ML20236N599
| ML20236N599 | |
| Person / Time | |
|---|---|
| Site: | Big Rock Point File:Consumers Energy icon.png |
| Issue date: | 01/31/1987 |
| From: | Reigel D, Robare D GENERAL ELECTRIC CO. |
| To: | |
| Shared Package | |
| ML20236N440 | List: |
| References | |
| RTR-NUREG-0390, RTR-NUREG-390 NEDO-30883-A, NUDOCS 8711160246 | |
| Download: ML20236N599 (62) | |
Text
-,-
5.,
v
- h:'
,I' I
,5 j.
4 t
i
?
q.g#:: %.{.lp., *
%Q
\\ f l; ', ^8 i
_p.
mj
,e
- g. ;
m w +; '
, Js<
g 5
...i zi j, y rg'
?".,.
\\-
t NEDO 30883 A,
s
- CLASSI L je M
- JANUARY 1987-
+
e 3
(
- ,' }
/
il i
- . t
- - * ' '
l l
[\\l l.+ \\ (;.
1 a. :-
t
'l
~;
3 j ':
c-r.
4 n
T LICENSING TOPICAL REPORTq
],
/
j I
1
,[
1 4
tl g
)
1 5
.t THEiNUDllEAR? MEASUREMENT 7 m
J ~.
SANALYSISEAND1CONTRDOE c.
~
s:
n TLOGARITHMICJRADIATIDNL JMO.NITOR/NUMACLLRM[ '
y.
.u
- b.
a, t
s g
i i
i i
i 1
)
f 4
,i
',P l
4 1
8711160246 871109
- oa
^oock oso W 5 G E N E R A L,'
ELECTRIC x
L_A N-_ A_-_s.
NEDO-30883-A Class I January 1987 I
LICENSING TOPICAL REPORT l
THE NUCLEAR MEASUREMENT ANALYSIS AND CONTROL LOGARITHMIC RADIATION MONITOR (NUMAC-LRM) l t?
Approved:
Ef M
l'l Approved:
D.W. Reigel, tanager D.J. Robare, Manager
~
Electronic Products Licensing Services Engineering I
l NUCLEAR ENERGY BUSINESS OPERATIONS
- GENERAL ELECTRIC COMPANY SAN JOSE, CALIFORNIA 95125 GENER AL $ ELECTRIC 1
NEDO-30883-A DISCLAIMER OF RESPONSIBILITY This document was prepared by or for the General Electric Company.
Neither the General Electric Company nor any of the contributors to this document:
A.
Makes any warranty or representation, express or implied, with respect to the accuracy, completeness, or usefulness of the information contained in this document, or that the use of any information disclosed in this document may not infringe privately owned rights; or
\\
B.
Assumes any responsibility for liability or damage of any kind which may result from the use of any information disclosed in this document.
The information contained in this report is believed by General Electric j
to be an accurate and tru3 representation of the facts known, obtained or I
provided to General Electric at the time this report was prepared.
ii
'l
' jnse
- Y
'k UNITED STATES
- ((
. p NUCLEAR REGULATORY COMMISSION ~-
E.
\\..... pf
. WASHINGTON, D. C. 20665 '
r September 16,1986 R
Mr. D. J. Robare.
-Licensing Services Manager t
General' Electric-Company, 175 Curtner Avenue J
- San Jose, California 95125
Dear Mr. Robare:
1
SUBJECT:
, ACCEPTANCE FOR REFERENCING OF' LICENSING TOPICAL REPORT j
.NED0-30883, "THE NUCLEAR MEASUREMENT-ANALYSIS AND CONTROL LOGARITHMIC RADIATION MONITOR (NUMAC-LRM)"
j f
We have completed our review of the subject topical report submitted by l
General Electric Company by letter dated May 17. 1985.
- l We.-find the_ report!to be acceptable for referencing in license applications to
-l the axtent specified and under the limitations delineated in the report and d
the associated NRC; evaluation,'which is enclosed. The evaluation defines-the
-basis for acceptance'of the report.
We.do not intend to repeat our review of the matters described in the report and found acceptable.when the report appears:as a reference in-license applications,-except to assure that the material presented is applicable to the specific plant-involved. Our acceptance applies only to the matters described in the report.
In accordance with procedures established in NUREG-0390, it is requested that GE publish accepted versions of this' report within three months of receipt of this letter. The accepted versions'shall incorporate this letter and the enclosed evaluation between the title page and the abstract. The accepted versions?shall include an -A (designating accepted) following the report identifi. cation symbol.
Should'our criteria or regulations change such that our conclusions as to the acceptability of the report are-invalidated, GE and/or the applicants
-i referencing the topical report will be expected to revise and resubmit their 1
respective documentation, or submit justification for the continued effective i
applicability of the topical report without revision of.their respective.
' documentation.
Sincerely, V
Gus C. Lainas Assistant Director Division of BWR Licensing
Enclosure:
'As stated 111/iv
l.
L j
ENCLOSURE SAFETY-EVALUATION OF. LICENSING TOPICAL REPORT NEDO-30883,
'"THE' NUCLEAR MEASUREMENT ANALYSIS AND CONTROL LOGARITHMIC
' RADIATION' MONITOR (NUMAC-LRM) 1.0 Sumary -
The staff has completed its review of the General Electric Company (GE) topical report NED0-30883, "The Nuclear Measurement. Analysis and Control Logarithmic
~ Radiation Monitor (NUMAC-LRN)," and the supplemental information provided in
-References 3 and 4.
The staff finds the report to be. acceptable for referencing-in license applications.to the extend specified and under limitations delineated in the report and the associated NRC evaluation.
- 2.0 ' Acceptance Criteria ~
The criteria used in evaluating this topical. report-include 10 CFR Part 50.55.a.(h) (IEEE Standard 279 requirements), Regulatory Guide 1.152-(Criteria for Programmable Digital Computer System Software in Safety-Related Systems of-Nuclear Power Plants), and the Standard Review Plan Section 7.1, Table 7-1 (Acceptance Criteria and Guidelines for Instrumentation and Control Systems Important to Safety).
3.0 Description
]
The Logarithmic Radiation Monitor (LRM) is a member of the Nuclear Measurement Analysis and Control-(NUMAC) family of microcomputer-based instruments
. developed by the General Electric Company as a functional and physical replacement for the existing Integrated Nuclear Measurement and Control (INMAC)
LRMs. currently used in many BWRs. The NUMAC product line is expected to have lower failure rates than the INMAC spare parts for the NUMACs are more readily
.j available with shorter lead times;NUMAC-maintenance costs are expected to be lower; and technical support is'more readily available. To enhance the reliability and availability of the instrument, the NUMAC-LRM incorporates into its design a microprocessor controlled Self-Test System, which continuously checks the operability of all safety-related functions. General Electric undertook the development.of the NUMAC-LRM in early 1983, using the latest state-of-the-art technology.
The NUMAC-LRM design has yielded the following valuable improvements:
a.
Instrument drift rate is reduced by at least_ a factor of four with the incorporation of automatic zero and automatic gain feateres, o
b..
Accuracy,and resolution is improved by a fact:r of two with the use of automatic calibration and digital processing / display and noise reduction.
v 2
1
7
. c.
-Separation of safety-related and non-safety-related components is
. achieved with-the use of a serial data link.
d.
- Human error.is reduced through the use of digital display,. menu-driven software, and human-factor engineered front panel design, e.
Possibility of in' advertent scram or containment isolation is reduced because'of improved calibration and testing techniques; 4.0 : Evaluation (1) Conformance to Safety-Related System Requirements (IEEE Std. 279-1971)
The report states that the NUMAC-LRM can perform both safety-related and non-safety-related functions.
The safety classification of a NUMAC-LRM is
' t as specified for a particular application. The self-testing feature.is, in itself,ilot safety-related. However, if it detects a failure of a safety-related function, it causes an Inop trip.
It is the staff's position that when the LRM is used for safety-related function-(such as' Main Steam Line High Radiation Trip). it should conform to the IEEE. Standard.279-1971 requirements for a protection system.
The interface between the non-safety-related portion of the NUMAC-LRM system 1
' and the safety related trip systems should be isolated by the qualified isolators. Particular emphasis should be placed on the methods (s) used to i
qualify the isolators for their particular function.
This should. include an analysis and tests which will demonstrate that the isolator will function under the maximum worst case fault conditions.
In response to the staff's request for' additional information, General Electric stated that the NUMAC-LRM is designed to be an exact replacement j
for Log' Rad Monitors Used in the BWR Process Radiation (Main Steam Line and Offgas) Monitoring and Containment Atmospheric Monitoring Systems.
When used for such purposes, conforriance of the host system to IEEE Standard 279-1971 is preserved, including the use of multiple instruments i
where required. The staff finds this design approach acceptable.
L_
(2) _ConformancetoSeparationCriterion(R.G.1.75)
'In response to the staff's request for additional'information, General Electric stated that the NUMAC-LRM is a single-channel' instrument designed to be an exact replacement for Log Rad Mor.itors'.
E6ch NUMAC-LRM contains a single input module. A second one cannot be effectively added. When i
the LRM is used for safety-related function, the channel separation and i
channel independence will be maintained. The interface criteria for its installation into existing operating plant will be the same as for the l
original monitors.
It utilizes the existing external isolation devices and the power source that the present instrument uses.
