ML20133A333
| Field | Value |
|---|---|
| Accession number | ML20133A333 |
| Issue date | 12/23/1996 |
| From | Mckenna E NRC (Affiliation Not Assigned) |
| To | Matthews D NRC (Affiliation Not Assigned) |
| References | PROJECT-669 NUDOCS 9612310052 |
| Download | ML20133A333 (88) |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

December 23, 1996

MEMORANDUM TO: David B. Matthews, Chief
Generic Issues and Environmental Projects Branch
Division of Reactor Program Management
Office of Nuclear Reactor Regulation

FROM: Eileen McKenna, Senior Reactor Engineer
Generic Issues and Environmental Projects Branch
Division of Reactor Program Management
Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF NOVEMBER 19-20, 1996, MEETING WITH THE ELECTRIC POWER RESEARCH INSTITUTE (EPRI) AND UTILITY GENERIC PLC QUALIFICATION GROUP ON QUALIFICATION OF PROGRAMMABLE LOGIC CONTROLLERS (PLC)

On November 19-20, 1996, representatives of the Electric Power Research Institute (EPRI) and the Utility Generic PLC Qualification Group met with representatives of the NRC staff. The agenda for the meeting is given in Attachment 1. Attachment 2 provides a list of meeting attendees.

The purpose of the meeting was to review comments on the revisions to the EPRI PLC document. This document is part of EPRI's program for qualification of programmable logic controllers for application in safety systems in nuclear power plants. The NRC staff and EPRI had met on this program on September 9-10, 1996, to discuss NRC comments on EPRI's draft requirements/guidance document. Revision B, together with the summary of comments on the draft (Revision A), both dated 10/15/96, had been reviewed and comments returned to W. Sotos prior to this meeting. The NRC comments that were still considered as open, and therefore requiring further discussion at this meeting, are given in Attachment 3. A new revision (Revision C, dated Nov. 4, 1996) had been prepared by S. Levy Inc. and was presented at the meeting as the document for discussion; this document is given in Attachment 4. This revision contained changes associated with issues related to dual and triple redundancies as well as proposed resolutions of comments on Revision B that had been received by the end of October. Comments made to both Revisions B and C will be incorporated into Revision D, which was to be sent to meeting participants by December 9, 1996. By December 16th, comments on Revision D were to be sent. By December 17th, participants would receive the agenda for a conference call on December 18, at 11:00 CST (12:00 EST), to resolve any remaining issues.
D. Matthews, December 23, 1996

The two day meeting was very productive and the majority of the comments received were satisfactorily resolved.

Proposed Resolution of Specific NRC Comments

Three NRC comments required some specific proposal from the NRC for resolution. Two of these are given in Attachment 5. These proposals were presented at the meeting and were accepted. The third NRC comment dealt with the response time for RTD Input Requirements as specified in §4.3.2.1.3.G, which refers back to §4.2.1 where the response time is defined by Figure 1. The NRC requested time to discuss this matter with HICB personnel directly involved with response time testing criteria and planned to submit a proposed resolution to W. Sotos the following week. This proposed resolution is given in Attachment 6.

Attachments: As stated

Project No. 669

cc: Mr. Gary Vine
Senior Washington Representative
Electric Power Research Institute
2000 L St. NW
Washington DC 20036

DISTRIBUTION: See attached page
Document Name: G:\\emm\\MSUM1119.96
To receive a copy of this document, indicate in the box: "C" = Copy without attachment/enclosure, "E" = Copy with attachment/enclosure, "N" = No copy

| OFFICE | PGEB (E) | SC:PGEB (E) | BC:HICB (E) | BC:PGEB (E) |
|---|---|---|---|---|
| NAME | EMcKenna | FAkstulewicz | JWermiel | DMatthews |
| DATE | 12/__/96 | 12/__/96 | 12/4/96 | 12/__/96 |

OFFICIAL RECORD COPY
DISTRIBUTION: Mtg. Summary of November 19-20, 1996 w/EPRI dated December 23, 1996

Hard Copy: Docket File, PUBLIC, PGEB R/F, OGC, ACRS, EMcKenna

E-Mail: FMiraglia, AThadani, BSheron, RZimmerman, TMartin, FAkstulewicz, JGallagher, DSpaulding, JMauck, JWermiel, JStewart, TJackson, JHWilson
AGENDA

November 19, 1996
- 8:30 a.m. Introductions and Distribution of Pre-submitted Comments
- 9:00 a.m. Discussion of Comments for Resolution
- 4:30 p.m. Adjourn for the day

November 20, 1996
- 8:30 a.m. Continue Comment Resolution Activities
- 10:30 a.m. Dual/Triple Redundancy Review/Comment Session
- 1:30 p.m. Discuss strategy for closing out open items and format issues
- 2:30 p.m. Discuss strategy for qualifying and implementing PLCs; identify guidelines needed by utilities to accomplish this
- 3:30 p.m. Set date for next meeting and wrap-up
- 4:30 p.m. Adjourn
LIST OF ATTENDEES - NOVEMBER 19-20, 1996 MEETING, NRC AND EPRI

| Name | Affiliation |
|---|---|
| Jim Stewart | NRC/NRR/DRCH/HICB |
| Al Ostenso | S. Levy, Inc. |
| Nicolas Henry | EDF-DER |
| Patrick Salaun | EDF-DER |
| Joseph Naser | EPRI |
| William Sotos | HCI/HL&P |
| Larry Erin | Westinghouse |
| Terry Jackson | NRC/RES/DST/CIHFB |
| John Gallagher | NRC/NRR/DRCH/HICB |
| Deidre Spaulding | NRC/NRR/DRCH/HICB |
| Ron Churlik | Centerior Energy |
| Joe Ruether | Northern States Power |
| Jay Amin | TU Electric |
| Ken Caraway | Duke Power Co. |
NOTE TO: W. Sotos
SUBJECT: NRC Comments on Proposed Resolution of NRC Comments on First Draft of Requirements Specification
FROM: J. Gallagher
DATE: November 12, 1996
CC: J. Wermiel, J. Mauck, J. Wilson, J. Stewart, D. Spaulding, J. Peralta, T. Jackson

We have reviewed the proposed responses to the NRC comments on the first draft of the document "Requirements Specification for Qualifying a Programmable Logic Controller for Nuclear Class 1E Service" that was prepared by S. Levy Inc. and find that the following are still considered as open, i.e., the proposed resolution requires further discussion. As you requested, this response is in WP 6.1. The headings in the first two columns were taken from the S. Levy table given in their Oct 15, 1996 mailing.

Seq/Item | Pg/Section | Reason that item is still considered as open

39/T-039-JG | 8/4.1.1
The major concern is the use of an operating system that has provisions for event based interrupts and other programming features such as multi-tasking that can result in a non-deterministic program control structure that in turn results in questionable V&V coverage. Many documents, in addition to IEC 880, that deal with safety and other high integrity system software have requirements that advise against such features:
- NUREG/CR-6294, 3.8 Product Design Factors, lists no interrupts, no multi-tasking, and deterministic, predictable timing as important factors in the design of safety critical software.
- EPRI ALWR URD, Chapter 10 M-MIS, 6.1.3 Software Design states that "a continuous-loop non-interruptible software structure is preferred for M-MIS functions of protection, control, alarm and display."
A suggested resolution is to advise against event based interrupts and multi-tasking functions in 4.4.1.3 where specific program control flow requirements are discussed.

53/T-053-JG | 10/4.2.1
The NRC comment can be closed with a statement in §4.2.1 that the response time referred to here does not include any application specific time behaviors such as that associated with algorithmic functions.

58/T-058-JG | 11/4.2.2
This response still leaves open the concern that the development of the logic functions using the ladder logic language does not account for "make before break" and "break before make" logic other than that which is implemented external to the PLC. This seems to be a limitation on the capability of the PLC.

61/T-061-JG | 11/4.2.3
The last sentence of the NRC comment is still unresolved. A suggestion is to state that the approach given in 4.2.3.1 takes into account random hardware failure rates and does not include common mode software failure probabilities; consequently failure probabilities less than 10E-4 are very likely unrealistic.

105/T-105-JG | 17/4.3.2.1.3
There seems to be some confusion in this response. If the temperature decrease for an event that requires initiation of a temperature based safety function is faster than 1°C/sec but the temperature measurement has a limited response time of equal to or less than 1°C/sec, the safety system is inadequate. This item is still open.

197/T-197-JG | 46/6.1
This response still does not resolve the concern with the last paragraph of §6.1; suggest that this paragraph be deleted.
S. LEVY INCORPORATED
3425 S. Bascom Avenue, Campbell, CA 95008-7006 USA
408/377-4870, FAX: 408/371-6804

TITLE: Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety Related Applications in Nuclear Power Plants

| REV | PURPOSE OF REVISION | ISSUED BY | DATE |
|---|---|---|---|
| A | DRAFT FOR REVIEW | A. Ostenso | 8/9/96 |
| B | SECOND DRAFT | A. Ostenso | 10/15/96 |
| C | SECOND DRAFT WITH ADD'L REDUNDANCY ITEMS | A. Ostenso | 11/1/96 |

PREPARED BY: A. L. Ostenso
QUALITY ASSURANCE REVIEW: L. G. Marquis
REVIEWED/VERIFIED BY: T. Y. Fukushima
PROJECT MANAGER APPROVAL: R. S. May
CLIENT APPROVAL (WHEN REQUIRED): N/A
CLIENT/PROJECT: HL&P / 3878
DISK/FILE ID: HLP001-01/S01RA.doc
DOCUMENT NUMBER: HLP-001-S-01(Q)
HLP-001-S-01(Q) Rev C

TABLE OF CONTENTS (section ... page)

1. SCOPE ... 1
1.1 BACKGROUND ... 1
1.2 OVERVIEW OF TECHNICAL SCOPE AND FOCUS ... 2
1.2.1 Overview of the Generic Qualification Process ... 2
1.3 OVERVIEW OF ROLES IN PLC APPLICATIONS TO NUCLEAR SAFETY SYSTEMS ... 3
1.4 GENERAL OVERVIEW ... 3
1.4.1 PLC Architecture Overview ... 3
1.4.2 Requirements Variations Background ... 4
1.4.3 Generic vs. Application Specific Overview ... 4
1.4.4 Third Party PLC Items Overview ... 5
1.4.5 Redundancy Overview ... 5

2. DEFINITIONS, ABBREVIATIONS, ACRONYMS ... 6
2.1 DEFINITIONS ... 6
2.2 ABBREVIATIONS & ACRONYMS ... 7

3. REFERENCE DOCUMENTS ... 8
3.1 1996 CODE OF FEDERAL REGULATIONS (CFR) ... 8
3.2 U.S. NUCLEAR REGULATORY COMMISSION (NRC) REGULATORY GUIDES (RG) AND NUREGS ... 8
3.3 AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI) ... 9
3.4 ELECTRIC POWER RESEARCH INSTITUTE (EPRI) ... 9
3.5 INSTITUTE OF ELECTRICAL & ELECTRONICS ENGINEERS (IEEE) ... 9
3.6 AMERICAN SOCIETY OF MECHANICAL ENGINEERS (ASME) ... 10
3.7 DEPARTMENT OF DEFENSE (DOD) ... 10
3.8 INTERNATIONAL STANDARDS ... 10

4. SYSTEM REQUIREMENTS ... 11
4.1 OVERVIEW OF PERFORMANCE BASIS ... 11
4.2 FUNCTIONAL REQUIREMENTS ... 11
4.2.1 General Functional Requirements ... 11
4.2.2 Control Functional Requirements ... 12
4.2.3 Availability/Reliability Requirements ... 12
4.2.3.1 Availability/Reliability Calculation Requirements ... 12
4.2.3.1.1 Availability/Reliability Calculation Requirements Applicable to Redundant PLCs ... 13
4.2.3.2 PLC Fault Tolerance Requirements ... 14
4.2.3.3 Failure State Requirements ... 14
4.2.3.4 Failure Detection Requirements ... 15
4.2.3.5 Recovery Capability Requirements ... 15
4.2.3.6 Requirements for Use of Operating Experience ... 16
4.3 HARDWARE REQUIREMENTS ... 16
4.3.1 General ... 16
4.3.1.1 Background ... 16
4.3.1.2 Requirements Common to all Modules ... 16
4.3.1.3 External Device Requirements ... 17
4.3.2 Input Requirements ... 17
4.3.2.1 Analog Input Requirements ... 17
4.3.2.1.1 Voltage Input Requirements ... 17
4.3.2.1.2 Current Input Requirements ... 18
4.3.2.1.3 RTD Input Requirements ... 19
4.3.2.1.4 Thermocouple Input Requirements ... 19
4.3.2.2 Discrete Input Requirements ... 20
4.3.2.2.1 Discrete AC Input Requirements ... 21
4.3.2.2.2 Discrete DC Input Requirements ... 21
4.3.2.2.3 TTL Input Requirements ... 22
4.3.2.3 Other Inputs ... 22
4.3.2.3.1 Pulse Input Requirements ... 22
4.3.3 Output Requirements ... 23
4.3.3.1 Analog Output Requirements ... 23
4.3.3.1.1 Voltage Output Requirements ... 23
4.3.3.1.2 Current Output Requirements ... 23
4.3.3.2 Discrete Output Requirements ... 24
4.3.3.2.1 Discrete AC Output Requirements ... 24
4.3.3.2.2 Discrete DC Output Requirements ... 25
4.3.3.2.3 Relay Output Requirements ... 25
4.3.3.2.4 TTL Output Requirements ... 26
4.3.4 Processor/Other System Component Requirements ... 26
4.3.4.1 Processor Loop Time Requirements ... 26
4.3.4.2 Memory Capacity and Data Retention Capability Requirements ... 27
4.3.4.3 Data Acquisition Requirements ... 27
4.3.4.4 Communication Port Requirements ... 28
4.3.4.5 Coprocessor Module Requirements ... 28
4.3.4.6 Chassis Requirements ... 29
4.3.4.7 Backup Devices/Redundancy Requirements ... 29
4.3.5 Programming Terminal Requirements ... 29
4.3.6 Normal Environmental Requirements ... 30
4.4 SOFTWARE/FIRMWARE ... 30
4.4.1 Executive ... 30
4.4.1.1 Background ... 30
4.4.1.2 Main Processor Executive Capability Requirements ... 30
4.4.1.3 Program Flow Control Requirements ... 31
4.4.1.4 Unintended/Unused Function Isolation Requirements ... 31
4.4.1.5 Coprocessor Executive Capability Requirements ... 32
4.4.2 Media Requirements ... 32
4.4.3 Ladder Logic Requirements ... 33
4.4.4 Software Tools Requirements ... 34
4.4.5 Configuration Identification ... 35
4.4.5.1 Configuration Identification Background ... 35
4.4.5.2 Configuration Management Aids Requirements ... 36
4.4.6 Diagnostics Requirements ... 36
4.4.6.1 General Diagnostic Requirements ... 36
4.4.6.2 On-line Self Test Requirements ... 37
4.4.6.3 Power up Diagnostics Requirements ... 38
4.4.7 Data and Data Base Requirements ... 38
4.4.8 Other Non-Ladder Logic Programming Languages ... 38
4.4.8.1 Requirements for Sequential Logic Languages ... 38
4.4.8.2 Requirements for Standard High Level Languages ... 38
4.4.9 Sequence of Events Processing Requirements ... 39
4.4.10 Verification and Validation Requirements ... 40
4.4.11 System Integration Requirements ... 40
4.5 HUMAN/MACHINE INTERFACE (HMI) ... 40
4.5.1 Requirements for Human/Machine Interface Functions ... 40
4.5.2 Requirements for Interactive Features ... 41
4.5.3 Requirements for Operator Action System Response Times ... 41
4.5.4 Display Requirements ... 41
4.5.5 Alarm Processing Requirements ... 42
4.5.6 Hard Manual Backup ... 42
4.6 SHIPPING AND HANDLING REQUIREMENTS ... 42
4.6.1 Packaging Requirements ... 42
4.6.2 Shipping Requirements ... 42
4.6.3 Storage Requirements ... 43
4.7 ELECTRICAL ... 43
4.7.1 General Overview ... 43
4.7.1.1 Power Sources and Power Supply Requirements ... 43
4.7.1.2 Loop Power Supply Requirements ... 44
4.7.1.3 Separation ... 44
4.7.1.4 1E/non-1E Isolation Requirements ... 44
4.7.1.5 Cable/Wiring Requirements ... 44
4.7.1.6 Termination Requirements ... 45
4.7.1.7 Backup Power ... 45
4.7.1.8 Grounding/Shielding Requirements ... 45
4.8 MAINTENANCE ... 45
4.8.1 Diagnosis/Built-in Testability Requirements ... 45
4.8.2 Module Replacement Requirements ... 45
4.8.3 Preventative Maintenance Requirements ... 45
4.8.4 Surveillance Testing Requirements ... 46
4.8.5 Output Bypass/Control Devices ... 46
4.8.6 "Hot" Repair Capability ... 46
4.8.7 Manufacturer System Life Cycle Maintenance ... 46
4.8.7.1 Parts Replacement Life Cycle Requirements ... 46
4.8.7.2 Spare Parts Requirements ... 46
4.8.8 Maintenance Human Factors ... 47
4.9 REQUIREMENTS FOR THIRD PARTY/SUB-VENDOR ITEMS ... 47
4.10 OTHER ... 47
4.10.1 Data Handling & Communication Interfacing Overview ... 47
4.10.1.1 Peripheral Communication Requirements ... 47
4.10.1.2 PLC Peer to Peer Communication Requirements ... 48
4.10.2 Overall System Security Requirements ... 48
4.10.3 Heartbeat Requirements ... 48

5. ACCEPTANCE TESTING ... 49
5.1 PRE-QUALIFICATION ACCEPTANCE TEST REQUIREMENTS ... 49
5.2 OPERABILITY TEST REQUIREMENTS ... 49
5.3 PRUDENCY TESTING REQUIREMENTS ... 50
5.4 OPERABILITY/PRUDENCY TESTING APPLICABILITY REQUIREMENTS ... 51

6. QUALIFICATION TESTING AND ANALYSIS ... 51
6.1 SOFTWARE QUALIFICATION OVERVIEW ... 51
6.2 PLC SYSTEM TEST CONFIGURATION REQUIREMENTS ... 52
6.2.1 Test Specimen Hardware Configuration Requirements ... 52
6.2.2 Test Specimen Mounting ... 53
6.2.2.1 Seismic Test Mounting Requirements ... 53
6.2.2.2 EMI/RFI & Surge Withstand Test Mounting Requirements ... 53
6.2.2.3 Environmental Test Mounting Requirements ... 53
6.2.3 Test Specimen Application Program Configuration Requirements ... 53
6.2.3.1 Coprocessor Test Specimen Application Program Requirements ... 54
6.2.4 Test Support Equipment Requirements ... 54
6.3 QUALIFICATION TESTS AND ANALYSIS ... 54
6.3.1 Aging Requirements ... 55
6.3.2 EMI/RFI Test Requirements ... 55
6.3.3 Environmental Testing Requirements ... 55
6.3.4 Seismic Test Requirements ... 56
6.3.4.1 Seismic Test Measurement Requirements ... 56
6.3.4.2 Seismic Test Performance Requirements ... 56
6.3.4.3 Seismic Test Spectrum Analysis Requirements ... 57
6.3.5 Surge Withstand Capability ... 57
6.4 OTHER TESTS & ANALYSIS ... 58
6.4.1 FMEA ... 58
6.4.2 Electrostatic Discharge (ESD) Testing Requirements ... 58
6.4.3 Power Quality Tolerance Requirements ... 58
6.4.4 Requirements for Compliance to Specifications ... 58
6.4.5 Human Factors ... 58
6.5 QUALITY ASSURANCE MEASURES APPLIED TO QUALIFICATION TESTING ... 58

7. QUALITY ASSURANCE ... 59
7.1 GENERAL ... 59
7.1.1 10CFR50 Appendix B Requirements for Safety Related Systems ... 59
7.1.2 10CFR21 Compliance Requirements ... 59
7.1.3 Requirements for Manufacturer Qualification Maintenance throughout Product Life Cycle ... 60
7.1.4 Software Specific Requirements ... 60
7.1.5 Requirements for Compensatory Quality Activities for Legacy Software ... 60
7.1.6 Configuration Management ... 61
7.1.6.1 Hardware Configuration Management Requirements ... 61
7.1.6.2 Software Configuration Management Requirements ... 61
7.1.7 Problem Reporting/Tracking Requirements ... 62

8. DOCUMENTATION ... 62
8.1 EQUIPMENT GENERAL OVERVIEW DOCUMENT REQUIREMENTS ... 62
8.2 EQUIPMENT GENERAL SPECIFICATIONS REQUIREMENTS ... 63
8.3 OPERATORS MANUAL REQUIREMENTS ... 63
8.4 PROGRAMMERS MANUAL REQUIREMENTS ... 63
8.5 EQUIPMENT MAINTENANCE MANUAL REQUIREMENTS ... 63
8.6 QUALIFICATION DOCUMENTATION REQUIREMENTS ... 63
8.6.1 Programmatic Documentation Requirements ... 64
8.6.2 Technical Items and Acceptance Criteria Documentation Requirements ... 65
8.6.3 Application Guide Documentation Requirements ... 65
8.6.4 Supporting Analyses Documentation Requirements ... 65
8.7 V&V DOCUMENTATION REQUIREMENTS ... 65
8.8 SYSTEM DESCRIPTION REQUIREMENTS ... 65
8.9 CRITICAL CHARACTERISTICS LISTING REQUIREMENTS ... 65
8.10 SYSTEM DRAWINGS REQUIREMENTS ... 66
8.11 SYSTEM SOFTWARE/HARDWARE CONFIGURATION DOCUMENT REQUIREMENTS ... 66
8.12 SYSTEM DATABASE DOCUMENTATION REQUIREMENTS ... 66
8.13 SYSTEM SETUP/CALIBRATION/CHECKOUT PROCEDURE REQUIREMENTS ... 66
8.14 SYSTEM TEST DOCUMENTATION REQUIREMENTS ... 66
8.15 MANUFACTURER'S QUALITY DOCUMENTATION REQUIREMENTS ... 67
8.16 MANUFACTURER'S CERTIFICATIONS REQUIREMENTS ... 67

FIGURE 1: ANALOG SIGNAL RESPONSE TIME ... 68
FIGURE 2: SINGLE CHANNEL EXAMPLE AVAILABILITY MODEL ... 69
FIGURE 3: EXAMPLE AVAILABILITY MODEL FOR PLCS WITH REDUNDANCY ... 70
FIGURE 4: ENVIRONMENTAL PROFILE ... 71
FIGURE 5: REQUIRED RESPONSE SPECTRUM ... 72

c:\\proj\\plcqual\\revc\\plcsprc.doc 4-Nov-96
1. SCOPE

This is a set of requirements to be applied to the generic qualification of Programmable Logic Controllers (PLCs) for application to nuclear power plant safety systems. The information in this specification provides requirements for generic qualification of one or more commercially available Programmable Logic Controllers (PLCs) for use in U.S. Nuclear Power Plant safety related applications. The requirements specification will be suitable for use in:

A. Procuring a PLC with an appropriate selection of I/O and other types of modules that encompasses a broad range of potential safety related applications.
B. Demonstrating that the PLC operating software quality is adequate for use in Nuclear Power Plant safety systems.
C. Demonstrating that a selection of PLC hardware is suitable for use in safety systems whose requirements lie within the qualification envelope.

The specification is consistent with the requirements of 10CFR50 Appendix B. The following subsections provide background information only, to aid in focusing on the scope and intent of this specification. Requirements are given starting at section 4. Throughout this specification, sections that contain requirements have titles which include the word "requirements", while other section titles use the words "background" or "overview" to indicate the intent of the section.

1.1 BACKGROUND

PLCs have been successfully and widely used in industrial facilities for more than 20 years. A PLC is a collection of hardware and software specifically designed to perform a sequence of user-defined control actions that were traditionally implemented using electro-mechanical devices (e.g., relays) and single function electronic devices (e.g., single-loop controllers). The controls for most of the safety systems in nuclear power plants fall in this category. A major advantage of a PLC is that its programming "language" uses symbols that are readily related to control and protective actions or to the electro-mechanical devices that are used to implement these actions. A second major advantage is that PLCs can utilize existing operator controls, final actuating devices, and isolation devices. Consequently, a PLC can be applied with minimum impact on plant operations and on wiring external to the control cabinets.

Since its inception, PLC hardware has been designed to operate reliably in severe environments. Therefore, most commercially available PLC hardware is capable of withstanding the stresses applied to it during Class 1E qualification testing. However, PLCs contain both application and operating software, which requires a broader qualification effort. The application software (e.g., ladder logic and/or other high level representations) for a specific implementation is generally much easier to qualify than the operating software that is resident in the PLC independent of the application. This is so because the application software can be developed using the rigorous quality standards required by regulation and by judicious design practice. Historically, the PLC-resident executive software and support software have been more difficult to qualify because of a lack of adequate rigor and/or documentation of the software development process used by the vendors. In recent years, there has been significant national and international effort expended to develop standards for developing dependable software. In particular, the ISO 9000 series of standards has gained international recognition and has a certification process that provides high confidence in the dependability of software provided by certified vendors.
Given the robustness of PLC hardware, the inherent modularity of PLCs, the broad spectrum of PLC performance available, and the rigorous and well documented operating software development process used by a growing number of vendors, it is possible to generically qualify a PLC for application to Class 1E systems. A generic qualification would encompass a selection of PLC hardware and the operating software. The generic qualification would not absolve the user from demonstrating that the specific application is enveloped by the generic qualification. This is really no different from current qualified devices: a qualified device can only be applied within the qualification envelope.

1.2 OVERVIEW OF TECHNICAL SCOPE AND FOCUS

The goal of this specification is to provide generic requirements for pre-qualifying commercial PLC lines for use in safety related applications in nuclear power plants. This does not relieve the utility or system integrator from all the tasks needed to actually apply that PLC in a specific plant application.

The goal of the PLC Generic Specification is to define the essential technical characteristics (e.g., I/O points and options, scan rates, software features, etc.) that must be included to cover the needs of a range of plant safety applications. Process-oriented considerations, including system and software development and quality processes, are addressed in this specification primarily by reference to published standards and guidelines.

The requirements are geared towards qualifying a PLC as a replacement for specific segments of safety systems at existing plants (for example, using a PLC in place of a large portion of the ESFAS). The envisioned application is to place one or more PLCs in the control logic portion of each channel of existing safety actuation systems to perform control actions that are currently performed using electro-mechanical devices and loop controllers. In this type of application, the disruption of existing separation and isolation is minimal which, in turn, minimizes the impact of the replacement on the current licensing basis for these elements.

1.2.1 Overview of the Generic Qualification Process

The technical scope, focus, and content of this specification are based on the steps involved in completing a generic qualification effort. Performing the qualification requires, in effect, creating a synthetic application, so the steps are similar to those used in qualifying any device for nuclear safety related service. The steps are:

A. Selection of a PLC product line that supports the requirements of this specification and the required functionality of nuclear safety related applications. The selection process includes selecting the set of PLC modules to be qualified.
B. Evaluating the manufacturer's (including third party or sub-tier suppliers') hardware and software QA programs applied to the products of interest to determine if they are adequate to support nuclear safety related applications with a reasonable set of supplementary activities. The evaluation includes factors relating to both generic qualification and future applications of the qualified products.
C. Procuring a set of modules and any required supporting devices and software from the PLC manufacturer or third party suppliers to be used as the qualification test specimen.
D. Defining and producing a test specimen application program (TSAP). The TSAP is, in effect, a synthetic application designed to aid in the qualification tests and operability testing.
E. Combining the modules and the TSAP into a suitable test configuration and performing a set of acceptance tests on the test specimen. This is, in effect, a system integration test for the test specimen.
F. Specifying the set of qualification tests to be performed on the test specimen, including defining a set of operability tests to be performed at suitable times in the qualification process. The operability tests are designed to demonstrate satisfactory operation under the stresses applied during qualification tests.
G. Performing the qualification tests and documenting the results. Results documentation includes producing documentation that defines the qualification envelope, the specific products that were qualified, and other application information and application guidance for using the qualified PLC in a specific application.
1.3 OVERVIEW OF ROLES IN PLC APPLICATIONS TO NUCLEAR SAFETY SYSTEMS

Any discussion of process-oriented activities invariably comes around to the question of who, or what organization, must perform each activity. The process requirements in this specification only relate to completion of the activities, without specifying which organization actually performs them. Nevertheless, it is useful to clarify key roles that are referred to throughout the generic specification. In any given circumstance, different organizations (utility, consultant, reactor vendor, equipment manufacturer, etc.) may assume one or more of the roles.

The manufacturer (sometimes called the PLC vendor) produces the generic PLC product for the commercial marketplace.

The qualifier (or generic qualifier) is responsible for confirming that the PLC product meets the requirements of this specification. The qualifier could be one or more utilities, an independent consultant or test lab, EPRI, or another organization. The role of qualifier is not concerned with any particular application. The qualifier is the principal user of this generic specification.

The applier is responsible for designing, implementing, and testing the specific application in a specific plant. This role includes any application-specific activities of commercial dedication that cannot be covered by the generic qualification, including i) confirming that the critical characteristics of the specific application are enveloped by the generic requirements, and ii) evaluating any exceptions found in the PLC product qualification against the critical characteristics of the application. The applier could be the utility, a contractor such as a consultant or system integrator, or a reactor vendor.

Finally, the utility itself has ultimate responsibility for the safety application and its impact on plant safety, regardless of whether the utility itself has performed any of the above roles.

Note that a particular organization, such as the utility or a consulting firm, can assume multiple roles on a particular application project. Alternatively, one of the roles (e.g., qualifier) may be performed jointly by multiple organizations (e.g., the utility and its consultant). Thus, the generic specification in no way prescribes what organization fulfills the responsibilities of these roles.

1.4 GENERAL OVERVIEW

This section provides the overall basis for the various requirements (functional, hardware, software, performance, system, reliability) given in subsequent sections and an outline of generic vs. application specific considerations. This section also addresses the issue of third party hardware and software modules that are available to varying degrees for some platforms.

1.4.1 PLC Architecture Overview

A PLC is an assembly of hardware and software that is specifically designed for implementing controls. The main processor uses plant data acquired via inputs to the PLC, along with a suitable application program (usually based on a high level language designed specifically for implementation of control logic and control algorithms), to determine appropriate control actions. The desired control actions are then sent to PLC outputs that are connected to plant equipment. The hardware structure of most commonly used PLCs generally consists of the following items:

A. A base chassis that can accept a processor module plus several other modules.
B. A selection of analog I/O, discrete I/O, and special purpose modules that mount on the chassis.
C. A selection of one or more main processor modules that can be installed in the main chassis.
D. The ability to use expansion chassis for additional I/O.

The main chassis has a backplane that contains data and control lines for transfer of information between the main processor and the I/O modules.
The PLC main processor has an executive program that is responsible for managing the I/O and for executing the application program. The executive provides all of the low level I/O access and performs various other housekeeping functions such as on-line diagnostics and power up initialization. The executive also causes the application program to be executed in a continuous loop. The executive first reads all of the inputs[2] and then scans the application program steps. When the application program has completed, the executive loads the outputs as determined by the application program and then restarts the loop.

Some PLC architectures include varying degrees and types of redundancy. See section 1.4.5 for additional background on redundancy.

1.4.2 Requirements Variations Background

The performance requirements given in this specification are intended to provide qualification parameters that encompass a wide range of applications. It is possible that some classes of applications have requirements that are significantly less stringent than given herein for some characteristics (e.g., lower seismic RRS for some geological areas), or have more stringent requirements for a given characteristic (e.g., the temperature is very high in Arizona) and less stringent requirements for other characteristics (e.g., it is very dry in Arizona). In these cases, it is appropriate to adjust the requirements given herein to encompass a different envelope. Care must be taken to ensure that the actual qualification envelope is adequately documented, so that the qualified devices are applied only to systems for which they are suitable.

The characteristic that is most likely to cover a large number of potential applications with a less stringent requirement is overall response time.
The overall response times needed for LWR safety systems vary from tens of milliseconds to a few hundred milliseconds, and the distribution of the response time between I/O times and application program scan time will vary among PLC products and architectures.

1.4.3 Generic vs. Application Specific Overview

This section provides background information on the relationship between a generic qualification and applying the qualified device to a specific application. The information is intended only to provide an overview of using the qualified device in an application and to define the interface between the qualification activities and the application activities.

A generic qualification of a PLC is useful for providing a set of hardware, software, and firmware that meets some range of performance requirements and specifications that can be applied to LWR safety systems. The implementation of a specific application must fall within the qualification envelope. The key relationships between generic qualification and a specific application are:

A. Single failure analysis, defense in depth analysis, and similar evaluations are system wide and plant wide evaluations based on overall considerations and general characteristics of devices rather than the specifics of any device in the system. The generic qualification of a specific platform has little impact on these types of evaluations except to provide assurance that a qualified device with qualified software and firmware is used.

B. Electrical separation depends on the plant layout and details of a specific application. The isolation specifications used in the generic qualification are intended to support the requirements for instrumentation and control circuits in IEEE 384 (reference 3.5.10). The implementation of a specific application must confirm the suitability of the requirements for the application.

C. The specifications and qualification envelope of a specific platform must be compared against the equivalent requirements of a specific application to confirm the suitability of the platform for the intended application.

D. The accuracy and drift specifications of the generic PLC platform provide data to be used in the setpoint analysis of a specific application.

[2] For some PLCs, execution of the application program overlaps acquiring the inputs.
E. The generic qualification includes requirements on software tools to support development of an application. However, a suitable V&V program must be used in developing the software for a specific application.

F. The generic qualification requires performing an FMEA on the PLC elements. The results of the PLC FMEA provide inputs to the system level FMEA for a specific application. The "effects" of the PLC level FMEA are the "failure modes" for the system level FMEA.[3]

G. The generic qualification provides requirements to define the as-qualified configuration of the PLC platform and requirements for configuration management aids. Suitable configuration management methods must be used in developing and maintaining an application.

H. The generic qualification specifies that an availability/reliability analysis needs to be performed on the PLC platform and requires the manufacturer to provide a breakdown of the accuracy specifications. This information is used to develop a suitable surveillance test program for a specific application.

The application must either be bounded by the generically qualified PLC platform, or additional qualification/dedication must be performed based on the requirements of the specific application, or additional qualified devices must be used to compensate for PLC characteristics that do not support the needs of the application.

1.4.4 Third Party PLC Items Overview

For some PLCs, software and hardware items are available from third parties. In addition, external devices used to meet a specific requirement will generally be third party items. Some of the third party items that may be available are:

A. I/O modules or external devices that provide some number of characteristics not available from the primary manufacturer.
B. Software modules that perform some specific type of control action.
C. External devices that connect to serial ports on the PLC for the purpose of providing HMI functions.

The use of third party items can extend the qualified envelope of a particular PLC product line. However, using third party items requires substantial additional qualification resources, particularly since the items may include some software or firmware, and adds to the configuration management and life cycle maintenance burden placed on the end user.

"Third party" could be extended to include Distributed Control System (DCS) type I/O and processing modules that the PLC can communicate with. For the purposes of this specification, these types of third party devices will not be considered as part of the PLC qualification. The third party items could be qualified or dedicated as part of a specific application.
1.4.5 Redundancy Overview

Some of the sections include additional or modified requirements that apply to redundant PLC architectures. The degree and type of redundancy can vary from cases where the PLC modules are triply redundant internally to cases where only some of the modules are redundant and the redundancy is provided by using a separate chassis with special modules in each chassis to implement the redundancy. There are also synchronous and asynchronous fault detection schemes, which differ in the degree of time synchronization needed to detect faults. A particular redundancy design may incorporate varying degrees of redundancy and have characteristics of both synchronous and asynchronous design.

The requirements given in this specification that apply to redundant schemes are provided so that, to the extent practical, they are independent of the scheme used. The requirements are based on any PLC redundancy that may be included which is in addition to the redundancy in the system design. The requirements are not designed nor intended to specify redundancy that may be used to replace existing redundancy in the safety actuation systems. The redundancy requirements focus on assuring that the design, analysis, and configuration management of any PLC redundancy elements are adequate.

None of the requirements are intended to imply that a particular level of redundancy is required. For a particular platform, both redundant and non-redundant configurations could be qualified if both configurations are available for the platform and it is determined that both configurations could be used for different applications.

[3] For example, a failure of the frammis in the PLC turns the widget blue. The effect of a blue widget on the system has been analyzed. OK.

2. DEFINITIONS, ABBREVIATIONS, ACRONYMS

2.1 DEFINITIONS

Ancillary Device: Any hardware device that is attached to the PLC to add to or modify its capabilities. A simple example would be a resistive device to convert between current and voltage signals.

Availability: The probability that an item or system will be operational on demand.[4]

Baseline: A specification or product that has been formally reviewed and agreed upon, that thereafter serves as the basis for further development, and that can be changed only through formal change control procedures.[5]

Coil: A class of digital outputs in ladder logic. See section 4.4.3 in the text.

Configuration ID: An element of configuration management, consisting of selecting the configuration items for a system or device and recording their functional and physical characteristics in technical documentation.[5]

Configuration status accounting: An element of configuration management, consisting of recording and reporting the information needed to manage a configuration effectively. This information includes a listing of the approved configuration identification, the status of proposed changes to the configuration, and the implementation status of approved changes.[5]

Constant Failure Rate: That portion of the "bathtub" failure rate characteristic where the failure rate does not vary with time.
Coprocessor: In the current context, any processor with functions complementary to that of the main processor. May provide computation, communication, or other functions.

Applier: The organization that uses the PLC for a specific safety application. Note that even though the PLC may have been generically qualified, there are always some remaining application activities, such as confirming that the application critical characteristics are enveloped by the generic qualification. The applier may be the utility itself or its agent.

Executive: A "skeletal" operating system used in a flexible, but not general purpose, device which contains an embedded microprocessor, such as a PLC.

External Device: See Ancillary Device.

Heartbeat: An indication that changes at a frequency that is some multiple of the PLC scan time. The heartbeat provides some indication that the scan and logic cycle is active.

Qualifier: The organization that qualifies a particular PLC product against the generic specification. The qualifier may be the utility itself or its agent.

Reliability: The characteristic of an item or system expressed by the probability that it will perform a required mission under stated conditions for a stated mission time.[4]

Ringback: Connecting an output to an input. The input is used to verify that the output response is correct.

Test Specimen: The set of PLC modules, hardware and software configuration, and Test System Application Program used as the basis for generic Qualification Testing.

Unintended Function: Undocumented functions or "bugs" in the PLC software.

Unused Function: Functions or options in the PLC software that are beyond those required to satisfy the identified safety functions.[6]

Watchdog Timer: An item that will time out and cause some action to occur if it is not updated within its time out period.

PLC Module: An assembly that plugs into a chassis or other mounting device included as part of the PLC product line. Examples of modules are analog I/O, discrete I/O, main processor, etc.

3-2-0 Redundancy: A triple redundancy scheme where failures in two of the channels result in PLC failure.

3-2-1-0 Redundancy: A triple redundancy scheme where the PLC remains operable with failures in two of the channels.

[4] Taken from IEEE 352 (reference 3.5.7).
[5] Taken from reference 3.5.13.
[6] The definition is taken from reference 3.2.10.

2.2 ABBREVIATIONS & ACRONYMS

BIT: Built In Test
EMI: Electromagnetic Interference
ESFAS: Engineered Safety Features Actuation System
INOP: Inoperative condition
LSB: Least Significant Bit
LWR: Light Water Reactor
MTBF: Mean Time Between Failures. The average time between failures of a component, device, or system.
MTTR: Mean Time To Repair. As used in this specification, the average elapsed time between the occurrence of a failure and the time when a repair is completed and the item returned to service.
OBE: Operating Basis Earthquake
PID: Proportional Integral Derivative control
PLC: Programmable Logic Controller. Devices designed to implement control actions based on process and operator inputs.
RFI: Radio-Frequency Interference
RRS: Required Response Spectrum. The seismic frequency/amplitude characteristic that a device must withstand.
RTD: Resistive Temperature Detector
SQA: Software Quality Assurance
SRSS: Square Root of the Sum of Squares
SSE: Safe Shutdown Earthquake
TSAP: Test System Application Program. The "synthetic application" used to complete the PLC functionality needed to support the qualification test program. A TSAP is required for a meaningful system-level test of the PLC, and the TSAP should exercise important hardware and software capabilities as required in the text.
TTL: Transistor-Transistor Logic
EEROM: Electrically Erasable Read Only Memory. A type of memory that will retain its contents on loss of power but whose contents may be modified by erase/write cycles while it is installed.
NVRAM: Non Volatile Random Access Memory. A type of RAM that will retain its contents on loss of power. Includes EEROM, battery backed RAM, etc.
CRC: Cyclic Redundancy Check. A method for detecting digital communication errors. A CRC detects corrupted data; it does not correct it.

3. REFERENCE DOCUMENTS

3.1 1996 CODE OF FEDERAL REGULATIONS (CFR)

3.1.1 10CFR21: Title 10, CFR, Part 21, Reporting of Defects and Noncompliance.
3.1.2 10CFR50, Appendix B: Title 10, CFR, Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.
3.1.3 10CFR50.59: Title 10, CFR, Part 50.59, Changes, Tests, and Experiments.

3.2 U.S. NUCLEAR REGULATORY COMMISSION (NRC) REGULATORY GUIDES (RG) AND NUREGS

The latest revisions of the following shall be used.

3.2.1 RG 1.22: Periodic Testing of Protection System Actuation Functions.
3.2.2 RG 1.47: Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems.
3.2.3 RG 1.75: Physical Independence of Electric Systems.
3.2.4 RG 1.89: Qualification of Class 1E Equipment for Nuclear Power Plants.
3.2.5 RG 1.100: Seismic Qualification of Electric Equipment for Nuclear Power Plants.
3.2.6 RG 1.118: Periodic Testing of Electric Power and Protection Systems.
3.2.7 RG 1.152: Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants.
3.2.8 RG 1.153: Criteria for Power, Instrumentation, and Control Portions of Safety Systems.
3.2.9 NUREG/CR-6090: The Programmable Logic Controller and Its Application in Nuclear Reactor Systems.
3.2.10 NUREG/CR-6421: A Proposed Acceptance Process for Commercial Off-the-Shelf (COTS) Software in Reactor Applications.

3.3 AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI)

3.3.1 ANSI N45.2.2: Packaging, Shipping, Receiving, Storage, and Handling of Items for Nuclear Power Plants.

3.4 ELECTRIC POWER RESEARCH INSTITUTE (EPRI)

3.4.1 TR-103699: Programmable Logic Controller Qualification Guidelines for Nuclear Applications, Volume 1 and Volume 2.
3.4.2 TR-103734: Programmable Logic Controller Requirements and Evaluation Guidelines for BWRs.
3.4.3 TR-102348: Guidelines on Licensing Digital Upgrades.
3.4.4 TR-102400: Handbook for Electromagnetic Compatibility of Digital Equipment in Power Plants, Volumes 1 and 2.
3.4.5 TR-106439 (draft): Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications.
3.4.6 TR-102323: Guidelines for Electromagnetic Interference Testing in Power Plants.
3.4.7 TR-103291: Handbook for Verification and Validation of Digital Systems. Vol. I: Summary. Vol. II: Case Studies. Vol. III: Topical Reviews. December 1994.

3.5 INSTITUTE OF ELECTRICAL & ELECTRONICS ENGINEERS (IEEE)

3.5.1 IEEE Std 1012-1986: Standard for Software Verification and Validation Plans.
3.5.2 IEEE Std 1050-1989: Guide for Instrumentation and Control Equipment Grounding in Generating Stations.
3.5.3 IEEE Std 279-1971: Criteria for Protection Systems for Nuclear Power Generating Stations.
3.5.4 IEEE Std 323-1983: Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations.
3.5.5 IEEE Std 338-1987: Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems.
3.5.6 IEEE Std 344-1987: Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations.
3.5.7 IEEE Std 352-1987: Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems.
3.5.8 IEEE Std 381-1977: Standard Criteria for Type Tests of Class 1E Modules Used in Nuclear Power Generating Stations.
3.5.9 IEEE Std 383-1980: Standard for Type Test of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations.
3.5.10 IEEE Std 384-1981: Standard Criteria for Independence of Class 1E Equipment and Circuits.
3.5.11 IEEE Std 498-1985: Standard Requirements for the Calibration and Control of Measuring and Test Equipment Used in Nuclear Facilities (ANSI).
3.5.12 IEEE Std 603-1980: Standard Criteria for Safety Systems for Nuclear Power Generating Stations.
3.5.13 IEEE Std 610.12-1990: Standard Glossary of Software Engineering Terminology.
3.5.14 IEEE Std 730-1989: Standard for Software Quality Assurance Plans.
3.5.15 IEEE Std 828-1990: Standard for Software Configuration Management Plans.
3.5.16 IEEE Std 829-1983: Standard for Software Test Documentation.
3.5.17 IEEE Std 830-1993: Recommended Practice for Software Requirements Specifications.
3.5.18 IEEE Std 1008-1987: Standard for Software Unit Testing.
3.5.19 IEEE Std 1028-1988: Standard for Software Reviews and Audits.
3.5.20 IEEE Std 1074-1995: Standard for Developing Software Life Cycle Processes.
3.5.21 IEEE Std 7-4.3.2-1993: Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.
3.5.22 IEEE Std C62.41-1991: Recommended Practice on Surge Voltages in Low-Voltage AC Power Circuits.
3.5.23 IEEE Std C62.45-1987: Guide on Surge Testing for Equipment Connected to Low-Voltage AC Power Circuits.

3.6 AMERICAN SOCIETY OF MECHANICAL ENGINEERS (ASME)

3.6.1 NQA-1 (1993): Quality Assurance Program Requirements for Nuclear Facilities.
3.6.2 NQA-2, Part 2.7: Quality Assurance Requirements for Nuclear Facility Applications.
3.6.3 NQA-2a-1990, Part 2.7: Quality Assurance Requirements of Computer Software for Nuclear Facility Applications.

3.7 DEPARTMENT OF DEFENSE (DOD)

3.7.1 MIL-HDBK-217F: Reliability Prediction of Electronic Equipment.
3.7.2 MIL-STD-461D: Requirements for the Control of Electromagnetic Interference Emissions and Susceptibility.
3.7.3 MIL-STD-462D: Measurement of Electromag
netic Interference Characteristics.

3.8 INTERNATIONAL STANDARDS

3.8.1 ISO 9001:1987(E): Quality Systems. Model for Quality Assurance in Design/Development, Production, Installation, and Servicing.
3.8.2 ISO 9000-3:1991(E): Guidelines for the Application of ISO 9001 to the Development, Supply, and Maintenance of Software.
4. SYSTEM REQUIREMENTS

4.1 OVERVIEW OF PERFORMANCE BASIS

The controls for safety systems have various regulatory requirements imposed on them that are intended to assure that they will perform as intended when needed. The basic performance requirements (e.g., speed, accuracy, I/O points) are derived from the plant equipment characteristics and various safety analyses that establish overall mitigation system requirements. The regulations address the environmental conditions under which the systems must perform (e.g., temperature, vibration) as well as performance characteristics.

For this specification many of the performance and capacity requirements are derived from EPRI TR-103699 (reference 3.4.1) and EPRI TR-103734 (reference 3.4.2). The environmental specifications are a synthesis from various resources and are intended to encompass the "mild" environment conditions presumed to be possible at domestic Light Water Reactors (LWR).
4.2 FUNCTIONAL REQUIREMENTS

4.2.1 General Functional Requirements

The overall functional and performance requirements of the generic PLC platform are as follows.

A. Response Time. The overall response time from an input to the PLC exceeding its trip condition to the resulting outputs being set shall be 100 milliseconds or less.[8] The response time shall include:
1. The effects of any input filtering on the response. For cases where analog inputs are involved, the response time shall be defined as shown in Figure 1.
2. The time it takes the input module to convert the signals at its terminals to digital representations.
3. The time it takes the main processor to acquire the input values over the PLC bus.[7]
4. Two scan times[9] of an application program containing the equivalent of 2000 simple logic elements.[10]
5. The time it takes the main processor to send values to the output module over the PLC bus.
6. The time it takes the output module to convert the digital data received over the bus to the corresponding output signal level.
7. The maximum time required to implement any self-diagnostic and redundancy implementation features, including any redundant processor synchronization, processor to processor communication, and execution of the associated algorithms.

B. Discrete I/O. The PLC shall have the capability to provide a total of at least 400 discrete I/O points.[11]
C. Analog I/O. The PLC shall have the capability to provide a total of 100 analog I/O points.[11]
D. Combined I/O. The PLC shall have the capability to provide a total of 50 analog and 400 discrete I/O points.[11]

The I/O capacity requirements shall include the main processor resources to support the I/O, the module addressing capability to support the I/O, and the main and expansion chassis for mounting the I/O.

[7] For some PLCs, execution of the application program overlaps acquiring the inputs.
[8] This requirement does not encompass the BWR RPS, NSSSS, and some associated systems. Encompassing these systems would require response times as short as 20 milliseconds. Note that some PLC vendors have coprocessor modules available that can provide these speeds independent of the main processor. Using a 200 millisecond response time would eliminate several potential applications but would still envelope a significant number of systems.
[9] Two scan times are required to cover the case where the input achieves a trip value just after the scan of the application program starts. In this case, the change in outputs in response to the change in the input will not occur until the application program has been scanned twice.
[10] The application program size is based on EPRI TR-103699 (reference 3.4.1) and EPRI TR-103734 (reference 3.4.2). The complexity of the safety systems where application of a PLC was judged to be appropriate was evaluated based on information in the references.
[11] The I/O capacity numbers are based on EPRI TR-103699 (reference 3.4.1) and EPRI TR-103734 (reference 3.4.2). The I/O requirements given in these documents for safety systems where application of a PLC was judged to be appropriate were evaluated for maximum I/O configuration requirements.
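Added worked example, not part of this specification and not any PLC vendor's software: a Python model of the executive scan loop described in section 1.4.1 and of the response-time accounting in item A above. It shows why item 4 charges two scan times (a trip that becomes visible just after the input snapshot is acted on only by the following scan, as footnote 9 explains) and sums the seven terms of item A against the 100 millisecond limit. The snapshot-at-scan-start behaviour, the lumping of filter, conversion and bus delays into two figures, and all numeric values are assumptions for a hypothetical platform.

```python
"""Scan-cycle response-time model for a PLC executive (added example).

Model assumptions (this example's, not the specification's): the executive
snapshots all inputs at the start of each scan, runs the application program
for scan_ms, then loads all outputs at the end of the scan (section 1.4.1).
Input filter, input module conversion and bus acquisition are lumped into
in_delay_ms; bus transfer and output module conversion into out_delay_ms.
"""
import math


def output_update_time(trip_ms, scan_ms, in_delay_ms=0.0, out_delay_ms=0.0):
    """Instant at which the output terminal reflects an input that tripped at trip_ms."""
    visible_ms = trip_ms + in_delay_ms            # processor can first see the trip
    first_scan = math.ceil(visible_ms / scan_ms)  # first input snapshot at or after that
    return first_scan * scan_ms + scan_ms + out_delay_ms


def trip_latency(trip_ms, scan_ms, in_delay_ms=0.0, out_delay_ms=0.0):
    """Response time from input trip to output change for one trip instant."""
    return output_update_time(trip_ms, scan_ms, in_delay_ms, out_delay_ms) - trip_ms


def worst_case_latency(scan_ms, in_delay_ms=0.0, out_delay_ms=0.0, steps=1000):
    """Sweep the trip instant across one scan period and return the worst latency.

    The maximum occurs when the trip becomes visible just after a snapshot:
    that scan runs on stale inputs and the change is only seen by the next
    one, hence the "two scan times" of 4.2.1 item 4 and footnote 9.
    """
    return max(trip_latency(i * scan_ms / steps, scan_ms, in_delay_ms, out_delay_ms)
               for i in range(1, steps + 1))


def response_time_budget(filter_ms, in_conv_ms, bus_in_ms, scan_ms, bus_out_ms,
                         out_conv_ms, diag_ms, limit_ms=100.0):
    """Sum the seven terms of 4.2.1 item A and check against the limit.

    Returns (total_ms, within_limit).  Only the application program scan
    (item 4) is counted twice; every other term is counted once.
    """
    total = (filter_ms + in_conv_ms + bus_in_ms + 2 * scan_ms
             + bus_out_ms + out_conv_ms + diag_ms)
    return total, total <= limit_ms


if __name__ == "__main__":
    # Constructed figures for a hypothetical platform: 30 ms scan, 5 ms input
    # filter, 10 ms input conversion, 2 ms bus each way, 5 ms output
    # conversion, 10 ms for diagnostics and redundancy synchronisation.
    print("worst-case latency, 30 ms scan, no I/O delay:", worst_case_latency(30.0))
    print("worst-case latency with 17 ms in / 7 ms out:", worst_case_latency(30.0, 17.0, 7.0))
    print("budget, 30 ms scan:", response_time_budget(5, 10, 2, 30, 2, 5, 10))
    print("budget, 40 ms scan:", response_time_budget(5, 10, 2, 40, 2, 5, 10))
```

The sweep converges on in_delay + 2 x scan + out_delay from below, which is exactly the accounting of item A once the bus and conversion terms are split out; a platform whose single scan is 40 ms with the constructed I/O figures already exceeds the 100 ms limit, which is why item 4 dominates the budget in practice.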
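Section 4.2.2 G, which follows, requires the PID function to provide manual control, auto/manual tracking, anti-reset windup, a remote setpoint and on-line tuning. As an added example (not the specification's text and not any PLC vendor's function block), the following Python class implements one discrete form of each of those features. The conditional-integration form of anti-windup, the derivative-on-measurement choice, and the first-order process used to exercise the loop are this example's assumptions.

```python
"""Discrete PID with the control features required by 4.2.2 G (added example).

Manual control, auto/manual tracking (bumpless transfer), anti-reset windup by
conditional integration, a remote setpoint that overrides the local one, and
on-line retuning.  The discretisation and the integrator bookkeeping are this
example's choices, not something the specification or a vendor prescribes.
"""


class PID:
    def __init__(self, kp, ti, td, dt, out_min=0.0, out_max=100.0):
        self.kp, self.ti, self.td, self.dt = kp, ti, td, dt
        self.out_min, self.out_max = out_min, out_max
        self.auto = False            # power up in manual, as a plant controller would
        self.manual_output = out_min
        self.local_sp = 0.0
        self.remote_sp = None        # None -> the local setpoint is in use
        self.i_term = 0.0            # integral contribution, already scaled by kp/ti
        self.prev_pv = None
        self.output = out_min

    def _clamp(self, u):
        return max(self.out_min, min(self.out_max, u))

    def setpoint(self):
        """Remote setpoint when one is supplied, otherwise the local one."""
        return self.local_sp if self.remote_sp is None else self.remote_sp

    def set_tunings(self, kp, ti, td):
        """On-line tuning.  i_term holds the accumulated contribution, so a new
        ti does not rescale what has already been integrated."""
        self.kp, self.ti, self.td = kp, ti, td

    def update(self, pv):
        """One scan: compute the controller output for process value pv."""
        e = self.setpoint() - pv
        d_pv = 0.0 if self.prev_pv is None else (pv - self.prev_pv) / self.dt
        self.prev_pv = pv
        p = self.kp * e
        d = -self.kp * self.td * d_pv           # derivative on PV: no setpoint kick
        if not self.auto:
            # Manual: the operator owns the output.  Make the integrator track
            # so that the first auto scan reproduces the same output (bumpless).
            self.output = self._clamp(self.manual_output)
            self.i_term = self.output - p - d
            return self.output
        # Auto: integrate only when the output is not saturated in the
        # direction the error would push it further (anti-reset windup).
        i_step = (self.kp / self.ti) * e * self.dt if self.ti > 0 else 0.0
        u = p + self.i_term + i_step + d
        pushing_out = (u > self.out_max and e > 0) or (u < self.out_min and e < 0)
        if not pushing_out:
            self.i_term += i_step
        self.output = self._clamp(p + self.i_term + d)
        return self.output


def first_order_plant(pv, u, gain=1.0, tau=5.0, dt=1.0):
    """Constructed first-order process used only to exercise the controller."""
    return pv + dt * (gain * u - pv) / tau


def run_closed_loop(steps=60, sp=50.0):
    """Auto mode from rest: returns the final process value."""
    pid = PID(kp=1.0, ti=5.0, td=0.0, dt=1.0)
    pid.auto = True
    pid.local_sp = sp
    pv = 0.0
    for _ in range(steps):
        pv = first_order_plant(pv, pid.update(pv))
    return pv


def windup_demo(saturated_scans=50):
    """Return (first auto output, i_term after saturation, output after recovery).

    With conditional integration the integral term is untouched by the
    saturated period, so the output returns to its pre-disturbance value on
    the first scan after the unreachable demand is removed.
    """
    pid = PID(kp=2.0, ti=10.0, td=0.0, dt=1.0)
    pid.manual_output = 40.0
    pid.local_sp = 50.0
    pid.update(50.0)              # one manual scan: i_term tracks to 40
    pid.auto = True
    bumpless = pid.update(50.0)   # first auto scan must still give 40
    pid.local_sp = 200.0          # unreachable demand: output pinned at 100
    for _ in range(saturated_scans):
        pid.update(50.0)
    pid.local_sp = 50.0
    return bumpless, pid.i_term, pid.update(50.0)
```

Without the conditional integration the integral term would have grown by kp/ti x e x dt on every saturated scan (here 30 per scan for 50 scans) and the output would stay pinned long after the demand was removed; that lag is the reset windup the requirement forbids.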
4.2.2 Control Functional Requirements

The PLC main processor shall provide a high level language designed for implementing control algorithms. The language must use symbology that is easily related to specific control actions. The control features that must be included are as follows. Additional details are given in section 4.4.3.

A. Emulation of relay coils (e.g., pulse, latch).
B. Emulation of relay contacts (e.g., Normally Open, Normally Closed).
C. Emulation of timer functions (e.g., repetitive, on demand).
D. Emulation of comparators (e.g., <, >, =).
E. Emulation of limiters.
F. Mathematics operation capability needed to provide dynamic compensation, analog I/O calibration (if not provided by the I/O modules), signal scaling, limits checking, and sensor signal transformations.
G. PID algorithm implementation. The algorithm must include manual control capability, auto/manual tracking, anti-reset windup, remote setpoint capability, and a method to permit on-line tuning of the PID settings via a removable programmer's terminal or an HMI interface.

4.2.3 Availability/Reliability Requirements

For a safety system application of a PLC, the applicable requirement is the availability (see section 2.1 for definition) of the PLC to initiate a protective action when needed and its reliability over the period of time it must operate to mitigate an accident or abnormal condition. The overall availability goal[12] of the PLC is 0.99. The availability shall be calculated for a combination of modules as follows:

A. 3 discrete input modules.
B. 2 analog input modules.
C. 1 analog output module.
D. 3 discrete output modules and 1 relay output module.
E. 1 high level language module.
F. Any other module needed to support overall performance requirements.
G. Any ancillary devices associated with any of the modules that are needed to meet the overall PLC requirements.
H. Main processor module.
I. Power supplies per section 4.7.1.1.
J. Chassis/backplane.
K. Any interconnect devices needed to support the above modules.
L. Any modules or other devices needed to implement any redundancy included as part of the qualification.
M. If ringback signals or other application layer features are used to meet the requirements, then the modules required to support the application layer features shall be included. For example, if ringback is used, then the discrete and analog input modules needed to support the outputs per items C and D shall be included.

4.2.3.1 Availability/Reliability Calculation Requirements

The availability calculations shall conform to IEEE 352 (reference 3.5.7).[13] An availability model that indicates the availability/reliability factors to be included is shown in Figure 2. The analysis shall use factors as follows:

A. Failures that are detectable by on-line diagnostics may assume an instantaneous detection time unless the time to detect a failure is 1 hour or more.[14] For self-diagnostic features that require transient changes in the output (see section 4.4.6.1), the analysis shall be performed with the feature inactive and active.

[12] There is no prescribed requirement for availability. Standards suggest that a reliability/availability goal should be established.
[13] Methods for estimating the reliability of components are given in MIL-HDBK-217F (reference 3.7.1).
[14] Self-diagnostics may require scheduling of the various tests over several scans in order to prevent them from unduly extending scan time. One hour is judged to have an insignificant effect on any availability analysis.
B. The analysis shall include a calculation of the surveillance interval required to support the availability goal for those failures that are only detectable by periodic surveillance testing. In addition, the availability resulting from 6, 12, 18, and 24 month surveillance intervals shall be calculated.
C. The analysis shall use 24 hours[15] for that portion of the MTTR that involves replacing a module once the failure is detected. This portion of the MTTR includes calibration and testing needed to confirm operation of the replaced item.
D. The value for the fraction of the failures that will be detected by observation of PLC behavior from indications on or near the PLC shall be based on those failures that cause some indication on the PLC itself but are not detected and alarmed by self-diagnostics. The MTTR for these failures shall be 24 hours plus the MTTR per item C above.
E. The environmental stresses for normal conditions to be used in the analysis are as given in section 6.3.3 with the margin applied.
F. In addition to the probability of successfully initiating a protective action, the availability analysis shall also include the probability that the PLC will operate as intended for 2 weeks following initiation, with the environmental stress conditions given in section 6.3.3 for abnormal conditions with the margin applied.
G. The availability for the modules defined shall be based on a correct response probability for the following actions:
1. 1/2 of the discrete inputs changing from ON to OFF and 1/2 changing from OFF to ON.
2. 1/2 of the discrete outputs changing from ON to OFF and 1/2 changing from OFF to ON.
3. 1/2 of the analog inputs moving from downscale to midscale, 1/4 moving from upscale to midscale, and 1/4 changing from 20% of full scale to 80% of full scale.
4. 1/2 of the analog outputs moving from downscale to midscale, 1/4 moving from upscale to midscale, and 1/4 changing from 20% of full scale to 80% of full scale.
5. Any failure in the main processor, backplane, power supplies, or coprocessor is considered to result in an incorrect response unless it can be clearly demonstrated that some failures in these devices do not cause incorrect responses.

4.2.3.1.1 Availability/Reliability Calculation Requirements Applicable to Redundant PLCs

For redundant PLC architectures the availability/reliability calculation is somewhat more complex because of the larger number of possible states. An example of the availability states for redundant systems is shown in Figure 3. If varying degrees of redundancy are provided (e.g., dual processor, single I/O) within a particular platform, or a triple redundant system has some 3-2-1-0[16] capability, then the availability model is more complex.

Availability/reliability calculation requirements in addition to those in the previous section (4.2.3.1) are:

A. Any single points of failure and the associated failure rates shall be included in the calculation.
B. The model and calculation shall include consideration of faults that are not detectable by self-diagnostics. For example, a normally ON discrete output fails ON.
C. For triple redundant systems with voting, the coverage may be assumed to be 1.0 when there are no faults in the redundant channels and the failure is not masked from the fault detection (e.g., a "stuck ON" condition of a normally ON output cannot be detected). The coverage used given a failure in one of the redundant channels of a triplicated system, or in a dual redundant system, shall be justified.
D. A PLC failure shall be defined as one or more of the following conditions:
1. Combination of failures in the input modules that cause the loss of the ability to measure a particular input signal. For example, a failure of 2 channels of the same discrete input is a PLC failure, but the failure of 1 redundant discrete input and 1 redundant analog input is not a PLC failure. OR

[15] A 24 hour MTTR is judged to be the maximum expected to collect the procedures and equipment needed for a repair, get authorization to proceed, perform the diagnostics, and replace and test the failed modules.
[16] See section 2.1 for definition.
HLP-001-S-01(Q) Rev C Page 14 of 72

2. Combination of failures in the output modules that cause the loss of the ability to generate a correct level for a particular output signal. For example, a failure of 2 channels of the same discrete output is a PLC failure, but the failure of 1 redundant discrete output and 1 redundant analog output is not a PLC failure. OR
3. Combination of failures in the processors, backplane, signal selection devices, or interconnections that cause the loss of the ability to acquire inputs, perform the control calculations, or transmit and connect all outputs to the field terminals. For example, a failure of 2 channels of the same discrete input is a PLC failure, but the failure of 1 redundant discrete and 1 redundant analog is not a PLC failure. OR
4. Combination of failures in shared elements, such as power supplies or interconnections, that causes the loss of the ability of the PLC to operate as designed.

The PLC availability is therefore the most limiting of these conditions and may be calculated on that basis.

4.2.3.2 PLC Fault Tolerance Requirements

Fault tolerance (e.g. redundancy) capability may be used in the PLC to meet the overall PLC availability requirements. Any availability analysis that takes credit for fault tolerance must include consideration of the failure of the fault tolerance feature to operate correctly, and justification of the probability of correct response of the features provided. Any special application level features (e.g. redundant I/O included as part of the application) needed to provide the fault tolerance required to meet the PLC availability goal must be documented and included as part of the qualification envelope definition. In addition, the features must be evaluated for potential impact on other requirements given herein (e.g. extra scan time needed to implement fault tolerance).

For redundant PLCs, fault tolerance shall include the ability to transfer to alternate channels in accordance with the requirements given in section 4.3.4.7. For triplicated PLCs the fault tolerance capability given a failure in one channel shall be provided.

4.2.3.3 Failure State Requirements

Failure states can be identified from the PLC level down to the component level (fault tree analysis) or from the component failures up to the PLC level (FMEA). For generic qualification of a PLC, an FMEA of the effects of failures of components in the PLC modules on the PLC performance shall be provided. This FMEA shall identify the effect of faults on the state of the outputs (i.e. fail high, fail low, fail as-is) and on the ability of the PLC to operate (e.g. main processor inoperable, some number of I/O inoperable, etc.) given the fault. The FMEA shall also identify fault categories as follows (see also section 4.2.3.4):

A. Those faults that will be detected by the on-line diagnostics.
B. Faults that can be detected by easily recognized effects on the PLC.
C. Faults that can only be detected by surveillance testing.
D. For redundant PLCs, failure categories shall be included as follows:
1. States that result from one or more failures where the PLC remains operable, as well as states where it is not operable.
2. States where undetected failures have occurred.
3. States where a failure in a single element has caused the PLC to fail.
4. States where failures reduce the effectiveness of self-diagnostics.

The identified PLC failure states are an input to the application specific FMEA. The FMEA categories listed above shall be used to estimate the fraction of the total failure rate that is in each category. These estimates provide data for the availability analysis described in section 4.2.3.1. See section 6.4.1 for additional information.
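The availability calculation of 4.2.3.1.1 and the coverage credit of 4.2.3.2 carried through in code, as an added example that is not part of the EPRI document or of any vendor's analysis: channel unavailability built from the FMEA category fractions of 4.2.3.3 (category A faults are repaired within the MTTR, category C faults persist until a surveillance test), k-out-of-n voting, an uncovered-failure term for the coverage that item C requires to be justified, a shared single point of failure for item A, and the combination of the four failure conditions of item D. Every numerical input except the 24-hour bounding MTTR of footnote 15 is a constructed assumption, and the function names are mine.

```python
import math


def channel_unavailability(lam, f_detected, mttr_h, surveillance_h):
    """Steady-state unavailability of one redundant channel (module or path).

    lam            failure rate of the channel, failures per hour
    f_detected     fraction of lam in FMEA category A (found by on-line diagnostics)
    mttr_h         repair time for a detected failure, hours
    surveillance_h interval of the surveillance test that finds category C faults

    Detected faults are out of service for one MTTR; undetected faults persist,
    on average, for half a surveillance interval.  First-order approximation,
    valid while lam * surveillance_h << 1.
    """
    lam_detected = lam * f_detected
    lam_undetected = lam * (1.0 - f_detected)
    return lam_detected * mttr_h + lam_undetected * surveillance_h / 2.0


def koon_unavailability(k, n, q):
    """Probability that fewer than k of n independent, identical channels are good
    (k-out-of-n voting), i.e. that at least n-k+1 channels have failed."""
    return sum(math.comb(n, j) * q ** j * (1.0 - q) ** (n - j)
               for j in range(n - k + 1, n + 1))


def redundant_unavailability(k, n, lam, f_detected, mttr_h, surveillance_h, coverage):
    """Unavailability of a k-out-of-n redundant group including imperfect coverage.

    coverage is the probability that a single channel failure is detected and
    handled by the voting/fault detection.  Each channel failure (rate n*lam)
    that is not covered is treated as an outage of the whole group lasting one
    MTTR; this is the term item C of 4.2.3.1.1 requires the applicant to justify.
    """
    q = channel_unavailability(lam, f_detected, mttr_h, surveillance_h)
    voted_out = koon_unavailability(k, n, q)
    uncovered = n * lam * (1.0 - coverage) * mttr_h
    return voted_out + uncovered


def plc_unavailability(conditions):
    """Combine the independent failure conditions 1-4 of 4.2.3.1.1 item D:
    the PLC is failed when any one of them holds."""
    available = 1.0
    for q in conditions.values():
        available *= 1.0 - q
    return 1.0 - available


def worked_example():
    # Constructed, hypothetical figures; only the 24 h MTTR comes from the document.
    LAM = 1.0e-5          # failures/h per channel module (MTBF 100,000 h)
    F_DETECTED = 0.90     # 90 % of the failure rate is in FMEA category A
    MTTR = 24.0           # hours (footnote 15)
    SURVEILLANCE = 720.0  # hours between surveillance tests for category C faults
    COVERAGE = 0.99       # assumed justified coverage given a failure in one channel
    LAM_SHARED = 1.0e-6   # failures/h of a single shared element (condition 4)

    triple = redundant_unavailability(2, 3, LAM, F_DETECTED, MTTR, SURVEILLANCE, COVERAGE)
    dual = redundant_unavailability(1, 2, LAM, F_DETECTED, MTTR, SURVEILLANCE, COVERAGE)
    conditions = {
        "1 inputs (2oo3)": triple,
        "2 outputs (2oo3)": triple,
        "3 processors (2oo3)": triple,
        "4 shared elements": LAM_SHARED * MTTR,   # single point of failure, item A
    }
    return {
        "channel": channel_unavailability(LAM, F_DETECTED, MTTR, SURVEILLANCE),
        "triple_2oo3": triple,
        "dual_1oo2": dual,
        "conditions": conditions,
        "plc": plc_unavailability(conditions),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

With these constructed inputs the per-channel unavailability is about 6 x 10^-4, the 2oo3 voting term is below 10^-6, and the uncovered-failure term (1% of channel failures mishandled) and the single shared element each contribute an order of magnitude more than the voting term; that is why items A and C insist that every single point of failure be included and that the coverage value be justified rather than assumed. The dual 1oo2 figure comes out lower than the 2oo3 figure because the model counts only loss of function and gives no credit to the voting for rejecting a single erroneous channel.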
4.2.3.4 Failure Detection Requirements

The failure detection capability of the PLC is an important element of the PLC availability since it has a major impact on the portion of the failures in the categories described in section 4.2.3.3. The self-diagnostic requirements are given in section 4.4.6. If needed to meet the requirements, the availability may be calculated assuming ringback of critical signals. If ringback is used, the availability analysis shall include consideration of the failure rates for the ringback modules and the detection coverage that is provided by the ringback (e.g. it may not detect a failure to turn ON for a normally OFF signal), along with the failure rates associated with the detectable and non-detectable failures.

The PLC shall contain features to permit generating an alarm when the on-line fault detection detects a failure. Any external devices used to implement this feature must be included as part of the qualification program or be implemented with previously qualified devices.

If ringback signals (or any other application level failure detection) are needed to provide the failure detection needed to meet the availability goal, then they must be documented and included as part of the qualification envelope definition. In addition, the features must be evaluated for potential impact on other requirements given herein (e.g. extra scan time needed to implement failure detection).

For redundant systems, any failure detection shall have characteristics as follows:

A. Shall automatically detect and treat [fraction illegible in source] of all random failures in the redundant elements. [17]
B. If special processor-to-processor communication is added as part of failure detection and recovery, then:
1. The communication path shall be at least dual redundant dedicated paths.
2. Loss of one communication path shall not cause any processor to stall, nor result in indeterminate fault detection, nor create a potential for conflicting fault detection.
3. Loss of all communication, or loss of more than one channel for PLCs with triplicated fault detection communication, shall not result in indeterminate fault detection nor create a potential for conflicting fault detection. A halt of all redundant processors is acceptable.
4. The capability to provide a remote alarm on loss of one or more communication paths shall be provided.
5. The communication shall be deterministic (i.e. the time it takes to achieve the communications shall be well defined).
6. The response time requirement shall be met with the maximum time needed to provide any time synchronization and to perform the communication activity added to the nominal loop time.
7. The communication shall include a data quality check which is at least as robust as a CRC-16 check.
C. Any fault detection software or firmware included in the PLC executive or in any of the modules shall meet the applicable requirements of sections 4.4.5.2, 4.4.10, and the subsections of section 7.

4.2.3.5 Recovery Capability Requirements

The requirements for recovery from faults are as follows:

A. The PLC shall have a watchdog timer or equivalent method of detecting a failure to complete a scan. The requirements for the mechanism to detect failure to complete a scan are:
1. On failure to complete a scan the PLC shall halt operation. If the PLC does not automatically halt on failure to complete a scan, then it shall have features to permit the application program to effectively halt control logic processing on detection of a failure to complete the scan.
2. The mechanism shall not depend on the same clock source as the processor.
3. Any communication functions in the executive shall not defeat operation of the mechanism while waiting for a response from the communication devices.

[17] Fault detection of less than this is judged to provide insufficient availability improvement to justify the added complexity.
4. Any interrupt servicing functions, such as interrupt disable or interrupt masking, in the executive or application program shall not defeat operation of the mechanism or cause it to pause.
B. The PLC processor shall contain power bus monitoring features to assure that the processor completes any memory writes and goes into a reset state at a supply voltage level that is greater than the voltage required to assure successful memory reads and writes for any memory that can be modified by the application program or by the run time portion of the executive. [19]
C. All output modules included in the qualification shall initialize to a known state on power up.

4.2.3.6 Requirements for Use of Operating Experience

Operating experience may be used as a basis for establishing module failure rates. If used, the manufacturer must have a problem reporting and tracking program [20] with the features given in section 7.1.7. In addition, the manufacturer must provide justification for the operating times assumed in the analysis of operating history.

4.3 HARDWARE REQUIREMENTS

4.3.1 General

4.3.1.1 Background

The hardware modules are assemblies that install on the PLC chassis. The assemblies include a main processor and a variety of I/O modules. Most I/O modules provide a particular type of interface between the PLC and the plant equipment. The types of modules that are necessary to support a generic qualification are:

A. Main Processor. These modules provide the intelligence required to access other modules and execute an application program.
B. Analog Inputs. These modules provide the ability to connect the PLC to devices (e.g. process sensors) that provide continuous measurement of a parameter.
C. Discrete Inputs. These modules provide the ability to detect the change of state of high level inputs such as 120 VAC, 24 VDC, etc.
D. Analog Outputs. These modules provide the ability to connect the PLC to devices (e.g. valve positioners) that require a continuous signal for their operation.
E. Discrete Outputs. These modules provide the ability to turn ON and OFF the power to field devices.
F. Low Level Discrete I/O. These modules provide TTL level inputs and outputs.
G. Special Purpose Modules. These modules provide special functions for a variety of purposes such as communication, utilization of high level languages, PID controllers, etc.

Analog signal accuracies given are for calibration temperature, power source variations, and temporal drift only. See section 6.2.2.2 for accuracy requirements during EMI/RFI testing.

4.3.1.2 Requirements Common to All Modules

A. All modules in the PLC shall meet or support the general requirements given in section 4.2.1.
B. When determining overall accuracy requirements based on multiple contributing factors, a Square Root of the Sum of Squares (SRSS) may be used to combine independent random contributions. For deterministic and dependent random factors, the contributions must be algebraically added.
C. Unless otherwise noted, the PLC and its modules shall meet the requirements for the range of environmental conditions given in section 4.3.6.

[19] This requirement is included to avoid potential continued operation following memory corruption caused by the processor continuing to operate through a power dip that is low enough to cause incorrect memory reads/writes.
[20] It is possible that a single user, or a small group of users, could have sufficient sample size and operating history to provide meaningful statistics independent of the vendor. It is conceivable that users in this category could have an internal tracking system that could be used to supplement the vendor program.
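The processor-to-processor failure detection link of 4.2.3.4.B above (dual dedicated paths, no stall or conflicting detection on loss of one path, one defined outcome on loss of all paths, a remote alarm, and a data quality check at least as robust as CRC-16), as an added example in Python that is not code from the EPRI document or from any PLC vendor: a heartbeat frame with a CRC-16/CCITT trailer, a parser that rejects missing, truncated or corrupted frames, and a per-scan evaluation of the copies received over two paths. The frame layout, the status codes, the stale-sequence rule and the rule that two valid copies which disagree are treated as a peer fault are my assumptions.

```python
import struct

CRC_POLY = 0x1021  # CRC-16/CCITT generator polynomial, processed MSB first


def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection, no final XOR."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


# Assumed heartbeat layout: source processor id, scan sequence number, status byte, CRC-16.
HEADER = struct.Struct(">BIB")
TRAILER = struct.Struct(">H")
STATUS_OK = 0x00
STATUS_FAULT = 0x01


def build_frame(src, seq, status):
    body = HEADER.pack(src, seq, status)
    return body + TRAILER.pack(crc16_ccitt(body))


def parse_frame(frame):
    """Return (src, seq, status), or None when the frame is missing, truncated or fails the CRC."""
    if frame is None or len(frame) != HEADER.size + TRAILER.size:
        return None
    body, trailer = frame[:HEADER.size], frame[HEADER.size:]
    if crc16_ccitt(body) != TRAILER.unpack(trailer)[0]:
        return None
    return HEADER.unpack(body)


def evaluate_peer(path_frames, peer_id, last_seq):
    """Decide the peer's state from the copies received this scan on each dedicated path.

    path_frames: {path name: raw frame bytes or None}
    peer_id:     processor id the frames must carry
    last_seq:    sequence number accepted on the previous scan; older or repeated
                 frames are stale (duplicated or replayed) and count as a lost path

    Loss of one path keeps the PLC running and raises an alarm (B.2, B.4).
    Loss of all paths gives one defined outcome, a halt (B.3), not an
    indeterminate state.  The result depends on the inputs only, so both
    redundant processors reach the same verdict (no conflicting detection).
    """
    fresh = {}
    for path, frame in path_frames.items():
        decoded = parse_frame(frame)
        if decoded is not None and decoded[0] == peer_id and decoded[1] > last_seq:
            fresh[path] = decoded
    alarms = [f"path {p} lost" for p in sorted(set(path_frames) - set(fresh))]
    if not fresh:
        return {"peer_ok": False, "halt": True, "seq": last_seq,
                "alarms": alarms + ["all paths lost"]}
    seq = max(d[1] for d in fresh.values())
    statuses = {d[2] for d in fresh.values() if d[1] == seq}
    if len(statuses) > 1:
        # Two valid copies of the same scan disagree: resolve it one way (assume the
        # peer is faulted and alarm) instead of believing each path separately.
        alarms.append("conflicting peer status")
        peer_ok = False
    else:
        peer_ok = statuses.pop() == STATUS_OK
    return {"peer_ok": peer_ok, "halt": False, "seq": seq, "alarms": alarms}


def demo():
    """Constructed scan: path A delivers the peer's frame intact, path B delivers it with one bit flipped."""
    good = build_frame(2, 1001, STATUS_OK)
    damaged = bytearray(good)
    damaged[4] ^= 0x40          # flip a bit in the sequence number; the CRC no longer matches
    return evaluate_peer({"A": good, "B": bytes(damaged)}, peer_id=2, last_seq=1000)


if __name__ == "__main__":
    print(demo())
```

The CRC detects the single flipped bit on path B, so that path is reported lost and alarmed while the PLC keeps running on path A; with both paths missing, stale, or carrying the wrong source id the verdict is a halt, which B.3 permits. The check is an integrity check against random corruption only: a CRC is not a message authentication code, and nothing here defends a link that an attacker can write to.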
The surge and isolation requirements given in the following subsections are based on I/O modules with a single type of I/O per module. If single assemblies which contain both inputs and outputs, or both high and low energy signals, are used to meet any of the requirements, then the isolation and surge protection between inputs and outputs and between low energy and high energy signals shall meet the module isolation and surge withstand requirements given in the following subsections. Special purpose modules that require both inputs and outputs to perform their function (e.g. PID modules) are exempt from this requirement.

4.3.1.3 External Device Requirements

In the several subsections of sections 4.3.2 and 4.3.3 the use of external devices to meet some of the requirements is permitted. This in no way implies that the use of external devices is encouraged or preferred. They are to be used only as a last resort. If they are used, the manufacturer shall:

A. Define requirements and specifications for the device.
B. Demonstrate that devices which meet the requirements and specifications are available.
C. Demonstrate that the overall performance of the associated modules meets all other pertinent requirements and specifications with the external device installed.
D. Include any external devices under the requirements in section 4.2.3 and its subsections.

4.3.2 Input Requirements

4.3.2.1 Analog Input Requirements

The PLC shall have modules that provide analog inputs as given in the following subsections. The inputs may be provided by modules that cover a single range or by modules that can be configured to cover two or more of the ranges. Requirements that apply to all inputs are:

A. Monotonicity. The inputs shall be monotonic within ±1/2 LSB.
B. Number of channels. Each module shall provide a minimum of 4 input channels.
C. Over range. The converted value shall remain at its maximum value for over range inputs up to twice the rated input.
D. Under range. The converted value shall remain at its minimum for inputs up to twice the rated low level input for bipolar inputs, and up to the negative of the rated value for unipolar inputs.
E. Under range and over range conditions shall be indicated with a flag that is available to the application program.
F. The manufacturer shall provide the individual contributions to accuracy in the following, or equivalent, categories: [21]
1. Calibrated accuracy, including hysteresis and non-linearity.
2. Repeatability.
3. Temperature sensitivity.
4. Drift with time.
5. Power supply variations.

4.3.2.1.1 Voltage Input Requirements

A. The PLC shall have analog voltage inputs that cover ranges of: [22]
1) 0 to 10 VDC and
2) -10 to +10 VDC and
3) 0 to 5 VDC
The PLC shall provide both differential and single ended inputs for these ranges.

[21] The breakdown is needed to support setpoint analysis.
[22] These requirements are taken from references 3.4.1 and 3.4.2. Each input range appeared in at least one class 1E system in the references. Some special ranges that appeared in the references are not supported by PLCs in general and were not included.
B. The overall accuracy, including repeatability, hysteresis, linearity, and one year of drift, shall be equal to or better than ±0.32% [23] of the specified range over the range of environmental operating conditions given in section 4.3.6.
C. The minimum resolution shall be 12 bits.
D. The common mode voltage shall be at least 10 volts, with a common mode rejection ratio of at least 90 dB.
E. The overall response, including any filtering and data conversion time, must support [24] the overall response requirement given in section 4.2.1. The response time shall include consideration of the input capacitance with a source impedance of up to 5 kohm.
F. The group to group isolation [25] shall be at least ±30 volts peak. No input signal within this range shall cause more than a 0.05% change to any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed and a source impedance of up to 1 kohm.
G. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed and a source impedance of up to 1 kohm.
H. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed and a source impedance of up to 1 kohm.
I. The input impedance shall be at least 1 megohm.

4.3.2.1.2 Current Input Requirements

Differential voltage inputs with external current to voltage conversion may be used to meet these requirements. If external current to voltage conversion is used, then the overall requirements must be met with the current to voltage device characteristics included.

A. The PLC shall have analog current inputs that cover ranges of: [26]
1) 4 to 20 mA or 0 to 20 mA [27] and
2) 10 to 50 mA or 0 to 50 mA
B. The overall accuracy, including repeatability, hysteresis, linearity, and one year of drift, shall be equal to or better than ±0.35% of the specified range over the range of environmental operating conditions given in section 4.3.6.
C. The minimum resolution shall be 12 bits. (Note that 11 bits plus sign is considered to be the equivalent of 12 bits for bipolar inputs.)
D. The common mode voltage capability shall be at least 10 volts.
E. The common mode rejection ratio shall be at least 90 dB.

[23] This accuracy is judged to be suitable for a variety of applications. Note that using a PLC will generally result in a drift free (i.e. digital) setpoint. For any application of a PLC a setpoint analysis based on the error contributions of the PLC should be performed.
[24] The "must support" requirement is used here and in following sections instead of a specific requirement because the combination of I/O module response plus main processor loop time must meet the section 4.2.1 overall response requirement. The split between the various items will depend on the characteristics of a specific product line. The requirement is for overall response, not for the response of a specific item.
[25] In this context, a group is a set of channels on a module that share a common ground. The number of channels per group varies from 1 to the number of channels on a module.
[26] These requirements are taken from references 3.4.1 and 3.4.2. Each input range appeared in at least one class 1E system in the references. Some special ranges that appeared in the references are not supported by PLCs in general and were not included. Note that the 10-50 mA range is not generally supported by the current generation of PLCs but is commonly used in some of the early LWRs.
[27] A bipolar range may be used but must meet the overall requirements for the truncated range.
F. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
G. The group to group isolation shall be at least ±30 volts peak. No input signal within this range shall cause more than a 0.05% change to any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
H. The module isolation shall be at least 1000 VAC applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
I. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
J. The input impedance shall be 250 ohms maximum.

4.3.2.1.3 RTD Input Requirements

A. The PLC shall have input modules suitable for both European (using RTD elements with calibration characteristics per DIN 43 760) and US standard 100 ohm RTDs.
B. The range shall be at least 0 to 800 °C (32 to 1472 °F).
C. The overall accuracy, including repeatability, hysteresis, linearity, and one year of drift, shall be ±2 °C (±3.6 °F) or better over the range of environmental operating conditions given in section 4.3.6.
D. The minimum resolution shall be 12 bits.
E. The common mode voltage capability shall be at least 10 VDC.
F. The common mode rejection ratio shall be at least 90 dB.
G. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1 when the measured temperature is changing at 1 °C (1.8 °F) per second.
H. The group to group isolation shall be at least ±30 volts peak. No input signal within this range shall cause more than a 0.3 °C (0.54 °F) change in any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
I. The module isolation shall be at least 1000 VAC applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
J. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
K. The input impedance shall be 1 megohm minimum.

4.3.2.1.4 Thermocouple Input Requirements

The module must meet the performance requirements with 1000 feet of 20 AWG thermocouple extension wire [28] connected to the input.

[28] This is the maximum expected length and smallest expected wire size for thermocouple extension wire used in nuclear power plants.
A. The PLC shall have thermocouple inputs for the following thermocouple types, with a minimum measurement span as follows: [29]
1) Type B, 0 to 1800 °C (32 to 3272 °F) and
2) Type E, 0 to 1000 °C (32 to 1832 °F) and
3) Type J, 0 to 1200 °C (32 to 2192 °F) and
4) Type K, 0 to 1300 °C (32 to 2372 °F) and
5) Type N, 0 to 1250 °C (32 to 2282 °F) and
6) Type R, 0 to 1700 °C (32 to 3092 °F) and
7) Type S, 0 to 1700 °C (32 to 3092 °F) and
8) Type T, 0 to 400 °C (32 to 752 °F)
B. The overall accuracy, including repeatability, hysteresis, linearity and 1 year of drift, shall be equal to or better than the following over the range of operating conditions given in section 4.3.6:
1) Type B, ±2.5 °C (±4.5 °F) and
2) Type E, ±3.0 °C (±5.4 °F) and
3) Type J, ±3.5 °C (±6.3 °F) and
4) Type K, ±4.0 °C (±7.2 °F) and
5) Type N, ±2.0 °C (±3.6 °F) and
6) Type R, ±2.5 °C (±4.5 °F) and
7) Type S, ±2.5 °C (±4.5 °F) and
8) Type T, ±2.5 °C (±4.5 °F)
C. The cold junction compensation shall support the specified accuracy for the environmental temperature range referenced in item B.
D. The minimum resolution shall be at least 0.1 degrees for both °F and °C scaling.
E. The common mode voltage capability shall be at least 10 VDC.
F. The common mode rejection ratio shall be at least 90 dB.
G. The module shall provide open thermocouple detection.
H. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1 when the measured temperature is changing at 1 °C (1.8 °F) per second.
I. The group to group isolation shall be at least ±30 volts peak. No input signal within this range shall cause more than a 0.3 °C (0.54 °F) change in any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
J. The module isolation shall be at least 1000 VAC applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
K. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed.
L. The input impedance shall be 1 megohm minimum.

4.3.2.2 Discrete Input Requirements

The PLC shall have input modules that provide for the inputs as given in the following sections. The inputs may be provided by modules that cover a single range or by modules that can be configured to cover, or are capable of covering, two or more of the ranges. Any ranges not directly covered by a module may be provided using a module with a lower nominal range and a suitable external voltage divider. If an external voltage divider is used, the overall requirements must be met with the external device installed. Requirements that apply to all inputs are:

A. Each module shall provide a minimum of 8 input channels.
B. The modules must be provided with indicators that show the ON/OFF status of each of the points.

[29] These are the most commonly used industrial thermocouple types. The most commonly used in LWRs are types J, K, T, and E. The ranges given are typical of the ranges for industrial thermocouple signal conditioners. Typical LWR required ranges for safety system actuation are smaller.
4.3.2.2.1 Discrete AC Input Requirements

A. The PLC shall have discrete AC voltage inputs for nominal inputs of: [30]
1) 120 VAC and
2) 24 VAC
B. The input must transition to ON at:
1) 120 VAC input: 90 VAC max., and
2) 24 VAC input: 20 VAC max.
C. The input must transition from ON to OFF between:
1) 120 VAC input: 65 to 25 VAC, and
2) 24 VAC input: 15 to 6 VAC.
D. The input must operate for an input up to at least:
1) 120 VAC input: 150 VAC min., and
2) 24 VAC input: 40 VAC min.
E. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
F. The group to group isolation shall be at least 600 volts peak for the 120 VAC input and 100 volts peak for the 24 VAC input. This requirement shall be interpreted as follows: applying this level to an input shall not cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
G. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
H. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.2.2.2 Discrete DC Input Requirements

A. The PLC shall have discrete DC voltage inputs that cover nominal inputs of: [30]
1) 125 VDC and
2) 24 VDC and
3) 15 VDC and
4) 12 VDC.
B. The input must transition to ON at:
1) 125 VDC input: 90 VDC max.
2) 24 VDC input: 20 VDC max.
3) 15 VDC input: 12 VDC max.
4) 12 VDC input: 10 VDC max.
C. The input must transition from ON to OFF between:
1) 125 VDC input: 65 to 25 VDC.
2) 24 VDC input: 15 to 6 VDC.
3) 15 VDC input: 9 to 4 VDC.
4) 12 VDC input: 7.5 to 3 VDC.
D. The input must operate for an input up to at least:
1) 125 VDC input: 150 VDC min.
2) 24 VDC input: 40 VDC min.
3) 15 VDC input: 25 VDC min.
4) 12 VDC input: 20 VDC min.
E. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
F. The group to group isolation shall be at least:
1) 125 VDC input: 600 volts peak.
2) 24, 15, 12 VDC input: 40 volts peak.
This requirement shall be interpreted as follows: applying this level to an input shall not cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

[30] These requirements are taken from references 3.4.1 and 3.4.2. Each input range appeared in at least one class 1E system in the references.
HLP-001-S-01(Q) Rev C Page 22 of 72

G. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
H. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.2.2.3 TTL Input Requirements

A. The PLC shall have discrete TTL level inputs.
B. The switch points shall be the standard TTL levels.
C. The input must operate for an input up to at least 8 VDC.
D. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
E. The group to group isolation shall be at least 25 VDC. Applying this level to an input shall not cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
F. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
G. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.2.3 Other Inputs

4.3.2.3.1 Pulse Input Requirements

The PLC shall have pulse inputs as follows:
A. The module shall have at least two inputs.
B. The count frequency range shall be at least 20 to 5000 Hz.
C. The input must operate for an input pulse height with a range of at least 3 to 28 VDC and a pulse duty cycle range of at least 10 to 90%.
D. The module shall have up and down count modes with a count range of at least 9999. The accuracy of the count, including repeatability and one year of drift, shall be 0.1% or better over the range of environmental operating conditions given in section 4.3.6.
E. The module shall have a frequency mode with a range of at least 20 to 5000 Hz. The accuracy of the frequency, including repeatability and one year of drift, shall be 0.1% or better over the range of environmental operating conditions given in section 4.3.6.
F. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
G. The group to group isolation shall be at least 40 VDC. Applying this level to an input shall not cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
H. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
I. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.3 Output Requirements

4.3.3.1 Analog Output Requirements

The PLC shall have modules that provide the analog outputs as given in the following sections. The outputs may be provided by modules that cover a single range or by modules that can be configured to cover two or more of the ranges. Requirements that apply to all analog outputs are:
A. Monotonicity. The outputs shall be monotonic within ±1/2 LSB.
B. Number of channels. Each module shall provide a minimum of 4 output channels.
C. The manufacturer shall provide the individual contributions to accuracy in the following, or equivalent, categories:
 1. Calibrated accuracy, including hysteresis and non-linearity.
 2. Repeatability.
 3. Temperature sensitivity.
 4. Drift with time.
 5. Power supply variations.

4.3.3.1.1 Voltage Output Requirements

A. The PLC shall have analog voltage outputs that cover ranges of:
 1) 0 to 10 VDC and
 2) -10 to +10 VDC and
 3) 0 to 5 VDC.
The PLC shall provide differential outputs for these ranges.
B. The overall accuracy, including repeatability, hysteresis, linearity, and one year of drift, shall be ±0.3% of the specified range or better over the range of operating conditions given in section 4.3.6.
C. The minimum resolution shall be 12 bits.
D. The outputs shall meet the requirements for a load impedance of 1 Kohm or greater.
E. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
F. The group to group, module to module, and module to backplane isolation shall be at least 1000 volts peak for 30 seconds. This requirement shall be interpreted as applying this level to an output. No signal within this range, when applied for the specified time, shall cause more than a 0.05% change to any other channel on the module, disrupt the operation of any other module, or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed with a load impedance as small as 1 Kohm.
G. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module output point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed and with a load impedance as small as 1 Kohm.

4.3.3.1.2 Current Output Requirements

A. The PLC shall have analog current outputs that cover ranges of:
 1) 4 to 20 ma or 0 to 20 ma and
 2) 10 to 50 ma or 0 to 50 ma.
B. The overall accuracy, including repeatability, hysteresis, linearity and one year of drift, shall be ±0.32% of full range or better for 4 to 20 ma and 0.42% of full range or better for 10 to 50 ma outputs over the range of operating conditions given in section 4.3.6.
C. The minimum resolution shall be 12 bits.
D. The outputs shall meet the requirements for a load impedance of 1 Kohm or less on the 4-20 ma outputs or for a load impedance of 400 ohms or less for the 10-50 ma outputs.
E. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
F. The group to group, module to module, and module to backplane isolation shall be at least 1000 volts peak for 30 seconds. This requirement shall be interpreted as applying this level to an output. No signal within this range, when applied for the specified time, shall cause more than a 0.05% change in any other channel on the module, disrupt the operation of any other module, or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed with a load impedance as small as 1 Kohm.
G. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module output point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall accuracy and response requirements must be met with the external device installed and with a load impedance as small as 1 Kohm.

4.3.3.2 Discrete Output Requirements

The PLC shall have modules that provide the discrete outputs as given in the following sections. The outputs may be provided by modules that cover a single range or by modules that can be configured to cover two or more of the ranges or are capable of covering two or more ranges. Any ranges not directly covered by a module may be provided using a PLC module with a higher nominal range along with a suitable external voltage divider. If an external voltage divider is used, the overall requirements must be met with the external device installed. Requirements that apply to all discrete outputs are:
A. Each module shall provide a minimum of 8 output channels.
B. The leakage current in the OFF state shall be the lesser of:
 1. The values specified in the following subsections, OR
 2. 80% of the minimum current needed to turn ON any of the input modules whose range includes the nominal value of the output.[31]
For output modules that are designed with internal ringback of the output only item B.1 applies.
C. The outputs must be provided with a fuse commensurate with the specified output drive capability of the module.
D. The modules must be provided with indicators that show the ON/OFF status of each of the points.

4.3.3.2.1 Discrete AC Output Requirements

A. The PLC shall have discrete AC voltage outputs for nominal levels of:
 1) 120 VAC and
 2) 24 VAC
B. The outputs must operate as specified with an output current between 50 ma and 0.5 amps with an inrush capability of at least 2 amps.
C. The ON state voltage drop shall not exceed 2 VDC at 0.5 amps.
D. The OFF state leakage shall not exceed 2 ma.

Footnote 31: That is, the off state leakage of an output must be less than the drive current of an input so that connecting a PLC output to a PLC input will not result in the input always being on. This is included to permit the use of ringback of outputs if needed for applications.
E. The outputs must operate with a 47 to 63 Hz source over a range of at least:
 1) 120 VAC output: 90 to 130 VAC min. and
 2) 24 VAC output: 20 to 28 VAC min.
F. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
G. The group to group isolation shall be at least 600 volts peak for the 120 VAC output and 100 volts peak for the 24 VAC output. No signal within this range shall cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
H. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
I. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.3.2.2 Discrete DC Output Requirements

A. The PLC shall have discrete DC voltage outputs for nominal levels of:
 1) 125 VDC and
 2) 48 VDC and
 3) 24 VDC and
 4) 15 VDC and
 5) 12 VDC.
B. The output must operate as specified with an output current between 50 ma and 0.5 amps with a surge capability of at least 2 amps.
C. The ON state voltage drop shall not exceed 2 VDC at 0.5 amps.
D. The OFF state leakage shall not exceed 2 ma.
E. The output must operate when supplied with a source over a range of at least:
 1) 125 VDC output: 90 to 140 VDC min. and
 2) 48 VDC output: 35 to 60 VDC min. and
 3) 24 VDC output: 20 to 28 VDC min. and
 4) 15 VDC output: 12 to 18 VDC min. and
 5) 12 VDC output: 10 to 14 VDC min.
F. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
G. The group to group isolation shall be at least twice the nominal output. No signal within this range shall cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
H. The module isolation shall be at least 1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
I. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.3.2.3 Relay Output Requirements

A. The PLC shall have relay output modules available that provide normally open and normally closed contacts.[32]

Footnote 32: PLCs do not have output modules that provide multiple contacts with special features. In particular, make before break and break before make type output modules are not available.
B. The continuous current carrying capacity must be at least 2 amps with make and break switching capability of at least 750 VA for AC and 150 watts for DC.
C. The contact resistance shall not exceed 0.2 ohms.
D. The contact must operate from a source of up to 30 VDC or 150 VAC.
E. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
F. The group to group isolation shall be at least 600 volts peak. No signal within this range shall cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
G. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
H. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.3.2.4 TTL Output Requirements

A. The PLC shall provide for TTL level outputs.
B. The applied voltage range shall be standard TTL levels.
C. The overall response, including any filtering and data conversion time, must support the overall response requirement given in section 4.2.1.
D. The group to group isolation shall be at least 25 VDC. No signal within this range shall cause misoperation of any other channel on the module. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
E. The module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level for the specified time shall not disrupt the operation of any other module or disrupt the operation of the chassis backplane. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.
F. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to a module input point shall not damage any other module in the PLC nor cause disruption of the operation of the backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement. If external devices are used, the overall requirements must be met with the external device installed.

4.3.4 Processor/Other System Component Requirements

4.3.4.1 Processor Loop Time Requirements

The processor loop time, including reading and storing the inputs, executing the application program, output signal scaling, and sending the outputs, shall support the overall response requirement given in section 4.2.1. In addition, the processor loop time shall be faster than the longer of 1) the analog input conversion time or 2) the period associated with 2.5 times the analog input filter cutoff frequency.[33] For example, if the conversion time is 25 milliseconds and the input filtering cutoff is 16 Hz, then the maximum permissible loop time is 20 milliseconds. However, if the filter cutoff is at 4 Hz, then the permissible loop time is 100 milliseconds [1/(4 Hz*2.5)].

Footnote 33: The loop time is based on sampling the analog inputs fast enough to avoid frequency aliasing.
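The loop time bound of section 4.3.4.1 and the OFF-state leakage rule of section 4.3.3.2 item B, written out as checks a qualification reviewer can run against data sheet values. This is an added example, not code from the EPRI document or its authors; the input module names and sample values are constructed.

```python
"""Added example, not part of the EPRI/S. Levy document: two of the numeric
acceptance rules of this section written as functions that can be run
against vendor data sheet values. All sample values and module names are
constructed."""
from dataclasses import dataclass
from typing import Sequence


def max_loop_time_s(conversion_time_s: float, filter_cutoff_hz: float) -> float:
    """Section 4.3.4.1: the loop time must be faster than the longer of
    (1) the analog input conversion time and (2) the period associated with
    2.5 times the input filter cutoff frequency (footnote 33: sample fast
    enough to avoid aliasing). Returns that bound in seconds."""
    if conversion_time_s <= 0 or filter_cutoff_hz <= 0:
        raise ValueError("conversion time and filter cutoff must be positive")
    anti_alias_period_s = 1.0 / (2.5 * filter_cutoff_hz)
    return max(conversion_time_s, anti_alias_period_s)


def loop_time_acceptable(loop_time_s: float, conversion_time_s: float,
                         filter_cutoff_hz: float, response_budget_s: float) -> bool:
    """Both clauses of 4.3.4.1: the loop time must fit the overall response
    requirement of section 4.2.1 (passed in as a time budget, since that
    section is not reproduced here) and be strictly faster than the
    sampling bound computed above."""
    if loop_time_s <= 0:
        raise ValueError("loop time must be positive")
    within_response = loop_time_s <= response_budget_s
    within_sampling = loop_time_s < max_loop_time_s(conversion_time_s, filter_cutoff_hz)
    return within_response and within_sampling


@dataclass(frozen=True)
class DiscreteInput:
    """A discrete input module type that an output might be wired back to."""
    name: str
    range_low_v: float
    range_high_v: float
    min_turn_on_ma: float  # smallest current that turns the input ON


def allowed_off_leakage_ma(subsection_limit_ma: float, nominal_output_v: float,
                           inputs: Sequence[DiscreteInput],
                           internal_ringback: bool = False) -> float:
    """Section 4.3.3.2 item B: the OFF-state leakage limit is the lesser of
    (1) the limit given in the output subsection and (2) 80% of the minimum
    turn-on current of any input module whose range includes the output's
    nominal value. For modules with internal ringback only item B.1 applies."""
    if internal_ringback:
        return subsection_limit_ma
    turn_on = [i.min_turn_on_ma for i in inputs
               if i.range_low_v <= nominal_output_v <= i.range_high_v]
    if not turn_on:  # no input module could be driven by this output
        return subsection_limit_ma
    return min(subsection_limit_ma, 0.8 * min(turn_on))


def off_leakage_acceptable(measured_leakage_ma: float, subsection_limit_ma: float,
                           nominal_output_v: float, inputs: Sequence[DiscreteInput],
                           internal_ringback: bool = False) -> bool:
    """True when a measured OFF-state leakage respects the 4.3.3.2.B limit,
    i.e. wiring this output to any matching input cannot hold it ON
    (footnote 31)."""
    limit = allowed_off_leakage_ma(subsection_limit_ma, nominal_output_v,
                                   inputs, internal_ringback)
    return measured_leakage_ma <= limit


# Constructed sample input modules (hypothetical, not from the document).
SAMPLE_INPUTS = (
    DiscreteInput("DI-24", 20.0, 28.0, 2.0),    # 24 VDC input, turns ON at 2.0 ma
    DiscreteInput("DI-48", 35.0, 60.0, 3.0),    # 48 VDC input, not in range for 24 V
    DiscreteInput("DI-WIDE", 10.0, 30.0, 5.0),  # wide-range input, turns ON at 5.0 ma
)

if __name__ == "__main__":
    # 4.3.4.1 case from the text: 25 ms conversion, 4 Hz cutoff -> 100 ms bound.
    print("loop time bound at 4 Hz:", max_loop_time_s(0.025, 4.0), "s")
    # 24 VDC discrete output: subsection limit 2 ma (4.3.3.2.2 item D) against
    # 80% of the 2.0 ma turn-on current of DI-24; 1.6 ma governs.
    print("allowed OFF leakage for 24 VDC output:",
          allowed_off_leakage_ma(2.0, 24.0, SAMPLE_INPUTS), "ma")
```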
4.3.4.2 Memory Capacity and Data Retention Capability Requirements

The memory capacity of the main processor shall provide sufficient program memory, non-volatile program constant memory, and scratch pad memory to provide the following capabilities in a single application program (see section 4.4.3 for a description of the element functions):[34]
A. I/O buffers to support the I/O capacity requirements given in section 4.2.1.
B. Non-volatile constants for scaling/calibrating 200 analog I/O.
C. 100 non-volatile setpoints and other values.
D. 1000 simple contacts (i.e. NO, NC).[35]
E. 100 transition contacts.
F. 300 coils.
G. 200 relational operators.
H. 100 timers/counters.
I. 5 PID loops.
J. 50 value limiters.
K. 1000 character communication buffer.
L. 1500 simple math operations.
The memory used to contain the application program, its associated constants, and field modifiable parameters associated with the application program shall be capable of retaining the information for a minimum of 6 months with no power applied to the unit.[36] Any memory used for field modifiable constants shall be capable of at least 100,000 write cycles.

4.3.4.3 Data Acquisition Requirements

The PLC shall be capable of transferring information between the main processor and I/O modules mounted in the same chassis. In addition, the PLC shall be capable of transferring information between expansion and/or remote I/O chassis needed to support the I/O capacity requirements. The rate of transfer between the local modules, expansion chassis modules, and remote I/O modules must support the response time requirements per sections 4.2.1 and 4.3.4.1. Any devices required for connecting the main chassis to remote chassis shall meet the following requirements:
A. The interfacing devices shall meet the requirements for the range of environmental conditions given in section 4.3.6.
B. Any failures in the interconnect modules on the expansion or remote chassis shall not defeat the ability to transfer information between the main processor and local I/O.
C. Loss of power in interconnect modules located on the expansion or remote chassis shall not defeat the ability to transfer information between the main processor and its local I/O or I/O on any other chassis.
D. The main chassis interconnect module isolation shall be at least ±1000 volts peak applied for 30 seconds. Applying this level to the interconnect path for the specified time shall not disrupt the operation of any other I/O module on the main chassis or disrupt the operation of the main chassis backplane. External devices may be used to meet this requirement.

Footnote 34: For specific PLCs, some of the functions may have different names and can be provided in a variety of ways or by combinations of more basic elements. If combinations of basic elements are used to form any part of the required functions, then the number of required primitive elements must be increased by the amount required to support the complex functions specified in the following.
Footnote 35: PLCs do not generally have output modules that provide multiple contacts with special features. In particular, make before break and break before make type output modules are not available. These types could be simulated using multiple PLC scans. However, the timing resulting from the simulation is quite different from conventional relays and could violate the relative timing assumptions used in the original design. In addition, the overall response would have to be met with the additional scan cycles included. In general, these types of contact transitions should be provided external to the PLC.
Footnote 36: The application program could be contained in battery backed RAM, EEPROM, or some other type of non-volatile memory. This requirement is a "shelf life" requirement for the application program retention.
E. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to the interconnect path shall not damage any other module in the main chassis nor cause disruption of the operation of the main chassis backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement.
F. The data acquisition time shall be deterministic or the manufacturer shall provide information needed to establish the maximum possible data acquisition time based on the I/O configuration and any other factors that may affect the time.
G. If inter-processor data acquisition backplane busses are used as part of implementing any redundancy, then:
 1. The busses shall be at least dual redundant.
 2. Loss of one bus shall not cause any processor to stall nor result in indeterminate fault detection nor create a potential for conflicting fault detection.
 3. Loss of all busses, or loss of more than one bus for PLCs with triplicated busses, shall not result in indeterminate fault detection nor create a potential for conflicting fault detection. A halt of all redundant processors is acceptable.
 4. The capability to provide a remote alarm on loss of one or more busses shall be provided.
 5. The data acquisition time shall be deterministic (i.e. the time it takes to transfer data shall be well defined).
 6. The response time requirement shall be met with the maximum time needed to provide any time synchronization and to acquire the data added to the nominal loop time.

4.3.4.4 Communication Port Requirements

The main processor shall provide at least one communication port. The requirements for the communication port are:
A. The port shall support data rates up to at least 9600 Baud.
B. The port's electrical and connector interface shall support RS-232, RS-422, RS-485 or another widely used standard physical layer protocol.
C. The port must provide for positive hold down of connectors.
D. For multiple ports, the port to port isolation shall be at least 1300 volts peak for 30 seconds. Applying this level to the port connections shall not disrupt the operation of any other ports, the main processor or any other I/O module. External devices may be used to meet this requirement.
E. The port to processor isolation shall be at least ±1000 volts peak applied for 30 seconds. After applying this level to the port connections for the specified time, the normal main processor operation shall be restored. External devices may be used to meet this requirement.
F. The surge withstand shall be as given in section 6.3.5. Applying this level of surge to the port connections shall not damage the main processor or any other module in the main chassis nor cause disruption of the operation of the main chassis backplane signals for more than one PLC scan cycle. External devices may be used to meet this requirement.

4.3.4.5 Coprocessor Module Requirements

Coprocessors are devices that may be installed in I/O slots but contain local processing capability independent of the main processor. The hardware requirements that apply to coprocessors are:
A. The coprocessors shall meet the requirements for the range of environmental conditions given in section 4.3.6.
B. Any communication ports on the coprocessor shall meet the requirements of section 4.3.4.4.
C. Any I/O contained on the coprocessor shall meet the applicable requirements given in sections 4.3.2 and 4.3.3. For PID modules, the analog inputs and outputs assigned to a given loop do not need to
independently meet the reference section requirements but together they shall meet the combined signal accuracy requirements for an analog input and output.[37]
D. For coprocessors that are intended for executing a customized version of a high level language,[38] a minimum of 32 K of non-volatile application program memory shall be provided. The application program memory shall be capable of at least 100,000 write cycles.
E. Transfer of I/O data between the coprocessor and the main processor shall not disrupt the main processor scan cycle or main processor I/O transfer.
F. A general purpose coprocessor must provide the capability to store data values acquired by the application program in NVRAM.[39]
G. For redundant co-processors, the hardware/software design shall:
 1. Provide any synchronization needed to implement self-diagnostics and to support application program co-ordination between co-processors.
 2. Manage any information transfers needed to support self-diagnostics.
 3. Provide transparent transfer of I/O data from other redundant devices within the PLC.

4.3.4.6 Chassis Requirements

The chassis used for containing the modules must meet or exceed the following requirements:
A. The chassis must be suitable for mounting in a standard 19 inch rack. The use of adapters for mounting is permitted, but the adapters shall be included as part of the qualification.
B. The chassis must provide positive hold down for the modules.
C. The chassis must have sufficient strength to meet the seismic requirements given in section 6.3.4.

4.3.4.7 Backup Devices/Redundancy Requirements

Redundancy may be used to meet the overall availability/reliability requirements. Any redundant devices shall meet the following requirements:
A. Automatic transfer to a back up device shall occur within the larger of two main processor scan cycles or 3 data conversion cycles of the failed module.
B. Features and/or procedures shall be provided to assure that any undetected failures in any redundant modules can be detected during periodic surveillance testing.
C. The diagnostics shall not result in any indeterminate failure states that cause repetitive alternation between the selection of redundant modules or cause lack of agreement between modules such that two or more redundant modules are selected simultaneously.
D. The mechanism for transferring between redundant analog I/O modules shall not cause more than a 0.5% transient shift in the final output signal or the input level sensed by the PLC. For cases where the failure of the active module caused the signal to shift by a larger amount prior to transfer, the transfer mechanism shall not cause more than a 0.5% transient shift in the signal level of the backup device. In either case, the signal shall settle to within the accuracy specifications within the greater of two main processor scan cycles or 2 I/O module data conversion cycles.
E. For surge withstand and module isolation requirements, the redundant modules may be treated as a single module.

4.3.5 Programming Terminal Requirements

If a special programming terminal panel is required for programming the PLC or is to be used for developing applications for the generic PLC platform, then:

Footnote 37: For PID controllers, the overall loop accuracy is the defining requirement. The error distribution between the input and the output is of little significance.
Footnote 38: The high level language may be somewhat different than a standard language in that it does not contain features that are not needed for control applications and may have additional features to support control actions.
Footnote 39: This is included to permit storing calibration information, alarm data, and sequence of event data in a manner that can be retrievable following a loss of power.
A. The hardware and software/firmware for the device shall meet the requirements of section 7 and its applicable subsections.
B. The software/firmware shall meet the applicable requirements for software tools and configuration management aids of sections 4.4.4 and 4.4.5.2.
C. The software/firmware shall meet the V&V requirements of section 4.4.10.

4.3.6 Normal Environmental Requirements

The operating environment in which the PLC must meet the performance requirements given in sections 4.3.2 through 4.3.4 is as follows. Requirements for performance under abnormal or extreme conditions are given in section 6.0.
A. Temperature Range. The PLC shall remain operable over an ambient temperature of 0 to 60 °C (32 to 140 °F) near the fan inlet if forced circulation is used or at the bottom of the chassis if natural circulation cooling is used.
B. Humidity. The PLC must operate over a 10 to 95% (non-condensing) relative humidity range.
C. Pressure. The PLC must operate over a -1 to 1 psig ambient pressure range.
D. Power Sources. The PLC must operate within specification for the power source ranges given in items A and B of section 4.7.1.1.

4.4 SOFTWARE/FIRMWARE

4.4.1 Executive

4.4.1.1 Background

Operating systems range from complex monolithic packages (UNIX, Windows, System 7.5) to very simple, reliable, ROM resident packages (e.g. simple, diskless word processors such as "alpha-smarts"). The operating system that is resident in a typical PLC main processor tends to the smaller, simpler packages that contain only those functions needed to perform control actions. The operating system is sometimes called the PLC "executive" to distinguish it from the large, general purpose operating systems.
4.4.1.2 Main Processor Executive Capability Requirements

The main processor executive shall provide capabilities to:
A. Acquire inputs from the modules.
B. Implement the application program in a continuous loop while in the run mode.
C. Load the outputs to the modules.
D. Perform the power up and run time diagnostics per section 4.4.6.
E. Manage communication functions.
F. Provide features to permit uploading of the application program while in the program mode.
G. Provide features to support the on-line diagnostics requirements given in section 4.4.6 and maintenance and troubleshooting features per section 4.8.
H. Implement at least the minimum set of functions available for the application program specified in section 4.4.3.
I. Perform those power up initialization actions needed to assure a graceful start up of the PLC. This includes power up diagnostics, setting the I/O and any I/O configurations required by the PLC design, and setting memory to default values.
J. For PLCs with redundant I/O capability, the I/O selection shall be transparent to the application program. Also, any synchronization needed to implement the redundancy and cross checking algorithms shall be transparent to the application program.
HLP-001-S-01(Q) R;v C Prga 31 of 72 4.4.1.3 Program Flow Control Requirements For those PLCs where scanning of the inputs and application program execution are performed in parallel, the PLC executive or development tools shall provide methods for assuring that both the input scan and application program execution are completed each cycle R d a if the PLC provides the capability to execute specific application program portions on a high priority based on specific events (i e. interrupts), then the executive must contain features to: / l A. Assign priority levels to the different events. B. Features to permit the application program to temporarily defeat the interrupts for application program steps 1 that have a higher priority than the event generating the interrupt. 4 C. Features to assure that the interrupts do not prevent execution of the remaining application program steps except as determined by application program logic. A knowledge of the vendors interrupt processing l scheme is required to confirm this characteristic. D. Time overhead for servicing the interrupts must be specified. E. For systems with redundant processors,: 1. The program flow for at least the processor in control shall not be disrupted by loss of any required synchronization between processors 2. The program flow for at least the processor in control shall not be disrupted by loss of the ability to acquire any data from other redundant processors. 3. The loss of synchronization and data transfer shall be clarmable. 4. If interrupt capability is provided, then the PLC shall provide features to assure synchronization of interrupts between processors and to assure that the synchronization does not cause excessive delays in execution time or cause false failure detection. The PLC shall have features for detecting when the scan time exceeds some limit 42. This feature is generally implemented using a watchdog timer (see section 4.2.3.5, item A). 
For PLCs with redundant main processors, any time synchronization between the processors may fulfill this function.

4.4.1.4 Unintended / Unused Function Isolation Requirements

A definition of these terms is given in section 2.1. There is no specific requirement regarding these issues, but the following related requirements provide confidence that unintended functions and unused functions will not be inadvertently invoked:

A. The requirement in section 6.4.1 for Failure Modes and Effects Analysis supports the analysis and resolution of abnormal conditions and events (ACEs). IEEE Std 7-4.3.2 Appendix F indicates that such activities help to ensure "that non-safety functions do not create ACEs for the safety functions."
B. Requirements in sections 7, 7.1.1 and 7.1.4 for Software Quality Assurance provide confidence that the software and system behave according to their requirements. Requirement #8.7.B for a Software Requirements Specification developed according to guidance from IEEE 830 provides additional confidence that the software functions and the limits of functionality are clearly defined.
C. The requirement in section 4.5.5 for a "heartbeat" and item A of section 4.2.3.5 for a watchdog timer provide confidence that no unintended function can inhibit key safety functions without detection.
D. For redundant systems, the design of the cross checking and channel selection between redundant elements shall assure that one, and only one, of each of the input and output signals is selected. The design shall also assure that repetitive switching between redundant elements cannot occur.

[40] This requirement is included to prevent loss of data or excessive time skewing between data points that could occur when input acquisition and program execution occur in parallel.
[41] Features, such as forcing a minimum time interval between interrupts, may be used to provide this capability.
[42] This capability requires supporting hardware features.
4.4.1.5 Coprocessor Executive Capability Requirements

Some coprocessors provide only a single, specific function (e.g. implement a PID control algorithm) while others are general purpose devices that can be programmed by the user. Therefore, what may be considered the executive for coprocessors can vary from being the entire software/firmware in the coprocessor to a very basic set of low level functions. Any coprocessors that are included for qualification shall have an executive that provides the following capabilities that are appropriate to the function of the coprocessor. The required functions may be provided as part of the resident executive itself or as utilities that can be invoked by a user written application program.

A. Acquire inputs from PLC modules and/or from local inputs.
B. Exchange data with the main processor, including status information based on the main processor on-line diagnostics.
C. Initiate the application program under specified conditions. The conditions are dependent on the function of the module and, in some cases, the user supplied application program.
D. Load outputs to the PLC modules and/or local outputs.
E. Perform the power up and run time diagnostics per section 4.4.6.
F. Manage communication functions on the coprocessor, if any.
G. Provide features to permit uploading and downloading of the application program.
H. Provide features to support the maintenance and troubleshooting features per section 4.8.
I. Perform those power up initialization actions needed to assure a graceful start up of the coprocessor and the PLC. This includes power up diagnostics, setting the I/O and any I/O configuration required by the module design, setting memory to default values, etc.
J. If the coprocessor provides the capability to execute specific portions of the application program on a high priority based on specific events (i.e. interrupts), then the executive or language must contain features to:
   1. Assign priority levels to the different events.
   2. Permit the application program to temporarily defeat the interrupts for application program steps that have a higher priority than the event generating the interrupt.
   3. Permit queuing of the interrupts so that the occurrence of a lower priority event is not lost when servicing a higher priority event.
   4. Time overhead for servicing the interrupts must be specified.
K. A feature for detecting when the coprocessor execution time exceeds some limit shall be provided. Implementation of this feature may be provided by the main processor, coprocessor, or some combination of the two.
L. For PLCs with redundant capability in the I/O modules, the I/O selection shall be transparent to the co-processor application program. Also, any synchronization needed to implement any co-processor redundancy and cross checking algorithms between redundant co-processors shall be transparent to the application program.
M. For redundant co-processors with local I/O, the selection of a valid input signal and selection of the appropriate output channel shall be provided by the executive. Setting the output on each processor independently with external selection is acceptable.

4.4.2 Media Requirements

The media used for shipping and storing the software provided by the manufacturer shall be of high quality and shall be new. 5-1/4 inch floppy disks shall not be used; 3-1/2 inch floppy disks or CD-ROMs are acceptable. The media shall be packaged so that no damage will occur during normal shipping and handling, including exposure to security screening devices. If CD-ROMs are supplied they shall be in hard plastic or metal enclosures. The media shall be clearly labeled with the contents of the media, including revision level and any serial numbers assigned to the media. In addition, an electronic identification shall be included on the media.
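The interrupt handling required in 4.4.1.3 and 4.4.1.5.J is illustrated by the following added example in constructed C (not part of the EPRI/S. Levy document or any vendor's executive): events carry priority levels, an application step of higher priority masks them, masked events are queued rather than lost, and the end of each scan is checked against a limit as the software side of the watchdog in 4.4.1.3. The Executive structure, its functions and the queue depth are assumptions.

```c
/* Added example, constructed: a model of the executive features in 4.4.1.3 and
 * 4.4.1.5.J (priority levels, masking by a higher-priority application step,
 * queuing of masked events, scan-overrun detection). Not code from the document. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_EVENT_IDS 8   /* assumed number of distinct event sources */
#define QUEUE_LEN     4   /* assumed depth of the pending-event queue */

typedef struct {
    int id;        /* event source, 0..MAX_EVENT_IDS-1 */
    int priority;  /* higher number = higher priority */
} Event;

typedef struct {
    Event    queue[QUEUE_LEN];     /* masked events waiting to be serviced */
    int      head;                 /* oldest queued event */
    int      count;                /* queued events, <= QUEUE_LEN */
    int      step_priority;        /* priority of the application step now executing */
    int      serviced[MAX_EVENT_IDS]; /* how often each event has been serviced */
    int      lost;                 /* events dropped because the queue was full */
    uint32_t scan_limit_ms;        /* limit on one scan cycle (4.4.1.3 watchdog) */
    bool     halted;               /* set once a scan exceeds the limit */
} Executive;

void exec_init(Executive *e, uint32_t scan_limit_ms) {
    Executive zero = {0};
    *e = zero;
    e->scan_limit_ms = scan_limit_ms;
}

static void service(Executive *e, Event ev) {
    if (ev.id >= 0 && ev.id < MAX_EVENT_IDS) e->serviced[ev.id]++;
}

/* Deliver an event. It is serviced at once only when its priority exceeds the
 * current step's priority (4.4.1.3.B); otherwise it is queued (4.4.1.5.J.3) so the
 * occurrence is not lost. Returns true if serviced now, false if queued or dropped. */
bool exec_raise(Executive *e, int id, int priority) {
    Event ev = { id, priority };
    if (e->halted) return false;
    if (priority > e->step_priority) { service(e, ev); return true; }
    if (e->count == QUEUE_LEN) { e->lost++; return false; }
    e->queue[(e->head + e->count) % QUEUE_LEN] = ev;
    e->count++;
    return false;
}

/* The application program enters a step of the given priority. When the priority
 * drops, every queued event that now outranks the step is serviced, in arrival
 * order; events still masked keep their order. Returns the number released. */
int exec_set_step_priority(Executive *e, int priority) {
    int released = 0, pending = e->count;
    e->step_priority = priority;
    for (int i = 0; i < pending; i++) {
        Event ev = e->queue[e->head];
        e->head = (e->head + 1) % QUEUE_LEN;
        e->count--;
        if (ev.priority > e->step_priority) { service(e, ev); released++; }
        else { e->queue[(e->head + e->count) % QUEUE_LEN] = ev; e->count++; }
    }
    return released;
}

/* End of a scan cycle: compare elapsed time with the limit. On overrun the
 * executive halts, the action the 4.4.6.1 table assigns to a processor stall. */
bool exec_end_scan(Executive *e, uint32_t elapsed_ms) {
    if (elapsed_ms > e->scan_limit_ms) e->halted = true;
    return !e->halted;
}

int main(void) {
    Executive e;
    exec_init(&e, 100);
    exec_set_step_priority(&e, 5);  /* a critical step masks events of priority <= 5 */
    printf("priority 3 serviced now? %d\n", exec_raise(&e, 0, 3));   /* 0: queued */
    printf("priority 7 serviced now? %d\n", exec_raise(&e, 1, 7));   /* 1: immediate */
    printf("released on leaving step: %d\n", exec_set_step_priority(&e, 0)); /* 1 */
    printf("scan within limit? %d\n", exec_end_scan(&e, 120));      /* 0: halted */
    return 0;
}
```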
4.4.3 Ladder Logic Requirements

The ladder logic [45] (or equivalent) language provided by the main processor shall have standard functions as follows. Various PLC products employ different terminology for the specified functions. In some cases the functions specified may be synthesized from more primitive elements. If the function is to be synthesized from primitive elements, the manufacturer should provide recommended methods of implementation. Also, see footnote 34.

A. Simple normally inactive and normally active paths. The required capacity for the number of paths that must be available is given in section 4.3.4.2-D.
B. Transition ON/OFF paths (i.e. one-shot). A transition ON path is a normally inactive path that becomes active for one scan cycle when a signal is applied. A transition OFF path is a normally active path that becomes inactive for one scan cycle when power is applied. The required capacity for the number of paths that must be available is given in section 4.3.4.2-E.
C. Standard coil. A coil that causes the paths associated with it to change from their normal state to their alternate state when the coil is energized. The required capacity for the number of paths that must be available is given in section 4.3.4.2-F.
D. Latching coil. A coil that causes the paths associated with it to change from their normal state to their alternate state when energized and remain there until the coil is de-energized and a reset signal applied.
E. Timers. Timing functions that can be adjusted from 0.1 seconds to 2 hours shall be provided. The timers shall have an accuracy of 0.1% or better. The required capacity for the number of timers that must be available is given in section 4.3.4.2-H.
F. Counters. Counters that can perform up counting or down counting for a range of at least 1 to 9999 shall be provided. The required capacity for the number of counters that must be available is given in section 4.3.4.2-H.
G. Comparisons. A method to perform comparisons between numerical values to determine if one value is less than, equal to, or greater than a second value shall be provided.
H. Basic Math. The mathematical functions of addition, subtraction, multiplication, and division shall be provided. Both integer and floating point calculations are required. The algorithms shall provide an indication when values are out of range. The division algorithm shall provide an error condition when a division by zero occurs.
I. Advanced Math. The PLC shall provide the capability to perform square roots, exponentiation, and logarithms. The functions shall provide indications when values are out of range.
J. PID. The PLC shall contain a PID algorithm. The algorithm shall provide:
   1. Proportional band in the range of 5 to 500% with a minimum of 1% resolution.
   2. Integral action in the range of 0 to 100 repeats per minute with a minimum resolution of 1 repeat per second.
   3. The function shall provide anti-reset windup.
   4. Rate action in the range of 0 to 100 minutes with a minimum resolution of 1 second. The rate action shall contain a filtering feature to reduce the effect of noise on the rate action.
   5. Output limiting.
   6. The function shall provide indications when parameters or results are out of range.
   7. The function shall provide a method of assuring satisfactory operation of the algorithm for various scan times.
   8. The function shall provide a method for manual control using remote switches and features for bumpless transfer.
   9. The PLC shall have the capability to include at least the number of loops given in section 4.3.4.2-I.
   10. The function shall provide features for implementing cascade control.

[45] Typical ladder logic terminology uses registers, tables, input image matrix, etc. to describe what are various uses of memory and operations. Since there is some variation of the use of the terms between vendors, the more generic terms "values" and "parameters" are used to describe the functions in the following sections.
K. A dynamic compensation function shall be provided. The function shall provide lead/lag compensation with a lead/lag ratio range of 0 to 10 with a minimum resolution of 0.05. The lag time shall have a minimum range of 0.01 to 100 minutes with a minimum 1 second resolution. A filter shall be provided on the lead action to reduce the effect of noise. The function shall provide a method of assuring satisfactory operation of the algorithm for varying scan times.
L. The capability to put limits on values shall be provided.
M. The capability to implement a function generator with up to at least 5 slopes shall be provided, i.e.:
   [figure: OUTPUT versus INPUT]
N. The PLC shall have the functions necessary to support the communications requirements given in section 4.10.1.
O. The PLC shall have the functions necessary to permit the application to capture the results of the self-tests. See also section 4.4.6.
P. The PLC shall have the functions to implement the sequence of events requirements given in section 4.4.9.
Q. Bit manipulation functions of AND, OR, and XOR shall be included.
R. The ability to store the results of calculations, comparisons, and bit manipulations in buffer type memory with the ability to store up to at least 10 instances of at least 50 values in a ring, or similar, buffer. Facilities to make these buffers available for transmission over a serial port based on the status of an input shall also be provided.
S. The PLC shall have functions to implement the requirements in section 4.4.7.

4.4.4 Software Tools Requirements

The PLC shall provide development tools for programming, debugging, and program documentation. The tools may be provided as a single multi-purpose package or as several different packages. The features to be provided are:

A. The ability to use a host device to enter a program in the PLC. The host device may be a PC or a special programming device. Any such device shall have a screen that is large enough to view several program steps at the same time. The features that shall be provided by the programming package are:
   1. The ability to attach explanatory comments to the program steps.
   2. The ability to store the program on a removable magnetic media or some other type of permanent off line electronic storage device.
   3. The ability to perform a bit by bit comparison between a program that is contained in the PLC and a program contained in the programming device. The comparison tool must provide sufficient indication of the location of any differences to permit locating the program elements that are different.
   4. The ability to print the program that is contained in the PLC and in the programming device in a fashion similar to the appearance of the program steps on the display of the programming device. The programming device shall have the ability to provide a supplemental print of any programming values (e.g. constants, I/O points, memory locations, etc.) associated with the function blocks that do not appear on the screen. The supplemental print out must relate the values to the specific block where they are used.
   5. Features to aid in I/O mapping and memory management of the PLC.
   The main processor in conjunction with a coprocessor may be used to implement these requirements.
   6. If the programming device is capable of modifying the application program while the PLC is on-line, then the device must provide positive mechanisms to prevent unauthorized access [47] to this feature and provide reasonable measures to protect against inadvertent changes [48] to the program.
B. The debugging aids that shall be provided are as follows:
   1. The ability to highlight all discrete elements that are not in their normal (i.e. de-energized) state.
   2. The ability to display the values of all inputs, outputs and intermediate results.
   3. The ability to set constants and variables, including the host image of the inputs, to arbitrary values, including values that are outside of the normal expected range.
   4. The ability to force outputs.
   5. The ability to single step through the program.
   6. The ability to view the status of any memory where error codes and other status information is stored.
C. The applicable configuration management requirements in section 7.1.6 shall be applied to the software tools.
D. For redundant systems, the tools shall provide features to aid in detecting any faults that are not detectable by the self diagnosis.

4.4.5 Configuration Identification

Configuration management requirements are given in section 7.1.6. The requirements given in this section are intended to assure that suitable features are provided by the PLC manufacturer to permit the configuration management requirements in section 7.1.6 to be easily implemented.

4.4.5.1 Configuration Identification Background

For a product such as the PLC there are several aspects to configuration management:

A. The configuration management that the PLC manufacturer applies to hardware and software development and modifications. These issues are addressed in section 7.1.6.
B. The hardware and software configuration management and configuration definition applied to the generic qualification process.
C. The configuration management and definition used in the process of developing a specific application.
D. The configuration management and definition used in the processes of installing, tuning, and calibrating a PLC application.
E. The configuration management applied to maintaining an installed system.

Software and hardware configuration management generally use somewhat different approaches but have the common goal of tracking a specific field resident item back through the production and application design process.

In the case of a PLC (and other devices with embedded software) there is some overlap between software and hardware configuration. The main processor and many of the modules contain embedded software. Therefore, the configuration of the modules requires a knowledge of the embedded software revision level as well as the hardware design revision level.
For some PLCs the embedded software can be modified in the field, which can produce another layer of configuration management concerns. Also, calibration information for I/O modules could be contained in the PLC main processor as software factors, which is still another layer of configuration management because in this case modules that appear to be identical in every way are not interchangeable.

In addition, some modules are multi-function and must be configured for a particular application. This configuration has historically been implemented primarily with onboard jumpers. However, the trend is toward using more software type configuration of these devices in lieu of hardware jumpers. For these devices, access to data internal to the module (e.g. EEPROM data) is required to determine its as-is configuration.

There are features that can be provided in the PLC and its supporting items that aid in managing some of these configuration concerns.

[47] Use of a password or equivalent to restrict access is considered to be satisfactory.
[48] A confirmatory prompt or the equivalent is judged to be satisfactory.

4.4.5.2 Configuration Management Aids Requirements

The PLC executive and/or software tools shall include all of the following features for establishing the status of configuration items:

A. An electronic revision level of the executive embedded in the PLC executive. The embedded revision level must be retrievable in the field using a suitable software tool. The significance of the revision level shall conform to the requirements of section 7.1.6.
B. For modules where configuration information (e.g. signal range) is downloaded through software, the configuration information shall be retrievable in the field.
C. Any software tool or other device that is capable of modifying a configuration item shall provide positive mechanisms to prevent unauthorized access [47] to this feature and provide reasonable measures to protect against inadvertent changes [48] to the configuration.
D. The PLC and its support tools shall provide the capability to extract and record any data base type information contained in the application. The types of data base information to be retrievable are program constants (e.g. scale factors, limits, calibration data) that are used to provide the desired control actions or describe the I/O configuration.
E. Any device mounted in any PLC assembly or any external device that contains firmware or other programmed information (e.g. in programmable gate arrays) shall be marked with an identifier that includes the revision level of the information programmed into it.
F. For PLCs with redundancy, the tools shall provide the capability to confirm that the configuration of the hardware, software, and firmware between redundant devices is consistent.

4.4.6 Diagnostics Requirements

4.4.6.1 General Diagnostic Requirements

The PLC must have sufficient diagnostics and test capability so that a combination of self-diagnostics and surveillance testing will detect all failures that could prevent the PLC from performing its intended safety function. The types of faults that must be considered are:

1. Processor stall.
   Detection: Watchdog timer.
   Action: PLC halt. If redundant processors are used, only the failed processor shall halt.
2. Executive program error.
   Detection: Data quality check of executive firmware using a checksum or other similar integrity test. Could be performed by inter-processor comparisons if redundant processors are used.
   Action: Halt program and alarm. If redundant processors are used, only the failed processor shall halt.
3. Application program error.
   Detection: Data quality check of application program using a checksum or other similar integrity test.
   Action: Halt program and alarm. If redundant processors are used, only the failed processor shall halt.
4. Variable memory error.
   Detection: Memory test. The memory test shall write and read back bit patterns that test both states of all bits. Could be performed by inter-processor comparisons if redundant processors are used.
   Action: Halt program and alarm. If redundant processors are used, only the failed processor shall halt.
5. Module communication error [49].
   Detection: The PLC processor monitors the communication data integrity. Could be performed by inter-module comparisons if redundant modules are used.
   Action: Set by application or by alarm if detected by self-diagnostics.
6. Memory battery low, if applicable.
   Detection: Battery monitoring.
   Action: Replace.
7. Module loss of configuration [50].
   Detection: Read and compare configuration. Possibly detected by self diagnostics if redundancy is used.
   Action: Set by application or by alarm if detected by self-diagnostics.
8. Watchdog timer failure.
   Detection: Built in diagnostics.
   Action: Halt program and INOP alarm. If redundant processors are used, only the failed processor shall halt.
9. Application not executing.
   Detection: Heartbeat stopped or by self diagnostics if redundant processors are used.
   Action: Operator declares INOP or by alarms if redundant processors are used.
10. Analog output not following.
   Detection: Surveillance test or by self diagnostics if redundant outputs are used.
   Action: Repair.
11. Analog input not responding.
   Detection: Surveillance or by self diagnostics if redundant inputs are used.
   Action: Repair.
12. Discrete I/O not responding.
   Detection: Surveillance or by self diagnostics if redundant I/O is used.
   Action: Repair.
13. Analog I/O out of calibration.
   Detection: Surveillance or by self diagnostics if redundant I/O is used.
   Action: Recalibrate.
14. Power supply out of tolerance.
   Detection: Surveillance or by self diagnostics if redundant power supplies are used.
   Action: Repair.

The first 6 items must be covered by on-line self tests [51]. The seventh item must be covered by on-line or power up self tests. The eighth item must be covered in power up tests. Additional requirements on the ninth item are given in section 4.4.1.4. Requirements addressing the last five items are given in section 4.8.

If any diagnostics of output modules use short term changes in the outputs to detect failures, then the change in output state shall be 2 milliseconds or less for DC outputs and 1/2 cycle or less for AC outputs. In addition, the capability to disable the test for a specific module shall be provided. The availability/reliability analysis shall be performed with and without this feature active.

4.4.6.2 On-line Self Test Requirements

On-line self-test for the main processor shall cover at least the first six items in the above table. Any coprocessor modules to be included in the qualification must include these same items, as appropriate for the nature of the module. The results of the self-tests shall be made available to the application program except for faults that cause the processor to halt. For PLCs with redundant processors, a failure that causes a halt in one processor shall be detected by the remaining processors and the failure made available to the application program of the remaining processors. These represent the minimum set of on-line diagnostics for any PLC. If additional self-test capabilities are assumed in the availability analysis for a particular PLC then those tests become a requirement for that PLC.

[49] For local I/O this is over the backplane. For expansion or remote I/O this is via a serial path of some type.
[50] Applies only when module configuration is set via software.
[51] Items cannot reasonably be tested as part of a surveillance test or represent a failure condition that should be detected fairly quickly.

4.4.6.3 Power up Diagnostics Requirements

The power up diagnostics must include at least:

A. All of the on-line self tests.
B. Configuration verification for modules with software set configurations.
C. Test of the watchdog timer.

The PLC shall provide features so that application program execution can be inhibited if the power up diagnostics detect any failures.

4.4.7 Data and Data Base Requirements

The data base resident in a PLC consists of those items necessary to cause the application program to operate as designed or to establish the configuration and/or types of I/O modules connected to the PLC. The requirements for data management capabilities are given in sections 4.4.4 and 4.4.5.2. Additional requirements are:

A. The PLC shall support usage of user defined program constants that are contained in non-volatile memory. For redundant systems, features shall be provided to confirm that the constants in redundant processors are the same.
B. The PLC shall provide functions to permit reading and modifying the constants in the application program. For redundant systems, features shall be included to assure that the modifications of constants are consistent between the redundant processors. If the quality of the data is not covered by the executive self-diagnostics, then the capability for the application program to check data quality shall be provided.
C. The PLC shall provide features to prevent modifications to the local data table over peer-to-peer communication paths and any other on-line communication paths, except for data that is transmitted to permit cross checking between redundant processors, if used.
D. The PLC shall provide features to permit transmitting inputs, outputs, and calculated values to other devices over a serial port. For PLCs with redundant elements, the transmitted data may be either the selected data or data from the specific redundant device only.
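As an added example in constructed C (not code from the document or any PLC vendor), the following shows the on-line self-tests of items 2, 3 and 4 in the 4.4.6.1 table and the consistency check of 4.4.7.A and 4.4.5.2.F: a CRC over the executive and application images, a write/read-back bit-pattern test over variable memory, and a signature over the constant table that redundant processors can exchange to confirm their constants match. The CRC-16/CCITT variant, the region sizes, the fault bit layout and the function names are assumptions; a CRC of this kind detects accidental corruption, which is what the table asks for, and is not a defence against deliberate modification of an image.

```c
/* Added example, constructed: self-diagnostics per 4.4.6.1 items 2-4 and the
 * redundant-constant check of 4.4.7.A / 4.4.5.2.F. Not code from the document. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF): the "checksum or other similar
 * integrity test" of items 2 and 3. The reference value is recorded at load time. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* A program region (executive firmware or application program) with its reference CRC. */
typedef struct {
    const uint8_t *image;
    size_t         len;
    uint16_t       reference_crc;
} ProgramRegion;

/* Items 2 and 3: recompute and compare. A mismatch means halt program and alarm. */
bool program_integrity_ok(const ProgramRegion *r) {
    return crc16_ccitt(r->image, r->len) == r->reference_crc;
}

/* Item 4: write and read back patterns that drive every bit to both states
 * (0x55/0xAA cover alternating bits, 0x00/0xFF cover all-clear and all-set).
 * Each byte is restored afterwards. Returns the index of the first byte that fails,
 * or -1 if the whole region passes. */
long ram_pattern_test(volatile uint8_t *ram, size_t len) {
    static const uint8_t patterns[] = { 0x55, 0xAA, 0x00, 0xFF };
    for (size_t i = 0; i < len; i++) {
        uint8_t saved = ram[i];
        for (size_t p = 0; p < sizeof patterns; p++) {
            ram[i] = patterns[p];
            if (ram[i] != patterns[p]) { ram[i] = saved; return (long)i; }
        }
        ram[i] = saved;
    }
    return -1;
}

/* Fault bits numbered after the table items. A nonzero result is the "halt and
 * alarm" case; zero means the results can simply be reported to the application. */
enum { FAULT_EXEC_PROGRAM = 1u << 2, FAULT_APP_PROGRAM = 1u << 3, FAULT_VAR_MEMORY = 1u << 4 };

unsigned run_online_self_tests(const ProgramRegion *exec_img, const ProgramRegion *app_img,
                               volatile uint8_t *ram, size_t ram_len) {
    unsigned faults = 0;
    if (!program_integrity_ok(exec_img))      faults |= FAULT_EXEC_PROGRAM;
    if (!program_integrity_ok(app_img))       faults |= FAULT_APP_PROGRAM;
    if (ram_pattern_test(ram, ram_len) >= 0)  faults |= FAULT_VAR_MEMORY;
    return faults;
}

/* 4.4.7.A: user constants held in non-volatile memory (assumed table of 8 values).
 * Each redundant processor computes a signature over its own table and exchanges
 * only the signature, so the comparison needs no bulk transfer over the cross link. */
typedef struct { int32_t values[8]; } ConstantTable;

uint16_t constants_signature(const ConstantTable *t) {
    return crc16_ccitt((const uint8_t *)t->values, sizeof t->values);
}

bool constants_consistent(const ConstantTable *local, uint16_t remote_signature) {
    return constants_signature(local) == remote_signature;
}

int main(void) {
    uint8_t exec_img[6] = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 };  /* constructed images */
    uint8_t app_img[4]  = { 1, 2, 3, 4 };
    uint8_t ram[64];
    ProgramRegion ex = { exec_img, sizeof exec_img, crc16_ccitt(exec_img, sizeof exec_img) };
    ProgramRegion ap = { app_img,  sizeof app_img,  crc16_ccitt(app_img,  sizeof app_img) };
    ConstantTable a = {{ 100, 200, 300, 0, 0, 0, 0, 0 }}, b = a;
    memset(ram, 0x3C, sizeof ram);
    printf("faults before corruption: 0x%x\n", run_online_self_tests(&ex, &ap, ram, sizeof ram));
    app_img[2] ^= 0x10;   /* one bit of the application program flips */
    printf("faults after corruption:  0x%x\n", run_online_self_tests(&ex, &ap, ram, sizeof ram));
    b.values[1] = 201;    /* a constant differs on the other processor */
    printf("constants consistent? %d\n", constants_consistent(&a, constants_signature(&b)));
    return 0;
}
```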
4.4.8 Other Non-Ladder Logic Programming Languages

4.4.8.1 Requirements for Sequential Logic Languages

A sequential logic language other than ladder logic may be used. These types of languages may be provided in lieu of ladder logic or may be applied in conjunction with ladder logic. In either case, the sequential language or the combined sequential language and ladder logic shall provide the minimum capabilities given in section 4.4.3. Any sequential language that is used to supplement or replace ladder logic must provide the equivalent constructs in a form that is easily related to control actions. The language must be supported by tools with the features described in sections 4.4.4 and 4.4.5.

4.4.8.2 Requirements for Standard High Level Languages

A PLC may support standard high level languages in different forms: as a language used in a coprocessor (these range from standard compilers and assemblers to BASIC, which is generally executed via an interpreter), or as a language used to produce a special purpose function block that may be inserted in ladder logic or a sequential control language (these may be blocks containing executable code created using off line compilers/assemblers, or blocks that contain user defined logic in syntax similar to a high level language which are interpreted by the PLC executive). To support these types of languages that may be available on the PLC, the PLC shall provide the following, as applicable:

A. For coprocessors, features that permit utilization of the applicable coprocessor executive functions given in section 4.4.1.5.
B. Features that permit the user to easily access the bus I/O and, for coprocessors, I/O that is directly connected to it.
C. Methods that aid in loading the application to the generic PLC platform and confirming that the load was successful. For redundant co-processors, methods for verifying that the loaded application programs are consistent shall also be provided.
D. Tools to aid in debugging the application code. The tools shall have the applicable debugging features equivalent to those described in section 4.4.4.
E. A linker/loader to convert compiler generated code into executable code suitable for the generic PLC platform.
F. Methods for coordinating the main processor with actions on coprocessors (e.g. the ability to start a coprocessor task from the PLC) using high level languages. A knowledge of the capabilities of the PLC main processor and coprocessor is necessary to confirm this characteristic.
G. Methods for accessing timers or creating timers [52].
H. Support for floating point and integer arithmetic.
I. If interrupt capability is provided in the device using the language then features to support interrupt servicing, interrupt prioritizing, and interrupt disabling shall be provided. If redundant processors with interrupt capability are provided, then the co-processor shall provide features to assure synchronization of interrupts between co-processors and to assure that the synchronization does not cause excessive delays in execution time or cause false failure detection.
J. A method of creating a repeatable build procedure for compiling, linking, and loading the code for the target processor.

[52] Necessary for anything but the most rudimentary real time programming.

4.4.9 Sequence of Events Processing Requirements

The PLC shall provide sequence of events processing capability as follows:

A. Sequence of events application object. The object characteristics are as follows:
   1. Shall permit the application program to capture, store, and time tag up to 20 transitions using up to 50 different discrete events originating in the inputs or other application objects.
   2. Shall permit stopping and starting of the event recording.
   3. Shall permit transmitting the data to an external device over a serial port with characteristics per section 4.3.4.4.
   4. The relative accuracy of the time tags shall be one scan cycle 150 ms.
B. Shall provide the hardware and/or software required for acquiring and recording the data using an external device with characteristics as follows:
   1. Shall permit storing up to 30 minutes of data prior to and up to 30 minutes of data following a change to a specific state of any of the discrete events in the application object.
   2. If handshaking is required between the PLC and the external device, then the handshaking shall be designed so that the PLC scan will not be delayed by more than a manufacturer specified amount of time if the handshaking is unsuccessful. The specified amount of time shall be included as an addition to the scan time when determining overall response time per section 4.2.1 item A.
C. If redundant processors are provided, the manufacturer shall provide information on how to evaluate any differences between sequence of event data in the redundant processors.
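The sequence of events object of 4.4.9.A, built from the transition ON/OFF (one-shot) paths of 4.4.3.B and a ring buffer as in 4.4.3.R, as an added example in constructed C (not code from the document or any PLC product): each scan compares the discrete inputs with the previous input image, time tags every transition with the scan time, keeps the newest 20 entries, and lets recording be stopped and started. The record layout, the function names and the export routine are assumptions; the 50-event and 20-transition sizes are the minimums the requirement states.

```c
/* Added example, constructed: sequence-of-events object per 4.4.9.A using the
 * one-shot transition detection of 4.4.3.B and a ring buffer as in 4.4.3.R.
 * Not code from the document. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOE_EVENTS   50   /* discrete events monitored (4.4.9.A.1 minimum) */
#define SOE_CAPACITY 20   /* transitions retained (4.4.9.A.1 minimum) */

typedef struct {
    uint8_t  event;    /* index of the discrete event */
    bool     rising;   /* true: transition ON (inactive->active); false: transition OFF */
    uint32_t time_ms;  /* time tag; resolution is one scan cycle */
} SoeRecord;

typedef struct {
    bool      prev[SOE_EVENTS];    /* input image from the previous scan */
    SoeRecord ring[SOE_CAPACITY];  /* ring buffer of transitions */
    int       head;                /* oldest record */
    int       count;               /* records stored, <= SOE_CAPACITY */
    uint32_t  overwritten;         /* records lost to wraparound (diagnostic) */
    bool      recording;           /* 4.4.9.A.2: recording started/stopped */
} SoeObject;

void soe_init(SoeObject *s, const bool initial[SOE_EVENTS]) {
    memset(s, 0, sizeof *s);
    if (initial) memcpy(s->prev, initial, sizeof s->prev);
}

void soe_set_recording(SoeObject *s, bool on) { s->recording = on; }

static void soe_push(SoeObject *s, SoeRecord r) {
    int slot = (s->head + s->count) % SOE_CAPACITY;
    if (s->count == SOE_CAPACITY) {        /* full: overwrite the oldest record */
        slot = s->head;
        s->head = (s->head + 1) % SOE_CAPACITY;
        s->overwritten++;
    } else {
        s->count++;
    }
    s->ring[slot] = r;
}

/* Called once per scan with the current input image. A transition is seen only
 * on the scan where the state changes (the one-shot of 4.4.3.B), so a held input
 * is recorded once. The previous image is updated even when not recording, so
 * restarting does not replay old edges. Returns the number of records stored. */
int soe_scan(SoeObject *s, const bool now[SOE_EVENTS], uint32_t scan_time_ms) {
    int recorded = 0;
    for (int i = 0; i < SOE_EVENTS; i++) {
        if (now[i] != s->prev[i]) {
            if (s->recording) {
                SoeRecord r = { (uint8_t)i, now[i], scan_time_ms };
                soe_push(s, r);
                recorded++;
            }
            s->prev[i] = now[i];
        }
    }
    return recorded;
}

/* Copy records oldest-first into out, for transmission to the external device
 * over the serial port (4.4.9.A.3). Returns the number copied. */
int soe_export(const SoeObject *s, SoeRecord *out, int max) {
    int n = s->count < max ? s->count : max;
    for (int i = 0; i < n; i++) out[i] = s->ring[(s->head + i) % SOE_CAPACITY];
    return n;
}

int main(void) {
    bool img[SOE_EVENTS] = {0};   /* constructed input image: everything inactive */
    SoeObject s;
    SoeRecord out[SOE_CAPACITY];
    soe_init(&s, img);
    soe_set_recording(&s, true);
    img[3] = true;  soe_scan(&s, img, 1000);   /* event 3 goes ON at t = 1000 ms */
    img[7] = true;  soe_scan(&s, img, 1050);   /* event 7 goes ON */
    img[3] = false; soe_scan(&s, img, 1100);   /* event 3 goes OFF */
    int n = soe_export(&s, out, SOE_CAPACITY);
    for (int i = 0; i < n; i++)
        printf("t=%u ms event %u %s\n", out[i].time_ms, out[i].event, out[i].rising ? "ON" : "OFF");
    return 0;
}
```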
HLP-001-S-01(Q) Rav C Prg3 40 of 72 4.4.10 Verification and Validation Reauirements. This section applies to Verification and Validation of the manufacturers software and firmware for the commercial PLC product as well as to any software tools used to build, configure, and maintain the PLC. The general requirement for quality processes is described in section 7.1.1. l In addition, the qualifier shall evaluate the manufacturefs software verification and validation program plan l eqainst IEEE 7-4.3.2 Section 5.3.4 (reference 3.3.1) and against guidance provided by the EPRI V&V Handbook, EPRI TR-103291 (reference 3.4.7.) and by IEEE Std 1012-1986, Software Verification and Validation Plans. The qualifier shall confirm 3s that the manufacturers V&V process fulfills the following basic requirements. The references to the V&V Handbook sections in the following table provides guidance for evaluating compliance of the manufacturers V&V plan to the requirements. Basic Requirement IEEE 1012 V&V Handbook Guidance a) The manufacturer shall have a V&V Plan 54 for the PLC product. Vol.1, p. 2-12 through 2-14 b) The manufacturer shall take a life cycle approach 55to software Vol.1, p. 2-4 through p. 2-11 development, with V&V activities performed throughout the life cycle. c) The software requirements document shall t e reviewable for Vol.1, pp. 3-9 through 3-15 completeness, correctness and consistency 06 Vol. 3, Chapter 1. d) The manufacturer shall provide traceability of requirements Vol.1, p. 2-2 and p. 3-28 throughout the life cycle. Vol. 2, p. A.3 3 and p. 4-31 (examples) e) There shall be both functional and structural testmg of the Vol.1, p. 3-24 through 3-31 software. Vol. 3. Chapter 2. Requirements for Software Configuration Management are included in section 7.1.6.2. 4.4.11 System Intearation Reauirements This activity is application specific. However, an appropriate level of system integration and integration testing shall be applied to the test specimen and the TSAP. 
See section 5.1.

4.5 HUMAN/MACHINE INTERFACE (HMI)

From a plant operation standpoint, a typical PLC has limited inherent HMI capability other than that provided by the I/O modules via external local or remote switches, indicators, controls, etc., and managed by the application program. Some of these features can be provided by coprocessors with application specific software. There are software and/or hardware packages available that can serve these functions using devices that connect to the PLC programming port or other PLC data paths. Many of these packages are available from third party vendors. Therefore, qualification of the process control HMI for PLCs is, in effect, a separate qualification issue and not part of generic qualification of a PLC per se. Any requirements applicable to connections to HMI devices connected to the PLC are encompassed under section 4.10.1.1. The HMI functions required to support plant and system operation are provided in this section. Any special HMI functions required to support maintenance are given in section 4.8.8.

4.5.1 Requirements for Human/Machine Interface Functions

The PLC shall provide functions to manage operator actions as follows. The actions may be provided either by using normal I/O points and suitable software functions, or by devices that connect to ports on PLC modules in conjunction with suitable application program functions:

[53] See section 7.1.5 for a discussion of compensatory factors for legacy software for which V&V documentation is incomplete or unavailable.
[54] Additional guidance for planning for testing and test documentation is available in IEEE Std 1008-1987, "IEEE Standard for Software Unit Testing," and IEEE Std 829-1983, "IEEE Standard for Software Test Documentation." Additional guidance for planning software reviews and audits is available in IEEE Std 1028-1988, "IEEE Standard for Software Reviews and Audits."
[55] Additional guidance is provided in IEEE Std 1074-1995, "IEEE Standard for Developing Life Cycle Processes."
[56] Additional guidance is provided in IEEE Std 830-1993, "Recommended Practice for Software Requirements Specifications."

c:\proj\plcqual\revc\plcsprc.doc 4-Nov-96
A. Methods for switching a loop controller between manual and automatic control via remote switches connected to any of the discrete input modules specified in section 4.3.2.2. For control loops that include integral action, auto/manual tracking capability shall be provided.

B. Methods and features to permit remote adjustment of setpoints shall be provided via remote switches connected to any of the discrete input modules specified in section 4.3.2.2. The features shall permit using "increase" and "decrease" control switches for changing the setpoint. The rate of change of the setpoint must be programmable so that the rate can be made suitable for the application. If redundancy in the PLC is provided, then methods shall be included to permit confirming that the setpoints are the same in all redundant processors.

C. The PLC must provide features to permit manual initiation of, and detection of manual initiation of, equipment that is normally automatically initiated[57] via remote switches connected to any of the discrete input modules specified in section 4.3.2.2.

D. The PLC must provide features to permit displaying the status of discrete elements (e.g. indicators) and the value of continuous parameters (e.g. meters) via remote devices connected to any of the discrete output modules specified in section 4.3.3.2 or via devices connected to any of the analog output modules specified in section 4.3.3.1.

E. The PLC must provide features to permit sending information to a remote device using a serial port that meets the requirements of section 4.3.4.4. The information available for sending shall be all input and output values, values calculated within the PLC application program, the status information from on-line diagnostics, and the sequence of events data per section 4.4.9. The PLC shall provide features to ignore any incoming data on the port.

4.5.2 Requirements for Interactive Features

The interactive features to support programming and maintenance are given in sections 4.4.4 and 4.8.8. The PLC must provide positive mechanisms to prevent unauthorized access to any on-line functions that can cause changes to the program behavior, override normal I/O, or change an internal parameter (e.g. a limiter setting). In addition, the PLC shall contain reasonable measures to protect against inadvertent use of these features. Any interactive features shall be available through a port whose primary purpose is programming, maintenance, and debugging, with features as described in section 4.4.4. The PLC must operate with no connections to this port. The PLC shall provide features to permit the application to mask any interactive commands while in the run mode. If redundant processors are included, then features must be provided to assure that any interactive commands possible in the run mode are received by all redundant processors and are implemented by all of the processors at the same time.

4.5.3 Requirements for Operator Action System Response Times

For any operator action that requires confirmation from the PLC, the PLC shall have features to enable the confirmation to be received by the operator within 0.5 seconds, or to indicate to the operator within 0.5 seconds that the action is being processed.

4.5.4 Display Requirements

Any status displays included as part of the PLC shall be easily visible in normal to low room lighting within a 130 degree viewing angle.[58] Any displays included as part of PLC maintenance or programming devices shall meet the same visibility requirement.

[57] It is generally good practice to use manual initiation that bypasses the PLC. However, there may be cases where informing the PLC of manual initiation is important, or where external manual initiation is impractical or undesirable.
[58] This is a somewhat subjective requirement. An LED display or a backlit super twisted nematic LCD display is considered to provide adequate visibility.
4.5.5 Alarm Processing Requirements

Alarm processing requires the ability to provide alarm indications, latch alarms, and acknowledge alarms. The alarm processing capabilities that shall be provided are:

A. The ability to compare input or derived parameters to setpoints. This capability is equivalent to item G in section 4.4.3.

B. The ability to latch an alarm condition and reset it based on an alarm reset condition. This capability is equivalent to item D in section 4.4.3.

C. The ability to cause an indicator connected to an output to blink. This capability is equivalent to items B and E in section 4.4.3, depending on the scan time.

D. The capability to acknowledge an alarm. This capability is equivalent to a combination of items A, C, and D in section 4.4.3.

E. The capability for the application program to capture the results of self-diagnostics. This capability is equivalent to item O in section 4.4.3.

F. The capability for the application program to store the results of items A and E in a ring (or similar) type buffer, with the buffer data available for transmission over a serial port. This capability is equivalent to item R in section 4.4.3.

4.5.6 Hard Manual Backup

Hard manual backup is, by its nature, external to the PLC and is not an integral part of a generic PLC qualification, so there are no requirements in this section.

4.6 SHIPPING AND HANDLING REQUIREMENTS

Packaging and shipping shall be in accordance with the applicable portions of ANSI N45.2.2.

4.6.1 Packaging Requirements

Any items shipped by the manufacturer:

A. Shall be contained in packaging that is designed to avoid the deleterious effects of shock, vibration, electrostatic discharge, physical damage due to incidental handling during shipment, water vapor, salt spray, and condensation during shipping, handling, and storage.

B. Packaging shall include desiccant material when required in accordance with ANSI N45.2.2, paragraph A3.6.2.

C. Items shall be inspected for cleanliness immediately before packaging. Any dirt, oil residue, or other forms of contamination shall be removed by appropriate cleaning methods. Any item which is not immediately packaged shall be protected from further contamination.

D. Appropriate cushioning shall be used for protection from shock and vibration; the cushioning materials shall have sufficient strength to perform this function.

E. Both the item and the outside of the containers shall be marked with appropriate identification, e.g., contract number and item number.

F. Copies of the packing list shall be placed inside, or attached to the outside of, at least one carton of each shipment.

G. Any items that are sensitive to ESD shall be in ESD resistant packaging with a warning label that the item must be handled using ESD control procedures and facilities.

H. The packaging shall be suitable for movement using hand trucks or equivalent devices.

I. Any special handling or storage requirements shall be marked on the container.

J. See section 4.4.2 for additional requirements for packaging of software storage media.

4.6.2 Shipping Requirements

A. The mode of transportation used shall be consistent with the protection classification of the item and with the packaging methods employed.
B. Transportation shall be by fully enclosed vehicles from reputable shipping firms, to minimize the possibility of theft and vandalism during shipment of items.

C. Where special care is deemed necessary to avert damage, written instructions covering the location and stacking limits of the crates or boxes on the transport vehicle shall be specified; these shall be marked on the container.

D. Identification and markings on the outside of packages, skids, or protective covering shall be maintained during shipping.

4.6.3 Storage Requirements

The manufacturer shall provide storage requirements and shelf life limits for all devices included for qualification, including the PLC modules, chassis, power supplies, interconnecting cables, programming panel, and software storage media. Requirements for storage shall include temperature, humidity, and any static control requirements.

4.7 ELECTRICAL

4.7.1 General Overview

The Electrical section specifies the power source and power supply requirements. Electrical connection information is also specified. Other items listed below point to the sections that contain the requirements.

4.7.1.1 Power Sources and Power Supply Requirements

The main PLC power supplies selected for qualification shall have capabilities as follows:

A. Power supplies for connection to an AC source shall operate with an AC source between 90 and 150 VAC minimum and a frequency of 57 to 63 Hz minimum. The supplies shall operate over the temperature, humidity and pressure range given in section 4.3.6.

B. Power supplies for connection to a DC source shall operate with a DC source of 24 VDC ± 15%. The supplies shall operate over the temperature, humidity and pressure range given in section 4.3.6.

C. In addition to item B, the DC source power supplies shall be capable of operating for 7 days with the DC source at 30 VDC.

D. The supplies shall be capable of supplying 1.2 times the bus loading when the chassis contains a main processor plus a module in each of the slots. The power capability shall be based on a load for presumed I/O slot contents as follows:

1. One each of an analog input module, analog output module, discrete input module, and discrete output module. The I/O modules selected shall be the ones that have the highest current draw from among those that are selected for qualification.

2. If any coprocessors are to be qualified, then one slot having the coprocessor with the highest current draw shall be selected.

3. Any remaining slots shall be loaded with the I/O module with the highest current draw.

E. For expansion chassis power supplies, the loading shall be based on having the slots contain an equal number of modules selected per item D.1, with any remaining slots containing modules selected per item D.3.

F. The hold-up time for the power supplies shall be 40 ms[59] on loss of AC power when the slots are loaded as above. During the 40 ms hold-up time, the discrete I/O shall not change state, the analog I/O shall not change by more than 5%, and the processor shall not be reset. A delay or temporary halt of the processor is acceptable. The hold-up requirement may be met by:

1. The inherent capability of the power supply.

[59] This requirement is based on the need to ride through a transfer of AC power to an emergency supply.
2. Using a power supply that will accept both an AC and a DC source with automatic transfer between them. The required DC source shall be 24 VDC or less. Any devices needed to provide the alternate supply shall be included in this qualification or shall be previously qualified devices.

3. Adding devices to the PLC to enhance the hold-up time. Any devices used shall be qualified with the PLC or consist of previously qualified devices.

4. Using a qualified UPS as the AC source. Note that this, in effect, means that the hold-up time requirement does not apply to systems that are powered from a UPS.

G. The power supply shall meet the EMI/RFI, surge withstand and ESD requirements of sections 6.3.2, 6.3.5, and 6.4.2, and the grounding requirements of section 4.7.1.8.

H. For power supplies with fan cooling there shall be fan failure detection or power supply overtemperature detection. Fan failure or overtemperature status shall be available to the application.

I. If redundant power supplies are provided, then the supplies shall be protected so that undervoltage, overvoltage, shorts to ground, and other faults in one supply do not prevent the alternate supply from operating as designed.

4.7.1.2 Loop Power Supply Requirements

The PLC manufacturer shall provide power supply modules for use as supplies for external transmitters and other devices. The supplies shall provide at least 500 mA at 24 VDC. The supplies shall meet the requirements of items A, B, C, E, G, and H in section 4.7.1.1. These requirements may be met by external devices per section 4.3.1.3. If redundant loop power supplies are provided, then the supplies shall be protected so that undervoltage, overvoltage, shorts to ground, and other faults in one supply do not prevent the alternate supply from operating as designed.

4.7.1.3 Separation

The separation barriers shall be part of the overall system design and as such are not generic PLC requirements. Any redundancy included as part of the PLC is not required to meet the separation requirements.
4.7.1.4 1E/Non-1E Isolation Requirements

The isolation energy requirement is as given in the several subsections of sections 4.3.2 and 4.3.3. Isolation features shall conform to the instrumentation and control requirements for class 1E to non-class 1E connections given in IEEE 384 (reference 3.5.10).[60] Isolation capability testing shall be performed on the PLC modules and any auxiliary isolation devices to be covered by the qualification. If previously qualified external isolators are used, then this testing is not required. Channel-to-channel or I/O group-to-I/O group isolation is preferred for 1E to non-1E isolation. However, channel-to-PLC back-plane isolation or external devices may be utilized for this purpose. For PLCs with redundancy, the redundant channels may be treated as a single device with regard to meeting the isolation requirements.

4.7.1.5 Cable/Wiring Requirements

The manufacturer shall supply all PLC cabling and wiring that is used to connect the PLC modules to any termination modules included as part of the PLC, and all cables between PLC chassis. The cables shall be suitable for UL class 2 service with a withstand rating of the larger of at least 3 times the signal levels or 150 volts. The temperature rating shall be 60 °C or greater. These items shall be subjected to the qualification conditions in section 6.

[60] IEEE 279 Section 4.7 and IEEE 384 Section 7.2 require a safety (1E) to non-safety (non-1E) isolator to protect the 1E hardware when a fault condition occurs on the non-1E section.
The vendor shall identify and specify the qualities of PVC type wire/cables used in the system. Field wiring to the PLC modules is application specific, and should be previously qualified for use.

4.7.1.6 Termination Requirements

The terminations of field wiring to the PLC shall permit removing and reinstalling a module without disconnecting the field wiring. The PLC shall contain features to permit substituting test signals or monitoring instruments for the field connections.[61] The terminations to the PLC chassis and the power modules shall be qualified with the generic PLC. I/O module and communication module terminations shall be qualified with the generic PLC. Any redundant devices included with the PLC are permitted to share terminations. Any connectors that are part of the PLC shall have positive hold-down mechanisms and shall be included in qualification testing.

4.7.1.7 Backup Power

Backup power is not a requirement for the generic PLC except as needed to meet the requirements of section 4.7.1.1.

4.7.1.8 Grounding/Shielding Requirements

Grounding and shielding of the PLC equipment shall meet the IEEE 1050 (reference 3.5.2) and EPRI TR-102323 (reference 3.4.6) requirements. The PLC chassis and power supply shall have grounding connection points to attach an earth ground and DC common. Shielding connections shall be provided with the I/O module terminations.

4.8 MAINTENANCE

Ease of maintenance, troubleshooting, and testing requires consideration of these items when developing the program and designing the installation for a specific application. However, some PLC features are required to support maintenance. The following requirements are intended to aid in troubleshooting to the module level and to aid installation of a new module.

4.8.1 Diagnosis/Built-in Testability Requirements

The self tests specified in section 4.4.6 and the debugging aids specified in section 4.4.4-B provide the requirements that are needed to support maintenance to the module level.

4.8.2 Module Replacement Requirements

The PLC shall contain features to aid in module replacement. Requirements in section 4.7.1.6 aid in module replacement. Requirements in sections 4.4.4 and 4.4.5.2 specify features to aid in assuring that the configuration is correct. In addition, the maintenance manual shall contain a description of any hardware configuration item for each module. The method of module hold-down shall be easily accessible and provide ease of module removal and reinstallation when all slots are occupied. The features specified in section 4.4.4-B provide the requirements for features that are needed to support calibration and post-installation testing of the module.

4.8.3 Preventive Maintenance Requirements

The PLC equipment manuals shall contain the information needed to support preventive maintenance. The items that shall be included are batteries, fans, air filter cleanliness, terminations, power supply checks, and instrument ground checks.

[61] Using interposing cable, pluggable terminal strips, or equivalent devices fulfills this requirement.
4.8.4 Surveillance Testing Requirements

Surveillance testing per IEEE 338 consists of channel checks, calibration verification, functional testing, response time testing, and logic system functional testing. The following table provides requirements to support the surveillance testing.

| IEEE 338 Test Type | How Tested | Special Equipment/Features |
|---|---|---|
| Channel checks | Reading values in the PLC. | Requirements per section 4.4.4-B. The application needs to block "write" operations. |
| Calibration verification | Stimulate analog inputs; monitor analog points and outputs. | Requirements per section 4.4.4-B. |
| Functional tests and logic system functional tests | Stimulate all inputs; monitor outputs. | Requirements in sections 4.4.4-B and 4.7.1.6. |
| Time response tests | Measure time using a PLC feedthrough digital output, i.e. a digital input turns ON a digital output. | Requirements in sections 4.4.4-B and 4.7.1.6. |
| Analog input signal/analog loop response time | Stimulate external to the PLC; monitor the analog process for deviation; when the deviation is greater than the setpoint, drive a digital output; measure the process reaction curve. | Requirements in sections 4.4.4-B and 4.7.1.6. |

For PLCs that include redundancy, features and procedures shall be provided that permit detection of all failures that are not detected by self-diagnostics and are masked by redundant channel behavior.

4.8.5 Output Bypass/Control Devices

Output bypass/control devices are part of the overall system design, not an integral part of a PLC or any other control component. In addition, the use of these devices is application specific and there are qualified devices available to perform these functions. Therefore, no requirements regarding output bypass/control devices are applicable to PLC generic qualification.

4.8.6 "Hot" Repair Capability

The PLC shall support installing I/O modules, except for the main processor, with power applied to the back-plane. Modules whose field connections are 15 volts or less and whose current draw is less than 0.1 amp shall also be removable with field power applied. PLC output modules shall be designed so that when the module is removed from the PLC back-plane, the state of the output is known and repeatable.

4.8.7 Manufacturer System Life Cycle Maintenance

4.8.7.1 Parts Replacement Life Cycle Requirements

The generic PLC platform qualifier shall establish the baseline configuration for the dedicated PLC hardware and software.
The PLC manufacturer shall indicate the revision history, failures, changes, and testing performed for all future revisions or replacements.

4.8.7.2 Spare Parts Requirements

The PLC qualifier shall establish spare parts requirements at the module level, or other easily replaceable assembly level (e.g. battery pack), for each of the modules selected for qualification, expressed as a fraction of the number of modules of a given type used in an application. The requirements shall be based on PLC manufacturer experience and utility experience as well as calculated failure rate.
4.8.8 Maintenance Human Factors

The maintenance human factors for the PLC will be based on four areas:

A. Special PLC manufacturer equipment: Manufacturer supplied equipment shall be reviewed when used with plant or manufacturer procedures. Job aids, clarifications, and training will be used to supplement the special equipment.

B. Calibrated test equipment: The test equipment interface shall be reviewed for appropriate equipment, manuals, and special test leads. Special care shall be taken to minimize personnel and equipment damage due to test equipment connections. Special interconnection devices may be utilized.

C. Job aids: Job aids for operating the PLC equipment shall be evaluated. Special keyed connectors, warning signals, and equipment pictures shall be utilized to increase personnel and equipment safety.

D. Help screens: Help screens for software used to support maintenance shall be provided. The help screens shall be unambiguous, concise, and complete, with pointers to the manual if it is not practical to provide adequate on-screen help.

4.9 REQUIREMENTS FOR THIRD PARTY/SUB-VENDOR ITEMS

Any items provided by sub-vendors to the manufacturer, or by third parties, shall be subjected to all of the requirements and tests that are applicable to the item's function and design. The hardware and software compatibility of these items with the PLC items which interface with them shall be subjected to suitable tests and analysis to assure that PLC software and hardware performance is not impacted by the items, and to provide confidence that unintended functions will not occur due to interactions between the PLC and the devices.

4.10 OTHER

4.10.1 Data Handling and Communication Interfacing Overview

Communications issues depend upon the system architecture and the PLC application. For large, complex systems the PLC architecture may be expanded from a single PLC chassis to a multi-PLC architecture. Further complications such as remote I/O, redundancy of processors, redundancy of I/O, serial connections to HMI interfaces, and supervisory computer interfaces each expand the need for communication and data handling.[62] The more complex architectural and data handling features required to support LANs or any other network are not appropriate for most nuclear safety applications, and are not covered by the generic requirements. Most of the installed LWR protection systems are small and simple, and the protective action capability and HMI interface would not benefit from serial communications. However, providing serial data to some peripheral devices could be beneficial. Therefore, only those serial interface features where the PLC asynchronously transmits information for use by a foreign device over a serial port will be encompassed by the generic qualification.

4.10.1.1 Peripheral Communication Requirements

Requirements for the physical layer of the peripheral port are given in section 4.3.4.4. The PLC executive and/or application software engineering tools shall provide features to prevent loss of serial communication from degrading the application program. The communication protocol shall assure a deterministic serial communication overhead time for each PLC scan, or shall permit easily determining the upper bound on the timing. Features shall also be provided to permit using the serial port with no hardware or software handshaking. The peripheral communication shall support a communication buffer of at least the size given in item K of section 4.3.4.2. All serial communication shall support data quality checks at least as robust as a checksum.

[62] These features are application specific.
For PLC platforms that include redundancy, the peripheral communication shall utilize data that is validated between the redundant processors. The communication path shall permit connecting a single peripheral to receive the data, and the redundancy shall be transparent to any handshaking between the peripheral and the PLC.

4.10.1.2 PLC Peer-to-Peer Communication Requirements

If peer-to-peer communication between PLCs is required to meet any of the requirements of this specification, it shall be performed over a dedicated link that meets the requirements of section 4.3.4.4, except for item B. The port may be directly supported on the PLC processor or added as special I/O through communication modules or coprocessor modules, and it may be implemented as a standard serial protocol or as a proprietary protocol. For PLC platforms that include redundancy, any peer-to-peer communication shall utilize redundancy commensurate with the PLC platform redundancy and redundancy architecture. The PLC manufacturer's communication support for peer-to-peer communication shall be deterministic (i.e. the time it takes to achieve the communication shall be well defined), and no communication error shall cause any other portion of the application program to stop functioning or inhibit the PLC scan cycle. Synchronization and queues used for communicated data shall be supported. Indication of message queue status shall be available to the application software, along with methods to detect and recover from errors. The response time requirement shall be met with any latency time needed to provide synchronization and to detect and recover from errors added on to the nominal loop time. The data quality check shall be at least as robust as a CRC-16 check. The PLC communication shall detect loss of peer-to-peer communication and make the loss of communication status available to the application program.
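The data quality and loss-of-communication requirements of sections 4.10.1.1 and 4.10.1.2 in working form, as an added example that is not part of the EPRI document or of any PLC product: a transmit-only peripheral frame protected by a CRC-16, a receiver that validates the length field before it copies anything, and a link monitor serviced once per scan that exposes loss of communication as a status the application program can read. The frame layout, the CRC-16 variant (CCITT-FALSE), the 64-byte buffer and the three-scan loss threshold are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SOF          0x7E   /* start-of-frame marker (assumed framing, not from the specification) */
#define MAX_PAYLOAD  64     /* assumed buffer size; section 4.3.4.2 item K sets the real minimum */
#define LOSS_SCANS   3      /* scans without a valid frame before loss of communication is flagged (assumed) */

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection, no final XOR.
 * Check value for the ASCII string "123456789" is 0x29B1. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Frame layout: SOF | LEN | PAYLOAD[LEN] | CRC_HI | CRC_LO, with the CRC computed over LEN and PAYLOAD.
 * Returns the total frame length, or 0 if the payload does not fit. */
size_t frame_build(const uint8_t *payload, size_t len, uint8_t *out, size_t out_cap) {
    if (len > MAX_PAYLOAD || out_cap < len + 4) return 0;
    out[0] = SOF;
    out[1] = (uint8_t)len;
    memcpy(&out[2], payload, len);
    uint16_t crc = crc16_ccitt(&out[1], len + 1);
    out[2 + len] = (uint8_t)(crc >> 8);
    out[3 + len] = (uint8_t)(crc & 0xFF);
    return len + 4;
}

/* Returns the payload length on a valid frame, -1 on any framing, length or CRC error.
 * LEN is checked against both the protocol maximum and the caller's buffer before any copy,
 * so a corrupt length byte cannot overrun the application's buffer. */
int frame_parse(const uint8_t *buf, size_t n, uint8_t *payload, size_t cap) {
    if (n < 4 || buf[0] != SOF) return -1;
    size_t len = buf[1];
    if (len > MAX_PAYLOAD || len > cap || n != len + 4) return -1;
    uint16_t want = (uint16_t)(((uint16_t)buf[2 + len] << 8) | buf[3 + len]);
    if (crc16_ccitt(&buf[1], len + 1) != want) return -1;
    memcpy(payload, &buf[2], len);
    return (int)len;
}

/* Link monitor, serviced once per PLC scan with whatever the port delivered during that scan.
 * It does a bounded amount of work per call, so bad input cannot stretch the scan time. */
typedef struct {
    unsigned scans_since_good;
    unsigned crc_errors;
    int comm_lost;          /* status word the application program reads */
} link_t;

void link_scan(link_t *l, const uint8_t *rx, size_t n) {
    uint8_t payload[MAX_PAYLOAD];
    if (n > 0 && frame_parse(rx, n, payload, sizeof payload) >= 0) {
        l->scans_since_good = 0;
        l->comm_lost = 0;
        return;
    }
    if (n > 0) l->crc_errors++;
    if (l->scans_since_good < LOSS_SCANS) l->scans_since_good++;
    if (l->scans_since_good >= LOSS_SCANS) l->comm_lost = 1;
}

int main(void) {
    /* Constructed sample message: a status byte, a diagnostic code and two 16-bit analog values. */
    const uint8_t msg[] = { 0x01, 0x02, 0x7E, 0x00, 0xFF, 0x10 };
    uint8_t frame[MAX_PAYLOAD + 4], back[MAX_PAYLOAD];
    link_t link = { 0, 0, 0 };
    size_t n = frame_build(msg, sizeof msg, frame, sizeof frame);
    link_scan(&link, frame, n);
    printf("good frame: parsed=%d lost=%d\n", frame_parse(frame, n, back, sizeof back), link.comm_lost);
    frame[3] ^= 0x01;                                  /* single-bit corruption in the payload */
    for (int s = 0; s < LOSS_SCANS; s++) link_scan(&link, frame, n);
    printf("after %d corrupt scans: lost=%d crc_errors=%u\n", LOSS_SCANS, link.comm_lost, link.crc_errors);
    return 0;
}
```

Two points worth noting when reviewing a vendor's implementation against these requirements. First, the receiver rejects a frame on length before it touches the CRC or copies data, which is what keeps a noisy or hostile port from degrading the application program. Second, a CRC-16 is a data quality check against corruption, not an authentication check: it gives no assurance about who produced a frame, which is one reason the specification confines the generic port to transmit-only use and has the PLC ignore incoming data.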
4.10.2 Overall System Security Requirements

The PLC needs to execute its application program when required, and the program and program constants must not be corrupted. Switching the main processor from the RUN (or OPERATE) mode to any other mode shall be by a keylock switch or by a special hardware device that connects to the programming port. For PLC platforms that include redundancy, features shall be provided to aid in assuring that the modes of the redundant processors are the same. If a device is capable of modifying the application program while the PLC is running, then the device must provide positive mechanisms to prevent unauthorized access[63] to this feature and provide reasonable measures to protect against inadvertent changes[64] to the program. For PLC platforms that include redundancy, features shall be provided to assure that any program changes are loaded into all redundant processors.

4.10.3 Heartbeat Requirements

The PLC shall provide the capability for a local and/or remote PLC "heartbeat"[65], so that the operator can visually confirm that the PLC is currently operating. If the PLC does not have such a built-in capability, then the utility shall ensure that such a capability is included in the application program for each safety application of the qualified PLC. A heartbeat is not required for PLC platforms that use redundant processors.

[63] Use of a password or equivalent to restrict access is considered to be satisfactory.
[64] A confirmatory prompt or the equivalent is judged to be satisfactory.
[65] A heartbeat is an indication that changes at some multiple of the PLC scan. The heartbeat can be a blinking light or another display, such as a time-of-day clock. This indication addresses what is considered to be the most limiting unintended function: the case where the watchdog timer reset, or its equivalent, is the only activity occurring on the PLC.
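The access controls called for in sections 4.5.2 and 4.10.2, as an added example that is not taken from the EPRI document or from any PLC vendor: a command handler for the programming port in which reads are always served (channel checks need them), a mode change is accepted only from the keylock discrete input and never from a port command, and parameter writes require a credential (footnote 63), are masked while the processor is in RUN mode, must be confirmed before they take effect (footnote 64), and are applied to every redundant processor in the same scan. The dual-processor count, the four-entry parameter table, the command set and the placeholder credential are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define N_PROC   2    /* redundant processors; dual redundancy assumed for the example */
#define N_PARAMS 4    /* internal parameters exposed to on-line modification (assumed) */

typedef enum { MODE_RUN = 0, MODE_PROGRAM = 1 } plc_mode_t;
typedef enum { CMD_READ_PARAM, CMD_WRITE_PARAM, CMD_SET_MODE } cmd_kind_t;
typedef enum {
    RC_OK, RC_NEED_CONFIRM, RC_DENIED_AUTH, RC_DENIED_MASKED, RC_DENIED_KEYLOCK, RC_BAD_INDEX
} rc_t;

typedef struct {
    plc_mode_t mode;                  /* driven only by the keylock input, see plc_scan_keylock() */
    int authenticated;                /* set only by plc_login() */
    int mask_writes_in_run;           /* application-settable mask on interactive commands in RUN mode */
    int32_t params[N_PROC][N_PARAMS]; /* one copy per redundant processor */
    int pending_valid;                /* a write is held here until the identical write is confirmed */
    unsigned pending_idx;
    int32_t pending_val;
} plc_t;

/* Placeholder credential for the example; a product would hold a per-site secret, not a literal. */
static const char PORT_SECRET[] = "change-me";

/* Constant-time comparison: a wrong credential fails in the same time wherever it differs. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

void plc_init(plc_t *p) {
    memset(p, 0, sizeof *p);
    p->mode = MODE_RUN;
    p->mask_writes_in_run = 1;
}

int plc_login(plc_t *p, const char *pw) {
    size_t n = strlen(pw);
    p->authenticated = (n == sizeof PORT_SECRET - 1) && ct_equal(pw, PORT_SECRET, n);
    return p->authenticated;
}

/* The keylock is read as a discrete input each scan; it is the only path that changes the mode. */
void plc_scan_keylock(plc_t *p, int key_in_program_position) {
    p->mode = key_in_program_position ? MODE_PROGRAM : MODE_RUN;
}

rc_t plc_command(plc_t *p, cmd_kind_t kind, unsigned idx, int32_t val, int confirm, int32_t *out) {
    if (idx >= N_PARAMS) return RC_BAD_INDEX;
    switch (kind) {
    case CMD_READ_PARAM:             /* monitoring needs no credential and is never masked */
        *out = p->params[0][idx];
        return RC_OK;
    case CMD_SET_MODE:               /* positive mechanism: a port command cannot leave RUN mode */
        return RC_DENIED_KEYLOCK;
    case CMD_WRITE_PARAM:
        if (!p->authenticated) return RC_DENIED_AUTH;
        if (p->mode == MODE_RUN && p->mask_writes_in_run) return RC_DENIED_MASKED;
        if (!confirm || !p->pending_valid || p->pending_idx != idx || p->pending_val != val) {
            p->pending_valid = 1;    /* first request: hold it and ask the operator to confirm */
            p->pending_idx = idx;
            p->pending_val = val;
            return RC_NEED_CONFIRM;
        }
        for (int k = 0; k < N_PROC; k++) p->params[k][idx] = val;   /* all redundant copies, same scan */
        p->pending_valid = 0;
        return RC_OK;
    }
    return RC_BAD_INDEX;
}

/* Cross-check that the redundant processors hold identical parameters (section 4.5.1 item B). */
int plc_params_consistent(const plc_t *p) {
    for (int k = 1; k < N_PROC; k++)
        if (memcmp(p->params[0], p->params[k], sizeof p->params[0]) != 0) return 0;
    return 1;
}

int main(void) {
    plc_t plc; int32_t v = 0;
    plc_init(&plc);
    printf("write, not logged in: rc=%d\n", plc_command(&plc, CMD_WRITE_PARAM, 1, 250, 0, &v));
    plc_login(&plc, "change-me");
    printf("write in RUN mode: rc=%d\n", plc_command(&plc, CMD_WRITE_PARAM, 1, 250, 0, &v));
    plc_scan_keylock(&plc, 1);
    printf("first request: rc=%d\n", plc_command(&plc, CMD_WRITE_PARAM, 1, 250, 0, &v));
    printf("confirmed: rc=%d\n", plc_command(&plc, CMD_WRITE_PARAM, 1, 250, 1, &v));
    plc_command(&plc, CMD_READ_PARAM, 1, 0, 0, &v);
    printf("param[1]=%d consistent=%d\n", (int)v, plc_params_consistent(&plc));
    return 0;
}
```

The order of the checks matters: the credential check comes first, the RUN-mode mask second, and the confirmation last, so an unauthenticated or masked request never even reaches the pending slot. The confirmation only succeeds when the second command repeats the same index and value, which is what makes it a confirmatory prompt rather than a second unrelated write.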
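The heartbeat of section 4.10.3, together with the failure mode footnote 65 singles out, as an added example that is not taken from the EPRI document or from any PLC product: the heartbeat is toggled from inside the application program, so an executive that does nothing but reset the watchdog produces a frozen heartbeat, and a simple observer on the HMI side turns that frozen indication into an alarm. The toggle period of 10 scans and the two-period alarm margin are assumptions made for the example.

```c
#include <stdio.h>

#define HB_SCANS 10       /* heartbeat output toggles every 10 scans (assumed multiple of the scan) */

typedef struct {
    unsigned scan_count;  /* advanced only by the application program */
    int heartbeat;        /* discrete output driving a lamp or display */
    unsigned wdt_resets;  /* watchdog timer resets issued by the executive */
} hb_plc_t;

/* One scan of the PLC executive. app_alive = 0 models the limiting case of footnote 65:
 * the executive keeps resetting the watchdog but the application program never runs. */
int hb_plc_scan(hb_plc_t *p, int app_alive) {
    p->wdt_resets++;                      /* the watchdog is satisfied in both cases */
    if (app_alive) {
        p->scan_count++;
        if (p->scan_count % HB_SCANS == 0) p->heartbeat ^= 1;   /* toggled from inside the application */
    }
    return p->heartbeat;
}

/* Observer on the HMI side: samples the heartbeat every scan and alarms when it stops changing. */
typedef struct {
    int last;
    unsigned unchanged;   /* consecutive samples with no transition */
    int alarm;
} hb_monitor_t;

void hb_monitor_init(hb_monitor_t *m, int initial) {
    m->last = initial;
    m->unchanged = 0;
    m->alarm = 0;
}

int hb_monitor_observe(hb_monitor_t *m, int sample) {
    if (sample != m->last) m->unchanged = 0;
    else m->unchanged++;
    m->last = sample;
    m->alarm = m->unchanged > 2 * HB_SCANS;   /* two toggle periods of margin before alarming */
    return m->alarm;
}

int main(void) {
    hb_plc_t plc = { 0, 0, 0 };
    hb_monitor_t mon;
    hb_monitor_init(&mon, 0);
    for (int s = 0; s < 100; s++) hb_monitor_observe(&mon, hb_plc_scan(&plc, 1));
    printf("healthy: wdt_resets=%u alarm=%d\n", plc.wdt_resets, mon.alarm);
    for (int s = 0; s < 100; s++) hb_monitor_observe(&mon, hb_plc_scan(&plc, 0));
    printf("application stalled: wdt_resets=%u alarm=%d\n", plc.wdt_resets, mon.alarm);
    return 0;
}
```

The point the example makes is that the watchdog counter keeps climbing in both halves of the run; only the heartbeat distinguishes a PLC that is executing its application program from one that is merely servicing its watchdog, which is why the specification treats the heartbeat as a separate required indication.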
HLP-001-S-01(Q) Rev C Page 49 of 72

5. ACCEPTANCE TESTING

Acceptance testing as it relates to generic qualification has two main aspects:
A. Testing that is performed on the test specimen prior to qualification tests to confirm that the synthetic application created for qualification testing purposes operates as intended.
B. Operability tests designed to confirm satisfactory operation of the PLC at specified points in the qualification testing.
The development, design, and performance of these tests shall utilize the documentation requirements of section 8.14.

5.1 PRE-QUALIFICATION ACCEPTANCE TEST REQUIREMENTS

These tests are performed prior to the qualification testing to demonstrate that the synthetic TSAP and test specimen hardware operate as intended and to provide a baseline for the qualification tests. These tests are performed on a test specimen that has been developed and configured per section 6.2. These tests must include:
A. Initial PLC calibration. The generic qualification sample PLC is calibrated to NIST traceable sources. The AS LEFT data is used as a baseline for the operational testing. A five point linearity check shall be made in addition to the calibration. The acceptance criteria are that the analog I/O modules meet the manufacturer's specifications.[66]
B. System integration. The system integration testing portion of the TSAP V&V should be performed in conjunction with acceptance testing. The acceptance criteria for these tests shall be based on the requirements specification for the test specimen.
C. Operability Tests. The operability tests to be performed during qualification shall be performed as part of initial acceptance testing (see section 5.2). This establishes the baseline performance and verifies the test procedure.
D. Prudency Tests. The prudency tests shall be performed as part of initial acceptance testing (see section 5.3). This establishes the baseline performance and verifies the test procedure.
E. Burn-in Test. A minimum 352 hour burn-in shall be performed on the test specimen. This is used to detect any early life failures which would corrupt the qualification test results. The acceptance criterion is that the test specimen shall pass the operability tests following the burn-in. If any failures occur, including failures in redundant elements, the failed devices shall be replaced and the replaced items burned in and retested.

5.2 OPERABILITY TEST REQUIREMENTS

In these tests the PLC system is tested to ensure that the PLC hardware modules are functioning correctly. The tests shall be applied as specified in section 5.4. The operability tests shall cover the following items.
A. Accuracy. A minimum five point linearity check shall be made on the analog I/O modules. The test shall be performed on at least one channel of each type of analog I/O in the qualification envelope. The acceptance criteria are that the analog I/O modules meet the specifications given in sections 4.3.2.1 and 4.3.3.1.
B. Response time.[67] The response time of the loop shall be measured. The response time between receiving a discrete input and setting a discrete output, and from changing an analog input to changing an analog output and a discrete output, shall be measured in a fashion that is expected to provide repeatable results.[68] The acceptance criterion is that the response time shall not vary more than ±10% from the baseline.

[66] Failure to meet manufacturer's specifications indicates a faulty module.
[67] ISA S67.06 discusses the test methods and conditions for response time testing.
[68] This measurement may be somewhat indefinite because the response time can vary by as much as one TSAP scan time, depending on where in the scan cycle an input change occurs. Using a PLC output to trigger the input is one possible method of enhancing response time repeatability.
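As an added example (not from the EPRI document), the following model shows the scan-cycle effect that footnote 68 describes: inputs are read at the start of a scan and outputs written at its end, so an input driven by external test equipment at an arbitrary phase of the cycle is answered anywhere between one and two scan times later, while an input triggered by a PLC output always lands at the same phase and repeats. The ±10% check of item B is applied to both schedules; the scan time, wiring delay and sample phases are assumed values.

```python
"""Response-time repeatability and the ±10% acceptance check of section 5.2 item B.

Constructed example, not from the EPRI document. Scan time, wiring delay and
the input schedules below are assumptions chosen to make the effect visible.
"""
from typing import List

SCAN_MS = 20        # assumed TSAP scan time
WIRE_DELAY_MS = 1   # assumed delay from a PLC output terminal back to an input terminal


def response_time_ms(input_change_ms: int, scan_ms: int = SCAN_MS) -> int:
    """Time from an input change to the output write that reflects it.

    The change is seen by the first scan starting at or after it, and the
    corresponding output is written when that scan ends.
    """
    first_scan = -(-input_change_ms // scan_ms)       # ceiling division
    output_written_ms = (first_scan + 1) * scan_ms
    return output_written_ms - input_change_ms


def random_phase_measurements(phases_ms: List[int]) -> List[int]:
    """Inputs driven by external test equipment at arbitrary points within a scan."""
    return [response_time_ms(p) for p in phases_ms]


def plc_triggered_measurements(count: int) -> List[int]:
    """Footnote 68 method: a PLC output drives the input, so every change occurs at
    the same phase of the cycle (end of scan plus wiring delay) and the result repeats."""
    return [response_time_ms(k * SCAN_MS + WIRE_DELAY_MS) for k in range(count)]


def within_tolerance(baseline_ms: int, samples: List[int], pct: float = 10.0) -> bool:
    """Acceptance criterion: no sample may differ from the baseline by more than ±pct."""
    limit = baseline_ms * pct / 100.0
    return all(abs(s - baseline_ms) <= limit for s in samples)


if __name__ == "__main__":
    external = random_phase_measurements([0, 5, 10, 15])   # phases within one scan
    triggered = plc_triggered_measurements(4)
    # Baseline is taken as the first measurement of each series, as in acceptance testing.
    print("external trigger :", external, "pass:", within_tolerance(external[0], external))
    print("PLC-output trigger:", triggered, "pass:", within_tolerance(triggered[0], triggered))
```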
C. Discrete input operability. The discrete inputs shall be tested for their ability to detect changes in the inputs. These tests shall be performed on at least one channel of each type of discrete input used. The acceptance criterion is that the trip and reset points shall be within the manufacturer's specifications.[69]
D. Discrete output operability. The discrete outputs shall be tested for their ability to operate within the specified voltages and currents. These tests shall be performed on at least one channel of each type of discrete output in the qualification envelope. The acceptance criterion is that the voltage and current drive capability shall be within the manufacturer's specifications.[69]
E. Communication operability. If any communication functions are included in the qualification envelope then the operability of the ports shall be tested. The acceptance criterion is that the bit rates, signal levels, and pulse shapes shall be within the specifications for the protocol used (e.g. if RS422 is used, the high and low signal values and bit rate must meet RS422 specifications for the speed used).[70]
F. Coprocessor operability.[71] If any coprocessors are included in the qualification, then their loop time shall be determined, the operability and calibration of any I/O resident on the processor established, and the operability of any communication port on the coprocessor determined. The acceptance criteria are the same as those for similar functions described above.
G. Timer Tests. The accuracy of the timer functions specified in section 4.4.3 shall be tested. The acceptance criterion is that the timer baseline accuracy shall meet the manufacturer's specifications and timer variation throughout the qualification testing shall be ±10% or less.
H. Watchdog Timer Tests. The functioning of the watchdog timer shall be tested. The acceptance criterion is that the baseline accuracy shall meet the manufacturer's specifications and timer variation throughout the qualification testing shall be ±10% or less. The power up watchdog timer self-diagnostics feature required per section 4.4.6.3 may be used to establish watchdog timer operability in lieu of any special test setups to measure it.
I. Failover Operability Tests. If redundancy with automatic transfer to a redundant device is used, sufficient tests shall be performed to establish the operability of the failover hardware. The acceptance criterion is that a successful failover should occur as described in section 4.3.4.7.
J. Loss of power test. The AC and any DC power sources shall be shut off for at least 30 seconds and reapplied. The acceptance criterion is that all I/O shall move to the power off default and power on default states and normal operation shall resume after restoration of power.
K. Power Interruption Test. The AC power source shall be interrupted for the hold up time specified in section 4.7.1.1. The acceptance criterion is as specified in the referenced section.
For PLC platforms that include redundancy, the acceptance criteria may be considered satisfied if the functions still operate. A failure in one or more of the redundant devices that does not result in the inability of the PLC to operate as intended is acceptable. However, the extent of regression testing to be performed if the failed device is replaced shall be justified. Testing may continue with the failed device, if desired.

5.3 PRUDENCY[72] TESTING REQUIREMENTS

These tests shall be applied as specified in section 5.4. The tests shall be performed with the power supply sources at the minimum values specified in section (section number missing in source). The prudency tests shall include the following items.
A. I/O Modulation. This test shall consist of simultaneous actions as follows:
1. Simultaneously toggling at least 15 each 120 VAC discrete inputs and 8 each 24 VDC discrete inputs at 1 second ±10% intervals for at least one minute.
2. Simultaneously toggling at least 8 each 120 VAC discrete outputs and 4 each 24 VDC discrete outputs at 1 second ± one TSAP sample period intervals for at least one minute.
3. Simultaneously driving at least 4 voltage and 4 current analog inputs from at least 10 to 90% of full scale at a 1 Hz ±10% frequency for at least one minute.
4. Simultaneously driving at least 2 voltage and 2 current analog outputs from at least 10 to 90% of full scale at a 1 Hz ± one TSAP sample period frequency for at least one minute.
5. Transmitting a message over the main processor serial port that indicates the read in status of the inputs and the values the outputs were set to.
The acceptance criteria are that all changes of state of the discrete inputs shall be detected, all changes of state of the discrete outputs shall occur, the analog I/O meets the accuracy specifications after adjustment for loop time effects, and that the response time requirement is met. A mapping of one or more discrete inputs to one or more discrete outputs per items 1 and 2 may be used to measure timing. This test may be conducted in conjunction with the response time tests.
B. Failure of serial port receiver test. The receiving device connected to the serial port shall be simulated to fail such that the transmit line to the PLC is left floating for 5 to 10 seconds, then shorted to ground for 5 to 10 seconds, followed by shorting it to the receive line from the PLC for 5 to 10 seconds. The acceptance criterion is that the PLC response time shall meet its requirement and shall not vary by more than ±10% for any of the conditions.
C. Serial port noise test. The transmit line to the PLC shall be subjected to 2.5 VRMS white noise in the 30 to 100 kHz range for at least one minute. The acceptance criterion is that the PLC response time shall meet its requirement and shall not vary by more than ±10% during the test.
D. Fault Simulation. For PLC platforms that include redundancy, failures in redundant elements that can be detected by self diagnosis shall be simulated. The acceptance criterion is that the PLC shall detect the failure.

[69] The manufacturer's specifications are used as the criteria since they are considered to be a better measure of potential degradation than the values given in this document.
[70] The receiving device is presumed to operate properly when signal levels and bit rates are within published standards.
[71] The testing for a specific coprocessor depends on the specific function it provides (e.g. high level language module vs. PID module).
[72] Prudency testing is a set of tests that do not address any specific requirement but exercise the test specimen in various ways to simulate potential in-service stresses.
5.4 OPERABILITY/PRUDENCY TESTING APPLICABILITY REQUIREMENTS

As a minimum, the operability tests and prudency tests shall be performed at points as follows:

| Test condition | Operability tests | Prudency tests |
|---|---|---|
| Acceptance testing (Section 5.1) | All | All |
| Operability test points per Figure 4 | All | All at end of high temp/RH only |
| Post OBEs | All | None |
| Post SSE | All | All |
| During EMI/RFI | All except A | A only |

6 QUALIFICATION TESTING AND ANALYSIS

6.1 SOFTWARE QUALIFICATION OVERVIEW

Equipment can be qualified for safety related use based on several methods individually or in combination (IEEE 323 Section 4). The PLC qualification is based on testing and analysis. The qualification requirements given in the following sections are based on the IEEE 279, section 4.4 requirement that "the qualification shall demonstrate that the PLC system will meet, on a continuous basis, the system performance requirements". The TSAP requirements are based on the IEEE 7-4.3.2 Sect 5.4 requirement that "the device shall be qualified with a set of computer functions that represent safety system applications". The PLC modules, ancillary equipment (isolation devices not previously qualified, contactors, etc.), communication paths, and interfaces are tested with hardware, software and diagnostics representative of those intended for actual operation. The vendor's development process is presumed to meet the requirements of sections 4.4.10 and section 7 and its subsections. In addition, the vendor's development process is presumed to apply to all software tools as well as embedded software. Therefore no testing that specifically addresses validating manufacturer software is included.

6.2 PLC SYSTEM TEST CONFIGURATION REQUIREMENTS

The test specimen configuration, test specimen design, test specimen application program development, and any supporting test fixture design shall conform to the applicable requirements of sections 7.1.2, 7.1.6, 7.1.7, and 8.6. The requirements of section 8.11 shall be applied to all hardware and software, including all software tools and supporting software.

6.2.1 Test Specimen Hardware Configuration Requirements

The hardware configuration to be used shall be developed and documented consistent with the requirements of sections (section numbers missing in source). The hardware used in the test specimen shall consist of items as follows:
A. At least one of each type of module needed to encompass the requirements of section 4.3 and any hardware related requirements in sections 4.4, 4.5, and 4.10. If a particular module is configurable to provide different capabilities (e.g. different ranges) then sufficient modules shall be used to cover the configurations needed to meet the referenced requirements. For thermocouple modules only one thermocouple type needs to be tested unless the module design utilizes different signal conditioning, other than pre-amplifier gain, prior to A/D conversion for the different types.
B. Any additional modules that are needed to support operability testing.
C. At least one of each type of ancillary device needed to meet the requirements of section 4.3 and any hardware related requirements in sections 4.4, 4.5, and 4.10 shall be included. Additional devices of a particular type shall be included if needed to meet the requirements of section 6.2.2 (e.g. if external devices are used to provide the required surge protection, then at least one of each type of device is required).
D. At least one of each type of chassis needed to meet the requirements of section 4.2.1 plus any additional chassis needed to meet the requirements of item A of this section. The connections between the main chassis and the expansion/remote chassis shall use the maximum permissible cable length available from the manufacturer. Any chassis to chassis signal loading caused by connecting the number of chassis needed to meet the requirements of section 4.2.1 shall be simulated.
E. Power supplies to meet the requirements of section 4.7.1.1. Additional resistive loads shall be placed on each power supply output so that the nominal current draws at nominal power supply output voltages are equal to the power supply rating. The nominal current values shall be the sum of the module current draws as calculated using the manufacturer's procedure for determining power supply loading plus the nominal dummy load current.
F. If necessary, dummy modules shall be used to assure that all slots in the base chassis and all slots in at least one expansion chassis are occupied. The dummy module shall provide a power supply and weight load approximately equivalent to an eight point discrete input module. Real modules may be used in lieu of the dummy modules.
G. At least one of each type of termination device used to provide field connections[73] needed to meet the requirements of section 4.7.1.6 and any associated cables for connecting the termination devices to the I/O modules shall be obtained from the PLC manufacturer. Additional termination devices shall be included if needed to meet the requirements of section 6.2.2.
H. Any modules, terminations, cables, power supplies, and other devices needed to implement any redundancy included in the PLC platform.
I. Any additional modules required to support operability and prudency testing per sections 5.2 and 5.3.

[73] A variety of methods are used by different vendors and some vendors have optional termination methods.
6.2.2 Test Specimen Mounting

6.2.2.1 Seismic Test Mounting Requirements

For seismic testing, the test specimen shall be mounted on a structure whose configuration meets the manufacturer's mounting requirements. The structure shall be stiff enough so that there are no resonances below 100 Hz with the test specimen mounted on it.[74] If the selected PLC platform has several possible mounting configurations, then the tests shall be performed with the mounting that can be shown to be most susceptible to seismic vibrations. If it is not possible to establish the most susceptible mounting, then a full set of seismic tests shall be performed in each mounting configuration to be qualified. The mounting shall utilize any hardware that is REQUIRED by the manufacturer. If specific mounting hardware is not required by the manufacturer, then alternate hardware may be used if it is judged that it is needed to meet seismic requirements. Any uses of alternate hardware shall be completely documented in the configuration information.

If any ancillary device or external device provided by the manufacturer or a third party supplier can be mounted in various orientations then at least two devices of each type, one mounted vertically and one mounted horizontally, shall be provided. Mounting hardware to supplement the required manufacturer's hardware or alternate mounting hardware. All screws used for mounting devices to be qualified shall be tightened with a torque wrench or torque screwdriver and the torque values recorded and included in the test report and qualification description document.

6.2.2.2 EMI/RFI & Surge Withstand Test Mounting Requirements

For these tests, the test specimen shall be mounted on a non-metallic vertical surface at a height of six feet to the bottom of the PLC chassis with no secondary enclosure. The PLC shall be connected to ground using the manufacturer's recommended grounding conductor to a ground bus located at the base of the mounting surface. The grounding and shielding used for these tests shall meet the requirements of section 4.7.1.8.

6.2.2.3 Environmental Test Mounting Requirements

For these tests, the PLC chassis shall be mounted in the environmental chamber on a simple structure that does not enclose the PLC chassis. The environmental air shall be monitored near the fan inlet if any PLC power supply contains fans, or at the bottom of the chassis if the PLC uses natural circulation cooling. No additional cooling fans shall be included in the chamber. The dummy power supply loads specified in section 6.2.1 shall be mounted within the cabinet for this test.

6.2.3 Test Specimen Application Program Configuration Requirements

The TSAP must be developed using the applicable portions of sections 4.4.10, 8.6, and section 7 and its subsections. The test specimen application program shall contain the items as follows:
A. At least one of each function given in section 4.4.3.[75]
B. If providing serial output data from the PLC is included in the qualification envelope then a serial communication output sequence shall be included.
C. Program sequences to support the testing specified in section 5. Some suggested methods for aiding in operability and prudency testing are:
1. The lead/lag function may be used to simulate a simple process for connection to the PID function. Connecting the PID analog output to the lead/lag analog input and then connecting the lead/lag analog output to the PID feedback analog input will simulate a closed control loop. The lag time should be at least one second.
2. Mapping a set of discrete inputs to fixed values of analog outputs to aid in linearity testing.
3. Initiating a timer on a discrete input and loading a discrete output on time out. This supports timer accuracy measurements.
4. If serial output is required to support testing per item E of section 5.2, then the TSAP shall include a message with a bit pattern that provides ease of bit rate, pulse shape and signal magnitude measurement.
5. A round robin discrete output/input/output/input program sequence where a discrete output feeds a discrete input which in turn creates a discrete output that is connected to a discrete input that creates the first discrete output. This type of sequence will create timing benchmarks to enhance response time measurement repeatability.
6. Including a serial output message that contains selected analog input values and is triggered by a discrete input can be used to aid in analog input linearity testing.
7. A one second timer based function that toggles 8 discrete outputs each time the timer times out. The function should be initiated on a discrete input.
8. A function that drives 4 analog outputs between 10 and 90% of full scale on a 1 second period. The function should be initiated on the same discrete input as item 7 above.
D. A program sequence to change the state of an output once each cycle.[76]
E. Any application functions needed to support any redundancy included with the PLC platform and any functions needed to support testing of fault detection and failover.

6.2.3.1 Coprocessor Test Specimen Application Program Requirements

If a coprocessor utilizes a high level language and is included in the qualification envelope, then it must include its own TSAP. The coprocessor TSAP shall include:
A. Program that utilizes each of the characteristics described in section 4.4.8.2.
B. If a serial port is available on the coprocessor then a serial communication output sequence shall be included.
C. Program sequences to support the coprocessor testing specified in section 5.
D. Any application functions needed to support any redundancy included in the co-processor and to support testing of fault detection and failover in the co-processor.

6.2.4 Test Support Equipment Requirements

Test equipment to support the acceptance testing and operability testing shall be provided. The supporting equipment to be included is:
A. Panel or other device for connecting to the inputs and outputs. This device shall contain methods for stimulating inputs and monitoring outputs as required to support acceptance and operability testing. The test panel design shall be documented as described in section 8.10.
B. Test and measuring equipment with accuracy needed to support the acceptance criteria.
C. Any special tools and devices needed to support testing.
D. All test equipment shall be controlled per IEEE 498.

6.3 QUALIFICATION TESTS AND ANALYSIS

Qualification testing shall be performed as given in the following sections. Documentation of the qualification process shall be per section 8.6.

[74] The seismic RRS is based on the spectrum at the cabinet level, not the floor level. Therefore, the mounting must not have any vibrational amplification within the seismic spectrum range.
[75] To implement the IEEE 7-4.3.2 Sect 5.4 requirement that the device shall be qualified with a set of computer functions that represent safety system applications. This is intended only to represent safety system application type elements, and is not meant to imply testing to supplement the manufacturer's QA program.
[76] Included to provide a visible indication of PLC operability during qualification and provide a timing mark.
-. - ~. HLP-001-S-01(Q) Rzy C Pcg3 55 of 72 - 3- ) All PLC system testing shall be performed on a calibrated PLC System with all user setpoint values adjusted for their default values. User setpoint variation is not considered part of the qualification testing. $1j._ Aoina Rannirements . The sequence of tests and analysis shall be performed to simulate various aging factors. The order shall be: l A. An environmental and radiation aging analysis shall be performed by the qualifier on the PLC equipment prior to any testing. The aging analysis shall use the upper bound of the normal temperature and humidity j 77 range in section 6.3.3, and the abnormal radiation and pressure range. The aging analysis shall be { based on a target qualified life of 40 years. The analysis shallidentify any modules with an expected i " constant failure rate" period of less than 40 years and provide the expected period for each such module. l The analysis shall conform to IEEE 323. B. Environmental testing as specified for abnormal temperature and humidity conditions. j C. ESD testing. 4 D. Seismic testing l' E. EMI/RFItesting F. Surge withstand testing. l 612. EMI/RFI Test Requirements } EMI and RFI testing is performed as specified in EPRI TR1023237s. The EMI/RFI susceptibility and emissions testing from EPRI TR102323 that shall be performed is: A. Radiated Susceptibility Testing per Appendix B section 3.1.2. B. Conducted Susceptibility Testing per Appendix B section 3.2.2. C. Radiated Emissions Testing per section 7. D. Conducted Emissions Testing per mandatory tests in section 7. The susceptibility tests shall be performed at 25%, 50% and 75% levels in addition to the specifed level. The acceptance criteria are: E. The main and any coprocessors shall continue to function. F.. The transfer of 1/0 data over shall not be disrupted. G. The emissions shall not cause the discrete I/O to change state. H. Analog 1/0 levels shall not vary more than 3%. 
For PLC platforms that include redundancy, only the selected value from among the redundant signals needs to meet the acceptance criteria. 6.3.3 Environmental Testina Reauirements Environmental testing is performed to assure that the PLC System does not have failures due to service conditions of temperature and humidity. The immunity to pressure and integrated radiation exposure is performed by analysis per item A of section 6.3.1. Other PLC system operating conditions such as range of input power voltage value and output " contact" load can also affect the environmental testing stresses. All environmental testing shall be performed with the margins applied The margins to be used for testing are 2.8 *C (5 *F), 5%RH,.5 psig,10% TID.78. The normal environmental l conditions that shall be used are as follows. A. 15.6 to 40 *C (60 to 104 *F), with margin 12.8 TO 42.8 *C (55 to 109 'F) l 77 The aging anahsis requires a knowledge of the materials and component types used in the PLC. 78 EPRI TR102323 uses MIL Standard 461/462D and equipment classificaten A3 as a basis for testing with modfricatens to some of the test condstens and limits. 78 From IEEE 323. c:5roppicqual\\revc5Icsprc. doc 4-Nov-g6
... ~ - -. -. - ~. - - },* HLP-001-S-01(Q) i Rsv C i Pegt 56 of 72 i i l B. 40 to 95% RH, with margin 35 to 95%e0 RH l i ' C. -1 to 1 psig, with margin -1.5 to 1.5psig i 3 3 D. 1.0x10 Rads TID, with margin 1.1x10 Rads TID The Abnormal Environmental conditions are: E. 4.4 TO 48.9 *C (40 to 120 *F), with margin 1.7 to 51.7 *C (35 to 125 'F) 8 F. 10 to 95% RH, with margin 5% to 95% RH (non condensing) G. -1 to 1 psig, with margin -1.5 to 1.5 psig 8 8 H. 1.0x10 Rads TID, with margin 1.1x10 Rads TID The abnormal environmental testing shall be performed using the profile given in Figure 4. The PLC shall be energized with the TSAP running during this testing with 1/2 of the discrete and relay outputs ON and loaded l to their rated current. All analog outputs shall be set to approxin 5ly 1/2 full scale. 6.3.4 Seismic Test Requirements The PLC System is considered a safety system with a Category 1 Seismic classification. The PLC System therefore shall meet its performance requirements ouring and following a Safe Shutdown Earthquake (SSE). Tri-axial, random, multi-frequency testing shall be used for seismic withstand capability. l The seismic qualification requires that the PLC system be vibrationally aged to the end-of-life condition. The vibration aging shall use five OBEs with the RRS as shown in Figure 581 followed by an SSEs2 with the RRS l as shown in Figure 5. If equipment repairs are required during seismic testing they shall meet the guidance in IEEE 344 section 7.1.3. 6.3.4.1 Seismic Test Measurement Requirements If relay output modules are designated for qualification, then a relay contact monitor shall be connected to all relay output channels in the PLC. The acceptance criteria for contact monitoring is that no spurious contact change of state longer than 2 ms shall occur. One half of the relays on a given module shall be e'nergized and one half de-energized during application of the seismic stresses. 
In addition,1/4 of the relays shall transition from OFF to ON and 1/4 from ON to OFF during application of both the OBE's and SSE. If the relay modules do not meet the acceptance criteria, the tests shall be reperformed with the peak acceleration reduced in 2g increments and the associated ZPA reduced in 1g increments until the chatter criteria is met. However, a peak i acceleration of less than 8 g shall not be used. The PLC shall be powered with its TSAP operating and 1/2 of the solid state discrete outputs ON and loaded to their rated current. The sources to the PLC power supplies shall be at the lower limit given in section 4.7.1.1. In addition to the control accelerometer, one or more specimen re sponse accelerometers shall be mounted on each chassis. The additional accelerometers shall be located to establish the maximum acceleration that i occurs in each chassis so individual modules added to the qualified list could be seismically qualified as single assemblies in the future. 6.3.4.2 Seismic Test Performance Requirements The following tests shall be performed in the order shown. 80 No margin is apphed to the high end because performing tests at greater than 95% is not practcal. 81.The apphcaten of rive OBEs is as specified in IEEE 344 Sect 7.1.5.2. The PLCs are presumed to be located where the normalin-servce vibraten is noghgible. Per Reg. Guide 1.61 an OBE has one haff of the SSE amplitude over the frequency range of 1 to 33Hz. However, the ODE shown in the flgure uses 70% of the SSE over the range of 1 to 100 Hz to simulate some amount of in serven vibraten aging in additen to the seismic aging. 82 The high g levels used in the figure are used to encompass a broad range of potential applestons. The specerod SSE RRS can be schewed at domeste facilites with trLaxel shake tables. The damping value of 5% is por IEEE 344 seden 7.6.1.3. t j-c:\\proj\\picqual\\reve\\picsprc. doc 4-Nov-96 1
HLP-001-S-01(Q) R:v C P g3 57 of 72 A. Resonance search as described in IEEE 344 section 7.1.4. B. Five tri-axial OBEs. C. A tri-axial SSE. D. A complete operability test. If the selected PLC platform has several possible mounting configurations, then the tests shall be performed with the mounting that can be shown to be most susceptible to seismic vibrations. If it is not possible to establish the most susceptible mounting, then a full set of tests shall be performed in each mounting configuration to be qualified. 6.3.4.3 Seismic Test Spectrum Analysis Requirements in addition to reporting the test response spectrum from the control and specimen response accelerometers at the damping given in Figure 5, the spectrum shall also be reported for 1/2,1,2 and 3% damping. 6.3.5 Surae Withstand Canability The Surge Withstand Capacity testing is performed to assure that the PLC System does not have failures due to service conditions. Surge Withstand Test severity shall be per location B and medium exposure in section 9 of IEEE C62.41 (reference 3.5.22) except the applied voltage shall be 3000 volts peak.83 The testing shall utilize both the standard 0.5 ps-100 kHz ring wave with 3000 volts peak and the standard 1.2/50 ps-8/20 s combination wave with 3000 volts peak test surges. The surge shall be applied: A. Between line and neutral for AC connections to the power supplies. B. Between line and AC ground for AC connections to the power supplies. C. Between neutral and AC ground for AC connections to the power supplies. D. Between AC ground and the common side of the source for any power supplies with DC sources. E. Between AC ground and the high side of the source for any power supplies with DC sources. F. Across representative samples of any discrete input or output (including relay outputs) that is AC rated. The test shall be performed for both the ON and OFF states of the samples. G. 
Between the common connections for representative samples of any discrete inputs and outputs where a common connection is shared by two or mode I/O points. i H. Between the power supply AC ground and the common side of representative samples of any discrete inputs and outputs for both ON and OFF states of the samples. 1. Between the power supply AC ground and the common side of representative samples of any analog 1/O. J. Between the power supply AC ground and the signal ground pin on any PLC communication port connector. K. Between the power supply AC ground and the transmit and receive signal common pins on any PLC communication port if different from item J. The testing methods shall be conducted in accordance with IEEE C62.45 (reference 3.5.23). l For PLC platforms that include redundancy, the acceptance criteria may be considered satisfied if the PLC still performs as intended following application of the surge. A failure in one or more of the redundant devices that does not result in the inability of the PLC to operate as intended is acceptable. However, the extent of regression testing to be performed if the failed device is replaced shall be justified. Testing may continue with the failed device, if desired. 83 The appled levelis per 3.3 and 3 4 of EPRI TR102323 which is consistence with the guidance in IEEE C62 41. l c:\\proj\\picqual\\reve\\plesprc. doc 4-Nov-96
6.4 OTHER TESTS & ANALYSIS

6.4.1 FMEA

An FMEA analysis of the PLC shall be performed consistent with the requirements of sections 4.2.3, 4.2.3.1, 4.2.3.2, 4.2.3.3, and 4.2.3.4. The FMEA shall be performed per IEEE 352, sections 4.1, 4.4, and 4.5.

6.4.2 Electrostatic Discharge (ESD) Testing Requirements

ESD testing shall be performed to assure that the PLC System does not have failures due to service conditions. The ESD testing shall conform to EPRI TR-102323 Appendix B section 3.5.8.[84]

For PLC platforms that include redundancy, the acceptance criteria may be considered satisfied if the PLC still performs as intended following application of the ESD. A failure in one or more of the redundant devices that does not result in the inability of the PLC to operate as intended is acceptable. However, the regression testing to be performed if the failed device is replaced shall be justified. Testing may continue with the failed device, if desired.

6.4.3 Power Quality Tolerance Requirements

The power source requirements are listed in section 4.7.1.1. Power quality tolerance testing to the input voltage range given in section 4.7.1.1 shall be performed during acceptance testing, at the end of the elevated temperature test while still at high temperature, and following the seismic testing. For PLC platforms that include redundant power supplies, the redundant supplies shall be tested with the same AC supply connected to both during the testing.

6.4.4 Requirements for Compliance to Specifications

The compliance is based on reviewing the Type Test data from the Qualification test against the acceptance criteria in the Test Plan. The Test Plan acceptance criteria shall take into account the performance requirements of the PLC system and the test instrumentation measurement accuracy. The Test Report shall state the result of the comparison of the test data against the acceptance criteria (IEEE 323 section 8).

6.4.5 Human Factors

Human Factors issues are for PLC selection, not qualification. There are no qualification test requirements.

6.5 QUALITY ASSURANCE MEASURES APPLIED TO QUALIFICATION TESTING

All activities relating to qualification testing shall be performed to a quality assurance program that conforms to 10CFR50, Appendix B.

A. The QA program shall apply to development of the TSAP.
B. The QA program shall apply to procurement of all items included in the qualification test specimen. This shall include shipping, handling, and storage.
C. The chain of custody of all test specimen items shall be maintained from manufacturer through receiving, shipping to the various test facilities, and post-test storage. The chain of custody shall be maintained until at least the test reports and all other documentation are complete and approved.
D. The QA program shall apply to all tests and analysis that are performed under section 6 of this specification, including test plans, test performance, data recording, etc.

[84] The ESD testing in EPRI TR-102323 matches IEC 801-2.

[85] IEEE 279 Section 4.7 and IEEE 384 Section 7.2 require a safety (1E) to non-safety (non-1E) isolator to protect the 1E hardware when a fault condition occurs on the non-1E section. Note: Application-specific guidance in IEEE 384 does not require isolation devices for associated circuitry. However, associated external indications and controls for the PLC system may be subject to external faults that can have broader effects on the system than in existing system designs.
7. QUALITY ASSURANCE

7.1 GENERAL

There are two levels of Quality Assurance activities: those employed by the PLC manufacturer in producing the PLC product, and those used by the dedicator/integrator in applying the PLC products for use in the plant. Whereas the application-specific activities are performed under a 10CFR50 Appendix B quality assurance program, the PLC manufacturer is providing a commercial grade item which ordinarily is not developed under an Appendix B program. Thus, the PLC must ordinarily be qualified or dedicated for safety applications.

7.1.1 10CFR50 Appendix B Requirements for Safety Related Systems

Regardless of the quality processes used by the manufacturer in developing the PLC products that are included in the generic PLC platform qualification, the following activities and the process of applying the PLC shall be performed under a 10CFR50 Appendix B quality assurance program:

A. Any activities performed to provide generic qualification of the PLC product.
B. Application-specific design and development, including system integration.
C. Any supplementary application-specific activities for dedication of the PLC product.

Because commercial PLC products are typically not developed and manufactured under Appendix B programs, the following approach shall be acceptable for the generic qualification:

D. The qualifier shall use either the 18 criteria of 10CFR50 Appendix B or the 20 criteria of ISO 9001 as the basis for evaluating the manufacturer's development and quality processes.
E. The qualifier shall perform audit(s) to confirm that the manufacturer's quality program conforms to the criteria described in item D above, and to confirm that the quality program has been adequately applied to the PLC product being qualified.
F. If the audit(s) is performed against ISO 9001, then the following supplementary activities[87] shall be performed by the qualifier or utility:
1. Identification of ISO 9001 as the governing quality standard for the PLC product's design, development and manufacturing activities.
2. Confirmation that the PLC manufacturer has a configuration management program meeting the requirements of section 7.1.6.
3. On-site independent inspection of each PLC item by the utility on receipt of the device, unless the manufacturer's quality assurance program requires an independent inspection before shipping.
G. The qualifier shall evaluate the manufacturer's V&V program according to the criteria in section 4.4.10.

7.1.2 10CFR21 Compliance Requirements

10CFR21 states that "The dedicating entity ... is responsible for identifying and evaluating deviations, reporting defects and failures to comply for the dedicated item, and maintaining auditable records of the dedication process." In other words, 10CFR21 compliance is required of the utility or its designee (e.g., the qualifier and dedicator), rather than the PLC manufacturer. The utility shall ensure that the following activities are performed:

A. Identify, document and communicate problems and errors with the PLC to the PLC manufacturer.
B. Evaluate problem reports received from the PLC manufacturer, other users of the PLC, and the NRC.
C. Screen relevance of all problem reports, regardless of origin, with respect to the application and environment of the PLC at the utility's plant.
D. Submit reportable items to the NRC as per the utility's Part 21 program.

In addition, the PLC manufacturer shall support problem reporting and tracking as described in requirement 7.1.7.

[87] These activities cover certain detailed requirements of 10CFR50 Appendix B that are not addressed in ISO 9001.
7.1.3 Requirements for Manufacturer Qualification Maintenance throughout Product Life Cycle

For the generic qualification to be valid throughout subsequent PLC product revisions, the manufacturer i) must maintain at least the same level of rigor in the development process, ii) must ensure compatibility of replacement components with respect to their form, fit and function within the PLC, iii) must ensure upward compatibility of features and functions of any design changes. The scope of the qualification maintenance includes:

- PLC Hardware
- PLC Software and Embedded Firmware[88]
- Software engineering tools and the development environment.
- Design, V&V, Configuration Management and Quality Processes.
- Documentation.

Of particular concern is the commonplace nature of frequent software (including firmware) upgrades; this concern further motivates the maintenance of the manufacturer's qualification throughout the product life cycle. It is unrealistic to expect that a PLC manufacturer will agree to support an outdated configuration indefinitely. The qualifier shall obtain a direct commitment or documentation confirming that the PLC manufacturer will follow the following policies:

A. Ensure upward compatibility with respect to all hardware and software functionality, and include in its quality program an objective means to confirm this with each revision.
B. Maintain the same or enhanced level of rigor in the processes described above, or inform the qualifier of any degrading of the processes.
C. Commit that the particular PLC configuration subjected to qualification will be supported by the PLC manufacturer for at least 5 additional years.
D. Commit to provide at least 6 months notice before withdrawing support of a qualified product configuration.

7.1.4 Software Specific Requirements

The engineering tools (i.e., compilers, graphical model builders, etc.) used for configuring an application are not typically employed on the PLC hardware itself. Rather, such tools for code generation, data generation or configuration activities are performed on a general purpose computer. The PLC manufacturer shall ensure either continued access to the same versions of the engineering tools and development environment used to generate the software for the qualified PLC, or the capability of reconstructing the functionality with the revised development environment and tools.

7.1.5 Requirements for Compensatory Quality Activities for Legacy Software

Commercial PLCs may contain legacy software elements (sections of code, modules, complete applications, etc.) that were developed before currently accepted practices for V&V and Software Quality Assurance. Legacy software is commonly reused in revisions of the firmware/software. Despite shortcomings in its documentation, this legacy software may have proved its high quality due to extensive use in previous and current revisions of the PLC software. Using the guidance of TR-106439, the qualifier may compensate for shortcomings in the design, quality assurance and V&V documentation of legacy software by:

A. Evaluating and analyzing the documented operating experience of the product revisions involving the legacy software elements in applications similar to nuclear safety instrumentation & control, and
B. Planning and performing black box tests that exercise functions performed by the legacy software to confirm their conformance with requirements of this generic specification.

Compensatory activities shall not apply to shortcomings in the conf... current revisions, or to rece...

[88] This shall be interpreted to include programmable hardware devices with firmware-like functions that are included as part of an assembly, such as programmable gate arrays.
7.1.6 Configuration Management

NUREG 6421 states as a basic screening criterion for PLC selection the requirement that the "product shall be under configuration and change control." The following subsections point to the standards and guidance for evaluating the manufacturer's configuration management plans.

7.1.6.1 Hardware Configuration Management Requirements

The scope of hardware configuration management includes:

- Revision to PLC module design.
- Configuration of the modules in terms of their underlying hardware components (e.g., microprocessor type and revision).
- Compatibility of revised modules with respect to the existing architecture and module (e.g., compatibility of a new I/O module with an older processor).
- Manufacturer documentation.[89]

The utility shall use appropriate sections of NQA-1 as guidance to evaluate the adequacy of the manufacturer's hardware management plan. The following discussions point to specific sections of NQA-1 for each of these areas.

A. The utility shall use Section 5 ("Change Control") of Supplement 3S-1 ("Supplementary Requirements for Design Control") to evaluate the configuration management process for design revisions. Key considerations include "assurance that the design analyses ... are still valid," measures to ensure that design changes are reviewed with respect to the original design context, and measures to ensure that a design change results in consistent changes to the relevant design documentation.
B. Following the guidance of Supplement 8S-1 ("Supplementary Requirements for Identification and Control of Items"), the manufacturer's configuration management plan shall include a method for identification of each constituent component within the PLC module(s), so that changes to the configuration can be tracked and evaluated for consistency with the PLC design.
C. The manufacturer's method for document control shall be evaluated against "Supplementary Requirements for Document Control". Considerations include identification of controlled documents, the process for changing and issuing controlled documents, and the approach to substantive review of document changes for adequacy, completeness, correctness and (where applicable) consistency with design changes.

7.1.6.2 Software Configuration Management Requirements

The scope of Software Configuration Management includes the creation and revision of:

- PLC firmware, PLC run-time software libraries and modules.
- Software engineering tools used for developing and testing configurations and special functions.
- Software documentation.

The qualifier shall use Table A-4 of NUREG/CR-6421[90] and IEEE Std 828 as guidance to evaluate the adequacy of the manufacturer's software configuration management plan. The basic requirements are that the plan:

A. Define the organization and responsibilities for performing software configuration management, and their relationships to development and quality assurance organizations;
B. Provide the four basic functions, namely
- Configuration ID (establishment of baselines)

[89] This covers all vendor documentation including not only the core design documentation, but other documents such as guidance on acceptable limits for configuration and using the module, and documentation of receipt inspections and tests.

[90] Note that the underlying basis for the NUREG 6421 discussion of software configuration management is IEEE 828-1990, "IEEE Standard for Software Configuration Management Plans".
- Configuration Control (determining the authority and procedure for changing a baseline)
- Configuration Status Accounting & Reporting (e.g., database)
- Configuration Audits and Reviews
C. Ensure that sub-tier suppliers to the PLC manufacturer maintain a comparable level of configuration management.

Note that the "Configuration Control Board" (CCB) referred to in CR/6421 may simply be the individual(s) charged with software configuration management.

7.1.7 Problem Reporting / Tracking Requirements

The qualifier shall confirm that the PLC manufacturer maintains a problem reporting and tracking system that provides information needed by the utility to evaluate potential PLC problem impacts on safety. The essential information shall include:

A. Classification of problem or error.
B. Description of problem or error.
C. Affected PLC model, part and revision numbers.
D. Type of application (e.g., protection, control, safety, non-safety, etc.).
E. Description of application configuration (i.e., number and types of modules involved).
F. Name of reporting site and means (e.g., cognizant individual) to contact site.
G. Type of site (BWR, PWR, oil refinery, etc.).
H. Cumulative operating time of PLC when error occurs.

The utility shall confirm that the PLC manufacturer provides i) an effective mechanism for all commercial customers (both nuclear and other) to report problems and provide the above information, ii) a timely mechanism for consolidating information and making it available to all nuclear utility customers.

8. DOCUMENTATION

Various types of documents are required to support both the generic qualification and application-specific PLC usage. The various types of information to be provided are given in the following sections. The information may be provided in suitable drawings, manuals, etc. The requirements given are intended to specify only the type of required information. They are not intended to define a specific document structure. The types of documents discussed below are either supplied by the manufacturer or by the qualifier. Manufacturer-supplied documentation is typically associated with the PLC standard product line and does not necessarily reflect the qualified configuration. However, the qualifier is responsible for preparing documentation that reflects the generic PLC platform. The qualifier may utilize manufacturer-supplied information to the extent that it is applicable to the generic PLC platform. Documentation supplied by the qualifier is subject to review and approval by the customer utility(ies).

8.1 EQUIPMENT GENERAL OVERVIEW DOCUMENT REQUIREMENTS

The manufacturer supplied documentation should include an overview of the PLC product line. The overview should include:

A. Description of the generic PLC platform structure.
B. Description of the types of interconnections between main and expansion/remote I/O chassis.
C. Overview and selection guide of the modules available.
D. Overall capacity in terms of I/O and processing speeds available.
E. Installation information.
8.2 EQUIPMENT GENERAL SPECIFICATIONS REQUIREMENTS

The manufacturer supplied documentation must provide general specifications for the PLC and its modules. The specifications provided must be sufficient to establish the overall speed, accuracy, I/O capacity for discrete and analog, environmental withstand capability, EMI/RFI capability, and shock/vibration withstand capability.

8.3 OPERATORS MANUAL REQUIREMENTS

This PLC manufacturer documentation must include information on the operation of the PLC. This information must include information on the significance of any status indicators on the PLC, any special procedures that should be used for operation of the PLC, and the use of any switches or controls that are part of a PLC module. The manual shall include a description of operation and use of any redundancy features included in the PLC platform.

8.4 PROGRAMMERS MANUAL REQUIREMENTS

The PLC manufacturer must provide detailed information on the use of the functions available in the PLC main processor. The information to be provided in the manual is:

A. A summary of the available functions with a brief description of each.
B. A detailed description of the usage of each function.
C. Examples of application for complex function blocks.
D. Limitations on any of the functions (e.g. parameter ranges, number of functions of a particular type that can be used).
E. Methods for managing resource utilization (i.e. memory utilization, I/O mapping, scan time and overall response time estimating).
F. A user manual for the programming and debugging tools that are provided.
G. Detailed information for creation and testing of user defined functions if this capability is provided.
H. Detailed description of the operation of any conditional execution statements (e.g. GOTO, SKIP, SUBROUTINES).
I. Description of the limitations of the application of dynamic functions (e.g. PID functions, Lead/Lag) and the relationship of their operation to loop time.
J. Detailed description of the interaction between the main processor, coprocessor modules, and I/O modules.
K. Detailed description of the interaction between the application program and any redundancy features included in the PLC and any application layer activities and functions needed to support the redundancy.
L. Any software build procedures and software tools that are needed to apply the PLC to a safety system configuration.

8.5 EQUIPMENT MAINTENANCE MANUAL REQUIREMENTS

The manufacturer manuals shall contain information needed for calibration, troubleshooting, and maintenance of the modules and overall PLC. The manual must include a list of any special equipment and software needed to perform maintenance and troubleshooting. The maintenance instruction shall include any preventative maintenance measures (e.g. battery replacement) applicable to the PLC and its modules. The manual shall describe protocols used for communications between a PLC and peer PLCs, I/O devices, and peripheral devices.

8.6 QUALIFICATION DOCUMENTATION REQUIREMENTS

The qualifier shall provide all documentation supporting the qualification of the generic PLC platform. The qualifier shall submit all such documentation to the customer utility(ies) for review and approval. The requirements for documents to define and record the qualification process include programmatic items to meet IEEE 323 sections 4 and 8 plus the technical items and acceptance criteria. The items that are to be covered in the documentation are given in the following sections. These requirements are not intended to imply a specific document structure but each of the items must be included in a suitable document.
The scope of test plans and reports shall include all acceptance and qualification test activities described in section 6, including seismic, environmental, EMI/RFI and surge withstand tests.

8.6.1 Programmatic Documentation Requirements

The following items are required to document the qualification process:

A. Test plan[91] that includes:
1. Aging mechanism analysis and test considerations.
2. Qualified life objective.
3. Test configuration and documentation.
4. Periodic maintenance during qualification.
5. Qualification method (type test and analysis).
6. Normal and abnormal service conditions to be tested, sequence of service conditions tested, and margin.
7. Mechanical mounting and interconnections with test instrumentation.
8. Required functional tests during service condition applied stresses.
9. Decomposition of requirements into acceptance criteria and measurement accuracy.
10. Provisions for control and documentation of modifications during test.
11. Required documentation.
B. Specification[92] that includes:
1. Equipment identification and associated specifications.
2. Interfaces.
3. Qualified life objective.
4. Safety functions.
5. Service conditions.
C. Procedure. The qualification procedure shall include the test steps and an index to the test plan and service conditions. The procedure shall have a method of collecting and indexing test data to the test step. The procedure shall contain requirements for identifying and handling any test deviations.
D. Type test and retest data. The output of the service conditions and functional tests are collected for review against the acceptance criteria. Identification of test failures, modifications (to the equipment or procedure), and retest data shall be controlled by the modification requirements in the Qualification Plan.
E. Modifications. Modifications to the PLC system or qualification procedure shall be documented, reviewed, and recorded. A matrix of PLC System changes, procedure changes, and changes to the service conditions needs to be maintained and reviewed. The modification documentation shall include retest requirements and the basis for the retest requirements.
F. Any analysis data (if used) and operating experience data (if used) must be documented along with the analysis that used the data.
G. Test report. The test report shall include:
1. A summary of tests performed.
2. Aging conditions or analysis.
3. Ranges of service conditions tested.
4. An evaluation of the test results.
5. A statement that the equipment performed its intended safety function at the end of qualified life within a range of service conditions.

[91] From sections 6.2, 6.3 of IEEE 323.

[92] From section 6.1 of IEEE 323.
6. Limitations for PLC safety system usage based on test results shall be included if required by the test results.

8.6.2 Technical Items and Acceptance Criteria Documentation Requirements

The technical items documentation is used to establish and document the test specimen, describe the environmental conditions to be tested, design life determination, and pre-aging requirements. The items to be covered by documentation in this area are:

A. Test Specimen requirements. This document provides the requirements to be covered by the PLC. These requirements are extracted from this document as modified to accommodate some range of applications.
B. Test specimen purchasing records.
C. TSAP development documentation per applicable portions of sections 8.7 and 8.11.
D. Test specimen documentation per sections 8.8, 8.9, 8.10, 8.12 and 8.13.
E. Test documentation per section 8.14.

8.6.3 Application Guide Documentation Requirements

A qualification summary document shall be provided that describes the PLC and ancillary equipment that is included in the qualification. The document shall describe the qualification envelope in detail and provide all of the configuration information needed for guidance in applying the PLC to a safety related system.

8.6.4 Supporting Analyses Documentation Requirements

The qualifier shall document the analyses specified in section 6.4 as part of qualification testing. In particular, the qualifier shall provide:

A. Failure Modes and Effects Analysis (FMEA) Report that is specific to the PLC platform configuration being qualified.
B. Availability/Reliability Analysis Report that is specific to the PLC platform configuration being qualified.

If the configuration involves fault tolerance[93], then these reports shall incorporate the fault tolerant capability and clearly state any assumptions used in evaluating the effect of fault tolerance.

8.7 V&V DOCUMENTATION REQUIREMENTS

The PLC manufacturer shall generate the following minimum documentation to support its V&V and related software quality processes. This list is based upon Table A-7 of NUREG 6421.

A. Software quality assurance plan.
B. Software requirements specification.
C. Software design description.
D. Software V&V plan (see section 4.4.10).
E. Software V&V report.
F. User documentation (manuals; see sections 8.3 and 8.4).
G. Software configuration management plan (see section 7.1.6.2).

8.8 SYSTEM DESCRIPTION REQUIREMENTS

A description of the hardware and software used in the test specimen shall be provided as part of the qualification effort. The content should be similar to that of the hardware design description and software (for the TSAP) design description.

8.9 CRITICAL CHARACTERISTICS LISTING REQUIREMENTS

The qualification documentation shall include a definition of the critical characteristics covered by the qualification test specimen and qualification testing.

[93] That is, if each train of the safety system includes dual-redundant PLCs or a triple modular redundant architecture.
8.10 SYSTEM DRAWINGS REQUIREMENTS

As part of the generic qualification, a sufficient set of documents to define the test specimen hardware, software, and configuration shall be produced. The documents shall provide the following information:

A. Functional description of the test specimen.
B. Schematic of the test specimen, including devices used external to the PLC to create inputs and capture outputs.
C. Ladder diagram, and/or other diagrams suitable for the language used, that defines the test specimen application program (TSAP).
D. Drawing that shows test specimen wiring, power distribution, and grounding.
E. Layout drawing of the test specimen chassis, modules, any ancillary devices included for qualification, and any qualification test fixture used to support testing.
F. Documents to describe the test specimen mounting and any mounting fixtures used during qualification. The drawings should include any special installation requirements (e.g. bolting torques).

8.11 SYSTEM SOFTWARE / HARDWARE CONFIGURATION DOCUMENT REQUIREMENTS

The software and hardware configuration used for qualification testing shall be documented. This includes:

A. The identification and revision level of the executive software in the PLC main processor and any coprocessors included in the qualification.
B. The revision level of any firmware used in the tested modules.
C. The identification and revision level of any software tools used in developing the TSAP.
D. The identification and revision level of any downloadable PLC executive packages containing extended software functions that were used in the TSAP.
E. The identification and revision level of the TSAP. A printout of the TSAP shall be included with the configuration documentation.
F. The identification, revision level and serial number of any hardware module shall be documented.

8.12 SYSTEM DATABASE DOCUMENTATION REQUIREMENTS

The database used for qualification testing shall be documented. The database shall include all values used in the TSAP functions, including the range used if they were varied as part of qualification testing. Any changes made to the database values that were made as a consequence of test results shall also be included.

8.13 SYSTEM SETUP / CALIBRATION / CHECKOUT PROCEDURE REQUIREMENTS

All of the setup, calibration, and checkout procedures used to implement the requirements of section 5 as they apply to qualification shall be included in qualification documentation.

8.14 SYSTEM TEST DOCUMENTATION REQUIREMENTS

The qualifier shall provide a test plan and test report covering the system operability tests that are performed as part of initial test specimen acceptance testing and periodically throughout the qualification testing. The items[94] to be covered in the test documentation shall include:

A. Test requirements.
B. Acceptance criteria for all acceptance, operability, and qualification tests. The acceptance criteria are developed from the PLC System Requirements, configuration, and test instrumentation.
C. Sequence of testing.
D. Vehicles for recording the results of tests (e.g. data sheets, recorders).
E. Requirements for test equipment, including a list of required instruments and the performance specification for each instrument. These requirements shall conform to reference 3.5.11.
F. Test Report summarizing results of the test.

[94] Items A through E are included in the test plan.

8.15 MANUFACTURER'S QUALITY DOCUMENTATION REQUIREMENTS

In addition to the software process documentation specified in section 8.7, the manufacturer shall provide its Quality Assurance Plan.

8.16 MANUFACTURER'S CERTIFICATIONS REQUIREMENTS

The manufacturer shall provide certifications of conformance to specifications and requirements for all items used in the test specimen. The manufacturer shall also provide certificates of conformance for all items included in the qualification envelope when the items are purchased for a specific application or for replacement parts.
[Figure: Typical Analog Input Response Characteristics. Plot of the analog input value (vertical axis, approximately 44 to 58) against time (horizontal axis), annotated with "change in input", "setpoint", "scan time plus I/O time", "total response time" and "resulting trip at output". The plot itself did not survive extraction.]
Figure 2: Single Channel Example Availability Model.

[Figure residue: state diagram with the states NO FAILURES, FAILURES DETECTED BY SELF DIAGNOSTICS, FAILURES OBSERVABLE BY PLC BEHAVIOR, and FAILURES OBSERVABLE ONLY BY SURVEILLANCE. Recoverable transition relations: λ_SD = C × λ_T and λ_B = B × λ_T; the remaining rate expressions on the arrows are not recoverable.]

λ_T is the total failure rate.
λ_SD is the failure rate for failures that are detected by self diagnostics.
λ_B is the failure rate for failures that are detected by PLC behavior.
λ_S is the failure rate for failures that are only detected by surveillance.
C is the fraction of the total failures detected by self diagnostics (AKA coverage).
B is the fraction of the total failures detected by PLC behavior.
S is the fraction of the total failures that are detected only by surveillance.
μ_M is the repair rate for maintenance activities after a failure is detected.
μ_SD is the repair rate for failures that are detected by self diagnostics.
μ_B is the repair rate for failures that are detected by PLC behavior.
λ_BD is the detection rate for failures that are detected by PLC behavior.
μ_S is the repair rate for failures that are detected only by surveillance.
λ_SI is the detection rate for failures that are detected only by surveillance. Equal to 1/surveillance interval.
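A worked example of the single-channel model above, added here and not part of the EPRI document or the meeting summary. It builds a continuous-time Markov chain from the rates defined in Figure 2 (one latent state and one repair state per detection path, surveillance detection treated as an exponential event at rate 1/interval exactly as the figure defines it), solves for steady-state unavailability numerically, and checks the result against the closed form that follows from the chain structure. The state layout, the parameter values and the two surveillance intervals compared are constructed assumptions of the example.

```python
"""Steady-state unavailability of one PLC channel from the Figure 2 rates (added example)."""
from dataclasses import dataclass
from typing import Dict, List


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            if f:
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


@dataclass
class SingleChannelModel:
    lam_t: float          # lambda_T: total failure rate (per hour)
    c: float              # C: fraction detected by self diagnostics (coverage)
    b: float              # B: fraction detected by PLC behavior
    mu_sd: float          # mu_SD: repair rate after self-diagnostic detection (per hour)
    mu_b: float           # mu_B: repair rate after detection by PLC behavior
    mu_s: float           # mu_S: repair rate after detection by surveillance
    det_b: float          # lambda_BD: detection rate for behavior-observable failures
    surv_interval: float  # hours; lambda_SI = 1 / surv_interval as in the figure

    @property
    def s(self) -> float:
        return 1.0 - self.c - self.b   # S: fraction detected only by surveillance

    def generator(self) -> List[List[float]]:
        """Assumed CTMC. States: 0 UP, 1 self-diag detected (repair), 2 behavior-observable
        latent, 3 behavior detected (repair), 4 surveillance-only latent, 5 surveillance
        detected (repair). Every failure path returns to UP after repair."""
        q = [[0.0] * 6 for _ in range(6)]
        q[0][1] = self.c * self.lam_t        # lambda_SD = C x lambda_T
        q[0][2] = self.b * self.lam_t        # lambda_B  = B x lambda_T
        q[0][4] = self.s * self.lam_t        # lambda_S  = S x lambda_T
        q[1][0] = self.mu_sd
        q[2][3] = self.det_b
        q[3][0] = self.mu_b
        q[4][5] = 1.0 / self.surv_interval   # lambda_SI
        q[5][0] = self.mu_s
        for i in range(6):
            q[i][i] = -sum(q[i])
        return q

    def unavailability_numeric(self) -> float:
        """Solve pi Q = 0 with sum(pi) = 1; unavailability is 1 - pi[UP]."""
        q = self.generator()
        n = len(q)
        a = [[q[j][i] for j in range(n)] for i in range(n)]   # Q transposed
        a[n - 1] = [1.0] * n                                   # normalisation row
        pi = solve_linear(a, [0.0] * (n - 1) + [1.0])
        return 1.0 - pi[0]

    def unavailability_closed_form(self) -> float:
        """Each path is a chain of exponential stages back to UP, so
        U = sum(lambda_i * MDT_i) / (1 + sum(lambda_i * MDT_i)), with MDT_i the mean
        latent-plus-repair time of path i (surveillance latency = interval, per the figure)."""
        lam_sd, lam_b, lam_s = self.c * self.lam_t, self.b * self.lam_t, self.s * self.lam_t
        x = (lam_sd / self.mu_sd
             + lam_b * (1.0 / self.det_b + 1.0 / self.mu_b)
             + lam_s * (self.surv_interval + 1.0 / self.mu_s))
        return x / (1.0 + x)


def example() -> Dict[str, float]:
    """Constructed parameters: 1e-5/h total failure rate, 90 % coverage, 5 % behavior-detected,
    8 h repairs, 1/h behavior detection; compare monthly and quarterly surveillance."""
    base = dict(lam_t=1e-5, c=0.90, b=0.05, mu_sd=1 / 8, mu_b=1 / 8, mu_s=1 / 8, det_b=1.0)
    monthly = SingleChannelModel(surv_interval=730.0, **base)
    quarterly = SingleChannelModel(surv_interval=2190.0, **base)
    return {"monthly": monthly.unavailability_numeric(),
            "quarterly": quarterly.unavailability_numeric()}


if __name__ == "__main__":
    for name, u in example().items():
        print(f"{name:10s} surveillance: unavailability = {u:.3e}")
```

With these constructed numbers the surveillance-only path, although it carries just 5 % of the failures, contributes about 83 % of the unavailability at a 730 h interval and more at 2190 h: the quantity the model is sensitive to is the undetected fraction S times the surveillance interval, which is why coverage C is the figure of merit the availability model is built around.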
Figure 3: Example Availability Model for PLCs With Redundancy.

[Figure residue: state diagram. Recoverable states: all channels operable; one channel failed and detected by self diagnostics; one channel failed and not detected by self diagnostics; PLC failure detected on-line; PLC failure detected by surveillance test. Recoverable transition relations: λ_1D = C_1 × λ, λ_1N = (1 - C_1) × λ, λ_RD = (n - 1) × λ, λ_2D = C_2 × (n - 1) × λ, and λ_2N = (1 - C_2) × (n - 1) × λ.]

The model assumes the level of redundancy is equal in all redundant portions and that a triple redundant system is 3-2-0.

λ is the total failure rate of all devices in one of the redundant channels.
n is the number of channels.
C_1 is the fraction of failures that are detected by self diagnostics when all channels are operable.
λ_1D is the failure rate for failures that are detected by self diagnostics when all channels are operable.
λ_1N is the failure rate for failures that are not detected by self diagnostics when all channels are operable.
μ_M is the repair rate for maintenance activities after a failure is detected.
μ_D is the repair rate for failures that are detected by self diagnostics.
λ_ST is the detection rate for failures that are not detected by self diagnostics. Equal to 1/surveillance interval.
μ_U is the repair rate for failures that are not detected by self diagnostics.
λ_RD is the failure rate for the remaining channels given one channel has a detected failure.
C_2 is the fraction of failures detected by self diagnostics given an undetected failure in a redundant channel.
λ_2D is the failure rate for failures detected by self diagnostics given an undetected failure in a redundant channel.
λ_2N is the failure rate for failures not detected by self diagnostics given an undetected failure in a redundant channel.
λ_NR is the failure rate for non-redundant portions.
C_3 is the fraction of failures detected by self diagnostics for non-redundant portions.
λ_NRD is the failure rate for failures detected by self diagnostics for non-redundant portions.
λ_NRN is the failure rate for failures not detected by self diagnostics for non-redundant portions.
μ_SYSD is the repair rate for system failures that are detected by self diagnostics.
μ_SYSN is the repair rate for system failures that are not detected by self diagnostics.
[Figure residue: environmental test profile. Recoverable labels: AMBIENT; 140 °F, 90% Relative Humidity, 48 Hours Minimum; Operability Check, 4 Hours Minimum (twice); transition marked Note 3; 40 °F, 5% RH, 8 Hours Minimum, Operability Check, marked Note 1; Note 2 applies to the operability checks. Time axis values are not recoverable.]

NOTES:

1. If the specified relative humidity cannot be achieved for the specified temperature, then run the test for the specified time at the lowest relative humidity that can be achieved at the specified temperature, followed by running the test at the lowest temperature at which the specified relative humidity can be achieved.

2. Perform operability tests as indicated. The tests are to be performed after the specified time but at the specified conditions.

3. For this transition, first reduce the relative humidity, then reduce the temperature. This is required to maintain a non-condensing atmosphere.

[Plot residue: damping versus frequency (Hz) plot, horizontal and vertical; axis tick values are not recoverable.]
J. Gallagher, November 20, 1996

Proposed resolution of two still open NRC comments.

[Proposed resolution of T-039-JG]

4.4.1.3 Program Flow Requirements

Add to first sentence "that is, a continuous essentially non-interruptible software structure is preferred" and change note to read "This requirement is included to achieve a deterministic cycle behavior and to prevent loss of data ---- (to end of note)".

Delete 2nd para. and replace with: "The application of interrupts beyond those related to terminating the application program execution because of fault detection actions shall be restricted, especially where such interrupts result in non-deterministic application program execution. In the unusual case where such interrupts are used the executive system must contain the following features and, in addition, there shall be a plan for performing verification of the proper execution of the application programs for all states of the program control flow that can exist because of the interrupts: A--E"

[Proposed resolution of comment raised at meeting on 7.1.5]

7.1.5 Requirements for Compensatory -----

Replace A with "Evaluating and analyzing the documented operating experience of the product revisions involving the legacy software elements in applications similar to those for nuclear safety I&C, provided these revisions were then and still are under configuration control, and ---"

[Note: This is section 7.1.6 in Revision D]
From: John Gallagher
To: internet:heinc.com:wsotos
Date: 11/25/96 4:39pm
Subject: Section 4.2.1.A. Response Time

Bill:

Jim Stewart and I discussed this section today and recommend that the verification test for the response time of the generic PLC platform consider the following procedure. Three test inputs as follows should be considered:

A. A step from -5% to +5% of the setpoint; commonly used for surveillance testing in the field.
B. The slow ramp proposed at the meeting last week by Al Ostenso.
C. The fast ramp more representative of accident conditions that was proposed by Jim Stewart.

The recommended test procedure is: Run the test for both case A and B. If the time response for case B is greater than the time response for case A and is within the specified time, then the slow ramp provides an acceptable result; however, if the time response for case A is greater than the time response for case B, this can be the indication of a negative phase behavior in the PLC equipment and the fast ramp should be used to determine if the time response is within the acceptable limit.

John Gallagher

CC: JLM2, JSW1, JCS1, DWS, TWD2, TWPO, TWJ, JHW1
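An added example, not part of Mr. Gallagher's message or the EPRI document, that implements the three-input procedure above against a simple model of an analog trip channel: the input passes through a first-order lag, is sampled once per scan, and the trip output appears one I/O delay after the scan whose filtered value reaches the setpoint (the "scan time plus I/O time" of the response-time figure). The setpoint, scan time, I/O delay, filter time constant, ramp rates and acceptance limit are constructed values, and the sampled first-order-lag model of the platform is an assumption of the example, not a description of any qualified product.

```python
"""Three-input response-time verification procedure on an assumed PLC channel model (added example)."""
import math
from typing import Callable, Dict

Signal = Callable[[float], float]   # analog input (engineering units) as a function of time in s

SETPOINT = 50.0   # constructed value; -5 % / +5 % of the setpoint is 47.5 / 52.5


def step_input(setpoint: float = SETPOINT) -> Signal:
    """Case A: step from -5 % to +5 % of the setpoint at t = 0 (the field surveillance input)."""
    return lambda t: setpoint * (1.05 if t >= 0.0 else 0.95)


def ramp_input(rate: float, setpoint: float = SETPOINT) -> Signal:
    """Cases B and C: ramp starting at -5 % of the setpoint at t = 0, rising at `rate` units/s."""
    return lambda t: 0.95 * setpoint + (rate * t if t >= 0.0 else 0.0)


def first_crossing(signal: Signal, setpoint: float, t_end: float = 30.0, dt: float = 1e-4) -> float:
    """Time at which the raw input first reaches the setpoint; the response interval starts here."""
    for i in range(int(t_end / dt) + 1):
        t = i * dt
        if signal(t) >= setpoint:
            return t
    raise ValueError("input never reaches the setpoint")


def trip_time(signal: Signal, setpoint: float, scan_time: float, io_time: float, tau: float,
              t_end: float = 30.0) -> float:
    """Assumed platform model: first-order input lag (time constant tau) sampled once per scan;
    the trip output changes io_time after the scan whose filtered value first reaches the
    setpoint. Returns the absolute time of the output trip."""
    alpha = 1.0 - math.exp(-scan_time / tau)   # exact zero-order-hold update of a first-order lag
    y = signal(-1.0)                              # filter starts settled at the pre-transient value
    k = 0
    while k * scan_time <= t_end:
        t = k * scan_time
        y += (signal(t) - y) * alpha
        if y >= setpoint:
            return t + io_time
        k += 1
    raise ValueError("no trip within t_end")


def response_time(signal: Signal, setpoint: float, scan_time: float, io_time: float, tau: float) -> float:
    """Measured quantity of the test: output trip time minus the time the input passed the setpoint."""
    return trip_time(signal, setpoint, scan_time, io_time, tau) - first_crossing(signal, setpoint)


def evaluate_response_time(t_a: float, t_b: float, t_limit: float,
                           fast_ramp_time: Callable[[], float]) -> Dict[str, object]:
    """Decision rule of the procedure. Case C is passed as a callable so the fast ramp is only
    run when the rule calls for it. A tie (t_a == t_b) is treated like t_a > t_b (assumption;
    the message does not address ties)."""
    if t_b > t_a:
        # Slow ramp is slower than the step: judge the slow-ramp result against the limit.
        return {"basis": "slow ramp", "time": t_b, "acceptable": t_b <= t_limit,
                "negative_phase_suspected": False}
    # Step slower than the slow ramp: possible negative phase behavior, so use the fast ramp.
    t_c = fast_ramp_time()
    return {"basis": "fast ramp", "time": t_c, "acceptable": t_c <= t_limit,
            "negative_phase_suspected": True}


def run_procedure(scan_time: float = 0.05, io_time: float = 0.02, tau: float = 0.5,
                  t_limit: float = 1.0, slow_rate: float = 0.5, fast_rate: float = 10.0):
    """Run cases A and B on the assumed platform, then apply the rule (constructed parameters)."""
    kw = dict(setpoint=SETPOINT, scan_time=scan_time, io_time=io_time, tau=tau)
    t_a = response_time(step_input(), **kw)
    t_b = response_time(ramp_input(slow_rate), **kw)
    verdict = evaluate_response_time(t_a, t_b, t_limit,
                                     lambda: response_time(ramp_input(fast_rate), **kw))
    return t_a, t_b, verdict


if __name__ == "__main__":
    a, b, v = run_procedure()
    print(f"case A (step)      response time = {a:.3f} s")
    print(f"case B (slow ramp) response time = {b:.3f} s")
    print(v)
```

On this lag-only model the slow ramp is always the slower case (the filter lags a slow ramp by roughly its full time constant, but crosses the midpoint of a step in about 0.69 time constants), so the rule settles on the slow-ramp result; the fast-ramp branch is reached only when a platform shows the step responding slower than the ramp, which is the behavior the message flags.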
- }}