
13 MR. WERMIEL: Can I make a point? In the 1
14 design of a safety-related system, I don't believe the 15 staff -- our expectation is that the designer would do 16 essentially the same thing in the development of it, i
)
17 notwithstanding its complexity. In other words, even if l
18 you're designing simply a radiation monitor, a digital 19 radiation monitor, you would have to ensure that you've 20 got the proper documentation or'whatever to demonstrate 1
21 quality commensurate with Appendix B if it's a safety-22 related radiation monitor. The same would be true for l
l f
23 reactor protection system, Don.
24 CHAIRMAN MILLER: Yes, I should have said more f 25 -- not complexity, more relation to safety significance.
I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
44 1 MR. WERMIEL: Again, unfortunately, when we 2 call something safety-related, the documentation that we 3 require to demonstrate that it's safety-related is the 4 same for a radiation monitor as it is for a reactor 5 protection system. So in that sense it's encumbent upon 6 the designer to ensure that they're meeting whatever 7 requirements are commensurate with the safety 8 classification of the system, consistent with Appendix B.
9 Now, I think what we're saying here is, our ;
10 review may not be quite as intense of that documentation 11 for something like a radiation monitor versus a reactor 12 protection system. ;
13 CHAIRMAN MILLER: But the criteria that should i 14 be followed by licensees should be exactly the same?
i 15 MR. WERMIEL: Yes -- '
16 MR. CHIRAMAL: That's correct.
17 MR. WERMIEL: -- that's basically the case.
18 MR. QUINN: Except at a system level for 19 diversity in defense and depth, we have a graded approach.
20 MR. WERMIEL: Well remember, I'm talking a 21 radiation monitor versus a reactor protection system. The 22 diversity for a radiation monitor if you read the SRP, 23 doesn't apply. It does apply for the protection system.
24 So that particular aspect is something that you would 25 focus on in the one case and not the other.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-443% WASHINGTON, D.C. 20005 3701 (202) 234-4433
. _ _ _ __ - . . _ _ _ _ . . . . _ _ . _ . _ _ . . _ _ _ _ _ _ _ _ _ _. . _ _ __ __ m_..__.
- 45 i j 1 MR. CHIRAMAL
- In fact, that's what -- !
4
~
2 CHAIRMAN MILLER: And that way the graded r
3 approach.is built in?
f 4 MR. WERMIEL: Exactly. That's exactly right.
1
- 5 It is built in in the sense that we have already prejudged 3
6 certain things to be more important and therefore we apply I
j 7 diversity to them, let's say as an example, versus others, 6
a 4 :
4 ,8 where we don't.
4
- 9 MR. QUINN: The question comes in for example, i
l 10 Reg Guide 1.105 is very specific guidance on what is a ]
11 graded approach.
i \
~
- 12 MR. WERMIEL
- Yes.
l t l 4
13 MR. QUINN: I agree with it. I think it's --
l
, 14 that level of specificity is not provided in 7.0a or --
i l 15 MR. WERMIEL: Yes.
16 MR. QUINN: That's not there.
3 i 17 MR. WERMIEL: I think that's fair.
i 18 MR. CHIRAMAL: It's the call of the reviewer l
i 19 and the staff member to --
I l 20 MR. WERMIEL: We anticipated a fair amount of i
21 comments on that graded approach in 1.105 as a matter of l 1
)
, 22 fact. The -- again, correct me if I'm wrong, Matt, but I
- i j 23 think the software development process itself, the BTP, l
24 even has -- I don't know if I'd call them caveats or i i (~
4 25 exceptions, but it does tend to allow for a gradation in l 4
J I
! NEAL R. GROSS
- COURT REPORTERS AND TRANSCRIBERS i 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
46 1 the design of the software, . depending on its importance to 1
f- s 2 safety, does it not? I 3 MR. CHIRAMAL: Yes. l 4 MR. WERMIEL: I thought it did. I thought l l
5 there were words to that effect. I remember reading some ,
l' 6 words to that effect in there. So it may not be quite as 7 explicit, Ted you're right, as the guidance in that Reg ,
l 8 Guide, but I believe that there is, certainly, some !
9 statements in the Branch Technical Position that the l 10 designer has a somewhat more latitude for systems that are l 11 not safety-related.
l 12 CHAIRMAN MILLER: As we go through, could you 13 point a couple of those out? See if I pick those up as 14 well as you.
15 MR. WERMIEL: Boy, you guys will have to do 16 that because I don't know where they are. I remember 17 reading them at one point, but --
18 MEMBER APOSTOLAKIS: The word " complexity", is 19 that used in the everyday -- in its everyday meaning, or 20 does it mean anything else? I mean, what is a complex 21 system? Or complexity of the change?
22 MR. CHIRAMAL: Well, it's again, subjective, 23 but what we're looking for is the extent of the change, if 24 it's a reactor protection system and what parts of the rs
% 25 reactor protection system. Is it the entire system from NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
i 47 ]
1 the sensor down to the actuator device? Then it's 2 complex. Does it include additional things like self-3 testing? Does it provide input to the other computers?
4 What are the interfaces? And those are the complexities 5 that come in. If there's a small change just to a meter 6 alone, then it's not a complex system.
7 MEMBER APOSTOLAKIS: In the last bullet, 8 defense-in-depth and diversity, what does defense-in-depth 9 mean here?
10 MR. CHIRAMAL: Defense-in-depth means there's 11 a certain process they've got to follow using Chapter 15 12 events to make sure that, for a -- unit common mode 13 failure of the software in the protection system or the 14 safety system, that you have other systems that will 15 compensate for that.
16 MEMBER APOSTOLAKIS: And do they have any 17 guidance as to how to postulate that common cause failure? ,
l 18 MR. CHIRAMAL: Yes.
-l 19 MR- WERMIEL:
. Yes. I 20 MR. CHIRAMAL: It's in BTP 16.
21 CHAIRMAN MILLER: Yes, I think that part is j 22 pretty well laid out. From my perspective.
23 MEMBER APOSTOLAKIS: And this is limited to 24 the software, right? It doesn't go all the way to -- for 25 example, it it's a scram system, diversity would require NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
48 1 that one train or one system --
7-) 2 MR. CHIRAMAL: Well, the scram system's ed 3 already required by 50.62, a diverse system or ATWS 4 mitigation system is --
5 MEMBER APOSTOLAKIS: No, but I'm trying to 6 understand, how far does diversity go? I mean, does it go 7 all the way to, you know, thou shall monitor these 8 parameters, in this other system than other parameters? ,
1 9 But that's none of the software engineer's business.
10 MR. CHIRAMAL: No , it's not. It is not --
11 MEMBER APOSTOLAKIS: So where does it stop?
12 MR. CHIRAMAL: Against the -- it's based on 13 the Chapter 15 analysis.
14 MR. WERMIEL: It stops with the events that 15 are to be protected against. In other words, the licensee 16 knows what events are required for protection, and we 17 define -- or, we say that for those events you must have a 18 diverse capability, so they know what equipment is needed 19 to cope with those events and therefore they must have a 20 diverse way of ensuring that that equipment will work, or 21 that something equivalent is available to accomplish those 22 functions. That's basically what the BTP says.
23 MR. STEWART: Yes, I think maybe what you're 24 getting at, this BTP really only addresses the common p
b 25 cause software --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
49 1 MEMBER APOSTOLAKIS: That's right.
fs 2 MR. STEWART: The other diversities and i I v' 3 defense-in-depths, for example, the aux feedwater system 4 having a turbine-driven pump and a motor-driven pump, 5 you'll find that in the other SRP chapters.
6 CHAIRMAN MILLER: I think that, George, I 7 think the whole concept would be much clearer to me once 8 they go through the case study, because the STAR system is 9 built basically on the concept of diversity.
10 MEMBER APOSTOLAKIS: In fact, maybe we should 11 spend most of our time on that. It seems to be --when is 12 that? At 10:15?
-w 13 MR. WERMIEL: And if you would like, my part
's- 14 of it is just an overview of Chapter 7 -- of Section 7.0, 15 and I don't have to even do it if it's felt it's 16 unnecessary, and Paul can go right into its application 17 for the STAR system. I l
18 MEMBER APOSTOLAKIS: I think it's a great 19 idea. Great idea. l 20 CHAIRMAN MILLER: You want to jump to the 21 example --
22 MEMBER APOSTOLAKIS: I think we -- I mean, 23 since specificity seems to be an issue, let's go through a 24 case study and maybe communicate a bit better.
m m ) 25 MR. WERMIEL: With an actual review on this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
50 1 stuff.
2 CHAIRMAN MILLER: Yes, I think -- I know I 3 have and I know Ted Quinn has questions. I don't object 4 to going to the case study as long as we can come back' 5 with questions later on. I do believe that you're right. ;
6 The case study may answer some questions.
I l
7- MEMBER APOSTOLAKIS: Yes. 1 i
l 8 MR. MARKLEY: I think it would be good if we I I
9 wrapped up whatever portions of the overview, and then 10 pick that up at the break time, because there may be 11 people who wanted to attend that portion only, and if you 12 start into it.before that time, then you run into a public 13 access problem. That's the only point. i O 14 MEMBER APOSTOLAKIS: I didn't follow that.
I 15 MEMBER BARTON: Stick to the agenda, is what 16 he's saying. i l
17 MEMBER APOSTOLAKIS: Oh, okay. In plain 18 English.
19 MR. CHIRAMAL: The rest of the slides really 20 go through the entire Chapter 7 starting from Section 7.0, 21 which -- whose focus is, as we said, is to provide 22 guidance to the reviewer on how to use Chapter 7. It 23 tells them what the materials he should be getting from 24 the licensee, how to plan the review, how to schedule the 25 review, and then of course, how -- when --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 l 1
I
51 1 MEMBER APOSTOLAKIS: Did - daderstand fm 2 correctly earlier, one of you gentlemen said that even a
(
3 figure such as that on page 14 -- I think you just showed 4 that, yes? No, 14, these are numbered, right?
5 MR. CHIRAMAL: Right. Flowchart.
6 MEMBER APOSTOLAKIS: Flowchart That's not on 7 14, though.
8 MR. CHIRAMAL: That's in the Appendix to 7a --
9 MEMBER APOSTOLAKIS: Yes.
10 MR. CHIRAMAL. -- which is process fc.c review 11 --
12 MEMBER APOSTOLAKIS: Even that is something 13 that did not exist before, and that --
,A t \
b 14 MR. CHIRAMAL: That is correct. )
i 15 MR. WERMIEL: That's correct. That's exactly 16 right.
17 CHAIRMAN MILLER: And that figure has not 4
18 changed since March or May, right?
19 MR. CHIRAMAL: No.
20 MR. WERMIEL: No, it's not.
21 MR. CHIRAMAL: It's the same one we showed you )
l 22 when we -- l 23 CHAIRMAN MILLER: I wanted to veri -- I did 24 check that.
f')%
(, 25 MR. CHIRAMAL: Yes, as we said, Section 7.0 is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISUAD AVE., N W.
(202) 234 4 433 WASHINGTON, '.) C. 20005-3701 (202) 234 4433
52 1 new as well as Appendix A to Section 7.0, it's also a new
<x 2 section. And it gives additional guidance for the review l \
x_/
3 -- of digital systems to the reviewer. It follows the 4 flowpath where you, you know, you get an application and 5 then it walks through steps that we consider then, basic 6 design review.
7 MR. QUINN: Matt, I've got a question on that 8 one. The diverse section now, section 7.8, why is that 9 not up with RTS and ESFAS per the 10 C.F.R. 50.62 10 requirement, to go through the diversity and defense-in-11 depth design review? It is back in Branch Technical 12 Position, it refers to it, is it must meet the 13 requirements, diversity, defense-in-depth. And then it's 14 shown as not requiring that --
15 MR. CHIRAMAL: You mean up here?
16 MR. QUINN: Up there instead of down on the 17 right, yes.
18 MR. CHIRAMAL: In Section 7.8?
19 MR. QUINN: Yes, right now it's listed in the 20 middle --
21 MR. CHIRAMAL: Well, it's middle in the sense 22 the -- it says that you need to do defense-in-depth and 23 diversity analysis only if you're reviewing the reactor 24 trip system or the engineering safety feature actuation
/~
(,S) 25 system.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
53 1 MR. QUINN: Why not diverse actuation?
fx 2 MR. CHIRAMAL. Well, when you -- it's a 3 different logic in there. When you review the diverse 4 actuation system, all you've got to make sure is that it 5 is diverse from the RTS and the ESFAS, but you don't have 6 to defense-in-depth analysis for diverse actuation system.
7 MR. WERMIEL: Correct.
8 MR. CHIRAMAL: It's the result of an actuation 9 -- it's a result of the analysis, it's not because of the 10 analysis. So if you make a modificatioa, say to the 11 diverse actuation system, you don't have to go through a 12 defense-in-depth analysis.
13 MR. QUINN: No, it's just with some of the !
/~N !
( '
\ ') 14 digital systems now that are being used for ATWS --
l 15 MR. CHIRAMAL: Well, those --
16 MR. QUINN: -- the design -- in review and the l
17 design we've got to make sure that it's not the same as )
l 18 the design that's been used in the current system -- l 19 MR. CHIRAMAL: That's correct.
20 MR. QUINN: -- and I don't see --
21 MR. CHIRAMAL: Well, because what we say in 22 that section of 7.8 is that you've got to make sure when 23 you implement the design of an ATWS mitigation system or a 24 diverse actuated system, that you do not violate or do
(~)%
(, 25 anything contrary to the defense-in-depth analysis you did NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 N
54 1 for the ESFAS or the RTS.
2 MR. QUINN: Okay, I thought about that a lot O 3 and I just thought that it belonged up there. It just !
4 seemed to me that in the history of the way the licensee's 5 reviewed it,.it would be up there, but you don't think so?
6 MR. CHIRAMAL: Well, we debated that and what 7 we did was, you write that phrase in the Section 7.8.
8 MR. WERMIEL: Can I make a point for Ted?
9 Maybe it will help. One of the reasons I think Ted, we )
l 10 made a separate section for diverse actuation system is l 11 that, in the advance reactor reviews there is such a l
12 system. In the operating plants a comparable system would '
13 be called the AMSAC, or the ATWS Mitigation System. ,
O 1
1 14 That's a different system, a separate system from the l 15 reactor protection system or the engineering safety i
16 features actuation system. That's why it's in a separate 17 section. I think that was the logic we went through.
18 MR. CHIRAMAL: I think Ted's question is 19 basically, why didn't you tie in the defense-in-depth 20 analysis in Section 7.8?
21 MR. JOHNSON: This is Gary Johnson of Lawrence 22 Livermore. Let me try a different tactic and this is 23 that, I think the philosophy we arrived at there is the 24 defense-in-depth and diversity analysis is part of the O
V -25 basis for acceptance of the design, the reactor trip ,
a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
55 1 system. It's not really part of the basis for the design gs g 2 of the ATWS system. The ATWS system is there as a backup.
t Ls')
3 Now, if you're doing an ATWS system design, 4 you need to confirm that you've addressed any impacts on 5 any other systems, just like if you do a design 6 modification to an HVAC system you need to ccnsider the 7 impacts on systems in Chapt + 7, Chapter 5, and so on. So 8 that's the philosophy here, is that the requirement to do 9 the analysis is located with the system for which the 10 analysic provides part of the acceptance basis.
11 MR. QUINN: I think scae of the public 12 come s that will come back will say that up there in 13 that corner, what would be expecting what we saw in
/~i <
l
\2 14 licensee reviews, I believe in the past, are RPd and ATWS, 15 and that ESFAS is a new addition. That's what I see as 16 being the experience on reviews, but that's -- I guess l 17 we've discussed it enough.
38 MR. CHIRAMAL: Okay. Slide 15 is where we are 19 now. It talks about Section 7.1 -- 7.1 is where the basic 20 acceptance criteria and the guidance are listed, and 7.1 21 is the chapter to which the SRP, other sections of the 22 SRP, 7.2 through 7.9, bring the reviewer to, because this 23 is where the basic acceptance criteria are provided.
24 And the regulatory basis for these technical O
(_s/ 25 acceptance criteria are the basic acceptance criteria, of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
56 l
l 1 course are the density of 10 C.F.R. 50.55a(h) which is --
l ,,q 2 endorses IEEE Standard 279. And for the reviewer the lU 3 guidance is provided to say that IEEE Standard 603 and 4 IEEE Standard l ,
l 5 7-4.3.2R equivalent to 279 for the review of both analog i l
l 6 as well as digital systems.
1 1 7 And then 10 C.F.R. 50.34(f), which contains I 1
8 all the TMI action plans, 10 C.F.R. 50.62 on ATWS 1
9 mitigation. And Appendix A contains the general design l
10 criteria.
11 CHAIRMAN MILLER: Just a comment on 7.1. I 1 l
12 noticed you added a line relating to lightning protection.
, 13 MR. CHIRAMAL: Yes, we did. After that -- in 1 f~)
t
'w
i 14 response to your comments.
15 CHAIRMAN MILLER: We'11 maybe talk about that j 16 later today. j 17 MR. CHIRAMAL: The structure of Seccion 7.1 18 is, as we said before, is unchanged but we have added of 19 course, Appendix -- revised Appendix B and added a new 20 Appendix C which is an evaluation with respect to IEEE 21 603. And in the areas to review in acceptance criteria, 22 we've added the reference to the new regulatory guides and l l
23 renew standards and new BTP's.
24 In Section 7.1 we have added review guidance
,m 25 from digital system reviews and that is primarily based on l l
l NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, O C. 20005-3701 (202) 234-4433
57 1 IEEE standard 7-4.3.2, which is endorsed by the 1993
(~ 2 revision of this -- Reg Guide 1.152, Rev. 1. And the top C
3 layer of this chart actually lays out the paragraphs in 4 the regulatory .;13e -- or rather, in the standard. And 5 below that lies the BTP's and the regulatory guides that 6 provide additional guidance to the reviewer.
7 For example, in the area of qualification of 8 existing computers we have a BTP for programmable logic 9 controllers, and we will have this commercial dedication, 10 commercial digital equipment EPRI document as a reference 11 when it is finally issued with an SER.
. 12 In the last two legs of the chart shows items 13 which are not at present in the IEEE standard but which l I
\/ 14 are defense-in-depth against common mode failure and any 15 emerging software matters which are not covered by the 16 standard that is defined there. All we have in 7.1 is a 17 small paragraph to the reviewer saying that, because the 18 technology is changing you could be expected to see other 19 methods of implementation of digital technology --
20 CHAIRMAN MILLER: You're referring to Item 8 21 on page 7-1.6, is that --
22 MR. CHIRAMAL: Yes.
23 CHAIRMAN MILLER: Of course, and George is not 24 here, we do specifically --
b(_/ 25 MR. CHIRAMAL: Formal methods --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234 4433
__...__.._._____.____...__.._.._.m__ - _ _
l 58 l
l 1 CHAIRMAN MILLER: -- mention formal methods --
l i
2 MR. CHIRAMAL: Formal methods, oh yes, and lO 3 there -- and other non-procedural languages like Euronet, 4 -- Logic, Artificial Intelligence --
5 CHAIRMAN MILLER: Right. ,
6 MR. CHIRAMAL: We expect to see those coming ,
7 in, and an applicant may suomit a design based on 8 something that we haven't yet considered in our SRP, and 9 that's all what this particular paragraph tells the 10 reviewer.
11 CHAIRMAN MILLER: So that would -- how would 12 you handle that? I mean, I'm going to recommend --
13 MR. CHIRAMAL: It will be a case-by-case 14 basis.
15 CHAIRMAN MILLER: In other words, we'd --
16 MR. CHIRAMAL: We'11 have to --
17 MR. WERMIEL: We could have a lot of problems.
18 MR. STEWART: I think I can give you an 19 example. We nave a review coming in for the use of 20 ASIC's, Application Specific Integrated Circuits, that we 21 did not have anything specific in the SRP for, so we went 22 out and got a contractor to help us line up some i
! 23 acceptance criteria and some guidelines and we've been 1
i 24 working with the industry to see what they're doing and 25 coming up to speed on it. We hope to basically, bring
- NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234-4433
- l. .- _ _ . _ . _
59 1 that up to the level that we could add that as a BTP.
rx 2 CHAIRMAN MILLER: That would be a BTP or an
( )
N_/
3 SER, either one, or --
4 MR. WERMIEL: It will be an SER on a topical 5 report in all probability, not a BTP.
6 MR. STEWART: It will show up as an SER.
7 Eventually, if it works out we would use that information 8 --
10 CHAIRMAN MILLER: With a small neural network 11 building to a control system for a low-level safety -- low 12 safety significance.
13 MR. WERMIEL: You're talking about, Don, in a rh
() -
14 safety-related application or in a non-safety --
l 15 CHAIRMAN MILLER: Say in a control system, i
16 MR. WERMIEL: Well, control system as opposed 17 to a protection system?
18 CHAIRMAN MILLER: Right.
19 MR. WERMIEL: On something that they could 20 probably implement even without our review, because they 21 probably didn't credit it in the Chapter 15 Accident 22 Analyses, so it would probably fall out under 50.59.
23 However, I think we'd be very interested in such a system 24 if they were going to use it, for our own future t'~')s
'U 25 knowledge.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
--_- - -. ..-- - - . - ~.---,.:---.
JO 1 CHAIRMAN MILLER: I think it's only fair to !
)
2 ask --
O- 3 MR. WERMIEL: Yes, some plants I guess, are 4 using things like that for certain -- they don't use them 5 in a control application.
6 CHAIRMAN MILLER: That's Crystal River --
7 that's the one University of Tennessee is working on? 3 8 MR. WERMIEL: Right.
{
9 CHAIRMAN MILLER: I kind of knew that was ,
10 happening. I just was curious to how far we are on that.
I 11 MR. WERMIEL: Yes, well -- >
12 CHAIRMAN MILLER: That's one of my --
13 MR. WERMIEL: If somebody was to propose use l 14 of neural networks in a safety-related application we l 15 would have somewhat of a problem, because it would be a 16 little bit unique for us to address all the issues that we i
17 would be concerned about, and we would probably have a lot 18 of dialogue with a licensee on something like that.
19 CHAIRMAN MILLER: Well, we certainly do expect 20 that to happen over the next several years.
21 MR. WERMIEL: It may happen, thera's no )
1 22 question -- l l
23 CHAIRMAN MILLER: -- network -- I 24 MR. STEWART: Probably not in safety systems. j i
O. 25 Most of what goes in the safety systems tends to be, the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
61 1 basic technology is at least ten years old.
7- 2 MR. WERMIEL: Yes, I'm not sure our licensees
{,s,1 '
3 would want to take a regulatory risk, let's say, with l
4 something of that sort. ;
l 5 MR. CHIRAMAL: Yes, Section 7.1 has a table 6 7.1-1 which is, summarizes at a glance, all the standards 7 and the guidance and the regulatory requirements that 8 apply to the INC systems and it's got -- which are 9 particular to which section, which sections of the SRP.
10 CHAIRMAN MILLER: That' 7.1 --?
11 MR. CHIRAMAL: It's 7.1-1. Appendix 7.1-A is 12 really the place where -- it's a roadmap for the reviewer 13 to go to look for the acceptance criteria and the ,
I )
\ ') 14 regulatory guides, and I think this is the part of what 15 Dr. Apostolakis was talking about. Is when you review any 16 other section 7.2 through 7.9, it will bring us back to 17 the 7.1-A where we have the 10 C.F.R. and the general 18 design criteria requirements.
19 And from there it goes into the regulatory 20 guides and the BTP's, as well as into Section -- Appendix 21 7.1-B and C where the reviewer is guided to plant 22 acceptability of the design against IEEE 279 or 603.
23 CHAIRMAN MILLER: Recognizing this wasn't 24 available when you did the STAR system, would it be o
\s , 25 possible when we go through the STAR that we kind of try NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON. D C. 20005-3701 (202) 234 4433
. . . - - - - - - - - - . - . - . - - . - - - . ~ . - - - - - . - . .
- 62 ,
! 1 to go back to using this? or maybe they're planning to do ,
i !
! 2 that. i
- O j 3 MR. CHIRAMAL: Yes, I think it --
i l 4 CHAIRMAN MILLER: I think that would help me. }
i 5 MR. CHIRAMAL: When the reviewer talks about :
! 6 his metnod of review it will go through this particular -- i i
- 7 it starts off with the general design criteria and the 10 i e :
f 8 C.F.R. and the IEEE 279, and then where he needs !
- t 1
- 9 additional details he's going to standards, regulatory ;
i 10 guides or the BTP's.
f 11 MR. QUINN: Matt, have you reviewed -- in each 4
12 of Section 7.2 through 7.9, they address specific type
]
l 13 systems. Has there been a review by the staff of a a
i 1
{ 14 digital system in each of those sections so that we have i 4
- 15 lessons learned from that, that go back to 7.1? Have we 1
l 16 done every one at least once through?
1 l
17 MR. CHIRAMAL: Except on the advanced i
l 18 lightwater reactor review, but for --
I 19 MR. QUINN: But I'm more --
i 20 MR. CHIRAMAL: -- retrofit the --
t i 21 MR. QUINN: Retrofit plants? l f
1
. 22 MR. CHIRAMAL: No. Primarily it's been the I
l 23 reactor -- parts of the reactor protection system and some l .
24 of the monitoring systems and the wide range neutron i
- O.
2e menitere ane thime 11ke that.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
j (202) 2344433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 i
i 63 l i i 1 MR. QUINN: I think you've gotten most of them ;
l 2 and that's what I -- I'm wondering what you haven't N/ 1 l
3 gotten. .
4 MR. STEWART: We've -- yes, we've looked at l
5 RPS, ESFAS systems, ATWS systems --
6 MR. QUINN: Radiation.
7 MR. STEWART: Radiation, both wide range and 8 now to OPRM's. We've looked at some non-safety systems 9 like feedwater. So I think we've covered most --
10 MR. QUINN: Like accident monitoring digital ,
l 11 systems?
12 MR. STEWART: I've looked at PAMS, I think 13 we've covered most of them.
,O
'- 14 CHAIRMAN MILLER: I realize the Committee as a 15 whole may not be interested in all of that, but I would be 16 interested in some of those, if they're available.
17 MR. STEWART: There's SER's on all of them, 18 yes.
19 CHAIRMAN MILLER: Okay. I'd find that 20 interesting to me.
21 MR. CHIRAMAL: Back in March when we presented 22 the Section 7.1 and 7.0, we did not have Appendix 7.1-B 23 and 7.1-C, so that's something new that you see. But 7-lb l 24 is an existing section of the SRP, -- SRP, which is really A
kJ s- 25 review guidance on conformance to IEEE 279 at --
NEAL R. GROSS j COURT REPORTERS AND TRANSCRIBERS
- 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 l
i 64 1 CHAIRMAN MILLER: Basically, the STAR system i
2 review sent you 7.1-B, right?
l
- 3 MR. CHIRAMAL: Yes.
4 MR. WERMIEL: Yes, i
- i
i l 7 systems were not any different --
i j 8 CHAIRMAN MILLER: Right.
}
9 MR. WERMIEL: -- than they were for the analog I 10 system that it replaced. And that's compliance with IEEE 11 279. That's the licensing basis, i
12 CHAIRMAN MILLER: A reviewer could then choose l
j 13 to use 603. Is it a matter of what you choose to do or j i
1 14 you can do --
l 15 MR. WERMIEL: Well no --
i l 16 MR. CHIRAMAL: It wasn't what the licensee --
4 j 17 MR. WERMIEL: The real key here is, which one
! 18 of the two is the licensee required to meet per their 19 licensing basis? All of our operating plants comply with 20 IEEE 279 based on 50.55a(h). Future plants in all, at 21 least as far as the design certifications go, will meet 22 IEEE 603, since that's the basis upon which their designs 23 were developed, and that's the standard that's referred to 24 in those certification rulemakings.
25 CHAIRMAN MILLER: Okay. So all 110 plants NEAL R. GROSS i COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
65 1 we're now operating are all 279?
,f g 2 MR. WERMIEL: Exactly. That's exactly right.
3 CHAIRMAN MILLER: And all the advanced 4 lightwater designs are 6037 5 MR. WERMIEL: That's correct, so far, 603.
6 MR. STEWART: There are some plants that are 7 pre-279.
8 MR. WERMIEL: Well, yes, that's true.
9 CHAIRMAN MILLER: There can't be too many.
10 MR. JOHNSON: More than you may think.
11 MR. WERMIEL: The rest of the section 7.2 12 through 7.9 follow a common outline and it contains -- the
_ 13 subsections are shown on the slide, number 21 here; area t 1
14 of review, acceptance criteria, review procedures, 15 evaluation findings, implementation, and references. So 16 all the chapters follow the same outline.
17 We beefed up the area of coordination based on 18 the comments we received from the ACRS. We included 19 additional -- about coordination in all the sections.
20 We're looking at the possibility of moving this into 21 Section 7.0 rather than repeating it in every chapter, but 22 we haven't decided yet. So it's possible that before 23 public comments we may bring all this into Section 7.0 and 24 beef up that last section of 7.0.
p
(%- 25 CHAIRMAN MILLER: So you could make a -- not a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. O C. 20005-3701 (~ )) 234-4433
66 +
1 major -- it would be a major change in organization based 2 on public comment, or following public comment?
3 MR. CHIRAMAL: No , we were thinking that since 4 --
what we've done is we've repeated the coordination --
5 CHAIRMAN MILLER: Right. !
6 MR. WERMIEL: -- that would be in Section 7.2 7 through 7.9. It's repeated almost verbatim in each l l
8 section because th -- well, difference on the system that j 9 you're talking about. Some systems only go for reactor 10 systems and plant systems, some of them go across quite a 11 few others. So we thought we could bring this 12 coordination of reviews between HICB and the other 13 branches, into Section 7.0 rather than have it repeated in O 14 every other section.
15 CHAIRMAN MILLER: I understand. I'm just 16 saying that would be a -- not it would be a change in 17 substance, it would be a change in organization?
18 MR. CHIRAMAL: Yes, it would be a change in 19 organization of things.
20 CHAIRMAN MILLER: With an attempt to simply 21 it?
22 MR. CHIRAMAL: It will make it simple.
23 MR. QUINN: I think at one of the last 24 meetings I saw the inspection criteria. You had one set 25 of inspection criteria for plants that were reviewed under i NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 j
67 1 50.59 and one for those that are submittal, is that right?
i ew 2 MR. WERMIEL: That's right. Two different i 1
Q_,)
3 inspection procedures, that's right, Ted.
4 MR. QUINN: Can you update those for -- I 5 don't think those include some of the latest material 6 that's in here. Were you intending to do that?
7 MR. WERMIEL: I don't think there's anything 8 that's in this presentation or in the SRP that isn't 9 currently included in that inspection guidance. I'm not 10 sure I know what update you'd be referring to. ,
1 11 MR. QUINN: Some of the branch technical 12 divisions are not in there. This is the first time we've 13 seen them. i
\ '
(_
k- # 14 MR. WERMIEL- The inspaction guidance dcean't l I 1 15 specifically reference -- no, it doesn't get to that level 1 16 of detail. It's a different approach than what the review 17 would be of an application using the SRP.
18 MR. CHIRAMAL: What I could do is, if you want 19 we can skip through 7.2 through 7.9 because we have 1
20 already seen Section 7.2 in detail, 7.3 which is the ESFAS 21 is very much like it, in fact, the slide says very little.
22 We have seen Section 7.8 and 7.9 previously. So the rest 23 of the sections, 7.2 -- at least the section on 7.3 which 24 is Engineered Safety Features Actuation System, 7.4 on p
ks 25 Safe Shutdown System, 7.5 on Information Systems, 7.6 on NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234 4433
68 1 Interlock systems, and 7.7 on Control Systems are very ,
l q 2 similar.
V 3 MR. QUINN: In 7.3, in the new tech specs, i
i 4 standard tech specs, they're in the NUREG-1431, 30, 32 -- l S there's new guidance on -- well, there's guidance on, I i
l 6 think, definition of ESFAS systems and where things fall l 7 in, whether they're ESFAS -- they broke it out in the )
1 8 standard tech specs to some different systems. Is this 9 consistent with the new standard tech spec system lineup I l
l 10 see from -- I 11 MR. WERMIEL: That shouldn't have changed the 12 review of the ESPAS system that's done in our branch, Ted.
13 I think I know what you mean. I believe the standard tech !'
,e m V 14 specs reorganized some of the surveillance requirements 15 and some of the definitions --
16 MR. QUINN: Right.
17 MR. WERMIEL: But I think the content of the 18 new standard is the same as it was before. It's just been 19 reformatted or reorganized. The review that we do under 20 Section 7.3 of the systems hasn't changed, and the tech 21 spec change that you're referring to wouldn't impact that.
22 Unless you would just take the requirements for 23 surveillances and limiting conditions for operations and 24 arrange them in accordance with that new format in the new b(~N 25 standard tech specs, that's all. As I understand it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
69 1 MR. CHIRAMAL: If you -- should I skip this p 2 Section 7.2 through 7.9 and go --
N CHAIRMAN MILLER:
3 As far as I'm concerned 4 that's fine. Other members of the Committee may have --
5 go ahead.
6 MR. CHIRAMAL: And we can skip straight to 7 slide number 40.
8 CHAIRMAN MILLER: That's one way to catch up 9 your schedule, isn't it?
10 MR. CHIRAMAL: Right. Did I say 40?
11 CHAIRMAN MILLER: That's 39.
12 MR. CHIRAMAL: Oh, I'm sorry, you're right, 13 39. Slide 39. Slide 39 is the content of Appendix 7.1-A O
\' 'j 14 which is where the -- that's where the Branch Technical 15 Positions reside. The BTP's from 1 through 9 are -- 1 16 through 10, are the existing BTP's which have been 17 renumbered and sort of scrunched up to the top. And BTP's 18 --
19 CHAIRMAN MILLER: You're saying those are 20 identical to what -- no change in those?
21 MR. CHIRAMAL: No change except we did change 22 the format to be consistent with the rest of them. That 23 means the BTP's are --
24 CHAIRMAN MILLER: You're saying there's C
V) 25 virtually no substantive change to any one of those?