The staff finds
{
this design aspect acceptable.
j vi l
l i
a o[ V
[
,1 n
A
'.'g g
- (3) Equipment Qualification The.NUMAC-LRM was qualified, using the methodology of IEEE Std. 323-1974, to the same temperature limits as specified for.the instruments being replaced. The qualification procedure used for the NUMAC-LRM, including the aging process, represents an improvementiin product testing over the older
- log rad monitors. The NUMAC-LRM was designed for use in control room or similar environments, not in " harsh" environment, including a total integrated radiation dose of 175 Rads, and the maximum operating temperature of 50*C (122*F) for the location where a NUMAC-LRM is installed.
Recent operating plant event reports have identified problems involving temporary loss of HVAC in the instrument room area causing the heat sensitive electronic components to fail. Therefore, it is the staff's 1
position that the installation of the NUMAC-LRM. system in a plant area should include a conservative correlation between the hottest spot temperature inside the cabinet and the pennissible maximum room temper-ature. The staff will review the plant specific submittal-to assure that the NUMAC-LRM instrument will be operating within the qualification limit.
..(4) Software Design VeHfication and Validation Test Results In the staff's-request for additional information, the staff requested General Electric to describe the design of the LRM and its conformance to Regulatory Guide 1.152, Criteria for Programmable. Digital Computer System Software in Safety-Related Systems of-Nuclear Power Plants.
General Electric's response (Refs. 3 and 4) states that. Regulatory Guide 1.152 was not'available at the time NUMAC-LRM development began. However. the response does describe the design process'and the design verification and validation steps utilized in the development of the hardware and of the software.. The staff's review of the description of the design process and of the design verification and validation (V & V) steps noted that many documents were prepared to record the design, test results, and V & V activities. An overall Requirements Specification, which lists all functional and technical requirements for the instrument was prepared.
The requirements specification was design verified by comparison against i
the specification for the instrument NUMAC-LRM replaces and by a review of its intended application.
Required hardware-software integration testing was specified in the Software Validation Plan and Procedure, which was prepared and design verified with the Requirement Specification.
Software was developed in accordance with a Software Management Plan. A design specification was prepared for each software component module, and after coding..each module was tested. The developed so.ftware was then entered in Programable Read Only Memory (PROM) and installed in a NUMAC-LRM chasa s for testing in accordance with self-test Integration and Software Validation Test Plans and Procedures, v11 a
m
i i
V The staff also recuested General Electric to provide examples of problems found during valication testing.
General Electric described the problems in three general categories:
1)
' software problems requiring rework, such as resolution of trip point settings due to software sampling logic;-
2) minor software anomalies, such as an inconsistency with a' design intent;
- 3). minor inconsistencies in the test procedure,-such as ambiguous wording.
Based on the data provided by General Electric, the staff concludes that an effective design verification and validation program was used in the development of the instrument. The staff finds that th' program meets
. the intent of Regulatory Guide 1.152.
(5) Operating System and Software Structure In the staff's request for additional information, the staff solicited data on the design methods and techniques used to prevent the software program from cycling. in a continuous loop and to defend against comen mode failures, as the same software program is used for redundant safety-related channels. The staff's review of General Electric's response to this concern found the following:
1)
Software for the NUMAC-LRM was developed and documented in accordance with the NRC approved Nuclear Energy Group Boiling Water Reactor i
Quality Assurance Program.
2)
The NUMAC-LRM has two computers, but only the functional computer is required to perform critical tasks. The display computer is designed to run an " executive loop" with. hardware timers so that the potential for traps is minir.ized and depends primarily on the integrity of the hardware.
3)
One functional computer runs with a small operating system, which itself is an executive loop, started and re-entered by a hardware timer.
Initiation of the operating system depends on hardware, and any endless loop in the application software will.be escaped via the hardwere restart.
4)
The operating system occupies about 2k bytes of PROM memory. Total operational run time for the operating system in the LRM plus other
' instruments is in excess of 40,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />.
Structured and unstructured testing of the operating system is in excess of 2,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />. Testing of the operating system logic included monitoring viii
ta l
p e
R
]
k software timers to assure that task times are correct and, therefore,-
confirmed'that software paths are as expected.
1 5)
The NUMAC-LRM functional software is structured in tasks with all of the critical > functions included in one task, which has the highest.-
priority. A hardware watchdog' timer _is refreshed by software logic that requires the main' operating system and the, main task to be running at the predefined frequency.
Failure of the. main task'to run at the. required rate will.' result in time out of the watchdog timer.
1
' Based on this data, the staff concludes that the above design measures andLtest procedures.are' reasonable.to prevent the software program for cycling in a continuous loop and to defend against common mode failures.
5.0 Conclusion Based'on its review, the staff concludes that the topical report NED0-30883
)
witn the supplemental information provided in References 3 and 4 have
' demonstrated that the' NUMAC-LRM instrument will perform safety-related function in a reliable manner. Therefore, it'is acceptable for referencing in license-application, along with plant specific considerations delineated in this report.
6.0 References L
1.
- NED0-30883, "The Nuclear Measurement Analysis and Control Larithmic l
Radiation Monitor (NUMAC-LRM), " General Electric Company, April 1985.
2.
Letter from M. Srinivasan, NRC, to R. Artigas,-General Electric Company,
Subject:
Request for Additional Information'on; licensing Topical Report.
NEDO-30883, "The Nuclear Measurement Analysis and Control Logarithmic Radiation Monitor (NUMAC-LRM)," dated April 7, 1986 3.
Letter from D. J. Robare, General Electric Company, to M. Srinivasan, NRC,
Subject:
Response' to Request for Additional Infonnation on NED0-30883, dated June 11, 1986
'4.
Letter from D. J. Robare General Electric Company to M. Srinivasan, NRC,
Subject:
Supplemental Infonnation on NUMAC-LRM, dated August 7,1986.
]
l l
1x/x
NEDO-30883-A CONTENTS f
Page
'l ABSTRACT
.xv
'1.(INTRODUCTION ~
~
1-1 l
2.
SUMMARY
AND CONCLUSIONS 2-1 3.
SYSTEM DESCRIPTION 3-1
- 31. Hardware Configuration 3-1 3.1.1 Essential Microcomputer 3-7' l
3.1.2 - High Speed Parallel Data Bus.
3-7 3.1 3 Serial Data Link 3-7 3.1.4 Detector Signal Conditioning' 3-8
-l 3.1.5', Detecter Power Supply 3-8 3.1.6 Trip and Analog outputs 3-8 3.1.7 ' Redundant Instrument Power Supplies 3-8
~
3.1.8 Display Computer and Front Panel 3-8 3.2 Firmware Configuration 3-9 3.2.1 Functional Firmware 3-9 3.2.2 Display Firmware 3-12 3.1 System Operation 3-12 4.
DESIGN REQUIREMENTS 4-1 4.1 Safety Classification-4-1 4.2 Instrument Power 4-1 4.2.1 Standard Supply 4-1 4.2.2 Optional Supply 4-1 4.3 Environmental Conditions 4-1 4.3.1 Seismic and Vibration 4-2 4.3.2 Product Life 4-4
~4.3.3' Reliability and Availability 4-4 4.4 Mechanical Design Requirements 4-5 4.4.1 General 4-5 4.4.2 Dimensions 4-5 4.4.3 Weight 4-6 4.4.4 Modularity 4-6 4.4.5 ' Mounting 4-6 4.4.6 Chassis 4-6 4.4.7 Front Panel 4-7 1
4.'4.8 Connections 4-8 4.4.9 Color and Finish 4-8 4.5 Electrical Design Requirements 4-8 4.5.1 Measurement Section (Femtoammeter) 4-d 4.5.2 Trip outputs 4-9 4.5.3 Polarizing Power Supply output 4-13 i
Xi
.i m =
i
's)
CONTENTS (Continued)
Page
- 4.5.4 Other Outputs
.4 4.5.5 Component Grade 4-14
~
4.6 User lnterface/C6ntrols 4-14 4.6.1 Controller.
4-14 4.6.2 Front Panel Display 4-15 4.6.3 Front Panel Operating Keys 4-17 4.6.4 Keylock Switch 4-17 4.6.5 HELP System 4-19 4.7 Computer Configuration 4-19 4.8 Self-Te s tability 4-21 4.9 Calibration 4-23 4.9.1 External 4-23 4.9.2-Internal 4-24 4.9.3 Trips 4-24
(
4.9.4 Microprocessors 4-24 l
4.9.3 Display 4-25 l.
4.9.6 Ramp Tests 4-25 l
- 4.9.7 Enhancements 4-25 l-5.
QUALITY ASSURANCE REQUIREMENTS 5-1
.5.1 Design Verification 5-1 5.1.1 ' Thoroughness of Design 5-1 5.1.2 Qualification 5-1 5.2 Product Quality 5-3 5.2.1 Workmanship 5-3 5.2.2 Acceptance Testing 5-3' 6.
REFERENCES 6-1 APPENDICES l.
A.
INFORMATION REQUESTED BY THE STAFF A-1 l-i xii l
1
1
- p.
1 NEDO-30883-A.
gL '
1 ILLUSTRATIONS
.3i Figure --
Title Pa g e'-
f
. 3-1.
NUMAC-LRM Front Panel 1 3-2 3 NUMAC-LRM, Top View 3-3~
'3-3 NUMAC-LRM, Side view 3-4
' \\
3 NUMAC Functional Block. Diagram
'3-5
~
3 3-5 Typical NUMAC Logarithmic Radiation Monitor Displays 3-6
- 4-l'
. Required Response Spectra, Horizontal and Vertical.
