ML20137B272

From kanterella
Summary of 970225 Meeting W/Westinghouse in Rockville,Md Re Qualification of Ovation Distributed Control & Info System. List of Attendees & non-proprietary Presentation Matl Provided at Meeting Encl
Person / Time
Issue date: 03/19/1997
From: Craig C
NRC (Affiliation Not Assigned)
To: Matthews D
NRC (Affiliation Not Assigned)
References
NUDOCS 9703210253
Download: ML20137B272 (68)


Text

{{#Wiki_filter:UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

March 19, 1997

MEMORANDUM TO: David B. Matthews, Chief
Generic Issues and Environmental Projects Branch
Division of Reactor Program Management
Office of Nuclear Reactor Regulation

FROM: Claudia M. Craig, Senior Project Manager
Generic Issues and Environmental Projects Branch
Division of Reactor Program Management
Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF MEETING WITH WESTINGHOUSE TO DISCUSS THE QUALIFICATION OF THE OVATION DISTRIBUTED CONTROL AND INFORMATION SYSTEM

The subject meeting was held at the Nuclear Regulatory Commission (NRC) offices in Rockville, Maryland on February 25, 1997, between representatives of Westinghouse, utilities, and the NRC staff. The purpose of the meeting was for Westinghouse to provide the staff with an equipment overview and proposed licensing approach for the qualification of the Westinghouse Ovation Distributed Control and Information System. Attachment 1 is a list of meeting participants. Attachment 2 is the non-proprietary presentation material provided at the meeting.

The meeting started with discussion on why the utilities believe a dedicated commercial grade system is needed for upgrades to safety-related instrumentation and control systems. The utilities indicated their goal is to standardize on one system which can be used for both safety-related and non-safety applications. The intent is that Westinghouse will submit a topical report on the Ovation system, and obtain NRC approval of the design concepts used. In the future, utilities can utilize the approved topical report to expedite approval of plant-specific modifications using the Ovation system in various applications.

Westinghouse provided the staff with an overview of the Ovation Distributed Control and Information System. The overview included discussions on the input/output subsystem, the controller, power supplies, software tools, and differences between the older Eagle 21 and the new Ovation systems. Westinghouse discussed the quality requirements of the Ovation system, and how they planned to meet and demonstrate those requirements. Westinghouse also listed those standards they expected the Ovation system to satisfy. Westinghouse provided the staff with their licensing approach to submittal of a topical report, and what areas would be addressed in the report.

Westinghouse proposed a series of meetings with the staff during the

9703210253 970319
PDR TOPRP EMVWEST
C PDR

D. Matthews                                                    March 19, 1997

development of the topical report, both to keep the staff informed of the progress of development of the Ovation system and to get staff input on design areas important to the staff. The first of these meetings is scheduled for May 12, 1997.

Attachments: As stated

cc w/atts: See next page

DISTRIBUTION: See attached page

DOCUMENT NAME: 2_25_97.MIN

To receive a copy of this document, indicate in the box: "C" = Copy without attachment/enclosure, "E" = Copy with attachment/enclosure, "N" = No copy

OFFICE: PGEB | SC:PGEB | BC:HICB | C:PCD
NAME: CCraig | RArchitzel | JWermiel | DMatthews
DATE: 3/7]/97 | 3/l93/97 | 3//f(/97 | 3/(/ /97

OFFICIAL RECORD COPY

DISTRIBUTION w/ attachments: Summary of February 25, 1997, with Westinghouse dated March 14, 1997
Central File
PUBLIC
PGEB R/F
RArchitzel
CCraig
E-Mail:
SCollins/FMiraglia
RZimmerman
AThadani
TMartin
DMatthews
BBoger
JWermiel
JStewart
JMauck
LCampbell
PLoeser
JGallagher

WESTINGHOUSE / NRC MEETING
QUALIFICATION OF THE DISTRIBUTED CONTROL AND INFORMATION SYSTEM
FEBRUARY 25, 1997

MEETING PARTICIPANTS

NAME                    ORGANIZATION
Claudia Craig           NRC/NRR/PGEB
Joel E. Hasenkopf       Westinghouse/PCD
Jerry L. Mauck          NRC/NRR/HICB
John M. Gallagher       NRC/NRR/HICB
Jim Stewart             NRC/NRR/HICB
Bill Ghrist             Westinghouse PCD
Larry L. Campbell       NRC/NRR/DRCH
Paul J. Loeser          NRC/NRR/HICB
Larry Erin              Westinghouse Electric
Jay Amin                TU Electric
G.C. Sundberg           NSP/Prairie Island
Bob Sterdis             Westinghouse I&C
Karl Evans              Union Electric/Callaway Plant
Brian Beley             Westinghouse Energy Systems
Dillit Gulati           Com Ed Corporate-Nuclear Eng.
Jared Wermiel           NRC/NRR/HICB

ATTACHMENT 1

STANDARDIZATION OF INSTRUMENTATION, CONTROLS & INFORMATION SYSTEMS FOR NUCLEAR POWER PLANTS
SAFETY RELATED / NON-SAFETY RELATED

Janardan (Jay) Amin, TU Electric
Presentation to NRC - NRR
February 25, 1997, Rockville, MD

J.G. Amin, TUE                                                  Page 1

DRIVING FACTORS:
• Competition from deregulation
• Cost competitiveness among/between nuclear and fossil power generation
• External pressure to improve plant safety, performance & availability while reducing cost
• Rising maintenance costs due to obsolescence
  - Parts difficult to maintain/obtain
  - Software support difficult to maintain/obtain
• High inventory cost of storing multiple types of replacement parts
• High cost of maintaining multiple types of digital systems
• Need for automation to reduce O&M costs
• High cost of Digital Upgrades including licensing uncertainty

VISION: To standardize Safety Related & Non Safety Related Instrumentation, Controls, & Information Systems currently installed in nuclear power plants by orderly migration (based on system health status) over a period of 5-20 years to a single platform based digital technological alternative that will enable the utilities to operate their plants cost-effectively through the end of operating license.

BENEFITS:
• Standard Control Room Man Machine Interface
• Fault Tolerant Architecture
• Fault Tolerant Networking
• Improved plant availability & performance
• Reduced O&M costs
  - operations
  - maintenance
  - training
  - parts inventory
• Over a period of time, elimination of multi-vendor, multi-technology based systems, site
• Paperless design control / configuration control
• Simplicity with respect to Operations, Maintenance & modification
• Improved on-line performance monitoring
  - Maintenance Rule
  - Component Life Extension
• Standardized Licensing Process

GENERIC REQUIREMENTS:
The following attributes need to be addressed as a minimum from a utility perspective:
A. System Requirements
  - hardware
  - software
B. Performance Requirements
C. Networking Requirements
D. User Community Requirements
  - Operations
  - Maintenance
  - System Engineering
  - Design Engineering
E. Qualification Requirements
  - Seismic
  - Environmental
  - Verification & Validation
  - EMI/RFI
F. System Life Cycle Maintenance Plan
G. Design Control / Configuration Control

UTILITY EXPECTATIONS OF VENDORS:
• Safety Benefit of Standardized System
  - Objective Data
• System Description
• Quality Assurance Program
  - System
  - Software
• Part 21 Reportability
• Standard Review Plan
  - Compliance with NRC endorsed IEEE Standards
  - Adherence
• Generic issues with Digital Systems
  - Common Mode Software Failures
  - Diversity
• Design Control
• Configuration Control
• System Qualification & Maintenance
  - Over life cycle

POTENTIAL VENDORS:
- Combustion Engineering
- Siemens
- Westinghouse
Long Term Partnering with vendors is an important consideration to reduce cost.

CONCLUSION: Based on the above facts, there is a need to develop a plan for standardization of Instrumentation, Controls & Information Systems at Nuclear Power Plants, taking into consideration utility industry deregulation & competition, including migrating the nuclear utilities to a current-day technology.

PROPOSED ACTION PLAN:
• Propose a joint Westinghouse / utility workshop to develop a list of generic requirements that Nuclear Power Utilities want in a single platform based Standardized Instrumentation, Controls and Information System
• Publish a Report on "Generic Requirements" for Single Platform based Standardized Instrumentation, Controls and Information Systems
• Publish a Report on generic "Cost Benefit Analysis" based on single platform systems utilized in other industries
  NOTE: Majority of the guidance is available from existing documents
• Request NRC participation in this generic effort
• Obtain NRC approval via SER for
  - Standardized Distributed Instrumentation, and Information Control System
  - Generic Process for Life Cycle Management

J.G. Amin, TUE                                                  Page 9

NRC, Westinghouse and Utility Meeting on the Qualification of the Ovation Distributed Control and Information System
February 25, 1997

1623H pptW3NRC

Agenda
1.0 Introduction
2.0 Purpose of the Meeting
3.0 Overview of the Distributed Control and Information System
4.0 Licensing Approach for Qualification of the Distributed Control and Information System
5.0 Schedule for Submittals
6.0 Schedule for NRC Staff Review
7.0 Meeting Summary

Purpose of the Meeting: Present an Equipment Overview and Proposed Licensing Approach for the Qualification of the Westinghouse Ovation Distributed Control and Information System to the NRC Staff.

OVATION - Process Control & Information Technology from Westinghouse
Overview


External Design Principles
• Availability of the plant process
• Adaptable / Flexible to many applications
• Compatible / Migratable with WDPF II
• Open - easily integrates with other products
• Inexpensive to install, operate & maintain
• Fast & Easy to configure / engineer system
• Fast & Easy to service & repair
• Secure control of access and configuration
• Safe to personnel & the environment
• Easy to upgrade

OVATION - Process Control & Information Technology from Westinghouse
Network

Our "Open" Network is FDDI
• FDDI (ANSI X3T12)
• Single or Redundant
• 100 MBaud
• Fiber, Copper, or Both
• 200,000 (1 sec) points
• Sync and Async Transmission
• 200 km Max Length
• Collapsed Backbone
• Reliable
• Environmentally Sound
• Robust
• Fault Tolerant
• High Bandwidth Utilization
• "Ultimate" Connectivity

FDDI Fault Tolerance: Wrapping
• Dual Attachment Station (DAS)
[Diagram: a ring of DAS nodes; when a link between two stations fails, the DAS ports on either side of the fault wrap, giving a "Wrapped Ring" with the "Fault isolated"]
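The wrapping behaviour sketched on this slide, as an added example (Python; not code from the presentation or from Westinghouse): a model of a dual ring of Dual Attachment Stations that shows how a single link fault wraps into one ring with every station still reachable, how a second fault cuts the ring into segments, and how a station between two adjacent faults ends up isolated. The station names, the "port A faces upstream, port B faces downstream" convention and the fault lists are assumptions made for the illustration, not properties of any product.

```python
# Added example, not code from the Westinghouse presentation: a small model of
# FDDI dual-ring fault tolerance by "wrapping" at Dual Attachment Stations.
# Station names and failed-link lists are constructed for the illustration.


def ring_links(stations):
    """Links of the ring in order: (s[i], s[i+1]), closing back to s[0]."""
    n = len(stations)
    return [(stations[i], stations[(i + 1) % n]) for i in range(n)]


def wrapped_segments(stations, failed_links):
    """Groups of stations that still share a ring after the DAS ports wrap.

    One fault: the two stations next to it wrap primary onto secondary and
    every station stays reachable (one segment). Two faults: the ring is cut
    into two segments; a station between two adjacent faults is on its own.
    """
    if len(stations) < 3:
        raise ValueError("a ring needs at least three stations")
    failed = {frozenset(link) for link in failed_links}
    links = ring_links(stations)
    n = len(stations)
    start = next((i for i, link in enumerate(links) if frozenset(link) in failed), None)
    if start is None:                      # no fault on any ring link
        return [list(stations)]
    segments, current = [], []
    for k in range(1, n + 1):              # walk once round, starting past the first fault
        idx = (start + k) % n
        current.append(stations[idx])
        if frozenset(links[idx]) in failed:  # the link leaving this station is down
            segments.append(current)
            current = []
    return segments


def port_states(stations, failed_links):
    """Per-station port state: 'thru', 'wrap_A', 'wrap_B' or 'isolated'.

    Model convention (an assumption of this example): port A faces the
    upstream neighbour, port B the downstream neighbour.
    """
    failed = {frozenset(link) for link in failed_links}
    n = len(stations)
    names = {(True, True): "thru", (False, True): "wrap_A",
             (True, False): "wrap_B", (False, False): "isolated"}
    states = {}
    for i, s in enumerate(stations):
        a_ok = frozenset((stations[i - 1], s)) not in failed
        b_ok = frozenset((s, stations[(i + 1) % n])) not in failed
        states[s] = names[(a_ok, b_ok)]
    return states


def ring_status(stations, failed_links):
    """'intact' (no faults), 'wrapped' (all stations still reachable) or 'segmented'."""
    segments = wrapped_segments(stations, failed_links)
    if not failed_links:
        return "intact"
    return "wrapped" if len(segments) == 1 else "segmented"


# Constructed sample: three controller drops and two WEStation drops on one ring.
STATIONS = ["CTRL-1", "CTRL-2", "WES-1", "WES-2", "CTRL-3"]

if __name__ == "__main__":
    for faults in ([], [("CTRL-1", "CTRL-2")],
                   [("CTRL-1", "CTRL-2"), ("WES-1", "WES-2")]):
        print(faults, ring_status(STATIONS, faults), wrapped_segments(STATIONS, faults))
```

The useful operational signal is the transition from "wrapped" to "segmented": a wrapped ring still serves every drop, so the first fault is easy to miss, yet it has already spent the redundancy the slide advertises; monitoring the per-port states lets the first fault be repaired before a second one partitions the controllers from the operator stations.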

OVATION - Process Control & Information Technology from Westinghouse
I/O Subsystem

I/O Subsystem - Overview
• 3 Modular Components
  - Electronics Module (EMOD)
  - Personality Module (PMOD)
  - I/O Base / Termination Unit
• 2 I/O Modules Per I/O Base
• No User Addressing of I/O Modules
• Hot Swap of I/O Modules
• No Special Handling Required
• No Tools Required for Maintenance
• Any Module in any slot
• No Configuration Jumpers
• Industrial components (85 degrees C)
• Power Consumption drastically reduced

I/O Subsystem - Overview (cont'd)
• Single Point Fastening to DIN Rail
• Automatic Interconnection of I/O Bases
• Module Power supplied via Bus (3A @ 24 VDC)
• Auxiliary Power supplied via Bus (5A @ 150 VAC/DC)
• Color Keying between I/O Module and Personality Module
• Signal Conditioning and Fusing through Personality Module
• Latching integrated into Module and Base Housing
• Test Points built into Terminal Block
• Terminal blocks handle single 12 AWG or two 14 AWG
• Built-in Spare Fuse Holders
• Built-in Strip Length Gauge

I/O Subsystem - Status Indicators
• Standardized Status Indicators on each Module
  - Red Indicates Abnormal Condition
  - Green Indicates Status or Normal Condition
• Power (Green)
• Communication (Green)
• External Error (Red)
• Internal Error (Red)
• Channel Status Indicators
  - Digitals - Green = ON
  - Analog - Red = Channel Error

I/O Subsystem - Electronic Identification
• Electronic ID of I/O Modules and I/O Interface
  - Stored in I/O Module Flash memory:
    Module Type Index
    Group Index
    Serial Number
    Revision Level
    Module + Internal Boards
    Firmware
    Artwork levels of Internal Boards
  - Used by Controller to ensure proper configuration
  - Can be queried on-line for QA and Site Inventory

I/O Subsystem - Local I/O
• Local Configuration
  - Up to 128 I/O Modules per Controller
  - Up to 2 I/O Interfaces per Controller
  - 8 I/O branches per I/O Interface
  - 8 Modules per branch
• Increased Reliability
  - Serial Communication to each branch
  - Fewer components on bus
• Increased Fault Tolerance
  - Limited to one branch (8 Modules)
[Figure: I/O modules, front and rear views]

I/O Modules
• 16 Channel Digital Input
• 16 Channel Contact Input
• 16 Channel Digital Output
• 4 Channel Analog Output
• 8 Channel Analog Input (7 ranges)
• 4 Channel 3 and 4 wire RTD Input
• 2 Channel Pulse Accumulator / Counter
• 16 Channel Sequence of Events
• Single Loop Interface with SLIM Datalink Controller
• On-going development of new modules

OVATION - Process Control & Information Technology from Westinghouse
Controller

Controller Block Diagram
[Diagram: Redundant Controller Chassis. Each of the two controllers has a CPU Card with an IDE Flash Disk Interface and an FDDI/CDDI interface on a PCI Bus, and an I/O Interface card (PCRL) joined to its partner by a Redundancy Datalink; each PCRL drives its I/O Branches, with further branches marked "To Other I/O Branch"]

Controller I/O Interface
• Flexible I/O Interface on Std. PCI Bus
  - PCQL: Local Q-Line interface card
  - PCRL: W3 Local I/O interface card
  - PCRR: W3 Remote I/O interface card
  - Fieldbus and 3rd party I/O cards
• I/O Interface Capacity
  - 2 I/O cards per controller
  - 8 branches of I/O per PCRL card
  - 8 modules per I/O branch
  - Maximum of 128 I/O modules per controller
  - Remote I/O maximums are higher

Controller Capabilities
• Point Capacities
  - 4000 originated points maximum
  - 1024 direct-wired analog points max.
  - 2048 direct-wired digital points max.
  - 1024 direct-wired SOE points max.
• Performance
  - 120 MHz Pentium processor
  - 1.5 to 2 times the performance of old DPU
  - Serial & Parallel I/O scanning options
  - More than double memory space for control (660 KB)
  - 5 control areas, each with selectable speeds (17 mS - 30 S)
  - Ladder logic solving of 1000 ladders / 100 mS
  - SAMA digital logic performance equivalent to ladders

Controller Fault Tolerance
• Redundancy of all cards
• Redundant powering
• I/O bus failure isolation
• Watchdog functions
• Auto-restart function
• Bumpless failover (tracking algos)
• No active components on the backplane

OVATION - Process Control & Information Technology from Westinghouse
WEStation

WEStation
• RISC workstation
• Real-time UNIX operating system
• X-compliant windowing
• Process highway interface (FDDI)
• Plant LAN interface (Ethernet, FDDI, ATM, etc.)
• Operator station
• Logger
• Historian
• Engineer station
• Gateway

OVATION - Process Control & Information Technology from Westinghouse
Packaging and Power Supplies

Local Cabinet Arrangement
• 2 Power Supplies
• 2 Controllers
• 16 I/O Bases
• 32 I/O Modules
• 32 Personality Modules
• 1 Transition Panel
[Figure: cabinet with dimensions 23.5", 20" and 78" marked; Personality Module, I/O Module and Field Terminations called out; I/O modules shown front and rear]

Simplified Powering Scheme
• Single power source to each 24 volt power supply
• 24 Volt power supplies feed both Controllers
• AUX 24 Volt power fed to Controller and I/O
• PCPS supplies 5 VDC and +/-12 VDC to controller
• Auxiliary Power through controller to I/O branches
• Different Auxiliary voltages to a branch granularity
• Simple harness for I/O power
• Simple to build
• Simple to apply
[Figure: Primary Power and AUX power distribution to controllers and I/O]

OVATION - Process Control & Information Technology from Westinghouse
Power Tools

PowerTools Guiding Principles
- Easy to configure system and applications
- Secure control of system access and configuration
- Integration of plant and business data

PowerTools Approach
- Set of engineering tools integrated around central database
- Implement with full featured 3rd party database (Oracle)
- Error and consistency checking on all database interactions
- Integrate existing Control Builder & Graphics Builder tools
- Comprehensive security and configuration control system
- ODBC/SQL access for plant integration
- Multiple platform support (Solaris / Windows)

PowerTools Architecture
[Diagram: USER side: Control Builder, Point Builder, Configuration Builder and Graphics Builder around the Plant I/O Database Builder, with IMPORT/EXPORT to the Plant I/O Database and Integrity Checking; SYSTEM side: Compiled Database Server and WEStation Software; the FDDI Highway connects CONTROLLER DROP, CONTROLLER DROP and WESTATION DROP, each holding a Distributed Database]


Migration Strategy
• Maintain verified, proven Eagle software
• Get as close to standard Ovation platform as practical
• Provide application development tools similar to Ovation

Performance Requirements
• Deterministic Operation
  - Continuous (periodic) processing approach for
    I/O scanning
    Applications
    Communications
  - Support system time budget
    Processor
    Communications
    I/O
• Accuracy
  - Better than analog
  - Self calibration
  - Low drift
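One way to make the "system time budget" concrete, as an added example that is not from the presentation and not Ovation's scheduler: a schedulability check for periodic control areas whose per-cycle cost is split into processor, communications and I/O time. The check assigns priorities by the rate-monotonic rule (shorter period first) and computes each area's worst-case response time with the standard response-time recurrence; the priority rule, the recurrence, and every area, period and cost below are assumptions of the example (the 17 ms period is the fastest control-area speed quoted on the controller slide).

```python
# Added example, not Ovation code: a time-budget check for periodic control
# areas. Each area has a scan period and a per-cycle cost made of processor,
# communications and I/O time. Priorities follow the rate-monotonic rule and
# worst-case response times come from the response-time recurrence
# R = C + sum(ceil(R / T_h) * C_h) over higher-priority areas. All areas,
# periods and costs are constructed for the illustration.
import math


def total_cost(area):
    """Per-cycle demand of one area in ms: processor + communications + I/O."""
    return area["cpu_ms"] + area["comm_ms"] + area["io_ms"]


def utilization(areas):
    """Fraction of the processor consumed by all areas together."""
    return sum(total_cost(a) / a["period_ms"] for a in areas)


def response_times(areas):
    """Worst-case response time per area; None if the area can miss its period."""
    ordered = sorted(areas, key=lambda a: a["period_ms"])   # rate-monotonic order
    result = {}
    for i, area in enumerate(ordered):
        cost, period = total_cost(area), area["period_ms"]
        higher = ordered[:i]
        r = cost
        while True:
            interference = sum(math.ceil(r / h["period_ms"]) * total_cost(h) for h in higher)
            r_next = cost + interference
            if r_next > period:          # deadline (= period) cannot be guaranteed
                result[area["name"]] = None
                break
            if r_next == r:              # fixed point reached
                result[area["name"]] = r
                break
            r = r_next
    return result


def budget_ok(areas):
    """True when every area is guaranteed to finish inside its period."""
    return all(rt is not None for rt in response_times(areas).values())


# Constructed sample: three of the five selectable control areas.
AREAS = [
    {"name": "fast", "period_ms": 17, "cpu_ms": 3, "comm_ms": 1, "io_ms": 1},
    {"name": "medium", "period_ms": 100, "cpu_ms": 20, "comm_ms": 5, "io_ms": 5},
    {"name": "slow", "period_ms": 1000, "cpu_ms": 150, "comm_ms": 30, "io_ms": 20},
]

if __name__ == "__main__":
    print("utilization %.3f" % utilization(AREAS))
    print(response_times(AREAS), "budget ok:", budget_ok(AREAS))
```

The point of computing response times rather than only utilization is that the slow area's worst case (500 ms here) is far above its own 200 ms cost because every faster area pre-empts it repeatedly; a budget that only adds up percentages hides that, and a raised cost in the slow area (for instance 800 ms) is reported as unschedulable even though the sum of utilizations is still under 1.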

Hardware Requirements
• Qualify to 1E requirements
• Commercial product will be CE Mark certified
• Incorporate provisions for testing
• Incorporate provisions for output redundancy
  - Some are standard in commercial product
• System redundancy configurations typically are different for safety vs. commercial applications
• Support migration of Eagle software
  - Architecture for separate application processor to support non-multi-tasking application processing.



Human-Machine Interface Requirements
• Non-safety interface functions implemented via gateway to plant information system
  - Diagnostics
  - Alarming
  - Logging / Historical retrieval
  - Monitoring
• Safety critical HMI may include
  - Hard-wired (including point-to-point serial) controls
  - Multiplexed hard controls
  - Multiplexed soft controls
• 1E qualified graphics display for SIDS and soft controls

Testability
• Built-in, continuous diagnostics to support fail-safe design principles
  - Process I/O -- field circuits and I/O conversion
  - Communications
  - Memory (data and code)
  - CPU, math processing
  - Addressing
  - Timing
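An added example (not Ovation code) of the memory, CPU and timing items in the list above run as a per-scan self-test with a fail-safe outcome: code memory is checked by CRC against the value recorded at load time, data memory by fixed-pattern write and read-back over a scratch region, the CPU by known-answer arithmetic, and timing against the period budget. Any failed check returns a trip instead of a silent continue. The code image, the RAM model with its optional stuck-at bit, the patterns and the 17 ms budget (the fastest control-area period on the controller slide) are constructed for the example.

```python
# Added example, not Ovation code: a model of continuous built-in diagnostics
# run every scan, with a fail-safe result. The code image, RAM model, stuck-bit
# fault and time budget are constructed for the illustration.
import zlib

CODE_IMAGE = bytes(range(256)) * 4            # constructed stand-in for the code region
REFERENCE_CRC = zlib.crc32(CODE_IMAGE)        # recorded when the image was loaded


def make_ram(size, stuck_addr=None, stuck_mask=0):
    """Return (read, write, size) for a RAM model; optional stuck-at-1 bits at one address."""
    cells = bytearray(size)

    def write(addr, value):
        cells[addr] = (value | stuck_mask) if addr == stuck_addr else value

    def read(addr):
        return cells[addr]

    return read, write, size


def check_code_memory(image, reference_crc):
    """Code memory: CRC of the running image must equal the value recorded at load."""
    return zlib.crc32(image) == reference_crc


def check_ram(ram):
    """Data memory: write/read-back of fixed patterns over the scratch region, then restore."""
    read, write, size = ram
    saved = [read(addr) for addr in range(size)]
    try:
        for pattern in (0x00, 0xFF, 0x55, 0xAA):
            for addr in range(size):
                write(addr, pattern)
            if any(read(addr) != pattern for addr in range(size)):
                return False
    finally:                                  # always put the scratch contents back
        for addr, value in enumerate(saved):
            write(addr, value)
    return True


def check_cpu():
    """CPU / math: integer and floating-point results against known answers."""
    return (7 * 9 == 63 and (1 << 31) + (1 << 31) == 1 << 32
            and abs(0.1 + 0.2 - 0.3) < 1e-9 and 10 // 3 == 3 and 10 % 3 == 1)


def check_timing(cycle_ms, budget_ms):
    """Timing: the scan must complete inside its period budget."""
    return 0 < cycle_ms <= budget_ms


def run_diagnostics(image, ram, cycle_ms, budget_ms, reference_crc=REFERENCE_CRC):
    """Return ('RUN', []) when every check passes, else ('TRIP', failed_checks)."""
    results = {
        "code": check_code_memory(image, reference_crc),
        "ram": check_ram(ram),
        "cpu": check_cpu(),
        "timing": check_timing(cycle_ms, budget_ms),
    }
    failed = sorted(name for name, ok in results.items() if not ok)
    return ("TRIP" if failed else "RUN"), failed


if __name__ == "__main__":
    print(run_diagnostics(CODE_IMAGE, make_ram(16), cycle_ms=12.0, budget_ms=17.0))
    print(run_diagnostics(CODE_IMAGE, make_ram(16, stuck_addr=3, stuck_mask=0x01), 12.0, 17.0))
```

Returning the list of failed checks alongside the trip decision is what makes the diagnostic useful to maintenance: the fail-safe action is the same for every cause, but the record of which check tripped is what the periodic-testing step on the next slide needs.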

Testability - Periodic Testing
• Partial automatic testing
  - Portable PC-based test cart, manually connected
  - Prompts technician through connection / test / restoration
  - Automatically generates test inputs (static and dynamic) and monitors outputs
• Integrated, fully automatic testing
  - Feasible, but market (esp. retrofit) does not seem to support


Hardware Qualification
• Establish requirements for hardware verification and qualification to establish Baseline Design Document (BDD)
• Hardware Verification Plan
  - Categorize modules
    Vendor / Westinghouse
    New design / existing, unverified / existing, verified
  - Establish verification requirements
    Selective testing
    Extensive testing
    Report only
  - Based on suitability of existing test results (including vendor / commercial) and analysis of design changes since previous verification.

Hardware Configuration Control
• Modules designed specifically for nuclear
  - Design change requires DEON (Development Engineering Order Notice) to identify differences from baseline and to summarize design verification for differences (via testing, qualification reports, or engineering analysis).
• Commercial modules
  - A separate level of drawings is established to identify acceptable revision levels for nuclear applications. All nuclear projects (including spares) order from these drawings.
  - The design of the commercial module may change using only the commercial design change process, but the DEON process must be followed before a new revision may be used for nuclear applications.
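The electronic identification slide (module type index, group index, serial number, revision and firmware levels that the controller reads from each module to ensure proper configuration) and the configuration control slide above (a separate drawing level fixing which revision levels are acceptable for nuclear use) together describe a check a controller can run at start-up and on demand. This added example (Python; not Westinghouse code) implements such a check: what is actually plugged into each slot is compared with a project baseline and with an approved-revision list, and the same ID data is summarised as a site inventory. The module types, revision codes, slot names, baseline and approved lists are constructed for the example.

```python
# Added example, not Westinghouse code: a controller-side configuration check
# that compares the electronic ID reported by each I/O module with the project
# baseline and with the revision levels approved for nuclear use, and builds a
# site inventory from the same data. All identifiers below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleID:
    """Electronic ID read back from one module (fields constructed for the example)."""
    slot: str
    module_type: str
    group_index: int
    serial: str
    revision: str      # hardware revision level
    firmware: str      # firmware level


# Constructed: what the project drawings say belongs in each slot (type, group).
BASELINE = {
    "B1-S1": ("DI16", 1),
    "B1-S2": ("AI8", 2),
    "B1-S3": ("DO16", 1),
}

# Constructed: the "separate level of drawings", i.e. revision levels approved
# for nuclear applications, per module type.
APPROVED = {
    "DI16": {"hw": {"B", "C"}, "fw": {"1.2", "1.3"}},
    "AI8": {"hw": {"A"}, "fw": {"2.0"}},
    "DO16": {"hw": {"B"}, "fw": {"1.1"}},
}


def check_configuration(reported, baseline, approved):
    """Return sorted (slot, finding) pairs; an empty list means the I/O matches the baseline."""
    findings = []
    seen = set()
    for m in reported:
        seen.add(m.slot)
        expected = baseline.get(m.slot)
        if expected is None:
            findings.append((m.slot, "module present in slot not in baseline"))
            continue
        exp_type, exp_group = expected
        if (m.module_type, m.group_index) != (exp_type, exp_group):
            findings.append((m.slot, f"type mismatch: expected {exp_type}/{exp_group}, "
                                     f"found {m.module_type}/{m.group_index}"))
            continue
        rules = approved.get(m.module_type)
        if rules is None:
            findings.append((m.slot, f"no approved revision list for {m.module_type}"))
            continue
        if m.revision not in rules["hw"]:
            findings.append((m.slot, f"hardware revision {m.revision} not approved"))
        if m.firmware not in rules["fw"]:
            findings.append((m.slot, f"firmware {m.firmware} not approved"))
    for slot in baseline:                     # anything the drawings expect but nothing reported
        if slot not in seen:
            findings.append((slot, "baseline module missing"))
    return sorted(findings)


def inventory(reported):
    """Site inventory view of the on-line query: serial numbers grouped by module type."""
    by_type = {}
    for m in reported:
        by_type.setdefault(m.module_type, []).append(m.serial)
    return {t: sorted(serials) for t, serials in by_type.items()}


# Constructed sample of what a controller might read back after maintenance:
# slot B1-S2 carries unapproved firmware, B1-S3 is empty and B1-S4 is not on the drawings.
REPORTED = [
    ModuleID("B1-S1", "DI16", 1, "SN1001", "B", "1.2"),
    ModuleID("B1-S2", "AI8", 2, "SN2001", "A", "2.1"),
    ModuleID("B1-S4", "DO16", 1, "SN3001", "B", "1.1"),
]

if __name__ == "__main__":
    for slot, finding in check_configuration(REPORTED, BASELINE, APPROVED):
        print(slot, finding)
    print(inventory(REPORTED))
```

Because the module's own flash reports its identity, the check does not depend on a technician's paperwork being right: a spare of the correct type but at a commercial revision that never went through the DEON process is flagged before it is put into service, which is exactly the gap the "order from these drawings" rule is meant to close.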

Software Qualification
• Safety (Eagle) software
  - Developed per System Design and Implementation Process
  - Top-down (requirements / specifications / implementation)
  - Independent verification of the outputs of the design stages
  - Validation of the system to its requirements
  - Iterative, to maintain currency of design documents
• Commercial software
  - Top-down design process
  - Validation of system software
  - Not as rigorous as nuclear

Software Configuration Control
• Safety (Eagle) software
  - Configuration control of application software is maintained on a project-specific basis
  - Configuration control of generic (common functions) software requires all changes to be approved by a Software Change Review Board.
• Commercial software used for nuclear applications
  - Will be treated in a manner analogous to that described for hardware, maintaining controlled versions of software modules that have been qualified for nuclear use.

Licensing Approach
• Westinghouse Will Submit a Topical Report to the NRC Via Formal Letter.
• The Topical Report Will Contain Proprietary Information and Will Be Accompanied by an Application for Withholding and Affidavit.
• Key Elements of the Topical Report:
  - Applicable Regulatory Criteria
  - System Requirements
  - Hardware Qualification Methodology
  - Software Qualification Methodology
  - Proposed Acceptance Process

Instrumentation and Controls Areas of Review
• Protection Systems
• Engineered Safety Features Actuation Systems
• Safe Shutdown Systems
• Information Systems Important to Safety
• Interlock Systems Important to Safety
• Control Systems
• Diverse Actuation Systems
• Data Communication Systems
• Essential Auxiliary Supporting Systems

Review Process for Digital I&C Systems
• Adequacy of Design Criteria and Guidance to be Applied to the Proposed System.
• Identification of Review Topics.
• Defense-In-Depth and Diversity.
• Life Cycle Process Planning.
• Adequacy of System Functional Requirements and Commitments for Individual I&C Systems.
• Adequacy of Software Life Cycle Process Implementation.
• Software Life Cycle Process Design Outputs.

Supplemental Guidance for Digital Computer-Based Safety Systems
• Electromagnetic Compatibility.
  - Reference EPRI TR-102323
• Computer System Quality
  - Software Development and Hardware / Software Integration.
  - Qualification of Existing Computers
    Reference EPRI TR-106439 and NUREG/CR-6421
  - Software Tools
    Reference IEEE Std. 7-4.3.2, EPRI TR-106439 and BTP HICB-14
  - Verification and Validation
  - Software Configuration Management

Supplemental Guidance for Digital Computer-Based Safety Systems (Cont'd)
• Equipment Qualification.
• System Integrity.
  - Design for Computer Integrity
    Reference BTP HICB-21
  - Design for Test and Calibration
    Reference BTP HICB-17
• Communications Independence.
• Reliability.
• Defense Against Common-Mode Failures.
• Use of Emerging Software Methods.
  - Formal Methods
  - Non-Procedural Languages

Equipment Qualification
ENVIRONMENTAL
- IEEE Std. 323-1983
- Regulatory Guide 1.89
- Temperature 82-120 Degrees F
- Humidity 95-35 Percent
SEISMIC
- Multi-Axis, Multi-Frequency Inputs in Accordance With Regulatory Guide 1.100. Equipment Is Subjected to a Series of Operating Basis Earthquake (OBE) and Safe Shutdown Earthquake (SSE) Events.

Noise, Fault, Electromagnetic Interference, and Radio Frequency Interference
• CE Mark Certification
• IEC 1000 Parts 1, 2, 3, and 4
  - Electrostatic Discharge Immunity
  - Radiated, Radio Frequency, Electromagnetic Field Immunity
  - Electrical Fast Transient / Burst Immunity
  - Surge Immunity
• Electrical Fault and Isolation Tests

Regulatory Requirements Acceptance Criteria
• 10 CFR Part 50 - Domestic Licensing of Production and Utilization Facilities.
• 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants.
• 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

Regulatory Requirements (cont'd)
REGULATORY GUIDELINES
- RG 1.22 Periodic Testing of Protection System Actuation Functions.
- RG 1.47 Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems.
- RG 1.53 Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems.
- RG 1.62 Manual Initiation of Protection Actions.
- RG 1.75 Physical Independence of Electric Systems.
- RG 1.97 Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant Conditions.
- RG 1.105 Instrument Spans and Setpoints.
- RG 1.118 Periodic Testing of Electric Power and Protection Systems.
- RG 1.151 Instrument Sensing Lines.
- RG 1.152 Digital Computers in Safety Systems of Nuclear Power Plants.
- RG 1.153 Power Instrumentation and Control Portions of Safety Systems.

REGULATORY REQUIREMENTS (cont'd)
Draft Regulatory Guidelines
- DG-1054 - Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.
  Endorses IEEE Std 1012-1986 and IEEE Std 1028-1988.
- DG-1055 - Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.
  Endorses IEEE Std 828-1990 and ANSI/IEEE Std 1042-1987.
- DG-1056 - Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.
  Endorses ANSI/IEEE Std 829-1990.

REGULATORY REQUIREMENTS (cont'd)
Draft Regulatory Guidelines (cont'd)
- DG-1057 - Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.
  Endorses ANSI/IEEE Std 1008-1987.
- DG-1058 - Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.
  Endorses IEEE Std 830-1993.
- DG-1059 - Developing Software Lifecycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants.
  Endorses IEEE Std 1074-1995.

cc:
Mr. Nicholas J. Liparulo
Westinghouse Electric Corporation
Mail Stop ECE 4-15
P.O. Box 355
Pittsburgh, PA 15230-0355

Mr. Henry A. Sepp
Westinghouse Electric Corporation
Mail Stop ECE 4-07A
P.O. Box 355
Pittsburgh, PA 15230-0355

Mr. Andrew Drake, Project Manager
Westinghouse Owners Group
Westinghouse Electric Corporation
Mail Stop ECE 5-16
P.O. Box 355
Pittsburgh, PA 15230-0355

Y DISTRIBUTION w/ attachments: Summary of February 25, 1997, with Westinghouse dated March 14. 1497 Central File PUBLIC PGEB R/F RArchitzel CCraig E-Mail Scollins/FMiraglia RZimmerman AThadani TMartin DMatthews BBoger JWermiel JStewart JMauck LCampbell PLoeser JGallagher

g-i g* "'% p 4 UNITED STATES NUCLEAR REGULATORY COMMISSION f WASHINGTON, D.C. 30006-0001 \\ g/ j March 19, 1997 MEMORANDUM T0: David B. Matthews, Chief 2 Generic Issues and Environmental Projects Branch Division of Reactor Program Management Office of Nuclear Reactor Regulation FROM: Claudia M. Craig, Senior Project Manager dM G Mg(~ Generic Issues and Environmental Projects Branch Division of Reactor Program Management j Office of Nuclear Reactor Regulation

SUBJECT:

SUMMARY

OF MEETING WITH WESTINGHOUSE TO DISCUSS THE 4 QUALIFICATION OF THE OVATION DISTRIBUTED CONTROL AND INFORMATION SYSTEM i I-The subject meeting was held at the Nuclear Regulatory Commission (NRC) offices in Rockville, Maryland on February 25, 1997, between representatives of Westinghouse, utilities, and the NRC staff. The purpose of the meeting was for Westinghouse to provide the staff with an equipment overview and proposed i lir.ensing approach for the qualification of the Westinghouse Ovation Distributed Control and Information System. Attachment 1 is a list of meeting 3 participants. Attachment 2 is the non-proprietary presentation material j provided at the meeting. The meeting started with discussion on why the utilities believe a dedicated j commercial grade system is needed for upgrades to safety-related s instrumentation and control systems. The utilities indicated their goal is to standardize one system which can be used for both safety-related and non- ) safety applications. The intent is that Westinghouse will submit a topical j report on the Ovation system, and obtain NRC approval of the design concepts used..In the future, utilities can utilize the approved topical report to expedite approval of plant-specific modifications using the Ovation system in various applications. i . Westinghouse provided the staff with an overview of the Ovation Distributed 4 Control and Information System. The overview included discussions on the input / output subsystem, the controller, power supplies, software tools, and i differences between the older Eagle 21 and the new Ovation systems. Westinghouse discussed the quality requirements of the Ovation system, and how they planned to meet and demonstrate those requirements. Westinghouse also l listed those standards they expected the Ovation system to satisfy. Westinghouse provided the staff with their licensing approach to submittal of a topical report, and what areas would be addressed in the report. 
D. Matthews March 19, 1997

Westinghouse proposed a series of meetings with the staff during the development of the topical report, both to keep the staff informed of the progress of development of the Ovation system and to get staff input on design areas important to the staff. The first of these meetings is scheduled for May 12, 1997.

Attachments: As stated

cc w/atts: See next page

DISTRIBUTION: See attached page

DOCUMENT NAME: 2_25_97.MIN

To receive a copy of this document, indicate in the box: "C" = Copy without attachment/enclosure, "E" = Copy with attachment/enclosure

OFFICE   PGEB       SC:PGEB      BC:HICB     C:PGEB
NAME     CCraig     RArchitzel   JWermiel    DMatthews
DATE     3/7/97     3/19/97      3/15/97     3/6/97

OFFICIAL RECORD COPY

WESTINGHOUSE / NRC MEETING
QUALIFICATION OF THE DISTRIBUTED CONTROL AND INFORMATION SYSTEM
FEBRUARY 25, 1997

MEETING PARTICIPANTS

NAME                  ORGANIZATION
Claudia Craig         NRC/NRR/PGEB
Joel E. Hasenkopf     Westinghouse/PCD
Jerry L. Mauck        NRC/NRR/HICB
John M. Gallagher     NRC/NRR/HICB
Jim Stewart           NRC/NRR/HICB
Bill Ghrist           Westinghouse PCD
Larry L. Campbell     NRC/NRR/DRCH
Paul J. Loeser        NRC/NRR/HICB
Larry Erin            Westinghouse Electric
Jay Amin              TU Electric
G.C. Sundberg         NSP/Prairie Island
Bob Sterdis           Westinghouse I&C
Karl Evans            Union Electric/Callaway Plant
Brian Beley           Westinghouse Energy Systems
Dillit Gulati         Com Ed Corporate-Nuclear Eng.
Jared Wermiel         NRC/NRR/HICB

ATTACHMENT 1

STANDARDIZATION OF INSTRUMENTATION, CONTROLS & INFORMATION SYSTEMS FOR NUCLEAR POWER PLANTS
SAFETY RELATED / NON-SAFETY RELATED

Janardan (Jay) Amin, TU Electric
Presentation to NRC-NRR, February 25, 1997, Rockville, MD
J.G. Amin, TUE

VISION: To standardize Safety Related & Non Safety Related Instrumentation, Controls, & Information Systems currently installed in nuclear power plants by orderly migration (based on system health status) over a period of 5-20 years to a single platform based digital technological alternative that will enable the utilities to operate their plants cost-effectively through the end of operating license.

GENERIC REQUIREMENTS: The following attributes need to be addressed as a minimum from a utility perspective:
A. System Requirements
   - hardware
   - software
B. Performance Requirements
C. Networking Requirements
D. User Community Requirements
   - Operations
   - Maintenance
   - System Engineering
   - Design Engineering
E. Qualification Requirements
   - Seismic
   - Environmental
   - Verification & Validation
   - EMI/RFI
F. System Life Cycle Maintenance Plan
G. Design Control / Configuration Control

POTENTIAL VENDORS:
- Combustion Engineering
- Siemens
- Westinghouse
Long Term Partnering with vendors is an important consideration to reduce cost.

PROPOSED ACTION PLAN:
- Propose a joint Westinghouse / utility workshop to develop a list of generic requirements that Nuclear Power Utilities want in a single platform based Standardized Instrumentation, Controls and Information System
- Publish a Report on "Generic Requirements" for Single Platform based Standardized Instrumentation, Controls and Information Systems
- Publish a Report on generic "Cost Benefit Analysis" based on single platform systems utilized in other industries
  NOTE: Majority of the guidance is available from existing documents
- Request NRC participation in this generic effort
- Obtain NRC approval via SER for
  - Standardized Distributed Instrumentation, and Information Control System
  - Generic Process for Life Cycle Management

NRC, Westinghouse and Utility Meeting on the Qualification of the Ovation Distributed Control and Information System
February 25, 1997

Agenda
1.0 Introduction
2.0 Purpose of the Meeting
3.0 Overview of the Distributed Control and Information System
4.0 Licensing Approach for Qualification of the Distributed Control and Information System
5.0 Schedule for Submittals
6.0 Schedule for NRC Staff Review
7.0 Meeting Summary

Purpose of the Meeting
Present an Equipment Overview and Proposed Licensing Approach for the Qualification of the Westinghouse Ovation Distributed Control and Information System to the NRC Staff.

OVATION Process Control & Information Technology from Westinghouse: Overview

[Architecture diagram; only the labels are recoverable: Wide Area; Plant LAN (Ethernet, ATM, FDDI, etc.); Information Network; Process Network; Work Station; management and System Engineering interface; Fieldbus; RTU; Multi-master; Q-Line; PLC Bus; hand-held tools; Input/Output Layer]

External Design Principles
- Availability of the plant process
- Adaptable / Flexible to many applications
- Compatible / Migratable with WDPF II
- Open - easily integrates with other products
- Inexpensive to install, operate & maintain
- Fast & Easy to configure / engineer system
- Fast & Easy to service & repair
- Secure control of access and configuration
- Safe to personnel & the environment
- Easy to upgrade

OVATION Process Control & Information Technology from Westinghouse: Network

Our "Open" Network is FDDI
- FDDI (ANSI X3T12)
- Single or Redundant
- 100 MBaud
- Fiber, Copper, or Both
- 200,000 (1 sec) points
- Sync and Async Transmission
- 200 km Max Length
- Collapsed Backbone
- Reliable
- Environmentally Sound
- Robust
- Fault Tolerant
- High Bandwidth Utilization
- "Ultimate" Connectivity

FDDI Fault Tolerance: Wrapping
[Diagram: a ring of Dual Attachment Stations (DAS); on a link fault the two stations adjacent to it wrap the primary ring onto the secondary, so the fault is isolated and the wrapped ring continues to operate]

OVATION Process Control & Information Technology from Westinghouse: I/O Subsystem

I/O Subsystem - Overview
- 3 Modular Components
  - Electronics Module (EMOD)
  - Personality Module (PMOD)
  - I/O Base / Termination Unit
- 2 I/O Modules Per I/O Base
- No User Addressing of I/O Modules
- Hot Swap of I/O Modules
- No Special Handling Required
- No Tools Required for Maintenance
- Any Module in any slot
- No Configuration Jumpers
- Industrial components (85 degrees C)
- Power Consumption drastically reduced

I/O Subsystem - Overview
- Single Point Fastening to DIN Rail
- Automatic Interconnection of I/O Bases
- Module Power supplied via Bus (3A @ 24 VDC)
- Auxiliary Power supplied via Bus (5A @ 150 VAC/DC)
- Color Keying between I/O Module and Personality Module
- Signal Conditioning and Fusing through Personality Module
- Latching integrated into Module and base Housing
- Test Points built into Terminal Block
- Terminal blocks handle single 12 AWG or two 14 AWG
- Built-in Spare Fuse Holders
- Built-in Strip Length Gauge

I/O Subsystem - Status Indicators
Standardized Status Indicators on each Module
- Red Indicates Abnormal Condition
- Green Indicates Status or Normal Condition
Module indicators: Power (Green), Communication (Green), External Error (Red), Internal Error (Red)
Channel Status indicators: Digitals - Green = ON; Analog - Red = Channel Error

I/O Subsystem - Electronic Identification
Electronic ID of I/O Modules and I/O Interface
- Stored in I/O Module Flash memory
  - Module Type Index
  - Group Index
  - Serial number
  - Revision Level, Module + internal Boards
  - Firmware
  - Artwork levels of Internal Boards
- Used by Controller to ensure proper configuration
- Can be queried on-line for QA and Site Inventory

I/O Subsystem - Local I/O
Local Configuration
- Up to 128 I/O Modules per Controller
  - Up to 2 I/O Interfaces per Controller
  - 8 I/O branches per I/O Interface
  - 8 Modules per branch
- Increased Reliability
  - Serial Communication to each branch
  - Fewer components on bus
- Increased Fault Tolerance
  - Limited to one branch (8 Modules)
[Diagram: I/O modules, front and rear views]

I/O Modules
- 16 Channel Digital Input
- 16 Channel Contact Input
- 16 Channel Digital Output
- 4 Channel Analog Output
- 8 Channel Analog Input (7 ranges)
- 4 Channel 3 and 4 wire RTD Input
- 2 Channel Pulse Accumulator / Counter
- 16 Channel Sequence of Events
- Single Loop Interface with SLIM Datalink Controller
- On-going development of new modules

OVATION Process Control & Information Technology from Westinghouse: Controller
[Photograph of the controller; no recoverable text]

Controller Block Diagram
[Diagram: Redundant Controller Chassis holding two controllers, each with a CPU Card, IDE Flash Disk and FDDI/CDDI interface on a PCI Bus and an I/O Interface (PCRL) to its I/O branches; a Redundancy Datalink joins the two controllers; each I/O Interface also connects "To Other I/O Branch"]

Controller I/O Interface
Flexible I/O Interface on Std. PCI Bus
- PCQL Local Q-Line interface card
- PCRL W3 Local I/O interface card
- PCRR W3 Remote I/O interface card
- Fieldbus and 3rd party I/O cards
I/O Interface Capacity
- 2 I/O cards per controller
- 8 branches of I/O per PCRL card
- 8 modules per I/O branch
- Maximum of 128 I/O modules per controller
- Remote I/O maximums are higher

Controller Capabilities
Point Capacities
- 4000 originated points maximum
- 1024 direct-wired analog points max.
- 2048 direct-wired digital points max.
- 1024 direct-wired SOE points max.
Performance
- 120 MHz Pentium processor
- 1.5 to 2 times the performance of old DPU
- Serial & Parallel I/O scanning options
- More than double memory space for control (660 KB)
- 5 control areas, each with selectable speeds (17 ms - 30 s)
- Ladder logic solving of 1000 ladders / 100 ms
- SAMA digital logic performance equivalent to ladders

Controller Fault Tolerance
- Redundancy of all cards
- Redundant powering
- I/O bus failure isolation
- Watchdog functions
- Auto-restart function
- Bumpless failover (tracking algorithms)
- No active components on the backplane

OVATION Process Control & Information Technology from Westinghouse: WEStation

WEStation
- RISC workstation
- Real-time UNIX operating system
- X-compliant windowing
- Process highway interface (FDDI)
- Plant LAN interface (Ethernet, FDDI, ATM, etc.)
- Operator station
- Logger
- Historian
- Engineer station
- Gateway

OVATION Process Control & Information Technology from Westinghouse: Packaging and Power Supplies

Local Cabinet Arrangement
- 2 Power Supplies
- 2 Controllers
- 16 I/O Bases
- 20-32 I/O Modules
- 32 Personality Modules
- 1 Transition Panel
[Diagram: cabinet 23.5" wide by 78" high; Personality Module, I/O Module and Field Terminations shown in front and rear views]

Simplified Powering Scheme
- Single power source to each 24 volt power supply
- 24 Volt power supplies feed both Controllers
- 24 Volt power fed to Controller and I/O
- PCPS supplies 5 VDC and +/-12 VDC to controller
- Auxiliary Power through controller to I/O branches
- Different Auxiliary voltages to a branch granularity
- Simple harness for I/O power
- Simple to build
- Simple to apply
[Diagram labels: Primary Power, AUX]

OVATION Process Control & Information Technology from Westinghouse: PowerTools

PowerTools
Guiding Principles
- Easy to configure system and applications
- Secure control of system access and configuration
- Integration of plant and business data
PowerTools Approach
- Set of engineering tools integrated around central database
- Implement with full featured 3rd party database (Oracle)
- Error and consistency checking on all database interactions
- Integrate existing Control Builder & Graphics Builder tools
- Comprehensive security and configuration control system
- ODBC/SQL access for plant integration
- Multiple platform support (Solaris / Windows)

PowerTools Architecture
[Diagram: on the USER side, Control Builder, Graphics Builder, Point Builder, Configuration Builder and Plant I/O Database Builder (with import/export) work against the Plant I/O Database with integrity checking on the WEStation Software Server; compiled graphics and the POWERTOOLS DATABASE are on the SYSTEM side; the FDDI Highway connects Controller Drops and the WEStation Drop, each holding a Distributed Database]


Migration Strategy
- Maintain verified, proven Eagle software
- Get as close to standard Ovation platform as practical
- Provide application development tools similar to Ovation

Performance Requirements
Deterministic Operation
- Continuous (periodic) processing approach for
  - I/O scanning
  - Applications
  - Communications
- Support system time budget
  - Processor
  - Communications
  - I/O
Accuracy
- Better than analog
- Self calibration
- Low drift
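An added example, not Ovation or Eagle code, of the deterministic periodic processing described on this slide together with the watchdog listed under Controller Fault Tolerance: control areas with selectable periods run on a fixed base cycle, a design-time check confirms that the heaviest cycle still fits the time budget, and a watchdog expires when a cycle's work does not finish. The 17 ms base cycle is the fastest speed on the controller slide; the periods, per-area costs, I/O and communications slots, watchdog timeout and the injected stall are assumed values.

```python
"""Deterministic periodic processing with a time budget and a watchdog.

Added example (not Ovation or Eagle code).  Several control areas with
selectable periods share a fixed base cycle; each cycle's I/O scan,
communications and application work must fit the cycle's time budget, and
a watchdog catches a cycle that fails to complete.  Simulated time is used
so the result is repeatable.  The base cycle (17 ms, the fastest speed on
the controller slide), the per-area costs and the watchdog timeout are
assumed values.
"""
import math
from dataclasses import dataclass

BASE_CYCLE_MS = 17  # assumed base cycle; periods are assumed to be multiples of it


@dataclass
class ControlArea:
    name: str
    period_ms: int    # multiple of BASE_CYCLE_MS
    cost_ms: float    # worst-case execution time per run (assumed measured)


@dataclass
class Watchdog:
    timeout_ms: float
    last_kick_ms: float = 0.0

    def kick(self, now_ms):
        self.last_kick_ms = now_ms

    def expired(self, now_ms):
        return now_ms - self.last_kick_ms > self.timeout_ms


def cycle_load_ms(areas, start_ms, io_ms, comm_ms):
    """Work due in the base cycle starting at start_ms: the fixed I/O scan and
    communications slots plus every control area whose period divides start_ms."""
    return io_ms + comm_ms + sum(a.cost_ms for a in areas if start_ms % a.period_ms == 0)


def hyperperiod_cycles(areas):
    """Number of base cycles after which the schedule repeats."""
    lcm = 1
    for a in areas:
        lcm = lcm * a.period_ms // math.gcd(lcm, a.period_ms)
    return lcm // BASE_CYCLE_MS


def worst_case_cycle_ms(areas, io_ms, comm_ms):
    """Design-time budget check: the heaviest base cycle in one hyperperiod.
    If this exceeds BASE_CYCLE_MS the schedule is not deterministic under
    worst-case load, however light a typical cycle looks."""
    return max(cycle_load_ms(areas, c * BASE_CYCLE_MS, io_ms, comm_ms)
               for c in range(hyperperiod_cycles(areas)))


def run(areas, io_ms, comm_ms, cycles, wd, hang=None):
    """Simulate `cycles` base cycles.  hang=(cycle, extra_ms) injects a stalled
    task.  Returns (cycles that overran the budget, cycle at which the watchdog
    first expired or None).  The watchdog is kicked only when a cycle's work
    finishes, so a stall shows up as a late kick.  Cycle start times stay fixed
    in this model; the watchdog, not the schedule, is what reacts to the stall."""
    overruns, tripped = [], None
    for c in range(cycles):
        start = c * BASE_CYCLE_MS
        load = cycle_load_ms(areas, start, io_ms, comm_ms)
        if hang and hang[0] == c:
            load += hang[1]
        finish = start + load
        if load > BASE_CYCLE_MS:
            overruns.append(c)
        if tripped is None and wd.expired(finish):
            tripped = c
        wd.kick(finish)
    return overruns, tripped


# Constructed configuration: three control areas on the 17 ms base cycle.
AREAS_OK = [ControlArea("fast", 17, 4.0), ControlArea("medium", 170, 4.0),
            ControlArea("slow", 510, 3.0)]
# Same periods with heavier slow areas: a typical cycle fits, the cycle where
# all three coincide does not.
AREAS_HEAVY = [ControlArea("fast", 17, 4.0), ControlArea("medium", 170, 6.0),
               ControlArea("slow", 510, 8.0)]
IO_MS, COMM_MS = 3.0, 2.0

if __name__ == "__main__":
    print("worst case ok   :", worst_case_cycle_ms(AREAS_OK, IO_MS, COMM_MS), "ms")
    print("worst case heavy:", worst_case_cycle_ms(AREAS_HEAVY, IO_MS, COMM_MS), "ms")
    print("heavy run       :", run(AREAS_HEAVY, IO_MS, COMM_MS, 60, Watchdog(2 * BASE_CYCLE_MS)))
    print("stalled task    :", run(AREAS_OK, IO_MS, COMM_MS, 60, Watchdog(2 * BASE_CYCLE_MS),
                                   hang=(5, 100.0)))
```

The point of `worst_case_cycle_ms` is that a budget has to be checked at the cycle where every area's period coincides, not on an average cycle: `AREAS_HEAVY` runs 9 ms of work in most cycles and 23 ms in cycle 0 and cycle 30, which a run-time monitor only notices after the fact. The watchdog in `run` covers the other failure mode, a task that stalls, which no static budget check can rule out.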

Hardware Requirements
- Qualify to 1E requirements
- Commercial product will be CE Mark certified
- Incorporate provisions for testing
- Incorporate provisions for output redundancy
  - Some are standard in commercial product
- System redundancy configurations typically are different for safety vs. commercial applications
- Support migration of Eagle software
  - Architecture for separate application processor to support non-multi-tasking application processing

Human-Machine Interface Requirements
- Non-safety interface functions implemented via gateway to plant information system
  - Diagnostics
  - Alarming
  - Logging / Historical retrieval
  - Monitoring
- Safety critical HMI may include
  - Hard-wired (including point-to-point serial) controls
  - Multiplexed hard controls
  - Multiplexed soft controls
- 1E qualified graphics display for SIDS and soft controls

Testability
Built-in, continuous diagnostics to support fail-safe design principles
- Process I/O -- field circuits and I/O conversion
- Communications
- Memory (data and code)
- CPU, math processing
- Addressing
- Timing
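An added example, not Westinghouse code, of three of the continuous diagnostics listed above run against a RAM model: a code-space CRC computed incrementally so that each control cycle spends only a bounded slice of its budget on it, a March C- test over data memory, and a walking-address test for shorted address lines. The memory size, chunk size, code image and injected faults are constructed for the example.

```python
"""Continuous built-in diagnostics for memory and addressing.

Added example, not Westinghouse code.  It implements three of the checks on
the Testability slide over a byte-addressable RAM model: a background CRC32
over the code image, hashed one chunk per cycle; a March C- test over a data
scratch region; and a walking-address test that detects shorted address
lines.  Memory size, chunk size and the injected faults are constructed.
"""
import zlib


class Memory:
    """RAM model.  stuck0 maps an address to a bit mask that always reads as 0;
    alias maps an address to the cell actually accessed (a shorted address line)."""

    def __init__(self, size, stuck0=None, alias=None):
        self.cells = bytearray(size)
        self.stuck0 = stuck0 or {}
        self.alias = alias or {}

    def _phys(self, addr):
        return self.alias.get(addr, addr)

    def write(self, addr, val):
        self.cells[self._phys(addr)] = val & 0xFF

    def read(self, addr):
        a = self._phys(addr)
        return self.cells[a] & ~self.stuck0.get(a, 0) & 0xFF


def march_test(mem, lo, hi):
    """March C- over [lo, hi); returns the sorted addresses whose read-back failed.
    Destructive, so it is meant for a scratch region or for use before data is loaded."""
    bad = set()
    for a in range(lo, hi):
        mem.write(a, 0x00)
    for pattern, nxt, order in ((0x00, 0xFF, range(lo, hi)),              # up:   r0 w1
                                (0xFF, 0x00, range(lo, hi)),              # up:   r1 w0
                                (0x00, 0xFF, range(hi - 1, lo - 1, -1)),  # down: r0 w1
                                (0xFF, 0x00, range(hi - 1, lo - 1, -1))): # down: r1 w0
        for a in order:
            if mem.read(a) != pattern:
                bad.add(a)
            mem.write(a, nxt)
    for a in range(lo, hi):                                               # final r0
        if mem.read(a) != 0x00:
            bad.add(a)
    return sorted(bad)


def address_test(mem, size):
    """Write a distinct value at address 0 and at every power-of-two address,
    then read them all back.  A cell that no longer holds its own value was
    reached through a second address, i.e. two address lines are shorted."""
    addrs = [0] + [1 << k for k in range(size.bit_length()) if 1 << k < size]
    expect = {a: (i * 37 + 1) & 0xFF for i, a in enumerate(addrs)}
    for a, v in expect.items():
        mem.write(a, v)
    return sorted(a for a, v in expect.items() if mem.read(a) != v)


def reference_crc(image):
    """CRC32 recorded for the code image at build time."""
    return zlib.crc32(image)


class CodeChecker:
    """Background CRC over the code image: step() hashes one chunk per control
    cycle so the check consumes a bounded slice of each cycle's time budget."""

    def __init__(self, image, ref_crc, chunk=64):
        self.image, self.ref, self.chunk = image, ref_crc, chunk
        self.pos, self.crc, self.passes, self.failed = 0, 0, 0, False

    def step(self):
        end = min(self.pos + self.chunk, len(self.image))
        self.crc = zlib.crc32(self.image[self.pos:end], self.crc)
        self.pos = end
        if self.pos == len(self.image):       # full pass done: compare and restart
            self.failed = self.failed or self.crc != self.ref
            self.passes += 1
            self.pos, self.crc = 0, 0
        return self.failed


# Constructed code image (512 bytes) used by the demonstration below.
CODE_IMAGE = bytes(range(256)) * 2

if __name__ == "__main__":
    print("march, bit 0 stuck at addr 5:", march_test(Memory(64, stuck0={5: 0x01}), 0, 64))
    print("address, 4 aliased to 8     :", address_test(Memory(64, alias={4: 8}), 64))
    corrupted = bytearray(CODE_IMAGE)
    corrupted[100] ^= 0x10
    chk = CodeChecker(bytes(corrupted), reference_crc(CODE_IMAGE))
    while chk.passes == 0:
        chk.step()
    print("code CRC mismatch detected  :", chk.failed)
```

A CRC detects accidental corruption only; it is not a defence against deliberate modification of the code image, which is why the configuration-control process elsewhere in this presentation matters as much as the run-time check. The march test is destructive, so on a live controller it belongs on a dedicated scratch region or in the start-up sequence.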

Testability - Periodic Testing
Partial automatic testing
- Portable PC-based test cart, manually connected
- Prompts technician through connection / test / restoration
- Automatically generates test inputs (static and dynamic) and monitors outputs
Integrated, fully automatic testing
- Feasible, but market (esp. retrofit) does not seem to support it

Hardware Qualification
Establish requirements for hardware verification and qualification to establish Baseline Design Document (BDD)
Hardware Verification Plan
- Categorize modules
  - Vendor / Westinghouse
  - New design / existing, unverified / existing, verified
- Establish verification requirements
  - Selective testing
  - Extensive testing
  - Report only
  Based on suitability of existing test results (including vendor / commercial) and analysis of design changes since previous verification.

Hardware Configuration Control
Modules designed specifically for nuclear
- Design change requires DEON (Development Engineering Order Notice) to identify differences from baseline and to summarize design verification for differences (via testing, qualification reports, or engineering analysis).
Commercial modules
- A separate level of drawings is established to identify acceptable revision levels for nuclear applications. All nuclear projects (including spares) order from these drawings.
- The design of the commercial module may change using only the commercial design change process, but the DEON process must be followed before a new revision may be used for nuclear applications.

Software Qualification
Safety (Eagle) software
- Developed per System Design and Implementation Process
  - Top-down (requirements / specifications / implementation)
  - Independent verification of the outputs of the design stages
  - Validation of the system to its requirements
  - Iterative, to maintain currency of design documents
Commercial software
- Top-down design process
- Validation of system software
- Not as rigorous as nuclear

Software Configuration Control
Safety (Eagle) software
- Configuration control of application software is maintained on a project-specific basis
- Configuration control of generic (common functions) software requires all changes to be approved by a Software Change Review Board.
Commercial software used for nuclear applications
- Will be treated in a manner analogous to that described for hardware, maintaining controlled versions of software modules that have been qualified for nuclear use.
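The electronic identification slide, the hardware configuration control slide and the software configuration control slide above describe one control from three sides: the controller queries each module's stored ID to ensure proper configuration, a separate drawing set says which revision levels of commercial modules are acceptable for nuclear use, and qualified software is kept as controlled versions. What follows is an added example, not Westinghouse or Ovation code, of that comparison as a check a practitioner could run over queried IDs and installed software; the ID field layout, the type and group index values, the approved lists, the checksum scheme and the sample modules are assumptions constructed for the example.

```python
"""Configuration check of I/O module electronic IDs and software module versions.

Added example, not Westinghouse code.  Each I/O module is modelled as
reporting the electronic ID the slides describe (module type index, group
index, serial number, revision level, firmware and artwork levels); an
approved list stands in for the nuclear drawings that fix acceptable
revision levels; and a qualified list stands in for the controlled versions
of software modules.  Field layouts, index values, approved entries and
sample modules are constructed for the example.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ElectronicID:
    """What a module reports when queried (assumed layout)."""
    slot: int
    module_type: int
    group: int
    serial: str
    revision: str        # module revision level
    firmware: str
    artwork: tuple       # artwork level of each internal board


# Approved configurations for nuclear use, keyed by (module_type, group):
# the (revision, firmware, artwork) combinations found on the nuclear drawings.
APPROVED = {
    (16, 1): {("B", "1.02", ("A", "A")), ("C", "1.03", ("A", "B"))},
    (8, 3): {("A", "2.00", ("B",))},
}

# Slot map for one I/O branch as downloaded from the plant I/O database.
EXPECTED = {1: (16, 1), 2: (16, 1), 3: (8, 3)}

# Controlled software versions qualified for nuclear use: name -> (version, CRC32 of build).
QUALIFIED_SW = {"trip_logic": ("3.1", zlib.crc32(b"constructed build image 3.1"))}


def check_branch(ids, expected=EXPECTED, approved=APPROVED):
    """Compare queried IDs against the expected slot map and the approved list.
    Returns a sorted list of (slot, finding); an empty list means the branch matches."""
    findings = []
    present = {eid.slot: eid for eid in ids}
    for slot, want in expected.items():
        eid = present.get(slot)
        if eid is None:
            findings.append((slot, "missing module"))
        elif (eid.module_type, eid.group) != want:
            findings.append((slot, "wrong module type/group %d/%d, expected %d/%d"
                             % (eid.module_type, eid.group, want[0], want[1])))
        elif (eid.revision, eid.firmware, tuple(eid.artwork)) not in approved.get(want, set()):
            findings.append((slot, "unapproved revision %s / firmware %s / artwork %s"
                             % (eid.revision, eid.firmware, "-".join(eid.artwork))))
    for slot in present:
        if slot not in expected:
            findings.append((slot, "unexpected module in unconfigured slot"))
    return sorted(findings)


def check_software(installed, qualified=QUALIFIED_SW):
    """installed: name -> (version, image bytes).  A module passes only if its
    name, version and build checksum all match the qualified list."""
    findings = []
    for name, (version, image) in installed.items():
        q = qualified.get(name)
        if q is None:
            findings.append((name, "module not on qualified list"))
        elif q[0] != version:
            findings.append((name, "version %s not qualified (qualified: %s)" % (version, q[0])))
        elif zlib.crc32(image) != q[1]:
            findings.append((name, "image checksum differs from qualified build"))
    return findings


# Constructed sample branch: slot 2 empty, slot 3 at an unapproved firmware level,
# and a module in slot 4 that the database does not know about.
SAMPLE_BRANCH = [
    ElectronicID(1, 16, 1, "S1001", "B", "1.02", ("A", "A")),
    ElectronicID(3, 8, 3, "S3007", "A", "2.01", ("B",)),
    ElectronicID(4, 16, 1, "S1002", "B", "1.02", ("A", "A")),
]

if __name__ == "__main__":
    for slot, finding in check_branch(SAMPLE_BRANCH):
        print("slot %d: %s" % (slot, finding))
    print(check_software({"trip_logic": ("3.1", b"tampered image")}))
```

The check deliberately treats a correct module at an unlisted revision and an unexpected module in an empty slot as findings, not warnings: the slides' "any module in any slot, no configuration jumpers" design makes physical mix-ups easy, and the drawing set is the only thing that says which revision is qualified. A CRC32 is used here only as a placeholder for whatever build identifier the controlled version carries; it distinguishes builds but does not resist deliberate substitution.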

Licensing Approach
Westinghouse Will Submit a Topical Report to the NRC Via Formal Letter.
The Topical Report Will Contain Proprietary Information and Will Be Accompanied by an Application for Withholding and Affidavit.
Key Elements of the Topical Report:
- Applicable Regulatory Criteria
- System Requirements
- Hardware Qualification Methodology
- Software Qualification Methodology
- Proposed Acceptance Process

Instrumentation and Controls Areas of Review
- Protection Systems
- Engineered Safety Features Actuation Systems
- Safe Shutdown Systems
- Information Systems Important to Safety
- Interlock Systems Important to Safety
- Control Systems
- Diverse Actuation Systems
- Data Communication Systems
- Essential Auxiliary Supporting Systems

Review Process for Digital I&C Systems
- Adequacy of Design Criteria and Guidance to be Applied to the Proposed System.
- Identification of Review Topics.
- Defense-In-Depth and Diversity.
- Life Cycle Process Planning.
- Adequacy of System Functional Requirements and Commitments for Individual I&C Systems.
- Adequacy of Software Life Cycle Process Implementation.
- Software Life Cycle Process Design Outputs.

Supplemental Guidance for Digital Computer-Based Safety Systems
- Electromagnetic Compatibility.
  - Reference EPRI TR-102323
- Computer System Quality
  - Software Development and Hardware / Software Integration.
  - Qualification of Existing Computers: Reference EPRI TR-106439 and NUREG/CR-6421
  - Software Tools: Reference IEEE Std 7-4.3.2, EPRI TR-106439 and BTP HICB-14
  - Verification and Validation
  - Software Configuration Management
- Equipment Qualification.
- System Integrity.
  - Design for Computer Integrity: Reference BTP HICB-21
  - Design for Test and Calibration: Reference BTP HICB-17
- Communications Independence.
- Reliability.
- Defense Against Common-Mode Failures.
- Use of Emerging Software Methods.
  - Formal Methods
  - Non-Procedural Languages

Equipment Qualification
ENVIRONMENTAL
- IEEE Std 323-1983
- Regulatory Guide 1.89
- Temperature 82-120 Degrees F
- Humidity 95-35 Percent
SEISMIC
- Multi-Axis, Multi-Frequency Inputs in Accordance With Regulatory Guide 1.100. Equipment Is Subjected to a Series of Operating Basis Earthquake (OBE) and Safe Shutdown Earthquake (SSE) Events.

Noise, Fault, Electromagnetic Interference, and Radio Frequency Interference
CE Mark Certification
IEC 1000 Parts 1, 2, 3, and 4
- Electrostatic Discharge Immunity
- Radiated, Radio Frequency, Electromagnetic Field Immunity
- Electrical Fast Transient / Burst Immunity
- Surge Immunity
- Electrical Fault and Isolation Tests

Regulatory Requirements
Acceptance Criteria
- 10 CFR Part 50 - Domestic Licensing of Production and Utilization Facilities.
- 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants.
- 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

Regulatory Requirements (cont'd)
REGULATORY GUIDELINES
- RG 1.22 Periodic Testing of Protection System Actuation Functions.
- RG 1.47 Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems.
- RG 1.53 Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems.
- RG 1.62 Manual Initiation of Protection Actions.
- RG 1.75 Physical Independence of Electric Systems.
- RG 1.97 Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant Conditions.
- RG 1.105 Instrument Spans and Setpoints.
- RG 1.118 Periodic Testing of Electric Power and Protection Systems.
- RG 1.151 Instrument Sensing Lines.
- RG 1.152 Digital Computers in Safety Systems of Nuclear Power Plants.
- RG 1.153 Power Instrumentation and Control Portions of Safety Systems.

Regulatory Requirements (cont'd)
Draft Regulatory Guidelines
- DG-1054 - Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Endorses IEEE Std 1012-1986 and IEEE Std 1028-1988.
- DG-1055 - Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Endorses IEEE Std 828-1990 and ANSI/IEEE Std 1042-1987.
- DG-1056 - Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Endorses ANSI/IEEE Std 829-1990.
- DG-1057 - Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Endorses ANSI/IEEE Std 1008-1987.
- DG-1058 - Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Endorses IEEE Std 830-1993.
- DG-1059 - Developing Software Lifecycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Endorses IEEE Std 1074-1995.

cc:
Mr. Nicholas J. Liparulo, Westinghouse Electric Corporation, Mail Stop ECE 4-15, P.O. Box 355, Pittsburgh, PA 15230-0355
Mr. Henry A. Sepp, Westinghouse Electric Corporation, Mail Stop ECE 4-07A, P.O. Box 355, Pittsburgh, PA 15230-0355
Mr. Andrew Drake, Project Manager, Westinghouse Owners Group, Westinghouse Electric Corporation, Mail Stop ECE 5-16, P.O. Box 355, Pittsburgh, PA 15230-0355