NEAL R. GROSS :
l COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D C. 20005 3701 (202) 234-4433 I
. . - - - . . . . . . _ . . . - - . - . . - - . - =_ - -. - .. - - - - ... - . -
70 i
- 1 MR. CHIRAMAL
- Right. I'm sorry, the next 2 slide tells you a little bit more. BTP 10 through 13 3 reflect lessons learned from operating reactor reviews, i i
4 and BTP 10 is the application of Reg Guide 1.97, the post-t 5- accident monitoring system, 11 is application and i 6 qualification of isolation devices, and 12 is establishing l I
7 and maintaining instrument set points.
8 CHAIRMAN MILLER: Okay. So your plan now is l 9 to do -- for the rest of this you're going to skip 1 10 through 9 and --
11 MR. CHIRAMAL: Skip 1 through 9, tell you a 12 little bit of 10 through 13 and then - . The BTP's format 13 is -- all the BTP's look something like this. The -
0 14 background, the Branch Technical Position and references, h
15 and the details in some of them will vary depending on the
.16 content of the BTP.
17 As we said, the BTP 10 through 13 incorporate 18 the lessons learned since 1981 through the timeframe now, !
19 and BTP 10 deals with the implementation of Reg Guide 1.97 20 and some of the positions taken by the staff in review of 21 implementation of that Reg Guide and operating plans.
22 MR. QUINN: Matt, when I reviewed 1 through 9, 23 I saw that they were updated for either 603 or 1.153.
24 It's not the same as it was. You've added the later 25 standards, right?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4433
. . . . - - - -- - . - ~ .- - . - - .__ -- .. . . - - - ... - . .- . - - . - . - _ -
71 1 MR. CHIRAMAL: Oh, yes. ,
2 MR. QUINN: Now, were there any lessons NU 3 learned in 1 through 9, the diversity for low-pressure 4 systems in one, that over the past ten years that would 5 have benefitted from a change in this section? Did you -
6 look at that, too?
7 MR. WERMIEL: Yes.
8 MR. CHIRAMAL: Oh, yes. We did look at it but 9 --
I 10 MR. WERMIEL: And if it was, we would have 11 made changes. Absolutely.
12 MR. QUINN: Can you give some examples where '
13 you've made changes at all, in 1 through 97 e
14 MR. WERMIEL: Off the top of my head I can't.
15 MR. JOHNSON: There were no changes to 1 16 through 9 except for reformatting and adding the reference 17 to 603.
18 MR. WERMIEL: In other words what we're saying 19 is those, based on experience and all that's happened in 20 the last ten years didn't warrant a change in the ,
21 guidance. It's a guidance we're still comfortable with.
22 MR. CHIRAMAL: The BTP 11 deals with the 23 testing and qualification -- application and testing of 24 electrical isolation devices used as interface between 25 safety systems and non-safety INC systems.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
72 1 CHAIRMAN MILLER: They're the new technology g3 2 of fiberoptics, I notice you refer to.
b 3 MR. CHIRAMAL: That's right.
4 CHAIRMAN MILLER: But I didn't notice that you 5 introduced any criteria for fiberoptics. If I read that 6 correctly. For example, if you had fiberoptics near a 7 radiation field, no mention of that. Did I miss something 8 there?
9 MR. STEWART: We would address rad protection 10 on the fiberoptics as part of the environmental 11 qualification. This is really -- BTP 11 is just the 12 electrical isolation.
13 CHAIRMAN MILLER: So the criteria in BTP 11 is
(~)
- # 14 totally electrical, even those you use a fiberoptic --
15 MR. STEWART: Right, and we --
16 CFAIRMAN MILLER: Fiberoptic in --
17 MR. STEWART: Yes, we just acknowledge that if 18 you have a fiberoptic cable in between, it's inherently an 19 isolation device as far as electrical propagation.
20 MR. CHIRAMAL: And the qualification of 21 fiberoptics to the environment depends on the application 22 and if it's in the reactor trip system that's where we 23 will review it and I think we have --
24 CHAIRMAN MILLER: Then you go back to 323 to -
O
(_) 25 -
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344 433 WASHINGTON, D C. 20005-3701 (202) 234-443?
1 1
73 1 MR. WERMIEL: That's right. l 2 MR. CHIRAMAL: That's correct. The BTP 12 is
,O 3 the one that provides additional information on the review 1
4 of Reg Guide 1.105. {
5 CHAIRMAN MILLER: How is this going to -- I l i'
6 should have done this, I should have set those down side-7 by-side. How is this going to differ from Reg Guide 1.105 8 which endorses 67047 9 MR. CHIRAMAL: It provides -- it really l
\
10 incorporates a lot of lessons, some of the actions taken '
I 11 by the staff in the review of some of the set point 12 methodolonies, which took some exceptions or some changes l l
13 to 1.105 methodologies.
l O~ 14 CHAIRMAN MILLER: And that's already built in 15 to 1.105 which is now out for comment, right?
16 MR. CHIRAMAL: Yes, well --
17 MR. WERMIEL: It is not yet, is it? It should 18 be out soon.
19 CHAIRMAN MILLER: Because we chose not to 20 review it prior to comment.
1 21 MR. WERMIEL: That's right.
22 CHAIRMAN MILLER: We plan to review it after 23 comment.
l 24 MR. WERMIEL: Right. What the BTP does is l 25 tells the reviewer what to look for in the methodologies NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. '
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 I
74 1 for establishing set points. The Reg Guide itself is a f
2 way of developing the methodology, and then in the Reg 3 Guide we took some exceptions to certain of what's stated L
4 in the standard. But the amplification of how to take l l 5 what's in the standard and actually do a review is what's 6 provided in this BTP.
7 CHAIRMAN MILLER: My question more is 8 procedural, I suppose. If the comments come back on Reg l 9 Guide 1.105 with a lot of comments, does that mean you 10 have to come back and change --
11 MR. WERMIEL: We may, yes. Oh, yes. l 12 MR. CHIRAMAL: Yes.
13 MR. STEWART: That would be true of all the 14 ones that are out for public comment right now?
15 MR. WERMIEL: Yes.
16 CHAIRMAN MILLER: That's true, but I guess the 17 only one where we -- oh, I see your point. We already 18 have other Reg Guides out --
19 MR. STEWART: We have the --
20 CHAIRMAN MILLER: There's another set of Reg 21 Guides out, too.
22 MR. STEWART: We have those six software
'23 standards that are still out for public comment, too.
l 24 CHAIRMAN MILLER: Yes, Reg 1.105 is the one we 25 didn't review, I guess that's the comment.
l NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
75 1 MR. WERMIEL: That's right.
~] 2 MR. QUINN: I have two questions. One,
\~sl 3 there's two issues with 1.105 that I know of that I think i 4 are fairly controversial. One issue is its application to 5 EOP set points --
6 MR. WERMIEL: Right.
I 7 MR. QUINN: -- and the other one is the graded 8 approach.
9 MR. WERMIEL: Right. l 10 MR. QUINN: So in Purpose, on page 2 in the 11 Purpose Section 4 of this one it has a second bullet says, l
12 to verify that set point calculation methods are adequate
~_ 13 to ensure that control and monitoring set points are i I l
~
14 consistent.
15 MR. WERMIEL: Right. l l
16 MR. QUINN: Are you expanding 1.105 in this 17 word " monitoring" to identify EOP decisional points as I 18 part of this, or not?
19 MR. WERMIEL: No, all we're -- whatever the 20 scope of 1.105 is, is not changed by the BTP. All the BTP 21 is intending to do is tell the reviewer that those are 22 included as part of the review of the set points.
23 MR. QUINN: Okay, since I haven't seen 1.105 24 then I didn't know if you've changed the scope.
/~~
l I
\_/ 25 MR. WERMIEL: No.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. *0005-3701 (202) 234-4433
76 [
1 MR. QUINN: Okay. The second thing is, in the 2 graded approach you come up with your categories.
3 MR. WERMIEL: Right. ,
F 4 MR. QUINN: And we've spent I think, in the 5 Standards Groups, about five years looking at these kinds j 6 of things. [
i 7 CHAIRMAN MILLER: You've spent five years on ;
8 this one page?
9 MR. QUINN: This type of issue was very i
10 significant for a long, long time. Maybe more than five 11 years.
12 MR. WERMIEL: It's still controversial. ;
13 MR. QUINN: Right. Now, when you're reviewing !
O 14 licensees now for coming in on issues of generic letter 15 91-04 24-month, this applies directly to a submittal like 16 that.
17 MR. WERMIEL: Right. l
, 18 MR. QUINN: Has this 75.75, you know, if we j i
19 look at 1.105 right now all it says is 95. That's it. l l
20 MR. WERMIEL: That's right.
21 MR. QUINN: Is this wording going to appear in 22 1.105 or is this more specific guidance than is provided 23 there?
24 MR. WERMIEL: It's more specific guidance.
25 MR. MAUCK: Jerry Mauck, Instrumentation NEAL R. GROSS l COURT REPORTERS AND TRANSCRIBERS ]
1323 RHODE ISLAND AVE., N.W. I (202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
i 77 1 Branch. Reg Guide 1.105 in its new format brushes briefly gS 2 on that there's different grading that can be applied to V 3 the different safety-significant set points or throughout 4 a system. The Branch Technical Position takes those words 5 a little bit further and gives the reviewer some details l
6 on what particular things he or she should look for when 7 they're looking at the way set points are treated for the 8 different functions and that.
9 And I guess, you know, I was with you over the 10 last, I think it was more than five years, trying to come 11 up with a clear position on what do to with set point 12 grading. We're now seeing, Matt's doing different things, 13 so what we're trying to do is try to come up with one
(,_)
- - 14 uniform approach that everybody can live with. That's the 15 purpose of this particular position.
16 MR. QUINN: I think -- it's the last thing, on 17 the biggest thing I agree with that statement in -- the 18 biggest thing, the confusion factor that's been out there 1
19 I think is, people were unsure what the requirements were 20 --
21 MR. WERMIEL: Right.
22 MR. QUINN: -- and they went ahead and did 23 work, and in fact, I believe in a number of cases they've 1
l 24 submitted that work to you --
I
\_) 25 MR. WERMIEL: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIDERS l 1323 RHODE ISLAND AVE., N W.
(202) 234Mt3 WASHINGTON, D C. 20005-3701 (202) 234-4433
78 1 MR. QUINN: -- and they didn't do the correct 2 thing in accordance with this listing, so I believe you've 3 rejected it.
4 MR. WERMIEL: Right.
l 5 MR. QUINN: Told them to go back and redo it. j 6 MR. WERMIEL: That's right.
}
7 MR. QUINN: Once they know up-front that this 1
8 is to be done, then I think -- and this is good by our l 9 methodology -- this listing is a good, this is a good 10 categorization.
11 MR. WERMIEL: And we anticipate that some 12 licensees will take exception to what we're saying there !
I 13 and we'll have to weigh their comments on it. !
O l
l 14 CHAIRMAN MILLER: Okay. Any more on 11 here? /
15 I mean 12?
i 16 MR. CHIRAMAL: No, that's it. Then BTP 13 is 17 the supposition of cross-calibration of RTD's.
18 CHAIRMAN MILLER: I had a question on 13, 19 mainly because I was, I suppose I have enough knowledge to 20 be slightly dangerous. But I was involved in a study some 21 years ago where there was concern about the cross-22 calibration protocols. And I assume those concerns are 23 pretty well behind us?
24 MR. CHIRAMAL: Yes, it --
25 CHAIRMAN MILLER: This didn't refer to any of I
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS l 1323 RHODE ISLAND AVE., N W. J (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 i
79 1 those. It was a matter of RTD drifting and there was 2 concern that --
3 MR. CHIRAMAL: Right, it was the processing of 4 taking the RTD's and taking it down to a lab and bringing 5 it back again. j 6 CHAIRMAN MILLER: Yes, the NRC staff had 7 contemplated a requirement that every time you did a 8 change-out or every time you had an outage you'd have to 9 pull out an RTD and put in a new one and cross-calibrate 10 them.
11 MR. CHIRAMAL: Well, that's the whole -- that 12 means the reference RTD's still got to be bench tested, I 13 mean it's got to be lab tested and lab calibrated --
0 14 CHAIRMAN MILLER: Right.
15 MR. CHIRAMAL: -- and then the rest of the 16 RTD's can be cross-calibrated against that one, depending 17 on which one you select as the reference guide --
18 CHAIRMAN MILLER: Yes, there was an EPRI study 19 done on that issue, which I notice rasn't referred to at 20 all in here. I thought it was trying to clarify 21 everything -- clarify cross-calibration questions.
22 MR. QUINN: I thought that the current -- some 23 of the licensees now are not replacing the RTD cycle.
24 They're using a test method of cross-channel correlation 25 isothermal, and not replacing them. Is that not correct?
NEAL R. GROSS
- COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234 4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 y .-p- -g gr
80
'i 1 MR. MAUCK: Yes, that's true. I think you're i
, 2 talking about the fossil side EPRI report on thermocouples 3 and RTD's --
4 CHAIRMAN MILLER: No, there was an EPRI -- the 5 problem I have is, I don't have a version of the final 6 report that was done by EPRI. I have the work on the 7 report but I never got the final because that's when EPRI 8 started charging money for those things. But there was a 9 report, it was done by Erin Engineering actually, a 10 contractor, and the issue of cross-calibration and 11 concerns or drifting in the '91/'92 timeframe, and EPRI I 12 assume, did do a report finally, that was supposed to 13 clarify those issues. And I notice it's not -- that 14 report --
15 MR. WERMIEL: I don't think people were aware 16 of it.
17 MR. QUINN: I think you are, and I think the 18 end result was, it didn't require a replacement each 19 cycle.
20 MR. WERMIEL: That's fair.
21 MR. QUINN: And that's when we went back to 22 using cross-channel correlation. You take a -- they --
23 license reviewers in cross-channel correlation, they take 24 that data, put it into a set point calcs, work -- we can O 25 find that --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D C. 20005-3701 (202) 234-4433
81 1 CHAIRMAN MILLER: Is there any reason we need
,es3 2 to discuss it since the problem isn't a problem?
%-)
3 MR. WERMIEL: I don't think so.
4 MR. CHIRAMAL: The last slide --
5 MR. WERMIEL: It hasn't been a problem.
6 MR. CHIRAMAL: -- groups the BTP 14, 17, 19, 7 and 21 that deal with physical topics. And BTP 14 was the 8 one that Dr. Apostolakis discussed earlier this morning.
9 And really the document that he was referencing, the 10 Ontario Hydro Document, is a different document than what l l
11 the SRP BTP portrays. What he was talking about is the .
1 12 designer's reference manual --
13 CHAIRMAN MILLER: Right.
{~h 14 MR. CHIRAMAL: -- and we would expect to see '
15 something like that when a designer comes into implement a 16 plan according to this particular BTP.
17 MR. WERMIEL: Yes, it occurred to me, Matt --
18 let me amplify what you said. It occurred to me as, after 19 the discussion that we had, that we would have treated, or 20 we would have viewed the Ontario Hydro Document as a 21 topical report. We would have expected a designer for a 22 generic system of some sort, to have submitted something 23 like that as a topical report for us to review against our 24 criteria.
f*>
(_ 25 It goes down to a level of detail and an NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
82 1 approach that we don't provide explicit guidance to our 2 reviewers on because, as I think I was trying to ;
3 characterize before, we leave the how up tc, the designer, 4 provided that how he's going to implement the design 5 includes what we, the staff, believe is important.
6 And we would have reviewed it as a topi,;al 1
7 report and written an SER on it. That's the way I would ;
1 l
8 have viewed it. It's not intended as reviewer guidance or 9 as review criteria so much as it is an approach to a 10 design. ,
11 CHAIRMAN MILLER: So when we go through the 12 STAR System case study, we should look at that as -- their 13 topical report as comparable to what Ontario Hydro has?
O 14 MR. WERMIEL: Exactly. That's exactly right, 15 because I think B&W would tell you that a lot of what's in 16 that Ontario Hydro Document they put in their documents.
17 And that's what Paul looked at when --
18 CHAIRMAN MILLER: And we should look for 19 specific criteria you use to make those judgements that 20 says you agreed with what --
21 MR. WERMIEL: I've already been told that 22 unfortunately the answer is going to be, well, you know, 23 we use a lot of our expertise and our expert judgment when 24 we decide what level of detail and what level of 25 information was enough.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234-4433
83 1 CHAIRMAN MILLER: Well, the experts are here I 2 so they can give me some insic s ht on that. l O 3 MR. WERMIEL: Exactly, they can tell you that.
4 Also, if there are any questions specifically about the 1
5 STAR system, I hate to put him on the spot, but Jim l 6 Sissina from B&W is here, and he can maybe help also if we 7 get to that. Oh, pardon me, Frametome, I'm sorry. I keep 8 forgetting. When we reviewed it they were B&W. They're ,
9 now Frametome.
10 MEMBER SEALE: Parlez-vous francais?
11 MR. CHIRAMAL: But the acceptance criteria in !
l 12 BTP's that Dr. Apostolakis mentioned this morning, the i
l 13 completeness, those are the things that we will be looking O 14 for. It's subjective to a degree, but acceptance criteria !
l 15 in here are the correct ones, and this is what we will be 16 using in the review process.
17 CHAIRMAN MILLER: Have you used, have you done l
18 any -- in addition to the STAR System, something on a l l 19 reactor protection system of equal complexity that would 20 be using basically these approaches?
l l 21 MR. CHIRAMAL: No , not yet.
l l
! 22 CHAIRMAN MII.LER: Because Eagle 21 was kind of 23 before all this, right?
(
i 24 MR. WERMIEL: Yes, well before.
25 MR. CHIRAMAL: We would expect to do something NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON. D.C. 20005-3701 (202) 234-4433
84 1 in great detail if we too see an advanced lightwater 2 reactor design coming in and it comes in with, you know, 7s
( '~~ /
3 the first stages of plans and we will take this
]
4 documentation and go down line by line to see whether it l 1
5 meets all these acceptance criteria. ;
1 6 MR. WERMIEL: Let me point out, Don, we are 1
7 using this guidance now in our review of the generic 1
8 platforms that are being proposed by the industry, the PLC 9 platform, the ASIC's platform, and the DSS, the Dynamic 10 Lafety System platforms. And of course we're using it in 11 the review of the AP600, the Westinghouse advanced reactor 1
12 design. But since this guidance was developed, other than 1 13 a STAR System, there hasn't been a proposed, specific It i
\ l
14 reactor protection system or engineering safety feature 1
15 modification that we've applied this to. l l
16 CHAIRMAN MILLER: Other than the ones you've 17 sioned, STAR System and those other three, 18 I don't expect anything.
l 19 MR. WERMIEL: All riaht.
20 MR. QUINN: Is a Foxborough spec 200 micro, 21 would you put this in a PLC application or not?
22 MR. STEWART: Well, I wouldn't call a spec 200 23 micro a PLC per se, but most of what we have in here was ,
I 24 what we used when we reviewed the Haddam Neck application 25 of the spec 200 micro.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
85 1 CHAIRMAN MILLER: They may be coming through,
,S
, 2 I suppose, with another plant but --
k-] 3 MR. WERMIEL: Not that we know of, but they 4 may, someday.
5 CHAIRMAN MILLER: They've done what, two 6 plants?
8 MR. WERMIEL: Other than Haddam? Yes. Cook 9 and Haddam Neck are the two spec micro's, that's right.
10 We've been told that there may be others that would want 11 to -- will want to implement STAR down the road.
12 CHAIRMAN MILLER: Right.
13 MR. WERMIEL: But we don't -- we haven't heard (3
\~ 14 anything specific about that yet.
15 MR. CHIRAMAL: BTP 17 -- we have discussed BTP 16 14 with you earlier. The other four BTP's in here, yes.
17 BTP 17 discusses self-test and surveillance as features 18 which are integrated normally in the reactor protection 19 system and the engineering safety feature actuator system 20 and it is the, it's a part of 279 but it's been 21 implemented through the computer system so it's part of 22 the complexity that we look for when we see the features 23 included in the protection system.
l l
24 BTP 18 is a consideration of the application
(~)
, (_/ 25 of programmable logic controllers which is a particular NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, O C. 20005-3701 (202) 234-4433
86 1 application of computer-based systems.
gg 2 CHAIRMAN MILLER: Since we're -- is an SER I 1
\~}
3 being looked at for PLC's as part --
4 MR. WERMIEL: Yes.
5 MR. CHIRAMAL: Yes.
6 MR. WERMIEL: What we're expecting on -- 1 7 CHAIRMAN MILLER: That could be -- in a sense 8 --
9 MR. CHIRAMAL: Yes, it may.
10 MR. WERMIEL: Exactly.
11 MR. CHIRAMAL: What we're doing is making sure 12 that the implementation of the PLC platform is in line 13 with the BTP, and one of our staff members is part of that
! l 14 review process. And if it turns out to be that we won't i 15 need this BTP and then reference the PLC EPRI document, 16 that's what we'll do.
17 CHAIRMAN MILLER: And, back to Eagle 21, my i
18 recollection is Eagle 21 is certainly building a lot of 19 self-test surveillance-type thing.
20 MR. CHIRAMAL: Yes.
1 21 CHAIRMAN MILLER: If you had to do an Eagle 21 22 now, then BTP 17 would be your --
23 MR. CHIRAMAL: That's right.
24 CHAIRMAN MILLER: It might have expedited b4 V 25 those reviews? They'd be done now?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
. _ . . - . - . . - - . - - - - . . . - _ - - . _ _ - . - = . - . - . _ . . . . . _ . . . . _ - - ._-.-
I 87 l 1 MR. WERMIEL: Yes, it sure would have.
1
- i. 2 CHAIRMAN MILLER: Not that I'm anticipating 3 any more.
j 4 MR. WERMIEL: I think a lot of what's in that
-5 BTP comes out of our review of Eagle. We learned a lot of 1
6 --
7 MR. QUINN: On -- this is surveillance 1
8 testing.
10 MR. QUINN: This has a lot of guidance on 11 self-testing in here which would apply to a digital q 12 system.
J 13 MR. CHIRAMAL: That's corree-l l 14 MR. QUINN: If a licensee came in for an 15 appli. cation, there's been definitions in our standard tech j 16 specs for 30 years, on what a channel calibration, channel i
17 check is --
18 MR. CHIRAMAL: Yes.
19 MR. QUINN: -- channel surveillance, the 20 different definitions. Have you looked at the impact on 21 the tech specs from online monitoring -- this is really 22 changing the definition of what we would call a channel 23 check and channel surveillance. Have you had --
24 MR. CHIRAMAL: Well, when we did the advanced 25 lightwater reactor we did just that. Tech specs were NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005.3701 (202) 234-4433
88 i 1 tailored to the system.
~ 2 MR. STEWART: Yes, for the ABWR, and Gary was 3 there when we were working with General Electric, we l 4 modified the tech specs substantially to take credit for l 5 the self-diagnostics that were built in. Acknowledging 6 that the self-diagnostics cover a lot but not everything. l 1
7 They're still pretty much a liveness check, they're not a 8 correctness check. So there's still a fair amount of .
9 calibration that has to be checked, but -- '
10 MR. CHIRAMAL: A census? l l
11 MR. STEWART: Yes, so we did give some i 12 relaxation from -- if we had assumed it was an analog i 13 system. ,
14 MR. QUINN: So you know how to build the tech i 15 spec table to incorporate this good -- that's something 16 I've never seen, so it's good that you're --
17 .MR. CHIRAMAL: BTP 19 described the defense-18 in-depth and diversity analysis requirements guidelines, 19 and BTP 21 discusses a particular aspect of digital 20 technology which is the real-time performance of digital 21 systems and safety systems applications.
]
22 And that's all I had for the presentation. We 23 plan to make some small changes in the SRP before it goes 24 out to the public comments. After, you can get your 25 comments, but there's some typo's and things like that so NEAL R. GROSS j COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WAShlNGTON, D.C. 20005-3701 (202) 234-4433
89 1 those will be probably picked up before we issue it. And fm 2 we may clean up Table 7.1-1 which there's some anomalies V) i 3 there we think, so there's some small changes to be made.
4 I think there'll be no changes to the SRP, 5 except for your comments. We have been given the approval 6 by CRGR already, so we'11 await your comments before we 7 1>roceed.
8 CHAIRMAN MILLER: Okay, we are, as I expected, 9 we are behind schedule. I should have been more -- in 10 fact, let's take a 15 minute break and be back at 10:50.
11 (Whereupon, the foregoing matter went off the 2 12 record at 10:35 a.m. and went back on the 13 record at 11:02 a.m.).
,a (v )
14 CHAIRMAN MILLER: We'll reconvene and continue 15 on and the next issue on the agenda is the case study with 16 the STAR system and Jerry, you're going to give an 17 overview of that, right?
18 MR. WERMEIL: Because of -- I think Matt 19 already did that and what I did was I provided a set of 20 slides that I was going to present that just amplifies a 21 little bit more on what Matt was already describing based 22 on the content on what's in Section 7.0.
23 I don't think we really need to go into those.
24 They' re pretty much self-explanat.ory. I think because of (r. 25 time, it would be better to have Paul go right on and walk
{
NEAL R. GROS 3 COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., siW.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
90 1 you through the review that was done for STAR and how the e- 2 criteria was used and how the judgments were made on
%..)
3 acceptability. So why don't we go ahead and go through 4 Paul's presentation.
5 I think it would be best to have as much time 6 for questions as we really need.
1 1
7 Okay, Paul, you're in the hot seat now.
8 MR. LOESER: Okay. If you notice it still 9 says BWNT because that's what it was when I reviewed it.
10 It was not yet Framatone, so I apologize to those people 11 who were at Framatone.
12 I would like to state that the standard review
,- 13 plan as you will talk about today and the branch technical b 14 positions were not out when I did this review and I did 15 not use them per se. I think the idea here was to show 16 how a review done before that used the same concepts and 1
17 the same basic review methodology.
18 CHAIRMAN MILLER: And the same document.
19 MR. LOESER: The same documents. Just a brief 20 overview, a couple of slides on what the STAR system is.
21 The typical STAR system has four channels as previously.
22 The thing that makes it unique is there are four different 23 microprocessors per channel. They are of different, 24 excuse me, two different; different manufacturers, the
!, ~)
\_/ 25 software for them was independently developed. For that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
91 1 matter, the software specifications were independently 2 developed and this is the method used to provide diversity 3 and try to alleviate some of the problems of common mode 4 software failure.
5 There are other support components: the ,
6 system monitor computer, the test calibration computer and l I
7 the serial data bus isolation modules.
l 8 For show and tell, I have a few pictures.
I 9 That's the front panel of what it looks like. A side view l 10 of the physical layout of the boards, and a very sketchy 11 block diagram level of.how the system is put together. You 12 notice there are two safety function processors. Those 13 are the two diverse processors I was talking about that 14 are used to do the actual calibration calculations and 15 provide the trip functions.
16 MEMBER APOSTOLAKIS: Let me understand the 17 left part of this figure. We have two paths, one and two.
18 Are the inputs the same?
19 MR. LOESER: The analog inputs, if you look at 20 this portion here, say the -- this is any one of the 21 inputs coming from various instrumentation. It comes down 22 through a filter and then splits out, sorry, splits out to 23 the two different safety function processors. This 24 channel for the analog inputs are through this channel, j 25 through the digital inputs. This is intended to be a NEAL R. GROSS )
COURT REPORTERS AND TRANSCRIBERS 1323 RHoDE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
i 92 I i
l i replacement system with no change in field wiring for what 2 is out there now, for the Bailey 880 series, so the l 3 signals coming from the plant remain the same.
4 MEMBER APOSTOLAKIS: Are they common to both 5 parts? ;
1 6 MR. LOESER: Yes. ;
7 MEMBER APOSTOLAKIS: So if there is a 8 possibility of common mode failure, that's where we should 9 look?
10 MR. LOESER: If there is a possibility of 11 common mode failure within the transmitter or the 12 instrument itself that is measuritig the parameter, that is 13 not changed from the system that was there in the past.
14 MR. QUINN: The old system is the same as the 15 new one?
16 MR. LOESER: In that respect, yes.
l'7 MEMBER APOSTOLAKIS: And who did this? You 18 said Framatone?
19 MR. LOESER: Yes.
20 CHAIRMAN MILLER: It's now Framatone. It was 21 BWNT at the time, ,
22 MEMBER APOSTOLAKIS: For which reactor?
23 MR. LOESER: This was a generic design. It l
24 was not designed for any specific reactor. One of the 25 things you will notice in the whole design is that this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS j 1323 RHODE ISt.AND AVE,, N W,
! (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
93 1 was a generic. There's no plant specific information 2 mentioned here. The design was done before it was 3 installed in any particular place.
4 MEMBER BARTON: Has this been installed?
5 MR. LOESER: It's been installed in Oconee.
6 MR. QUINN: At Oconee. How long has it been 7 running?
8 MR. LOESER: A year or so, I believe. In 9 addition, Oconee is somewhat unique in that they have a 10 fifth channel in their RPS system which isn't really 11 attached to anything. It's used primarily for testing.
12 And this system in an earlier version was installed for 13 about another year before that.
O 14 MEMBER APOSTOLAKIS: So now it says analog 15 input to 107 and discrete 1 of 12. What does that mean?
16 MR. LOESER: That means you can -- depending 17 on how you use it, you can put up to 7 variables in or you 18 may only be using one. This is the first of the capacity 19 of the machine, not to any particular usage or 20 installation.
21 MEMBER APOSTOLAKIS: I see. And these inputs 22 can be different?
23 MR. LOESER: Yes.
24 MEMBER APOSTOLAKIS: One can measure flux and 25 the other can measure temperature?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
- 94 f 1 MR. LOESER
- Yes. This is sort of a general l j 2 purpose thing. Depending on the applications program you
} 3 write for it, could be used for a great variety of J
4 different things to provide trip functions on flux or i i
5 temperature or level or any number of other possibilities.
l 6 MEMBER APOSTOLAKIS: But all these signals go
- 7 to both trains?
8 MR. LOESER: Yes. Wait a second. I don't j 9 want to use the word " train" here. That's used elsewhere.
I 10 MEMBER APOSTOLAKIS: Bus.
l 11 MR. LOESER: Yes, to both of the different, of <
12 the safety function processes.
13 MEMBER APOSTOLAKIS: Why didn't you want tt !
14 use the word " train"?
15 MR. LOESER: Train is often used in other 16 areas to refer to a specific one out of two type logic. I 17 think it confuses people if you use he same word in two 18 different ways.
19 MEMBER APOSTOLAKIS: This is not one out of 20 two?
21 MR. QUINN: It is one out of two.
22 MR. LOESER: This is one particular channel 23 out of four channels. Each channel independently has two 24 microprocessors on it. So this whole thing is one 25 channel. That contains two different safety function !
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 2344433
95 1 processors.
f-m 2 MEMBER APOSTOLAKIS: Right, but the logic is 3 for this channel --
4 MR. LOESER: For this channel itself --
5 MEMBER APOSTOLAKIS: Is one out of two?
6 MR. LOESER: Yes.
7 MEMBER APOSTOLAKIS: If you have the four, is 8 it again, one out of four?
9 CHAIRMAN MILLER: It depends on the plant.
10 MR. LOESER: It depends on the plant. It 11 could be the two out of four. It could be one out of two 1
12 taken twice. It could be on some of the older plants, I 13 suppose, one out of three.
rs i V)
(
14 MEMBER APOSTOLAKIS: Okay. l 15 MR. LOESER: Or two out of three.
16 MEMBER APOSTOLAKIS: So the signals, now, 17 talking about this channel.
18 MR. LOESER: Yes.
19 MEMBER APOSTOLAKIS: All these signals go to 20 both paths?
21 MR. LOESER: Yes.
22 MEMBER APOSTOLAKIS: Is the logic different?
23 MR. LOESER: Yes.
24 MEMBER APOSTOLAKIS: In the two paths?
/
25 MR. LOESER: Yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 2344433
. ~ . - . - - - .-. _ ... -.. --_ _ - . ...- - - . - -- - _ - --.. _ .- -
96 9
1 MEMBER APOSTOLAKIS: In other words, if I t
2 receive, let's say for simplicity, one analog and one l 3 discrete and I have two out of two logic in path one. It 4 will be two out of two in path two as well, regarding the i
5 signals themselves?
6 MR. LOESER: That -- one out of two would not 7 be the correct way to look at it. If you need two 8 different signals to compute your trip signal, both of 1
9 those would be used, but it's not a one out of two or a l l
10 two out of two. Both of them are used. The place where 11 the trip actually takes place is over here.
12 MEMBER APOSTOLAKIS: Right.
13 MR. LOESER: At this point it is still just O 14 calculating whether or not there should be a trip.
15 MEMBER APOSTOLAKIS: Yes.
16 MR. LOESER: And the calculation methodology 17 is different. The software used is different and the 18 microprocessors used in each case, the hardware is 19 different.
20 MEMBER APOSTOLAKIS: Are you going to talk 21 about it later? How the logic is different? I don't 22 understand what that means. These are binary signals. The 23 flux is above the threshold and the temperature above the 24 threshold.
O h 25 MR. LOESER: It's different in the same way NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 e +m
c 97 i
1 that a Mackintosh or a PC uses different logic to run Word e
)
2 Perfect. The end result, that is, the trip signal is the ;
O 3 same, but the method that's used to derive it is 4 different.
5 MR. QUINN: There is a dependency between the 6 two signals. If it's pressure, one is pressure and one is 7 temperature for a given pressure, the temperature will 8 have a different value that it will trip at. You have to ,
9 have both of them in order for it to complete the i
10 algorithm, right?
11 MR. LOESER: Yes.
12 MR. QUINN: In some cases. In some cases, ;
13 it's just a pressure trip and it will take pressure --
l 14 MR. LOESER: Yes, one signal or a level. I 15 MR. MAUCK: Yes, maybe we can make one point.
l 16 What you're looking is the logic for a channel. It's not
{
17 the logic for the trip. The trip logic never has changed l 1
18 and therefore that's not part of this.
19 MR. LOESER: The actual trip logic is out here 20 somewhere further on. That's not contained within this 21 diagram.
22 MEMBER APOSTOLAKIS: But all the channels, the 23 four channels, they all see the same input?
24 MR. LOESER: Yes.
25 MEMBER APOSTOLAKIS: And both paths within NEAL R. GROSS l COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234 4433 WASHINGTON, D.C. 20005-3701 (202) 234 4433
98 1 each channel see the same input?