4-3' l '
>-r:
i i
l-l 1
1
' )
I xiii/xiv
1 i
ABSTRACT L
Described in this report is a microcomputer based Logarithmic Radiation Monitor (LRM), which is a member of the Nuclear Measurement Analysis and Control (NUMAC) family. The NUMAC-LRM uses microprocessors and solid-state logic for radiation monitoring and includes a Self-Test System (STS) to assure a high degree of availability.
Design criteria, performance and qualification bases, and pctential applications for the NUMAC-LRM are described.
I xv/xvi
1.
INTRODUCTION L
l l
The Logarithmic Radiation Monitor (LRM) is a member of the Nuclear 1
Measurement Analysis and Control (NUMAC) family of microcomputer-based instruments developed by General Electric Company (GE) as s functional and physical replacement-for the existing Integrated Nuclear Measurement and Control (INMAC) LRMs currently used in many BWRs. The NUMAC product line is expected to have lower failure rates than the INMAC; spare parts for the NUMACs are more readily available with shorter lead times; NUMAC maintenance costs are expected to be lower; and technical support is more readily available. General Electric Company undertook the development of the NUMAC-LRM-in early 1983 using the latest state-of-the-art technology.
The NUMAC-LRM instrumentation meets all of the applicable regulatory requirements and improves the performance of existing instrumentation.
These goals are achieved through the use of microprocessor cards for all logic and timing operations. To enhance the reliability and availability of t'e instrument, the NUMAC-LRM incorporates into its design a microprocessor controlled Self-Test System (STS) which continuously checks the operability of j
all safety-related functions.
1 On November 16, 1983, GE made a presentation to the Staff regarding the design of the NUMAC-LRM. The Staff documented their concerns and preliminary conclusions in Reference 1.
Reference 1 also indentifies information to be provided about the final NUMAC-LRM design in this Licensing Topical Report (LTR) for Staff review and acceptance prior to allowing installation of the NUMAC-LRM at an operating reactor with increased surveillance intervals. Since any proposed increase in surveillance interval would be plant-specific, this information is not included in this LTR, but is provided separately.
A listing of the Staff concerns is given in Appendix A with the corresponding sections of this report containing that information.
1-1
'. 75.' #
NEDO-30883-A Section 3 of'this report contains a description of the NUMAC-LRM System,
- including hardware, firmware, and' system operation. -Section 4 describes the
~
design criteria and performance _ standards of the ' system.
Section 5 contains the qualification bases (seismic, environmental,.and testing) for the system.
i I
i I
1 I
1-2
w,
s;.
.e
]
y
-NEDO-30883-A ii i-K I
hY, 2.
SUMMARY
-AND. CONCLUSIONS j
w The proposed'new LRM is a member of the NUMAC microcomputer based family of. instruments"for nuclear safety-related>and non safety-related appli-l
- cations. The NUMAC-L2M offers'several advantages over the systems now in use at'many BWRs and meets all-: applicable. regulatory requirements. -'One significant Limprove:sent -is that : the functional circuitry is continually.being J
l checked as opposed to a once per month or less surveillance: frequency for a
1 conventional designs. Another significant improvement'is that the test circuitry is hard wired in place,so that-: temporary modifications to the
.. )
functiona1Leircuitry during testing;(e.g., bypassing channels, connecting'and.
D
' disconnecting test;1eads and'other test equipment) is not necessary. This feature ~ eliminates the potential for not-returning functional' circuits to
'their normal' operating mode.following~ testing. In addition, the NUMAC-LRM design has' yielded the following valuable improvements:-
q I
a.
Instrument drift rate is reduced by at:1 east a factor of four with the incorporation of. automatic zero and automatic:-gain features.
- b. -Accuracy!and resolution is improved by.a factor of two with the use ofl automatic calibration and digital processing / display and noise reduction.-
Separation of safety-related and non-safety-related components is c.
. achieved with the use of'a serial data link.
j
.d.. Human error is reduced through the use of a digital display, menu-driven software, and a human-factor-engineered front panel
. design..
e.-
,2blity of inadvertent scram or containment isolation is reduced because of improved calibration and testing techniques.
l.I i
2-1
.:n l
.q I
NED0-30833-A In conclusion, the NUMAC-LRM meets all of the appliethle regulatory requirements and improves the reliability and performance or the existing instrumentation. The use of the STS will improve the overall safety margin of the nuclear power plant.
1 1
2-2
aNEDO-30883-A.
w; q:
J.g.
. 3.-
SYSTEM DESCRIPTION The4 following sections discuss = the hardware and firmware ~ features of the
'NUMAC-LRM' System. LA description of. the operation of ' the system, including the' Lc.
Self-Test System,- is ' also presented.
L i; >
3.1 HAPJNARE CONFIGURATION -
L
-The NUMAC-LRM is designed to physically replace GE Log Rad Monitors 194X629, 238X660,.368X426AA and 442X795.
The NUMAC-LRM's chassis has
' dimensions'of-19-in.; wide by7-in. high by approximately 17-in. deep,.and is slide mounted to permit easy maintenance end module replacement.
- The NUMAC' chassis. is.a standard 7-in. high by 19-in. wide rack-mounted
~
dnstrument. : Printed circuit boards are housed in a standard card file which.
!haa, soace for a. maximum of'15 printed circuit boards.
Circuit boards clug.
1 into a'st'ndard backplane or motherboard containing printed power wiring, a
~
a L
. ground wiring and the signal / computer bus.
Located at the. rear of the chassis Jis -almodular'connectorL panel for signal input / output (I/0) and pcuer input.
Located'at the front of the chassis is the front display panel.
The design off c.
the chassis includes' features to aid in testing.
Every pin.and. card slot is 11abeled on the back' of the motherboard.
Printed circuit boards are mounted from the top of_the chassis to allow quick replacement if required.
l The NUMAC-LRM, which is illustrated in Figures 3-1 through 3-5, consists
'of the following modules: an essential microcomputer; a high speed parallel data bus; a serial data link; detector eignal conditioning; a detector power
. supply; trip and analog outputs; two redundant instrument power supplies; a
)
1 display microprocessor; and the front panel display. Each of these modules is Ldescribed:in Subsections 3.1.1 through 3.1.8.
3-1
3 r
%rr-r v%,
rr 6
1_LAi TTTT
= = k
[=~
g a
a s8 v
p s-E T
- -sj (r~~
T o
a (r.
3 2
s N
=
l x
\\
os o
>=
s O
T W
m
==A o
s 4
d oc W
^))
U W
2 O
3
(%
J o
C 3
3-2
W NEDO-30883-A l
. N P
R et E--
R
i-
- .m k
.i;-
W W
l
'l o
jl o
1I o
I
\\#
l
^ - -
~
^ ^ - ~
{ i.,
w vu n
,y
,y w
wwnn w n pv n w
gg gg,
_q t
N.' -
a.r ut.rvi_hp nu m m_m. rut r( g
..1 g
l i
l l
I l
l
.N,.
. 7,y l
"FF"9 lO
.l_
10 o
lIo o
01 1
,,,,a.,,,
I o
01 i
I
_iii_
N g
g g
o n- -
3 I~
_ = _ _ _...,
E m,
% uni
td 1
i
.i i
w w
Y,o.
> '.4.
V if Figure 3-2.
NUMAC-LRM, Top View 3-3 i'
}'d '
' {
- 4.,
4 c
- . j ;
I I
4' w
=__,. _ _ _ _ r_ g _ _ _ _ _ _p. w=w u@ i-E( K I
- 4 ::_ _ m.au o
i r,
m l$2)h
'5 c
i.,i
- g I
l II l.
, E1 mO... __ _g
-A,.
i '-
n L.
@ r-R l 1' t lia ss l
a i
i-l-
y l
L l.-
fL I
Figure 3-3.
NUMAC-LRM, Side View I
3-4 L
H 4
d *.,
s.
on,
/,
'a i
.I
+ 100-350 VOLTS DISchETE TRIPS l
, OUT.
FROM DETECTOR PUT DUEMOR SIGNAL TRIP AND ANALOG DETECTOR CONDITIONING POWER SUPPLY ANALOG Z
{ FEhtTOAMM ETER OUTPUTS PROCESS MODULE)
COMPUTER i
,g RECORDER
\\/
V NJ HIGH SPliSD PARALLEL DATA BUS wO I
Lp
^L REDUNDANT Vee MICROCOMPUTER g gy 0"#'
SUPPLIES MEASUREMENTS SELATEST 5YSTEM SERIAL j L DATA LINK 1f DISPLAY MICROCOMPUTER H
a U
Os a6 3
CD i
i i-1 i
0000 0000 E G @ W OL100 Oe
__0000 g Figure 3-4.
NUMAC Functional Block Diagram T
3-5
s.
/'
MOOE: OPERATE
. RAD LEVEL - 3,33 E 2 TRIPS =
SELF TEST STATUS = OK ALARMS =
1E2.
