ML20217J959

From kanterella
Rev 0 to J-SPA-289, ESFAS Radiation Monitor Software Common Mode Failure Evaluation
Person / Time
Site: San Onofre  Southern California Edison icon.png
Issue date: 06/12/1997
From: Burda D, Hyde A
SOUTHERN CALIFORNIA EDISON CO.
To:
Shared Package
ML20217J945 List:
References
J-SPA-289, J-SPA-289-R, J-SPA-289-R00, NUDOCS 9710220322


Text

CALCULATION TITLE PAGE

Calc. No. J-SPA-289
DCP/FDCN/FCN No. & Rev.: DCP 2 & 3 6926.01SJ
CCN Conversion: CCN No. CCN-
Subject: ESFAS Radiation Monitor Software Common Mode Failure Evaluation
Sheet 1 of 93
System Number / Primary Station System Designator: 2306
SONGS Units 2 & 3
Tech. Spec. Affecting? NO
Equipment Tag Nos.: 2(3)RE7804G1, 2(3)RE7807G2, 2(3)RE7822G1, 2(3)RE7823G2, 2/3RE7824G1 & 2/3RE7825G2
Computer program / database used (controlled according to SO123-XXIV-51): Microshield (version/release illegible)

Records of Issues:
Rev. 0, Initial issue. Prepared (ORIG): A. Hyde. Reviewed (IRE): D. Burde.

Received JUN 16 1997

Document prepared using WordPerfect, Version 6.1. This calc. was prepared for the identified DCP/FCN. DCP/FCN completion and turnover acceptance to be verified by receipt of a memorandum directing CCN Conversion. Upon receipt, this calc. represents the as-built condition.

NUDOCS 9710220322 971017
PDR ADOCK 05000361

CALCULATION CROSS-INDEX
Calc. No. J-SPA-289, Sheet 2 of 93, CCN No. CCN-

INPUTS (Calc./Document No., Rev. No.):
Calc. No. N-0720-013, Rev. 1
SCE PRA Report NSG-97-001, 2/20/97
SO123-606-1-8-1, Rev. 1
SO123-606-1-9-0, Rev. 0
SO123-606-1-10-1, Rev. 1
SO123-606-1-15-1, Rev. 1
SO123-606-1-98-0, Rev. 1
SO123-606-1-316-0, Rev. 0
SO123-606-1-317-0, Rev. 0
SO123-606-1-359-0, Rev. 0
SO123-606-1-367-0, Rev. 0
90400, Rev. 0
N-4072-003, Rev. 2
90402, Rev. 0

OUTPUTS (Calc./Document No., Rev. No.):
PCN 459, Rev. 0
DBD-S023-890, Rev. 1
DCP 2 & 3 6926.01SJ
DCP 2 & 3 6926.01SJ ASC 3, Rev. 0

EC&FS DEPARTMENT CALCULATION SHEET
Project or DCP/FCN: 2 & 3 6926.01SJ   CCN No.: CCN-
Calc. No.: J-SPA-289   Subject: ESFAS Radiation Monitor Software Common Mode Failure Evaluation   Sheet No. 3 of 93
Rev. 0   Originator: A. Hyde, 6/12/97   IRE: D. Burde, 6/12/97

TABLE OF CONTENTS

1.0 PURPOSE ........ 6
1.1 Purpose ........ 6
1.2 Introduction ........ 6
1.3 Scope of Document ........ 7
1.3.1 ESFAS Radiation Monitors ........ 7
1.3.2 Objectives ........ 7
1.4 Intended Uses/Acceptance Criteria ........ 8
1.4.1 Intended Use ........ 8
1.4.2 Software Acceptance Criteria ........ 8
1.4.3 Failure Probability Assessment ........ 9
1.4.4 Dose Level Criteria ........ 9
2.0 RESULTS/CONCLUSIONS and RECOMMENDATIONS ........ 11
2.1 Evaluation Summary ........ 11
2.2 Conclusions ........ 12
2.3 Recommendations ........ 12
2.4 Requirements ........ 12
2.5 Interfacing Calculations, Documents and Drawings ........ 12
3.0 ASSUMPTIONS ........ 14
3.1 Assumptions Which Do Not Require Verification ........ 14
3.2 Assumptions Which Require Verification ........ 15
3.3 Assumptions by Engineering Judgement ........ 15
4.0 EVALUATION INPUTS ........ 16
4.1 Software Operating Experience Inputs ........ 16
4.2 Software Failure Inputs ........ 17
4.3 LPU Software Module Data ........ 18
4.4 LDU Software Module Data ........ 18
4.5 Hardware Basis ........ 18
4.6 Probable Failure Rate Assessment Inputs ........ 19
4.7 Dose Event Inputs ........ 20
4.8 Accident Dose Inputs ........ 21
5.0 METHODOLOGY ........ 22
6.0 REFERENCES ........ 23
7.0 NOMENCLATURE
7.1 Symbols
7.2 Abbreviations ........ 28
7.3 Definitions ........ 29
8.0 EVALUATION ........ 33
8.1 General Descriptions of Replacement Digital ESFAS Monitors ........ 33
8.1.1 Fuel Handling Building Airborne Monitors, 2(3)RE7822G1, 2(3)RE7823G2 ........ 33
8.1.2 Containment Airborne Radiation Monitor Channels, 2(3)RE7804G1, 2(3)RE7807G2 ........ 34
8.1.3 Control Room Intake Air Monitors, 2/3RE7824G1, 2/3RE7825G2 ........ 36
8.2 Software Evaluation ........ 38
8.2.1 General ........ 38
8.2.2 Safety Channel Architecture ........ 39
8.2.3 Software Module Complexities ........ 39
8.2.4 Software Requirements ........ 44
8.2.5 Software Design ........ 46
8.2.6 Software Verification and Validation
8.2.7 Operating Experience ........ 51
8.2.8 The Nature of Software Failures ........ 52
8.2.9 Fault Densities ........ 54
8.2.10 Summary
8.2.11 Interference Effects on Software ........ 59
8.2.12 Machine-Human Interface (MHI) Effects ........ 59
8.3 Probability Failure Assessment ........ 61
8.3.1 Review of Failure Assessment Approach ........ 61
8.3.2 Failure Probabilities One out of Two Logic ........ 62
8.3.3 Failure Probabilities One out of One Logic ........ 62
8.4 Accident Dose Evaluation ........ 64
8.4.1 System Failure Review ........ 64
8.4.2 Review of Accidents to be Evaluated ........ 65
8.4.3 Accident Dose Review ........ 68
8.4.4 Dose Consequence Summary ........ 83
ATTACHMENT 1 ........ 84
ATTACHMENT 2 ........ 86
ATTACHMENT 3 ........ 90
ATTACHMENT 4 ........ 91
ATTACHMENT 5 ........ 93

1.0 PURPOSE

1.1 Purpose

The purpose of this document is to perform a Software Common Mode Failure (SCMF) evaluation of the replacement digital ESFAS Radiation Monitors. These monitors are safety related instruments being installed at SONGS Units 2 & 3 by Design Change Package (DCP) number 2 & 3 6926.01SJ and associated Affected Section Changes (ASCs).

This evaluation will support a licensing change request to install an all-digital ESFAS radiation monitoring system at SONGS Units 2 and 3.

1.2 Introduction

The current analog radiation monitoring system is considered obsolete and is being replaced with a predominantly digital design. One aspect of this evaluation is to show that prudent steps have been taken to minimize the likelihood of a SCMF occurring. At several meetings held between NRC officials and SCE personnel on this subject, the difficulties of eliminating the possibility of a SCMF were discussed. As a result of these meetings, this review is structured to examine the software and its adherence to a software quality plan. However, since the possibility of a SCMF cannot be totally eliminated, the dose consequences that would result from accidents with failed ESFAS radiation monitors are also considered.

To demonstrate that the necessary steps have been taken to assure against a SCMF, the evaluation examines the nature of the software design structure, the testing and control of the software, and the operating experience of the software used to support this new system.

A SCMF is defined as a software fault occurring simultaneously at each newly installed digital radiation monitor. The fault is considered to originate from a common failure or weakness in the failed software. This fault prevents each monitor from correctly performing its control and alarm functions. Refer to section 3 for further assumptions related to the postulated SCMF.


A probability assessment is made of the recorded failures for the existing analog system and of the failure estimates for the replacement digital system. This assessment compares the loss of isolation function for both system types that results from either hardware or software failures.

In the unlikely event that a SCMF should occur, causing a total loss of isolation function, and any one of a series of accidents defined in the UFSAR (Ref. 6.5.1) occurs simultaneously with the SCMF, the radiological impact to the public and to the Control Room operators is evaluated.

1.3 Scope of Document

1.3.1 ESFAS Radiation Monitors

There are a total of ten (10) radiation monitoring channels used in the ESFAS system. The Containment Purge Isolation Signal (CPIS) is initiated by two (2) radiation monitors in each Unit (2(3)RE7804 and 2(3)RE7807). The Fuel Handling Building Isolation Signal (FHIS) is generated by two (2) radiation monitors in each Unit (2(3)RE7822G1 and 2(3)RE7823G2). The Control Room Isolation Signal (CRIS) is common to both Units and is initiated by two (2) radiation monitors, 2/3RE7824G1 and 2/3RE7825G2.

There are four other radiation channels associated with the CPIS radiation monitors that measure particulate activity (non-ESFAS) and that can, under some circumstances, affect the operability of the Noble Gas ESFAS channels. These particulate channels, along with the noble gas channels, are part of the Reg. Guide 1.45 "leak before break" program. The failure of these four (4) channels will not compromise this program, since alternate methods of measuring leaks within the containment exist.

These particulate channels are included in this analysis only where they are considered to influence the operability of the ESFAS functions.

1.3.2 Objectives

The initial objective is to use the guidelines of the NRC's Generic Letter 95-02 (Ref. 6.1.8), EPRI document TR-102348 (Ref. 6.2.1) and other IEEE Standards to examine the software modules used in the FHIS, CPIS and CRIS radiation monitoring systems. By adhering to these guidelines, the resulting software design is considered to have taken the steps that will minimize the likelihood of occurrence of a common mode failure.

The second objective is to provide the results of an assessment of the system failure probabilities that will show that the likelihood of losing the isolation function is reduced by the introduction of the digital replacement system.

The third objective of this document is to summarize the dose impact to the general public and to the Control Room Operators in the event that the SCMF and one of several postulated accidents occur. By examining this scenario, the difficulty of proving that the software will never fail in a common mode manner is reduced to assessing the plant's ability to withstand a simultaneous SCMF and an FSAR Chapter 15 dose producing accident.

The last objective is to demonstrate that the installation of these ESFAS digital radiation monitors is acceptable and meets 10CFR50.92 criteria for a licensing change submittal.

1.4 Intended Uses/Acceptance Criteria

1.4.1 Intended Use

This document is intended to support a licensing amendment, Proposed Change Notice (PCN) 459, being requested by Southern California Edison (SCE) in order to install new ESFAS digital radiation monitors into SONGS Units 2 & 3.

1.4.2 Software Acceptance Criteria

The acceptance criteria for aspects of the software design process are established in each subsection of the software evaluation in section 8 of this document. In some cases, there are no regulatory or industrial standards available for use in determining acceptance criteria. Engineering Judgement has been used in these cases.

1.4.3 Failure Probability Assessment

No absolute probability values have been assigned as a criterion for acceptance for this replacement system. The criterion used for an acceptable failure rate for the replacement digital system is that each new system is demonstrated to have a lower probability of failure than the existing analog system that it replaces.

1.4.4 Dose Level Criteria

The dose level criteria for the operators in the Control Room are determined by 10CFR50 Appendix A, General Design Criterion 19 (Ref. 6.1.1) and SRP 6.4 (Ref. 6.1.11). Doses received over the duration of the accident are not to exceed:

Control Room (accident dose levels):
Whole body   5 Rem
Thyroid      30 Rem
Beta skin    30 Rem

The acceptance criteria for dose levels to the general public are determined by 10CFR100 (Ref. 6.1.3) for site accident levels. The Standard Review Plan (Ref. 6.1.11) modifies the maximum allowable accident doses for specific accidents. The dose levels used in Calculation N-0720-013 (Ref. 6.5.1) are the same as those used for design basis analysis. These values are:

Table 1.4.4 Accident Dose Criteria (Ref. 6.5.1)

Boundary Location   Accident                                                      Maximum Dose in Rem
                                                                                  Whole body   Thyroid
EAB                 All accidents except as noted                                 25           300
LPZ                 All accidents except as noted                                 25           300
EAB & LPZ           Letdown Line Break                                            2.5          30
EAB & LPZ           Control Rod Assembly Ejection                                 6            75
EAB & LPZ           Fuel Handling Accident & Spent Fuel Pool Gate Drop Accident   6            75
EAB & LPZ           Main Steam Flow                                               6            75

Note: EAB doses are accumulated over a 2 hour period; LPZ doses are the expected integrated doses for the entire accident period.

2.0 RESULTS/CONCLUSIONS and RECOMMENDATIONS

2.1 Evaluation Summary

The software phase of the evaluation examines seven aspects of the software: architecture, complexity, design, verification and validation, experience, failures and fault densities. These portions of the overall software operation are considered to be relevant indications of the quality of the software being evaluated.

Criteria for satisfactory performance were established for each category.

These criteria were developed from industrial standards and engineering judgement. The results of the evaluation show that the software under consideration meets or exceeds the established criteria. By meeting the criteria, the software is considered to have taken the necessary steps that would minimize the likelihood of a SCMF.

The second part of the evaluation shows that the digital replacement system is expected to produce system availability improvements of approximately a factor of ten over the existing analog systems.

The third part of the evaluation reviews the dose consequences that would result from a SCMF of any or all of the ESFAS radiation monitors.

The SCMF is considered to occur in conjunction with a series of bounding accidents given in chapter 15 of the UFSAR. The accidents under consideration in this evaluation are:

1. An increase in Main Steam Flow with a single active failure (Steam Generator Tech. Spec. Leak)
2. A Control Element Assembly Ejection Accident
3. A Letdown Line Break Accident
4. A Small Break Loss of Coolant Accident
5. A Fuel Handling Accident in the Fuel Handling Building
6. A Spent Fuel Pool Gate Drop Accident
7. A Fuel Handling Accident in the Containment

Some of these accidents have been postulated with realistic dispersion values and other minor modifications to design basis conditions.

Acceptance criteria for site boundary and Control Room accumulated doses were obtained from 10CFR100, modified by the Standard Review Plan, and 10CFR50 Appendix A General Design Criteria 19 respectively.

The results show that with the aid of other equipment within the plant (Ref. Section 8.4), mitigating action will prevent the dose levels from exceeding those acceptance criteria.

2.2 Conclusions

1. Industry guidance on software development and maintenance has been used to minimize the likelihood of a SCMF.
2. The probability of losing the total function for each of the ESFAS systems will be lowered by replacing the current analog system with the replacement digital system.
3. In the unlikely event of a SCMF of all ESFAS radiation monitors, sufficient defense-in-depth or time for operator action has been shown to exist such that accident consequences are acceptable.

The installation of redundant digital monitors in these ESFAS applications is considered not to involve a significant hazard.

2.3 Recommendations

None.

2.4 Requirements

1. Modification of existing Operational Procedures to ensure that manual action to initiate CREACUS is taken under accident conditions. Ref. Section 3 (AR 970600574)
2. Completion of revisions to the V & V process. Ref. Section 3 (AR 970600582)

2.5 Interfacing Calculations, Documents and Drawings

Proposed Change Notice PCN-459, Amendment Application, Radiation Monitoring System, San Onofre Nuclear Generating Station Units 2 & 3.

Calculation N-0720-013 Rev. 1, Offsite and Control Room Doses due to Failure of CPIS, CRIS and FHIS. This calculation determines bounding accidents under SCMF conditions. Accumulated doses at the site boundary and Control Room are determined, along with the required times for manual Control Room isolation.

SCE report NSG-97-001, Software Reliability Assessment of Radiation Monitoring System. This report estimates the failure rates of both analog and digital systems in one-out-of-two logic and one-out-of-one logic configurations.

3.0 ASSUMPTIONS

3.1 Assumptions Which Do Not Require Verification

3.1.1 This evaluation assumes that all replacement safety related Engineered Safety Features Actuation System (ESFAS) Radiation Monitors are installed and placed into operation prior to the beginning of the postulated software failure. No analog monitors are operating within the radiation monitoring ESFAS.

3.1.2 The total of ten (10) safety channels, consisting of four (4) FHIS channels, four (4) CPIS channels and two (2) channels of CRIS, can fail simultaneously or in any combination.

3.1.3 No channel failure resulting from a SCMF is identified by annunciation, or other means, at either the Remote Display Unit (RDU) or at the Local Display Unit (LDU). It is assumed that the operational staff will not initially be aware of the SCMF.

3.1.4 Each failed channel is assumed to fail in the "as is" state at the RDU. This means that the failure neither actuates the safety system nor alerts the operators.

3.1.5 No other safety failures are assumed to occur.

3.1.6 Each accident scenario is assumed to occur simultaneously with the SCMF.

3.1.7 The LPUs used in both Units 2 & 3 are identical; it is assumed that these LPUs will all fail as a result of the SCMF. However, the postulated accident will only occur at one Unit.

3.1.8 The software quality assurance program that controls software changes and configuration before and during the plant installation phase of the project is governed by the QA program of the software manufacturer, MGPI. After installation, a QA program under SCE control will be initiated. The assumption is that these QA program controls will maintain the low probability of a SCMF occurring.

3.2 Assumptions Which Require Verification

3.2.1 SCE conducted an evaluation of the software and its related processes (Ref. 6.5.12). The results of this evaluation show that aspects of the V & V program require corrective actions to be taken prior to the equipment being placed into operation. The assumption is that the required actions to the V & V process will be successfully completed. (AR 970600582)

3.2.2 In order to achieve the manual action response times, for CRIS and CPIS, that are claimed in calculation N-0720-013, it is assumed that operational procedures have been modified so that the operator is directed to take the appropriate action. (AR 970600574)

3.3 Assumptions by Engineering Judgement

Criteria for an acceptable amount of software operating experience are not available. An acceptable amount of operating experience was judged to be greater than 10 unit-years of operation.

4.0 EVALUATION INPUTS

4.1 Software Operating Experience Inputs

Table 4.1 Operational Experience of Software Modules thru 6/96 (Ref. 6.4.12, section 7.1)

Plant Site                LPU Base (1)   LPU/PIPS (2)   LPU/SAS (3)   DU Base & Appli (4)
                          (Unit-days)    (Unit-days)    (Unit-days)   (Unit-days)
(plant name illegible)    24054          4005           7525          34962
Barseback                 657            0              438           219
Technicatome              515            0              0             0
Loviisa                   5556           0              5556          0
Kozloduy                  532            0              532           1064
Olkiluoto                 326            0              0             326
PAKS                      412            0              0             412
North Anna                626            0              626           626
Total unit-days           32678          4005           14677         37609

Notes
1 LPU Base includes RAMSYS Common, LPU Common, I/O, Appli Common and LPU Base.
2 Used in FHIS and CPIS applications.
3 Used in CRIS application.
4 DU Base & Appli includes RAMSYS Common, DU Common, DU Base and DU Appli.

4.2 Software Failure Inputs

Table 4.2 Software Failures (Ref. 6.4.12, section 7.2)

Software Module     Jamming Failures (1)   Non-Jamming Failures (1)   Total Failures
LPU/Base            2                      9                          11
LPU/IO              0                      0                          0
LPU/PIPS            10                     33                         43
LPU/SAS             11                     42                         53
LPU PIPS Totals     12                     42                         54
LPU SAS Totals      13                     51                         64
DU/Base             6                      19                         25
DU/Application      18                     59                         77
DU Totals           24                     78                         102

Note 1: Jamming refers to a failure that prevents the monitor function from being performed. Non-jamming refers to a failure that does not prevent the monitor from performing its safety function.

4.3 LPU Software Module Data

Table 4.3 LPU Software Module Data (Ref. 6.4.13)

Module Name       No. Sub Modules   No. Functions   No. Lines of Code
RAMSYS Common     19                93              2785
LPU Common        3                 14              236
Appli Common      13                127             6171
LPU-PIPS          10                77              5620
LPU-SAS           15                113             7133
LPU-I/O           3                 13              511
LPU Base          5                 20              821

4.4 LDU Software Module Data

Table 4.4 LDU Software Module Data (Ref. 6.4.13)

Module Name       No. Sub Modules   No. Functions   No. Lines of Code
RAMSYS Common     19                93              2785
DU Common         12                49              2208
DU Appli          27                253             15533
DU Base           3                 30              2021

4.5 Hardware Basis

The hardware associated with running the software for the newly installed radiation monitoring equipment is identified in SCE document 90402 (Ref. 6.5.13).

4.6 Probable Failure Rate Assessment Inputs

Table 4.6a Summary of System Failure Probabilities (1 out of 2 logic) (Ref. 6.5.11, table 3)

System   Failure Rate in failures/hr
         Digital (new)   Analog (existing)
CPIS     2.6E-5          2.2E-4
CRIS     1.5E-5          1.2E-4
FHIS     1.7E-5          1.4E-4

Table 4.6b Summary of System Failure Probabilities (1 out of 1 logic) (Ref. 6.5.11, Attachment 3)

System   Failure Rate in failures/hr
         Digital (new)   Analog (existing)
CPIS     1.3E-4          2.64E-3
CRIS     8.59E-5         8.11E-4
FHIS     8.36E-5         1.96E-3

EC&FS DEPARTMENT ice Nos CALCULATION SHEET CCN CONVERSK)N; Project or DCPECN 1&11it1001K1 ocN NO. CCN -

_ Cale No. MDA.?R9 Sub}ect ESE'ASitwhla= MonitarSoftware Commen Mo&laihartEv '""La erv .ostainatur pair Sheet No. 20.. of tL._

set oatt [erv oercimaton eAtt tre navy 0

A. PA 6/1F/97 D. turds 6/12/97 II

+

4.7 Dose Event Inputs

Table 4.7 Summary of Evaluated Accidents (Ref. 6.5.1 section 8.1)

UFSAR     Accident                                     Airborne Activity Release Location            SIAS Initiated
Section                                                Inside   Inside   MSSV   ADV   Other          (prior to 30 min /
                                                       Cont.    FHB                                  30 min to SDC)
15.1.2.3  Increase in Main Steam Flow                  No       No       Yes    Yes   No             No
15.1.2.4  Inadvertent Opening of Steam Gen. ADV        No       No       No     Yes   No             No
15.2.3.1  Feedwater System Pipe Break                  Yes      No       Yes    Yes   No             No
15.4.3.2  Control Element Assembly Ejection (credit)   Yes      No       Yes    Yes   No             No
15.6.3.1  Primary Sample Line Break / Letdown Line     No       No       No     Yes   Yes (Note 1)   No
15.6.3.3  Small Break LOCA                             Yes      No       Yes    Yes   No             Yes/No (Note 2)
15.7.3.4  Fuel Handling Accident in FHB                No       Yes      No     No    No             No
15.7.3.0  Spent Fuel Pool Gate Drop                    No       Yes      No     No    No             No
15.7.3.8  Spent Fuel Pool Boiling                      No       Yes      No     No    No             No
15.7.3.9  Fuel Handling Accident in Containment        Yes      No       No     No    No             No

Note 1  Release outside containment directly into the atmosphere.
Note 2  SBLOCA break sizes smaller than 0.01 ft² may not generate a SIAS.
Note 3  All other UFSAR chapter 15 accidents are considered to be bounded by the accidents shown in this table.
Note 4  Reviewed accidents in Ref. 6.5.1 are considered beyond design basis.
Note 5  The Steam Generator Tube Rupture accident (SGTRA) was not included in Ref. 6.5.1. The design basis accident doses produced from a SGTRA will be mitigated at the Control Room by the SIAS when no CRIS channels are operational (Ref. 6.5.3). Resulting doses are within 10CFR100 limits.


4.8 Accident Dose Inputs

Table 4.8 Summary of Accident Doses (Ref. 6.5.1 section 2.1, Note 2)
All doses in Rem.

Accident                                   Control Room Doses        EAB Doses                 LPZ Doses
                                           Thyroid  Beta   Whole     Thyroid  Beta   Whole     Thyroid  Beta   Whole
                                                    skin   body               skin   body               skin   body
Increase in Main Steam Flow                6.1      3.7    0.7       0.2      <0.1   <0.1      0.2      <0.1   <0.1
Inadvertent Opening of Steam Gen. ADV      14.1     <0.1   <0.1      <0.1     <0.1   <0.1      <0.1     <0.1   <0.1
Feedwater System Pipe Break                7.9      <0.1   <0.1      <0.1     <0.1   <0.1      <0.1     <0.1   <0.1
Control Element Assembly Ejection          23.8     0.7    0.1       1.0      <0.1   <0.1      0.9      <0.1   <0.1
Primary Sample Line Break / Letdown Line   2.2      0.2    <0.1      <0.1     <0.1   <0.1      <0.1     <0.1   <0.1
Small Break LOCA                           4.9      <0.1   <0.1      <0.1     <0.1   <0.1      <0.1     <0.1   <0.1
Fuel Handling Accident in FHB              20.4     0.4    <0.1      0.2      <0.1   <0.1      0.1      <0.1   <0.1
Spent Fuel Pool Gate Drop                  29.2     0.8    0.1       0.6      <0.1   <0.1      0.1      <0.1   <0.1
Spent Fuel Pool Boiling                    19.4     NA     0.3       <0.1     NA     <0.1      <0.1     NA     <0.1
Fuel Handling Accident in Containment      19.5     5.3    0.3       72.7     0.5    0.4       2.1      <0.1   <0.1
(Note 1)

Note 1  Data source is calculation N-4072-003 (Ref. 6.5.2).
Note 2  Some of the accidents have been postulated with realistic dispersion values and other minor modifications to design basis conditions.


5.3 METHODOLOGY

The evaluation has three sections. The first section is an examination of the software, the second is a comparison of the probabilities of failure of the digital replacement system and the existing analog system, and the third section is an evaluation of the dose consequences that could occur if a software common mode failure (SCMF) takes place concurrently with one of a number of postulated accidents.

The first task in the software evaluation is to select the elements that have the most effect on the overall ability of the software to perform and maintain the desired function and operability. After the selection of the main elements impacting software operability, criteria for each element were established. The criteria were obtained from NRC endorsed NUREGs, industrial standards and with the use of industrial comparative data. These criteria were used to gauge the overall likelihood of the software experiencing a common mode failure.

The second evaluation aspect examines hardware failure data for the existing analog system. This data was used to determine the overall Mean Time Between Failure based on a redundant analog system configuration. A comparable overall system MTBF value is determined for the combined hardware and software of the replacement system. In configuring the failure probability logic paths, the hardware is considered to be redundant. Software is considered to be non-redundant, such that a software failure will impact both trains. The only acceptance criterion is that the replacement digital system have an overall probability of isolation function failure that is lower than that of the existing analog system.

In the event that a software common mode failure occurred and any one of the postulated accidents were to take place simultaneously, the third section of the evaluation examines how the accident could be mitigated with the aid of alternate equipment and manual intervention. A check of bounded accidents is made to ensure that lower radiological activities do not integrate over a longer time period, causing a greater dose impact. The resulting doses are compared with the dose criteria determined in section 1.4.4.
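The logic path described in the second part of section 5.3, as an added illustration that is not the model of Ref. 6.5.11 behind Tables 4.6a and 4.6b: redundant hardware trains, a single non-redundant software element that fails both trains at once, and the acceptance criterion that the digital system's failure probability must be lower than the analog system's. The per-element probabilities in the example are constructed placeholders; only TABLE_4_6A repeats values from this page.

```python
"""Added illustration of the Section 5.3 failure probability logic path.
Hardware trains are redundant (both must fail to lose the function in
1-out-of-2 logic); software is a single common mode element whose failure
takes out both trains. Not the calculation's own model (that is in Ref.
6.5.11); per-element values below are constructed placeholders."""
import math

# Failure rates in failures/hr as (digital, analog), copied from Table 4.6a
# (1 out of 2 logic, Ref. 6.5.11 Table 3).
TABLE_4_6A = {
    "CPIS": (2.6e-5, 2.2e-4),
    "CRIS": (1.5e-5, 1.2e-4),
    "FHIS": (1.7e-5, 1.4e-4),
}


def failure_probability(rate_per_hr: float, hours: float) -> float:
    """Probability that a constant-failure-rate element fails within `hours`
    (exponential model; an assumption of this example, not of the page)."""
    return 1.0 - math.exp(-rate_per_hr * hours)


def one_out_of_two(p_train_a: float, p_train_b: float, p_software: float = 0.0) -> float:
    """Probability the isolation function is lost with 1-out-of-2 logic.
    Hardware loses the function only if both trains fail; the software common
    mode element fails the function on its own. The analog system has no
    software term (p_software = 0)."""
    p_hardware = p_train_a * p_train_b
    return 1.0 - (1.0 - p_software) * (1.0 - p_hardware)


def one_out_of_one(p_train: float, p_software: float = 0.0) -> float:
    """Same logic path for a single channel (1 out of 1), cf. Table 4.6b."""
    return 1.0 - (1.0 - p_software) * (1.0 - p_train)


def max_tolerable_software_probability(p_train: float, p_analog_system: float) -> float:
    """Largest software common mode failure probability for which a digital
    1-out-of-2 system with identical trains still beats the analog system.
    Solves one_out_of_two(p, p, p_sw) == p_analog_system for p_sw."""
    p_hardware = p_train * p_train
    if p_hardware >= p_analog_system:
        return 0.0  # the hardware alone is already no better than analog
    return 1.0 - (1.0 - p_analog_system) / (1.0 - p_hardware)


def meets_acceptance(p_digital: float, p_analog: float) -> bool:
    """Section 5.3 acceptance criterion: digital strictly lower than analog."""
    return p_digital < p_analog


def acceptance_by_system(table=TABLE_4_6A) -> dict:
    """Apply the criterion to each system's tabulated failure rates."""
    return {name: meets_acceptance(dig, ana) for name, (dig, ana) in table.items()}


if __name__ == "__main__":
    # Constructed case: analog trains 0.1 each; digital trains 0.02 each plus
    # a 0.005 software common mode probability over the same interval.
    analog = one_out_of_two(0.1, 0.1)
    digital = one_out_of_two(0.02, 0.02, p_software=0.005)
    print(f"analog 1oo2: {analog:.6f}  digital 1oo2: {digital:.6f}  "
          f"accept={meets_acceptance(digital, analog)}")
    print("software budget before digital loses its edge:",
          f"{max_tolerable_software_probability(0.02, analog):.6f}")
    print(acceptance_by_system())
```

The budget function shows the practical use of the logic path: with redundant hardware, the software term dominates the digital system's total, so the software common mode probability is what has to be bounded.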


6.0 REFERENCES

6.1 Regulatory References

6.1.1 10CFR50 Appendix A, General Design Criteria for Nuclear Power Plants
6.1.2 10CFR50 Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants
6.1.3 10CFR100, Reactor Site Criteria
6.1.4 R.G. 1.45, Reactor Coolant Pressure Boundary Leakage Detection Systems, May 1973
6.1.5 R.G. 1.109 Rev. 1, Calculation of Annual Doses To Man from Routine Releases of Reactor Effluents for the purpose of Evaluating Compliance with 10CFR50 Appendix I
6.1.6 Reg. Guide 1.152, 1985, Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants
6.1.7 Reg. Guide 1.153, 1985, Criteria for Power, Instrumentation, and Control Portions of Safety Systems
6.1.8 NRC Generic Letter No. 95-02; S. A. Varga, "Use of NUMARC/EPRI Report No. TR-102348 in determining the acceptability of performing Analog-to-Digital replacements under 10CFR50.59", April 26, 1995
6.1.9 NUREG/CR-4640, Handbook of Software Quality Assurance Technologies Applicable to the Nuclear Industry, 1987
6.1.10 NUREG/CR-6018, Survey and Assessment of Conventional Software Verification and Validation Methods, April 1993
6.1.11 NUREG-0800, USNRC Standard Review Plan, July 1981


6.2 EPRI / International Standards

6.2.1 NUMARC/EPRI Report TR-102348, "Guideline on Licensing Digital Upgrades", Dec 1993
6.2.2 EPRI Topical Report TR-102323, "Guidelines for Electromagnetic Interference Testing in Power Plants"
6.2.3 ISO 9000-3, 1991, Quality Management and Quality Assurance Standards - Part 3: Guidelines for the Application of ISO 9001 to the Development, Supply and Maintenance of Software

6.3 Industrial

6.3.1 IEEE Std 7-4.3.2-1993, Criteria for Digital Computers in Safety Systems of Nuclear Generating Stations
6.3.2 IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations
6.3.3 IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations
6.3.4 IEEE Std 730.1-1989, Standard for Software Quality Assurance Plans
6.3.5 IEEE Std 830-1984, Guide to Software Requirements Specifications
6.3.6 IEEE Std 982.2-1988, Guide for the Use of IEEE Standard Dictionary of Measures to Produce Reliable Software
6.3.7 IEEE Std 983-1986, Guide for Software Quality Assurance Planning
6.3.8 IEEE Std 1012-1986, Standard for Software Verification and Validation Plans
6.3.9 IEEE Std 1016.1-1993, Guide to Software Design Descriptions
6.3.10 IEEE Std 1023-1988, Guide for the Application of Human Factors


Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations
6.3.11 ANSI X3.159-1989, Programming Language C

6.4 SCE Vendor Documents

6.4.1 SCE VPL No. SO123-606-1-8 Rev. 1, RMS Software Quality Assurance Plan
6.4.2 SCE VPL No. SO123-606-1-9 Rev. 0, RMS Protocol Technical Specifications
6.4.3 SCE VPL No. SO123-606-1-10 Rev. 1, System Software Requirements Specifications
6.4.4 SCE VPL No. SO123-606-1-15 Rev. 1, DRMS Software Verification and Validation Plan
6.4.5 SCE VPL No. SO123-606-1-98 Rev. 1, DU General Software Design Description
6.4.6 SCE VPL No. SO123-608-1-180 Rev. 2, DRMS Skid 7822, 7823 P&ID
6.4.7 SCE VPL No. SO123-606-1-175 Shts 1 & 2 Rev. 5, DRMS Skid 7822, 7823 Wiring Diagram
6.4.8 SCE VPL No. SO123-606-1-316 Rev. 0, User's Manual, LDU/RDU
6.4.9 SCE VPL No. SO123-608-1-317 Rev. 0, User's Manual, Local Processing Unit (LPU)
6.4.10 SCE VPL No. SO123-606-1-346 Rev. 0, LPU General Software Design Description
6.4.11 SCE VPL No. SO123-606-1-359 Rev. 1, Electromagnetic Interference (EMI) Test Report on the Radiation Monitoring System


6.4.12 SCE VPL No. SO123-606-1-367-0, Software Verification and Validation Final Report
6.4.13 SCE SO123-606-1-210, Letters Jean-Paul Guillemot (MGPI) to D. Beauchaine (SCE), Feb 20 & 22, 1996, Subject: RMS software in LPU and DU / Line numbers

6.5 SCE Documents

6.5.1 SCE Calculation N-0720-013 Rev. 1, Offsite and Control Room Doses Due to Failure of CPIS, CRIS and FHIS
6.5.2 SCE Calculation N-4072-003, Fuel Handling Accident inside Containment: Control Room and Offsite Doses
6.5.3 SCE Calculation N-4075-004 Rev. 2, Doses for Revised Steam Generator Tube Rupture
6.5.4 SCE Analysis J-SPA-269 Rev. 0, ESFAS Radiation Monitor Single Failure Analysis
6.5.5 SO123-606-1-12 Rev. 2, Radiation Monitoring and Sampling System Replacement Supplier Scope of Work
6.5.6 SONGS 2 & 3 Updated Final Safety Analysis Report, Rev. 12
6.5.7 SCE SO23 ODCM Rev. 29, Offsite Dose Calculation Manual
6.5.8 SCE SO23-XXV-9.339 Rev. 2, Setting of Nuclear Measurements Corporation Radiation Monitoring Alarm Set points
6.5.9 SCE SO123-XXV-9.338 Rev. 1, Alarm Setpoints Calibration, General Atomics Analog Radiation Monitors
6.5.10 SCE Nuclear Consolidated Database Document 90010A Rev. 47
6.5.11 SCE Report No. NSG-97-001, Software Reliability Assessment of Radiation Monitoring System, Feb 24, 1997


6.5.12 SCE Report No. 900400 Rev. 0, Software Evaluation Report
6.5.13 SCE Report No. 900402 Rev. 0, Software Configuration Data Base
6.5.14 Facility Operating License Nos. NPF-10 and NPF-15, Amendments 135 & 125
6.5.15 SCE Procedure SO2315.56A, Annunciator Panel 56A, PPS
6.5.16 SCE Topical Quality Assurance Manual, Chapter 1-J Rev. 4
6.5.17 Memo to File; L. Bray to J. Rolph; Suggested Allowable Values for Area Radiation Monitors at San Onofre Units 2 & 3, Aug 26, 1987

6.6 Industrial Texts / Data

6.6.1 J. D. Musa, A. Iannino, K. Okumoto; Software Reliability, Professional Edition; McGraw-Hill, 1990
6.6.2 J. Inglis, F. Gray, D. M. Kare, M. K. Kaufmann, 1986, Unpublished work (Referenced in 6.6.1)
6.6.3 R. S. Pressman; Software Engineering, A Practitioner's Approach; McGraw-Hill, 1992


7.0 NOMENCLATURE

7.1 Symbols

µCi     1 x 10^-6 Curies
X/Q     atmospheric dispersion factor
Am-     Isotope of Americium
Bq      Becquerel
cc      cubic centimeter = milliliter
Ci      1 Curie
E       Energy (average) in keV
ft      Feet
ft³     Cubic foot
gm      gram
hr      hour
in      inches
Ir-     Isotope of Iridium
K       1 x 10^3
keV     1 x 10^3 electron volts
m³      cubic meter
MeV     1 x 10^6 electron volts
milli   1 x 10^-3
min     minute
ml      1 x 10^-3 liters = 1 cm³
mR      1 x 10^-3 Rad
mrem    1 x 10^-3 Rem
sec     second
Xe-     Isotope of Xenon


7.2 Abbreviations

ASC       Affected Section Change
CAEP      Constant Air Exchange Plenum
CAEA      Control Rod Assembly Ejection Accident
CFR       Code of Federal Regulations
Conc.     Concentration
CREACUS   Control Room Emergency Air Clean Up System
CPIAS     Containment Purge Isolation Actuation Signal
CPIS      Containment Purge Isolation Signal
CR        Control Room
CRIS      Control Room Isolation Signal
DBD       Design Basis Document
DCP       Design Change Package
EAB       Exclusionary Area Boundary
EMI       Electro-magnetic Interference
Engrg     Engineering
EPRI      Electrical & Power Research Institute
ESFAS     Engineered Safety Features Actuation System
FHA       Fuel Handling Accident
FHB       Fuel Handling Building
FHIS      Fuel Handling Building Isolation Signal
FWSPBA    Feed Water System Pipe Break Accident
gpm       Gallons per minute
GWD       Giga (1 x 10^9) watt-days
IEEE      Institute of Electrical and Electronic Engineers
IMSF      Increased Main Steam Flow
IOSGADV   Inadvertent Opening of Steam Generator Atmospheric Dump Valves
LDU       Local Display Unit
LOAC      Loss of AC Power
LPU       Local Processing Unit
LPZ       Low Population Zone
Max       Maximum
MGPI      Merlin Gerin Provence Instruments Inc.
MHI       Man-Human Interface
MSSV      Main Steam Safety Valve
MTBF      Mean Time Between Failure
PCN       Proposed Change Notice


PIPS      Passivated Impregnated Planar Silicon
PVS       Plant Vent Stack
RAMSYS    MGPI's Basic Radiation Monitoring System Software
R.G.      Regulatory Guide
RCS       Reactor Coolant System
RDU       Remote Display Unit
RE        Radiation Element (Detector)
Ref.      Reference
Rem       Rad equivalent man
RFI       Radio Frequency Interference
RMS       Radiation Monitor System
SAF       Single Active Failure
SAS       Spectral Analysis Detector
SBLOCA    Small Break Loss of Coolant Accident
SCE       Southern California Edison
SCMF      Software Common Mode Failure
SDC       Shut Down Cooling
SFPBA     Spent Fuel Pool Boiling Accident
SFPGDA    Spent Fuel Pool Gate Drop Accident
SIAS      Safety Injection Actuation Signal
SONGS     San Onofre Nuclear Generating Station
SRCPSS    Single Reactor Coolant Pump Sheared Shaft
SRP       Standard Review Plan
UFSAR     Updated Final Safety Analysis Report
V&V       Validation & Verification


7.3 Definitions

PIPS Detector: A Passivated Impregnated Planar Silicon solid state detector. This detector type is used in the detection of beta emissions. It is used for the FHIS noble gas and the CPIS particulate measurements.

SAS Detector: A Sodium Iodide detector used in conjunction with a photomultiplier to obtain measurement of gamma emissions. This scintillation detector type is capable of producing spectral analyses from an array of gamma energies. It is used for the CRIS in-duct detector and the CPIS noble gas detector.

Rad: The unit of absorbed dose equal to 100 ergs/gram in any defined material.

Rem: The unit of absorbed dose in body tissue equal to a Rad times a quality factor. The quality factors for gamma and beta radiations are equal to 1.

Curie: The amount of radioactivity that produces 3.7 x 10^10 disintegrations/sec.

Exclusionary Boundary Area: The area surrounding the reactor, in which the licensee has the authority to exclude or remove personnel or property.

Low Population Zone: The area immediately surrounding the exclusionary area that contains residents of such density that appropriate measures could be taken to protect them in the event of a serious accident.

MTBF: The average time between failures of a system or component, in units of hours per failure.

Validation: The process of evaluating software at the end of the software development to ensure compliance with the software requirements.


Verification: The process of determining whether the products of a given phase of software development fulfill the requirements established during the previous development phase.


8.0 EVALUATION

8.1 General Descriptions of Replacement Digital ESFAS Monitors

8.1.1 Fuel Handling Building Airborne Monitors, 2(3)RE7822G1, 2(3)RE7823G2

The Fuel Handling Building monitors perform an isolation function.

The ESFAS function assigned to these monitors is the alarming and switching of the Fuel Handling Building flow path into a closed loop under accident conditions. Outside air is restricted from entering and all the contained air in the building is recirculated through a filtration system.

The Fuel Handling Building monitors consist of Noble Gas detectors. This detector is used as the ESFAS protection sensor.

This detector operates by measuring samples of the air at the exit of the building. Prior to the sample entering a *00 milliliter sample chamber, Particulate and Iodine activities are removed. The Noble Gas detection system uses a Passivated Impregnated Planar Silicon (PIPS) detector. This detector uses a low bias voltage (<25 volts). The output of this detector produces pulses proportional to the Fuel Handling Building sample activity disintegration rates. A secondary PIPS detector measures gamma activity induced from the background field present around the detector. The count rate values collected from this detector are subtracted from the primary detector count rates to compensate for gamma background count contributions.

The detector output electrical pulses are shaped, discriminated and counted in registers for predetermined time intervals. The accumulated counts per time interval will statistically vary for a constant concentration. A software module averages these values and produces average count rates in counts per second.

Other software modules convert the averaged count rate into Noble Gas concentrations using stored calibration values for this


conversion. The output is given in µCi/cc or Bq/m³. When trip set points are exceeded, alarm status bits are set. The concentration and status are serially communicated to both the LDU and to the RDU.

The LDU has the function of locally displaying Noble Gas concentration values and alarm status. The RDU has the same functions as the LDU except for operating remotely. In addition, the RDU operates relays used to actuate the Fuel Handling Building isolation valves.

The input conditions and signals that can affect the isolation of the Fuel Handling Building are given in table 1 of Attachment 3.

8.1.2 Containment Airborne Radiation Monitor Channels, 2(3)RE7804G1, 2(3)RE7807G2, 2(3)RE7804P1, 2(3)RE7807P2

The Containment Airborne monitors perform multiple functions.

The ESFAS function assigned to these monitors is the alarming and closure of the Containment Purge supply and exhaust valves for both Main and Mini purges under accident conditions.

The Containment Airborne monitor has both Noble Gas and Particulate detectors. Only the Noble Gas detector is used as the ESFAS protection sensor. The Particulate detector's function is to identify small leaks into the containment and is not considered to be an ESFAS channel (Ref. 6.1.4).

A sample of the containment air is extracted from the containment.

Prior to the sample entering a 7.825 liter sample chamber, Particulate and Iodine activities are removed. The Noble Gas detection system uses a Sodium Iodide scintillator coupled to a photomultiplier to generate electrical pulses at a rate proportional to the containment sample activity disintegration rates.

The photomultiplier detector operates with a high voltage (~1000 volts) power supply. The gain of the photomultiplier is sensitive to changes in high voltage. High voltage control is maintained using the output of an embedded standard Am-241 source in the Sodium


Iodide crystal. The output from this source can be measured separately and used to adjust the window widths in order to maintain a constant gain value.

The detector output electrical pulses are shaped, discriminated and counted in registers for predetermined time intervals. The accumulated counts per time interval will statistically vary with constant Noble Gas concentration. A software module averages these values and produces average count rates in counts per second.

Other software modules convert the averaged count rate into Noble Gas concentrations using stored calibration values for this conversion. The output is given in µCi/cc or Bq/m³. When trip set points are exceeded, alarm status bits are set. The concentration and status are serially communicated to both the Local Display Unit (LDU) and to the Remote Display Unit (RDU).

The particulate channel consists of a Passivated Impregnated Planar Silicon (PIPS) detector located close to the filter area used to trap the airborne particulate matter contained in the incoming air stream. The detector is powered with a low voltage bias supply (<25 volts). The activity build up on the filter increases with time until an equilibrium state is reached with the decay of the short lived isotopes. The resulting count rate is proportional to the leak rate of the Reactor Coolant System (RCS) into the containment.

A secondary PIPS detector measures gamma activity induced from the background field present around the detector. The count rate values collected from this particulate detector are subtracted from the primary detector count rates to compensate for gamma background count contributions.

The detector output electrical pulses are shaped, discriminated and counted in registers for predetermined time intervals. The accumulated counts per time interval will statistically vary for a constant filter activity. The same software module averages these values and produces average count rates in counts per second.


Other software modules convert the averaged count rate into particulate concentrations using stored calibration values for this conversion. The output is given in µCi/cc or Bq/m³. When trip set points are exceeded, alarm status bits are set. The concentration and status are serially communicated to both the Local Display Unit (LDU) and to the Remote Display Unit (RDU).

The LDUs have the function of locally displaying Noble Gas and particulate concentration values and alarm status. The RDU has the same functions as the LDU except for operating remotely. In addition, the Noble Gas RDU operates relays used to actuate the containment purge isolation valves.

The input conditions and signals that can affect the isolation of the Containment are given in tables 2a and 2b of Attachment 4. Table 2a covers operational modes 1 through 4 and table 2b covers operation in mode 6.

8.1.3 Control Room Intake Air Monitors, 2/3RE7824G1, 2/3RE7825G2

The Control Room Intake Air monitors perform an air flow path switching function. The ESFAS function assigned to these monitors is to switch from a normal single source, recirculated air flow configuration to a redundant, highly filtered, recirculating, emergency mode flow path. Postulated accidents have releases that are drawn into the Control Room air system. The monitors are located in the incoming air ducting.

The Control Room Intake Air monitors consist of Noble Gas detectors. The detectors operate by directly measuring the air activity in the duct at the entrance to the Control Room. The Noble Gas detection system uses a Sodium Iodide scintillator with a photomultiplier. The output of this detector produces pulses proportional to the inlet duct activity disintegration rates.

The photomultiplier detector operates with a high voltage (~1000 volts) power supply. The gain of the photomultiplier is sensitive to changes in high voltage. High voltage control is maintained using the output of an embedded Am-241 standard source in the Sodium


Iodide crystal. The output from this source can be measured separately and used to adjust the high voltage in order to maintain a constant gain value.

The detector output electrical pulses are shaped, discriminated and counted in registers for predetermined time intervals. The accumulated counts per time interval will statistically vary with a constant concentration. A software module averages these values and produces average count rates in counts per second.

Other software modules convert the averaged count rate into Noble Gas concentrations using stored calibration values for this conversion. The output is given in µCi/cc or Bq/m³. When trip set points are exceeded, alarm status bits are set. The concentration and status are serially communicated to both the Local Display Unit (LDU) and to the Remote Display Unit (RDU).

The LDU has the function of locally displaying Noble Gas concentration values and alarm status. The RDU has the same functions as the LDU except for operating remotely. In addition, the RDU operates relays used to actuate the Control Room Air path valves and dampers.

The input conditions and signals that can affect the isolation of the Control Room are given in table 3 of Attachment 5.
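The per-channel processing chain that sections 8.1.1 through 8.1.3 describe in prose (register counts per interval, background subtraction, averaging to counts per second, conversion with a stored calibration value, and alarm status bits at the trip setpoint), together with the two-channel one-out-of-one actuation of section 8.2.2.1, as an added worked example. This is not the vendor's RAMSYS or LPU code; the register histories, calibration factor, setpoint and status bit assignment are constructed for illustration, and channels without a secondary background detector simply pass zero background counts.

```python
"""Added example of the count-rate to alarm-status chain described in
Sections 8.1.1 to 8.1.3. Not the vendor's RAMSYS/LPU software: module
names, register values, calibration value, setpoint and the status bit
assignment are constructed placeholders."""
from dataclasses import dataclass
from statistics import mean
from typing import Sequence

TRIP_BIT = 0b1  # status bit for the ESFAS trip setpoint (bit position assumed)


@dataclass(frozen=True)
class ChannelCalibration:
    interval_s: float            # counting interval per register read-out
    cps_per_uci_cc: float        # stored calibration value, cps per uCi/cc (constructed)
    trip_setpoint_uci_cc: float  # trip setpoint in uCi/cc (constructed)


def net_count_rates(primary_counts: Sequence[int], background_counts: Sequence[int],
                    interval_s: float) -> list[float]:
    """Per-interval net count rate after subtracting the secondary (gamma
    background) detector's counts. A background fluctuation can exceed the
    primary counts in one interval, so the net value is clipped at zero rather
    than feeding a negative concentration downstream (handling assumed here)."""
    if len(primary_counts) != len(background_counts):
        raise ValueError("primary and background register histories differ in length")
    if interval_s <= 0:
        raise ValueError("counting interval must be positive")
    return [max(p - b, 0) / interval_s for p, b in zip(primary_counts, background_counts)]


def average_count_rate(rates: Sequence[float]) -> float:
    """Average the statistically varying interval values into one cps figure."""
    if not rates:
        raise ValueError("no counting intervals to average")
    return mean(rates)


def concentration_uci_cc(avg_cps: float, cal: ChannelCalibration) -> float:
    """Convert average cps to concentration with the stored calibration value."""
    return avg_cps / cal.cps_per_uci_cc


def status_bits(conc: float, cal: ChannelCalibration) -> int:
    """Set the alarm status bit when the trip setpoint is exceeded."""
    return TRIP_BIT if conc > cal.trip_setpoint_uci_cc else 0


def process_channel(primary_counts: Sequence[int], background_counts: Sequence[int],
                    cal: ChannelCalibration) -> tuple[float, int]:
    """Full chain for one channel; returns (concentration, status), the pair
    the LPU communicates serially to the LDU and RDU."""
    rates = net_count_rates(primary_counts, background_counts, cal.interval_s)
    conc = concentration_uci_cc(average_count_rate(rates), cal)
    return conc, status_bits(conc, cal)


def isolation_demand(status_channel_1: int, status_channel_2: int) -> bool:
    """Two channels in one-out-of-one logic (Section 8.2.2.1): either
    channel's trip bit drives its RDU relay and demands isolation."""
    return bool((status_channel_1 | status_channel_2) & TRIP_BIT)


if __name__ == "__main__":
    cal = ChannelCalibration(interval_s=10.0, cps_per_uci_cc=1.0e6,
                             trip_setpoint_uci_cc=8.0e-5)
    # Constructed register histories: four 10 s intervals, primary and background.
    conc, status = process_channel([1250, 1230, 1270, 1250], [250, 230, 270, 250], cal)
    print(f"conc={conc:.2e} uCi/cc status={status:#04b} "
          f"demand={isolation_demand(status, 0)}")
```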


8.2 Software Evaluation

8.2.1 General

The governing documents that describe the required steps in designing, testing, controlling, maintaining and enhancing the safety-related software used in an analog to digital conversion program are: Reg. Guides 1.152 and 1.153 (Ref. 6.1.6 & 6.1.7), and NRC Generic Letter 95-02 (Ref. 6.1.8), which endorses EPRI TR-102348 (Ref. 6.2.1), which in turn references IEEE 603 (Ref. 6.3.3) and IEEE 7-4.3.2 (Ref. 6.3.1). The software quality program is defined by NUREG/CR-4640 (Ref. 6.1.9) in accordance with 10CFR50 Appendix B (Ref. 6.1.2). Other IEEE standards that establish the software requirements are referenced from these documents. The use of these standards ensures that design, testing and maintenance are performed in a manner that will minimize, and not add to, the probability of a software common mode failure.

In evaluating the software used in these safety-related monitoring channels, seven specific aspects of the software are examined. These are:

- software channel architecture
- software module complexity
- design
- V&V and testing
- operating experience
- number and nature of recorded failures
- operational software fault density

These aspects are reviewed and compared with the established criteria.

The effects of EMI/RFI on the system and any detrimental design aspects resulting from MHI deficiencies are also evaluated in this document.


SheetNo. 39 of et REV OplC1WATOR DATE t#E DATE KEV ORIGINATOR DATE 1RE DATE O A. Wyde 6/12/97 0.turde 6/12/97 8.2.2 Safety Channel Architecture 8.2.2.1 General The safety channel architecture for each of the ESFAS channels is essentially the same. The hardware and software modules located at or close to, the measurement point in the process are the LPU and the LDU. The centrally located display unit, RDU, is connected to the local units via RS-485 serial communication lines. The output of the RDU produces the control relay contact opening. Each safety function has two channels operating in a simple, one out of one, control logic.

8.2.2.2 Criteria The requirements stated in standard IEEE 279 Criteria for Protection Systems for Nuclear Power Generating Stations (Ref. 6.3.2) and lEEE 603 Criteria for Safety Systems for Nuclear Power Generating Stations are the basis for the software architectural design criteria. IEEE Std. 7-4.3.2 provides the specific software criteria.

8.2.2.3 Results

The independence and redundancy of the designs, per IEEE 279 (Ref. 6.3.2), meet the same criteria as the previous hardware design. There are no inter-connections from any of these systems that could compromise the integrity of channel independence (Ref. 6.5.4).

[Figure 8.2.2.1 Redundant Software Channel Configurations for RMS Safety Functions (block diagram with columns labelled UNIT 2, COMMON and UNIT 3; not reproduced in this text)]

8.2.3 Software Module Complexities

8.2.3.1 General

The complexity of a software design can be used as a measure of the likelihood of a fault or failure occurring during its operational life. The influence of software complexity in fault occurrence is modified by the level of V and V testing that is applied. V and V testing levels are determined based on the complexity level and the integrity required from the software (Ref. 6.1.10 Table 2.4.3-1).

Integrity, in this context, refers to the consequences resulting from the failure of the software.

8.2.3.2 Criteria

To further examine the complexity of the safety software, it was necessary to establish a set of criteria to define the level of complexity. A set of criteria relating to complexity of software is established in NUREG/CR-6018 (Ref. 6.1.10 Table 2.4.2-1). This document categorizes software as having low, medium or high levels of complexity in six areas of software design. Table 8.2.3.2 provides these criteria.

Table 8.2.3.2 Software Complexity Criteria (Ref. 6.1.10)

Complexity Factor | Low Level | Medium Level | High Level
1. Physical Control Capability | None; advisory function | No direct control but provides decision data into control modules | Can directly manipulate control system elements
2. Processing | Not realtime | Near realtime | Realtime
   | Sequential | N/A | Cooperating
   | Single processor | Multiple processors | Concurrent / multiple heterogeneous processors
   | Synchronous | N/A | Asynchronous
   | Centralized | Central / distributed | Highly distributed
   | Batch / Interactive | Interactive | Interactive
3. Interactivity with Other Systems | Stand alone | Embedded / Attached | Embedded
   | Single user-interface | Continuous / Intermittent data input | Continuous data input
   | No data interfaces | Data interfaces | Multiple channels*
   | User driven | Usually data driven | Usually data driven
   | No interrupt handling | Possible interrupt handling | Possible interrupt handling
4. Knowledge / Data Structures & Storage | Homogeneous | Homogeneous / heterogeneous | Heterogeneous
   | Centralized | Centralized / Distributed | Centralized / Distributed
   | Derived from codified sources | Derived from codified sources | Derived from codified sources or expert or invented sources
5. Decision Procedure | Backward (top down) or Forward (bottom up) | Backward, forward and/or mixed chaining | All types of chaining
   | Breadth first or Depth first | Breadth first or Depth first | Breadth first or Depth first
   | Monotonic reasoning | Heuristic reasoning, Constraint based reasoning | Model based inferencing plus all other types; Belief-revision, truth maintenance
6. Uncertainty Handling | None | Fuzzy reasoning, reasoning under uncertainty | Complex fuzzy logic and uncertainty reasoning; Multiple hypothesis evaluation

Note: * Interpreted as multiplexed inputs


8.2.3.3 Evaluated Results

Each aspect of the design has features that are used to determine the level of complexity of the system. Table 8.2.3.3 summarizes the review of the safety software with respect to the software complexity criteria. It can be seen that the software complexity falls into the low-medium category.

Table 8.2.3.3 Software Complexity (Ref. 6.1.10)

Complexity Factor | Software Feature | Assessed Level | Reference | Comments
1. Physical Control Capability | None | Low | Attachment 1 | No closed loop control
2. Processing | Near realtime | Medium | Attachment 1, 6.4.5, 6.4.10 | Periodic processing of input data
   | Sequential | Low | 6.4.5, 6.4.10 | Timed sequence for data processing
   | Multiple processors | Medium | 6.4.5, 6.4.10 | Processors in LPU & display units
   | Synchronous | Low | 6.4.5, 6.4.10 | Clock driven
   | Centralized / distributed | Medium | 6.4.8, 6.4.9 | Processing in LPU & RDU/LDUs
   | Interactive | Medium | 6.4.5, 6.4.10 | Continuous measurement
3. Interactivity with Other Systems | Attached system | Medium | 6.4.5 | DAS accesses data
   | Continuous / intermittent data | Medium | 6.4.5 | Intermittent requests for data. Input READ only
   | Data interfaces | Medium | 6.4.5 | DAS access
   | User-driven (polled) | Low | 6.4.5 | Primarily a polled request for data. Periodic user requests
   | Possible interrupt handling | Medium | 6.4.5, 6.4.10 | Polled or user requests for data require interrupts to main system program
4. Knowledge / Data Structures & Storage | Homogeneous | Low | 6.4.1, 6.4.2, 6.4.10 | Data structure uniform throughout system
   | Centralized / Distributed | Medium | 6.4.8, 6.4.9 | LPU & DUs have separate storage
   | Derived from codified sources | Low | 6.3.11 | Instructions from program set only. C language used
5. Decision Procedure | Backward (top down) | Low | 6.4.1 | Std C language
   | Breadth first | Low | 6.4.1 | Std C language
   | Monotonic reasoning | Low | 6.4.1 | Std C language
6. Uncertainty Handling | None | Low | 6.4.5, 6.4.10 | No artificial intelligence used in logic decisions

8.2.4 Software Requirements

8.2.4.1 General

The software was designed under the guidelines of ISO 9000 (Ref. 6.2.3). The software used with safety related radiation monitoring channels had further 10CFR50 Appendix B Quality Assurance requirements imposed on it. These requirements were identified to the manufacturer, MGPI, through the Supplier Scope of Work document (Ref. 6.5.5).

8.2.4.2 Software Specification Requirements

The Supplier Scope of Work document (Ref. 6.5.5) listed the software requirements that were to be placed on the RMS system supplier. IEEE Std 7-4.3.2-1993 (Ref. 6.3.1) is specified as guidance. This document outlines quality, qualification, integrity, independence, test and calibration, displays, access, human factors and reliability aspects of the safety related software design. Specifically addressed in the Supplier Scope of Work document, with respect to the development and assembly of the software on this specific RMS project, were the following:

1. Software QA plan. The guidelines for this plan are IEEE Std 730.1 (Ref. 6.3.4) and IEEE Std 983 (Ref. 6.3.7).
2. Software Requirements Specification (Ref. 6.4.3). The guideline for these requirements is IEEE Std 830 (Ref. 6.3.5).
3. Software Design Description. The guideline for MGPI maintaining and enhancing the software is included in IEEE Std 1016.1 (Ref. 6.3.9).
4. Software Verification & Validation Plan & Report. The identification of the V and V plan (Ref. 6.4.4) and all test documentation with a report (Ref. 6.4.12) including results, reviews, audits and required tests and deficiencies according to IEEE Stds 1012 (Ref. 6.3.8) & 730.1 (Ref. 6.3.4).
5. Human Factors guidelines. The guideline used for these requirements is IEEE Std 1023-1988 (Ref. 6.3.10).


After installation of the system with the software fully operational, any subsequent changes to the software are controlled by the SCE TQAM (Ref. 6.5.16) process.

8.2.4.3 Specification Criteria

The criteria for satisfying the software design and documentation requirements are that the manufacturer adhered to the functional and documentation standards called for in the Supplier Scope of Work.

8.2.4.4 Specification Results

The manufacturer, MGPI, supplied numerous documents and reports describing the plans, processes, tests and tabulations of results. An internal SCE review was conducted to determine whether the functional and procedural specification software requirements had been included in the overall design. The report 90400 (Ref. 6.5.10) showed that, with a few exceptions, the manufacturer had adhered to the specification requirements.

The corrective actions are to be addressed per the assumption given in section 3.2.1.

8.2.5 Software Design

The MGPI software design was driven by the functional requirements of the fundamental components (LPU, LDU and RDU) of their radiation monitoring system. Based on a review of software design literature (Ref. 6.6.3), the important elements of software design are considered to be the nature of the programming structure and the data structure.

8.2.5.1 Criteria for Good Software Design

The software should be written in such a manner that it is independent, modular and structured. The nature of the design should be such that it is hierarchical in nature. This implies that basic software modules are common to the design and that these modules call upon sub-modules which in turn call upon application modules that perform specific task requirements.

The criterion for data is that it be structured and compatible with the physical storage limitations, functional requirements and language constraints.

8.2.5.2 Results

A review of the specific software design components associated with this project shows that each monitoring channel typically has common software modules that exist in all channels. These channel components are the Local Processing Unit (LPU) and the Local or Remote Display Unit (LDU/RDU). The main supporting software is divided into three software hierarchical modules:

1. The RAMSYS Common
2. The DU Common
3. The LPU Common

8.2.5.2.1 Program Structure

The RAMSYS Common module resides in both the LPU and DU channel components. Refer to figures 8.2.5.2.1a and b. This module performs tasks using techniques that are standard features in both of these channel components. This module consists of 19 units containing 93 software functions. This module calls either the DU Common sub-module or the LPU general sub-module, depending on the device type.

[Figure 8.2.5.2.1a LPU Software Modules (diagram not reproduced in this text)]

[Figure 8.2.5.2.1b Display Unit Software Modules (diagram not reproduced in this text)]

The DU Common module resides in both the LDU and RDU channel components, operates independently and performs typical processes specific to the DUs. This module consists of 12 units that contain 40 software functions. This module calls sub-modules DU Base and DU Appli. The DU Base module is comprised of 3 units consisting of 30 functions and procedures. The DU Appli module is comprised of 27 units containing 253 functions and procedures.

The LPU Common module resides in the LPU channel component, operates independently of the other LPUs and performs typical processes specific to the LPUs. This module is comprised of 3 units containing 14 functions. This module calls sub-modules LPU Base and Appli Common. The LPU Base is comprised of 5 units containing 20 functions and procedures. The Appli Common module is comprised of 13 units containing 127 functions and procedures. The Appli Common module may call any one of 4 sub-modules depending on the functional application being used by the LPU. The four application specific sub-modules that can be called are LPU/I/O, LPU/PIPS, LPU/SAS and LPU/St.

The software can be considered to meet the criteria in that it 1.) is structured in a hierarchical manner, 2.) is modular by design, and 3.) has modules that are independent.

8.2.5.2.2 Data Structures

Reviews of the manufacturer's documentation and telephone conversations with the design group show that data structures are based on data structures determined by the programming language 'C'. Data structures were controlled by the program development Microtec compiler. This compiler strictly complies with and meets the requirements of ANSI X3.150-1989, American National Standard for Programming Languages-C.

Since the software design is constrained by the physical memory capacity for storage, channel functional demands and the language and compiler capabilities, the complexity and organization of these data structures is determined by the software programmer. Satisfying these constraints is considered to be sufficient guidance to ensure a satisfactory data structure.

The data format is considered to meet the criteria in that it is structured, compatible with the Microtec compiler and the 'C' language constraints. The data meets the functional programming requirements and the data storage requirements do not exceed the memory capacity.

8.2.6 Software Verification and Validation

8.2.6.1 General

The software quality assurance plan (Ref. 6.4.1), which was developed based on IEEE 730.1 (Ref. 6.3.4), requires that a Verification and Validation (V and V) plan be written. The V and V plan (Ref. 6.4.4) is based on IEEE 1012 (Ref. 6.3.8). The plan defines the responsible software organization, the scheduling, resources, responsibilities and supporting techniques and methods to be used in conducting the plan. The life cycle of the software follows a series of phases. These being:

1. Management of the V and V
2. Concept phase
3. Requirements phase
4. Design phase
5. Implementation phase
6. Test phase
7. Installation and Checkout
8. Operation and Maintenance phase

The manner in which the V and V program is reported is defined in this plan. The summarization of the V and V tasks is reported in a software V and V final report (Ref. 6.4.12).

8.2.6.2 Criteria

Software supplier's adherence to:

1. The contractual requirements.
2. The IEEE standards and documents defining a satisfactory V and V program (Ref. 6.4.1, 6.3.4, 6.3.8, 6.4.4).

8.2.6.3 Results

The V and V plan, as part of the Software Quality Assurance program, follows the IEEE standards. The final software V and V report (Ref. 6.4.12) summarizes the results of the program. An internal review was conducted on the V & V process. Some deficiencies were found during this review process. Corrective action to these deficiencies is scheduled and satisfactory results are anticipated per section 3.2.1.

8.2.7 Operating Experience

8.2.7.1 MGP Development History

MGP Instruments, the supplier of the RMS replacement system, has a long history of supplying RMS systems to the nuclear industry. They began producing analog based systems for the French nuclear program in 1962 and continued producing this type of equipment until the 1980's.

In the mid 1970's, they produced their first digital electronics modules. In 1980, they designed their first microprocessor based processing and display units.

A second generation, microprocessor based design was introduced in 1985. This design incorporated multichannel detector capability using a single LPU. New detector technologies were designed at this time as well. Another digital generation system began development in 1993. This system was developed using the emerging European Standards, ISO 9000 series (Ref. 6.2.3), as the basis for the system design. This is the software design that is used for this project.

8.2.7.2 Criteria

There are no specific industry criteria for the required operational experience for software modules to be used in a nuclear safety application. By assumption 3.3, it is judged that 10 unit-years is a satisfactory operational period.

8.2.7.3 Results

The current MGPI operational digital systems that use the latest software design are installed at eight plants around the world. The largest installed system is at the Swedish plant, Ringhals, Units 1, 2 and 3. Table 8.2.7.3 provides the unit-hours for each software module as of June 1996.

Table 8.2.7.3 Operational Experience of Software Modules thru 6/96 (Ref. 6.4.12)

Plant Site | LPU/base (1) | LPU/PIPS (FHIS & CPIS) | LPU/SAS (CRIS) | DU Base & Appli (2)
Ringhals | 24054 | 4695 | 7525 | 34962
Barseback | 657 | 0 | 438 | 219
Technicatome | 515 | 0 | 0 | 0
Lovisa | 5556 | 0 | 5556 | 0
Kozloduy | 532 | 0 | 532 | 1064
Olkiluoto | 326 | 0 | 0 | 326
PAKS | 412 | 0 | 0 | 412
North Anna | 626 | 0 | 626 | 626
Total unit-days | 32678 | 4695 | 14677 | 37609
Total unit-years | 89.5 | 12.9 | 40.2 | 103.0

Notes:
1 - LPU base includes RAMSYS Common, LPU Common, Appli Common and LPU Base.
2 - DU Base & Appli includes RAMSYS Common, DU Common, DU Base and DU Appli.

The placement of active radiation measurement channels into operation has occurred on a continuing basis over the last three years. The main LPU base and DU base and application modules have operational experience from 89.5 to 103 unit years.

The PIPS detector application module has only been used at the Ringhals plant and therefore has not had the same level of operational experience as the other software modules. The SAS detector application module has had more extensive use than the PIPS, at 40.2 unit-years of operation. These operational experience levels are considered sufficient to provide a good level of confidence in this software module's design.

Each software module that is used in the design has had revisions applied to it. The nature of these revisions has been minor (Ref. 6.4.12). Revisions to all software modules since the inception of the V and V program in 1993 are documented in the Software Verification and Validation Final Report (Ref. 6.4.12).

8.2.8 The Nature of Software Failures

8.2.8.1 General

Failure data was obtained from the software supplier based on reported failures from operational equipment (Ref. 6.4.12). The number and nature of failures are important in comparing this software with other industrial software projects.

8.2.8.2 Criteria

The criteria for software failures are that:

1.) the failures be identifiable. This implies that all failures have been identifiable through observable indications without having to apply external test equipment.

2.) the failures be non-common mode in nature. The failures have not caused multiple or all channels to fail simultaneously as a result of a single common cause.

8.2.8.3 Results

Ideally, the failure data would be separated into faults of various degrees of severity and time tagged from the time of introduction into operation. Data with this degree of insight is not available. From the available data (Ref. 6.4.12) the following statements can be made:

Total reported LPU w/SAS detector software failures = 64 (jamming & non-jamming faults)

Total reported LPU w/PIPS detector software failures = 54 (jamming & non-jamming faults)

Total reported DU failures = 102 (jamming & non-jamming faults)

None of these software failures were of the common mode type as described in section 1.2 with further modifiers (sections 3.1.3 and 3.1.4). All failures were readily identified, as recorded in the Final V and V report (Ref. 6.4.12).

8.2.9 Fault Densities

8.2.9.1 General

While fault rate data during the operational phase of this software would be a desirable measurement of the software, the actual date of installation for each software unit is not available and therefore estimates of measured fault rate data are difficult to obtain. Estimates of the fault rate are made in section 8.3. These data are derived from calculated estimations rather than measured values.

Fault density is a measure of the number of faults per the number of lines of code. This value is an integration of the faults during the operational phase for a fixed number of lines of code.

Fault densities vary dependent on the development phase of the software. Typically, values for fault density are assigned at the following stages: coding, unit test, subsystem test, system test and operation. From measured fault density values based on industrial experience, it is possible to use these industrial values to compare against the RMS software fault densities to establish whether the software is performing within successful industrial performance ranges.

8.2.9.2 Failure Density Criteria

Reference 6.6.2 provides operational data from systems closely resembling the LPU and DU software. This data is available in reference 6.6.1 but is from an unpublished source. 50 systems were analyzed. These systems had an average operational time of 11 months and source lines of code ranging from 4.1 to 523.8K lines. The range of fault densities in this operational mode was 0 to 10.95 faults per 1000 lines of source code.


8.2.9.3 Failure Density Results

Examination of the RMS software modules provides the following information, given in table 8.2.9a:

Table 8.2.9a Software Source Code Lines (Ref. 6.4.13)

Function | Module | Source Code Lines
LPU | RAMSYS Common | 2785
LPU | LPU Common | 238
LPU | LPU Base | 821
LPU | LPU Appli Common | 6171
LPU (continued) | I/O analog | 511
LPU | Common Subtotal | 10524
LPU | LPU/PIPS | 5620
LPU | Total PIPS | 10524 + 5620 = 16144
LPU | LPU/SAS | 7133
LPU | Total SAS | 10524 + 7133 = 17657
DU | RAMSYS | 2785
DU | DU Common | 2208
DU | DU Base | 2021
DU | DU Appli | 15533
DU | Total | 22545

The total number of faults given in section 8.2.8.3 for both LPU detector types, PIPS and SAS, and the DU are divided by the number of source code lines given in table 8.2.9a. Fault densities are given in table 8.2.9b.


Table 8.2.9b Fault Densities

Software System | No. Faults | Source Code in Klines | Fault Density in faults/Klines
LPU PIPS | 54 | 16.144 | 3.3
LPU SAS | 64 | 17.657 | 3.6
DU | 102 | 22.547 | 4.5
Average fault density | | | 3.8

The average fault density is 3.8 faults per 1000 lines of code, which falls well within the range of the comparable industrial study (Ref. 6.6.1).

8.2.10 Summary

Table 8.2.10 is a summary of the specific aspects of the software that were reviewed in this evaluation. All criteria were met or used to show that the software has a high likelihood of not producing a common mode failure.

Table 8.2.10 Summary of Software Evaluation

Software Feature | Criteria | Finding
1. Architecture | Complies with IEEE 279/603. Simple, low to moderate complexity & independent | Complies with IEEE Stds. Simple, independent with no inter-connections
2. Software Complexity | Levels of complexity per NUREG/CR-6018 | Low-Medium level of complexity
3. Design | 1. Modular 2. Hierarchical 3. Independent | Modular design, with top down structure. C language used throughout. No cross ties
4. Verification & Validation | Complies with Ref. 6.4.1, IEEE 730.1, IEEE 1012 & Ref. 6.4.4 for satisfactory implementation of V and V plan | V&V plan complies with IEEE 1012 std. Test data shows successful testing.
5. Experience | None | Operational unit-year ranges from 12.9 to 103 years
6. Failures | 1. Identified failures 2. No software common mode failures | All recorded failure causes have been identified. No failures have been common mode failures
7. Fault densities | In industrial range < 10 faults/K lines of source code | Average fault density is 3.8 faults/K lines of source code

8.2.11 Interference Effects on Software

Electro-Magnetic Interference (EMI) and Radio Frequency Interference (RFI) tests have been performed on ESFAS radiation monitor prototypes in accordance with Wyle Laboratories Test Procedure No. 44356-10, "Test Procedure for Electromagnetic Interference (EMI) Testing on the Radiation Monitoring System for MGP Instruments, Inc." (Ref. 6.4.11). This procedure is based on EPRI Topical Report TR-102323, "Guidelines for Electromagnetic Interference Testing in Power Plants" (Ref. 6.2.2). Tests for emissions and susceptibility were applied.

The results of these tests are summarized in the Wyle EMI Test report (Ref. 6.4.11). All tests were successfully completed.

8.2.12 Machine-Human Interface (MHI) Effects

The new design presents measurement values to the user in unambiguous engineering units with no conversions or translations required. The values are displayed in a digital format, relieving the user of interpolating from an analog scale.

Operator interfaces are used to change conversion values, set points and other data base items associated with detector and process parameters. The incorrect entry of a data base item may cause erroneous trip setpoints for a given monitor; however, there are no common data base ties that would cause a common mode error in the data bases. Training and procedural compliance reduces the possibility of this type of error from occurring.

Access to change data base items is restricted through password protection. Four levels of access exist. Only at the fourth level, the highest security level, can the basic software be modified.


8.3 Probability Failure Assessment

8.3.1 Review of Failure Assessment Approach

In document NSG-97-001 (Ref. 6.5.11), an assessment was made of the probability of each of the ESFAS radiation monitor systems failing to perform its function. The assessment compared the existing analog systems with the replacement digital systems.

Each system has been designed with redundant trains to measure radioactive concentrations in each of the airborne pathways. The function of these monitors is to initiate an isolation function after the set point is exceeded. The current Technical Specifications (Ref. 6.5.14) for San Onofre Nuclear Generating Station (SONGS) state that only one monitor has to be active for the system to be operational. The probabilistic estimate of system failure was therefore evaluated both for the case where both trains are operational and for the case where only one train is operational.

MTBF data for the existing analog systems were obtained from plant Maintenance Order records. Generally, different failure rate (λ) values were obtained for the train A and train B monitors. For the 1 out of 2 logic analyses, the λ value for an "AND" logic function is determined by the product of the individual train λ values. For the one out of one logic case, the lower λ value of the two monitors is chosen as the active monitor.

The replacement digital systems' failure data were obtained from vendor documents. The data received from the vendor were a combination of hardware and software failure probabilities.

Estimates of the failure rates were made by examining the failures that have occurred since placing the equipment into operation and the total number of hours of operation for each software module.

Software failure rates were obtained by this method. Hardware failure rate data was determined by extracting the software failure rate data from the combined hardware and software data.

For the 1 out of 2 logic, logic trees were configured to account for the redundant hardware paths, but no credit was taken for redundant software pathways. This implies that if a software failure occurs, it will be a common mode failure. The software failure λ values that are used are derived from the single software failures.

This adds a level of conservatism to the overall failure probabilities.

8.3.2 Failure Probabilities, One out of Two Logic

The results of a failure probability assessment for a 1 out of 2 logic configuration, from reference 6.5.11, are given in Table 8.3.2.

Table 8.3.2 Summary of System Failure Probabilities (1 out of 2 logic)

λ Failure Rate in failures/hr is from Ref. 6.5.11, Table 3; MTBF in hrs/failure is calculated.

System | λ Digital (new) | λ Analog (existing) | MTBF Digital (new) | MTBF Analog (existing)
CPIS | 2.6E-6 | 2.2E-4 | 3.85E4 | 4.55E3
CRIS | 1.5E-5 | 1.2E-4 | 6.67E4 | 8.33E3
FHIS | 1.7E-5 | 1.4E-4 | 5.88E4 | 7.14E3

8.3.3 Failure Probabilities, One out of One Logic

The results of a failure probability assessment for a 1 out of 1 logic configuration, from reference 6.5.11, are given in Table 8.3.3.

Table 8.3.3 Summary of System Failure Probabilities (1 out of 1 logic)

λ Failure Rate in failures/hr is from Ref. 6.5.11, Attachment 3; MTBF in hrs/failure is calculated.

System | λ Digital (new) | λ Analog (existing) | MTBF Digital (new) | MTBF Analog (existing)
CPIS | 1.3E-4 | 2.64E-3 | 7.69E3 | 3.79E2
CRIS | 3.59E-5 | 8.11E-4 | 1.16E4 | 1.23E3
FHIS | 8.35E-5 | 1.96E-3 | 1.2E4 | 5.1E2


8.3.4 Summary of Failure Probability Assessment

The prediction of software failures is an imprecise science, and therefore the margin of error associated with the generated MTBF values is likely to be large. However, comparing the calculated analog and digital system failure rates shows that, for all of the digital replacement systems, an improvement of approximately a factor of ten can be expected.
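The relationships used in Section 8.3 (MTBF as the reciprocal of λ, the product rule for the 1 out of 2 "AND" function, the lowest-λ rule for one-train operation, and the analog-to-digital comparison drawn in 8.3.4) carried through in Python as an added example; this is not code from calculation J-SPA-289 or from NSG-97-001. The λ values are the ones printed in Tables 8.3.2 and 8.3.3; the MTBF column and the improvement factors are recomputed from them, and the per-train rates used to exercise the two combination rules are constructed sample values, not figures from the calculation.

```python
"""Recompute the Section 8.3 failure-probability figures.

Added example (not part of calculation J-SPA-289 or of reference NSG-97-001).
The failure rates (lambda, in failures/hr) are transcribed from Tables 8.3.2
and 8.3.3 as printed; everything else is derived from them here.  The
per-train rates used to demonstrate the train-combination rules are
constructed sample values, not figures from the calculation.
"""

# lambda in failures/hr: {system: (digital_new, analog_existing)}
TABLE_8_3_2_1OO2 = {  # Table 8.3.2, 1 out of 2 logic
    "CPIS": (2.6e-6, 2.2e-4),
    "CRIS": (1.5e-5, 1.2e-4),
    "FHIS": (1.7e-5, 1.4e-4),
}
TABLE_8_3_3_1OO1 = {  # Table 8.3.3, 1 out of 1 logic
    "CPIS": (1.3e-4, 2.64e-3),
    "CRIS": (3.59e-5, 8.11e-4),
    "FHIS": (8.35e-5, 1.96e-3),
}


def mtbf_hours(failure_rate):
    """MTBF in hr/failure is the reciprocal of a constant failure rate lambda (failures/hr)."""
    if failure_rate <= 0:
        raise ValueError("failure rate must be positive")
    return 1.0 / failure_rate


def system_rate_1oo2(lambda_train_a, lambda_train_b):
    """Two-train 'AND' combination exactly as Section 8.3.1 states it:
    the system lambda is the product of the individual train lambdas
    (both trains must fail for the 1 out of 2 function to be lost)."""
    return lambda_train_a * lambda_train_b


def system_rate_1oo1(lambda_train_a, lambda_train_b):
    """One-train operation as Section 8.3.1 states it: the monitor with the
    lower lambda is taken to be the active one, so its rate is the system rate."""
    return min(lambda_train_a, lambda_train_b)


def improvement_factor(lambda_digital, lambda_analog):
    """How many times lower the digital failure rate is than the analog one."""
    return lambda_analog / lambda_digital


def summarize(table):
    """Per system: recomputed MTBFs and the analog-to-digital improvement factor."""
    out = {}
    for system, (lam_digital, lam_analog) in table.items():
        out[system] = {
            "mtbf_digital_hr": mtbf_hours(lam_digital),
            "mtbf_analog_hr": mtbf_hours(lam_analog),
            "improvement": improvement_factor(lam_digital, lam_analog),
        }
    return out


def min_improvement(table):
    """Smallest improvement factor across the systems in a table; Section 8.3.4
    characterises the expected improvement as roughly a factor of ten."""
    return min(row["improvement"] for row in summarize(table).values())


if __name__ == "__main__":
    for name, table in (("Table 8.3.2 (1oo2)", TABLE_8_3_2_1OO2),
                        ("Table 8.3.3 (1oo1)", TABLE_8_3_3_1OO1)):
        print(name)
        for system, row in summarize(table).items():
            print(f"  {system}: MTBF digital {row['mtbf_digital_hr']:.3g} hr, "
                  f"analog {row['mtbf_analog_hr']:.3g} hr, "
                  f"improvement x{row['improvement']:.1f}")
        print(f"  smallest improvement: x{min_improvement(table):.1f}")

    # Constructed per-train rates (not from the calculation) to show the two rules.
    lam_a, lam_b = 2.0e-4, 1.2e-4
    print(f"1oo2 system lambda (product rule): {system_rate_1oo2(lam_a, lam_b):.3g} /hr")
    print(f"1oo1 system lambda (lowest train): {system_rate_1oo1(lam_a, lam_b):.3g} /hr")
```

Running the block prints the recomputed MTBF columns next to the improvement factors, so the "approximately a factor of ten" statement of 8.3.4 can be read off directly for each system rather than taken on trust.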


8.4 Accident Dose Evaluation

8.4.1 System Failure Review

As stated in Assumption 3.1.1, the monitors can fail in any combination based on the SCMF. Table 8.4.1 reviews all the possible combinations of failure.

Table 8.4.1 SCMF Failure Combinations for Safety Radiation Monitors

Case | FHIS | CRIS | CPIS | Comments

Accidents within the Fuel Handling Building:
1 | Failed | Operates | Don't care | Design basis case, Reference N-4072-001
2 | Failed | Failed | Don't care | Addressed in this evaluation
3 | Operates | Failed | Don't care | Operation of FHIS makes the dose consequences of this case bounded by case 2

Accidents within the Containment:
4 | Don't care | Operates | Failed | Design basis case, Reference N-4072-003
5 | Don't care | Failed | Failed | Addressed in this evaluation
6 | Don't care | Failed | Operates | Operation of CPIS makes the dose consequences of this case bounded by case 5

Accidents outside the Containment and outside the FHB:
7 | Don't care | Operates | Don't care | Design basis case, Letdown Line Break Accident, Reference N-4077-001
8 | Don't care | Failed | Don't care | Addressed in this evaluation
9 | Failed | Failed | Failed | Not a viable situation to analyze, since no single event will cause releases from both Containment and Fuel Handling Building
10 | Operates | Operates | Operates | Normal operation


Cases 2, 5 and 8 will be evaluated in this document. Cases 1, 4 and 7 are the conditions used in design basis calculations, which successfully meet dose criteria at the Exclusion Area Boundary (EAB), Low Population Zone (LPZ) and Control Room. These design basis calculations do not credit the actions of either the CPIS or FHIS monitors. The dose consequences of cases 3 and 6 are bounded by cases 2 and 5 respectively. Case 9 is equivalent to cases 2, 5 and 8, since only one accident is assumed to occur with the SCMF.

8.4.2 Review of Accidents to be Evaluated

In calculation N-0720-013 (Ref. 6.5.1), accidents given in UFSAR Chapter 15 (Ref. 6.5.6) are evaluated for the Moderate Frequency Incident, Infrequent Incident and Limiting Fault categories. Within each accident category, each accident was assessed for its release pathways and for the dose consequences that would result from failures of the CPIS, FHIS and CRIS actuation signals.

The conditions for some of these accidents are considered to be less restrictive than design basis conditions. Factors such as 50 percentile χ/Qs and 9 day decays for spent fuel are used for realistic accident conditions.

These accidents were further assessed as to whether they were a bounding accident or were bounded by other accidents. The bounding dose consequence accidents were determined to be:

1. Increased Main Steam Flow with a Single Active Failure. Radiation releases can occur as a result of a small amount of direct primary to secondary leakage and from a steam generator leak released via the MSSVs to the atmosphere.

Neither release path can be mitigated by radiation monitor action.

This accident bounds other accidents given in UFSAR Chapter 15:

a) Inadvertent Opening of Steam Generator Atmospheric Dump Valve, and
b) Single Reactor Coolant Pump Shaft Seizure.

An array of lesser dose consequence accidents are considered to be bounded by these accidents (Ref. 6.5.1).

2. Control Element Assembly Ejection. Radiation release paths are from the containment mini purge (CPIS path), small direct leaks from the primary to the secondary, and secondary radiation releases, via the Main Steam Safety Valves, that result from a steam generator leak. (In this analysis, the release of radiation is not mitigated by FHIS or CPIS radiation monitor action.)

This accident bounds an Inadvertent Opening of a Pressurizer Safety Valve accident given in UFSAR Chapter 15.
3. Letdown Line Break. Radiation doses result from direct releases from an RCS break outside the containment. The source release cannot be mitigated by either the CPIS or FHIS monitors.
4. Small Break Loss-of-Coolant Accident (SBLOCA). Radiation can be released via four pathways: through direct containment leakage or through the containment mini purge, and, if a steam generator leak is assumed, from the secondary system through the Main Steam Safety Valves or the Atmospheric Dump Valves. The secondary releases will occur if the small break is large enough and the condenser is unavailable because of loss of power. Only the activity released from the mini purge vents can be mitigated by radiation monitor action (CPIS); however, no credit is taken in this analysis for any Containment Purge isolation.

The SBLOCA bounds a Feedwater System Pipe Break accident and an Inadvertent Opening of a Pressurizer Safety Valve accident given in UFSAR Chapter 15.

5. Fuel Handling Accident in the Fuel Handling Building (FHA in FHB)

The release of activity from the FHB is via the FHB exhaust system which exits through the Plant Vent Stack exhaust.

The FHIS radiation monitors, if functioning properly, would isolate the FHB and prevent any releases to the atmosphere via the Plant Vent Stack. However, no credit is taken for isolation of the Fuel Handling Building by the FHIS radiation monitors.

The FHA bounds the Spent Fuel Pool Boiling Accident given in UFSAR Chapter 15.

6. Spent Fuel Pool Gate Drop Accident (SFPGD)

This accident would cause release of activity through the FHB exhaust vent. FHIS radiation monitors, when functioning, isolate the FHB. No credit is taken in this analysis for Fuel Handling Building isolation.

The SFPGD accident bounds the Test Equipment Drop Accident given in UFSAR Chapter 15.

7. Fuel Handling Accident in the Containment. This accident would cause activity releases via the Containment Purge stack operating at main purge flow rates. CPIS monitors, when functioning, isolate the Containment. No credit is taken for the isolation of the Containment in this analysis.

This is a design basis limiting accident.


8.4.3 Accident Dose Review

This section of the evaluation is a summary of the results obtained in calculation N-0720-013, "Offsite and Control Room Doses Due to Failure of CPIS, CRIS and FHIS".

8.4.3.1 Increased Main Steam Flow with a Single Active Failure (IMSF w/SAF)

8.4.3.1.1 Conditions of Accident

Release Points: 1) Main Steam Safety Valves; 2) Atmospheric Dump Valves.

Steam Generator Leakage is at the Technical Specification 3.4.13 limit of 1 gpm.

Coolant Iodine Activity is at the Technical Specification limit of 1.0 μCi/gm and Non-Iodine Coolant levels are at 100/E μCi/gm.

The dispersion factors (χ/Q) are at the 50% meteorology level.

8.4.3.1.2 Bounded Accidents

a. Inadvertent Opening of Steam Generator Atmospheric Dump Valve with single active failure (IOSGADV/SAF).

Other accidents bounded by IOSGADV/SAF: Increase in Feedwater w/SAF; Loss of External Load; Turbine Trip w/SAF; Loss of Condenser Vacuum w/SAF; LOAC w/SAF; Loss of Normal Feedwater Flow; Total Loss of Forced Reactor Coolant Flow; Partial Loss of Reactor Coolant Flow w/SAF.

b. Single Reactor Coolant Pump Sheared Shaft (SRCPS).

Other accidents bounded by SRCPS: Single Reactor Coolant Pump Shaft Seizure; Total Loss of Forced Reactor Coolant Flow w/SAF; Radioactive Waste Gas System Leak; Radioactive Waste System Leak or Failure (release to atmosphere).

8.4.3.1.3 Response Times Control Room manual isolation is credited in 30 minutes.

8.4.3.1.4 Defense-in-Depth. The instruments shown in Table 8.4.3.1.4 provide the operators with indications of the need to initiate a Control Room air system isolation.


Table 8.4.3.1.4 Defense-in-Depth for IMSF w/SAF

Instrument No. | Manufacturer | Inst. Function | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room Area Monitor | Non safety | 0.45 mR/hr | Attachment 2

8.4.3.1.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.1.5.

Table 8.4.3.1.5 Dose Summary for IMSF w/SAF (Ref. 6.5.1)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | 0.2 | 75 | <0.1 | 6
LPZ | 0.2 | 75 | <0.1 | 6
Control Room | 5.1 | 30 | 0.7 | 5

8.4.3.2 Control Element Assembly Ejection (CEAE)

8.4.3.2.1 Conditions of Accident

Release Points: 1) Directly into the atmosphere from Containment at the Containment leak rate; 2) Directly to atmosphere at the mini-purge flow rate; 3) Atmospheric Dump Valves and Main Steam Safety Valves.

Steam Generator Leakage is at the Technical Specification section 3.4.13 limit of 1 gpm.

Coolant Iodine Activity is at the Technical Specification limit of 1.0 μCi/gm and Non-Iodine Coolant levels are at 100/E μCi/gm.

The dispersion factors are at the 50% meteorology level.

8.4.3.2.2 Bounded Accidents: Inadvertent Opening of a Pressurizer Safety Valve.

8.4.3.2.3 Response Times: Manual action time to isolate CRIS: none. SIAS is credited with 165 second operation of Control Room isolation (Ref. 6.5.1, A 3.1).

8.4.3.2.4 Defense-in-Depth. The instruments shown in Table 8.4.3.2.4 provide the operators with indications of the need to initiate a Control Room air system isolation.

Table 8.4.3.2.4 Defense-in-Depth for Control Element Assembly Ejection Accident

Instrument No. | Manufacturer | Inst. Function | Activity Pathway | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)RE7828, or 2(3)RE7865 when acting as a replacement | SE digital system | Containment Purge radiation monitor | Containment air release via mini purge ducts | Non safety | 10CFR20 per ODCM | 6.5.7


8.4.3.2.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.2.5.

Table 8.4.3.2.5 Dose Summary for Control Element Assembly Ejection Accident (Ref. 6.5.1)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | 1.0 | 150 | <0.1 | 20
LPZ | 0.9 | 150 | <0.1 | 20
Control Room | 23.8 | 30 | 0.1 | 5

8.4.3.3 Letdown Line Break

8.4.3.3.1 Conditions of Accident

Release Points: 1) Directly into the atmosphere; 2) Atmospheric Dump Valves.

Steam Generator Leakage is at the Technical Specification section 3.4.13 limit of 1 gpm.

Coolant Iodine Activity is at the Technical Specification limit of 1.0 μCi/gm and Non-Iodine Coolant levels are at 100/E μCi/gm.

The dispersion factors are at the 50% meteorology level.

8.4.3.3.2 Bounded Accidents: None.

8.4.3.3.3 Response Times: Control Room manual isolation is credited in 30 minutes. Letdown line isolation may occur as a result of actuation from a non-safety line temperature loop.

8.4.3.3.4 Defense-in-Depth The instruments shown in table 8.4.3.3.4 provide the operators with indications of the need to initiate a Control Room air system isolation.

Table 8.4.3.3.4 Defense-in-Depth for a Letdown Line Break Accident

Instrument No. | Manufacturer | Inst. Function | Activity Pathway | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)TE9267 | Weed Instruments | Letdown line isolation | Letdown line 002-2"-C- [illegible] | Non safety | 418 F | 6.5.10
2(3)TE0221 | Rosemount | Letdown line isolation | Letdown line 002-2"-C- [illegible] | Non safety | 418 F | 6.5.10

Note: Temperature elements TE9267 and TE0221 isolate the Letdown line upstream of the sense point.

8.4.3.3.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.3.5.

Table 8.4.3.3.5 Dose Summary for Letdown Line Break Accident (Ref. 6.5.1)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | <0.1 | 30 | <0.1 | 2.5
LPZ | <0.1 | 30 | <0.1 | 2.5
Control Room | 2.2 | 30 | <0.1 | 5


8.4.3.4 Small Break Loss-of-Coolant Accident (SBLOCA)

8.4.3.4.1 Conditions of Accident

Release Points: 1) Directly into the atmosphere through Containment leaks; 2) Containment releases through the mini-purge; 3) Atmospheric Dump Valves or MSSVs.

Steam Generator Leakage is at the Technical Specification 3.4.13 limit of 1 gpm.

Coolant Iodine Activity is at the Technical Specification limit of 1.0 μCi/gm and Non-Iodine Coolant levels are at 100/E μCi/gm.

The dispersion factors are at the 50% meteorology level.

8.4.3.4.2 Bounded Accidents: Feedwater System Pipe Break.

8.4.3.4.3 Response Times: Manual action time to isolate CRIS: 30 minutes.

8.4.3.4.4 Defense-in-Depth. The instruments shown in Table 8.4.3.4.4 provide the operators with indications of the need to initiate a Control Room air system isolation.


Table 8.4.3.4.4 Defense-in-Depth for a SBLOCA

Instrument No. | Manufacturer | Inst. Function | Activity Pathway | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room (CR) Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)LI5853-11-2 | International Instruments | Sump Level detector | RCS liquid flow into containment sump | 1E power | Hi Alarm 4 ft (14.7 ft) | 6.5.15
2(3)RE7828 | SE digital system | Containment Purge radiation monitor | Containment air release via mini purge ducts | Non safety | 10CFR20 per ODCM | 6.5.7
2(3)RE7845 | NMC analog system | Containment Hatch area radiation monitor | Airborne activity inside containment | Non safety | 30 mR/hr | 6.5.8 + HP memo
2(3)RE7848 | NMC analog system | Containment Refueling Cavity area radiation monitor | Airborne activity inside containment | Non safety | 6 mR/hr | 6.5.8 + HP memo

8.4.3.4.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.4.5.

Table 8.4.3.4.5 Dose Summary for SBLOCA (Ref. 6.5.1)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | 0.1 | 300 | <0.1 | 25
LPZ | <0.1 | 300 | <0.1 | 25
Control Room | 4.9 | 30 | <0.1 | 5

8.4.3.5 Fuel Handling Accident in the Fuel Handling Building (FHA in FHB)

8.4.3.5.1 Conditions of Accident

Release Point: From the Fuel Handling Building vents via the Plant Vent Stack to atmosphere.

Fuel is assumed to have at least 72 hours of decay prior to the accident.

All radioactive material is released within 2 hours.

The dispersion factors are at the 50% meteorology level.

8.4.3.5.2 Bounded Accidents: Spent Fuel Pool Boiling Accident.

8.4.3.5.3 Response Times: Manual action time to isolate CRIS: 30 minutes.

8.4.3.5.4 Defense-in-Depth. The instruments shown in Table 8.4.3.5.4 provide the operators with indications of the need to manually initiate a Control Room air system isolation.

Table 8.4.3.5.4 Defense-in-Depth for FHA in FHB

Instrument No. | Manufacturer | Inst. Function | Activity Pathway | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room (CR) Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)RE7865 | SE digital system | Plant Vent Stack (PVS) radiation monitor | Output from CAEP, split into Unit 2 and Unit 3 PVS pathways | Powered by 1E power | 10CFR20 levels per ODCM | 6.5.7
2(3)RE7850 | NMC analog system | Spent Fuel Cask Area monitor | Normal flow in FHB | Non safety | 2.5 mR/hr | 6.5.17

Note: It is assumed that monitor 2/3RE7608 (Plant Vent Stack backup monitor) has failed as a result of the SCMF.

8.4.3.5.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.5.5.

Table 8.4.3.5.5 Dose Summary for FHA in FHB (Ref. 6.5.1)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | 0.2 | 75 | <0.1 | 6
LPZ | 0.1 | 75 | <0.1 | 6
Control Room | 20.4 | 30 | <0.1 | 5

8.4.3.6 Spent Fuel Pool Gate Drop Accident (SFPGDA)

8.4.3.6.1 Conditions of Accident

Release Point: From the Fuel Handling Building vents via the Plant Vent Stack to atmosphere.

Fuel is assumed to have at least 9 days of decay prior to the accident.

The accident damages a total of 236 fuel pins.

The dispersion factors are at the 50% meteorology level.

8.4.3.6.2 Bounded Accidents: Test Equipment Drop Accident.

8.4.3.6.3 Response Times: Manual action time to isolate CRIS: 20 minutes.

8.4.3.6.4 Defense-in-Depth. The instruments shown in Table 8.4.3.6.4 provide the operators with indications of the need to manually initiate a Control Room air system isolation.


Table 8.4.3.6.4 Defense-in-Depth Instruments for SFPGDA

Instrument No. | Manufacturer | Inst. Function | Activity Pathway | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room (CR) Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)RE7865 | SE digital system | Plant Vent Stack (PVS) radiation monitor | Output from CAEP, split into Unit 2 and Unit 3 PVS pathways | Powered by 1E power | 10CFR20 levels per ODCM | 6.5.7
2(3)RE7850 | NMC analog system | Spent Fuel Cask Area monitor | Normal flow in FHB | Non safety | 2.5 mR/hr | 6.5.17

Note: It is assumed that monitor 2/3RE7808 has failed as a result of the SCMF.

8.4.3.6.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.6.5.

Table 8.4.3.6.5 Dose Summary for SFPGDA (Ref. 6.5.1)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | 0.6 | 75 | <0.1 | 6
LPZ | 0.1 | 75 | <0.1 | 6
Control Room | 29.2 | 30 | 0.1 | 5

8.4.3.7 Fuel Handling Accident in Containment

8.4.3.7.1 Conditions of Accident

Release Points: Directly into the atmosphere through the Containment Main Purge Stack.

236 fuel pins are damaged with complete inventory release. The activity has 72 hours of decay since criticality prior to movement.

The dispersion factors are at the 5% meteorology level.

8.4.3.7.2 Bounded Accidents This is a limiting accident.

8.4.3.7.3 Response Times: Manual action time to isolate CRIS: 3 minutes.

8.4.3.7.4 Defense-in-Depth. The instruments shown in Table 8.4.3.7.4 provide the operators with indications of the need to initiate a Control Room air system isolation.

Table 8.4.3.7.4 Defense-in-Depth for a Fuel Handling Accident in Containment

Instrument No. | Manufacturer | Inst. Function | Activity Pathway | Safety Class | Trip set point | Reference
2/3RE7851 | NMC analog system | Control Room (CR) Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)RE7828, or 2(3)RE7865 if connected | SE digital system | Containment Purge radiation monitor | Containment air release via mini purge ducts | Non safety | 10CFR20 per ODCM | 6.5.7
2(3)RE7845 | NMC analog system | Containment Hatch area radiation monitor | Airborne activity inside containment | Non safety | 30 mR/hr | 6.5.8 + HP memo
2(3)RE7848 | NMC analog system | Containment Refueling Cavity area radiation monitor | Airborne activity inside containment | Non safety | 6 mR/hr | 6.5.8 + HP memo
2(3)RE7820 | SE analog system | High Range Area monitor | Airborne activity inside containment | Safety | 5.9 R/hr | 6.5.9

Personnel within the containment area during fuel movement are in constant communication with the Control Room operators.

8.4.3.7.5 Dose Summary. The calculated doses at the EAB, LPZ and the Control Room are summarized in Table 8.4.3.7.5.

Table 8.4.3.7.5 Dose Summary for Fuel Handling Accident in Containment (Ref. 6.5.2)

Location | Thyroid Dose (Rem) | Thyroid Criteria (Rem) | Whole Body Dose (Rem) | Whole Body Criteria (Rem)
EAB | 72.9 | 75 | 0.4 | 6
LPZ | 2.1 | 75 | <0.1 | 6
Control Room | 19.5 | 30 | 0.3 | 5

8.4.3.8 Bounded Accident Check

Many of the UFSAR Chapter 15 accidents were considered to be bounded by the six selected accidents (Ref. 6.5.1). Three additional accidents were analyzed to demonstrate that their integrated doses were indeed bounded by other accidents. The object of the analysis was to show that the time needed to identify these accidents did not result in a higher integrated dose.

The accidents chosen were:

1. The IOSGADV w/SAF
2. The SFPBA
3. The FWSPBA

The results of this additional analysis are summarized in Table 8.4.3.8.

Table 8.4.3.8 Bounded Accidents Dose Summary

Doses are in Rem. For each location the three columns are Thyroid, Whole Body and Beta Skin.

Accident | EAB Dose (Thyroid, Whole Body, Beta Skin) | LPZ Dose (Thyroid, Whole Body, Beta Skin) | CR Dose (Thyroid, Whole Body, Beta Skin) | Isolation Requirement
IOSGADV w/SAF | <0.1, <0.1, <0.1 | <0.1, <0.1, <0.1 | 14.1, <0.1, <0.1 | None
SFPBA | <0.1, <0.1, N/A | <0.1, <0.1, N/A | 19.4, 0.3, N/A | None
FWSPBA | <0.1, <0.1, <0.1 | <0.1, <0.1, <0.1 | 7.9, <0.1, <0.1 | CPIS after 30 min

Since the FWSPBA inside the containment requires a manual action to limit the Control Room dose, the following instruments are available for defense-in-depth indications to prompt this action:

Table 8.4.3.8 Defense-in-Depth Instruments for FWSPA

Instrument No. | Manufacturer | Inst. | Function | Activity Pathway | Safety Class | Trip Set point | Reference
2/3RE7851 | NMC | analog | Control Room (CR) Area Monitor | Normal flow into CR from air intake | Non safety | 0.45 mR/hr | Attach. 2
2(3)LI5853 | International Instruments | level detector | Sump Level | RCS liquid flow into containment sump | 1E power | Hi Alarm 4 ft (14.7 ft) | 6.5.15
2(3)RE7428 | SE | digital | Containment Purge radiation monitor | Containment air release via purge ducts | Non safety | 10CFR20 per ODCM | 6.5.7
2(3)RE7845 | NMC | analog | Containment Hatch area radiation monitor | Airborne activity inside containment | Non safety | 30 mR/hr | 6.5.8 + HP memo
2(3)RE7848 | NMC | analog | Containment Refueling Cavity area radiation monitor | Airborne activity inside containment | Non safety | 6 mR/hr | 6.5.8 + HP memo

8.4.4 Dose Consequence Summary

The selected bounding accidents from UFSAR Chapter 15 all produce thyroid and body doses at the EAB, the LPZ and the Control Room that are below the established criteria. These doses were determined without the operation of either the CPIS or the FHIS monitors. A check of accidents deemed to be bounded by these primary accidents showed that no or reasonably obtainable manual isolation times are required to meet acceptable dose criteria values.

It has been shown that there is adequate instrumentation or personnel in the accident vicinity to warn the operators of potential Control Room doses with sufficient warning to take timely manual isolation action.

Sheet No. 84

ATTACHMENT 1 Telephone notes with L. Miller, SAIC

Author: ANTHONY HYDE at WEST
Date: 8/30/96 9:21 AM
Priority: Normal
TO: MIKE JAEGER at EOF
TO: DENNIS BEAUCHAINE
TO: TED QUINN at G48
BCC: ANTHONY HYDE
CC: LINDA CONKLIN

Subject: Telecon w/ Lance Miller-SAIC

Message Contents

Aug 30/1996

Called Lance Miller of SAIC (703)814-7722 about document NUREG/CR 6018 "Survey and Assessment of Conventional Software Verification & Validation Methods". He, plus two other SAIC software engineers, were responsible for producing this document for EPRI & NRC.

Asked him about his interpretation of the complexity factor "Physical Control Capability". He said that where the output of the software module was causing a change to the software input this constituted a control function. I explained our situation where a control bit is set based on a comparison with a set point value but with no feedback to the software as to the position of the damper/valve. His feeling was this did not qualify as a control function.

The question of Interrupt Handling was posed to him. I explained that a non safety system (DAS) periodically requested the transfer of data from the safety measurement channel. His feeling was if the other system (DAS) has to request the data, then the possibility exists that the safety channel function can be compromised by having to handle this request. His judgement was this would bump the complexity into the next higher category for this factor.

Asked for an interpretation of homogeneous and heterogeneous as applied to knowledge/data structures. His answer was that the intent for this complexity factor was to differentiate between systems that have multiple data bases with different data structures (e.g. 16 bit in one & 32 bit in another & with different headers/trailers that perhaps identified the pathway to each data base). Data bases with these kind of structures constitute a new level of complexity in the software.

We talked briefly about what "Real Time" meant in this context. His feeling was that if data is being processed from an input source such as our detectors, then even if we only process the accumulated data every 10 sec, it still should be considered to be real time. This would push the complexity into the medium complexity level. We discussed the example, given in CR-6018, for the level of V&V selection table as low complexity level/high integrity system. This ESAS system was a batch system with data inputs every 30 minutes and therefore qualified as a low complexity system.

Sheet No. 86

ATTACHMENT 2

Notes on Control Room Area monitor responses   ath 1/22/97

Problem:

If the CR monitors, RE7824 & RE7825, should fail because of a software common mode failure, then will the CR area monitor be sensitive enough to detect potentially threatening thyroid concentrations of I-131 over a 20 minute period (chosen as the shortest allowable manual operation per Standard Review Plan Ref. 6.1.11)?

Calculation:

The dose to the thyroid can be expressed as:

$$\text{Dose} = \int_0^{\text{Time}} BR \times CF_i \times C(t)_i \, dt$$

Where Dose is the thyroid dose in Rem; BR is the breathing rate of an adult in cc/min; $CF_i$ is the conversion factor for each specific isotope in Rem/Ci; $C(t)_i$ is the ith isotope's concentration as a function of time in µCi/cc.

In order to simplify, only I-131 is used since it is the main contributor to thyroid doses. Major whole body contributors are Xe-133 and Xe-135. Excluding the remaining isotopes in the Fuel Handling Accident mix produces a conservative whole body value at the limiting thyroid dose rate. A constant concentration is used over the relatively short period of interest (20 minutes). We know that the limiting dose is 30 Rem and therefore, by rearranging the equation, we can solve for the limiting constant concentration $C(t)$:

$$C(t) = \frac{\text{Dose}}{BR \times CF_{I\text{-}131} \times \text{Time}}$$

Dose = 30 Rem; BR = 7,300 m^3/yr = 1.39 x 10^4 cc/min (Ref. 6.1.5); Time = 20 min; $CF_{I\text{-}131}$ = 1.49 x 10^6 Rem/Ci (Ref. 6.1.5) = 1.49 Rem/µCi;

$$C(t) = \frac{30}{1.39 \times 10^{4} \times 1.49 \times 20} = 7.2 \times 10^{-5}\ \mu\text{Ci/cc}$$

The next question is what kind of field does 7.2 x 10^-5 µCi/cc of I-131 produce at the CR area detector? Using the MicroShield program and assuming the field from I-131 could be simulated by an annulus ring source 8 ft high and 20 ft in radius, we can determine what field will be produced in a concentration of 7.2 x 10^-5 µCi/cc. Since the I-131 will not be alone, isotopes Xe-133 and Xe-135 have been added at the same ratios as are found in the FHA accident source term. Therefore the concentration of Xe-133 is 243 x I-131, or 243 x 7.2 x 10^-5 = 1.7 x 10^-2 µCi/cc. The concentration of Xe-135 is 3.5 x I-131, or 2.5 x 10^-4 µCi/cc. Other isotopes present (but not included in this calculation) will not greatly impact the thyroid doses (~1% increase from I-133) but they will add to the dose rate, ensuring that the set point is exceeded.

A series of MicroShield calculations (attached) shows that, at the .e keV detector cutoff, the field in the CR would be 13.7 mR/hr. The range of this monitor is 1 x 104 to 1 x 108 mR/hr. The max allowable set point is 0.5 mR/hr. Typically, there is a 0.89 factor reduction from this value. This puts the set point at 0.45 mR/hr.

Conclusions:

If the I-131 concentration is at the 7.2 x 10^-5 µCi/cc range, then the trip set point will be exceeded by more than a factor of 20 and an alarm can be expected in less than 1 minute.

Sheet No. 88

MicroShield 4.10 - Serial #4.10-00705
Southern California Edison   Page : 1
File Ref:
DOS File: CRDOSE5< MS4   Date: //
Run Date: January 23, 1997   By:
Run Time: 8:23 a.m. Thursday   Checked:
Duration: 0:00:14
Case Title: Iodine cloud

GEOMETRY 11 - Annular Cylinder - Internal Dose Point

Dimension | centimeters | feet and inches
Dose point coordinate X: | 0.0 | 0 ft 0.0 in
Dose point coordinate Y: | 121.92 | 4 ft 0.0 in
Dose point coordinate Z: | 0.0 | 0 ft 0.0 in
Cylinder height: | 243.84 | 8 ft 0.0 in
Core cylinder radius: | 2.0 | 0 ft 0.8 in
Annulus inner radius: | 2.0 | 0 ft 0.8 in
Annulus outer radius: | 1526.0 | 50 ft 0.0 in
Source: | 1524.0 | 50 ft 0.0 in
Source Volume: 1.78387e+9 cm^3   62996.8 cu ft.   1.08858e+8 cu in.

MATERIAL DENSITIES (g/cm^3)

Material | Cyl. Core | Source | Material Slab
Air | 0.00122 | 0.00122 |

BUILDUP
Method: Buildup Factor Tables
The material reference is Source

INTEGRATION PARAMETERS
Quadrature Order: Radial 10; Circumferential 10; Y Direction (axial) 20

SOURCE NUCLIDES

Nuclide | curies | microCi/cm^3
I-131 | 1.2844e-001 | 7.2000e-005
Xe-133 | 3.0326e+001 | 1.7000e-002
Xe-135 | 4.4597e-001 | 2.5000e-004

Sheet No. 89

Page : 2   DOS File: CRDOSE30.MS4
Run Date: January 23, 1997   Run Time: 8:23 a.m. Thursday
Title: Iodine cloud

RESULTS

Energy (MeV) | Activity (photons/sec) | Energy Fluence Rate (MeV/sq cm/sec) No Buildup | Energy Fluence Rate (MeV/sq cm/sec) With Buildup | Exposure Rate In Air (mR/hr) No Buildup | Exposure Rate In Air (mR/hr) With Buildup
0.08 | 4.095e+011 | 7.242e+003 | 8.429e+003 | 1.146e+001 | 1.334e+001
0.15 | 4.762e+007 | 1.600e+000 | 1.775e+000 | 2.634e-003 | 2.923e-003
0.2 | 1.565e+010 | 7.047e+002 | 7.625e+002 | 1.244e+000 | 1.346e+000
0.3 | 3.105e+008 | 2.114e+001 | 2.244e+001 | 4.011e-002 | 4.257e-002
0.4 | 3.952e+009 | 3.608e+002 | 3.787e+002 | 7.031e-001 | 7.379e-001
0.5 | 1.713e+007 | 1.963e+000 | 2.045e+000 | 3.853e-003 | 4.014e-003
0.6 | 8.677e+008 | 1.197e+002 | 1.240e+002 | 2.336e-001 | 2.421e-001
0.8 | 8.566e+007 | 1.583e+001 | 1.629e+001 | 3.011e-002 | 3.099e-002
TOTAL: | 4.304e+011 | 8.468e+003 | 9.736e+003 | 1.372e+001 | 1.574e+001


Sheet No. 90

ATTACHMENT 3 FHIS Isolation Logic

Table 1 Fuel Handling Building Isolation Operation (Proposed)

Input states | Train A Inlet Dampers HV9846 | Train A Outlet Dampers HV9847 | Train B Inlet Dampers HV9844 | Train B Outlet Dampers HV9845 | System Isolation State
7822 'A' Hi | Close | Close | | | Emergency mode
7823 'B' Hi | | | Close | Close | Emergency mode
Channel fail low 'A' | | | | | Normal mode
Loss of inst. Power 'A' | Close | Close | | | Emergency mode
Channel fail low 'B' | | | | | Normal mode
Loss of inst. Power 'B' | | | Close | Close | Emergency mode
Manual FHIS 'A' | Close | Close | | | Emergency mode
Manual FHIS 'B' | | | Close | Close | Emergency mode
Bypass 'A' | Note 5 | Note 5 | | |
Bypass 'B' | | | Note 5 | Note 5 |

Note 1 Isolation state is the result of a single input action
Note 2 Blank space is 'As is' position
Note 3 Isolation valve states determined only by input changes within specific train; not affected by other train operation
Note 4 Loss of site power will de-activate air operated valves HV9630A2, HV9846 and HV9849
Note 5 Automatic actuation is disabled but manual override is available
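As an added illustration, not part of the calculation or of the plant's logic implementation, the following Python model encodes Table 1 row by row so the notes can be exercised: each input acts on one train only (Note 3), a blank cell leaves the dampers as they were (Note 2), and a bypassed train ignores automatic inputs but still honours manual FHIS (Note 5). It assumes that the two damper tags listed under each train are that train's inlet/outlet pair and that the 'Normal mode' entry for a channel failing low means no change from a normal initial condition. The point it makes visible is the asymmetry the evaluation relies on: loss of instrument power fails a train closed, whereas a channel that fails low closes nothing, so that case depends on the defense-in-depth indications discussed in the body of the calculation. Names such as Fhis, apply and the event keys are the example's own.

```python
"""Train-level model of the proposed FHIS isolation logic in Table 1.

Added example; names and the event keys are this example's own, not plant tags.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPEN, CLOSE = "Open", "Close"
AS_IS: Optional[str] = None  # blank cell in Table 1: damper keeps its present position (Note 2)

# Inlet/outlet damper tags per train as listed in Table 1 (assumed to be that train's pair).
TRAIN_DAMPERS: Dict[str, Tuple[str, str]] = {
    "A": ("HV9846", "HV9847"),
    "B": ("HV9844", "HV9845"),
}

# One Table 1 row per input, keyed generically so the same row serves train A and train B:
# input -> (damper action, resulting system isolation state).
TABLE_1: Dict[str, Tuple[Optional[str], str]] = {
    "rad_hi": (CLOSE, "Emergency mode"),              # 7822 'A' Hi / 7823 'B' Hi
    "channel_fail_low": (AS_IS, "Normal mode"),       # nothing closes; dampers stay as they were
    "loss_of_inst_power": (CLOSE, "Emergency mode"),  # fails closed
    "manual_fhis": (CLOSE, "Emergency mode"),
}
# Inputs that Bypass disables (Note 5); manual actuation remains available.
AUTOMATIC_INPUTS = {"rad_hi", "channel_fail_low", "loss_of_inst_power"}


@dataclass
class Train:
    dampers: Dict[str, str]
    state: str = "Normal mode"
    bypassed: bool = False


@dataclass
class Fhis:
    trains: Dict[str, Train] = field(default_factory=lambda: {
        name: Train({tag: OPEN for tag in tags}) for name, tags in TRAIN_DAMPERS.items()
    })

    def bypass(self, train: str, enabled: bool = True) -> None:
        """Place one train in Bypass (Note 5) or return it to service."""
        self.trains[train].bypassed = enabled

    def apply(self, train: str, event: str) -> Train:
        """Apply one input action to one train (Note 1) and return that train.

        Only the addressed train changes (Note 3). A row whose damper cells are
        blank leaves both dampers and state untouched, which from a normal initial
        condition is the 'Normal mode' result Table 1 lists for a channel that fails low.
        """
        if event not in TABLE_1:
            raise ValueError(f"unknown input: {event}")
        tr = self.trains[train]
        if tr.bypassed and event in AUTOMATIC_INPUTS:
            return tr  # Note 5: automatic actuation disabled
        action, state = TABLE_1[event]
        if action is AS_IS:
            return tr
        for tag in tr.dampers:
            tr.dampers[tag] = action
        tr.state = state
        return tr

    def isolated(self, train: str) -> bool:
        """True when every damper of the train is closed."""
        return all(pos == CLOSE for pos in self.trains[train].dampers.values())


if __name__ == "__main__":
    fhis = Fhis()
    fhis.apply("A", "rad_hi")            # 7822 'A' Hi closes HV9846/HV9847
    fhis.apply("B", "channel_fail_low")  # train B dampers stay as they were
    for name, tr in fhis.trains.items():
        print(name, tr.state, tr.dampers, "isolated" if fhis.isolated(name) else "not isolated")
```

Driving the model with the inputs from the table shows train A isolated after a rad-high on 7822 while train B, whose channel failed low, remains open in normal mode; only a loss of instrument power or a manual FHIS actuation on train B closes HV9844/HV9845.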

Sheet No. 91

ATTACHMENT 4 Containment Purge Isolation Logic

Table 2a Containment Isolation Operation in MODE 1-4 (Proposed)

Inside Containment Valves: Inlet Valve HV9823 (Train A), Exhaust Valve HV9824 (Train B). Outside Containment Valves: Inlet Valve HV9821 (Train B), Exhaust Valve HV9825 (Train A).

Input states | HV9823 (Train A) | HV9824 (Train B) | HV9821 (Train B) | HV9825 (Train A) | Containment Isolation state
SIAS | Close | Close | Close | Close | Closed
CIAS | Close | Close | Close | Close | Closed
CPIS 7804 'A' Hi | Close | | | Close | Closed
CPIS 7807 'B' Hi | | Close | Close | | Closed
Channel fail low 'A' | | | | | Open
Loss of inst. Power 'A' | Close | | | Close | Closed
Channel fail low 'B' | | | | | Open
Loss of inst. Power 'B' | | Close | Close | | Closed
Manual CPIS 'A' | Close | | | Close | Closed
Manual CPIS 'B' | | Close | Close | | Closed
Bypass 'A' | Note 4 | | | Note 4 |
Bypass 'B' | | Note 4 | Note 4 | |
RE7828 Hi or RE7865 Hi | Close, Close (valve columns not legible in source) | | | | Closed

Note 1 Penetration state is the result of a single input action
Note 2 Blank space is 'As is' position
Note 3 Main Purge Valves are administratively closed in modes 1-4
Note 4 Automatic actuation is disabled but manual override is available

Sheet No. 92

Table 2b Containment Isolation Operation in MODE 6 (Proposed)

Inside Containment Valves: Inlet Valves, Train A (HV9823 mini purge, HV9949 main purge); Exhaust Valves, Train B (HV9824 mini purge, HV9950 main purge). Outside Containment Valves: Inlet Valves, Train B (HV9821 mini purge, HV9948 main purge); Exhaust Valves, Train A (HV9825 mini purge, HV9951 main purge).

Input states | Train A valves (HV9823, HV9949, HV9825, HV9951) | Train B valves (HV9824, HV9950, HV9821, HV9948) | Isolation state
SIAS | N/A | N/A | N/A
CIAS | N/A | N/A | N/A
CPIS 7804 'A' Hi | Close (all four) | | Closed
CPIS 7807 'B' Hi | | Close (all four) | Closed
Channel fail low 'A' | | | Open
Loss of inst. Power 'A' | Close (all four) | | Closed
Channel fail low 'B' | | | Open
Loss of inst. Power 'B' | | Close (all four) | Closed
CPIS Manual 'A' | Close (all four) | | Closed
CPIS Manual 'B' | | Close (all four) | Closed
Bypass 'A' | Note 4 | |
Bypass 'B' | | Note 4 |
RE7828 Hi or RE7865 Hi | Close, Close, Close, Close (valve columns not legible in source) | | Closed

Note 1 Penetration state is the result of a single input action
Note 2 Blank space is 'As is' position
Note 3 Main Purge Valves are administratively closed in modes 1-4. Main & mini purges can both be operable during mode 6
Note 4 Automatic actuation is disabled but manual override is available

Sheet No. 93

ATTACHMENT 6 Control Room Isolation Logic

Table 3 Control Room Isolation Operation (Proposed)

Input states | Emergency AC Unit A | Emergency AC Unit B | Normal Flow | System Isolation State
CRIS 7824 'A' Hi | In Operation | | Secured | Emergency mode
CRIS 7825 'B' Hi | | In Operation | Secured | Emergency mode
Unit 2 SIAS | In Operation | In Operation | Secured | Emergency mode
Unit 3 SIAS | In Operation | In Operation | Secured | Emergency mode
Channel fail low 'A' | | | In Operation | Normal mode
Loss of inst. Power 'A' | In Operation | | Secured | Emergency mode
Channel fail low 'B' | | | In Operation | Normal mode
Loss of inst. Power 'B' | | In Operation | Secured | Emergency mode
CRIS Manual 'A' | In Operation | | Secured | Emergency mode
CRIS Manual 'B' | | In Operation | Secured | Emergency mode
Bypass 'A' | Note 5 | | |
Bypass 'B' | | Note 5 | |

Note 1 HVAC system state is the result of a single input action
Note 2 Blank space is 'As is' position
Note 3 HVAC system states determined only by input changes within specific train; not affected by other train operation
Note 4 Vital bus trained power can be obtained from either Unit 2 or Unit 3
Note 5 Automatic actuation is disabled but manual override is available