, 2 MR. MAUCK: Right.
(q)
3 MR. QUINN: No, different. In some cases, 4 there may be different instruments that are used for 5 channel A and C are physically different from B and D.
6 The actual transmitter and the place where the signal is 7 taken say within the fluid may be different. This is, 8 however, plant dependent and doesn't have anything to do 9 with the STAR system itself, since this is a replacement 10 I for whatever was there in the past.
11 Whatever situation existed in the past as far 12 as the transmitters and that logic, and as far as the trip i
13 logic on the far end remains the same. All this does is r~x \
I ) i
\/ 14 replace basically an analog trip unit with a digital one.
15 MEMBER APOSTOLAKIS: So just to make it 16 simple. If I pick one sensor, physically, a distinct 17 sensor, whatever that sensor is will go to all eight 18 paths?
19 MR. LOESER: No.
20 MR. SCECINA: That's not what he's saying.
21 MR. LOESER: It will probably go to two out of 22 the four of these whole things and a different sensor will 23 be used for the other two out of four.
24 MEMBER APOSTOLAKIS: Measuring the same (m.,
\,j/ 25 parameter.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 2344433
l 99 1 MR. LOESER: Measuring the same parameter.
2 MR. QUINN: Is the purpose of the two 3 multiplexers sole and only reason to meet the diversity 4 requirement, is that right?
5 MR. LOESER: Are you talking about this and 6 this?
7 MR. QUINN: Right.
8 MR. LOESER: Yes. I mean other than the i 9 actual use which is two multiplex a signal.
10 MR. QUINN: So when we looked at in meeting 11 the regulations, we could have a submittal that would come !
12 in that would have channel A diverse from channel B. In 13 this case, they put both in every channel there's two 0 14 different types of processors.
15 MR. LOESER: That's correct.
16 MR. QUINN: And the defense of common mode ,
I l
17 failure is that every channel should maintain single 18 failure. It will be okay.
19 MR. LOESER: That's right.
20 MR. QUINN: So let's take beyond what 21 regulations currently require.
22 CHAIRMAN MILLER: Let's take a typical plant 23 where you have say 12 variables you want to look at. How 24 many of these would be, how many of these STAR systems 25 would be in that plant?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
100 1 MR. LOESER: That would depend on the plant g-w 2 analysis. You would have to make sure in doing your
' b 3 defense in depth analysis that the same processes aren't 4 being used for a backup signal as for the main signal.
5 That is, if for some reason you should use a system, you 6 don't take out another system required for mitigation in l 7 that event. That would be a plant specific and analysis 8 end was not covered in this review.
9 MR. QUINN: This review basically covered, as 10 if you had just been looking at one module?
11 MR. LOESER: That's correct.
12 MEMBER SHACK: What would be the digital 13 inputs in this case? This is just somebody who has O
14 backfitted the digital instrumentation somewhere?
l 15 MR. LOESER: Or if it came from 16 instrumentation that is already digitized for some reason. ,
17 MR QUINN: Turbine trip.
18 MR. LOESER: Yes.
19 MR. QUINN: Seismic trip.
20 MR. SCECINA: I'm Jim Scecina from Framatone 21 Technologies. The two types of input shown on this 22 diagram are analog inputs and there are seven channels of 23 that particular' module. It's only shown one time, but 24 there are actually seven circuits so that front end there 25 gets repeated up to the filter, gets repeated seven times.
NEAL R. G4U3SS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234 4433
101 1 The other type of input is the discrete input i
2 and that circuit gets repeated 12 times. That is not i l
C:) 3 digital in the sense of digital processor type. That is ,
l 4 an on/off binary type of input like a contact input.
5 MR. QUINN: An example would be like turbine 6 trip or seismic trip? ;
7 MR. SCECINA: Yeah.
8 MR. LOESER: If there's no other questions of 9 this slide, I'll move on.
10 On the hardware, the primary review criteria 11 was IEEE standard 279 and the SRP Sections 7.1 and 7.2.
12 This is of the old SRP. The things I looked at was the 13 system architecture and the system specifications and the 14 redundancy and testability thereof. I traced through the 15 signal paths. I looked at system operation during normal 1
16 conditions, more in detail during the emergency 17 conditions, what happens when you trip and there was a 18 hazards analysis done of what the potential problems would i
19 be. I reviewed all of that in a fair amount of detail. l 20 MR. QUINN: What kind of hazards? RFI/EMI 21 type hazards?
22 MR. LOESER: I believe the hazards were more 23 to the point of what would happen if a particular portion 24 of the circuitry stopped working. I don't think it went 25 into the detail of exactly what would make it stop ;
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 2344433
102 1 working, but jusu that --
2 MEMBER APOSTOLAKIS: So you say you did that 3 assuming emergency operation?
l 4 MR. LOESER: Well, by emergency operation I'm 5 talking about trip signals, what happens during the -- in l 6 the signal path when the signal trips. How does it trip, 7 what happens within the code on a very simple trip, say a 8 pressure. If the pressure gets to be too high, that there t
l 9 is a comparison ir *.here of the correct trip set point, I
10 what it is that a trip is then generated and that that is l
11 generated out through the rest of the circuitry.
12 I don't want to overly complicate this.
13 That's a fairly simple thing. :
14 MEMBER APOSTOLAKIS: I guess I'm confused a 15 bit by the word hardware.
16 MR. LOESER: At this point --
17 MEMBER APOSTOLAKIS: Hardware of what?
18 MR. LOESER: At this point, I'm looking 19 primarily at the microprocessor, the relays, the l
20 bistables, things like this. It's very difficult, of I
21 course, in a case like this to separate the hardware and 22 the software when you are actually doing the review.
23 You're going through it once and checking -- I mean when 24 I'm re-looking at a schematic and a flow diagram of the k 25 hardware, I'm following that part, but right next to it I l
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
103 1 have software, the software specifications. This makes it
<-~s 2 look as if they are more separate than they are. But in
\
(J 3 fact, it's not easy to separate out the two and I don't 4 think I made any attempt to do so.
5 MEMBER APOSTOLAKIS: You said you assumed that 6 some pieces of the hardware were down for some reason? Is 7 that what you said?
8 MR. LOESER: Yes, what happens if a given 9 piece of software fails? Does it go to a safe state? Do 10 you then trip the plant? If a -- I don't know -- if a 11 microprocessor just stops running, if the clock stops, 12 what happens? If the mick freezes up or EMI stops it, 13 what happens?
( 14 MEMBER APOSTOLAKIS: But you didn't try to 15 figure out if it's an emergency operation, maybe there are 16 accident conditions and maybe some of these things would 17 fail in a common mode failure because of the environment 18 they're in?
19 MP. LOESER: The environmental qualifications 20 were discussed basically on the next slide, not at this 21 point. I wasn't trying to figure out what made it stop.
22 MEMBER APOSTOLAKIS: Okay.
23 MR. LOESER: In the next slide we went into 24 what the requirements are, what kind of temperature should
/w I \
(.m/ 25 it be able to meet. That was primarily design criteria 2 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
1 104 1 and 4, the protection against natural phenomena and there 2 are temperature and humidity requirements, seismic
- 7-)
%-)
3 radiation and various EMI.
4 Since this was not a plant-specific review, we 5 were not using plant numbers, for example, worse case 6 seismic event at a given plant, but B & W chose what they 7 felt was a conservative number. We reviewed how they 8 tested it to those numbers and concluded that the 9 environmental qualifications they listed, they could meet.
10 Now one of the requirements before this gets 11 installed by anyone is for the plant to look at their own 12 environment and make sure that it is enveloped by B & W.
l 13 If, for some reason, the temperature in a particular plant G
'- 14 would go higher than this equipment would operate at or is 15 tested at, this equipment would be unsuitable for use in 16 that plant and would either have to be used as something 17 else or modified.
18 MR. QUINN: This is located in the rack area, 19 the relay rooms or the control area? !
20 MR. LOESER: That is correct.
21 MR. QUINN: So this is a mild environment?
22 MR. LOESER: It's generally a mild 23 environment.
24 MR. QUINN: So the two that apply the most are
/\
k_) 25 seismic and the EMI/RFI?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
105 1 MR. LOESER: Yes, I just used a sample. I p 2 could have used EMI just as well.
V 3 But there are, the system was designed to meet 4 certain specificat1ons and it's up to the plant when they 5 install it to make sure that --
6 MR. QUINN: I'm sure that the temperature and 7 radiation are c oing to be, it's not -- that shouldn't be 8 an impact if they're not installed out in the rest of the 9 plant.
10 MR. LOESER: That's correct.
11 MR. QUINN: For EMI, did you -- if you took 12 that and compared it and a number of questions we're going
,_s 13 tu ask you today, compare it now with this SRP application
/\
V 14 of the EPRI TR and the SER that rze wrota; the field 15 strengths that we had in the categories for EMI, would 16 that meet --
17 MR. LOESER: Yes.
18 MR. QUINN: Okay.
19 MR. LOESER: I believe it's significantly --
20 MR. QUINN: Better?
21 MR. LOESER: Better than the - -
22 MR. QUINN: Okay. On the previous slide you 23 had one on testability.
24 CHAIRMAN MILLER: I'd like to follow up on m
( )
(./ 25 that when you're done. Go ahead.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
106 1 MR. QUINN: Oh on testability, you had a g s. 2 system of redundancy and testability. We have a new
'n.}
3 branch technical position -- that's on the slide you have 4 in your hand. That's it. The first line up there is 5 testability, redundancy and testability.
6 MR. LOESER: Oh yes, okay.
7 MR. QUINN: The new branch technical position 8 we have on line testing. This is 21. It talks about 9 system design requirements for on-line. Does this meet 10 that? Does it do that?
11 MR. LOESER: I did not review it using that 12 criteria.
,s 13 MR. QUINN: Do you know -- you know the new 14 criteria. If you did, would it pass?
15 MR. LOESER: I believe so, but once again, ,
1 16 until I would sit down and do a point for point l 17 comparison, I won't swear to it. I believe it will.
18 The general design criteria, the branch 19 technical position was written on the same basis that I do 20 these reviews, that I did this review.
21 MR. QUINN: Okay.
22 MR. LOESER: But once again, I haven't seen it 23 in a couple of months. I can't swear that nobody has 24 changed it. And I can't swear that after the general A
f I
\_/ 25 comment period that it won't get modified again to some NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
107 1 degree.
2 MR. QUINN: I understand, but the reason that 7 3,
%-) I'm asking is the benefit to this test of going through 3 i l
4 and spending time to review this is to see a case in point 5 where a good review is done of a system that's recent and 6 also how does it stand up against this new criteria that 1
1 7 we've defined. And in most cases, your review will have 1
8 encompassed the new criteria. We're trying to identify I 9 areas where the new criteria wasn't looked at as part of 10 this STAR review and would it stand up to that criteria or l 11 not.
12 MR. LOESER: In no case was the new criteria 13 used for the STAR review. I think in every --
(k' 14 MR. QUINN: Explicitly. /
15 MR. LOESER: -- every case, however the same 16 standards that are called out in the new criteria were the 17 same ones that I used, so --
18 MR. QUINN: So you used 1012?
19 MR. LOESER: Yes.
20 MR. QUINN: Did they refer to 1012 in their 21 functional and detailed design spec?
22 MR. LOESER: I don't remember right now. I 23 have backup slides here.
24 MR. QUINN: 1012.
p (m / 25 MR. LOESER: I have backup slides here.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
108 1 MR. WERMEIL: Yes, I think they did. I think 2 B & W did.
O 3 MR. LOESER: It's been a year and a half since 4 I did this review and to tell you the truth I don't l l
5 remember every -- l 6 MR. WERMEIL: Jim, why don't you -- I think j 7 the documentation provided --
8 MR. QUINN: And not just 1012, but in general, 9 the IEEE guides that the staff has selected here are those 10 ones that were referred to in the STAR system.
11 MR. SCECINA: I believe so.
12 MR. LOESER: On that particular issue --
13 CHAIRMAN MILLER: Yes, there's a list of 14 references.
15 MR. WERMEIL: Jim will know.
16 MR. LOESER: I also have the B & W report 17 here.
18 MR. WERMEIL: Go ahead, Jim. Why don't you 19 speak up.
20 MR. SCECINA: Let me just say which ones we 21 used. We did a software quality assurance plan at the 22 outset for the software development and there are certain i
23 standards that we, the plan set forth as those that we 1
24 would use. Of course, everything was based on 7-4.3.2 l 25 1982 which was endorsed at the time by Reg. Guide 1.152.
NEAL R. GROSS j COURT REPORTERS AND TRANSCRIBERS j 1323 RHODE ISLAND AVE., N.W. l (202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 I
- - . _ - . . . . - _ . - . . . _ . - . ~ _ . - . - . - - . . _ . . - , - - - . - _ . - . - . . _ - . _ - - .
I i 109 !
I 1 Software V & V plan was 1012. Software requirements 2 specification was IEEE 830. Software design document V 3 standards was IEEE 1016. The QA, software QA plan was ,
4 based on IEEE 730 and we used a checklist from ANSI 10.4. [
5 MR. QUINN: So Jim, if in one of our slides ;
6 the first slide that Matt presented today has a list of 7 IEEE standards, 1012, you're going down this list, 1012, 8 830, 1016. Are there some that you did not refer to? !
l 9 Maybe we can answer that later. Maybe you can --
i 10 CHAIRMAN MILLER: Well, they used 730 which is 11 not in that list.
12 MR. QUINN: Right. 1016 --
i 13 MR. SCECINA: We did not ur 828, 1042, 1028 l
14 and --
15 MR. QUINN: 1028 is a recommended practice, I l 16 think.
17 MR. SCECINA: We didn't use 829.
18 MR. QUINN: I'll ask a more programmatic 19 question. If a licensee came in today to ask to input 20 this STAR system, not today, but next summer when this was
.21 in effect, would you use the new SRP? How would you 22 grandfather this SER in relation to a new application, a 23 plant-specific application that came in?
24 MR. LOESER: Well, first of all, in the 25 process of doing, reviewing another plant, our general --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 l
L - - , . ~ , _ _ _ . _ - - . _ . _- -- , - -- -
..__. _...._ __ _ _ .-_ _ . _ _ _ _ . _ _ . _ . _ . .. _ _ - . . _ _ - - . . . _ - ~ .
! 110 1 our specific policy has not been to not go over the issues i
2 that have been gone before. I don't think we would go
!, 3 back and re-review STAR, covering the issues we have i 4 locked at before to be applicable. If someone came in 4
5 with a new design, not the STAR, we would certainly use 6 all that.
. 7 MR. WERMEIL: Let's be specific. What we 1
i a 8' would do is let's assume the licensee is referencing the !
- 9 STAR design that we've approved by NSCR on the topical l 10 report. That review for that specific plant would look at j 11 differences between the approval that we granted and 5 :
q 12 whatever STAR system they're proposing to put in and those 13 aspects that are specific to that plant and those things
,O 14 are spelled out in our SER and they're the kinds of things 15 that Paul mentioned.
16 Verification that the environment, the plant 17 proposes to put the system in is consistent with that that 18 was in the approval of the generic topical report and then 19 any other -- say there are specific requirements for power 20 availability, power quality, that kind of thing, that 21 those are also satisfied and that's basically it.
22 We do not go back and re-review STAR against a 23 new set of guidance even if it's come out. The approval 24 that was granted is still valid with the exception of 25 anything different and anything plant specific.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
. ~ . .. - _
! 111 j 1 CHAIRMAN MILLER: Well, you have a list of I i
j 2 prerequisites. l l
3 MR. WERMEIL: There usually is a list of l 4 prerequisites --
4 t
- 5 CHAIRMAN MILLER: A list of prerequisites in !
l
! 6 here that have to be adhered to for every plant? .
i 1
l 7 MR. LOESER: Yes.
1 i~
j 8 CE4IRMAN MILLER: Which is one of my
! 9 questions. !
L 10 MR. WERMEIL: That's pretty typical, those 11 items are usually in any generic approval, we would i
- i 12 13entify those things that have to be satisfied up front f 1 !
j 13 by the referencing applicant licencee. !
4.o 1 14 CHAIRMAN MILLER: On the EMI, I notice on the i
! 15 prerequisite you have some limitations on use of i
16 transmitters, radio transmitters.
1 J
17 MR. LOESER: Yes.
I
.8 CHAIRMAN MILLER: Going back to the EPRI
- 19 guideline, I thought the EPRI guideline handled the radio 20 transmitters?
21 MR. LOESER: This first of all this report ,
22 came cut before the EPRI did.
23 CHAIRMAN MILLER: I understand that.
24 MR. LOESER: Yes, I believe it does in both j 25 cases they say you can't use it close to the equipment.
NEAL R. GROSS l i
COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
! 112 1
1 MR. QUINN: Administratively --
1 f3 2 MR. WERMEIL: I think it's identified as what k 3 they call a limiting practice.
1 ,
4 CHAIRMAN MILLER: Okay, so this then is 5 consistent with the EPRI guideline in that sense that you l 6 have a limiting practice.
7 MR. LOESER: Yes.
]
8 CHAIRMAN MILLER: Limiting.
9 MR. LOESER: Anyway, these are some of the 10 standards that were used against when we looked at the 11 environment qualifications.
)
12 The most controversial, I think, generally is ;
i 1
13 the EMI portion because at that time EPRI had not come out
("T I
\
' ') 14 with their guidelines and --
l 15 CHAIRMAN MILLER: You would say what you used 16 super equal or supersede?
17 MR. LOESER: Yes, but at the time I didn't l 18 know that.
19 This was fairly typical of what had been 20 approved in the past and in some cases a little higher.
21 We felt that that was barring plant specific information 22 as good as we could do. WE spent a fair amount of time 23 reviewing the test methodology that was used and the test l
i 24 results and came to the conclusion that this was
' (~T
(_/ 25 generically adequate in a plant specific case of course.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
113 1 I said that's a judgment that will have to be made.
-s 2 MR. QUINN: But the prerequisite and in the
\_/
3 EPRI guide has guidance on field, the licensee has to 4 verify that their plant complies with the basic envelope.
5 Is that a requirement for somebody to apply for a STAR 6 system installation or not?
7 MR. LOESER: The requirement basica ty from 8 design guidance, GDC 2 and 4 says that the equipment that 9 you install has to be suitable for use in that location.
10 The licensee would have to make sure that whatever they 11 have envelopes, the B & W field information, if it did 12 that and did not meet the EPRI requirements which like I 13 said are somewhat lesser, it would still be typical.
\ 14 MR. QUINN: As long as it exceeded the EPRI.
15 We negotiated the final on that EPRI guidance.
16 MR. LOESER: Yes. So if a plant came in with 17 -- who had, for example, measured their -- done a site 18 survey and measured their actual field strengths, had 19 determined that they are higher than what is allowed in 20 the EPRI guidance, but lower than the qualifications of 21 the STAR system, they could still install the STAR?
22 MR. QUINN: Right.
23 MR. LOESER: If it's higher than both, 24 obviously they can't install it. If it's lower than both, p.
(_/ 25 it's not even a question.
NEAL R. GROSS COURT REPORTERS ANDTRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
l 114 1 MR. QUINN: Okay, I understand, gg 2 MR. LOESER: On the software, the primary look GI 3 as in most cases was in the software design process and 4 the quality that goes into it. The software requirements 5 specification were reviewed and remember this became twice 6 as difficult because there was as separate software 7 requirement specification for each of the safety function I 8 processors. In addition to the requirements for some of 9 the auxiliary equipment, some of the attached equipment 10 that was not directly trip related.
11 The verification -- i l
12 MEMBER APOSTOLAKIS: This seems to be the 13 issue here today. What do you mean the software t
\~') 14 requirements were reviewed?
l 15 MR. LOESER: The document that B & W wrote, 16 the software requirements specification was reviewed.
17 This was compared against the system requirements 18 specification and the hardware requirements specification 19 to insure that all the functions that the system 20 specification said were to be done were in fact listed in 21 the software requirements specification, and that this was 22 done in both safety function processors.
23 MEMBER APOSTOLAKIS: Now would you say that 24 this depends on the ability of the reviewer of the job
,\
(_-) 25 that -- how did you know, for example, that there were no NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D.C. 20005-3701 (202) 234 4433
1 115 1 ambiguities in the requirements document which seems to be j (N 2 a source of error all the time.
V Well, let me answer the first 3 MR. LOESER:
, 4 question first. I think in any sufficiently complex l l
5 field, whether it be digital or for that matter almost 6 anything else a man on the street with no previous 7 knowledge can't review it. Yes, I think in any case, the 8 knowledge and expertise and previous experience of the 9 reviewer comes into play. )
i 10 MEMBER APOSTOLAKIS: That's very true.
11 MR. LOESER: As far as doing the actual I 12 review, I'm not quite sure how to answer your question. I 13 looked at the requirements. If it made sense to me I
) 14 decided it was good enough. I asked for a level of detail I
15 if I didn't understand and very often initially on first 16 reading I didn't understand. These are fairly complex 17 documents. I asked questions, asked for supporting 18 documentation. In some cases talked to the designers, 19 talked to the people who wrote the document until I was 20 satisfied that I understood what it said, that what it l l
21 said is what was being done and then further on that it 22 was being done correctly and was being verified correctly.
23 And I can only assume that someone with a different level 24 of experience or different type of experience would ask (x
(~-) 25 different questions and require a different amount of time NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
l 116 l 1 to reach the same conclusion I did. I would think that 2 the end conclusion would be the same.
f-V 3 MEMBER APOSTOLAKIS: Now, you come from the 4 software side, right?
5 MR. LOESER: No, not really. I was -- I 6 started off in hardware and I've been working in software 7 the last 10 or 15 years.
l 8 MEMBER APOSTOLAKIS: But in this particular 9 case, you made sure that the software specifications were 10 consistent or did what the system requirements were, that 11 some hardware group developed?
12 MR. LOESER: Actually, the system requirements 13 specifications I don't think were developed by the p_
-# 14 hardware group. I think it was a joint effort and 15 probably at least as many software people were involved 16 with that as hardware people.
l 17 MEMBER APOSTOLAKIS: Now in this particular 18 case, you're talking about scramming the reactor?
19 MR. LOESER: Yes.
20 MEMBER APOSTOLAKIS: Even under abnormal 21 conditions? i 22 MR. LOESER: Well, pretty much the only time 23 you'd want to scram is under abnormal conditions.
24 MEMBER APOSTOLAKIS: Right. This -- there is
(~h a hell of a lot work there, I mean, Ted mentioned earlier
\m / 25 l
NEAL R. GROSS I COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
117 1 that under certain conditions the temperature and pressure 73 2 behaves in a certain way.
( )
v 3 MR. LOESER: This is not the only scram 4 system. This is only one scram function. This may be as 5 simple as if the water level drops to a preset level and a 6 simple comparison of two levels, what the trip set point 7 is to the level that actually exists as shown by the 8 instrumentation, if one number exceeds the other you close 9 a contact.
10 MR. QUINN: But for this Chapter 15 event, 11 this may be the trip that's going to be the primary
/
12 protection.
13 MR. LOESER: But the trip itself can be very p
> 14 simplistic. The software involved can be very simplistic.
15 It depends on the function. In general, trip systems are )
16 pretty simple compared to control functions.
17 CHAIRMAN MILLER: Which section, D & B?
18 MR. LOESER: That's why I said "in general".
19 There's always a few exceptions.
20 CHAIRMAN MILLER: Even those are fairly 21 straight forward.
22 MR. LOESER: And most cases, a trip is 23 comparability a simple comparison and in some cases 24 modified by a second parameter, but it's usually fairly (3
(m,/ simple.
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W (202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 l
118 1 MR. WERMEIL: Also keep in mind, correct me if
,- 2 I'm wrong, there was no attempt here to add new s
G 3 functionality.
4 MR. LOESER: No.
5 MR. WERMEIL: Trip functions that we're 6 talking about in the actual system requirements haven't 7 changed. In other words, what trips we want under what l
8 conditiw s were the same as the trips we wanted under l 1
9 those conditions when the old analog system was there.
10 That hasn't changed.
11 CHAIRMAN MILLER: So this has been installed .
l 12 at Oconee, is that correct?
13 MR. LOESER: That's correct.
.')
s 14 CHAIRMAN MILLER: So the only thing at Oconee 1
15 is only one complicated trip signal and that's where they 16 have, if I recall, you have flux and pressure and 17 temperature coming into one for D & B, is that right?
18 MR. WERMEIL: I believe so. But I think again 1'
19 Jim could probably answer better than I. I think that is l
20 one of the trip functions.
21 CHAIRMAN MILLER: The only one that has any 22 more than just an on/off type functionality.
23 MR. WERMEIL: Most of the others are. The 24 systems use an old microprocessor and it's been replaced, V 25 right?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 2344433
- 119 l
1 MR. SCECINA: The current systems use analogs t
2 for that. ,
1- !
i 4
3 MR. QUINN: Was there --
! 4 CHAIRMAN MILLER: Well, I thought Davis-Besse 5 had some sort of a microprocessor, not at Oconee though.
i 6 But this one then --
i
.~ 7 MR. SCECINA: Davis-Besse uses analog also. [
J f 8 CHAIRMAN MILLER: How many modules -- I'm i
l 9 trying to picture a block diagram for that system. How 4
10 many STAR modules were used for that one calculation, just l
11 one?
I
, 12 MR. SCECINA: Just one.
j
! 13 MR. QUINN: With different types of inputs.
I i 14 CHAIRMAN MILLER: Then that analog input then l
15 took those, what was it, three inputs and did the 16 computation inside the STAR module, is that right?
] 17 MR. SCECINA: There were four analog inputs 18 into the STAR module. We don't use any discrete contact
]
19 inputs for that trip.
i
) 20 MR. QUINN: Was in the Oconee application, is i
21 there a separate SER or was that done under 50.59 or how j 22 was that done?
! 23 MR. WERMEIL: Oconee's implementation was 24 under 50.59, although we did look at it, we looked at the j
a j 25 50.59 analysis. They were able to take the STAR approval i
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS l
- 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D.C. 20005-3701 (202) 234 4433 i
120 1 and made the case under 50.59 but because no tech spec l
2 changes were needed, based on their evaluation of an O
3 unreviewed safety question that that also wasn't present, 4 they were able to implement it without staff approval.
5 CHAIRMAN MILLER: The key on this, you did an 6 SER and that means that you have 50.59 on many 7 applications after this, right? 1
! 8 MR. WERMEIL: Not necessarily, but possibly. l 9 It depends on the circumstances. What it really depends ,
i 10 on is what is in the plant specific licensees FSAR, what ,
11 exactly does that FSAR say and then how does the SER that 12 the staff wrote approving this design impact on what is in 13 their licensing basis and they were able to conclude that O 14 based on what their FSAR said it appeared to them that 15 they could implement this without staff approval because 16 it didn't result in an unreviewed safety question.
17 MR. QUINN: By not causing a software common 18 mode failure --
19 MR. WERMEIL: that being one of many issues to-20 address, Ted, that's right.
21 MR. QUINN: This is improved design so it 22 doesn't -- if it did have a software common mode failure, 23 more than likely it would require submittal because the 24 old system --
l l 25 MR. WERMEIL: That's absolutely right.
1 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., NW.
I (202) 234.4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
121 1 CHAIRMAN MILLER: Well, the key is by es 2 diversity they've --
I i kJ 3 MR. WERMEIL: I believe that was one of the 4 advantages. I think Paul tried to allude to this up front 5 was that they had that in mind, initially, was that if 6 they could address what was known to be a very important 7 issue from the standpoint of unreviewed safety question by 8 the design itself, that they could afford a number of 9 licensees they falt the opportunity to implement it 10 without additional approval by the staff.
11 MR. LOESER: And the same is true of the EMI 1
1 12 requirements.
13 MR. WERMEIL: Yes.
- 14 MR. LOESER: When the testing was done the two 15 different microprocessors had different EMI 16 vulnerabilities, so no one EMI event should be able to 17 take out both of the processors simultaneously.
18 CHAIRMAN MILLER: How do you characterize the 19 two different vulnerabilities, by what criteria? What !
20 does that mean?
21 MR. LOESER: They were put on in a test 22 fixture, various signals were run either radiated at them, 23 conducted through test leads, things like that.
24 CHAIRMAN MILLER: So they kind of crash, so to
(,e 25 speak --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
, __ __ _ _ . _ - . _ - _ _ _ - _ . _ . _ _ . _ . _ . . _ .._ . ~ . _ _ _ . _ - . . - _ . _ -_ . _ .
I j 122 l l 1 MR. LOESER: At different times. At different j 1
- 2 frequencies, I should say. l l
3 CHAIRMAN MILLER: So one would crash and say -
4 - 1
+
l i
1 l
5 MR. LOESER: At 800 megahertz. The other one !
- 6 crashes at 950.
7 CHAIRMAN MILLER: Okay.
2 l 8 MR. LOESER: I'm just making up these numbers.
l 9 But so if you did have an EMI spike somewhere it should 10 only take out one of the two.
l i
j 11 Also, the way the system is designed l
l 12 inherently, if one of the microprocessors stops working, i
1." 13 the system trips. Not necessarily the system, you still
- /
- \
14 have the you know, the 2 out of 4 logic, but that j 15 particular channel will provide a half trip.
1 j 16 CHAIRMAN MILLER: Somewhere in here there was
! 17 a statement made that EMI was random which I didn't agree l 18 with, but if you put in a totally random EMI type signal l 19 then that wouldn't be true? If you put in equal amount of i
1 20 power at all frequencies --
! 21 MR. LOESER: There was a test plan written and t
22 I mean I don't want to say it was random. I think I i 23 either wrote it wrong or I was -- didn't come across 24 right. Signals that were introduced were very deliberate, k 25 not random.
! NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 2344433 WASHINGTON, D C. 20005-3701 (202) 234-4433
I 123 1 CHAIRMAN MILLER: I'll find it before we're
,g
, 2 done. You made a statement that EMI/RFI was random and I
\s-3 think you really meant that.
4 MR. LOESER: It's possible that I wrote the 5 wrong thing. I don't know.
6 CHAIRMAN MILLER: The point here is that the 7 vulnerability was tested by putting in a gigahertz here 1
8 and a half a gigahertz there. l 9 One of them crashed on one and the other 10 crashed on the other.
11 MR. LOESER: Frequencies were swept and there 12 was a variety of things done. I mean a standard EMI test 13 procedure, I don't think anything unusual was done in n
\ 14 this. The standard labs were contracted to do it using 15 standard test procedures.
16 CHAIRMAN MILLER: And one processor crashed on 17 one frequency and one on the other?
18 MR. LOESER: Something like that --
19 MR. SCECINA: Could I make a statement about 20 the testing involved as far as radiated susceptibility is 21 concerned, testing at fairly high field levels all above 22 20 volts per meter and there were only two frequencies at 23 which we tripped the processor below 20 volts per meter 24 and they had to do with the fact that we had unshielded r~N k._ 25 cables in open cabinets that we used and had to do with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
~__
124 ,
1 the cable length, tuning that particular frequency. But 2 the walkie-talkie frequencies were tested to the limits of 3 the test hardware that could generate the power and there ;
b 4 was no effect.
5 MR. QUINN: You're familiar with our EPRI and 6 SER on our EMI guidelines, right? Do you exceed those in ,
i 7 all cases of three different levels?
8 MR. SCECINA: Right. I think a question on 9 830 here, one of the concerns addrese d, I believe, to us 10 in the past was if you have a diverse design and you have 11 someone develop, you said there was a different SRS for t F
12 each of these, but the concern brought up by somebody was i
t 13 that there's a potential back in either the previous ;
O 14 document or the design description that the same type of 15 an error could appear in both, all the way through. How 16 would you address that?
17 MR. LOESER: In this particular case, it 18 started from the system requirement that was previously 19 used for the analog system. After that, everything was 20 diverse. If there was an error in that, granted it could 21 have been promulgated through. However, any time you have 22 a -- you write a system, you have to start off with some 23 basic concept of what you want the system to do. If you 24 make a mistake in that basic concept of what you want the 25 system to do, you can write the perfect software, have the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS !
1323 RHODE ISLAND AVE., N.W. l' (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
125 1 perfect hardware, the perfect system and there will still 2 be a mistake.
3 No amount of review will change that. This is 4 something that the plant designers -- I mean if the plant 5 designers decided you want to trip at 1000 pounds and it 6 turns out they should have said 800 --
- 7. MR. QUINN: Okay, ut the reason that we would 8 accept this design is because we believe that the two, 9 that the definition, they actually meet the definition of 10 diversity.
11 MR. LOESER: Yes.
12 MR. QUINN: And hopefully they do, but the 13 concern exists that somewhere back there it will propagate O 14 through all the way.
15 CHAIRMAN MILLER: All it's saying is based on 16 the diversity of hardware and software, knowing common 17 mode failure would occur if you had an analog system.
18 MR. WERMEIL: That's the point.
19 MR. LOESER: The same common mode failure 20 would occur with an analog system, the same mistake and I 21 don't know if I would characterize that as a common mode 22 failure. This is something that is outside of the scope 23 of this system.
24 MR. QUINN: You answered the question and --
25 CHAIRMAN MILLER: the safety evaluation NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
126 1 baseline was wrong.
fm, 2 MR. QUINN: 1012.
\) 3 MR. LOESER: Yes.
4 MR. QUINN: The new requirement that we put in 5 was for V & V team separate -- did they do that?
6 MR. LOESER: I'm not quite sure. First of 7 all, the V & V team was not separate. The same team 8 reviewed safety processor 1 and safety processor 2.
9 However, nobody on the V & V team was involved in any way 10 with the design of the equipment. It was a completely 11 different organizational unit. There as no cross over in 12 personnel and the -- I reviewed all the resumes of the 13 people who were involved in it and they were at least --
O 14 actually I think in some cases they were in some cases 15 significantly better qualified. It looks like the best ,
1 l
16 people were put on the V & V team. Not to say that the l 17 designers weren't good. They certainly were.
18 MR. QUINN: A report we got last spring from 19 DC Cook was that during the test program which would be 20 covered by this testing they had three series of tests and 21 they found errors in the design all the way along. What 22 kind of -- in the factory acceptance testing, in the field 23 testing at Oconee, what kind of faults, what kind of 24 system faults did they find? Did they find any that were 25 significant?