1E3 1E4 1E5 1E6 l
l 1
I A
A H1 Hi-HI EXIT
" OPERATE" MODE " DISPLAY BAR GRAPH" DISPLAY.
l l
MODE: OPERATE RAD LEVEL = 1.23 E 3
)
TRIPS =
l SELF-TEST STATUS = OK ALARMS =
l l
' TRIP STATUS SET POINT RESET POINT HYSTERESIS.
i LO TESTED 1.E3 E 1 1.60 E 1 0.4%
1 Hi
~ UNTESTED 1.0025 9.00 E 4 0.7%
Hi-HI TESTED 1.50 E 5 1.40 E 5 0.4%
. HVPS SETTING = 250 V HVPS ACTUAL = 248 V EXIT
" OPERATE" MODE " DISPLAY PARAMETERS" DISPLAY MODE: OPERATE RAD LEVEL = 1.23 E 3 TRIPS =
SELF-TEST STATUS = OK ALARMS =
TEST CYCLE = 21457 RUNNING CPU MODULE = OK
-) HVPS MODULE = OK ANALOG MODULE = OK FEMTOAMMETER MODULE = OK LVPS MODULES = OK 1/0 CONTACT MODULE = OK EXIT "QPERATE" MODE "SELF-TEST RUNNING" DISPLAY MODE: INOP CAL RAD LEVEL =
TRIPS =
INOP SELF-TEST STATUS = OK ALARMS =
- CALCULATING NEW INTERNAL PARAMETERS -
TIME REQUIRED 50:00 MIN (APPROX)
TIME ELAPSED 43:34 MIN WHEN ' EXIT' APPEARS CALCULATIONS ARE COMPLETE.
EXIT "lNOPERABLE" MODE " CALIBRATION" DISPLAY Figure 3-5.
Typical NUMAC Logarithmic Radiation Monitor Displays 3-6
NEDO-30883-A 3.1 1 Essential Microcomputer l
The essential microcomputer, a Harris 80C36 microprocessor, performs three functions: it controls the instrument's measurement, trip and I/O function; it communicates with the display microcomputer; and it performs the tests of the STS when not processing instrument data.
The essential microcomputer contains the 80C86 microprocessor, Random Access Memory (RAM),
Electrically Alterable Random Access Memory (EARAM), Read Only Memory (ROM), a priority interrupt controller, independent timers, and the STS circuitry. The microcomputer has sufficient computing power to perform digital trips, digital temperature compensation, automatic ranging, automatic calibration and digital filtering. Trips are set digitally and thus do not drift.
The automatic ranging feature eliminates the requirement for manual range switching on multiple decade inst uments.
These features result in a reduction in instrument drift rate by at least a factor of four. The microcomputer automatically calibrates the instrument to a known internal reference, compensating for time dependent drift characteristics with a resulting improvement in accuracy and resolution by a factor of two.
3.1.2 High Speed Parallel Data Bus The high speed parallel data bus provides the communication link between the essential microcomputer and the other modules, except for the display microcomputer and the front panel.
3.1 3 Serial Data Link The serial data provides electrical separation between the safety-related essential microcomputer and the non-safety-related display microcomputer and front panel. The serial data link is used to minimize the possiblity of injecting faults into safety related circuits.
3-7'
- b E
THEDO-30883-A-3
'- 3'.l.4 ' Detector Signal Conditioning, nThe detector signal; conditioning provides the specific. signal J1 conditioning: function required by the LRM and its associated, detector.. Th e detector signal conditioning consists of a femtoammeter having's sensitivity
-range.from 3.33 E-13 amp to.3.33 E-7_ amp.
1 3.1.5 Detector PowerL upply S
The' detector power supply provides a current limited ground ' referenced.
voltage between 100 and 350 volts to the detector.
~
.]
3.1.6 Trip and Analog Outputs The analog outputs are used'co drive recorders and the plant's process computer. ;The trip. outputs are used to drive. external trip relays and.
. annunciators.
3.1.7~Radundant Instrument Power Supplies
' l The NUMAC-LRM has two redundant power supplies.
In the event of the 1
' failure of a power supply,.the LRM will, automatically switch to the other
' supply.
l l
3.1.8 Display Computer and Front Panel I
The essential microcomputer transmits data to the display computer via the' serial data link.
The display computer drives the front panel and performs all necessary engineering unit conversions. The front panel contains
'all-of the. circuitry necessary to interface with the display computer and the front panel's keyboard and; the electroluminesent display (ELD). The display computer uses a National Semiconductor NSC-800 microprocessor, an NSC-810 RAM I/O timer and program data RAM and ROM. A separate block of screen data RAM is' dual-ported for use in providing rapid screen updates. The front panel is i
3-8 i
N
= _1
NEDO-30883-A shown in Figure 3-3.
It consists of a 512 x 128 pixel ELD, four function keys, four cursor keys, enter and clear entry keys, and a numeric keypad for entering passwords and setpoint information.
The front panel, with its human factors design and menu-driven operation, reduces the possibility of human error.
3.2 FIRMWARE CONFIGURATION The NUMAC-LRM application firmware consists of two principal modules:
the functional firmware for the essential microcomputer (including self test);
and the f ront panel. keyboard and display firmware for the display computer.
These two modules coincide with their hardware counterparts. The NUMAC-LRM firmware is generic enough to support a large number of logarithmic radiation menitoring tasks, including main steam line radiation monitoring and offgas system monitoring.
The NUMAC-LRH firmware is written in high-level languages, to the maximum extent possible, to simplify firmware maintenance over the NQdAC-LRM lifetime.
Instrument operating manual EPROM text files are easily accessed using the front panel display.
The NUMAC-LRM firmware performs sampling and filtering of sensor data, comparison of data to operator-entered trip setpoints, operator display updates, the generation of analog and trip output signals, and concurrent self-tests and maintenance operation.
Each firmware module is described in Subsections 3 2.1 and 3.2.2.
3.2.1 Functional Firmware The essential microcomputer's firmware executes under control of a resident multitasking operating system which assures proper scheduling of event and time-critical functions. When the instrument is in the Operate mode, data are acquired, converted to machine format, processed, and reconverted to physical outputs (analog and trip) under firmware control of the essential microcomputer. Additionally, proper instrument operation is monitored (i.e., self-testing is perf ormed).
The results of these activities are transmitted to the display computer in a " Broadcast Only" mode using the serial data link for display to the operator. When the instrument is placed 3-9
NED0-30883-A l
'in either the Inop-Cal or Inop-Set mode, two-way communication is established over the serial data link between the functional and display microcomputers.
The operator may then request the functional computer to perform operations such as self-calibration and alteration of its trip and high voltage settings.
)
Self-testing is accomplished by the essential microcomputer through the reading of selected voltages and data registers within the instrument and their comparison with expected values. When in either the Inop-Cal or Inop-Set mode, this testing is done on operator demand so as not to interfere with calibration or setpoint adjustment.
Included in these tests is the exercising of the trip output circuits. When the NUMAC-LRM is in the Operate I
mode, testing is automatic.
However, the trip output circuits are not exercised in the Operate mode to prevent spurious trips. The results of any self-t(sting can be accessed by the operator f rom the front panel display.
Since the STS is an integral part of the LRM hardware, the possibility of temporary test modifications (i.e., jumpers) not being removed after testing l
is eliminated.
In addition, since the STS can continually operate, reliability is enhanced as compared to older designs with surveillance intervals of 1 month or more.
3.2.1.1 Adequacy of Self-Test Isolation The adequacy of the isolation provided between the NUMAC STS and the functional circuitry is demonstrated below:
a.
Functional and self-test circuits for the NUMAC-LRM are integrated rather than separated into islands.
Passive measurements are made via voltage measurements and data register readouts rather than observing the responses to test stimuli. The essential microcomputer handles self-test rather than a separate self-test controller.
Each NUMAC-LRM in a system is independent and individual instruments are not connected for self-test purposes.
l 3-10
'NEDO-30883-A b.
NUMAC-LRM self-testing is divided into two parts:
automatic periodic testing while in the Operate mode; and automatic testing on request while in the Inop mode.
In both cases, testing is under control of the essential microcomputer.
c.
Testing in'the Operate mode consists mainly of reading circuit voltages and capturing data in registers, performing calculations based on this data, and checking to see that the measured and calculated values are as expected for the given set of instrument input conditions.
Specifically, trip output circuits are not made to change state during self-testing, even for short (e.g., millisecond) periods as plant system behavior cannot be predicted when there is more than one " free-running" NUMAC-LRM.
d.
When an instrument is in the Inop mode (i.e., it is in the Inop tr,ip condition), the instrument can be made to change output states so that, for example, operability of the trip output circuits can he verified.
The check-out procedure is initiated by the user and l
performed automatically by the essential microcomputer.
e.
The amount of circuitry specifically needed to perform the self-test tasks previously outlined is minimal, approximately 10 to 15% of the total..
f.
In addition, the essential microcomputer itself performs such tasks as a self-check, a memory check, and an inventory of instrument hardwa re.
g.
The front panel with its keypad and display, and its associated display controller, are not considered safety-related.
The controller has its own microprocessor, memory and signal bus.
The only way the functional and display computers communicate is via two-way serial data link.
In this way, display circuitry failure has negligible effect.
3-11
4 t
- u...
i
. NEDo-30883-A.
a p) ;
'yy-
"3.2.2.
Display Firmware.
The display-firmware for' the display computer acquires and-displays the '
results f rom theiessential microcomputer.. It also obtains and interprets user' j
- command inputs, displays. hardware f ault status,- and supplies mode ' selection -
for all user. functions..The " HELP" system, an operating aid, is included.in
.:thisifirmware.' ;The display' firmware also supports text,: sormal and inverse video, and graphics displays..
