ML20203M649
| ML20203M649 | |
| Person / Time | |
|---|---|
| Issue date: | 01/14/1998 |
| From: | Craig C NRC (Affiliation Not Assigned) |
| To: | Essig T NRC (Affiliation Not Assigned) |
| References | |
| PROJECT-694 NUDOCS 9803090207 | |
| Download: ML20203M649 (33) | |
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

January 14, 1998

MEMORANDUM FOR: Thomas H. Essig, Acting Chief
                Generic Issues and Environmental Projects Branch
                Division of Reactor Program Management
                Office of Nuclear Reactor Regulation

FROM: Claudia M. Craig, Senior Project Manager
      Generic Issues and Environmental Projects Branch
      Division of Reactor Program Management
      Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF MEETING WITH THE WESTINGHOUSE OWNERS GROUP (WOG) TO DISCUSS APPLICATION SPECIFIC INTEGRATED CIRCUITS (ASICs)
The subject meeting was held at the NRC offices in Rockville, Maryland on December 3, 1997, between representatives of the WOG, Westinghouse, and the NRC staff. The purpose of the meeting was to provide the NRC staff with an update of the WOG project regarding the ASIC-based replacement module (ABRM) for control and protection systems. Attachment 1 is a list of meeting participants. By letter dated December 29, 1997, Westinghouse provided both the proprietary and non-proprietary versions of the presentation material. Attachment 2 is a copy of the non-proprietary material provided at the meeting.
Westinghouse provided a summary of the design changes that resulted from integration testing. These changes consisted of hardware and algorithm changes. Westinghouse also provided the results of the failure modes and effects assessment (FMEA). As a result of the testing, all failure modes are detectable via surveillance testing, the mean time between failures (MTBF) goal and requirement were met, and no new failure modes were identified.
Westinghouse provided information regarding NRC staff concerns raised in previous meetings. Westinghouse described how the analog design requirements were translated to the new digital design. Westinghouse stated that the validation testing will demonstrate the design was translated properly. Westinghouse discussed the testing and testability of the design at the component, module, and system level. The testing confirmed the design, the equivalency of the ABRM to the analog system, and that the system is testable and problems are detectable.
As a result of the integration testing, Westinghouse will now perform fault grading testing. The fault grading will test as much of the design as it can, and for the functions that are not tested, Westinghouse will perform a FMEA to determine the impact of the failure. The staff had a question concerning the technical specification (TS) applicability to the ABRM. Westinghouse stated that the ABRM and analog systems meet the same TS requirements. The staff stated that plants may need to update their Safety Analysis Reports (SARs) to reflect the digital ABRM and to identify the standards that need to be met when using the ABRM. Westinghouse also discussed the implementation of the changeover from analog to the ABRM using 10 CFR 50.59 and how individual plants would perform their 10 CFR 50.59 reviews. The staff is reviewing generically the use of the ABRM, but each plant will have to perform a 10 CFR 50.59 review for the plant-specific ABRM application. Westinghouse also discussed the testing versus field conditions, and the use of tools.
Westinghouse provided the staff an updated schedule. One submittal has already been made to the staff and Westinghouse plans to submit two more packages, with the last package scheduled to be submitted in May 1998. Westinghouse would like the safety evaluation report in July 1998. The staff plans to conduct several audits during its review of the submittals. The staff and Westinghouse discussed possible time frames and locations for the audits. The staff will develop an audit plan and will include an estimate of the level of staff resources to complete the review. The staff will provide this estimate to Westinghouse before February 1998.
Project No. 694

Attachments: As stated

cc w/atts: See next page

DISTRIBUTION:
Hard Copy: Central Files, PUBLIC, Project File, PGEB R/F, MMalloy, CCraig, JStewart, PLoeser, CDoutt
E-Mail: SCollins/FMiraglia, RZimmerman, BSheron, JRoe, GHolahan/SNewberry, JWermiel

DOCUMENT NAME: 12_3_97.MIN
OFFICE: PGEB | SC:PGEB | BC: [illegible]
NAME: CCraig | [illegible] | JWermiel
DATE: [illegible]/98 | [illegible]/98 | 1/20/98
OFFICIAL RECORD COPY
Attachment 1

WOG/NRC MEETING, DECEMBER 3, 1997
MEETING PARTICIPANTS

| Name | Organization |
|---|---|
| Jerry L. Mauck | NRC/NRR/HICB |
| Ron Battle | ORNL |
| Carl A. Vitalbo | Westinghouse/NPD |
| Robert Stordie | Westinghouse/NPD |
| Dick Miller | Westinghouse/NSD |
| Hamilton Fish | NYPA |
| Michael C. Marino | Virginia Power |
| Darrell Cooksey | UE |
| Claudia Craig | NRC/NRR/PGEB |
| Paul Loeser | NRC/NRR/HICB |
| Deidre Spaulding | NRC/NRR/HICB |
| Jim Stewart | NRC/NRR/HICB |
Attachment 2

Westinghouse Non-Proprietary Class 3

ASIC-BASED REACTOR CONTROL & PROTECTION SYSTEM REPLACEMENT MODULES FOR WESTINGHOUSE DESIGNED NUCLEAR UNITS

WESTINGHOUSE OWNERS GROUP - EPRI MEETING WITH THE US NRC
DECEMBER 3, 1997
NRC WHITE FLINT OFFICES

(C) 1997 Westinghouse Electric Corporation. All Rights Reserved.
PURPOSE OF MEETING:
Determine the Acceptability of Implementing the ASIC-Based Replacement Module (ABRM) Under 10CFR50.59

TOPICS FOR DISCUSSION:
1. Design Update
2. Summary of FMEA Results
3. Review / Discussion of NRC Concerns
   a. Translation of 7300 Design Requirements
   b. Testability of ABRM Design
   c. Tech Spec Accuracy
   d. Implementation Under 10CFR50.59
   e. Test versus Field Conditions
   f. Use of CAD/CAE Software Design Tools
4. Program Schedule
1. DESIGN UPDATE
- Block Diagram Review
- Summary of Changes as a Result of Integration Testing
  - Hardware Design: Circuit Design Changes, Board Layout Changes, Operator Interface Changes, Personality Module Changes
  - ASIC Algorithm Design: Algorithm Changes

[Figure 2-1 ASIC BLOCK DIAGRAM: diagram not reproduced in the non-proprietary material (proprietary marking a,c,e)]
2. SUMMARY OF FMEA RESULTS
- Calculated MTBF for all 14 MB/PMs > calculated MTBF for equivalent 7300 analog
- Calculated MTBF for all 14 MB/PMs > 100,000 hours
- All failure modes that affect board function are detectable by surveillance testing (same as 7300 analog)
- Channel measurements verify that the module is functioning properly and detect the presence of process noise (same as 7300 analog)
- Some failures are immediately detectable via General Alarm (power supply, ASIC, clock, logic)
- Other failures are detectable via Periodic Surveillance Program (same as 7300 analog)
- All failures result in outputs High, Low, Drift, or As-Is (same as 7300 analog)
- No new failure modes
3. DISCUSSION OF NRC CONCERNS
a. Translation of 7300 Design Requirements
- Design process
- Validation Testing will demonstrate that the ABRM is functionally equivalent to the analog module
- Parameters that demonstrate equivalency:
  - Accuracy
  - Time Response
  - Dynamic Performance
  - MTBF
  - Scaling via Operator Interface
[Figure: Controller Design Process (flow diagram not reproduced)]
3. DISCUSSION OF NRC CONCERNS (cont)
b. Testing & Testability of Design
- Components
  - ASIC
  - FPGA
  - Other Parts
- Module
  - Integration Testing
  - Validation Testing
- System
  - Qualification
3. DISCUSSION OF NRC CONCERNS (cont)
b. Testing & Testability of Design
Component Level
- ASIC: Commercially Dedicated Item; 100% Tested; Fault Grading
- FPGA: Design Process
- Other Parts: Standard Commercial Parts
[Figure: ASIC DESIGN PROCESS (diagram withheld from the non-proprietary material; proprietary marking a,c,e)]
FPGAs USED IN ASIC DESIGN
- OPERATOR INTERFACE FPGA
  - USED TO ENTER / CHANGE / STORE SETPOINTS AND TUNING CONSTANTS
  - USED TO PERFORM ANALOG INPUT AND ANALOG OUTPUT CALIBRATION
- RAMLogic FPGA
  - USED TO DIVIDE 4 MHz CLOCK FREQUENCY DOWN TO 1 MHz
  - PERFORMS PARALLEL-TO-SERIAL CONVERSION FOR DATA FROM ASIC TO DAC
  - PERFORMS COMBINATORIAL LOGIC FOR GENERAL AND TROUBLE ALARMS
  - CONTAINS EXTERNAL (SCRATCH PAD) MEMORY FOR INTERMEDIATE CALCULATIONS
- FPGAs ARE USED IN CONJUNCTION WITH A PROM THAT CONTAINS THE CONFIGURATION INFORMATION
FPGAs USED IN ASIC DESIGN
1. DESIGN PROCESS
- Controlled & orderly process according to Design, Verification & Validation Plan
- Using established tools that have wide commercial usage
2. CONFIDENCE LEVEL OF THE CONFIGURATION PROCESS
- Serial configuration scheme has proven reliable in 1000's of designs & millions of devices
- CRC codes provide excellent protection against errors: 100% protection against erroneous configuration files, defective configuration data sources (PROM), synchronization errors between PROM & FPGA, PCB defects (open/shorted tracks)
3. DATA INTEGRITY (CONFIGURATION, SETPOINTS & TUNING CONSTANTS)
- Stored values cannot change inadvertently
4. TESTABILITY OF THE CONFIGURED DEVICE
- Tested as part of integrated assembly during Validation, Qualification and ACES testing
- Device functions are simple & can be thoroughly tested
- Setpoints & Tuning Constants can be tested after card is installed in rack
5. RELIABILITY OF THE FPGA
- Hardware: Protection provided against abnormal conditions & environment provides assurance of high data integrity in noisy environments
- Using high quality devices with wide commercial usage, from reputable manufacturer
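The configuration-load checks in item 2 above can be exercised with a small model. The block below is an added example written for this page, not Westinghouse's design and not any FPGA vendor's loader: the frame layout (bitstream followed by a CRC-32), the LSB-first serial shift, the three fault classes and the GA/TA indicator logic are assumptions made for illustration, and the bitstream itself is a constructed stand-in.

```python
"""Configuration-load integrity check modelled on the serial PROM-to-FPGA
load described above.  Added example, not Westinghouse's design: the frame
layout (bitstream + trailing CRC-32), the fault models and the indicator
logic are assumptions for illustration."""
import zlib


def build_prom_image(config_bits: bytes) -> bytes:
    """What the configuration PROM holds: the bitstream with CRC-32 appended."""
    crc = zlib.crc32(config_bits) & 0xFFFFFFFF
    return config_bits + crc.to_bytes(4, "little")


def serial_load(prom_image: bytes, fault=None):
    """Shift the PROM contents out LSB-first, one bit per clock, applying one
    of the fault classes named on the slide, and return what the FPGA sampled."""
    bits = [(byte >> i) & 1 for byte in prom_image for i in range(8)]
    if fault == "prom_defect":        # one defective PROM cell
        bits[37] ^= 1
    elif fault == "open_track":       # open/shorted data track: line reads 1
        bits = [1] * len(bits)
    elif fault == "sync_slip":        # PROM/FPGA clock slip: every bit sampled one clock late
        bits = [0] + bits[:-1]
    return bits


def fpga_configure(bits) -> dict:
    """Reassemble the frame, verify the CRC and report the front-panel state:
    GA OFF / TA ON until configuration succeeds, GA ON / TA OFF afterwards."""
    failed = {"configured": False, "GA": "OFF", "TA": "ON"}
    if len(bits) % 8:
        return failed
    data = bytes(sum(b << j for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))
    body, crc_rx = data[:-4], int.from_bytes(data[-4:], "little")
    if zlib.crc32(body) & 0xFFFFFFFF != crc_rx:
        return failed
    return {"configured": True, "GA": "ON", "TA": "OFF"}


# Constructed stand-in bitstream (1 KiB); a real configuration file is opaque.
CONFIG = bytes(range(256)) * 4
PROM = build_prom_image(CONFIG)


def run_fault_classes() -> dict:
    """Load the PROM image through each channel fault and collect whether
    the device reached the configured (GA ON) state."""
    return {name: fpga_configure(serial_load(PROM, name))["configured"]
            for name in (None, "prom_defect", "open_track", "sync_slip")}


def substituted_prom_passes() -> bool:
    """A PROM holding a *different* bitstream with its own valid CRC loads
    cleanly: the CRC detects corruption of the data, not substitution of it."""
    other = build_prom_image(bytes(b ^ 0xA5 for b in CONFIG))
    return fpga_configure(serial_load(other))["configured"]


if __name__ == "__main__":
    print(run_fault_classes())
    print("substituted PROM accepted:", substituted_prom_passes())
```

Each fault class on the slide is caught for the same reason: it changes the bit pattern the FPGA actually sampled, so the reassembled frame no longer matches the CRC it carries, and the card stays in the GA OFF / TA ON state that item 6.A describes. The last function makes the limit of the check explicit: a PROM programmed with a different bitstream and a CRC computed over that bitstream loads with GA ON, so the CRC addresses random corruption of the configuration source, not its replacement; that is a matter for process controls, not for the CRC.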
FPGAs USED IN ASIC DESIGN
6. CONSEQUENCES OF FAILURE OF THE OPERATOR INTERFACE FPGA
A. FAILURE TO CONFIGURE
- When card is inserted into slot, FPGA configures from PROM
- During this time, the GA indicator is OFF & the TA indicator is ON
- Upon completion of successful configuration, the GA indicator turns ON (indicating NORMAL operation) & the TA indicator turns OFF
- After this point, any failure is considered a hardware failure (such as a gate)
B. FAILURE DURING SETTING SETPOINTS & TUNING CONSTANTS
- Circuit is only active during entering / changing / storing of setpoints & tuning constants
- A failure would result in the wrong value being entered / stored
- Failure would be detectable during the functional test conducted after the change
C. FAILURE DURING CALIBRATION OPERATION
- Only active when enabled by operator (not automatic or "on-line")
- Failure results in inability to calibrate analog inputs or analog outputs
- Failure would be detectable during the functional test conducted after the change (accuracy)
FPGAs USED IN ASIC DESIGN
7. CONSEQUENCES OF FAILURE OF THE RAMLogic FPGA
A. FAILURE TO CONFIGURE: SAME AS THE OI FPGA
B. FAILURE OF THE CLOCK DIVIDER CIRCUIT
- Divides 4 MHz oscillator frequency down to 1 MHz operational frequency
- Failure could cause operational frequency to go high, low or to zero
- If high or low, the process functions that are time dependent (lag, derivative, lead/lag) will not function correctly because the actual cycle time would be different from the SP & TC which were based on a one millisecond cycle time. This will be detectable during periodic ACOT testing.
- If zero, the dead man timer circuit will time out, causing the GA to activate
- Failures would be similar to component (capacitor, resistor, op-amp) failure in analog system
- ASIC component tested at 4 MHz during post-manufacturing testing
C. FAILURE OF THE PARALLEL-TO-SERIAL CONVERTER
- Converts parallel data bus from ASIC into serial data bus to DAC
- Failure would corrupt data to DAC, resulting in wrong output values
- Failure would be detectable during periodic ACOT testing (accuracy, incorrect indication)
- Failures would be similar to component (capacitor, resistor, op-amp) failure in analog system
D. FAILURE OF THE COMBINATORIAL LOGIC
- Monitors internal diagnostic signals & generates GA and TA
- Failure results in either a spurious GA, spurious TA, no GA or no TA. Circuit is not part of process signal path. If false alarm, output of card will still be correct. If a GA or TA failed to activate, the output of the card will be incorrect because the condition causing the alarm also causes an error in the signal processing (ex. clock failure)
- The ASIC design enhances the GA feature of the 7300 System. In current analog system, the GA activates only when power, or the card fuse, fails.
E. FAILURE OF THE EXTERNAL MEMORY (SCRATCH-PAD)
- Stores intermediate values during string calculations being performed by the ASIC math function
- Failure results in data corruption during READ or WRITE operations, or a stuck bit (gate failure)
- If error is in LSB area, the card output may still be within specified accuracy. If error is in MSB area, results of calculation will be wrong and card output will not be within specified accuracy.
- ASIC chip design cannot lock up. If error was intermittent, a "glitch" may appear at the end of the current cycle, but will be correct next cycle if error disappears. If error is permanent, then output will be wrong and detectable during periodic ACOT testing.
3. DISCUSSION OF NRC CONCERNS (cont)
b. Testing & Testability of Design (cont)
Module Level
- Integration Testing
  - Purpose: Test the interfaces between the ASIC, Controller, Operator Interface, Main Board I/O, and Personality Modules
  - Process: Failures documented via Product Deficiency Reports (PDRs)
INTEGRATION TESTING PROCESS
Algorithms + MB & PM Design (Qty = 28) -> Integration Testing -> Evaluate Results
- Fail: PDR: Revise Algorithms / PDR: Revise HW Design, then repeat Integration Testing
- Pass: Release Design for Manufacture
3. DISCUSSION OF NRC CONCERNS (cont)
b. Testing & Testability of Design (cont)
- Summary of Results:
  - Design Approach Confirmed
  - Equivalency Demonstrated
  - V&V Plan
  - Design Approach is Testable
  - Hardware & Algorithm Failures are Detectable
- Manufacturing Release: Build Validation & Qualification Hardware Using Same Processes as Production Hardware
- Validation Testing
  - Formal Verification of Compliance to Functional Requirements
  - Performed on all Versions of Design
  - Includes ACES Testing
3. DISCUSSION OF NRC CONCERNS (cont)
b. Testing & Testability of Design (cont)
System Level
- Qualification Testing
ASIC TEST & QUALIFICATION PROCESS
[Process diagram (two slides) withheld from the non-proprietary material; proprietary marking a,c,e]
ASIC TEST & QUALIFICATION PROCESS (cont)
SUMMARY
1. INDEPENDENT REVIEW OF ORNL DESIGN WAS CONDUCTED BY ATC
- Simulation testing of design was conducted by ATC
- Enhanced test vectors developed to thoroughly test the device
2. DIVERSITY OF REVIEW PROCESS
- Different People
- Different Process
- Different Procedures
- Different Tools
3. ALL DEVICES TESTED PRIOR TO DELIVERY (details proprietary, marking a,c,e)
4. COMMERCIAL GRADE ITEM DEDICATION PROCESS (details proprietary, marking a,c,e)
5. CONCLUSION: ASIC CHIP WILL OPERATE RELIABLY
3. DISCUSSION OF NRC CONCERNS (cont)
c. Tech Spec Accuracy
- Most limiting 7300 accuracy requirement used for ABRM development
- Setpoint calculation allowances are based on module specification, within the allowance
- ABRMs and 7300 analog modules will be intermixed and meet the same requirements
- Recalculation of Channel Statistical Allowance not required
3. DISCUSSION OF NRC CONCERNS (cont)
d. Implementation Under 10CFR50.59
- FMEA supports responses to 50.59 questions
- CMF potential / susceptibility
  - Design, Verification & Validation process, in conjunction with FMEA, demonstrates that all failures are hardware related and detectable
  - Controller design, verification & validation process eliminates potential for CMF
- Does a digital upgrade preclude implementation under 10CFR50.59?
  - ABRM is not a microprocessor-based system
  - Single random hardware failures vs. common-mode software failures
  - FMEA shows no new failures
3. DISCUSSION OF NRC CONCERNS (cont)
e. Test versus Field Conditions
- Same Test Points Provided as in 7300 Analog
- Same Voltage / Current Levels at Interfaces
- Interaction with analog modules, power supply, cabinet wiring, etc. demonstrated during system level testing
3. DISCUSSION OF NRC CONCERNS (cont)
f. Use of CAD/CAE Software Design Tools
- Used standard commercially available tools
- Well proven in the industry
- No software tools used in validation process
- Final designs verified and validated
4. PROGRAM SCHEDULE
- Submittal Package 2 to NRC: 2/98
- Qualification Testing Complete: 3/98
- Validation Testing Complete: 5/98
- Submittal Package 3 to NRC: 5/98
- Ship Hardware to Demo Plant: 6/98
- NRC SER: 7/98
- NRC Audit: TBD
Westinghouse Owners Group

cc:
Mr. Nicholas Liparulo
Westinghouse Electric Corporation
Mail Stop ECE 4-15
P.O. Box 355
Pittsburgh, Pennsylvania 15320-0355

Mr. Hank Sepp
Westinghouse Electric Corporation
Mail Stop ECE 4-07A
P.O. Box 355
Pittsburgh, Pennsylvania 15320-0355

Mr. Andrew Drake
Westinghouse Owners Group
Westinghouse Electric Corporation
Mail Stop ECE 5-16
P.O. Box 355
Pittsburgh, Pennsylvania 15320-0355