NEAL R. CROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
127 1 MR. LOESER: Well, first of all, this review 2 does not cover the system testing at the site. However, 3 since the system has been installed, one flaw has been 1 4 found and it was reported to us by B & W. I have the 5 paperwork back in my files. I don't remember exactly what 6 it was. They corrected it. The testing at the site where 7 it was built, there was module testing. There was 8 integration testing as the system was put together and 9 yes, each level of testing found different problems and 10 originally they found individual code problems or ,
l 11 individual hardware problems. Then once they put it 12 together, they found capability problems between different 13 organizations, between different portions of the code or
"# 14 the way the code is integrated together into a system.
15 There were a fairly rigorous testing program, 16 a fairly rigorous V & V before that.
17 MR. QUINN: So you would characterize the test 18 program as showing up -- I mean, i would characterize the l 19 Cook results as being terrible, that it wasn't as good a 20 design and if it wasn't for the test program, the thing 21 wouldn't have worked very well and it appears to me in 22 this particular design that it's a lot better, that you 23 found fewer things that review process actually pointed 24 out most of the --
25 MR. LOESER: The vast majority of mistakes are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
128 1 things that were found, were found by the V & V team e3 2 before (o) , __
4 MR. QUINN: Okay.
5 MR. LOESER: The testing --
6 MR. QUIh.'1 : Great, good.
7 MEMBER APOSTOLAKIS: Can we get a copy of the 8 report, reports on the error they found?
9 You said they found one?
10 MR. WERMEIL: You're talking about the error 11 they found at Oconee in the plant?
12 MEMBER APOSTOLAKIS: Yes.
13 MR. WERMEIL: Yes, we can get you a copy of 14 that.
15 MR. LOESER: I'm not sure is that proprietary 16 or not?
17 MR. SCECINA: No. That's the letter to you.
18 MR. LOESER: I can make a copy of that i
19 available to you. I l
20 CHAIRMAN MILLER: Was that a flaw in the STAR 21 system itself or a flaw in the STAR system as it was l
22 installed?
23 MR. LOESER: I think it was a mistake in the 24 code.
(D MEMBER APOSTOLAKIS: How about DC Cook, is
(/ 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
129 1 that a different set --
g-~.s 2 MR. QUINN: Yes, that's --
'w] 3 MR. LOESER: In the calibration and test 4 computing --
5 MR. SCECINA: Yes, I forgot about that.
6 CHAIRMAN MILLER: Okay, let's try to keep it 7 to one.
8 MEMBER APOSTOLAKIS: On this V & V, you are 9 familiar with the BTP 14? j 10 MR. LOESER: I have read it. I am certainly i l
4 11 not as familiar with it as if I had used it to do the 1
12 review.
_ 13 MEMBER APOSTOLAKIS: Okay. Now when I go to I 14 the acceptance criteria for software verification and 15 validation activities, what it says here is that reports 1
16 should be produced and so on, activities should address j 17 each requirement and then it says it becomes a bit more 18 specific as part of the software V & V or the traceability 19 matrix should be produced with the following degrees, the 20 traceability matrix should clearly show tae linkage 21 between each requirement imposed on the software by the 22 system requirements documented and so on. That's all on 23 page 11.
24 MR. LOESER: Yes, (p_) 25 MEMBER APOSTOLAKIS: Now you obviously did NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 33 WASHINGTON, D C. 20005-3701 (202) 234-4433
130 1 much more than this. This is just high level stuff of
'w 2 what you have to do.
g (O 3 MR. LOESER: Well, I mean I don't know whether 4 --
5 MEMBER APOSTOLAKIS: That's all it says.
6 MR. LOESER: Yeah, well, yeah, in that case I 7 did certainly more. The traceability matrix that I got 8 from B & W, I think was invaluable in the review. It was 9 a way of making sure that the high level requirements were 10 carried down to low level actual code, what portion of the l i
I 11 code it was. It was a way of making sure that each portion 12 had a test figure or a test portion attached to it, not 1
- 13 only in the individual code test, but in the system test.
\
'- ') 14 It would have been very difficult to do the 15 thread analysis without that document. But that's also a 1 16 way that you could do through and see that --
17 MEMBER APOSTOLAKIS: What is a thread 18 analysis? Is it here?
l 19 MR. LOESER: That's about --
20 MEMBER APOSTOLAKIS: Not in your vu-graphs.
21 In the BTP.
22 MR. WERMEIL: It is in the BTP.
23 MR. LOESER: I believe it's mentioned.
24 MEMBER APOSTOLAKIS: I guess my question is Q
k_/ 25 this. Did you -- I mean if you look at this document, the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
i 131 l l
1 BTP 14 and having the experience of having done this, l l
1 gs 2 would you give more advice would you give a little more
(
s_-) 3 specific advice here, what to do, or do you think that is 1
1 4 unique to this system and if you have another system that i 5 advice isn't valid?
6 MR. LOESER: Once again it depends on the knowledge 7 of the person who is doing it. I think someone with my 8 equivalent experience, what is listed in there is 9 perfectly sufficiently. For someone who is coming i 10 straight out of school or with maybe one year or two years 11 coding experience, that's probably insufficient, but to 12 tell you the truth personally, I wouldn't trust them to do 13 a formal review regardless of how much guidance they had.
('~ 14 Not by themselves.
15 MEMBER APOSTOLAKIS: But again, if I take that )
l 16 argument and apply it to other regulatory guides I don't l
17 see why I have to look at temperatures and pressures and 18 so on. Obviously, there is a philosophy here that you can 19 give some concrete advice, you should give it. Because 20 you can apply it to anything and say gee, a good engineer, 21 you know, in thermal hydraulics doesn't need this guidance 22 because he wouldn't do it.
23 MR. LOESER: The exact level of detail that's 24 in the branch technical position, since I didn't write it, 25 I'm going to have to refer to Matt as to why they decided NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS l 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4 433
l 132 l
l 1 to put exactly that amount in and not more and not less.
g 2 MEMBER APOSTOLAKIS: That's my question. l t
L.)
3 MR. LOESER: That's something I'm incapable of ,
l 4 answering.
5 CHAIRMAN MILLER: The question I have which is l
6 somewhat related to previous question I guess, on page 43 1 7 said staff reviewed the software and hardware as a system 8 in order to identify potential timing and interface 9 problems.
10 MR. LOESER: Yes. i l
11 CHAIRMAN MILLER: You later said that they are l
1 12 satisfied the system requirements -- it says the staff l l
13 audit of STAR hardware and software confirmed that they )
t
14 satisfied the system requirement and therefore are 15 acceptable.
16 Is there any way you tested that or verified l 17 that other than just look at documents?
18 MR. LOESER: Actually, in a cave like this 19 there are several different parts to it. One'of them is 20 just looking at the cycle time, how often a given item is 21 checked and what the accident analysis figures are and in 22 the case of RPS.
23 CHAIRMAN MILLER: So you did that by some sort 24 of or watched a test being done to verify that?
25 MR. LOESER: No. I reviewed the tests that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
i l 133 l 1
1 1 were being done and in some cases -- '
2 CHAIRMAN MILLER: So you reviewed their tests?
O 3 MR. LOESER: Yes.
1 l
l 4 CHAIRMAN MILLER: What criteria did you use to f
5 reach this conclusion? j 6 MR. LOESER: That I did not see a case where a j i
7 signal would be delayed because of something in the l 8 hardware architecture or say the diagnostic taking an ,
9 excessive amount of time where possibly a diagnostic !
10 hanging up could freeze the system, where a signal, if it 11 just missed being latched into a gate, arriving one 12 nanosecond too late, that there wasn't enough time to go 13 back and pick up that again before the system had 14 completed its cycle or that the cycle went fast enough 15 that it would work.. !
16 CHAIRMAN MILLER: So you took a performance 17 requirement for this system, and you looked in a 18 oscilloscope trace or --
19 MR. LOESER: No, I didn't look at oscilloscope 20 trace. I looked at --
21 CHAIRMAN MILLER: Their measurements.
22 MR. LOESER: I looked at the cycle times that 23 were specified.
24 CHAIRMAN MILLER: They made measurements to 25 verify all this. You looked at their test data in some NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS I 1323 RHODE ISLAND AVE, N.W. j (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4 33 i j
l 134
- 1 way?
2 MR. LOESER: In some cases I looked at the f
3 case data. In other cases it was by analysis.
I t I j 4 CHAIRMAN MILLER: I'm just trying to get a l
l j 5 feel for what one does in your position to verify, to I
I 6 reach a conclusion of that.
7 MR. LOESER: Well, a lot of it has to do with 8 is the system fast enough to meet its requirements.
9 CHAIRMAN MILLER: And --
10 MR. LOESER: Is it so fast that it gets in 11 trouble with itself.
12 CHAIRMAN MILLER: How do you answer those 13 questions? What data was given to you to answer those?
O 14 MR. SCECINA: Yes, Paul, to refresh your 15 memory, there was one question you sent us in a request 16 for additional information on the initial topical 17 submittal that dealt with response time. And we answered 18 that.
19 MR. LOESER: Yeah.
20 MR. SCECINA: In addition, the calibration of 21 test computer does check response time. It's one thing --
22 MR. LOESER: I think this is a little 23 different question. I don't think this is referring to 24 the actual response time of the system to meet tech specs, O
\s / 25 for example, but you're talking about how we made sure NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
135 1 that there wasn't a timing problem within the system.
2 That's one of the more difficult things to do.
-]
G 3 CHAIRMAN MILLER: Right, that's kind of why I l
4 wanted to focus on that one because it's not easy.
5 MR. WERMEIL: Paul, doesn't the testing that ,
6 they did to the extent that it covers the functions that I 7 are required to trip the system, it covers that aspect.
8 MR. LOESER: It does, but if there's a basic 9 misunderstanding as to what the time is, if you go through 10 and say do the whole check three times a second, including 11 diagnostics, but you only allow yourselves -- you have to 12 have, propagate through this system at 250 milliseconds. )
, 13 CHAIRMAN MILLER: Plus or minus --
k) 14 MR. LOESER: Yes, plus or minus. Then you 15 don't have enough time because it takes, if you arrive at l
16 just the wrong time it could take 333 microseconds, 17 milliseconds to work its way through, whereas what you 18 allotted was 250. That's the kind of question when you're 19 looking at a system level what you have to ask yourself.
20 CHAIRMAN MILLER: So there's a performance 21 requirement on that, that particular issue, right?
22 MR. LOESER: Yes. It may not be inherent. It 23 may just say what the system is expected to do, how often i
24 it's expected to respond, how fast it works and you have
(
(/ 25 to make sure that it -- that it's possible, that someone NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS l 1323 RHODE ISLAND AVE., N W !
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 2344433 !
I J
l 136 1 1 hasn't overlooked something. Obviously, this is something !
l 2 the designers do. System designers look at it. The l 3 individuals, it's tested for. Everything I looked at it's )
4 something that was already looked at by the designers. l 5 CHAIRMAN MILLER: I understand. i l
6 MR. LOESER: I'm just doing a double check to 7 reassure myself that this was, in fact, done correctly.
8 MR. SCECINA: And there are flags in the 9 software that insure that all the operations are 10 completed.
11 MR. LOESER: Yes.
12 MR. SCECINA: Per cycle.
13 CHAIRMAN MILLER: Okay, go ahead.
O 14 MR. QUINN: In order to do this you must have 15 received a formal application from B & W, is that right?
16 MR. LOESER: We received a formal submittal.
17 MR. QUINN: Formal submittal.
18 MR. LOESER: Yes.
19 MR. QUINN: Did you have a lot of comments 20 over the time? How did this go before you issued it?
21 MR. LOESER: This was a fairly unusual i 22 situation in that B & W had come to us about two or three l 23 years earlier saying we're thinking about building this 24 system, what do you think about it? Before I received 25 their formal submittal, I received preliminary versions.
i l
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
137 l
1 I had made three trips down to B & W, spending a week 2 there at each time, first when they started their design, 3 once halfway through, reviewing the progress and offering l 4 advice as to where things may be a little weak, where 5 things should be beefed up and staying familiar with what l
l 6 was going on with equipment.
7 So it was unusual in that we didn't one day 8 just receive in the mail this big package saying is this 9 good enough. there was a lot of inter-reaction between 10 the designers and the design team and the V & V people and 11 ourselves along the way.
12 MR. QUINN: And some of that is recorded and 13 some of it's not recorded. Is that what you're saying? ,
14 MR. LOESER: That's correct. I mean I 15 certainly didn't keep a transcript of everything I said ,
i 16 while I was down on the trip. There was a trip report 17 issued each time, but --
18 MR. QUINN: But some of them are letters?
19 MR. LOESER: I think all the letters that were 20 involved are on the docket.
21 MR. MARKLEY: I was going to say one other 22 thing to add, once they get the original topical submittal 23 they do submit requests for additional information or RAIs 24 as they call them to the licensee for other stuff where 25 they would want more.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
138 1 MR. LOESER: Yes, areas where there wasn't l f-s 2 quite enough detail or whether we wanted to know more than 1 :
~
3 they had thought we might require and we asked for more 4 information. All of that is on the docket.
5 MR. QUINN: Okay, was there a failure modes l
6 and effects analysis performed? !
l 7 MR. LOESER: Yes.
)
8 MR. QUINN: Is that documented? !
9 MR. LOESER: I doubt it. that type of thing I
10 is proprietary information that goes into the exact 11 methodology by which the system works, covers the -- I l
12 suppose you use the word trade secrets, but the exact 13 design. The design information of how the system was
( i
\ 14 built, what's in the code and that sort of thing is not 15 docketed. I 16 I had copies of it all. I don't think there i 17 was any document that was produced by B & W which wasn't 18 made available to us for review.
19 MR. QUINN: So you looked at that. For 20 example, the inter-relationship of the multiplexer to the l 21 processor, the types of failures that could --
22 MR. LOESER: There was specifications for the 23 signals that went between them and what type of signals.
l 24 There were failures, what happens if the microprocessor k ,)
m 25 fails. What happens if the -- I'm not sure that from the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
i l- 139 e e j 1 gist of what you're saying that exactly what you're 2 talking about was produced in exactly that manner. I r
i 3 think there was sufficient information to verify at least i
5, 4 in my mind and in the mind of the people who read my i i, !
i 5 reviews and who I discussed this with, my bosses, that 1
6 this was adequately done.
i 1 7 MR. QUINN: Okay. I was interested in that. ,
i l 8 MR. LOESER: If there's not any other [
i I 9 questions, we'11 move on to the thread audit and this is f
1 10 where the software implementation for specific function, f t
11 in this case several different functions, were picked not
] .
12 quite at random. We looked at ones that we thought would j l
} 13 be interesting or were a little more complex than average ;
i .
i 14 and we traced these requirements through the equipment i i l 15 specification, looking to see where they were put into the i
! 16 software specification, where it was put into the code and j 1
17 how it was tested. Now since this was written in ANSI i
j 18 Standard C and I'm not an expert on C, I can read it, but d
19 not the highly complex function. I must admit that I took 20 along a recent graduate from one of the universities who 21 was much more proficient of the C than I am to analyze 22 what the code actually said and how it worked and then 23 tried to explain it to me.
4 l
24 That's where the actual sections of the code ;
25 were reviewed.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005 3701 (202) 234-4433
r i 140 t 1
1 Along with this we looked at the V & V reports ;
2 on this portion of code, problem reports and how they were i
3 handled. I have always figured that's one of the keys to l
4 a V & V is how the problems are recorded and how they're 5 handled and how they are verified and then taken care of.
6 We probably spent a day or a day and a half )
7 doing this. It wasn't a great deal of the audit, but I I l 8 think it's an important function, if nothing else, l 9 obviously we don't have time to review every line of code.
10 That's what the V & V is for. this is a check on the V &
1 l 11 V people to see how they did it. l 12 Any questions on this portion? l I
t l
13 MR. QUINN: Did you take a trip to Oconee?
[
l 14 MR. LOESER: Yes.
1 15 MR. QUINN: And see this system installed?
l 16 MR. LOESER: Yes. Actually, no. I never saw 17 when this system was installed. I took a trip down to 18 Oconee and saw the previous, the one in the fifth channel.
19 MR. QUINN: Same design?
l 20 MR. LOE3ER: Basically, it was more 21 preliminary. It wasn't in final format. they didn't use 22 the same PC board layout. I don't think that -- it i
23 certainly wasn't tested to the same degree. I looked to 24 see as a representative sample of how this would be used.
i 25 I did not go down to Oconee and review their installation i
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 l
- .__ __ . , _ _ _ _ _ _ _ . - . _ _ _ _ _ . -. . . _ _ - _ , _ _ _ _ . , _-_ _~
141 ,
1 1 of the final system. I think someone from Region II may i
l
~3 2 have done that, but I wouldn't swear to it. '
)
(/
s_
3 We were talking earlier about the compliance j i
4 matrix. And this is still on the thread audit portion.
5 This would have been quite difficult to do without some 6 sort of compliance matrix and I would be very hesitant to I
7 try to do a review that did not have a fairly thorough I 8 matrix of this sort.
9 The matrix showed for each stage of the 10 documents where the requirements were to be found and it I 11 matched the requirements to the previous stages of 12 specifications of documentation and to the actual code p_ 13 portion and to the test documentation, allowing us sort of I \
\- 14 to go just across. Now naturally in the very early 15 specifications we may have one or two lines then blossom
)
16 out to a great deal, but it still allows you that 17 traceability backwards and forth through the 18 documentation. l l
19 CHAIRMAN MILLER: On that second bullet -- l 20 MR. LOESER: Second open bullet, matched ,
1
\
21 system specifications?
22 CHAIRMAN MILLER: What does that mean? What l 23 did you do?
24 MR. LOESER: I looked at the system
/%
k_) 25 specifications and with the compliance matrix in hand and NEAL R. GROSS COURT REPORTERG AND TRANSCRIBERS 1323 RHODE ISJND AVE., N W (202) 234-4423 WASHINGTON. D C. 20005-3701 (202) 234-4433
i 142 l 1 assured myself that everything that was listed in the 2 system specification was down in the compliance matrix, I f-w (v) 3 that they hadn't forgotten something.
4 CHAIRMAN MILLER: Okay.
5 MR. LOESER: Then I would take a section of 6 that and go to the software specification and do the same 7 thing and then I would take the software specification and 8 pick out a portion of that and make sure that there was 9 actually some po* tion of code that was listed that said it 10 took care of this.
11 It's just a matter of matching back and forth 12 and doing spot checks in the actual documentation. I mean 13 it gives a number here on the compliance matrix that 14 paragraph A covers this item and paragraph G(2) on the 15 software spec, for example, covers it. Then you have to 16 do a comparison, actually get those two documents out and 17 make sure those numbers are correct, that that portion 18 actually does talk about what the matrix says it talks 19 about.
20 CHAIRMAN MILLER: And then test documentation?
21 MR. LOESER: Yeah, you go back and look at the 22 test procedure to see if there's a -- I don't know, a 23 reporting requirement that a given flag will be raised at 24 a certain time if something happens. You see that there's 25 actually code written for that. Then you look at the code NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D C. 20005-3701 (202) 234-4433
143 i
a l 1 test portion that that's done and then later on in the I
i 2 system test that someone actually checked to see if there f
} 3 was this flag put into a buffer somewhere when it said it l
! 4 was supposed to and that had been tested correctly. :
$ 5 CHAIRMAN MILLER: Okay, and so they have some a
r
, E
]
6 sort of a test plan and test results and -- l 7 MR. LOESER: Yes, and test procedures, yes. c i
j 8 CHAIRMAN MILLER: Test procedures, and you {
i l 9 could sit down and match those up? :
10 MR. LOESER: Yes.
l j 11 CHAIRMAN MILLER: You had privy to all that 1
. 12 information?
i 13 MR. LOESER: Oh, absolutely. Like I said, I [
!'O
~
j 14 think this would be very difficult to do, just to search l 1
l 15 through the test procedures to try to find the appropriate ,
[
- 16 section unless you had this sort of matrix and I'm not i
l 17 sure how the designers and the developers of the system i !
I 18 would do it either without this sort of matrix to make 4 ,
i l 19 sure that they had covered everything.
20 CHAIRMAN MILLER: Give me a feel on this test i
i
- 21 or this compliance matrix, what dimension are we talking i
{ 22 about?
3 23 MR. LOESER: What dimension?
d 24 CHAIRMAN MILLER: Yeah, what dimension a s
25 matrix are we --
]
4 I
NEAL R. GROSS I COURT REPORTERS AND TRANSCRIBERS f 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 l
.,, -, ,-- -n.- ---, . , . , . , , - , . - , . . , , . - - - . , -- . - - , , . , . - , . -
144 1 MR. LOESER: Oh, basically it's just a fy 2 columnar, you know the word I'm trying to say, format, b 3 where it lists on the far right hand side the system 4 specification, then software specification, software, code 5 specification, actual code. Next column would be code 6 test, system test, V & V documentation. A couple of 7 different levels of V documentation.
l 8 CHAIRMAN MILLER: For each one of those?
9 MR. LOESER: Each one of them has the 10 paragraph number or a section number in it.
11 CHAIRMAN MILLER: And there are test results I
12 for each one of thoce?
13 MR. LOESER: Yes. And then you can go all the i
/ \
14 way across. '
final one is the -- I don't remember if 15 it was the final one or not, but one of them is the test 16 procedure and you can look up that completed test 17 procedure and see what the actual numbers or signatures 18 that yes, this was verified. And --
19 CHAIRMAN MILLER: And you spot checked those?
20 MR. LOESER: Yes, and in several cases they 21 have to be running certain tests while I was there, so I 22 would have observed them doing the testing.
23 CHAIRMAN MILLER: So I:ow many rows of 24 compliance --
b')
(_- 25 MR. LOESER: Oh, the whole thing was what, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
145 l
1 maybe 100 pages, written in landscape formats. Maybe 30 l l
2 or 40 rows per page.
3 CHAIRMAN MILLER: You're talking about 3,000 -
4 -
5 MR. LOESER: It was a very comprehensive -- of (
6 course, this was also written in stages. The first --
7 when it was first started before they had actually started 8 developing code, it only had two or three columns. Then 9 the next revision they would add the fourth column. The
]
10 next revision would add the fifth and on the early visits 11 down to B&W, I would see a version that only had two or 12 three columns. I would check what was applicable and what 13 wasn't. And the rest of it just wasn't available yet. It 14 wasn't until the final visit when they were fairly well i
15 completed with the tests that I got to see the completed 16 matrix.
I 17 CHAIRMAN MILLER: How many man hours does it 18 take to do a matrix like that? That's probably a question 19 for --
20 MR. LOESER: I have no idea, but I have no 21 doubt that it's expensive and complex.
22 CHAIRMAN MILLER: I'll take one of my graduate j j
23 students and do that overnight.
24 MR. LOESER: Well, it could be generated 25 overnight. It wouldn't be right.
NEAL R. GROSS 4 COURT REPORTERS AND TRANSCRIBERS l 1323 RHODE ISt.AND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005 3701 (202) 234-4433
3 146 1 (Laughter.)
s 2 MR. LOESER: It depends on how close the 3 professor checks, I suppose.
4 CHAIRMAN MILLER: You're the checker. I'm 5 trying to get a feel for the level of effort here.
6 MR. LOESER: Well, like I said I spent three 7 weeks down at B & W on three separate trips. I probably 8 spent two or three months reviewing all the documentation 9 that I had brought back with me and writing the initial l l
10 version of my report. I don't think editing is fair to 11 count against B & W.
1 12 It's a fairly significant system and it's
, 13 pretty complex. I wouldn't be surprised if all tolled, 14 between my time and other people's time if over a thousand 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> wasn't spent on this.
16 MEMBER APOSTOLAKIS: Why did you call it 17 pretty complex? I thought you said earlier it was simple?
18 MR. LOESER: No, I said any one individual 19 trip function may be simple. The system itself because it .
I 20 has several different microprocessors, because each one of 21 them requires code, each one of them requires a separate 22 specification, several, the hardware, the software, the 23 actual code. The overall system and the review, since 24 this is a safety grade software, has to be in a fair O(_/ 25 degree of detail. The review is quite complex. Any one NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
i 147 I i
1 individual trip function which this may produce may be a l 2 very simplistic trip function, tripping when the water 3 level gets less than 100 inches is pretty simple.
4 Tripping when the pressure gets above 100 pounds may be 5 very simple, but the equipment used to generate that trip l 6 may be complex.
7 MEMBER APOSTOLAKIS: Anyway, I'm curious.
8 What does it mean for software, the water level is below a ;
9 certain volume, for a microsecond it's below and --
10 MR. LOESER: Well, actually --
i 11 MR. WERMEIL: That's right. l 12 MEMBER APOSTOLAKIS: Is that what it is? i 13 MR. WERMEIL: That would be the same in the i 14 analog system too. It's the same thing. Whenever the set 15 point is exceeded, you expect the actuation to occur for j 16 whatever time it takes the equipment to react.
17 Now, it's possible, particularly with analog
'8
. systems for the time for that parameter to have been !
l I
19 exceeded, to be such a small period that you may not 20 actually get the trip before the parameter goes back to 21 within the acceptable bound. That has happened before in 22 operating plants. It could still happen even with digital 23 equipment.
24 CHAIRMAN MILLER: Well, digital could be 25 slower.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS ,
1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
148 1 MR. LOESER: It could be slower, it could be fS 2 faster.
( )
v 3 MR. WERMEIL: It could be faster. It depends.
4 CHAIRMAN MILLER: AS Jim pointed out, there's 5 a continual check on the response time of this system 6 which you don't have in analog.
7 MR. WERMEIL: But the point is is whatever the i 8 -- it's however long it takes the electronics to react to 9 the set point having been exceeded for the trip to occur.
10 Generally speaking, we don't expect, based on the slow 11 response of thermohydraulic systems for there not to be a 12 trip when such a thing occurs although it has happened 13 sometimes.
i
\ 14 CHAIRMAN MILLER: If you exceeded the set 15 point by less than the response time of the system you s 16 might not see it. !
I 17 MR. WERMEIL: You might not get the actuation. l 18 There have been, I think, some pressure transients where a l
19 spike, I think, in -- I can't remember the specific plant .
20 or the occurrence, but I remember there was a pressure 21 spike under one set of circumstances where we got a part 22 trip. Some of the electronics did actuate, did detect the 23 spike, but some other parts of the electronics for the 24 same system didn't trip, so you actually had some trip and n
\_/ 25 some not.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D.C. 20005-3701 (202) 234-4433
149 1 MEMBER APOSTOLAKIS: Now in that case would 7s 2 you like to have a trip or not?
'sv )
3 MR. WERMEIL: I think in the case that I'm 4 talking about, I wish I could remember the specifics, it 5 turns out that it didn't matter because the parameter did 6 recover and go back to an acceptable bound, so it wouldn't 7 have mattered that much. The trip of course means you 8 have to recover the plant and take all kinds of action.
9 MR. SCECINA: In that case, yo don't want a 10 trip.
11 MR. WERMEIL: You probably didn't want it in 12 this case.
13 MEMBER APOSTOLAKIS: The point is then it's 14 not always a value for the parameter exceeding the 15 threshold, maybe some measure of how long --
16 MR. LOESER: No, I think you're now getting 17 into a completely different subject. If the specification 18 and the plant is licensed on the basis that if the 19 pressure exceeds 1000 pounds, the plant is to trip, you l 20 expect the plant to trip whenever the pressure exceeds 21 1,000 pounds. If there's a requirement in there that says 22 if it exceeds 1,000 pounds for greater than 5 seconds, 23 that's a different type of requirement. But if you have 24 an absolute number in there, you expect an absciute f.- s\
i
(_/ 25 response. If you don't have an absolute number, then NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHoDE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
150 1 you'd --
2 MEMBER APOSTOLAKIS: That's always the example 3 that people who worry about requirements bring, that the 4 English language or the Greek language or the French 5 language -- !
i 1
6 CHAIRMAN MILLER: Especially Greek. I 7 MEMBER APOSTOLAKIS: Are not so precise and 8 there is an unspoken truth among the experts that when we l
9 mean this exceeds, we don't really mean that it does it in 10 --
11 MR. WERMEIL: But in this case --
12 MEMBER APOSTOLAKIS: but when you' design the j 13 software, you don't have the luxury, because you're 14 dealing with a machine.
15 MR. WERMEIL: That's correct.
16 MEMBER APOSTOLAKIS: You have to tell it what 17 to do. So --
18 MR. LOESER: If B & W had built in a delay of 19 5 seconds, I think I would have objected.
20 MEMBER APOSTOLAKIS: And then I can understand 21 that, but I'm not sure there is this-precision in the 22 regulations that always tells you it has to be exceeding 23 this for so many milliseconds. I don't think so.
24 MR. WERMEIL: Well, remember the premise for 25 the system, though, George, the basic functionality wasn't NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHoDE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
151 l
l 1 changed. Whatever the analysis said for these trip l
- s. 2 functions prior to this design was the same. It was never J
3 changed.
4 MEMBER APOSTOLAKIS: I was speaking in 5 general.
6 MR. WERMEIL: I know you are, in general, but 7 let me be frank with you. With virtually any modification 1
8 we see to an operating plant and we've seen up to this i 1
1 9 point, the functions that are required to be achieved, the !
10 safety functions have not changed. They're doing it l l
11 through digital hardware and software, versus an analog l l
12 string of components, but the actual functions and what l 13 you're trying to achieve are the same as they ever were.
/ 1 I
k '
14 MEMBER APOSTOLAKIS: Let me tell you why I 15 raised that. I was reading a paper last night in 16 preparation for this from 1991 in nuclear safety which is 17 one of the authors is very well known in this field. And !
18 the point that the authors were making -- that's related 19 to the Canadian experience -- is years of experience with 20 documentation written in a broad variety of natural 21 languages have shown natural language to be not for the 22 task of precise requirement specification. For example, 23 shut off the pumps if the water level remains above 100 24 meters for more than 5 seconds. They give four different 25 interpretations of that. The average value for the last NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
152 1 four seconds was greater than 100. The median value was 2 greater. Some deviation and so on and so forth.
3 When experts talk to each other, these things 4 are understood, but when you are actually designing a 5 system that's the point I'm making, these are not 6 understood. Somebody actually has to say, tell the 7 machine this is what you're going to do and their major l
8 argument is that that's where most of the software errors 9 occur because the requirements are not expressed in 10 mathematical form, but they are expressed in English.
11 MR. LOESER: Well, I think that's the l
12 advantage of having a system designed by an organization 13 that deals in nuclear equipment all the time as opposed to 1
O 14 one that is commercially built and just modified or 15 adapted to that use. That's, however, a question of l
16 commercial grade dedication that I'm not prepared today to l
17 talk about. I'm sure, if you wish, someone will speak to 18 you about it, but I'm not the guy.
19 MR. WERMEIL: Yes, I think --
l 20 MEMBER APOSTOLAKIS: Did you check for that?
l 21 When you say you compared the software specifications 22 against the system requirements, were you satisfied that 23 there were no misinterpretations of the system 24 requirements?
25 MR. LOESER: If I did not understand the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4433 l
153 1 system requirement, I asked. I'm certain there were f-~ 2 cases, I couldn't tell you a year and a half later which V 3 ones I asked about.
4 MR. SCECINA: Part of our verification of the 5 software requirements specification had to do with 6 clarity. Each of these requirements were what we called 7 parsed, so that the various points were brought out, the 8 requirements were clear and if they weren't that was a
, 9 discrepancy, one of the discrepancies that turned up on 10 our problems reports that had to get -- so the requirement 11 had to be rewritten.
12 On the point of the response time issue, even 13 with the analog hardware, it was realized at the outset of
'- 14 the design of these analog systems that they required a 15 certain number of milliseconds to respond. Once you hit 16 the set point, so that's all analyzed and our job was \
i 17 simply to make sure that the digital system wasn't any 18 slower.
19 MEMBER APOSTOLAKIS: I think what it comes 20 down to is it's not by using more formal approaches you 21 solve the problem or by not using them you're really in 22 the dark. You're doing a lot of this by going through the 23 reviews as specified in the BTP and what you've done.
24 There's no question about it.
/
(_,\/ 25 I guess something more formal gives you this NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
_ _ . _ . _ ._. _ __ .. _ .. _ _ .. . . _ . _ _ _..... _ _ . _ _ m ._________._m j 154 1 warm feeling that maybe things are'under control, that we s 2 don't depend so much on the reviewer and that some
{ 3 reproduceability there is maintained and so on. We can I f 4 argue forever, you can say I did this, yeah, because I l
1 5 knew it. But we have to look at it that way and the same I i :
{ 6 argument was going back and forth in the '70s how useful
! l l 7 PRA is, the traditional safety guides, but we found all l t
} 8 these things and why the heck do you do PRA? ,
l 9 So unless we approach these things from that i
10 point of view, we can argue forever. It's not that you 11 guys will not find things by following the BTP or using 12 your experience and judgment. The question is that all 13 that you rely on, do you want to have more formal 14 guidelines? Do you want to -- don't forget, we are 15 talking about highly reliable systems. I mean it's not 16 that you will open a book and immediately start 17 identifying errors, because the people who developed it 18 were not stupid. I mean they knew what they were doing.
19 So I think that's really the right perspective 20 to approach this. It's not oh, if you don't do this, boy, 21 the thing is wrong. Of course not. of course it's not 22 wrong. The people who look at it and develop it, 23 experienced people -- I think it's important to --
24 MR. WERMEIL: Can I make a point, George? I
]
25 think and my staff can correct me if I'm wrong, we do --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
155 1 let's hope they do, I think the very fact that we're rx 2 calling for what we call this in BTP 14, this software w] 3 life cycle which calls for these plans and the 4 implementation guidance and the traceability of one 5 document to another for the functions and for the testing 6 and the V & V, in my mind is a level of formalism. It is 7 not a mathematical proof as would be maybe called for by 8 Dr. Parness in a verification of the --
9 MEMBER APOSTOLAKIS: It's a matter of degree 10 how far do you want to go?
11 MR. WERMEIL: Exactly. There are a number of 12 -- again my staff can correct me if I'm wrong, there are a 13 number of software manufacturers who will argue that what
/,,T I
\ '/ 14 is advocated by formal methods not only isn't appropriate, 15 but it's a waste of time because there are other ways at 16 achieving formal verification of the requirements to the 17 code to the testing that are equally as good or better and l l
18 they'll swear by that.