' 3.3 ~ SYSTEM OPERATION-1 i
1.The functional performance of a NUMAC.is controlled by an essential microcomputer on a Central Processing Unit (CPU) and Memory Module located in' i the.cardfile.- Computer bus signals between modules are conducted via traces on'the motherboard.- Basic signal processing is as-follows:-
a.
-Inputs, distributed fros' the. rear I/O panel, enter appropriate -signal
- conditioning modules via connectors. Analog' inputs are converted to r
i
.. digital-form 'by an analog / digital (A/D) converter on an ' Analog Module I
-and;then read by the funetional' microprocessor via ehe bus.
Digital tand. discrete inputs, after conditioning, can be. read immediately.
.j
.. The CPU 'and Memory Module performs the required functional
- b.
calculation (e.g., trip. setting comparisons, logic, timing,
- i determination of outputs) and directs signals to appropriate output 7
modules via the bus.
j c.,
Analog outputs are developed via D/A converters on the Analog j;,
Module. Digital and discrete outputs 30 to appropriate conditioning-L boards. Signals from connectors on the. output modules are I
distributed to the rear I/O panel.
'i-.
3-12
~.
NED0-30883-A The instrument turns on throu,gh the application of power. The display is normally. turned off, but will go on whenever a trip occurs or any front panel key is pressed. Whenever the display is on, instrument reading, trip status and self-test status are shown along the top.
The remainder of the display
. will depend on actions selected by the user. When there are no trips the display is turned off through timeouts.
Four pushbutton keys (softkeys) adjacent to the display are used to determine the next display or user action. The specific function of each o f these keys will vary with the display shown.
A set of four keys is provided to move a cursor should one be needed for a given display. A set of 16 keys is used to enter settings and calibration data.
When the keylock is in the operate position, the front panel is in a
" display only" mode, and just the sof tkeys are operable. The user may selec t from a graphical presentation of radiation level, a trip setting display, a polarizing voltage display and RELF messages. The user may also reset trip displays, where appropriate.
If the self-test option is chosen, the user may interrogate the STS for diagnostics. As long as the instrument is in the operate mode, the functional microprocessor sends data to the front panel controller, but not vice versa.
When the key lock is in the Inop mode the Inop trip is set.
There is two-way communication between the microprocessors, and the user can calibrate the instrument and interrogate the STS. The detector polarizing voltage and trip settings can also be changed while in the Inop mode.
3-13/3-14
e 4.
DESIGN REQUIREMENTS This section contains the requirements for the design of a NUMAC-LRM.
4.1 SAFETY CLASSIFICATION The NUMAC-LRM can perform both safety-related and non-safety-related functions.
The classification of a NUMAC-LRM is as specified for a particular application.
The STS is, in itself, not safety-related.
However, if it detects a failure of a safety-related function, it causes an Inop trip.
4.2 INSTRUMENT POWER Internal power supplies are provided in both a standard and an optional version.
4.2.1 Standard Supply If the standard supply is used, the failure of a power supply module may result in the loss of one or more safety-related functions.
4.2.'2 Optional Supply If the optional supply is used, the failure of any one power supply module will not result in the loss of any safety-related instrument function.
4.3 ENVIRONMENTAL CONDITIONS Design Minimum Center Maximum Units Temperature Operating 5
25 50
- C Non-Operating 0
60
- C 4-1
1 My,
NEDO-30883-A Humidity (Non-Condensing)
Design; Minimum-
. Cente r -
Maximum Units t
Operating
' iO' 50' 90
,%RH Non-Operating =
10 98 ?
%RH Atmospheric Pressure 4
Design Minimum Center Maximum.
Units:
.i Static-(above ambient)-.
-0.1 1.0.
Inches Hg-
= Radiation
-l
- Operating Gamma Dose Rate 0.0005 rads (carbon)/hr
- Integrated Dose Over Qualified Life o
Normal 1.75E2 rada (carbon)
{
i 1
. Accident-3E0' rads (carbon) fl r i Electromagnetic Interference The'NUMAC-LRM is designed to minimize both its susceptibility <to and l
generation of! electromagnetic interference (EMI).
- f 4.3.1 Seismic and Vibration i-The instrument is capable of performing all safety-related functions
.i 1
when subjecte'd to seismic testing, as specified in the Quality Assurance
.l Requirements of'Section 5.
The required horizontal and vertical response
- spectra ~and damping, for upset and faulted conditions, are as shown in
.j Figure 4-1.
f 4-2
.ij
1
-NED0-30883-A 15 14 3% DAMPlNG FAULTED Hz g's 1
0.1 12 4
10.8 l
FAULTED 19 10.8 30 0.0 11 100 6.0 l
10 g
I a.
$- 9 5
G l
y.
'8 UPSET
,-=-= \\
e, w
/
'\\
l 6
\\,
/
3% DAMPING
\\
5
/
\\
[
UPSET 4
)
Hz g's t-==================-
/
1 1
' O.1 a
]
4 7.2 l
3
/
19 7.2 1
30 4.0 100 4.0 2
/
1 0
I 1.0 jo 100 PPIEQUENCY (Hz)
Figure 4-1.
Required Response Spectra, Horizontal and Vertical 4-3
'f' 1
NEDO-30883-A L.
r e
4.3.2 Product LiIe :
W
.(
- . A-usable instrument life of 40' years is: a design objective. ' The -
following guidelines apply:
Systematic' and wearout: failures are' considered in determining product
- i life.: Random ' failures which do not apply to product life are subject -to the-
. requirements of Subsection 4.3.3.
i
If-any components cause the instrument to hava a usable life'less than specified above such component is made part of a replaceable module and the module is: suitably identified.
4.3.3 J Re11 ability and Availability All reliability and availability calculations'are performed at the 60%.
- confidence level.
Reliability Each instrument has the following Hean' Time Between Failure (HTBF)
. goals for continuous operationJat 40*C based on M11-Hdbk-217D, vendor supplied data and/or test:
a.
Power Supply Module:
30000 hours b.
Circuit Module (Avg):
70000 hours c.
Chassis:
100000 hours d.
Front Panel:
10000 hours e.
'Overall Instrument:
3500 hours0.0405 days <br />0.972 hours <br />0.00579 weeks <br />0.00133 months <br /> I
4-4 I
I
_=
v.
T e
o NEDO-30883-A' i
~
Each instrument and-module performance specification includes the MTBF. measured ' or calculat'ed for it.
1 Availability The instrument has an Availability goal of 0.9997 based on the
.followingr a.
Continuous operation at 40*C.
b.
A total of 30 minutes to fetch the eeded apare modules once the STS l
has been interrogated (including time to first go to the instrument when'a fault is announced).
.4.4 MECHANICAL DESIGN REQUIREMENTS-4.4.1 General The mechenical design of this instrument permits it to physically replace
. Log Rad Monitors 194'X629,' 238X660, 368X428AA and 442X795.- In.the event of conflict between these requirements and the above drawings, the drawings shall prevail only to the extent that permits the aforementioned replacement.
'4.4.2. Dimensions 1
]
4.4.2.1 ~ Front Panel i
19-in. x 6.97-in. (same as fer Drawings 194X629, 238X660, 368X428AA and 442X795).
l 4.4.2.2 Depth The depth behind the front panel does not exceed that shown in the aforementioned drawings (approximately 16-13/16 inches).
4-5
' NEDO-30883-A'.
.4.4.3 Weight-A' weight of'not more than;35 pounds'is the' design goal.-
4.4.4 Modularity The instrument is of modular design to' facilitate calibration,'
maintenance, repair:and replacement.. A module is defined as a grouping of components:in a' mechanical assembly such that one module can easily be replaced by another of the same or equivalent type..The following. applies:
<a.
The instrument consists of a chassis _and a complement of modules.
Each module fits either onto the chassis or another module.
b.
All electrica1' connections are via connectors.
'i i
- c. ' All electronic components, including the front panel display 7
component, are contained in modules.
d.
Each module that processes a signal has a performance specification.
j.
e.
Like modules are directly-interchangeable,-both electrically and mechanically, and require no more than routine calibration upon exchange.
i I
'4.4.5 Mounting The instrument is capable of slida mounting into standard 19-in. relay i
. racks.- When the instrument is installed in a cabinet and is la its withdrawn-3 position, all modules are made available for removal and replacement.
4.4.6 Chassis The instrument contains a chassis to house power supply modules and
. electronic circuit modules / cards.
i 6
4-6 1
l
'NED0-30883-A-The instrument.is capable of accommodating at least 2' power supply modules and at-least 15 circuit modules.
The chassis containsia mother board to receive.the circuit modules. The mother board.is only used to distribute supply voltages and conduct circuit bus signals. Process I/O signals are conducted through'other connectors on
'the' card.
Cards that do not connect to the instrument bus make no electriesl connection to the bus when inserted into-the mother board, other than to po'wer.
and interlocks.
The chassis is designed so that.if, at some future. time, it is necessary to convert the instrument to dual bus operation, the conversion may be accomplished by cutting appropriate traces on'the bua and using one power supply for each.
-4.4.7 Front Panel
.)
l The front panel consists of a character / graphics display, a set of appropriate push buttons'or keys, a keylock switch, handles-to assist in moving the chassis on'its slides, and retaining hardware to secure the I
i instrument to the panel in which it is mounted.' The following apply:
L 4.4.7.1 Display q
l Capability of displaying alphanumerics and graphics will be provided a.
to the extent needed.
i 1
b.