19 MEMBER APOSTOLAKIS: First of all, he is not 20 advocating formal methods. He is advocating --
21 MR. WERMEIL: He's advocating mathematical 22 proof.
23 MEMBER APOSTOLAKIS: Which is a big difference 24 because the proof is the controversial part.
g k_- 25 MR. WERMEIL: Okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
156 1 MR. GALLAGHER: I'd just like to add one 2 thing. You know when we did RESAR 4.14, when I worked for f-ul 3 Westinghouse, this was one of the major issues on how did 4 you deal with this. We had a timing budget which we 5 showed and how we met this for each one of the functions, 6 but one of the major things that would have made it very 7 difficult to use, approach advocated by some people is 8 that we had an asynchronous system, so we were scanning 9 things through four channels at different times and always 10 matched up, so we had to be sure that we held things long 11 enough to take care of that and to write that in ,
l 12 somebody's tabular format is not that easy.
,,s 13 MEMBER APOSTOLAKIS: But you -- I would be 14 much happier though if I saw in these documents these 15 insights.
16 MR. GALLAGHER: They were there.
17 MEMBER APOSTOLAKIS: When you retire, will 18 they still be there?
19 MR. GALLAGHER: I'm never going to retire.
20 (Laughter.)
21 MEMBER APOSTOLAKIS: We are very close to 22 lunch time, aren't we?
23 CHAIRMAN MILLER: Yes, we --
24 MEMBER APOSTOLAKIS: I'm ready to go to lunch.
25 MR. WERMEIL: You're basically done. You've NEA,L R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
WASHINGTON D C. 20005-3701 (202) 234-4433 l (202) 234-4433 l
1
157 1 already talked about diversity. l l
2 MR. LOESER: Yes, I've talked about the l fS O 3 diversity and we basically just concluded that the 4 hardware met the IEEE 279. The software met the quality 5 *equirements in Reg Guide 1.152 and that there was 6 adequate diversity between the two microprocessors per 7 channel. WE concluded that this was an acceptable system 8 if used within the usage requirements that were listed.
9 Incidentally, I think virtually everyone of f 1
10 those prerequisites came from B & W and not from the I l
l 11 staff. They thought of them first. If they hadn't I
12 included it, we probably would have put in something to 13 that effect, but they did include it.
/,,,\
14 MR. QUINN: I have a question on the turnover 15 to the licensee. When this system went to Oconee, you say k
16 we take this premise that this is the best design system )
17 in the world and it meets all the requirements at time 18 zero. After we turn over, there's a licensee there that I
19 has hard prommed memory and may need to make a change.
20 These are two separate now designs. I would have a 21 concern, do they have the sufficient staff and ability to 22 make a change? Did they turnover the source code to --
23 MR. LOESER: I believe the agreement is that 24 Framatone now retains this. They make all the changes to
(,/) 25 the proms. They do the board repair. Oconee does not try NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
158 i 1 to fix software problems. They report them to Framatone l l
2 and Framatone makes the changes.
- O 3 MR. QUINN
- Okay, then that's a moot point.
4 Now --
5 MR. LOESER: I think this is built into the 6 licensing agreement that Framatone is intending for 7 anybody else who buys the system also. I'm putting words j 8 in their mouths right now, but I don't believe that they l
9 are prepared to turn this over, configuration management i
10 and all that, over to the licensees.
! 11 MR. SCECINA: Well, especially if the utility 12 uses the approved topical report as their licensing basis, 13 that approves our software development process.
14 MR. LOESER: Yes, i
15 MR. SCECINA: It doesn't approve theirs so 16 that behooves them to have us do the software and also the 17 software configuration management.
I 18 MR. QUINN: So the potential-that a licensee i
19 would deviate from that and take over responsibility, take 20 the code and have actual changes made and do the V & V 21 themselves, that would require a separate submittal to the j l
22 NRC? j 23 MR. SCECINA: Yes.
24 MR. QUINN: Then that's good, i
25 MEMBER APOSTOLAKIS: So we can talk about it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
7..
159 i
j 1 again. [
- 2 CHAIRMAN MILLER
- A question on the e i
! 3 prerequisites, just one getting back to the EMI/RFI. It ,
i 4 says that basically one of the prerequisites is
) 5 fundamentally you have to meet the EPRI guideline. ;
4 i 6 MR. LOESER: I believe it says you have to I
j 7 either meet B& W guidelines. At that time when this d
3 8 report came out, I don't believe the EPRI guidelines were i
9 out, but we knew that they were coming. So I tried to put i 10 something in there that would allow that for a future i
11 time, but I believe what I said was that they had to show l 12 that their plan enveloped or was enveloped by the B & W 1
1 13 standards.
!O
- 14 CHAIRMAN MILLER
- Analytical method using 1 l j 15 comparisons to date are obtained from tests of i
j 16 installations.
j 17 MR. LOESER: Which page are you on?
0 18 CHAIRMAN MILLER: I'm on page 48. Item 5. If 19 I interpret what that means --
20 MR. LOESER: Analytic methods using 21 comparisons to date arc obtained from other test, tests of 22 other installations such as documented in the EPRI report 23 may be used in lieu of testing provided that adequate 24 similarity can be established between the proposed 25 installation. This is for determining what the worse case NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 - WASHINGTON, D.C. 20005-3701 (202) 234-4433
160 1 levels are. If -- just as in using the EPRI report fw g 2 itself, they can't just assume their plant will fall V 3 within those guidelines. They have to go to some 4 conscious effort to show that the plant falls within the 5 guidelines, either with similarity of equipment, by 6 analysis, by I'm sure some means that I haven't even 7 thought of yet, to show that it's applicable. All I said 8 here is that if they are using the EPRI report for maximum 9 EMI levels, just like when applying the EPRI standards, 10 when applying the B & W standards, they have to show it 11 applies.
12 CHAIRMAN MILLER: So you're saying this can be 13 installed in a plant if it meets the EPRI guidelines?
[b"' 14 MR. LOESER: Yes.
15 CHAIRMAN MILLER: Even though the guidance you 16 used you felt superseded the EPRI guidelines?
17 MR. LOESER: I feel that the testing levels 18 that were done by B & W exceeded the requirements that are 19 in the EPRI guidelines, so inherently anything that meets 20 the EPRI guidelines will also meet the B & W requirements.
21 CHAIRMAN MILLER: Okay.
22 MR. QUINN: Did the tech. specs for oconee 23 change at all?
24 MR. LOESER: No.
/~N \
t
(_) 25 MR. QUINN: None?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234 4433 WASHINGTON, D C. 20005-3701 (202) 234 4433 l
161 1 MR. LOESER: If they tech. specs had changed, 2 they would have had to make a submittal.
3 MR. QUINN: Yeah, I know. That's what I'm 4 wondering, if they had. So did -- so no set points 5 changed as a result of implementing this?
6 MR. LOESER: I understand informally that they 7 had considered that, that this allowed them because of !
8 precision, they might have gained a pound or two one way l 9 or the other, an inch or two, but they decided 10 deliberately not to do that so they didn't have to make a 11 tech. spec change and as such didn't have to make a 12 submittal.
13 CHAIRMAN MILLER: We have a call for lunch by O 14 one of our members. The rest of us would go along with 15 that call. I would say we break for lunch and return at -
16 - scheduled to return -- let's say we'll return at 1:30.
17 (Whereupon, at 12:35 p.m., the meeting was 18 recessed, to reconvene at 1:30 p.m., Tuesday, October 8, 19 1996.)
l 20 21 22 23 1
24 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
- . - _ ~ - - . - . . - . . . ~ - . ~ _ - - - . - - - - . . . - _ . . . - . - . - . - . _ - _ - -
I 162 1 A-F-T-E-R-N-O-O-N S-E-S-S-I-O-N l
2 (1:40 p.m.-)
3 CHAIRMAN MILLER: We're going to reconvene.
! 4 And we'll have to change gears here significantly. We're i
! 5 going to go from software based digital systems to I
! 6 worrying about lightning. And I'd just make a quick I
t
! 7 comment, and then I'll turn it over to the staff.
i i
! 8 In reviewing past history, it looks like this I
9 has been a history of many starts but no completions in 10 this area. I'm not certain we need a completion, but 11 that's part of what we're going to do today. But I looked +
12 back at a reg. guide'that started 1978, I believe, and 13 there's reason -- the ACRS actually had a report on '81 on 0, 14 that, and it very clearly said it was not needed.
15 And there's another one started since then and 16 so forth. So, with that background, I'll see what we're 17 doing right now on lightning since it did come up as an 18 issue based on a research -- and a paper published 19 recently. These were done at Brookhaven indicating the 20 lightning has been a stressor on digital systems, at least 21 based on that report.
22 With that, I'll turn it over first to Larry l 23 Shao who is going to introduce things and get things i 24 started, and that's when you'll turn it over to your 25 staff.
NEAL. R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON. D.C. 20005-3701 (202) 2344433
163 '
1 MR. SHAO: My name is Larry Shao. I'm the l
2 Director of Division of Engineering & Technology, Office 3 of Research. As you say, this reg. guide been started and j 4 stopped a couple of times in my lab. And today, we're 1 i
5 going to talk to you about our proposed program on this 6 area is lightning protection at a nuclear power plant.
7 And the plant will be presented by Satish 8 Aggarwal sitting right here. And hopefully we'11 start 9 this time and finish.
10 CHAIRMAN MILLER: Okay.
11 MR. AGGARWAL: Good afternoon. Mr. Chairman, 12 before I start discussing about our plants, the regulatory 13 background, let me try to put the proper format to the O 14 issue of lightning. At any time, there are 2,000 1
15 thunderstorms that are going around the world creating i
16 approximately 100 lightning strikes every second.
17 In United States alone, lightning causes the 18 majority of forest fires and over $2 billion dollars in 19 property losses, 100-200 deaths per year. Lightning, as 20 you know, is essentially an electric discharge of very 21 large magnitude that can accompany upsets such as storms, 22 eruption, and even small nuclear explosions. Electrical 23 current range up to 2,000 amps -- amperages to 30,000 24 Kelvin and can travel at 35,200 meter per second.
25 Damage from lightning strike can be observed NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
164 1 from direct hit or from secondary effects such as fires,
,r - 2 electrical ground falls, and power losses. In the United (m-3 States, as I recall, looking at the history, the second 4 and the third quarters of the year usually have the most 5 lightning activities.
6 Centers of the thunderstorm activity shift 7 from one area to the other in the country. About half of 8 these storms for the entire year takes place during the 9 month of June, July and August. The point I am making 10 there is that lightning protection in absolute sense is 11 essentially impossible.
12 Lightning can overcome any defense man can 13 conceive. Thus, a mitigation approach to lightning safety 7_
(\ ') 14 is a prudent call for action. Proper lightning protection 15 design should accept a strike inevitable, should provide a i 16 control path for the current to follow, and should 17 minimize the development of hazard potential difference.
18 With this, I would like to go back to the 19 history which you started. It is true that the staff 20 then, if I recall, sometime in 1978 wrote a draft reg.
21 guide on lightning.
22 CHAIRMAN MILLER: Can I ask one question --
23 MR. AGGARWAL: Yes, sir.
24 CHAIRMAN MILLER: on your history I found very
(
'xs/ 25 interesting? Is it true that the United States maybe has NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
165 1 a more intense lightning pattern than would many parts of p 2 the world? Is that fact or not a fact, or is it fairly
(_ l 3 evenly distributed?
4 MR. AGGARWAL: I think it is comparable. I 5 know many countries like Japan -- as a matter of fact, 6 Charlie Wylie asked me that we should look into what 7 precautions they are taking and what they are doing. So, 8 that is another country comes to mind where there are more 9 strikes.
10 CHAIRMAN MILLER: I was recently in France, 11 and I asked about their lightning; and they said gee, we 12 don't have it. They said the United States has much more 13 then we have.
\
I
~
'") 14 MR. AGGARWAL: They must be worshipping a god 15 which is not here. But I can only think of Japan, you 16 know.
17 CHAIRMAN MILLER: Of course, I was in southern 18 California and they said the same thing, -- (laughter) --
19 so it must be Ohio and Washington, D.C. and the Florida 20 Keys. But there are definitely patterns where it's far 21 more intense than any other places in the world?
22 MR. AGGARWAL: That's correct.
23 CHAIRMAN MILLER: So it's not a random 24 situation?
A 25 MR. AGGARWAL: Right. And it cannot even be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
.-_m. _ _ . - . _ _ _ . . _ _ _ . _ _ _ _ . _ _ _ . _ _ _ _ . . _ _ _ _ _ _ _
1
- 166 1 explained. I mean, people has some ideas and some places l
l 2 I know tney worship certain kind of gods to keep lightning i
! 3 away. That's neither here or there. So the reg. guide i 4 came before ACRS in 1981 after public comment. And as you j 5 know, at that time, it was concluded that the guide was ,
, I l 6 not needed. I j l 7 Later on, which was late in 90's -- late 80's I
s
] 8 and early 90's, a petitioner filed a petition with the
! l 2 9 Commission for the rule making. And particularly asked I 10 that the staff should proceed with the rule making in the 2
11 area of lightning protection. The staff made a i 12 presentation to ACRS and submitted that rule making is not i
13 required at this time; however, we will consider l
O 14 developing a regulatory guide.
f 15 Essentially, what the staff said at that time I l 16 to ACRS was as follows: the consequences of lightning and 3
17 other electrical transients are known and adequately dealt l 18 with in the design of nuclear power plants. Licensing l 19 review in conformance to GDC 2 and GDC 4 includes 20 consideration of protective measures against the
]
i 21 consequences of lightning strikes.
i j 22 The staff's view was based on industry 1
j 23 standards and practices, performance of components in i
- 24 electromagnetic environments, and quality case and 25 testing. The staff also stated that we have provided j NEAL R. GROSS l COURT REPORTERS AND TRANSCRIBERS l I 1323 RHODE ISLAND AVE., N.W.
] (202) 234-4433 WASHINGTON. D C. 20005-3701 (202) 234-4433
-u.- , , . - - -, c,..- . .. , ,-,m--
167 1 guidance to the plants with the history of lightning 73 2 strikes to include events in their IPE's.
i i V
3 Digital components are to be qualified against 4 electrical transients. Advance plant designs are being 5 evaluated against the EPRI requirement for lightning and 6 electrical transient protection. ;
7 CHAIRMAN MILLER: Excuse me. I may have to 8 leave for a couple of minutes, so I'm going to turn over 9 the Chairmanship ;o -- John, you're the closest one --
10 okay, John Barton. .
11 [ Chairman Barton presiding.)
12 MR. AGGARWAL: You're planning to come back,
,_ 13 right? ACRS essentially agreed with the staff's
- ~'} conclusion that the current plants were particularly 14 15 protected at this time and that the rule making is not 16 needed, as I stated earlier. ACRS also noted that the 17 staff was reconsidering developing a reg. guide on 18 lightning protection, and that we should consider 19 endorsing industry standards to the extent practical.
20 These findings were reported by the ACRS to 21 Chairman Selin in their letter dated December 17, 1992.
22 As this issue resurfaced, the staff started thinking as to 23 what are the technical issues which we want to look at it.
24 The first question came to mind. What are the industry
(
\_-) 25 practices for lightning protection and mitigation at NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W (202) 23M433 WASHINGTON, D C. 20005-3701 (202) 234-4433
168 -
l 1 nuclear power plants?
2 What design considerations are given? What 3 about grounding and shielding are the most effective? And 1 4 then the application and effectiveness of surge arrestor ,
5 to protect system structures and component against the i 6 adverse effect of the electrical transient. 4 1
7 I do not believe the staff is going to come 8 out and recommend in this reg. guide a particular type or 9 matter of protection of grounding system. But certainly ]
10 we would like to establish the criteria. That's what we 11 are looking at at this time.
12 We want to visit and see what had been the 13 industry's experience with regard to the lightning ;
I O- 14 strikes, if they're direct or indirect. We want to look 15 at the propagation of electrical transient affecting plant 16 systems, the structures and components; what is known 17 about the characteristic lightning transient, whether 18 they're conducted or radiated; what lesson has been 19 learned and generic corrective action taken in response to 20 lightning which failures have taken place in different 21 nuclear power plants over last ten or 20 years.
22 We would like to answer with it and look at i
23 the codes and industry standards and criteria which are 24 used for protection against lightni- at a nuclear power 1
m 25 plant. And Mr. Chairman, at this time, I might like to NEAL R. GROSS '
COURT REPORTERS AND TRANSCRIBERS I
1323 RHODE ISLAND AVE., N.W.
(202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234-4433
169 i
1 point out that I took the liberty of inviting the Vice {
l fs 2 Chair of IEEE Nuclear Power Engineering Committee to )
{ l 3 participate in this meeting.
1 4 With your permission, later on in my l 5 presentation, I would like to recognize him and he would 6 like to discuss his perspectives in terms of the industry 7 standards and what they propose to do. From NRC point of 1
8 view, we have read this issue before IEEE Nuclear Power 9 Engineering Committee, and they will be meeting at Anaheim l 10 in November of this year, and we want to bring that issue 11 before them for a technical discussion.
12 Because, particularly in the nuclear area,
- 13 many of the requirements are implicit and we are looking
'# 14 for something explicit. I also briefly discussed and l l
15 talked about digital I&C systems against lightning 16 transient. We are fully aware that ACRS is concerned 17 about it. We do not know enough about it at this time to 18 answer any of the questions on the issue, but we certainly l
19 will look into.
l 20 And when we get back with the reg. guide, l 21 hopefully we'll answer your questions. We would also like 22 to look at the current industry practices to guard against 23 fire and loss of fire protection due to lightning. These 24 are essentially the six regulatory areas of the issues
/ \
'( /_
4 25 which we'd like to seek answers to in developing a reg.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
170 1 guide.
73 2 Now, let me try to give you the framework and
( )
3 to tell you what ue do have in the regulation now, because i 4 we have been licensing plants for some time, and visit 5 some of those requirements and see where we stand.
1 6 If you recall, general design criteria two is j 7 basically designed basically for protection against J
8 natural phenomena. And of course, it requires j 9 consideration of more serious natural phenomena, and J 10 lightning is one of them. We are concerned about the ;
11 frequency of thunderstorms, and of c 2rse the severity.
12 And as I discussed earlier, problems with l 13 lightning in the United States, it is a matter of concern.
h) 14 GDC 2 also required protection measures for preventing 15 adverse effects of ligntning implicitly. GDC 3 is 16 basically on fire protection, but we all know one of the 17 hazards posed by lightning is fire.
18 And under the Standard Review Plan,Section I'
9 9.5.1.c.1.c.4, July 1981, it states in part "The effects 20 on lightning strikes should be included in the overall 21 plan fire protection program." Further, SRP Section 9.5.1 22 references an industry standard, NFPA 802-1974 which 23 states " Lightening protection should be in accord with 24 NFPA standard 78-1968, lightning protection code."
/~T k-) 25 IEEE standard 142-72, which addresses NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 2344433
171 ;
1 lightning protection of a power station and substation f
^
2 references to the industry standards, namely NFPA 78-68.
3 A requirement-for lightning protection of structures were l 4 not explicitly called out because what we staff -- or we 5 in the staff believed that there were basic industry wide 6 practices and generally accepted design practice and basic 7 design principle for protection of electrical power 8 control and instrumentation system from the effect of i t
9 lightning include consideration for.hi 9n voltage spikes, t
10 direct hit, and also the high frequency electrical .
11 transient propagating into the plant from the transmission 12 line of the switchyard, electrical distribution system, 13 and I&C systems.
14 And finally, we want to look into the issue of 15 the ground -- potential issue in terms of the induced 1
16 voltages from both capacitive and electromagnetic !
17 couplings affecting transformers and system performance.
18 Regardless of whether the mechanism is GPR, EMI, or e.
19 combination of any other mechanism, I believe protection 20 of I&C from such effect implicitly covered by GDC 21, 22 21 and 23.
22 Effect of GPR and EMI are mitigated by design 23 features such as surge protectors, insulation 24 coordination, and key words, grounding and shielding.
25 MR. QUINN: Can I ask you a question?
NEAL R. GROSS !
COURT REPORTERS AND TRANSCRIBERS l 1323 RHODE ISLAND AVE., N W. 1 (202) 234 4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
172 1 MR. AGGARWAL: Yes, sir; any time.
gS 2 MR. QUINN: In your description there, it said
]
3 the protection is provided. We have -- in one of our 4 handouts that we were provided, it lists 29 LER's that 5 were submitted between '84, I think, and '94 that address 6 lightning hits on nuclear plants that resulted in most 7 cases in a plant trip.
8 My question is, what kind of protection are we 9 looking for? In some of these cases, we ended in plant 10 damage of their RTD cables and -- and in my area, 11 specifically instrumentation. But what kind of protection 12 are we looking for? Are we looking for protection that 13 says it's okay for the plant to trip and it's not damaged; C).
\
N- 14 or are we looking for protection that we expect no damage
'. Co the instrumentation and control?
16 What guidance -- or you're going to be writing 17 a reg. guide, right? Is that correct?
18 MR AGGARWAL: That's right.
19 MR. QUINN: Are you going to -- is your 20 acceptance criteria as we start out saying I don't want 21 the plant to trip? Or is it okay for the plant to trip; I 22 just don't want to have any damage to any safety related 23 equipment or functions that need to get performed.
24 MR. AGGARWAL: If I may, I want to address O(_/ 25 that issue. I want to talk to you about LER's and as to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W. :
WASHINGTON, D C. 20005-3701 (202) 2344433 j (202) 234 4433 i
- . . . - . - - - - . _ . - - - - . . . . . - . . - . _ ~ . - - . _ . . . - - . -
j 173 j 1 what were my findings, and then I.will tell you my view at
] 2 this time, you know, how to -- what we were looking at in !
4
- 3 developing the reg. guide, if you will permit me in a l
i i 4 couple of minutes. Thanks.
j 5 We looked at GDC 17 which provides the design l 6 basis for electrical power systems, namely the on site l i
j 7 electric power system, as well as the off site electric 8 power system. Lightning is one of the several causes of 3 !
9 the lose of off site power, and we have seen that in l
10 several LER's that indeed there was a loss of off site .
k 11 power.
! 12 Prevention of such events is implicit in GDC i
! 13 17. We also have a Reg. Guide 1.32 which provides >
O 14 guidance for licensees for complying with GDC 17 and which i
i 15 endorses IEEE Standard 308-71, which again identifies i
[ 16 lightning as a design basis event. I looked at also our i
j 17 inspection manual, and we noticed that the 93807 indeed i
18 requires that system based instrumentation and control 19 inspection discusses the effect of lightning induced i
1 j 20 surges on instrumentation and control system.
d i 21 We also noted that there were some fire I
i 22 related documents, namely Generic Letter 86-10 where the
! 23 effect of lightning strikes should be included in the fire i
l 24 protection program. Again, the Inspection Manual 88055 on 25 fire protection, which requires provision should be made !
4 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
! (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
1 174 i l
1 for lightning protection. I l
2 Also, SRP 9.5.1 requires effects of the I r-g N,.
3 lightning should be included in the overall plan -- fire 4 protection program.
5 What are the objectives of developing a reg.
6 guide? And here, I briefly will try to answer your 7 question. At this time, the way I see it, we have three ;
1 8 objectives that we want to provide guidance for lightning i l
9 protection for all plant structures and components, 1 10 including the switchyard, l
11 We will attempt to endorse industry standards I 12 as appropriate, and we would like to provide application l
13 of these standards in terms of ground grid resistance,
\- 14 overhead group wire shielding, lightning arrestor. In i 15 anticipation of a question by this committee, I took the 1G liberty of going back and looking at LER's. And Ted, you 17 are right.
18 We went for about ten to 16 years and we found 19 there were large number of LER's, okay? We did not have 20 enough time to review each and every LER at this time, but l 21 we certainly intend to review all the LER's as we develop l
22 that guide. We vant to find out -- we'll attempt to find l 23 out what were the root causes, what really happened.
24 It is the I&C equipment which is affected, or
(_) 25 is it the structure in the switchyard that is affected?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
175 1 And once we have some kind of understanding of what is 2 happening in the plants, and of course we will try to seek e')
LJ 3 ways how to protect. From my professional point of view, 4 sure, we'd like to see the digital I&C equipment doesn't 5 fail, period. l 6 It should be protected against lightning )
7 effects, whether they're direct or indirect. It doesn't l
8 matter. And of course, if the system fails, then it is j 9 all right for the reactor to trip as well. Because the 10 position we are taking, protection in such place -- and if 11 you heard me earlier, that pr-% ably we will never be able l
12 to find a cure for lightning protection problem.
13 So this is the approach we intend to take at
/~T ,
\"# 14 this time, and I wish -- I cannot tell you anything more 1
15 because we have lot of work to do in this area. Just two 16 weeks ago, maybe four, when my request came in that the 17 committee would like to speak to you on this, we started 18 looking into this thing.
19 I know we have a lot of work ahead. These l 20 are the copies of the LER's which are over last ten years.
21 We know we have some work to do.
22 [ Chairman Miller presiding.]
23 MR. QUINN: You may not have seen the list 24 that we were provided, and I'm sure there's a list -- it's A
- 25 a summary of 29 LER's. In just about every case, it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
176 1 resulted in a plant trip. I guess I'd go back tot he fs 2 Chairman here. It would be great if a design of a digital 3 system precluded a plant trip.
4 But it appears to me that, based on the last 5 ten years, it's been acceptable to us -- in analog system, 6 it gets hit by lightning and trips. Okay, the fundamental 7 requirement is that the safety system's integrity isn't 8 compromised so they can perform whatever safety functions 9 they need to to mitigate any and all occurrences.
10 That's the fundamental requirement. The trip 11 is -- whether it trips or not, it would be great -- it 12 would save a lot of money if it didn't trip, but that's 13 not a requirement. Do you --
14 CHAIRMAN MILLER: I see where you're coming 15 from, the viewpoint that all of the LER's did not result 16 in a threat to the safety system. That's true. So then 17 are you questioning the need then for a reg. guide or --
18 MR. QUINN: No, I'm just saying -- I guess I 19 was going back to where George was this morning. What is 20 the acceptance criteria that we're going to be looking for 21 in the reg. guide? And I think -- I believe the answer's 22 going to be that the safety system's not compromised.
23 It's not going to be that the plant won't trip.
24 MR. AGGARWAL: That is correct. I mean, this D
(_) 25 is the way, you know, the initial thinking. Again, we NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
177 1 have to have consistent code to the process. But this is 2 the way I see it now. Have I answered your question now?
3 CHAIRMAN MILLER: Yes.
4 MR. AGGARWAL: Thanks.
5 CHAIRMAN MILLER: I should have made one other i
6 comment. It's unfortunate Mr. Wylie wasn't able to 7 attend, because he has long experience and interest in 8 lightning and the protection from that. It would be 9 interesting to see whether the plants he worked on some 10 years ago had fewer LER's.
11 But he definitely had a design -- he 12 definitely has a design philosophy that he believes would 13 reduce the -- or mitigate the problems with lightning. As ,
O 14 we pointed out early on, you can't totally protect f
15 yourself from it.
16 MR. AGGARWAL: Yeah, I did have the benefit of 17 having discussions with Charlie Wylie on his last day of 18 retirement. And we had a long discussion, and he told me 19 his point of view. And he was quite interested to see 20 what other countries are doing. So, I can assure you that 21 we will be in touch with him and seek his advice if 22 necessary.
l 23 Something else come to -- the question of LER 24 comes to my mind that 145 LER's which involved I&C, it is 25 true to surmise they did not compromise safety systems.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
178 1 CHAIRMAN MILLER: So in a way, based on 145 2 LER's, we've not compromised safety?
3 MR. AGGARWAL: But still, I would like to see 4 some protection in the plant. And we'll hear something 5 from -- of our friend in IEEE. Dr. Miller, you were not 6 here. For your benefit, I would liked to point out that I f 7 took the liberty of inviting Wes Bowers who is the Vice 8 Chair of the Nuclear Power Engineering Committee of IEEE 9 -- he will be the chairman next year -- to discuss his 10 point of view and probably some advice. l 11 And also, I pointed out earlier that NPEC in 12 meeting in Anaheim last month, and we want to bring that 13 issue for discussion at the meeting. I also have Alex O 14 Marion here from NEI. And if he will prefer to say a few 15 words, I mean, we will be happy to recognize him as well.
16 Of course, with your permission. So let me -- ,
17 MEMBER APOSTOLAKIS: I have a question.
18 MR. AGGARWAL: Yes, sir.
19 MEMBER APOSTOLAKIS: What you described sounds 20 like a research effort. You start with the technical 21 issues and what the current regulations do. And I find 22 that a little bit at odds with the findings on your slide 23 three that the ACRS agreed with the staff's conclusion 24 that current plans are adequately protected.
25 I mean, there must have been a basis for that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
l 179 1 conclusion and recommendation at that time, so why -- I 2 mean, I can understand why you want to go back and look at
\_/
3 the LER's, because perhaps at that time the staff and the 4 ACRS did not have the benefit of that. But the rest of it 5 though, I mean, I would suspect that in 1992 when the 6 staff and the ACRS said these things, they had reviewed 7 these things.
8 I mean, this sounds like as if you were 9 starting from scratch, and I'm sure that's not the case.
10 Shouldn't most of your effort be on the analysis of the 11 LER's and the lessons -- messages that we get from those? l 12 MR. AGGARWAL: Sure. George, you know, that
~ 13 was in 1992, and there's no question that the ACRS made
14 those recommendations. I have a copy of the letter dated l
l 15 December 1972 to the chairman. I cannot really speak as j l
16 to the engineer involved, as to what he looked at it. He l 17 is no longer with us.
18 He was smart. He took a law degree and he 19 said bye bye to NRC, so he's no longer here. But yeah, in 20 order to develop a reg. guide, I think it is our 21 obligation to go back and try to find what the root causes 22 were, why those incidents took place, and what can we do 23 in order to protect against them.
24 So, we are not trying to reinvent the wheel,
( ~\
(_ / 25 but we're simply going to look at what effective measures NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
180 1 we can implement or come out with or criteria we can eN 2 provide to protect against lightning.
! 1 G'
3 MEMBER APOSTOLAKIS: But what is it that's 4 triggering this effort? I mean, are we unhappy now that -
5 -
6 MR. AGGARWAL: Okay, that is the question.
7 Well, from my point of view, the less I know, the better 8 off I am. Because in the years, I have to learn to work 9 more with less. So, we did not invent this. What 10 happened was that initially the Office of NRR sent us a 11 request basically to develop that guide. And that was the 12 outcome of the petition which was filed with the
_ 13 Commission asking that the Commission proceed with the N
/ 14 rule making.
15 CHAIRMAN MILLER: That's the reg. guide in 16 '92, right?
17 MR. AGGARWAL: That's right. And this is the 18 -- the staff at that time recommended that the staff 19 should proceed with the development of a reg. guide.
20 MEMBER APOSTO' ^"IS : And why is that effort 21 starting now, or is it --
22 CHAIRMAN MILLER: The question George is 23 asking is why did it restart at this time and -- I think I 24 understand.
O (s/ 25 MR. AGGARWAL: My answer I think -- I thought NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D.C. 20005-3701 (202) 234-4433 l
i 181 1 I gave. We have learned to do more with less. It's just i
i 2 a problem -- we didn't have enough man power to look into i
) 3 it. And as a matter of fact, the director of NRR has i
4 4 identified the six regulatory guides which requires, you 4
l 5 know, consideration. And four of them, we have already l
l 6 completed, which you are aware.
l 7 Two more we want to work on and we will, you ,
i
! 8 know, work on this type. I see Mike wanted to add 1
j 9 something.
l l 10 MR. MAYFIELD: Well -- this is Mike Mayfield 11 from the staff. I just wanted to make the point that this 12 thing was prioritized early on, and it drew a medium
- 13 priority. And it's now coming up in the scheme of the 1
j 14 activities we have ongoing. So, there's nothing unique i
15 about it coming up at this -- well, coming --Satish's 16 activities coming up at this time.
l 17 It's just where it fell in the grand scheme of 1
18 getting these things done given the priority that they 19 were assigned.
20 MEMBER APOSTOLAKI3: It's not doing more with 21 less. It's doing more later.
22 CHAIRMLN MILLER: Well, and I think -- well, 23 you can only do so much.
24 MEMBER APOSTOLAKIS: I take it back.
25 CHAIRMAN MILLER: The ACRS -- I don't know if NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
182 1 ACRS had any influence on it,'but Charlie Wylie, who of 2 course had been on the committee for many years, has been 3 interested in this being a little higher than a medium 4 priority. And I'd be interested to see Charlie's view on 5 what happened in '92, why at that time a decision was not 6 to go ahead with it.
7 MEMBER APOSTOLAKIS: Well, it's a different 8 committee now.
9 CHAIRMAN MILLER: And of course, a 10 dramatically different committee now. And there was a 11 study, as I alluded to earlier, by research which was 12 chaired out by Brookhaven which indicated that with 13 digital systems, it might be more of a program than it 14 would have been with analog.
15 MR. QUINN: Is this the study that's attached -
16 to our --
17 CHAIRMAN MILLER: That's the report.
18 Actually, there's a paper published at Penn State that we 19 based on that report.
20 MR. QUINN: Maybe it's my fault, but in the l
21 BNL report, there is an appendix that lists lightning --
22 29 lightning LER's. Much smaller, I think, than the 23 research you've done. It doesn't give a summary, that I 24 would find, of the impact of lightning at all as an 25 environmental stressor.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W. i (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
_. . . _ _ . _ . ~ . _ _ _ . . _ _ - . _ _ _ . . . _ . _ _ . _ . _ _ _ _ _ _ _ _ . . _ _ _ _ .
183 1 I couldn't fine one in here in the report. It 2 just included an appendix of lightning issues. In our 3 agenda that we were sent out, it has a statement in this l 4 part of-the -- "The staff will also present a study l 5 completed by the BNL on risk based environmental 1
6 stressors." I don't see any slides addressing --
7 MR. AGGARWAL: The staff intend to address 8 that.
9 MR. QUINN: Okay, sorry.
10 MR. AGGARWAL: Yeah, the staff does intend to 11 address that issue. But you are right in the observation 12 that was not the principal objective of that study.
13 MR. QUINN: That was not? Okay.
O 14 MR. AGGARWAL: Right. Frank is here who will [
15 address that issue immediately after my presentation.
16 MR. QUINN: One more. You're electrical i
17 branch? ;
18 MR. AGGARWAL: Yeah, electrical. l
)
19 MR. QUINN: Okay, I'll express a preference 20 just for I&C. But I see these 29 LER's or -- there's a 21 big impact on the I&C systems, in my systems. And they've 22 tripped a plant, they caused some issues, one of which 23 that's pretty big concern -- there was one in 1988 that 24 said "In addition, unit two lost RVLS and its computer 25 memory."
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
1 184 1 I'm hoping that in the evaluations that are 73 2 performed maybe in the Brookhaven, we're looking very (a) 3 carefully at the impact on a digital system of memory 4 capacity. And is that looked at?
5 MR. AGGARWAL: I don't believe so. But again, 6 we plan to look at it and see what we can do in terms of 7 the criteria.
8 MR. QUINN: Well, maybe I should -- if you're 9 electrical, are you going to have I&C support you on this )
10 or how does that work?
11 MR. AGGARWAL: Let me make one point clear per 12 se. In our Office of Research, we have electrical, i
I 13 mechanical,and materials engineering branch, which I
/_x k~/ 14 belong to. The software area has to do with Frank in the 15 other division. However, with the issue of the hardware, 16 the regular guide was prepared by other division, which is 17 headed by Larry Shao.
18 And with regard to the coordination of goals, j 19 we talk to each other not only here, but we consult NRR's 20 staff too in developing this guide.
21 MR. QUINN: So there will be a sum scope 22 impact where they can expend hours and they can do some 23 work to support you in developing this reg. guide?
24 MR. AGGARWAL: Right, that is correct. We
/~N always work together, or at least attempt to work.
(_)i 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
185 1 CHAIRMAN MILLER: Should we now proceed ahead 2 with --
YJ 3 MR. AGGARWAL: Yeah, I just wanted to take one 4 minute and then, with your permission, I would like to 5 recognize -- all I just want to show you, you already have 5 the viewgraph on the schedule. And you have the general 7 idea of this is where we intend to come back. I would 8 just also like to point out that we would like to look at 9 the IEEE standard 1050-1996.
10 I personally had some reservation about that 11 standard, and those concerns have been resolved, and the 12 '96 version was issued only about two weeks ago. We will 13 also plan to look at the IEEE standard 665-95, which is 0 14 guide for the generating station on grounding. We' plan to 15 look also at military standards.
16 Military standards 461, 462, and see if 17 they're applicable. And believe me or not, you know, you ,
18 talk about the history -- and when I was preparing for 19 this, I found out that in 1973, Jan. '73, Atomic Energy 20 Commission issued a standard on I&C equipment, grounding 21 and shielding.
22 And I have a number of -- RTD-CT-1T, and the 23 staff would like to see what kind of requirement we had at 24 that time. The bottom line is that when we come back with O 25 the reg. guide before you, we believe that we will have an NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
186 1 acceptance criteria and possibly answer to many of your
-s 2 questions you might have.
G 3 With this, Dr. Miller, with your permission, I 4 would like to call upon Wes Barber to present his views.
5 Thank you.
6 CHAIRMAN MILLER: And as Wes is going up, I'll 7 just comment on history. I took the liberty of going to 8 the library and getting a book by Gold. He apparently 9 spend his whole life on lightning. He basically says 10 nothing had changed since Benjamin Franklin, and we just 11 to -- we can't prevent it. We just need to direct it at 12 the right place.
13 So, with that, I guess we'll turn it over to
(') 14 Wec so he can go back to Ben Franklin's original and write 15 a standard.
16 MEMBER BARTON: Before Wes starts, have you 17 looked at the NPRDS data? Is there anything different in 18 there than what you see in the LER?
19 MR. AGGARWAL: We have not looked at it, but 20 we do plan to look at it.
21 MEMBER BARTON: Okay,thank you.
22 MEMBER APOSTOLAKIS: Congratulations for 23 saving a few trees. I see you put all six of your 24 viewgraphs in one. i
(~%
(_,) 25 MR. BOWERS: And there's a seventh one on the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
187 1 back, double sided copying.
l
,s 2 CHAIRMAN MILLER: Wow, you could have put six
( I RJ 3 more on the back. That's great. ,
1 4 MEMBER APOSTOLAKIS: That's actually a waste 5 of this blank space.
l 6 MR. BOWERS: So hopefully, you can read it. ]
7 I'm Vice Chairman of the Nuclear Power Engineering 8 Committee, as Satish said. What satish invited me here 9 for was to talk a little bit of what is in the IEEE 10 nuclear standards. He already has covered some of the 11 things that are -- like in the T&D standards, the normal 12 power system, things that are done.
13 And as he mentioned, in IEEE 308, it basically
14 says that lightning is a design basis event. Essentially, 15 from an IEEE nuclear power standards viewpoint, lightning 16 needs to be considered in the safety system design basis.
17 There is detailed guidance out there in a number of 18 different standards. I have several of them listed here.
19 IEEE 1050, IEEE 1100; and IEC, the 801 series 20 of standards. Essentially lightning is not a new problem.
21 There was a number of standards out there. Satish had 22 some. I listed these primarily in the I&C area because I 23 knew your interest was in the I&C area. And these three 24 standards listed here deal with proper grounding and r
(_ 25 shielding and also with a testing of the instrumentation.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
l 188 I l
1 The one particularly one dealing with
-% 2 lightening is the 80 1-4 talking about-surges -- testing 3 for surges. The Nuclear Power Engineering Committee deals i l
4 with standards that are unique to the nuclear area, and we j
)
5 provide links to some of these other standards that are {
6 out there. Let me talk a little about those other 7 standards. j 8 There's primarily two standards. IEEE 603
)
9 which is the criteria for safety systems, and also IEEE 7- l i
10 4.3.32, criteria for digital computers in safety systems.
11 So these are out there. They published standards. They're i
]
12 being used. The reg. guide endorses both of them. We are 13 continuously enhancing those standards.
14 So, I'll talk a little bit about the 15 requirements in those standards and some of the 16 enhancements that we're currently doing. In IPEEE section 17 3, there's a section on design basis. And one of those 18 design bases is in Section 4.7. I quoted it here on the 19 slide so that you can read it.
20 But basically, it's saying as part of your 21 design basis, you have to identify all those effects in 22 the environmental which could be voltage frequency, 23 radiation, temperature, humidity -- whatever is in your 24 environment, however the power changes, the motive power, 25 the control power, whatever -- surges maybe on that power.
i NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
189 1 You have to define that as part of your design
t
14 have it yet, but it's under review by Brookhaven. We 15 expect it shortly.
l 1
30 MEMBER APOSTOLAKIS: Why is it risk based? I 17 mean, what are the criteria for the screening? I 18 understand that there is a frequency for the lightning 19 that's been used somewhere. But I mean, is there a 20 numerical ranking of thase things?
21 MR. COFFMAN: Yes, there was a numerical 22 ranking by the effects on the core damage frequency.
23 MEMBER APOSTOLAKIS: And one of the 24 conclusions is that the vibration is unimportant. So what f%
(_/ 25 is important?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005 3701 (202) 234 4433
205 i
j 1 MR. COFFMAN: The vibrations -- in relative l
l fs 2 position, the vibration was two orders or magnitude below l 3 what EMI/RFI was.
4 MEMBER APOSTOLAKIS: But wouldn't that be, 5 though, a little bit artificial since the assumption is 6 there that all I&C phase --
7 MR. COFFMAN: Yes, it is artificial. It is a 8 relative --
9 MEMBER APOSTOLAKIS: So, immediately it 10 doesn't fail all I&c. So you have already dictated what 11 the results should be by making that assumption.
12 MR. COFFMAN: Yeah, these assumptions are very 13 bounding.
A \
t
\- 14 CHAIRMAN MILLER: So you're going to 15 reevaluate the assumptions and then take the same data and 16 then -- things could fall out in a little different 17 ranking.
18 MR. COFFMAN: It could. In order to clarify 19 the assumptions, though, you'd have to change -- if they l 20 were all in the occurrence frequency, you'd have to change 21 it by two orders of magnitude, and I'm not sure we're 22 going to have that precision in the data that -- I don't 23 think there's that precision of the data.
24 MR. QUINN: You lumped the licensing or the r
(_/ 25 lightning in with the EMI from the portable radios and our NEAL R. GROSS COURT REPORTERS AND 1RANSCRIBERS 1323 RHODE ISLAND AVE.. N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
206 1 arc welders and other kinds of things. Is that
- 2 categorized in the same risk based numbers?
3 MR. COFFMAN: No , the only source of 4 information that was sufficient to get an estimate of the 5 occurrence frequency was on EMI due to lightning. So, 6 this does nct Oven include EMI due to other sources.
7 MR. QUINN: Okay, but we have a table in here, 8 in the report, that lists EMI from in plant sources, 9 relays, very familiar with -- you know, the arc welders, 10 our portable radios. There's a list of LER's in here.
11 Those were not included?
12 MR. COFFMAN: Those were not included in this 13 estimate. And there was a previous study done -- reported
.O k'- ') 14 in NUREG CR 6904 which showed that between the other 15 sources and lightning, that it appeared to be that 16 lightning was only like 25% --
17 MR. QUINN: Of all the other sources?
18 MR. COFFMAN: -- of all the other sources. So 19 if -- for the purpose of this study to see if the staff 20 was properly emphasizing it, it was okay for the staff to 21 emphasize EMI/RFI in its application of research 22 resources. Then that would even reenforce it further.
23 MR. QUINN: And that would be much higher 24 than even the results here.
(_) 25 MR. COFFMAN: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4433 WASHINGTON. D C. 20005-3701 (202) 234-4433
. . _ . . _ . __ ._...___.__.___...._._._-_____.__..__,___.._._.m _ _ _ _ . _ _ _ .
1 i 207 I l 1 1 MR. QUINN: Oh, okay.
4 l 2 MR. COFFMAN: This study was not done for l j
>O 3 lightning.
1 i
i 4 MR. QUINN: It just happened. ]
)
5 MR. COFFMAN: We backed into lightning.
Li
~
6 MR. QUINN: What's going to -- there's more i
1 7 research that's going to go on, and lightning is an 8 EMI/RFI, which lightning is going to be studied. What
{ 9 kinds of things do you think are coming out of this? Are i
i 10 you going to do -- it's a risk based approach, but are you a
- 11 going to have recommendations that will impact upon this i
- 12 reg guide and upon other things?
I 13 MR. COFFMAN: The risk screening study was lO 14 just to see if we were applying our resources right when i 15 it came tot he comparison between EMI and smoke.
1 1
16 MR. QUINN: Oh, okay.
- i. l 17 MR. COFFMAN: But we are doing work on l
! 18 qualification of digital system. And --
i l
- 19 CHAIRMAN MILLER
- And that's the work at Oak 20 Ridge then?
i 24 experimental safety channel that's been developed that we 25 are testing to se~ ch for failure modes to determine what I
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS
' 1323 RHODE ISLAND AVE., N W.
3 (202) 234-4433 WASHINGTON. D C. 20005 3701 (202) 234-4433
._, ___ -___ _ ~._.. _ . - . ,,.__ _ . -, -- ., . _ , , . , - -
208 1 failure modes are in digital systems, get more information p 2 on that.
\_/
3 There's smoke work at Oak Ridge.
4 CHAIRMAN MILLER: In Sandia?
5 MR. COFFMAN: I'm sorry, at Sandia. Sorry.
6 CHAIRMAN MILLER: I didn't know from both 7 places. It knew it was Sandia.
8 MR. COFFMAN: So there is other work going on.
9 MR. QUINN: So beyond our EPRI TR and the work 10 on the EMI which was -- and SER was written, right? There 11 will be -- there's a potential for a reg. guide.
12 CHAIRMAN MILLER: Well, I was going to ask 13 that question myself if that reg. guide is going to O
t~'1 14 consistent with the guideline we already endorsed.
15 MR. COFFMAN: Yeah, that's an objective in the 16 development of the reg. guide is to --
l l
! 17 CHAIRMAN MILLER: Now I would ask what's the l 1
18 purpose of the reg. guide? We already have a guideline 19 endorsed thorough an SER.
20 MR. COFFMAN: One more. I apologize. Has l l
21 somebody analyzed these 29 LER's for the impact of 22 lightning on the I&C systems. So far, it looks to me like 23 this table which is very well put together is -- give us a 24 good quantification value.
U 25 But included in the table is the actual impact NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS
' 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. D C. 20005-3701 (202) 234-4433
209 i 1 of the lightenirg ont_the plant and the i&C systems. Is 2 that going to be looked at further, you know, --
3 MR. WERMIEL: Ted, we plan to look at it as 4 part of the developmental reg. guide. And I'm sure we 5 have those LER's here, but we will be again very happy to 6 get a copy of it and read what's in it.
7 Thanks.
8 MR. QUINN: I think we're scheduled to review 9 of research in December. So it may be this fall before --
4 10 MR. COFFMAN: Yes, that's correct.
11 CHAIRMAN MILLER: One more comment before you 12 take that off. Recognize that vibration, humidity and 13 temperature are probably not a major stressor on digital O 14 I&C. As we put in fiber optics, that may be a different ,
15 situation.
16 These could be specified for human optics.
17 You might want to -- obviously there's not in there to -
18 have a data base and could be -- in addition to radiation 19 in could be stressors and the fiber optic down the line.
20 I know people have interests in that area, tan they might 21 be aware that -- within fiber optics they may not want to 1
l 22 lose that as stressors right away.
23 Any other questions on where we are on the i 24 risk ranking? Sorry to hear Hassam is ill. I hope he's 25 going to be coming back. He's one of our OSU graduates, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE. N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
210 1 so I strong feelings for his work here. He works up at 2 Brookhaven, but he's worked for years off and on with 3 Vessely. Anything else here?
4 So, I think we're done with the lightning 5 review here.
6 MR. AGGARWAL: Thank you.
7 CHAIRMAN MILLER: And we should then take a I
8 break. And we will return with the purpose of -- oh, by 9 the way, for the area of lightning, the committee is going 10 to take no action. This is purely for review. At 3:15 --
1 11 I have to say we'll come back at 3:15 -- the purpose will 12 be to look at what we should prioritize to the full 13 committee on Thursday.
14 (Whereupon, the foregoing matter went off the i
15 record at 2:57 p.m. and went back on the record at 3:26 16 p.m.)
17 CHAIRMAN MILLER: I want to reconvene our 18 subcommittee. And the purpose of this part of the meeting 19 is to identify -- or give the staff guidance on what 20 should be presented at the full committee meeting on 21 Thursday and the kinds of things we would like to have 22 presented based on what we've seen today.
23 Now, Thursday's meeting is totally on the 24 standard review plan. It's not to be directed toward the 25 issue of lightning. You might mention it, but the primary NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
I (202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4433
211 1 purpose is the standard review plan update. The last
,3- 2 chance the full committee will see it until the issue
(-) 3 comes back following public comment.
4 So with that, I would open it up. I don't 5 want to dictate what we're going to do here.
6 MR. QUINN: I recommend slides from the --
7 Matt's discussion as an overview; and it may be only my 8 opinion, but I don't believe the full committee would be i
9 interested in the STAR review from a system level. That's 10 my opinion. l 11 CHAIRMAN MILLER: George, what do you think?
1 12 Or John?
13 MEMBER BARTON: I agree. I was just looking
's 14 at what's on the agenda for Thursday specifically. That's 15 a mouthful. By the time we struggle with that this 16 morning -- and we've allowed them an hour and a half, and l 17 I think they're going to be pushed to try to do that in an l l,
la hou,r and a half.
1 19 MR. WERMIEL: Yeah, we'd have to cut back the l 20 40 slides to a more manageable number.
21 MEMBER BARTON: About half of that. ;
22 MR. WERMIEL: Oh, yeah, no more than that.
23 Because we would definitely want to allow sufficient time 24 for the other committee members to ask questions and say O
(_/ 25 their piece.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON. O C. 20005-3701 (202) 234-4433
-- - - . - - . . _=. .. . - . .. - - . - - - - .. - . .. _ - . - - . . .. _ . _ _
212 i
1 CHAIRMAN MILLER: If that's the approach you i
j 2 want to take, I think -- then of course the key issue is 3 how everything fits together. But also, the other issue
) 4 is identifying the changes, specifically the issues li 5 involving digital I&c.
6 MR. WERMIEL: Definitely. I think it's --
7 you've got to realize that this -- the committee members 8 will unlikely have read the package.
! 9 MR. WERMIEL: All the more reason why I was 10 saying what I was, Don. I think you're right. I don't 1
11 think they'll have read the SRP, and they'll need to 12 understand how it fits together and what its content 13 really is now.
14 CHAIRMAN MILLER: Yeah, particularly I think -
! 15 - I would spend time on seven, even though 7.0 isn't on 16 the agenda, use it on every other -- 7.0-A is used on
! 17 every other section. Branch technical position on every l
18 one of them.
19 MR. WERMIEL: Exactly. Well, what I could do j 20 is maybe in my introductory remarks, I could mention how 21 7.0 works without actually presenting slides, then have a
i 22 Matt go into the specifics of what's in the SRP.
i 4
23 CHAIRMAN MILLER: And what is in 7.0-A.
l 24 MR. WERMIEL: Yeah, I can describe 7.0-A in a 25 matter of a few minutes from the slides even that I have
! NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS i 1323 RHODE ISLAND AVE., N.W.
- (202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
213 1 without actually showing them and then allow Matt to go 1
2 into some of the details. '
O 3 CHAIRMAN MILLER: You have to also remind them 4 of -- although I don't think the committee will need too ,
5 much reminding of the overall philosophy of --
l 6 MR. WERMIEL: Yes.
7 CHAIRMAN MILLER: And this -- I'm certain i I
4 8 George will not let this go by that this is on process.
9 If we bind the process to it's Nth degree, we assume we'll 10 have a good product.
11 MR. WERMIEL: That's true.
12 CHAIRMAN MILLER: I don't think George would 13 let that one go by anyhow. George, I'm certain you would 14 -- I'm kind of capsulizing.what these members have said.
15 MEMBER APOSTOLAKIS: Well, I think that's one 16 of the issues that needs to be addressed. And the second 1
i 17 one is what we discussed this morning, namely the 18 acceptance criteria. I think maybe you guys can say a few 19 words about it -- !
i 20 MR. WERMIEL: Yes. !
i 21 MEMBER APOSTOLAKIS: -- for the benefit of the 22 committee. And we'll take it from there, see what the 23 other members feel and how they feel about it. What I 24 don't find very useful is all these' references to IEEE 25 standards. So if you could cut down on those, go to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
214 1 meat of it, you know, what exactly are we doing here, how 2 is the reviewer going to carry out the review.
3 Because the other stuff really is just -- I 4 mean, really, the fact that there are X IEEE standards 5 that have been used, it really doesn't help anybody see 6 the numbers.
7 CHAIRMAN MILLER: Well, I concur in one 8 respect. We could capture what those IEEE standards say 9 in far fewer words than --
10 MEMBER APOSTOLAKIS: Yeah.
11 CHAIRMAN MILLER: On the other hand, we have 12 to look at the standards as being what the current l i
13 software engineering community believes is best -- is l O 14 state of the art software engineering.
15 MEMBER.APOSTOLAKIS: No, I'm not saying the 16 staff can't say that, but we don't have to list all the 17 standards.
18 MR. WERMIEL: Well, remember also, George, the 19 standards were written as guidance for the developer, and 20 we are adopting them into review criteria. On the other 21 hand, the branch technical positions are written for -- as 22 reviewer guidance, and the industry is adopting them in
)
23 the course of their development. ;
24 But I don't think -- and it's been our l 25 experience that there really isn't redundancy in the NEAL R. GROSS 1 COURT REPORTERS AND TRANSCRIBERS l 1323 RHoDE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
215 1 reference to the standards and then in the expansion of 2 the wording in the BTP's. I don't -- there may be overlap i, w)'
3 in subject matter, but I think in what's actually maid, in 4 the words that are actually provided, you won't find 5 redundancy.
6 It may not be the case across the board, but I 7 know from our experience that it hasn't worked that way.
8 Where we've really needed reviewer guidance, we've really 9 needed to put it in a BTP.
10 CHAIRMAN MILLER: And the other I would 11 continue to emphasize to the world here, or at least maybe 12 the committee too, that when you're talking about safety (
13 systems, you're -- from a comparative viewpoint, there's
> 14 simple software systems versus -- I was reflecting on my 15 first ride on a Boeing 777 that I knew I was sitting on a 16 system that was far more complicated than any nuclear 17 system I'll ever see and I was depending on that to get me 18 from here to Europe.
19 MEMBER APOSTOLAKIS: So you had the 20 probability?
21 (Laughter.)
22 CHAIRMAN MILLER: I was contemplating the -- I 23 know Boeing doesn't use its -- but I was contemplating the 24 use of something similar to the approach we're talking O
V 25 about.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
216 1 MR. WERMIEL: Oh, yeah.
2 CHAIRMAN MILLER: If they were gambling all of 3 us on their use of the process, and --
4 MR. WERMIEL: Exactly.
5 CHAIRMAN MILLER: But on the other hand, they 6 do have an analog back up.
l 7 MR. WERMIEL: In the 777?
l 8 CHAIRMAN MILLER: I'm pretty certain they do.
l 1
9 MR. WERMIEL: No, I don't think so. I don't 10 think in a 777 they do.
11 CHAIRMAN MILLER: They can land it without the 12 digital --
13 MR. WERMIEL: I don't think so.
14 CHAIRMAN MILLER: Yeah, okay. I guess in a 15 sense that's what I was referring to. They could land it.
16 They can bring it to a safe position on ground --
17 MR. WERMIEL: Right.
18 CHAIRMAN MILLER: -- in the context of a safe 19 shutdown --
20 MR. WERMIEL: That was my --
21 CHAIRMAN MILLER: -- without the digital 1
22 system. l l
23 MR. WERMIEL: That was my understanding. And 24 that's different from the -- right, from the Airbus and l 25 other fly by wire aircraft. As I understand it anyway, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234 4 33 WASHINGTON, D.C 20005-3701 (202) 234 4 33
217 1 isn't it? Pardon me? The way the 777 works, what Don was 2 just describing is not the same thing as the Airbus has.
3 MEMBER BARTON: I hope it works better than a 4 Harrier --
5 MR. WERMIEL: A Harrier?
6 MEMBER BARTON: Another -- on the lightning 7 issue. You said we weren't going to talk about that.
l 8 MR. MARKLEY: Not in the full committee. ,
i 9 MEMBER BARTON: Let me ask you something. Has 10 the full committee got this?
I 11 MR. MARKLEY: Everyone -- all the members
~
12 received it.
13 MEMBER BARTON: All right. What about the O 14 fact that this committee sent a letter to Stello in '92 l
i 15 and we still have to update it. Shouldn't we at least 16 spend five minutes on where they are?
17 MR. MARKLEY: I think it would be appropriate 18 for Dr. Miller to talk about what was discussed here 19 today.
20 MEMBER BARTON: Okay.
21 MR. MARKLEY: But in terms of developing any 22 kind of a consensus on electrical, I think it would be 23 premature. :
1 24 MEMBER BARTON: As long as it's --
25 CHAIRMAN MILLER: I agree. I think a couple NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE, N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
l 218 I l
1 of minutes of information. 4 l
1 g~g 2 MEMBER BARTON: Okay.
l l N~,] l 3 MR. QUINN: But were you going to discuss also l
4 the S??AR -- there was a review of the STAR system 1 1 i 5 accomplished at the meeting and -- l 6 CHAIRMAN MILLER: Well, we'll discuss --
7 somebody should discuss that. One of us -- I thought j 8 maybe we'd start with the STAR system and -- that was a 9 good example. But I think I -- I guess I agree with --
10 let's just review what the SRP is and not -- I was looking I'
11 at it as a tutorial more than information.
12 MEMBER APOSTOLAKIS: After the process is l
,_ 13 completed, the regulatory guide and everything's out, is 1
24 that the end of the NRC or do you plan to --
15 MR. WERMIEL: Well, no, we already know of 16 some things that could use updating even now in the 17 document itself as we've presented it that we're going to I
18 work on. We're also hoping that there will eventually be l l
19 some changes based on the ongoing efforts that we've got I
20 underway with the industry groups, with EPRI.
21 I anticipate that as a result of that, there l 22 will be some additional changes that we'll have to make.
23 So, --
l 24 CHAIRMAN MILLER: COTS or that's more than l ("'N l (_ 25 COTS?
1 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
l (202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
219 l
1 MR. WERMIEL: It's more than COTS. Yeah, I l
2 well, the PLC and ASICS and the DSS, there's likely to be
-)
L/ ' '
l 3 maybe some additional wording or some additional guidance And maybe, 4 as a result of the ASICS work in particular. I l
5 in addition, on PLC's. The PLC program is taking an 6 interesting tact on. They're trying to develop a generic 7 qualification guidance document that may serve as the same .
l 1
8 kind of thing as a branch technical position would. l 9 Then they're going to take that and actually ,
l 10 propose, as we understand it, topical reports for !
l 1
11 specific PLC platforms using the original document, the )
12 qualification document, as a guide. So, in a sense, p_ 13 they'll be doing some of the kinds of things that we might i
/ ) !
2 14 do in the way of guidance for qualification of a PLC. ;
15 And we would endorse that topical report and 16 then the subsequent topical reports on specific platforms 17 in turn. Some of that probably will go in the SRP as )
18 well. So, no, George, we're not done by any means. We 19 would declare victory, I guess, on the initial effort, but 20 it's not by any means complete at that point.
I 21 MEMBER APOSTOLAKIS: I would like to see in 22 the long run the NRC exploring very seriously the 23 possibility of bringing some of these methods --
24 CHAIRMAN MILLER: We have a meeting on
(~)
(_/ 25 research in December. I think we should bring that issue NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234 4433
l 220 1 there. As you -- you know, we saw a couple of papers out
[ g- 2 in Utah there that -- we did hear somebody give a
(-
3 presentation saying using this method, I can develop a 4 bullet-proof design. Is that quoting somebody?
5 MR. WERMIEL: Who said that?
6 CHAIRMAN MILLER: I doubt she's even going to 7 be here today.
8 MEMBER APOSTOLAKIS: She didn't go to that 9 part.
10 MR. WERMIEL: Who said that?
11 CHAIRMAN MILLER: I won't say who said it 12 because -- anyhow, there are people who would say well, we 13 can do software; and of course, we all know it's the
,\
I
\- 14 design requirements that is the weakness.
15 MR. WERMIEL: Yes.
16 CHAIRMAN MILLER: After all, there's nothing 17 we can't improve upon.
18 MR. WERMIEL: Improve upon. Yeah, I would buy 19 improve upon. I'm not sure I'd agree that now I've got 20 100% certainty my requirements are right. I don't think 21 I'd buy that.
22 MR. QUINN: I wanted to ask you to reenforce 23 this issue on training on some form of ongoing -- I think, 24 you know, when this is done, and I -- we're only here (3
(_) 25 every few months or whatever, I think training, tutorial, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
..._.._._._.__.._.______.--_.._...__._.______._..__._.._m._. _._ _
M 4
221 1 something that takes and does some instruction in industry .
1 i
2 interface is really important. I 3 CHAIRMAN MILLER: Well, as you pointed out 4
4 earlier, of course, one phase -- there is an in house i
j 5 training effort for the staff, which you're aware of.
}
l 6 MR. QUINN: Right.
i 7 CHAIRMAN MILLER: Now, what you're talking i
) 8 about is a -- the NRC hosting some sort of a workshop that 4
i 9 would bring in industry so there can be some dialogue on 10 this whole are of the SRP update.
f i
i 11 MR. QUINN: Right.
12 CHAIRMAN MILLER: I don't know what the
~i 13 mechanism to make that happen is. I've never done it i
14 before.
f j 15 MR. WERMIEL: Yeah, we've held workshops on 4
16 different topics in the past. I'm not sure I know exactly I 17 what you're driving at.
18 MR. QUINN: A workshop on --
19 MR. WERMIEL: During the public comment period
- 20 you're thinking? Oh, the June workshop that you were 1
21 speaking of before?
j 22 MR. QUINN: No, not just that. I mean, that's 3
23 --
[ 24 MR. WERMIEL: You have to talk into the 25 microphone.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234 4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433 s
6
, . . _. . _ _ . ._.. _.... _ _ _._ _. _ _ _ _ _ ._._. _ _ _ __.._ .. __m _ _ .
l 222 1 MR. QUINN: Are we on? ;
2 CHAIRMAN MILLER: Yeah, we're being recorded. t 3 MR. QUINN: We are? Yeah, okay, I'm sorry. ;
l 4 No, a workshop that would be NRC sponsored that -- you I
l 5 know, to cover all these in more detail perhaps.
6 MR. WERMIEL: And you were thinking after we 7 go final with it? Oh, okay; that's something we can 8 certainly think about. ;
9 CHAIRMAN MILLER: May of '97.
10 MR. WERMIEL: Yeah, we could certainly think 11 about that. I know that we'll be getting or message to a 12 number of the industry groups that are active. Of course, .
13 in this area through the interaction on the PLC's, ASICS, O 14 and the DSS systems. So, we've already begun, I guess, i
15 that interaction.
16 But a general workshop, that's a possibility.
17 We can certainly consider that.
18 CHAIRMAN MILLER: The other issue that has not 19 been really raised at all but was raised last time is 20 integration of this update with the other updates. And I 21 do realize it was put into a table there. But we had 22 talked at least more explicitly with reference to the 23 update on the PRA.
24 I didn't -- well, maybe that's not far enough 25 along that you can have --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234-4433
l 223 I 1
1 MR. WERMIEL: No, the PRA/SRP section that I !
I g-s 2 know is under development is -- from my understanding is ,
t ) >
3 still very controversial and there's still a lot of work i
4 to do. It is not very far along. I don't think it 5 impacts what we're doing here very much at all.
6 CHAIRMAN MILLER: You don't think even when 7 it's all done it will?
8 MR. WERMIEL: No, I don't anticipate that it l 9 will at all. This piece of the SRP update of course will 10 go into the overall SRP update that's already out for 11 public comment eventually. Although, I believe we've done l
12 a lot more by way of updating our section, Section 7, than 13 the overall update has done.
i
\- 14 It's not nearly to the level of detail or new 15 information as this section is, which is why this section 16 was broken out in the first place.
17 CHAIRMAN MILLER: And I think we had some 18 mention today of the -- in fact, you had built in some ,
19 graded approach issues, but not very -- it was not very 20 explicit.
i 21 MR. WERMIEL: No.
22 CHAIRMAN MILLER: Except the one branch 23 technical position.
24 MR. WERMIEL: Correct. The graded approach to O)
'(_/ 25 quality is something that is in the PRA/SRP section NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D C- 20005-3701 (202) 234-4433
224 1 update. And again, from my understanding, there's a lot fs 2 of different opinion on how that should proceed.
V) t 3 CHAIRMAN MILLER: So depending on how that 4 conies out, would that come back --
5 MR. WERMIEL: No, no, I don't think so. I 6 think it would work this way. The graded approach which 7 is already provided for in the regulation --
8 CHAIRMAN MILLER: You did add one thing. I 9 forgot to bring it up this morning -- specific reference 10 to the regulation as an addition over last --
11 MR. WERMIEL: It's interesting, there's a sort 12 of a -- somewhat of a misconception that graded quality is 13 a new concept, and it's not. There's always been a graded O
s
/
14 approach. It may not have been as explicitly spelled out 15 as it could have been, and it's going to be more ,
1 1
16 explicitly spelled out in this new SRP section.
17 What it will do, as I understand it, is it 18 will drive the classification of a system initially; and 1
19 then, once you've decided what that system's l 20 classification should be, you would go to the -- if it's 21 an I&C system, you would go to Chapter 7 and decide how it i 22 would fit the criteria for the development of the software 23 and the hardware to that classification.
24 So, it shouldn't make much of a change at all, r~s s- 25 at least as far as we see it right now.
1 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AE, N W.
l (202) 234-4433 WASHINGTON, D C. 2';005 3701 (202) 234-4433
225 1 CHAIRMAN MILLER: You don't think it will
<s 2 drive us toward -- I know, I hate to bring this up -- a V)
/
3 concept of a one E and a two E type classification, which 4 I know was a -- I did find out in a recent visit to France 5 they do have it.
6 MR. WERMIEL: Oh, yeah, they do. We know they 7 have it. It's not my understanding that the current 8 guidance on graded QA is going to do that. I don't 9 believe we're going to end up with one E and two E and 10 everything else. That's not the way I understand it right 11 now.
12 CHAIRMAN MILLER: Oh, and I have to put one 13 caveat in. In trying to determine the difference in one l' )
\- 14 E, two E, at least in the -- I went through the N-4 system 15 when I was in France. I didn't get a clear picture what 16 the difference was. It sounded like it was -- in the end, 17 I heard that it's exactly the same except we don't -- our 18 requirements and configuration management are 19 significantly different, which kind of surprised me.
20 MR. WERMIEL: Matt --
21 CRAIRMAN MILLER: That might have been in l
l 22 language -- l 23 MR. WERMIEL: Matt may have interpreted it 24 differently, but in our interactions with the French, the 25 one thing I remember that they don't do with two E that's
! NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 2344433 WASHINGTON, D C. 20005 3701 (202) 234-4433 l
226 1 differer.t from one E is the extent of the independent 73 2 verification validation. They have another level of IV&V
() 3 that they require of one E systems.
4 But as I recall, they do not apply to the two 5 E.
6 CHAIRMAN MILLER: Well, one E, I think, is 7 basically the same as our one E.
8 MR. WERMIEL: Right. Their two E really isn't 9 all that different from the one E.
10 CHAIRMAN MILLER: It was only applying to 11 their -- I think their man-machine interface systems 12 primarily.
13 MR. WERMIEL: But what they're controlling are
) 14 the safety systems. It's not controlled systems as we I 15 might define control systems as being non-safety. It is 16 control of the safety systems.
17 MR. CHIRAMAL: The initiation of the safety 18 system is a one E, but the control is a two E.
19 CHAIRMAN MILLER: I guess I was interpreting 20 like -- if you had control like reactor control or 21 pressurizer control, that would be two E.