All displays are readily discernible by a person with.20/20 vision j
when the instrument is mounted in a panel and either its bottom edge
}
is 17 inches from the bottom of the panel, or its top edge is 73 l
inches from the bottom of the panel.
It is similarly discernible j
under lighting conditions ranging from " bright office" to " dim back i
row panel".
4-7
E:
1 NEDO-30883-A a,
5,.Y
- .c
,4.4.7.2 Controis -
- a. ' All-front; panel. controls are accessible ~and, usable as previously-
~'
described.-
t
- b. -All-push; button keys'are of a type that minimizes the entry of dust, dirt or other' contamination into'the instrument'(e.g.,: membrane-il switches).
..e b
14.4.8. Connections'
-]
'All' signal and powerLeonnections are made at the rear of the< instrument.
.The' design' accommodates both top and bottom entry cables when the instrument
<i; Lis installed in a panel or cabinet and takes the proper bend: radii of.
I:
lconnectingicables into account.
4.4.9 Color and Finish The standerd' front panel'is painted black.
4.5 : ELECTRICAL DESIGN REQUIREMENTS
'4.5.~1 Measureseat Section'(Femtoammeter) 4.5.1'.1.'
Sensitivity.
The standard sensitivity range is plus 3.33 E-13 to plus 3.33 E-7 amperes.
It is possible to provide an optional range of plus 3.33 E-12 to plus
{
3.33 E-6 amperes, if required.
'It is.also possible to provide for negative input currents over the above ranges, if required.
4-8 L
u
1 i
NED0-30883-A l
t
4.5.1.2 Scale'and' Markings.
d 4
i Whenever the display'is turned,on, an alphanumeric readout of the cu radiation: level is~always displayed.
A" graphic representation using logarithmic ' scales is available on user demand. :The inherent capability of I
displaying any number of. consecutive' decades within' the range of displayed j
signals exists. ' However, unless otherwise reouired, only four' decades shall be displayed ~at one time.~
Autoranging is used to switch ranges,: and-
- hysteresis is employed to minimize'the. effects of noise on range changing.
Offscale indicators are employed for measured values above or below an instrument's'specified range.-
l, 4.5.'1.31 Accuracy at: Recorder Output L
p Accuracy"at the recorder output is~as specified for the particular-l application.'
~
t g
l f
l-
-4.5.1.4 Speed of Response:
L Speed of response is as specified for.the particular application.
l i
4 1
4.5.1.5 Drift
]
1 Drift is as specified for.the particular application.
1
-l 4.5.2 Trip outputs l
l 1
The NUMAC-LRM is capable of providing up to four trip circuits: 'three upscale /downscale and one Inop.- For a given instrument,.the number, type, and contacts per trip are as specified for a -particular application. The status a
.of eacii' trip.is ' displayed on the front panel at all times..
i 1
4-9 i
i C
i.
i L
i.
u
., ~
- .y.- if5y
.t.
~
NEDO-30883-A ec 4
w F
?"
'4.5.2.1 iAccuracy (Upscale /Downscale Trips)
- Trip settings are ' expressed to three significant digitsi Accuracy of-setting is.+/- 1-in th'e least s'ignificant 11 git (0.1%)./
4.5.2.2L(Hy'steresis'(Upecale/Downscale Trips) 4 Hysteresis _is adjustable, as a minimum, from 0.5% to:25% of linear Tset h
point under all environmental conditions using front panel controls.
4.5.2.3 LDrift (Upscale /Downscale Trips).
t Drif t is not to exceed +/- 1 in the least significant digit (0.1%); per 30-day period at design center corditions..
1 14.5;2.'4 Range' (Upscale /Downscale Trips)
.c g s
- The upscale and downscale. trip circuits. are.each adjustable 'over the 1
q entire range of the instrument-(0% to 100% of linear full scale).-
j
- 4. n
'4'.5.2.5 Function of Inop Trip The Inop trip' occurs when any one or more of the following conditions exist::
- a. 'The instrument is not powered.
b.
y
. Any circuit module is out of file. When-the module containing the' a
Inop trip circuit is-removed,'the instrument will nevertheless
~i 4, U k
provide the Inop indication at the specified output connector.
l~
c.
When the STS has detected a failure resulting in the loss of an essential function.
4-10 Q-a
NED0-30883-A' l
i
)
d.
When the functiona1' microprocessor watchdog timer has timed out.
e.
When the.polarizng output voltage exceeds +/- 10% of the set point.
1 If a specific LRM is fitted _with an Inop trip circuit, that circuit is
)
used to indicate the preceding conditions.. If not fitted, the Inop'will be j
announced as specified for that particular application.
I 4.5.2.6 Self-Test System (Other Failures) a 1
Other failures detected by the STS will be as specified for each particular application.
I 4.5.2.7 Contact Ratings Contact ratings are as specified for each particular application.
4.5.2.8 Trip Reset The method for resetting. trips is as specified for each particular j
application. ' Provisions are included to permit manual reset both from the instrument's front panel and by remote operation (external contact closure, with'all power to operate the circuit to come exclusively from the instrument).
4.5.2.9 Interruption of Power The instrument stores the latest trip settings in non-volatile memory.
Whenever power is removed, an Inop trip is provided. Upon resumption of i
power, the LRM reverts to the trip settings that existed immediately before the interruption of power. Trip status is then recomputed and the output circuits are set accordingly and without regard to hysteresis conditions existing before interruption.
l 1
4-11
i
- l NED0-30883-A' 4.5.2.10 Displays j
a.
The conditions of all trips'are displayed whenever the front panel display' is :in the "on" condition.
b.
Trips are identified on the display as required for.each specific
. application.
c.
The upscale and downscale trip points are displayed on the graphic radiation level display, but their reset points are not.
In addition, a display of trip points, reset points and hysteresis is available on user demand.
4.5.2.11 Trips Not In Use At times, a user may wish to temporarily remove the load from a trip circuit for maintenance purposes.
Conversely, a user may wish to either load or merely observe the output of a trip circuit that has no specified system use. Since self-test results may depend on whether or not the output of a trip circuit is loaded, and to minimize any effects of false self-test i
reporting via an Inop, the following applies to all upscale and downscale trips:
~!
a.
Specified trip circuits function at all times and provide outputs depending on the input signal and trip settings.
b.
The user is able to select either SELF-TEST =YES or SELF-TEST =NO for each upscale /downscale trip at the time trip settings are made.
Choices made are displayed.
l If SELF-TEST =YES is selected, the specified self-testing for the trip c.
circuit is performed and a specified indication is given in case of a detected failure.
l 4
4-12 1
NEDO-30883-A 1.
l' DL
- d..If SELF-IEST=NO is selected, the trip circuit is self-tested to the maximum extent possible.. However, the Loutput circuit itself need no t
{
be tested if the results depend'on whether or not a. load is present..
4.5,3 Polarizing' Power' Supply Output-1 4.5.3.1 Volt' age' Range
.The output voltage range 1sLas a,pecified for'the particularl application..
~
The output voltage is. adjustable from the front panel.
I 14.5.3.2 Maximum Power and Current The. maximum power and current is as specified for~the particular
)
.t application.'
4.5.3.3 Maximum voltage Ripple The maximum output voltage ripple is 1% of the output voltage.-
4.5.3.4. Overvoltage Limit.
The' polarizing supply output is limited co the specified maximum output
> voltage -0/+100 Vdc.
l 4.5.3.5~ Display
)
)
.)
A display of the polarizing voltage ' level is available on user demand.
4.5.3.6 Interruption of Power j
The instrument stores the latest polarizing voltage setting in non-volatile memory. Whenever power is removed and then reapplied, the -
instrument revirts to the. output voltage that' existed immediately before the interruption of power.
1 4-13 I
i
r NEDO-30883-A 4.5.4 ' Other outputs
. 4.5.4.1 -Recorder Output The recorder output is as specified for.the particular application.
t 4.5'4.2 Process Computer output-The process computer output is as specified for the particular application.
'4.5.5 Component Gs2de l
Military components, or commerefal components made to meet military specifications, are used to the maximum extent practical to meet the reliability ~ goals set for this instrument.
Integrated circuits meeting the requirements.of Military Standard 883, Class B are used to the maximum extent practical to meet the reliability goals
- set for this instrument.
4.6 USER' INTERFACE / CONTROLS 4.6.1 Controller l
.The front panel, its display and its operatin8 keys work in conjunction with a microprocessor controller. This controller has the exclusive responsibility for generating and maintaining all displays, interpreting all l
keystrokes, sequencing front panel activities, and communicating with the
- safety-related essential microprocessor. The sole exception shall be the monitoring of the keylock switch by the safety-related essential microprocessor.- The sets of nativities to be performed by the front panel are determined by the position of this switch.
4-14 i
4 mc NEDo-30883-A
-The'froNtpanel-controllercommunicateswiththeessentialmicroprocessor over serial ' ata. link, one channel in each direction. With the kaylock switch J!:-
d O-
[in the Operate mode, data mays only be sent f rom the essential to the. display.
~
- microprocessor.
In the Inop mode, data flow may be : bidirectional. Data.are
- buffered.on.each1 side of the link.
Wien' in the' Operate mode, thel eource of all data l displayed is the
+<
essential microprocessor (i.e., the' display must reflect the status of the
_t
[
- microprocessor,;notfof the display compucer), except for the' Trip Alarm
)
s 1
i p
display.
]
i 4
3Rien in the Inop mode, the ' following. govern the display:-
i All ' instrument readings and status derive from th'e essential I
a.
microprocessor. The only exception is the manual reset'of the upscale and downscale trip alarms on.the' front panel (see Subsection 4.5.2.8).