22 MR. CHIRAMA'. I think some of them have pump 23 controls and things like that comes through the two E or -
24 -
O)
(_ 25 MR. WERMIEL. It does. It's my recollection KEAL R. GROSS COURT RliPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
i 227 l 1 it does.
l
- ,es) 2 MR. CHIRAMAL
- If you remember the --
l\nsi 3 MR. WERMIEL: The diagram?
4 MR. CHIRAMAL: And the down control panel and 5 also comes to the two E. So a lot of the control is 6 through the two E. Scram and some of the initiation of 7 the ESF is through one E.
8 CHAIRMAN MILLER: Okay, well, you don't think 9 we're going to be moving that way based on what the PRA --
10 MR. WERMIEL: I don't think it will -- I'm not 11 willing to predict it; but from what I know now, I don't 12 think it's going to be that explicit, no. Not the way I'm 13 hearing it at least. But if -- certainly, if there is
\- 14 something that comes out of the graded quality work that 15 it impacts what we've done, we will have to make some 16 changes.
17 We will make changes, no question.
18 CHAIRMAN MILLER: George, what's the -- when 19 do they plan to --
20 MEMBER APOSTOLAKIS: We were planning to have 21 a subcommittee meeting at the end of this month.
22 CHAIRMAN MILLER: On the standard review plan?
l 23 MEMBER APOSTOLAKIS: Yeah. But what happened l
l 24 was that there is a serious disagreement between NRR and
/~N k_,) 25 Research, so NRR is reviewing now. And I think our NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
l 228 1 meeting will be postponed.
gg 2 CHAIRMAN MILLER: Okay. I've been alerted we
() 3 maybe are moving -- some things off record here. Maybe we 4 should bring it back to our objectives.
5 MEMBER APOSTOLAKIS: I think though the 6 question of how you can make this a little bit risk 7 informed is of significance because we cannot move really 8 in one part of the agency towards risk informed regulation 9 and then at the same time develop something that's not 10 risk informed.
1 11 One -- I think you can give it some flavor l
12 even though -- of RIPPBR or whatever it is if you, for 13 example, try to prioritize a little bit the various issues )
\' 14 here. Again, as I read the literature, I see that people 1
15 emphasize the significance of requirement. If you read l 16 the BTP and the SRP, everything is really presented as if 17 they were of equal importance. ,
l 18 Just move from one phase to the other and you l l
19 provide guidance.
20 MR. CHIRAMAL: George, that's not true. We 21 have emphasized the requirement specifications and its 22 translation to software requirements quite heavily, l 23 because we know that's where most of the errors are 24 sitting anyway.
b'/
\_,
)
25 MEMBER APOSTOLAKIS: When you say you NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
229 1 emphasized, what do you mean? You have more pages, is
, 2 that what you mean?
() MR. CHIRAMAL:
3 No, I'm gaying that issue will 4 -- pay more special attention to the requirement 5 specification and how it's translated into software 6 requirements.
7 MEMBER APOSTOLAKIS: Oh, maybe you can show us 8 where.
9 CHAIRMAN MILLER: Again, that's -- you can put 10 priority there, but that isn't related to the significance 11 safety --
12 MEMBER APOSTOLAKIS: See, that's the other
,, 13 thing that --
( l 14 MR. CHIRAMAL: It comes out of the basis that 15 most of the errors are found in -- 75% of the errors in 16 the process is found at the requirement specification 17 translation -- software requirement specification and 18 hardware requirement specification. It's that 19 traceability.
20 CHAIRMAN MILLER: I see. What you're looking 21 at is -- okay, you're putting more of your eggs into the 22 where most of the errors come from.
23 MEMBER APOSTOLAKIS: Well, that's one 24 manifestation.
~
[ \
(_,/ 25 CHAIRMAN MILLER: But I was looking at more of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234 4433
230 1 a --
-s 2 MEMBER APOSTOLAKIS: There may be some more,
(_/
3 yeah. Now, on the other hand, if by law you have to take '
4 all the engineer safety systems the same, then you get -- l 5 MR. WERMIEL: Well, yes, that part hasn't 6 changed. The basic requirement of IEEE 279 for systems 7 that perform safety functions still have to be met. And 8 if it's a system that has a safety function and is ,
l 9 governed by IEEE 279, it also must meet the ten l l
10 requirements of Appendix B and all the usual things.
11 That hasn't changed. That's a fair statement.
12 CHAIRMAN MILLER: Are we to a point where you 13 have enough g aidance now from us? l
[,_ ) l
14 f lR . WERMIEL: I think so. No, I think we know l l
15 what we neen to do for Thursday.
16 CHAIRMAN MILLER: Are members of the committee 17 happy wit'l where we're going to be?
18 MEMBER BARTON: I don't know if we're happy.
19 I think we know where we're going to be.
20 CHAIRMAN MILLER: Okay, reasonably -- knowing l l
21 what our options are, are you reasonably happy?
22 MEMBER BARTON: Yes.
23 MEMBER APOSTOLAA10. How many days do we have 24 to write a letter?
)
(_/ 25 MR. WERMIEL: I'd like to get t his thing out NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 132,$ RHODE ISLAND AVE., N W.
(202) 234-4433 WASH:NGTON, O C. 20005-3701 (202) 234-4433
231 1 for public comment sometime in November if we can.
,s 2 CHAIRMAN MILLER: Well, our goal is to write a f )
\_/
3 letter this meeting.
4 MR. WERMIEL: Great.
5 MEMBER APOSTOLAKTS: How difficult would it 6 be, Jared, to go back and edit this thing and make it 7 easier to read? It's really not easy to read at all. And 8 those frequent references to other documents really --
9 and if you could just say these are the basic principles, 10 this is what the process is, --
11 MR. WERMIEL: Yeah, I thought we had kind of I
12 done that.
13 CHAIRMAN MILLER: I thought in 7.0 they pretty
( )
\~/ 14 well did that.
15 MR. WERMIEL: Yes.
16 CHAIRMAN MILLER: Maybe -- why don't you take 1
17 another look at 7.0. Maybe you already have and still 18 disagree. But, I did that during this review and I was 19 reasonably impressed. I'm still not happy with a few 20 places there, but I'm reasonably happy with the way they 21 laid it out. I'm not certain ycu can make it much easier.
22 MR. WERMIEL: But I'm willing to have us take 23 a look at that possibilicy, at maybe a different approach 24 to the -- like you say, the very basic tenants, the --
O s_) 25 those things that are most important in the process. We NEAL R. GROSS COURT REPORTERS AND 1RANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
.232 1 can do that. I mean, that's not something that we can't 2 do and -- it's really something that we would probably ask 4
O 3 Gary to think about.
4 Yes, and I think that's something we can work 5 out. But you know, we can look into that. No question. I 6 CHAIRMAN MILLER: Do you have a comment?
7 .MR. WERMIEL: I would also -- along with 7.0, 8 Don, the table, Table 7.1-1 -- I think Table 7.1-1, as it 9 was pointed out by Ed Jordan at the CRGR meeting, is of j 4
10 extreme benefit because it really tells a reviewer what 11 are the things that I need to look at when I do a review i
12 of an INC system, and here it is in tabular form. !
13 These are those things that I should be
( 14 considering.
i 15 MR. QUINN: I'd like to ask -- I believe the l 16 ties -- and maybe not all cases, but in some cases, it !
l 17 ties to other section standards. I wish we could keep 18 them, as I see them to be important. But it's maybe not 19 all cases. Maybe some of them are --
20 MEMBER APOSTOLAKIS: You can keep the 21 references, but you can summarize here what the essence of 22 all these references is without forcing the reader to go 23 to 15 different documents to figure out what we're talking 24 about. That's what I'm saying.
25 MR. QUINN: I'll have to think about it.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
,-- _ _. -i
l 233 1 MEMBER APOSTOLAKIS: This is really what we 7g 2 want to do. These are the principles. You know, accuracy e
\'l 3 and all that. Now, for more detail --
l 4 MR. WERMIEL: That's what we intended to do in 5 7.0. That's exactly what we intended to do.
6 CHAIRMAN MILLER: I'm listening, George.
7 Instead of eating dinner and drinking wine, let's go back 8 and look at 7.0 and 7.1 and look at that context and see 9 if there's areas I think might need to be changed.
1 10 MR. CHIRAMAL: And George, in general, when we i l
l 11 make a reference to a IEEE standard, we say go there for ;
1 l
12 additional details.
7, 13 MEMBER APOSTOLAKIS: Let me give you an f
\- 14 example. l 15 MR. CHIRAMAL: Okay.
16 MR. WERMIEL: Please.
l 17 MEMBER APOSTOLAKIS: It's not a terrible 18 example, but it's an example. On the very first page of 19 the BTP 14, there's a section on regulatory basis.
20 MR. WERMIEL: Right.
21 MEMBER APOSTOLAKIS: And instead of saying 22 this is the basis, five bullets, it starts 10 CFR 50.55 23 a(h) requires blah, blah, blah, blah -- satisfy the 24 criteria of --
) Oh, I see. Okay.
\s/ 25 MR. WERMIEL:
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433 j
234 1 MEMBER APOSTOLAKIS: So I have to read now and ;
2 look to see what are the key words here. In there, it
{
f t
3 says the quality of components is to be achieved through l
4 the specification of requirements known to promote high i 5 quality. It doesn't say very much actually. 10 CFR 50 i l
6 Appendix A -- blah, blah, blah.
l 7 Instead of doing that, take those damn --
8 MR. WERMIEL: I gotcha.
1
- 9 MEMBER APOSTOLAKIS
- And say this is --
10 MR. WERMIEL: Okay.
l 11 MEMBER APOSTOLAKIS: And then, you know, if 12 you want more, go to 10 CFR.
4 13 MR. WERMIEL: That format is typical of how we O 14 wrote the SRP way back in genesis, back in 1975 when it i 15 first came out. It's always been done that way. We just i
j 16 repeated that same process --
17 MEMBER APOSTOLAKIS: It's very tiresome.
18 MR. WERMIEL: -- with our new BTP's. Yeah, I 19 see what you're saying.
20 MEMBER APOSTOLAKIS: I mean, just extract what l 21 the principles are and --
22 MR. WERMIEL: Well, we can think about it. We 1
) 23 did that only to basically perpetuate the format and the
- 24 content of the branch technical positions from the -- the i s I
25 way they were initially developed.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
d (202) 234 4 33 WASHINGTON, D.C. 20005-3701 (202) 234-4433
235 1 MEMBER APOSTOLAKIS: Now another one,
,,.- ~ 2 maintenance plan. The maintenance plan should contain the
(
3 elements -- and appropriate organization for this plan is 4 shown in Figure 3-11 of NUREG-CR-6101. So I have to go 5 now to NUREG 6101. That's my point. I mean, if it's 6 important enough to be mentioned, --
7 MR. WERMIEL: Put it in that document?
8 MEMBER APOSTOLAKIS: See what I'm saying?
9 MR. WERMIEL: Yes.
10 MEMBER APOSTOLAKIS: That really -- now there 11 is one benefit from doing it that way. There is one guy 12 in Boston who is getting a masters degree trying to 13 understand what you guys are saying.
O\- 14 MR. WERMIEL: You're kidding.
15 MEMBER APOSTOLAKIS: If he cared enough, he 16 wouldn't.
17 MR. WERMIEL: You're kidding, You mean we're 18 supporting the academic community with our work?
19 MEMBER APOSTOLAKIS: You're supporting the 20 intellectual --
21 MR. WERMIEL: I think that's great. No ,
22 that's great. I like that. I never -- but I never viewed 23 the SRP as an academic document. That's great.
24 MEMBER APOSTOLAKIS: But I asked the guy, you O
(_) 25 know, try to tell me what is the final line. What exactly NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W (202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
236 1
1 are they trying to -- asking people to do?
2 MR. WERMIEL: We can think about it.
3 MEMBER APOSTOLAKIS: You have to go through 4 several documents to finally find and say this is what 5 they want, and that's not --
6 MR. WERMIEL: I think the practitioner -- the 7 reviewers and the practitioners in the industry I think
-8 are somewhat more used to using these documents that we i l
9 reference and will have maybe a little less trouble, I i 10 think, I'm hoping. But we can look at it anyway.
11 CHAIRMAN MILLER: Okay, anything else?
l 12 MEMBER APOSTOLAKIS: Okay, time to go.
l l 13 CHAIRMAN MILLER: There are a few things off l lO i
14 record that -- I want to express my appreciation to the 15 staff.
l l 16 MEMBER APOSTOLAKIS: No, we're not --
l 17 CHAIRMAN MILLER: The ones who were not here, i
18 plus the ones who certainly are here. It was a very 1
19 valuable day, useful day for all of us.
20 MEMBER APOSTOLAKIS: By the way, the date here
! 21 is wrong.
I 22 CHAIRMAN MILLER: And Paul was on the hot seat 23 and did a nice job.
t
! 24 MR. WERMIEL: Yes, I thought he did do a good 1
25 job.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
237 1 CHAIRMAN MILLER: With that, we'll look ,
i gS 2 forward to seeing all of you, or some of you, on Thursday t
\ /
3 then. Meeting adjourned.
4 (Whereupon, the meeting was adjourned at 3:59 5 p.m.)
6 1
8 l
l 9 !
)
10 11 12 ;
13
. 1 14 15 16 17 18 19 20 21 22
, 23 l
l l 24 eO i (,/ 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N W.
(202) 234-4433 WASHINGTON, D C. 20005-3701 (202) 234-4433
1 CERTIFICATE This is to certify that the attached proceedings before the United States Nuclear Regulatory Commission in the matter of:
Name of Proceeding: ACRS SUBCOMMITTEE ON INSTRUMENTATION AND CONTROI. SYSTEMS AND COMPUTERS / ELECTRICAL POWER SYSTEMS Docket Number: N/A Place of Proceeding: ROCKVILLE, MARYLAND were held as herein appears, and that this is the original transcript thereof for the file of the United States Nuclear 0
Regulatory Commission taken by me and, thereafter reduced to typewriting by me or under the direction of the court reporting company, and that the transcript is a true and accurate record of the foregoing proceedings.
/
VCORBETT'RI ER Official Reporter Neal R. Gross and Co., Inc.
1 iO i
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHoDE ISLAND AVENUE NW
! (202) 234-4433 WASHINGTON. D.C. 20005 (202) 234-4433
b ,
INTRODUCTORY STATEMENT BY THE CHAIRMAN OF THE 0,
, I&C SYSTEMS AND COMPUTERS AND ELECTRICAL POWER SYSTEMS SUBCOMMITTEES 11545 ROCKVILLE PIKE, ROOM T-2B3' ROCKVILLE, MARYLAND October 8, 1996 The meeting will now come to order. This is a joint meeting of the ACRS Subcommittees on Instrumentation and Control Systems and Computers and on Electrical Power Systems. I am Don Miller, Chairman of both Subcommittees.
ACRS Members in attendance are: George Apostolakis, John Barton, l Thomas Kress, Robert Seale, and William Shack l Also in attendance is Ted Quinn, an ACRS Consultant The purpose of this meeting is to continue the Subcommittees' review of proposed Standard Review Plan Sections and Branch Technical Positions related to digital instrumentation and control systems. The Subcommittees will also review the status of NRC programs to address equipment vulnerabilities to lightning i and other transients. The Subcommittees will gather information, l analyze relevant issues and facts, and formulate proposed l positions and actions, as appropriate, for deliberation by the full Committee.
Michael T. Markley is the Cognizant ACRS Staff Engineer for this meeting.
l The rules for participation in today's meeting have been i announced as part of the notice for this meeting previously published in the Federal Register on September 17, 1996.
A transcript of the meeting is being kept and will be made l available as stated in the Federal Register Notice. It is
! requested that speakers first identify themselves and speak with l
sufficient clarity and volume so that they can be readily heard.
We have received no written comments or requests for time to make oral statements from members of the public.
(Chairman's Comments-if any)
We will proceed with the meeting and I call upon Mr. Matthew Chiramal of NRR to begin.
4
, , _ - . _ . _ o ,_.
o o o p, i
Update of Chapter 7 Standard Review Plan Presented to:
Advisory Committee on Reactor Safeguards Control Systems and Computers Subcommittee October 8,1996
.r- s s, i Matthew Chiramal l Senior Level Advisor on Digital Technology Office of Nuclear Reactor Regulation l Instrumentation and Controls Branch (301) 415-2845 mxcenrc. gov
(T Q /"%, <
es see Section 7.0 (new) # "
Introduction E j i
\.e../
e Section 7.1 (revised)
General Cnteria Basic Requirements - Operating and Advanced Plants (exisbng)
- GDCs l
- 10 CFR 50, Appendix B Section 7.2-7.7 (revised) l&C Systems Guidelines
- R G 1152,IEEE 7-4 3 2, Computer Sys Design (revised) m
- R G IEEE 1012&1028 V&V Plans, Reviews, and Audits (new) "
- Safe Shutdown e BTP Software Reviews (new)
- Informaton
- R G IEEE 828 & 1042, ConGg Mgt Plan and Guidance (new)
- Intertocks
. BTP Software Reviews (new)
- Controls
- R G IEEE 829. Test Documents (new)
= BTP Software Reviews (new)
- R G IEEE 830 Requirements Spec. (new) 4 Sects 7J (new)
= BTP Software Reviews (new) Diverse l&C Systems e BTP Real-Time Performance (new)
- R G IEEE 1008, Unit Testing (new)
- R G IEEE 1074, Life Cycle Process (new) -
Section 7.9 (new)
= BTP Software Reviews (new) Data Communication Systems
- BTP Defense-in-Depth and Diversity (new)
- BTP Self Test and Sury Test (new) Appendix 7.A (revised)
Other Guidance 4 4 BTPs (existing and new)
- GL 95-02 (existng)
- EPRI EMI/RFI Document (exrsting)
- EPRI COTS Document (in progress)
Basic Requirements - Advanced Plants (exisbng)
- 10 CFR 52 Guidelines
- BTP Level of Detail (new)
. _ _ __.__ ]
O O O J
.s- ~,
We updated the SRP, we did not rewrite it ..... ).
, Ground rules
- Maintain existing regulatory bases
- Incorporate lessons learned from ALWR reviews
- Incorporate lessons learned from digital retrofits
- Incorporate operating experience lessons learned
- The update will describe l&C system criteria for both operating plants (modifications) and proposed future advanced reactor designs
- If a topic is already covered, the topic is adequately covered (unless something is clearly wrong) 9610 /225 mc 3 l
o o- o!
t I
.-s We made no fundamental changes ( M 'i to the basic architecture of Chapter 7 % W,...../
t General requirements and guidance in 7.1
- Add references to new regulatory guides and branch ,
technical positions (BTPs) on special digital system issues
- Highlight review areas, acceptance criteria, and review ,
process for digital systems
- Add discussion of standard plant reviews Remaining sections (7.2-7.9) focus on systems
- Add references to digital system guidance in Section 7.1 4
9610 /225 mc
, i.
O O O
./ %,, :
Three new sections were added .....
7.0 Introduction
- How to use Chapter 7 7.8 - Diverse Actuation i
- ATWS i
- Diverse actuation a Manualsystem-levelinitiation Dedicated displays n Automatic systems that are distinct from traditional protection and control 7.9 -Data Communication Systems 9610 /225 mc 5
Two appendices were added i and three revised (g/
\.....
New Appendix 7.0-A describes the overall review process for digital systems New Appendix 7.1-C provides guidance with respect to review according to IEEE 603 (Reg. Guide 1.153)
Revised Appendix 7.1-A addresses rule changes (Part ,
52 and revisions to Part 50), and new regulatory guides Revised Appendix 7.1-B incorporates digital topics into the review of compliance with IEEE 279 Revised Appendix 7-A includes new BTPs discussed below !
1 9610/225 mc 6 ,
- I!}\! 3 ! i! :;I l[ a i
- t 1! i ! !
l 1 7
_O g3/. .
~
~
~
_ ~
,,; \
_ s s
_ n n o
_ o i t
i t a c
u i
l p
_ o p
p A
_ l a
n o
i c t
_ i n i a
c s r
y f s
_ h t i
i t
r e c c g l
_O s n e l o
i p
t e r e i t C t r
t o
v n s
e n o
. i h D e g m c c T i s C e d n c t n n a a i D
e i c s y
a s wh mo d r
g o s brde r i r o l
_ t p o e L a e e re f
f e t f p i
v D P l i l i
g e - P a b oo i
R n e d
n t
e a d _
D n-
_ tl a m _
ee i .
e mo r e m e f sve a s T wn i
- i n l o
r a n r e
wd e L-t l a g e _
_ v o f f h e o e e n e r t
_ n a s S D R O L P O Aw
_ c m
5
_ 2
_ 2
/
0
._ O .- -
1 6
9
O -
O O :
NRC Research developed new regulatory guides
[' j
\
- s DG-1054 Verification, Validation, Reviews and Audits (IEEE 1012 and 1028)
DG-1055 Software Configuration Management (IEEE 828 and 1042)
DG-1058 Software Requirements Specifications (IEEE 830)
DG-1056 Software Test Documentation (IEEE 829) l -
DG-1059 Software Life Cycle Processes (IEEE 1074)
DG-1057 Software Unit Testing
, (IEEE 1008)
- mwms - e
O _ __
O O
,~5 The revised SRP and new regulatory guides will aid in future reviews (g/
s.,,,,
)
There is no impact on existing systems
- Neither the SRP nor the new regulatory guides are proposed for backfit The SRP and regulatory guides are guidance only New system developers will benefit from identification of acceptable approaches to designing digital systems
- Licensees have a clear path to acceptance of modifications
- Utilities making 10 CFR 50.59 evaluations have more information upon which to base unreviewed safety question determination 9610 G25 mc 9
l , ;l1i ! l l! (ll!
i ! l! :? k
= .
-O i.
0 1
g /..
f
- i=\
- f don s ayt e
- ri e x c
n -
et n wle P P r n po ep ea i i R
S R
S i
vm eo f
fl i
d d p l yrt n Ta u or oc t e r c en
- t nd h t e e d h a i st cA ee f g h n yon t
s a s ona t y a i
ee _
mis s h n be c
l nt oac i
sRr y u
- dv o c dn l
agt na
- ne ie e n ac sl
,i nie er t rh ot i i nppd g e avF yoy l
.O me pf o mf r n i i s ta wivt t _
ath e ne sne eg d
e e es t ri f i
de v i
e a ee t p coc d y due v sS n
ss nu l e es be et f
eqr vee i
dod dt r e i
e se l a osb rb n ac e l
cl l
eht i s pui l l aie i
i s w n pswh pit l
n l
w un wo a p pg o yh es e
_ f osn l
l ip wu i ep v
ede u l s t u un e
doe- t r an
- s ro sg r
ei n r ng fopa e n idi ois s n ieo- l v ec ebss eit wa wd en h eh ei rf f i i
i samm n c ee dc r n c ie t pt i
- eic vp pl fel t t o de ep pss i l ee ei e l epyy vp Rd Dwh Fis DaSS
- ep t
Ra
- - - - e
- 5 2
m 2
/
0 1
6 9
- O__ _
- )
p.,-e Section 7.0 describes the overall f 3 i review process .
\,...../
Purpose
- Describes the overall HICB review process n License applications (including amendments) a Topical reports Technical basis
- Documents existing practice U
96m C5 mc
O .
O O :
_.s s.
e 2 Summary of Section 7.0 \, .....
j-r ,
Recetve appfcation L J II g ,, Deterrnene -
appicaton type 1I
$ lli Scope review 1I l
N I
- PP *** " '"*
$ IV acceptable? appicant!!censee Y ;
1I j l
$V Plan review 1I i VI Conduct review ,
1r !
r j issue SER i L 2 12 96101225 rne we -.-
O O O Appendix 7.0-A describes the unique aspects !,, .. ,)
of digital system reviews \...../- .
Purpose
- Overview of the process for reviewing the unique aspects of digital l&C
> Supplements the description of the process for review of The overall I&C system design described in Section 7.0, t
Design criteria and commitments described in Section 7.1, and i
The individual systems described in Sections 7.2 through 7.3.
a illustrates how the review activities interact with each other and with the overall I&C review process
]
i
[
I j
'o101225 me
O - -_ _.
O O :
Appendix 7.0-A outlines an overall /' \
process for digital system reviews \,,,,,/
A n Softwase ide cych process N Acceptte overas planturg confores 1
des M ** Padbace? Y a-. t c,en ,_
padance? p,,,gg,,
2": " -
as ss.:= .
. . + -m> ,,
Coreal System (F F) estunon Data Commumcahon I Y 3,%,,
RTS (? ?) Syndem under 0Y*8 I"0" 88 'YIIIII l'NI !
O cVck process N l m
"Q ESFAS (F 3) ",'
piens?
N D m OLD oesgn eso en Y
A ofISQ#ru8Pm Sam Shutdown Systems (F 4) a i t y tabnnaton Sysk ms imporant t Safety (T 5) '
Nconformswe padance? enerstock Systems imponent to Safety (7 6) openenem Dwerne Actuston Systems (F 8)
ResotAmn Data Commumtaten Systems (Safety)(7 9) a Y i w ,
'I Functocal &
characte ecs or h desgn outputs eso$
i ;
l 96101225 mc 14
[
1
O - _
O O =
-~s,,
Section 7.1 describes the basic acceptance i, 3 criteria and guidance for I&C systems \,,,,,/
i -
Purpose
- Identify systems that should be covered by SAR t
- Identify acceptance criteria applicable to multiple systems ,
- Identify regulatory guides and standards for compliance
- Guide reviewers in evaluating applicant commitments Technical basis !
- 10 CFR 50.55a(h)-IEEE Std 279 IEEE Std 603 and IEEE Std 7-4.3.2 f
- 10 CFR 50.34(f)-TMl Action Plan i t
- 10 CFR 50.62 - ATWS '
q
- 10 CFR 50 Appendix A - GDC ji 9610/225 me l f
L i
t O O O =
-~ ~- '
q ;
i
.p" "*%,,
Structure of Section 7.1 .
Section 7.1 !
i
- Review responsibilities i
- Areas of review
- Acceptance criteria
- Review process -
t
- Evaluation findings t
- Implementation Appendix A Acceptance criteria and guidance
- Summarized in Table 7.1-1 Appendix B Evaluation with respect to IEEE 279 i Appendix C - Evaluation with respect to IEEE 603 i
16 9610/225 me f
O O O '
The review of digital systems follows [N,.. ,i IEEE Standard 7-4.3.2 W...../-
Supplemental Guidance on Digital Computer-Based Safety Systems l
Quality Electromagnetic Equipment System Communications Reliability Defense Emerging (15.3) Compatibliity Qualification Integrity independence (1 5.15) Against Software l (15.4) (15.5) Common-Mode EPRI TR-102323 (15.8) Methods l l Failures IEEE 323 Annex G Software (SECY-93-087)
Software Quality I
- Development-' Design for BTP-14 )
(15.3.1) Integrity Defense-in-Depth
- v&v (15.3.4)- * "d "" '
gTP-Y
- C M (1 5.3.5) Real-Timh Performance Software BTP-21 Quality Software Design for Tools Test &
(15.3.3) Calibration Qualification (1 . 2) of Existing g
Cornpm On-Line & -
(1 5.3.2) Surveillance BTP-18 Testing l PLCs BTP-17 Commercial Grade Digital Equipment EPRI TR-106439 9610/225 me II l___ _
t
O O O '
Table 7.1-1 summarizes the acceptance . \
criteria and guidance for each system .
.....) i For use as a quick reference by reviewers The table is a starting point i
- The criteria and guidance for a specific system may be different depending upon a design characteristics I
)
licensee / applicant commitments i
h I
f i
9610/225 mc 18 i
Appendix 7.1-A outlines the review ' "%.
procedures for each acceptance criteria and Reg. Guide
() 'i
\,...../- i 7.1 -A Sections 7.2 thru 7.9 i CF GDC reference 7.1-A for i
review procedures i 7.1-BIC Reviews start with lEEE 279/IEEE 603 acceptance criteria .
7.1-A provides the road -
t map from acceptance Reg. Guides criteria to more detailed guidance App. 7-A BTPs 9610 /225 mc 19
O O O :
Appendices 7.1-B and C discuss review j~'g against 10 CFR 50.55a(h) (IEEE 279) \,,,,/
The reviewer selects one depending upon the licensee /
applicant's commitments
- 7.1-B for IEEE 279
- 7.1-C for IEEE 603 Compliance with IEEE 279 also satisfies many of the protection system GDC
-- Therefore 7.1-B and C are used in the review process for these acceptance criteria 9610/225 me 20
l l
O O O =
- s, i Sections 7.2 through 7.9 follow a (,M,,S
- common outline 'c..sv/
Areas of Review Acceptance Criteria Review Procedures i
Evaluation Findings Implementation References i
l i
9610rRS a 21 l
O O O "
.. ss., ,
Coordination of reviews is similar for :
all sections
..... / ,
Reactor Systems Branch
- Required I&C functions
- Reactivity measurement and control aspects i Plant Systems fManch
- Required I&C functions l
- Supporting systems '
Mechanical Engineering Branch 1
- Seismic qualification j Containment Systems & Severe Accident Branch
- Required l&C functions
- - Severe accident I&C Electrical Engineering Branch
- Power supply and cable separation
- Environmental qualification i Human Factors Assessment Branch
- User interface ITAAC (Part 52) review described in Chapter 14 9610 /225 me 22
O O O '
s,,,
Summar i, - ;
S Y stem)y of Section 7.2 (Reactor Trip %,...../ t Scope
- Automatic initiation of reactivity control Acceptance Criteria
- 10 CFR 50.55a(h) Codes & Standards (IEEE 279)
- 10 CFR50.35(f)- TMI Requirements
- GDC 1 - Quality ,
- GDC 2 & 4 - Environmental & Natural Phenomena Hazards
- GDC 13 & 19 -Instrumentation & Control / Control Room I;
- GDC 20-25 & 29 - Protection Systems
- 10 CFR 52 - Resolution of Safety issues, ITAAC, interface Requirements, Level of Detail, innovative Safety Systems
O O O "j
.p"' %,,,
Summuy of Section 7.2 (cont.) .
)
Review Emphasis
- RTS design basis
- Single failure criterion
- Quality of components and modules (including software)
-Independence a Between redundant channels i
a Between control and protection
- Defense-in-depth and diversity
- System testing and surveillance measures
- Use of digital systems
-- Setpoint determination t
9610/225 mc 24
o o O '
, %}
The evaluation findings describe the ! !!
conclusions a reviewer should be able to reach ..../
I All acceptance criteria are met '
Typical SER language is provided I
This is typical for Sections 7.2 - 7.9 I
i 9610 /225 mc 25 I
O O O '
,-mm,,,
Summary of Section 7.3 (Engineered Safety Features) g,g/j M.,,
Scope
- Engineered Safety Feature Actuation
- Engineered Safety Feature Control Acceptance criteria
- Same as for RTS
- Also criteria for ESF functions supported Review emphasis
- Same as RTS 961C /225 mc 26
/** "'%,, i Summary of Section 7.4 (Safe Shutdown) ..... ,
i Scope
- I&C for safe shutdown from control room or remote location Acceptance criteria
- GDC 2 & 4 Environmental & Natural Phenomena i Hazards !
- GDC 13 & 19 Instrumentation & Control / Control Room .
- GDC for supported systems (RHR, ECCS, Cont. Heat ;
Removal) '
- 10 CFR 52 i i
t l
9610 /225 mc 27 ;
- - - - - - - - - - - - _ - - - - - - - - - - _ - - _ - - - _ - - - - _ - - - J
o o O f w,,;
Summary of Section 7.4 (cont.) .....
Review emphasis
- Safe & remote shutdown functions
- Single failure criterion
- Independence from protection systems
- Use of digital systems I
- Surveillance test provisions i
?
9610 /225 mc
O O -
O '
, s,,, .
Summary of Section 7.5 (Information Systems) !,g/
\54V 3
Scope
- Post Accident Monitoring (PAM)
- Bypass & Inoperable Status Indication
- SPDS, ERF, ERDS/ protection system independence Acceptance criteria
- 10 CFR 50.34(f)- TMI Requirements
- GDC 1 - Quality
- GDC 2 & 4 - Environmental & Natural Phenomena Hazards
- GDC 13 & 19 - Instrumentation & Control / Control Room
- GDC 24 - Control / protection independence
- 10 CFR 52 9610/225 mc 29
O O O '
f"'%, '
Summary of Section 7.5 (cont.) ,,,,,
) t Review Emphasis ,
- PAM compliance with Reg. Guide 1.97
- PAM support of EOP actions -
t
- Severe accident monitoring i
- Scope of bypass and inoperable status indication
- BiSI conformancre with Reg. Guide 1.47
- Annunciator rall ability
- ALWR annunciator requirements limited redundancy n self-test provisions safety related annunciators in particular cases
- Use of digital systems !
- Independence from protection systems i 9610 T225 mc
Summary of Sec1: ion 7.6 (Interlock (' 3 Systems) . ../l Scope -
- Interlocks credited for preventing events or maintaining availability of safety systems t Acceptance criteria i
- 10 CFR 50.55a(h)- Codes & Standards (IEEE 279)
I
- GDC 1 Quality
- GDC 2 & 4 Environmental & Natural Phenomena .
Hazards
- GDC 13 & 19 Instrumentation & Control / Control Room
- GDC for supported systems
- 10 CFR 52 9610 /225 mc 31
O O O
.s Summary of Section 7.6 (cont.) .....
I .
i Review emphasis
- Interlock functions included
- Single failure criterion
.- Quality of components and modules
- Independence from control systems
- Surveillance testing
- Use of digital systems 9610 /225 me
O O O 'i
,ner.,}
Summary of Section 7.7 (Control Systems) (g/:
Scope
- Non-safety l&C that can affect performance of safety functions Acceptance criteria
- 10 CFR 50.34(f) TMI Requirements
- GDC 1 Quality
- GDC 13 & 19 Instrumentation & Control / Control Room
- GDC 24 Control / protection independence
- 10 CFR 52 9610T225 mc
O O O '
f ... .
?
Summary of Section 7.7 (cont.) ~s.....
Review emphasis
- Design basis
- Safety classification
- Effect of control systems on transients
- Effect of control system failures
- Environmental control for safety systems
- Use of digital systems
- Control / protection independence
- Control system functions credited for defense-in-depth and diversity i
9610 M25 mc 34 l
l O O O : .
Summary of Section 7.8 (Diverse I&C ( g Systems) "%.
Scope
- ATWS mitigation
- Systems provided specifically for defense-in-depth and diversity position
- a Diverse Actuation Manual Displays and Controls Acceptance criteria .
t
- GDC 1 - Quality i
. - 10 CFR 52 t
- 10 CFR 50.62 ATWS I
I f
t 9610 /225 me 35 l
- I
o o o '
, ~%., ;
3 s Summary of Section 7.8 (cont.) i.,...../;
,i -
Review emphasis
- Design basis
- Quality of components and modules
- Surveillance test provisions
- Consistency with defense-in-depth and diversity analysis j
- Power supply availability
- Environmental Qualification
- Independence from protection system
- Manual initiation capability
- Completion of protective action 9610/225 me 36
Summary of Section 7.9 (Data i ..%
Communication) ...../ !
Scope
\
- Communications systems supporting multiple systems i
Other than " point-to-point" cables (e.g., multiplexed systems) t i
Acceptance criteria
- Union of acceptance criteria for supported systems Review emphasis I
- Quality of components & modules
- Software quality
- Performance -
- Reliability t
9610/225 mc
l O O O ll
.. \ !
- o Summary of Section 7.9 (cont.) \., ....../
Additional review emphasis for safety-related data 4
communication .
- Single failure criterion
- Independence between redundant channels
- Failure modes
- Surveillance test provisions
- EMI/RFI susceptibility
- Consistency with defense-in-depth and diversity analysis
- Seismic qualification 9610/225 mc 38 h
O O O '
Appendix 7.1-A contains the Branch ,A Technical Positions \.....
BTP number Subject i Isolation c f Low-Pressure Systems from the High-Pressure Reactor Coolant System 2
Motor-Op : rated Vahes in the Emergency Core Cooling System Accumulator Lines 3
Protection S:~ n Trip Point Changes for Operation with RCS Pumps Out of Service 4 Guidance m esign Criteria for Auxiliary Feedwater Systems 5
Spurious Withdrawals of Single Control Rods in Pressunzed Water Reactors 6
Design of I&C Provided to for Changcoser from Injection to Recirculation Mode 7 b!ot used 8 Application of Regulatory Guide 1.22 9
Reactor Protection System Anticipatory Trips 10 Application of Regulatory Guide 1.97 (Post Accident Monitoring Systems) 1I Application and Qualification ofIsolation Devices 12 Establishirg and Maintaining Instrument Setpoints 13 Replacem< nt of Reactor Coolant RTD Bypass Manifold Temperature Instruments 14 Software Feviews for Digita! Computer-Based I&C Safety Systems 15 Not used 16 Lesel of Octail Required for Design Certification Applications Under 10 CFR Part 52 17 Self-Test and Suneillance Test Provisions in Digital Computer-Based I&C Systems 18 Use of Programmable Logic Controllers in Digital Computer-Based I&C Systems 19 Defense-i t-Depth and Disersity in Digital Computer-Based I&C Systems 20 Not used 21 Digital System Architecture and Real-Time Performance 39
7%
iMR There are four groups of BTPs \W.,,/
- One BTP deleted because now covered in Chapter 18 ,
- Others unchanged except for format and reference to ;
IEEE 603 BTP 10 - 13 reflect lessons learned from operating reactor reviews BTP 14,17,18,19, and 21 deal with digital system issues .
BTP 16 discusses level of detail for Design Certification applications i
1 9610 /225 me 40 !
i S The new BTP's follow a common outline \....../
Background
- Regulatory Basis
- Applicable Guidance
- Purpose Branch Technical Position
- Acceptance Criteria
- Review Procedures References j t
9610/225 mc Ii
O O O -
.f %,
BTPs 10 through 13 address operating '
plant lessons learned (g)i
~%,,,,
BTP-10 deals with lessons learned from implementation of Reg Guide 1.97 (PAM;l
- Acceptable deviations for selected variables BTP-11 deals with the application and qualification of electrical isolation devices in instrumentation circuits
- identifies acceptable design characteristics and test methodologies BTP-12 deais with lessons learned from implementation of Reg Guide 1.105 (Setpoints;l
- Adequacy of setpoint calculation methodologies BTP-13 documents staff position on cross-calibration of RCS temperature detectors
- Acceptable methods and impact upon setpoints 961C /225 mc 42
o O O t!
4>
BTPs 14,17-19, and 21 deal with g i digital topics .,,..f BTP 14 describes the review of software
- Criteria for planning, process, and design outputs BTP 17 discusses self-test and surveillance test features !
l
- Criteria for types of tests and constraints on tests BTP 18 discusses considerations in the use of PLCs
- The use of PLCs may simplify design activities BTP 19 describes the review of defense-in-depth and diversity analysis
- Key points in evaluating level of diversity provided BTP 21 discusses topics for consideration in l confirming real-time performance
- Architectural considerations and timing demonstration 9610 f225 mc 43
l I Review of Digital Systems Using Updates SRP Chapter 7 f
i i
Presented to:
i 4 ACRS October 8,1996 I
,+ .m,_
. I Jared S. Wermiel, Chief instrumentation and Control Branch Office of Nuclear Reactor Regulation (301) 415-2821 .
JSW1@NRC. GOV l
o
i iQ $
2 l
OmC 4~
! @o e O
.u t
Et .O N bOU i .O
- O ~ t l T cEt O e
! 4 E 2e l
1 2* U @ oo aC w %
i
< OC >. 'O O i
X .o .9
- e2 o
- 13 l
i e ef o
y 3 e
2.
.9 *
- o De I
o-u) 55e" U D* 22 Z
eE 9 a 0 2 g2 o S b
! EE k Et O we 3 z ** 2> eO a O-O
~
lO
- o oE CO e ww Oe eg w
O
.=h Um -
}
0 wa vC l
j 5(
p 38ac e
n ey e2
.e c9 OE
! e 'c .E e i
W 0) w 2 $U eC gc @e 258 l W ot Re.3O
' W f'a 5 .c E Ed .$ $
y o O 1 d S M O O-Q- O b h- IY -
a a ==
@@s $ j O
a' o$f M
SD 9$
o?
A
.5 0 0 g .O U h 4 cd K he ?*E Oe,$f !
=
'$ @ e wow o $
- ~ s, .
a e a3 ; r f *
- et m .sO ag j Tw
! i -
. *e ir *U og O ;
%% e*"
o- 3 1 h
l g$
@ - - ' l
_t
,I0 O l
1 i
o f ~s .e.,
O O 'i
, o o., j ACRS PRESENTATION ON SRP CHAPIER 7
+.,. . . . . s~
- New plant Designs SRP Section 7.0, Ill.A Design Certification and Construction Permits o General system requirements per IEEE 279 or IEEE 603 (refer to Section 7.1 and Appendix 7.1-B or C) and acceptance criterio / guidelines (refer to Table 7.1-1) o System specific requirements and acceptance criterio /
guidance (refer to sections 7.2 thru 7.9 as applicable) i o Digital system design process (refer to Appendix 7.0-A) o ITAAC (Design certification reviews only)
I Jerry wermier, chier imirunwniation and controls Branch Page 3 October M,1996 4
i t
a- f7 lO w %
l
$ v C -
e w l
.h a
e m b V A
b e V C Z C Q.
C O 4 C *
- i -
3 9 5
! l E % A
< O y
$ k X U S h C V e e i
O N w 1 8 ~
! W e V
- e C e C
m w c
- O
- U l ~
e #
- 4 o V O N g
- i 3 M Z m f O
~
.O
,]
1 O =
C O -
E N l
b E O
$" O o
e e l
i h a %
e % e v O O< o 9 Cd om C
=<*
.O g O i
W ; =
'
- OC * ,
U E l
2
& o' EX C D
- N E g eC Ox O a
/ >~V o l
@ C Eea g !
O e i E Goa O i G $e < - 4 ?
i I
- $2 SE M< w<
(e
'g o
l' r " ~ ~,,,,*
a.
l . cc
- < l
- O O 9 $
u D
- %,inse/
4
!O D
_t i
o o o ;;
~
i' ) x 's i
....!j ACRS PRESENTATION ON SRP CHAPI t_R 7 e Operating Plant Digital Retrofits SRP Section 7.0, Ill.C o General system requirements per IEEE 279 (refer to Section 7.1 and Appendix 7.1-B) and acceptance criteria / guidelines (refer to Table 7.1-1) o System specific requirements and acceptance criteria /
guidelines (refer to Section 7.2 thru 7.9 as applicable) o Digital system design process (refer to Appendix 7.0-A) i u,,, we,n,ei. chief. Inummentatii>n and Ctimmis tiranch Page5 October H,1996
l O O O ,
fs .l
,, ,, ACRS PRESENTATION ON SRP CHAPil-R 7 e RPS Digital Modification Review of design process per Appendix 7.0-A o General guidance in R.G.1.152 (IEEE 7-4.3.2) j i
- New R.G.s (IEEE 1012,1028,828,1042,830,829,1008, 1074) provide additional guidance on various aspects of software lifecycle ;
- Additional guidance in BTP-14 Review of design against IEEE 279 per Section 7.1 and Appendix 7.1-B o System architecture, redundancy, environmental qualifications, testability l
Jerry Wermici. Chief, Instrumentation and Controls Branch Page 6 October 8,1996 e
4
O ,f g O O ?
, ACRS PRESENTATION ON SRP CHAF>l t-R 7 Review of system specific requirements per section 7.2 o Defense-in-depth and diversity (BTP-19) including compliance with ATWS rule (section 7.8)
Scope of review is left to reviewer discretion based on complexity of design, previous approval of similar design or topical report, or unique aspects of design (refer to Section 7.1)
Some review approach applies to any digital safety system '
modification with exception of system specific requirements (refer to applicable Section 7.3 thru 7.9)
Jerry Wermiel, Chief, Instrunentation and Controls Branch Page 7 October 8,1996 !
i
.E O O O =,
REVIEW OF BWNT STAR SYSTEM Presented to:
ACRS October 8,1996
,p** "%,
PaulJ. Loeser !'
Instrumentation and Control Branch Office of Nuclear Reactor Regulation (301) 415-2828 ;
PDL@NRC. GOV
- - - - - _ - - - - _ _ - - --- _ - - _ - _ -- - - - - ----- - -- --- _ - _ --- _ a
O
,f"'%,, .
O O '\
( j ACRS PRESENTATION ON STAR SYSTEM '
l s, .....f .
The STAR System Reactor Protection System Digital Upgrade e STAR Module o Four channels with two different microprocessors per channel e Support components o System Monitor Computer (SMC),
o Calibration and Test Computer (CTC) o Serial Data Bus isolation Module (SBIM)
Paul J leeser, Instrumentation and Controk firanch Page 2 October M.1996 f
O O O
,-. .s, ..
) ACRS PRESENTATION ON STAR SYSIt.M r ,
o S TA R o
@ epi _
@ P2 a @ @,@ ouNT eOwER OTRIP RESET t D. = 32 0
@ e 1. Hi RC PRESSURE
@ e 2. HI NEUTRON FLUX
@e 3. POWER OFFSET
.Oh e 4. PUMP STATUS O OPERATE TEST TUNE CAUBRATE 3
', % y23 b O b e[::::::::::::::::::.)e o sessunsas o e hs '
STAR Module Front Panel l'aul J Iveser, instrumentation and Controls liranch l' age 3 October H.1996
?.
l
p p p :
V V
,p= ag , .
, ) ACRS PRESENTATION ON STAR SYSTEM FRONT PANEL BACKPLANE CONNECTOR DIGITAL BUS BOARD g'f ~
i
/
FIELD I/O BUS BOARD T
6%
C g h COMMUNICATION / POWER SUPPLY BOARD [
( --
<( x h COMPUTER BOARD [ ] ]
4 Z ,E E
( Z 4 Z
) DISCRETE I/O INTERFACE BOARD 1 [ ] ]
-h J- =B MEMORY BOARD g ]
b, 3 DISCRETE 1/0 INTERFACE BOARD 2 [ N 5 E E g p ) ANALOG 1/O INTERFACE BOARD [ _
k ] TEST INTERFACE BOARD [
l _
3
{
N \
" FRONT PANEL BOARD ( METAL FRAME STAR MODULE OUTLINE l'aul J Iveser, instrumentation and Controls Hranch Page 4 October M.1996
- - - ~
M UG(,,, e
+ 0, e .
i i ACRS PRESENTATION ON STAR SYSTEM
/
M TEST Y
SIGNAL PROCESSING PATH 1 18UrrERl r- - - .
,o,A 1
==
xx uuttiPtExEn&RTER f b (1 Of )
usi l dRi i i
____m,,________
i 21% , -I ?,r +v guS;_
7,,u", c eI ! F,<u, - L _ _ __ _ _J IQp 77,,
inn c : ~ra -
7 y >- = -
[Q [ y_y,,
o Or m = us1 m1e
_ _ _ _ - - - - _ .9 ,
, , _ , ,0 ,1
"" 7 i ,,
- cinh ,
- T PL's" caggga tsour. s"P
+ wuttiptExER ~
CONVERTER l l OuAL P
j -
L___._.______________J a,RT Test ac'Av SIGNAL PROCESSING PATH 2 h+v menArE
- TEST
_ i _TWE OPERATE STAR Module Architecture Star System Inherent Diversity:
I*aul J, tveser, Instrumentation anti Controls Hranch l' age 5 October M,1996
,~~m,. ...
( ) ACRS PRESENTATION ON STAR SYSTEM s, .....f Hardware .
IEEE Std 279-1971 (SRP Sections 7.1 and 7.2 and Appendix 7.1-B? ,
e Hardware design:
o system architecture and system specification - redundancy and testability o signal paths were traced i e System operation:
o normal operating conditions o emergency operation (trip conditions) o hazards analysis l'aul J. leewr. Instrunrntation and Controls llranch l' age 6 &tober M,1996
O O f-..,
O .
i j ACRS PRESENTATION ON STAR SYSTEM
's ...../
i Environmental Qualification :
- 10 CFR Part 50, Appendix A, General Design Criteria 2 and 4 o design basis for protection against natural phenomena '
o temperature and humidity (IEEE Std. 323) o seismic (IEEE Std. 344) o radiation (IEEE Std. 323) o electro-magnetic and radio frequency interference (IEEE Std. 344, '
MIL Std. 461C, SAMA PMC 33.1) u . A WT, ns TUUrn a 100 and ContfOl5 firanch Pap 7 (kusM 8. IW6
O O O 'l
,,- -..s .l
(, ,,) ACRS PRESENTATION ON STAR SYSTEM Software -
Reg Guide 1.152, IEEE Std 7-4.3.2-1982 (SRP Section 7.1 and BTP HICB-14) e Software design process (quality):
o software requirements specification (IEEE Std. 830) o verification and validation program and results (IEEE Std. 1012) o software quality assurance plan (IEEE Std. 730)
O code development documentation o problem / error reports and resulting corrective actions o configuration management program (IEEE Std. 828) l'aul 1 1;>eser. Instrumentation and Controls Brant h PageM October 8,1996 s
O O O
/. ...,\ -
i, '! ACRS PRESENTATION ON STAR SYSTEM i s,.....f Thread Audit e traced the software implementation for a selected function from the equipment specification and development of the functional requirements to the writing and testing of the code o reviewed the actual sections of the code for this function, O examined various software development documents:
- software specification
- V&V report '
- problem reports Paul J. Imescr. Instrurnentation and Controls Branch Page 9 October 8,1996 f
i O
O Q
,,f, -. ., .,. ,
kg f) ACRS PRESENTATION ON STAR SYSTEM e process was assisted by the BWNT compliance matrix o showed for each stage of the documentation where each requirement was to be found o matched system specification requirements to the code and test documentation o allowed a rapid check to confirm that each of the functional requirements had a corresponding section in
- Software Requirements Specification
- Software Design Description
- Source Code Listing
- Safety Analyses t
- Verification and Validation Report
- Test Report.
Paul L loeser. Instrumentation and Controle Branch PaFe 10 October M,1996
O ,.....,
O O .
g' *a
(, j ACRS PRESENTATION ON STAR SYSTEM Diversity ,
(SRP Section 7.8 and HICB-19?
The staff confirmed that:
e protection functions processed by two different safety function processors O different microprocessor manufacturer o wire "or" output, either microprocessor can trip system .
i o diverse software
- each processor software requirement specification, design description and source code was developed independently
- written by diverse software teams
- used different compilers emo n u m ,.iosim,oco .ix,o .oa cooi,oisii,moen e ye ii <xione,s.i9es
O O O i
,.,. ACRS PRESENTATION ON STAR SYSTEM Conclusion e Hardware design meets IEEE 279 and GDC 2 and 4 for redundancy, testability and qualification
- Software design meets Reg. Guide 1.152 for quality e Adequate diversity provided by two different microprocessors per channel l'arl J. leeser, instrumentatmn and Controls Isranch Page 12 October 8. lW6
j'%
M I F R AM ATO M E TECHHOLOG1ES Integrated Nuclear Services JHT/96-38 May 30,1996 l
l Mr. Paul J. Loeser Mail Stop 08H3 l U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation l Instrument and Controls Branch Washington, DC 20555-0001 I
Subject:
STAR Calibration and Test Computer Software Error 1
Dear Mr. Loeser:
l Recent testing of the Calibration and Test Computer (CTC) was performed by FTI to O octermi#e the rea o= ror a prodiem rece#iiy ou ervea at oco ee aerei# trip aata ouia sometimes not be displayed after a module trip when testing from the CTC Module Trip Test screen. During the testing at FTI, a software fault was discovered that can impact the validity of test data generated by the CTC that verifies the trip status of each of the two diverse safety function processors in the STAR Processor Module. This fault exists in Version 2.0 software presently installed at Oconee and Version 1.9 originally supplied for Oconee Unit 3. Presently, Oconee Units 2 and 3 are the only plants using this software.
This fault does not impact and is isolated from the safety function of the Processor Module.
Descrintion of the Problem One of the safety related functions of the CTC is to provide automated trip testing of the STAR Processor Module. This operation is performed with the module off-line in the test mode. The two test objectives are (1) to verify that the module trips at the correct input conditions, and (2) to verify that each of the two diverse safety function processors issues a trip command to the 1 out of 2 hardware voting logic in the module. Test objective 2 is necessary because one safety function processor can trip the module regardless of the state of the other safety function processor, so that merely observing the module trip output does not provide verification that both processors have tripped. A fault has been detected in the CTC software that can prevent the CTC from providing valid information required to verify that both diverse safety function processors in the STAR Processor Module have issued a trip command to the 1 out of 2 voting logic (test objective 2). The CTC does provide valid data O to verify that the medeie tries at the correct iegut conditions < test eb;ective >>. Tais i 3315 Old Forest Road, P.O. Box 10935, Lynchburg, VA 24506-0935 Telephone. 104-832-3000 Fax: 804-832-3663 l i
l
i
' N.
because the data shown is correct for the l'irst processor that trips, or for both processors if O they trip at the exact same test input values. However, if both processors do not trip at the same test input values, then the data will be valic! only for the first processor that trips. The fault only affects testing done in safety channels 2, 3 and 4 using the Module Trip Test screen. The above fault does not affect testing done on safety channel I using the Module Trip Test screen. Data obtained using the other screens available on the CTC is valid for all four safety channels.
Recommended Resolution This discovery has been documented in a Preliminary Report of Safety Concerns and is presently being evaluated at FTI. The software fault will be corrected and the new software, Version 2.1, will be installed in the CTCs at Oconee. In the meantime, we have recommended to Oconee that they test the Processor Modules used in channels 2, 3, and 4 of 1 the reactor protection systems to verify that each module is being tripped by both safety l function processors. Oconee has been given a procedure for performing this test for all l channels using the CTC in a way that circumvents the software problem and provides valid !
trip data for both safety function processors. :
I Should you require additional information regarding this issue, please call me at (804)832- l 2817 or Jim Scecina at (804)832-2922 in our Lynchburg offices. !
Very truly yours, O ,c
'l Ocw%
J.H. Taylor, Manager Licensing Services i
JS/
c: J.G. Brown - Framatome Technologies /MR9 J. Scecina - Framatome Technologies /OF46 O
O O .
O
. ~.
d i
, +
- +.,. w ;,,-
e.---- - . .. .
1 i a f ....,'o, l f ! i 5 I c
s ,
, s.,
- .< LIGHTNING PROTECTION AT ,
NUCLEAR POWER PLA~N TS ,
Presented to
_I ACRS Joint Subcommittees on I&C Systems and Computers l
l 4
and Electrical Power Systems "
l I
sf by
- Satish K. Aggarwal
-; Electrical, Materials and Mechanical Engineering Branch Division of Engineering Technology i
Office of Nuclear Regulatory Research i (301) 415-6005 i
i
' October 8,1996
- ?g$ir. uct .
h,{r("/[idi 4rc t
O.- O -
~ 4 k gl .h @Q _;
g i,
, gg ff .~o,'o, t io, &
i LIGHTNING PROTECTION A TNUCLEAR POWER PLANTS '
i l
+.,...../ .
. I I
i OUTLINE <
d M. 1. B A C KG RO UN D--------------- -- = = = = - - - -- = ------- -===---=--=------3 ,
I h.. 2. TEC HN I C A L I S S U ES------------------- - -- - - - -
-- - - - - - - - 4 y ,, ,.
i 3. REGULATORY REQUIREMENTS------ ---- -- ---7 ;
- 4. STATUS OF USER NEED REQUEST-- -- --------- - =-- -
---14 ;
l 5 . F U T U R E P L AN S ---- - -- = = = = --------- = = = = - = = = -------------------------- 1 5 t
^dt 9
~
.TN
- v. -
, O .O' . .
j .F "P f ,,
i
- LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS s
e., * " * * /
l '
BACKGROUND i
ACRS agreed with the staff's conclusion that current operating l
' plants are adequately protected at this time, and that rulemaking is not needed.
x ACRS noted that the staffis reconsidering developing a regulatory guide on lightning protection.
ACRS recommended that the staff endorse industry guides and standards to the extent practical.
i 3 1
~, e . ;
~AA -e e.~=~=b
..g -
., . -- m. _ m.,_.- -
q ~~ >. - .
l
IPf$$M . . * $
O. .,
- m. O. ' , - , .
i
- gter,y, p
_ :l m.._, .m g _ . _m
- .=m. _ . _ =,,._ -
__.m,,.,.....__. _
l ,s "%,,
- e ;
I R
io, G i LIGHTNING PROTECTION A TNUCLEAR POWER PLAN 13
- +., . . . . . / -
g i
+ TechnicalIssues ,
, j i
- 1. What are the industry practices for lightning protection and mitigation L
at nuclear power plants?
- Design Considerations -
- Grounding and Shielding ll
- - Application and effectiveness of surge arrestors to protect systems, '
- structures, and components against the adverse effects of fast ,
i electrical transients.
[ .
4
? ,
f i I
m,. 4 !
y i
~w + m ~>e -w-*=---
9 ;,. r,.....,- - + .-_ :;- w . -n a. .n . -
- g. - - -
g !
~ ~!.t 2: l-
,pq'f. &'
% .4 44 . g2
. w ,.. . . . . ,,
e go -
~~
- s. .. x , - - -
. . , , n. . . , , , ,, , . _ , . . . w.., . .. um.,n ,
~
/,...,\
i 1 is )
c LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS
+.,...../
i 5
! TechnicalIssues (Contd)
- 2. What has been the industry's experience with regard to lightning strikes, direct and indirect, and propagation of .
electrical transients affecting plant systems, t structures, and components? What is known about the characteristics of lightning transients (conducted and radiated)?
- 3. What lessons have been learned and generic corrective actions taken in response to lightning induced failures at
., nuclear power plants?
o
. 5 3o :
. - . s. - -. .-
[t l _
m
, Y ..
rs . ;e
. , .d TP e -
j& . .. -- . . ~ . .
t / p .... , *.,
.: i.,
a i LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS -
6
+...../ l I
TechnicalIssues (Contd)
- 4. What codes and industry standards and criteria are used for r } protection against lightning at nuclear power plants?
- 5. What precautions are being taken to guard digital I&C systems against lightning transients? ,
l 6. What are the current industry's practices to guard against fire and loss of fire protection due to lightning?
l; I
E a
~l i .- c .,,-,_a.....w.~. . -s . .- m . . ,+ w . . .. &
h; .1 #3)
Mikg . - s
. x. ..,,.o..
}I*f ; .M
- < .> OO -[
t
,1 ' -
Steg
/ \ ;
i, l LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS t
4 :
Regulatory Requirements 1
, GDC 2: Design bases for protection against natural phenomena...
l
- - Requires appropriate consideration of the most severe -
natural phenomena that have been reported for the site, ...
1 Lightning is a natural phenomenon i
Frequency of thunderstorms t Severity
, > l
- Protection Measures for Preventing Adverse
-l Effects of Lightning 7
- 4 t
- .w~-t..---w - -w m,
- w-a: .>-si ., a . . ,. , s ~ . r =, c -t ~ r wa. ~ j
'ih
- g ,4.
. . ; 3+
. . %'C5
g
.g ,
m.4.t . .
- y. __ , , . _ .. m. _.
4 . . . .. . _ . . . __
? fa ....,'o, e s
, iO, E i LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS
., . . . . . /
, l Regulatory Requirements (Contd)
GDC 3: Fire Protection One of hazards posed by lightning is fire. l:
SRP Section 9.5.1.c.l.c.4, July 1981, states, in part: -
- ' The effects ofligntning strikes should be included
, m the overall plant fire protection program.
l SRP Secion 9.5.1 references NFPA 802-1974, which states, ;
" lightning protection should be in accord with NFPA Std 78-1968, Lightning Protection Code." :
IEEE Std 142-1972, Recommended Practice for Grounding of
+
Industrial and Commercial Power Systems, which addresses j lightning protection for power stations and substations, references NFPA 78-1968. 8
..-.r . .-g- i 4- . N+>h' . - +
.m 1 t i l
pq ' ' e ' <~ ~
"s .
M~ ! '- ^' - 7 ... ; 2 M- 4 ti G .a . , mms s a sT4 .. L ; *r i :X a . . ' *F ~ - .4 N i
i e,r "%, : '
is c
? LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS 4
4.,... .. / .
i Regulatory Requirements (Contd) l Requirements for lightning protection of structures were not explicitly called out - because basic industry-wide practice y and generally accepted design practice.
- j. Basic design principles for protection of electric power, control and instrumentation systems from the effects oflightning include consideration for:
(1) High Voltage Spikes (2) Direct Hit (3) High frequency electrical transients propagating into the plant from the transmission line or switchyard, electrical distribution sytem and I&C systems.
- i i
n 9 ,
.y , -wy, ,
aq
., - M ._ r, -n,_.
- y . , .
.r. . .. . - .,._,3 . ,. m.. . ,. .
j i ( l DW. g4,ga' at A +s j
~
O~.. O. + ,
.O m.., .. e' guA 4 . ,....-m.,. m , . .s ..,__.,m,....x,._ , . . , ._.s.,. m,_,_._
j, a
/ja ncg'o,
! 4
< .- e is LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS s
i RegulatoryRequirements(Contd)
(4) Ground potential rise: induced voltages from both, capacitive and electro-magnetic couplings affecting transformers and other equipment and systems' performance.
Regardless, whether the mechanism is GPR, EMI, or a combination of these and ;
other phenomena / mechanisms, protection ofI&C from such effects is covered by GDC 21, GDC 22, and GDC 23. -
i l
[GDC21 - Protection system reliability and testability; -
GDC22 - Protection system independence; GDC23 - Protection system failure modes]
Effects of GPR/EMI are mitigated by design features, such as surge protectors, insulation coordination and grounding and shielding. : i
%.x
. 10 _
n
, c . . ..,-..nn,..~....+, . .c... -i(- .
, =- . - . ,- - . ~ , . .ir, n ;
'111p.-
,p N '
gg
- .< Y s ' y . ., s .. . a.2 ;
~
O y" w O .
O
- 3. 1:,.
. . .+ : #, . ,
t f ,f'"*%,
i !
s i0,
)
G LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS
- s.,.....f Regulatory Requirements (Contd)
GDC 17: Design bases for electric power systems 4
. - on-site electric power system b - off-site electric power system
+ Lightning is one of several causes of the loss of off-site
,9 power. 1 i
! Lightning strikes to the switchyard - loss of off-site power as j well as on-site power. Prevention of such event is implicit m
. GDC17.
l RG 1.32 provides guidance for licensees for complying with
, GDC 17. It endorses IEEE Std 308-1971," Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations," which I I identifies lightning as a design basis event. ;;
I' m .. ., . .- . . . . . . , - _ , _ . . _ ,
Qe
' -R ow m*
g-
.h t P?.it ' ' ,#
- u. g O.
,.m
.O oR ;
I
"~.
b ',
,f***%,
t ? \
i, l LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS ,
++, . . . . . / i i
i RegulatoryRequirements(Contd) l
,.. . NRC INSPECTION MANUAL 93807:
i
" Systems Based Instrumentation and Control Inspection,"
~
_ discusses effects oflightning induced surges on instrumentation and control systems.
f 12
~
a
{ --~. _n .- .. .- +. +.
, .c .: _ . .-
isaw
_------a
gr
...r.
O 19 O - O. ..
i f....,\
l I
E, ) LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS s .....e Regulato,y Requirements (Contd) 4 ;
Fire-Related:
GL86-10 " Implementation of fire protection requirements require that
- effects oflightning strikes should be included in Fire Protection Program."
NRC Inspection Manual 88055, " Fire Protection" requires provision should be made for lightning protection.
SRP 9.5.1, " Fire Protection Program," effects oflightning strikes should be included in the overall plant Fire Protection Program.
i t
13 f 2 4 . .
+ .V + e IS Ik .
l
,g.., O. - .
O ,- O. ..
a
-a
~
s l
- /f...s\:
o C LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS f S., . . . . . /
UserNeed Request:
1 Objectives for development of a regulatory guide -
a b
(1) Provide guidance for lightning protection for all plant structures
, and components including switchyard.
(2) Endorses industry standards, as appropriate (3) Provide for application of these standards (ground grid resistance, overhead group wire shielding, lightning arrestors.)
4 l
14 m
, a .: '
m
- r:. +. ...m_, c m m .m.- ..m -- . . i.
~ . .
- , c u$t
~ -lhI Y >'h: $ '
,. n , EV ,irf??
I+
l
___ _ - - - - - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____ ________.____________ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _J
O Os.+,,
~
O. .
- r. . . .
f *%,,,
t .: LIGHTNING PROTECTION A T NUCLEAR POWER PLANTS s s Preliminary Schedule for the Development of the Regulatory Guide.
Initiate Development Jan 1997 Review by ACRS/CRGR Sept 1997 Issue Draft R.G. for Public Comment Dec 1996 Resolve Public Comment June 1998 r
- Review by ACRS/CRGR July 1998 3
Issue Final R.G. Dec 1998 5
1 i
! 15 e os. x - ;,
, , . a . swm- i paWmmpun -mM ' a 2+
- e -- - A "' 4 *r +- .v 4 X' ~
ir***~ * 'E b~ 4 M W ' ---- W
[ *>-4 .
____--._.._,___m. . _ .- ~..._. _ _ . _._ _ _ . _ .___. _ __._ _._._____ _ __
h IEEE Nuclear Standards Related to Lightning Introduction a Lightning needs to be considered in safety IEEE Nuclear Standards Related system design.
I to Lightning a Detailed guidance exists in the industry.
+ IEEE 1050, " Guide for Instrumentation and Control Equipment Grounding in Generating Stations."
+ IEEE I100," Recommended Practices for Powering Wesley W. Bowers and Grounding Sensitive Electronic Equipment."
Vice Chairman + IEC 801 series ofstandards provides guidance on IEEE Nuclear Power Enginecting Committee testing.
m Current IEEE nuclear standards provide links to I detailed guidance.
l l IEEE 603, Section 4.7, Design Basis IEEE Nuclear Standards Document "the range of transient and steady.
m IEEE 603," Standard Criteria for Safety Systems state conditions of both motive and control for Nuclear Power Generating Stations." power and the environment (for example,
.g * * " "'**E""""'
a IEEE 7-4.3.2," Standard Criteria for Digital hum.E idity 'pressure,
, #9"*"##'
vibration) during normal, Computers in. Safety Systems of Nuclear Power abnormal, and accident circumstances throughout Generating Stations."
which the safety system shall perform."
a Enhancements in progress.
Revision being ballotted adds EMI and RFI to the list ofexamples.
IEEE 603, Section 5.5, Integrity IEEE 7-4.3.2, Digital Computers "The safety systems shall be designed to .. .
accomplish their safety functions under the full
"
- I*'#"' "*#E"'I
+ ntains a spec (ic nienti n TE.W range of applicable conditions enumerated in the e Annex C, Electromagnetic Compatiblility desigh basis."
+ Guidance for design found in IEEE 1050," Guide for Instrumentation and Control Equipment Grounding in Revision being ballotted adds, Generating Stations"
" Additional criteria for safety system equipment + Guidance for testing found in IEC 801-5.
employing digital computers and software or " Electromagnetic Compatibility for Industrial Process Nicasurement and Control Equipment Pan 5: Surge firmware are found in IEEE 7 4.3.2-1993.=
immunity Requirements" h
l Wesley W. Bowers l l
O O O "l L
, PRESENTATION TO ACRS SUBCOMMITTEES ON I&C SYSTEMS & COMPUTERS i AND !
t ELECTRICAL POWER SYSTEMS l t
I f
i BNL RISK-SCREENING STUDY l BY i
FRANKLIN COFFMAN RES/ DST /CIHFB I
i I
I t
[
OCTOBER 8,1996 !
t i
a .-
O O o BNL RISK-RANKING STUDY CONTEXT e Evaluated relative effects on risk from stressors e EMI event frequency estimated by lightning reports ASSUMPTIONS e Reported events have potential to fail I&C e All I&C fails simultaneously e I&C failures remain undetected until next surveillance test RESULTS e Bounding assumptions and available data limit results o
Vibration, humidity at low temperatures, and temperature itself appear unimportant {
+ _
__