)
e Lb.
Calibration and setting data entered by the user are echoed on the display, but not transmitted to the essential ~ microprocessor. Once the data have been entered, the user is forced to make a decision as' I
to the' disposition of his entry (accept as is, enter again, make no i
i entry and go to some other step, 'etc).
c.-
If the data are-accepted as.is, they are transmitted to the essential microcomputer and then displayed 'in accordance with the preceding d
Item a.
i f
4.6.2 Front Panel Display i
a 4.6.2.1 Use The front panel display is used to display the following:
- a. ' L2strument readings in alphanumeric and graphic forms.
I 4-15 l
4 i
_ _ _ _ _ _ _ _ ________-_ _ _ - __-_ - ~
r-o.
t U
NEDO-30883-A:
b.
_ Trip settings and statts.-
c.-
Self-test data.
d.
Calibration data.
e.
InformationLto aid the operator.
f.
0ther. information as may. be required.
-4.6.2.2 Performance' i
The display'has the following characteristics:
~
a.
It is ste.ble and flicker-free.
I b.
Persistence is comparable to that of a standard color video monitor.
1 c.
There. is high contrast between lit and unlit portions of the screen.
]
d.
The screen is provided with or covered by an anti-glare surface.
4.6.2.3 ' To enhance its useful life, the display is turned on and of f as follows:
a.-
The display is normally kept turned off.
b.
The display turns on whenever power is (re) applied, any front panel key is pressed, cr any trip / annunciation occurs due to self-test detected faults.
t i
The display remains on as long as there are trips or uncleared trip c.
alarms.
1
NEDO-30883-A d.
The display turns.itself off 15 minutes after the last front panel key has been pressed, or 15 minutes after power has been (re) applied, whichever comes first.
u The display is capable of working in conjunction with the front panel L
operating keys, as.specified in Subsection 4.6.3.
4.6.3 Front Panel Operating Keys l:
-The following operating keys are provided:
{
\\
a.
A set of four functional or "tnenu" keys located immediately.
l underneath the display for use in selecting instrument functions to be performed.
These functions may vary as the displays change. The current function of each key'is always labeled on the display, b.
A set of four cursor keys for positioning a cursor on the display when the need arises.
3 c.
A set of 16 keys that form a numeric keypad for entering data.
In addition to containing the digits 0 through 9, there are keys for z
clearing an. entry (e.g., erasing a mistake) and accepting an entry
(
(e.g., confirming the entry is correct).
Audible feedback (i.e., a buzzer) is provided whenever a valid key is l
pressed.
i 4.6.4. Keylock Switch 1
k The front panel is provided with a barrel type keylock switch to enable a l
user to select between the Operate and Inop modes of operation.
I 4-17 j
1
5...,
<h 14(1 Jo 7g,
l3 f t
W:,
c4.6.4.1; Operate Mode i
1
. When the keylock~ switch.is in.this position, the instrument is capable,
~
Jupon' request [of'thefollowing:
1 v
- a. LDisplaying) thel measured radiation. level 'in.its al'phanumeric and
. graphical = forms.
1;
+
' b..
. Displaying trip settings and status.
i c.
Displaying the' polarizing voltage.
i d.c Displaying the self-test status.
9 r
.e.- ' Displaying appropriate HELP messages.
.)
- f. ' Clearing trip alarms.
)
With theLawitch in the Operate mode, it is NOT possible to calibrate the' instrument or ' change either trip or polarizing voltage settings.
4.6.4.2 Inop Mode When the keylock switch is in this position, the instrument is capable, upon request,.of the following:
I a.-
Providing the previously specified items under Operate Mode.. Unless
-otherwise specified for a particular application, the formats need not be the~ game.
b.: Saving the trip and polarizing voltage settings. changed.
.c.
Being calibrated.
f 4418
NEDO-30883-A I,
4.6.5 HELP System i
A HELP System is made available as a feature of the NtrMAC-LRM.
It consists of a set of instructional aids to assist the user in reading, t
calibrating, changing settings and understanding the operating features of the instrument.
Displays, wherever possible, give explanatory messages.
It is l
implemented such that a user may, at any time, press a key identified by the l
word " HELP" and receive relevant operating information.
i j
4.7 COMPUTER CONFIGURATION I
If a specific Log Rad Monitor is used in a non-safety-related L
application, the term " safety-related functions", as used below, applies to those instrument functions (e.g., measurement and trips) which would otherwise l
be considered safety-related. The term "non-safety-related functions" is I
considered in a similar manner.
f To the maximum extent possible, the hardware performing safety-related functions'is separated from that performing non-safety-related functions.
l Furthermore, the design is one that minimizes the total failure rate of the components needed to perform safety-related functions and also minimizes the effect of failures of non-safety-related circuits on safety-related circuits.
To that end, a minimum of two microprocessors are used, one primarily to control the front panel interface (non-safety-related) and the other primarily to perfore nuclear systems functions (safety-related). The former performs no safety-related functions while the latter may perform non-safety-related
)
functions.
1 Additional microprocessors may be used in the design though their use
)
is discouraged.
The requirements of the preceding paragraph concerning separation of safety-related and non-safety-related functions apply to such microprocessors.
1 1
J 4-19 1
j
l.i 4
L
. Each microprocessor, irrespective of the function it performs, has its l'
' own bus ' structure. - Busses' are not shared either in whole or in part.
Microprocessors may only communicate via communications ~or I/O ports.
Serial
- links are used in preference to parallel.
i l
- A hierarchy.of control is established among the microprocessors used. A
' microprocessor performing any safety-related function shall-rank above all l
)
- microprocessors performing, only non-safety-related functions.- Each
- microprocessor is. equipped with a hardware. implemented timeout whose status is ^
reported to a higher ranking. one. A timeout of the highest level timer causes an Inon trip.
The LRM-is designed so that, if no component has failed, it will be under j
control of'its internal microprocessors at all times. A failure resulting in' f
- the loss;of control by a microprocessor performing a safety-related function results in an Inop trip.
The internal microprocessors are dedicated solely to the performance of the functions specified for the LRM.
.i Software. included in the instrument's design meets the following requirements:
1 i
a.
Sof tware is developed in accordance with Reference 2.
b.
Programs and data are prepared using an industry standard assembly i
and/or higher level'1anguage.
The assembled / compiled version of this code is installed in the instrument's internal, non-volatile memory.
c.
The instrument is capable of performing all called-upon functions by means of hardware design and coding installed according to a and b above. ' The instrument is incapable of performing any functions other than those controlled by the installed firmware.
4-20 4
p; j
r TNEDO-30883-A-I
.l Sof tware is-designed in'a modular fashion. A module meets the following' q
requirements:-
l
'a.. It performs a specifiable function.
i
- b. ;.It may:be' separately assembled-or compiled.
w
}'i c.
It is small enough so that 4 programmer possessing average ability 1
.can readily understand its specification, design and coding, yet
]
,j-large enough so that-the programmer is not overwhelmed by the number of modules.
1 4.' 8 SELF-TESTABILITY In this document the term "self-testing" is applied.to those test-features which are to occur automatically without user intervention (except L
for requesting status displays). The term " calibration" includes those test features initiated manually by the user.
1 The instrument is equipped with a system that allows it to automatically.
test itself and report any' failures resulting in the loss of a safety-related function.
i l
At a minimum, the following is self-tested:
i; a.
The detector polarizat. ion output voltage is monitored. A voltage exceeding +/- 10% of the' set point is considered a failure and causes an Inop trip.
l
-1 b.
Each output voltage of each power supply is tested.
In the event of-redundant supplies that are auctioned, the resulting voltage is also tested. Any voltage out of specification which could cause the loss of a safety-related function, even if it does not do so at the moment, causes an Inop trip.
l l(
4-21
.l 1
p
- n-i ND0-30883-A c.
Trip output circuits are tested to insure that each can be set to both theitripped and the untripped states..The inability-to
' set / reset a trip output circuit is considered a failure and causes an Inop trip.-
When the instrument is in the' operate mode,: testing does not cause any
' trip' output to change' state. Testing that would cause change of state is only..
done with the instrument in the Inop. mode.- The circuitry that must be tested 1
I in' the 'Inop mode-is. kept-to a minimum.
-l ll7 Tofthe extent possible, the operation of the instrument from front.end to trip circuit 41s tested.' Testing may. be performed on piecewise basis provided-
}
i there is' sufficient-overlap..
i Any self-testing performed will not:
a.
Inhibit specified performance in either the operate or the Inop mode.
b.
Cause erroneous. trips when in the operate mode.
i Self-testing:will cover at least 90% of all hardware circuit components performing safety-related functions.
However, the circuits of the power supplies'of. Subsection 4.2.2 need not be self-tested and are not included in=
,the 90% criterion.
'1
.When in the' Operate mode, self-testing is automatic and a complete self-test is conducted at least once every 30 minutes.
When.in the Inop mode, self-testing is on a user demand basis.
The results of self-testing are reported as follows:
When one or more failures have been detected, that fact is indicated
.j a.
. on all= displays for the duration of the failure (s).
4-22 I
__-_-_=_____-_----__-_____:__--_-..-._--___.
(
>,4 4
i NEDO-30883-A-4
.g 1
i
. b'. = The instrument is capable of displaying each' detected - failure.and its
' location'to at'least the replaceable module level upon. request by_the -
0 l user..If it is'not possible tctlocate a failure to a given module i
-(e.g.,;a failure along a bus.line) a best estimate analysis'is provided. LIf more than one failure occurs, the. failures are
' displayed in approximate-chronological order.
d
- c. -Trip outputs are'provided according to Subsection-4.5.2.
l
- d. - The instrument'is capable of providing a' separate self-test trip.
The specific. requirements for the incorporation of this option are I
dependent on the: specific application.
..q pr
.To-the extent that.any self-testing requirement would require a l
- performance. level of the pico/femtoammeter greater than specified in Subsection 4.5.1, the'self-cest requirements are relaxed.
N
, {
4.9 CALIBRATION.
In this document, the term " calibration" includes those test. features j
.' nitiated aanually by the. user.
1he. term "self-testing" is applied to 'those i
test features'which are to occur automatically without user intervention L
(except for requesting status displays).
d j
4.9.1 External.
t L
A means is provided to permit the testing of the LRM to its performance specifications as follows:
l The instrument must be-in the Inop mode or taken out-of-service.
a.
1 i
uf
- b. - Trip settings are entered via the keyboard and an external current l.
signal is injected at the instrument's detector input. The trip, recorder and process computer outputs are measured using external instruments.
L 4-23
- c..The detector polarization voltage setting is entered via the keyboard and the voltage is observed at the output connector using an external instrument..
- d.. Concurrent with tne above measurements, the instrument displays
-signal levels, trip settings and status, and polarization voltage settings, as appropriate 'to the measurement.
-4.9.2 Internal The LRM meets the calibration requirements of Subsection 4.9.1 when the following changes are made:
a.
The external current source is replaced by an internal source.
l
.b.
External measuring instruments are replaced by internal circuits and 1
software.
j I
I The internal source and measuring circuits are capable of verification against external standards according to Subsection 4.9.1.
l i
Calibration is under control of the essential microprocessor.
4.9.3 Trips-When the instrument in the Inop mode, a means is provided to test the l'
trip output circuits which are otherwise not self-tested.
- 4.9.4 Microprocessors When the instrument is in the Inop mode, a means is provided to test each of the essential microprocessors for proper operation.
4-24
3 ---
lr '
~>:
~
i.
c t
t e
a
. 1.
{ 1 i-
-4.9.5._ Display j
i,
- When'the instrument isiin either the Operate or Inop mode, a means is.
p (provided to test the front' panel display and keys.for proper operation.
i l
4.9.6 : Ramp Tests.
When the instrument is in the.Inop mode, a'means is provided to. perform L
i.; tramp tests ' to determine the' upscale and downscale trip point. settings and to I
exercise thel trip outputs. During these tests the Inop trip is in the j
non-trip. state.
4.9.7 Enhancement t
J j
\\
All NUMAC-LRMs are capable' of: the following optional features. The l
l L
- implementation of these options is via sof tware/firmware~.
a.-
Display detector. voltage versus' current data.
L
/
b.
Display _ trend' data.
H c.
Display. internal-supply voltages.
l
.l l
v0 i
.1 r.
t l'
L 4-25/4-26
.i o
NED0-30883-A i
l
, 5. ~ QUALITY ASSURANCE REQUIREMENTS I
,5.1 -DESIGN VERIFICATION 511 Thoroughness of Design All instruments are designed in full compliauce with the requirements for nuclear safety-related hardware given in NEDO-11209-04A, Nuclear. Energy Business Group Boiling Water' Reactor (BWP) Quality Assurance.Trogram Descrip:: ion (Reference 2).-
I
- 5.1.2 -Qualification i
All safety-related instruments pass environmental qualification based on testing of their safety-related functions under the requirements and
' environmental conditions stated below.
~
li
[.
In addition to the above, each safety-related module contained in the NUMAC-LRM passes environmental qualification in accordance with the require-ments of Section 4.
Module qualification may be combined with instrument
' qualification.
5 1.2.1--Qualification Requirements l
The LRM is qualified for operation in a (mild) plant control room
-environment. The following documents are utilized as they apply to such an environment:
1 a.-
IEEE Std 323-1974, Standard for Qualification of Class 1E Equipment for Nuclear Power Generating Stations..The 1983 revision of this standard may be used for guidance but the 1974 revision governs.
l l
1 5-1 i
-o NEDO-30883-A:
a' i
'b.
. NEDE-24326-1-P, Licensing ' Topical Report, General Electric-Qualification Program..This'documentwasprepared'for[ qualification
(-
involving harsh' environments. 'Until a similar document is issued to i
deal with mild environments,.the preceding Topical Report will be
.used as a model.
Seismic. qualification is in accordance with:
1 c.-
IEEE Std 344-1975, Recommended Practices. for Seismic-Qualification
- of Class 15 Equipment for Nuclear Power Generating Stations.
5.1.2.2 Environmental Conditions 1
The' instrument is qualified to the environmental conditions:specified in
- Subsection 4.3.
5.1.2.3 Qualified Product Life The instrument is qualified for the product life specified in Subsection 4.3.2.-
ia-
]
5.1.2.4 Safety-Ralated Functions l
1The: instrument is qualified for the performance of the safety related functions specified in Subsection 4.1.
' 5.1.2.5 Qualification Program A program was established and followed for q _1fication'of this instrument. The program was governed by the guide ines of Reference 2.
t 5-2
7-
.g
/
.i k i
f I
T w
NEDO-30883~A-
^
4
..1.
i 5.2.:. : PRODUCT QUALITY:
[ 5. 2.1'-) Wo rkmans hip
_.t ' k ' ;
. A11' drawings:and specifications used 'to manuf acture the instrument
- i specified herein contain requirements as to:
a.-
Standards of ~ workmanship e
I.
b.:-The use of. manufacturing.and quality. assurance procedures that
- are consistent with the reliability. requirements f or an intended' applications'of.these instruments.
'5.2.2'. Acceptance Testing;-
- The 'd$ sign of these instruments, and the drawings and specifications
_.which define'.them,- allow each instrument produced to be tested in order.to confirm that:
It has' been properly assembled, a.
b.
Its components are functioning properly, and
.c.
- It meets its performance specifications at ambient conditions.
l' l
l-c.
s i
L i
x l
5-3/5-4
.y
,.e NEDO-30883-A' r
o 6.
' REFERENCES 1.
.J; P. Joyce /R. Kendall, " Meeting Summary:. General Electric Company, Presentation on Wide Range Monitor (WRM)'and Nuclear Measurement iAnalysis and Control-(NUMAC)", January 24, 1984.
2.
" Nuclear Energy Business Group Boiling Water Reactor (BWR)' Quality.
l
. Assurance Program Description, (Revision'4)" General Electric Company, December 31, 1982,l(NEDO-11209-04A).
i i
-)
i L.
' ~
l 6-1/6-2 1
.N
I -
.l]
APPENDIX A INFORMATION REQUESTED BY THE STAFF
' Required Information Report Section 1
{
l1.
NUMAC Design Criteria 4.0 l
2;. Basic System operation 3.3 1
-3.
- Qualification Testing (Seismic and Environmental) 5.1.2
- i 4.
' Adequacy of NUMAC STS Isolation from Functional 3.2.1.1 Circuitry '
l l
?
'5. LGating' Circuitry for Test Signal Injection.
3.2.2, 4.8 I
l' I
6.
Effects'of~STS Failures on Functional Circuitry 4.8 b
7.
NUMAC Susceptibility to. EMI 4.3 l.
.8.. Indication of Failures in Control Room 4.8
'9.
Proposed Technical Specification Requirements for 1.0' NUMAC l'
~10.
Functional Changes as a Result'of Installation of 4.5.2
'NUMAC J
11.
Verification of NUMAC STS Operability 4.8
]
12.
Man-Machine Interface 3.4 13.
NUMAC Reliability Requirements 4.3.3 1
l 14.
NUMAC Software Design Methodology 4.7 I
I
. J 4
U i; 3 A-1/A-2
(T m s,.4
-s,
'f-t,
.f ';-
-'h r
g-4
^ '
)
y j \\
s_'l,.
..~
i r' L,
4, i j
'i --
g 6,'
'y' i
) _g :.
1 t.
t i
i
=<.:
t
t
_h- '
q *,u
^.J
's
\\
(
f j
f'
)
5 1: '
i-/,
3
,)
't g
3 1
f..t
.hl, N.
l
.iT l
L 1
. k '.
f
- t
+t.
I i
+
t,
}
}
'}f 4
'k 1 (
s.l -
3 E
.c, y
Ol$.,..
g,,
f E
L I
- 3.. g'.
j f
If g
-p,t.
i
,,u..
u 1
2 I
.,1 g
t
- . i i ;
t d
a i
1 i
5 4 z
9
(
'l.
'P 1
,2 'y.
. t.
r 4
Ih 9
(
l ', h a
+
a S
y
_'.4
(
l 7
. ik.I p
i.. i 4
e s
J
).
'f.
v J
i f
L
- j' s.
\\ t
(
I
~
s i
f
. G E N E R'A L$ E LE CTRIC
.x t
1
'd
% 9 i
i l
ATTACHFLENT 5 Consumers Power Company j
Big Rock Point Plant Docket.50-155 I
NEDO 31399 GE LICENSING SUFDIARY (NUMAC-DCWRM) i November 9, 1987 i
I 1
1 q
4 33 Pages i
MIO787-1583A-BT01-NLO4 i