INSIGHTS AND EXPERIENCE FROM THE NRC REVIEW OF THE APR1400 INSTRUMENTATION AND CONTROLS DESIGN

Deanna Jing Zhang and Dawnmathews Kalathiveettil (1)
United States Nuclear Regulatory Commission, 11555 Rockville Pike, Rockville, MD 20852
Deanna.Zhang@NRC.gov; Dawnmathews.Kalathiveettil@nrc.gov

ABSTRACT

Modern digital instrumentation and controls (I&C) systems incorporate many design features that provide safety and reliability benefits to plant operations. However, design decisions relating to I&C system architecture and the implementation of these design features may present challenges to demonstrating safety and compliance with regulatory requirements. There can be significant safety and regulatory impacts from design decisions related to the I&C platform used, interfaces among redundant safety divisions and between safety and non-safety systems, deterministic behavior, and diversity strategies. These design decisions may influence the I&C system architecture, result in different hazards and hazard controls (e.g., measures for prevention or mitigation), and affect design complexity, all of which may necessitate corresponding levels of evidence (i.e., level of detail, analysis, testing, operating experience, etc.) to demonstrate, in an efficient and effective manner, that the I&C design provides reasonable assurance of safety and compliance with applicable regulatory requirements.
This paper discusses some of the key design decisions for the APR1400 I&C system and architecture and their impact on the Nuclear Regulatory Commission (NRC) staff's design certification application licensing review. For example, it discusses the benefits and challenges associated with the I&C platform used for the safety-related I&C system. It also explores the challenges associated with non-safety to safety communications and the design constraints chosen to address the hazards of concern associated with this communication and to achieve compliance with the independence design principle and regulatory requirement. In addition, this paper provides examples of the information necessary to support the safety and regulatory compliance demonstration.

Lastly, this paper provides additional insight on lessons learned during the regulatory process for the APR1400 I&C system design certification application review.
Key Words: lessons learned, safety demonstration, hazards, architecture, I&C platform

1 INTRODUCTION

Instrumentation and controls for nuclear safety applications should meet the fundamental safety design principles and must meet applicable NRC regulations. The four fundamental design principles are independence, determinism, diversity, and redundancy. Independence ensures that failures are not propagated across independent domains. Determinism is ensured by designing safety systems that exhibit predictable and repeatable behavior. Diversity is a means that can be used to protect against common cause failures (CCFs). Redundancy helps ensure that a single failure will not cause the loss of a safety system's ability to perform its safety functions. These fundamental safety design principles are incorporated in the NRC's regulations, and demonstrating that safety-related I&C systems meet these principles facilitates demonstrating compliance with NRC regulations.

(1) Although this paper reports on efforts by staff of the U.S. Nuclear Regulatory Commission (NRC), the information and views expressed in the paper are those of the authors and are not necessarily those of the NRC. Neither the U.S. Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use.
Modern digital I&C systems incorporate many design features that provide safety and reliability benefits to plant operations. For example, digital technology provides more accurate control of complex processes, allows for enhanced diagnostic capabilities, and enables enhanced information displays. Further, communication links can allow non-safety systems to be used to monitor and maintain control system parameters of a safety system (e.g., online diagnostics). However, as digital I&C systems become more complex and interconnected, it is important to consider how design decisions will impact the demonstration of safety and regulatory compliance. Design decisions on the APR1400 I&C system and architecture had a significant impact on the applicant's safety and regulatory compliance demonstration. In addition, these design decisions directly affected the efficiency and focus of the NRC staff's design certification application licensing review.
2 BACKGROUND

Korea Hydro & Nuclear Power (KHNP) Company submitted the APR1400 design certification application for NRC review. This included information on the I&C system design and how the design met applicable NRC regulations and conformed to NRC guidance. The NRC staff reviewed the design against the requirements of Title 10 of the Code of Federal Regulations (CFR) Section 50.55a, which incorporates by reference IEEE Std 603-1991, and other applicable regulatory requirements. The staff also reviewed the design against the requirements in 10 CFR Part 50, Appendix A, General Design Criteria (GDC) applicable to I&C system reviews, such as GDC 13, 19, 21, 22, and 24. For this review, the NRC staff followed Chapter 7 of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Revision 6, and the regulatory guides and NUREGs applicable to I&C. The NRC staff's review followed the design certification review process, which includes six phases followed by rulemaking. Prior to receiving the design certification application, the NRC staff also held a number of pre-application coordination meetings and conducted a readiness review audit of the planned submittal documentation to facilitate the review process.
The APR1400 I&C systems consist of both safety-related and non-safety I&C systems. The safety-related I&C systems consist of the plant protection system (PPS), the core protection calculator system (CPCS), the engineered safety features - component control system (ESF-CCS), the ESF-CCS soft control module (ESCM), the qualified indication and alarm system - safety (QIAS-P), the excore neutron flux monitoring system (ENFMS), the auxiliary process cabinet - safety (APC-S), and the safety-related portion of the radiation monitoring system (RMS). These systems perform the functions necessary to maintain the plant within the prescribed safety limits and provide indications to the operators for post-accident monitoring.

The non-safety distributed control system (DCS) provides component-level control, automatic process control, and high-level group control. The DCS uses a redundant and fault-tolerant architecture and consists of the power control system (PCS), the nuclear steam supply system (NSSS) process control system (NPCS), the process component control system (P-CCS), and the information processing system (IPS).

An independent and diverse actuation system (DAS) is provided to cope with software CCFs of the safety-related I&C systems. The DAS consists of the diverse protection system (DPS), the diverse manual actuation (DMA) switches, and the diverse indication system (DIS).
The safety and non-safety I&C systems are implemented using two major platforms. Most safety-related I&C systems are implemented using a safety-related programmable logic controller (PLC) platform, which the applicant has identified as Asea Brown Boveri's (ABB) Common Qualified (Common Q) platform. An industrial DCS platform is used for the data processing and non-safety control systems. Several I&C systems, such as the ENFMS, the safety portion of the RMS, the turbine/generator (T/G) control and protection system, and the APC-S, are implemented on independent platforms. The DPS and DIS are implemented using field programmable gate array (FPGA) logic controllers (FLC), and the DMA switches are hardwired switches.
3 APR1400 DESIGN DECISIONS AND IMPACT ON SAFETY DEMONSTRATION

3.1 Overall I&C Architecture and Independence

Understanding the overall I&C architecture is a key aspect of the NRC staff's review to determine whether the safety-related I&C system design meets the safety design principles, and in particular the independence requirements. The overall I&C architecture provides the foundation for understanding the interfaces between systems with different safety classifications and how human-machine interfaces (HMI) interact with safety and control systems. Figure 1 depicts a simplified APR1400 I&C architecture.

Figure 1. Simplified Architecture of the APR1400 I&C Systems

As can be seen in Figure 1, there are several interfaces between safety-related and non-safety systems.
During the NRC staff's review, the staff focused on these interfaces and on how independence is achieved across them. As mentioned previously, the staff held several pre-application coordination meetings with the applicant to discuss key aspects of the proposed design. During these meetings, KHNP described the intended interfaces between safety-related and non-safety I&C systems, including the interface between the non-safety HMI and the safety-related systems and how this HMI would be used by operators to control safety-related equipment. During these discussions, the NRC staff identified areas where a significant amount of information would be needed to demonstrate that the hazards associated with non-safety to safety data communication would not impact safety. In addition, the applicant would need to demonstrate how the non-safety to safety-related I&C system communications enhance the performance of safety functions, as specified in Digital I&C Interim Staff Guidance (ISG) 4 (DI&C-ISG-04), Section 1, Staff Position 3 (DI&C-ISG-04 is the NRC's guidance for interdivisional communications). To facilitate demonstrating independence between the safety-related and non-safety systems, KHNP decided to modify certain aspects of the design. For example, KHNP modified the HMI that directly controls safety-related components, the ESF-CCS soft control module (ESCM), to be divisionalized. Although the non-safety information flat panel display (IFPD) is still used to select the component to be controlled, only a limited amount of data is transmitted from the IFPD to the divisionalized safety-related ESCM, so that the hazards associated with this interface are significantly reduced. In addition, since the IFPD does not directly control safety-related equipment, having an independent safety-related ESCM with added operator verification also greatly reduces the possibility of undetected communication failures adversely impacting the safety function. KHNP also provided an analysis that demonstrates a reduction in operation time when using the IFPD in conjunction with the ESCM to control safety-related equipment versus using the ESCM in a standalone manner. This analysis also shows the potential for reducing operator error when using the IFPD in conjunction with the ESCM, because the IFPD can provide better graphics that show the status of plant components in a holistic manner. The results of this analysis demonstrate that the communication from the IFPD to the ESCM provides a safety benefit from a human factors perspective and thereby conforms to the guidance of DI&C-ISG-04, Section 1, Staff Position 3.

By making these design changes, KHNP significantly reduced the information needed to demonstrate independence between the IFPD and the ESCM while keeping the benefits of increased operator situational awareness and the operational versatility of the non-safety IFPD.
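The design constraint described above, a non-safety display that may only select a component while the safety-side module validates the selection and the operator confirms the command there, can be modelled in code. The following is an added example and not the APR1400 IFPD/ESCM protocol, which the paper does not specify: the frame layout, the division and component table, the CRC, the command set and the confirmation rule are all assumptions made for this illustration. What it shows is the shape of the hazard reduction: the only thing that crosses the boundary is a fixed-length selection with no command field, and every malformed, corrupted, out-of-division or unconfirmed input fails closed without actuating anything.

```python
"""Model of a restricted non-safety-to-safety selection interface.

Added example; not the APR1400 IFPD/ESCM protocol, which the paper does not
specify. The frame layout, the component table, the CRC, the command set and
the confirmation rule are assumptions made for this example.
"""
import struct
import zlib

# Assumed: a division's ESCM holds only its own division's components.
DIVISION_A = 1
DIVISION_A_COMPONENTS = {0x0101: "SI pump A", 0x0102: "SI valve A1", 0x0103: "AFW pump A"}

# Assumed frame: magic, division, component id, CRC32 over the preceding bytes.
# There is deliberately no field for a command: a selection is all that crosses.
FRAME = struct.Struct(">3sBHI")
MAGIC = b"SEL"
COMMANDS = ("OPEN", "CLOSE", "START", "STOP")


def encode_selection(division, component_id):
    """What the non-safety display sends when the operator picks a component."""
    body = struct.pack(">3sBH", MAGIC, division, component_id)
    return body + struct.pack(">I", zlib.crc32(body))


class Escm:
    """Safety-side soft control module for one division."""

    def __init__(self, division, components):
        self.division = division
        self.components = components
        self.selected = None   # pending selection awaiting operator confirmation
        self.issued = []       # commands actually sent to plant components

    def receive(self, frame):
        """Accept a frame only if it is exactly a well-formed selection of one of
        this division's components. Anything else is dropped without effect."""
        if len(frame) != FRAME.size:
            return False
        magic, division, component_id, crc = FRAME.unpack(frame)
        if magic != MAGIC or zlib.crc32(frame[:-4]) != crc:
            return False
        if division != self.division or component_id not in self.components:
            return False
        self.selected = component_id
        return True

    def operator_confirm(self, component_id, command):
        """The command itself is entered and verified on the safety side: it is
        issued only when the operator confirms the same component that is pending.
        A mismatch clears the selection instead of actuating anything."""
        pending, self.selected = self.selected, None
        if pending is None or component_id != pending or command not in COMMANDS:
            return None
        self.issued.append((component_id, command))
        return (component_id, command)


if __name__ == "__main__":
    escm = Escm(DIVISION_A, DIVISION_A_COMPONENTS)
    print(escm.receive(encode_selection(DIVISION_A, 0x0102)))   # True
    print(escm.operator_confirm(0x0102, "OPEN"))                 # (258, 'OPEN')
    print(escm.receive(encode_selection(2, 0x0102)))             # False
```

The point of the fixed-size frame with no command field is that the set of things the non-safety side can cause is enumerable and small, which is what makes the hazard analysis of the interface tractable; the safety-side confirmation step is what turns an undetected communication failure into a nuisance rather than a spurious actuation.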
3.2 Determinism and Platform Characteristics

Demonstrating that the design exhibits deterministic behavior is key to ensuring that safety functions can be accomplished within the required response time. For digital I&C systems, SRP Branch Technical Position (BTP) 7-21, "Guidance on Digital Computer Real-Time Performance," states: "digital system architecture affects performance because communication between components of the system takes time, and allocation of functions to various system components affects timing. The architecture may also affect timing because an arrangement of otherwise simple components may have unexpected interactions ... Digital computer timing should be shown to be consistent with the limiting response times and characteristics of the computer hardware, software, and data communications systems." BTP 7-21 also states that risky design practices such as non-deterministic data communications, non-deterministic computation, use of interrupts, multitasking, dynamic scheduling, and event-driven design should be avoided. The APR1400 design faced certain challenges in demonstrating that the safety-related I&C system design exhibits deterministic behavior, due to the I&C platform selected for these systems.

The Common Q platform used for the APR1400 safety-related I&C systems (i.e., CPCS, PPS, ESF-CCS, QIAS-P) uses a multitasking operating system. Although this does not strictly conform to the guidance of BTP 7-21 on avoiding multitasking operating systems, the Common Q platform uses a scheduling technique and design restrictions to ensure that deterministic performance can be achieved. Specifically, the platform's scheduler gives tasks with shorter cycle durations higher priority than tasks with longer cycle durations. This technique is similar to the rate-monotonic scheduling (RMS) algorithm used in real-time operating systems. As with RMS, to ensure that all tasks are completed, the Common Q Platform Topical Report specifies that the central processing unit (CPU) load limit of the platform's safety function processor must be set below a certain percentage.

Although the PPS, ESF-CCS, and QIAS-P are able to meet the CPU load limit requirement, the CPU load limit for the CPCS needed to be raised because of the complex computations the CPCS must perform. As a result, KHNP needed to provide additional information and analysis to demonstrate that the CPCS will perform its safety functions in a deterministic manner. This included imposing sixteen additional design and implementation requirements on the CPCS and performing additional testing of the as-built CPCS to demonstrate that the system can perform all its safety functions within the required response time. Based on these committed design restrictions and additional testing requirements, the NRC staff was able to find that the CPCS meets the deterministic performance requirements.
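The two kinds of argument in this section, a platform-wide CPU load limit for the simpler systems and additional analysis for the CPCS once that limit is exceeded, map directly onto the standard results for rate-monotonic scheduling. The following is an added example and not code from the APR1400 design, the Common Q platform or the NRC: it assigns priorities by period, applies the Liu-Layland utilization bound that a CPU load limit relies on, and then runs exact response-time analysis, which is the kind of per-task evidence a heavier task set needs. The three task sets and the LOAD_LIMIT value are constructed for the example; the paper gives neither the Common Q limit nor the raised CPCS limit.

```python
"""Rate-monotonic schedulability of a cyclic safety-function processor.

Added example; not code from the APR1400 design, the Common Q platform or
the NRC. The task sets and LOAD_LIMIT below are constructed for illustration;
the paper gives neither the Common Q CPU load limit nor the raised CPCS limit.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Task:
    name: str
    period_ms: int   # cycle duration; RMS rule: shorter period gets higher priority
    wcet_ms: int     # worst-case execution time per cycle


# Assumed platform limit. 0.69 is below ln 2 (about 0.693), the Liu-Layland
# bound's limit for many tasks, so a set under this load is schedulable by RMS
# whatever its size.
LOAD_LIMIT = 0.69


def utilization(tasks):
    """Total CPU load of the task set."""
    return sum(t.wcet_ms / t.period_ms for t in tasks)


def liu_layland_bound(n):
    """Utilization at or below this bound guarantees RMS meets all deadlines
    (a sufficient, not necessary, condition)."""
    return n * (2 ** (1.0 / n) - 1)


def passes_load_limit(tasks, load_limit=LOAD_LIMIT):
    """The simple argument: load under the platform limit, and the limit itself
    under the Liu-Layland bound for this many tasks."""
    return utilization(tasks) <= load_limit <= liu_layland_bound(len(tasks))


def response_times(tasks):
    """Exact response-time analysis for fixed-priority preemptive scheduling
    with deadline equal to period. Returns {name: R_ms}, with None where the
    task can miss its deadline."""
    ordered = sorted(tasks, key=lambda t: t.period_ms)  # rate-monotonic order
    out = {}
    for i, task in enumerate(ordered):
        higher = ordered[:i]
        r = task.wcet_ms
        while True:
            interference = sum(ceil(r / h.period_ms) * h.wcet_ms for h in higher)
            r_next = task.wcet_ms + interference
            if r_next > task.period_ms:
                out[task.name] = None     # iteration passed the deadline
                break
            if r_next == r:
                out[task.name] = r        # fixed point reached
                break
            r = r_next
    return out


def schedulable(tasks):
    return all(r is not None for r in response_times(tasks).values())


# Constructed task sets (periods and execution times in ms; not from the paper).
PPS_LIKE = [Task("acquire", 10, 2), Task("trip_logic", 20, 3), Task("report", 50, 5)]
CPCS_LIKE = [Task("acquire", 10, 4), Task("compute", 25, 6), Task("report", 50, 8)]
OVERLOADED = [Task("acquire", 10, 5), Task("compute", 15, 5), Task("report", 50, 6)]


def assess(tasks, load_limit=LOAD_LIMIT):
    """Which argument, if any, shows the set meets its deadlines."""
    u = utilization(tasks)
    rt = response_times(tasks)
    if passes_load_limit(tasks, load_limit):
        basis = "load limit"
    elif all(v is not None for v in rt.values()):
        basis = "response-time analysis"
    else:
        basis = "not schedulable"
    return {"load": u, "basis": basis, "response_ms": rt}


if __name__ == "__main__":
    for label, ts in (("PPS-like", PPS_LIKE), ("CPCS-like", CPCS_LIKE), ("overloaded", OVERLOADED)):
        print(label, assess(ts))
```

PPS_LIKE is covered by the load limit alone. CPCS_LIKE runs at 80 percent load, above the limit, yet response-time analysis shows every task finishing within its period (the lowest-priority task completes at 36 ms of its 50 ms cycle), which is the form of additional evidence the section describes. OVERLOADED is under 100 percent load and still misses a deadline, which is why a load figure by itself is not a proof.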
3.3 Diversity Strategies

The DAS is the independent and diverse system used by the APR1400 design to cope with software CCFs of the safety-related I&C systems concurrent with an anticipated operational occurrence (AOO) or postulated accident (PA). The DAS design was reviewed against the criteria established in Item II.Q of the Staff Requirements Memorandum (SRM) to SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs." Position 3 of the SRM states: "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions." The DAS is the system in the APR1400 design that is used to meet the criteria in the SRM to SECY-93-087.

The DAS consists of the DPS, the DMA switches, and the DIS. The DPS is provided to meet the requirements of 10 CFR 50.62 regarding anticipated transient without scram (ATWS) mitigation. The DPS design includes the following automatic functions: reactor trip, turbine trip, auxiliary feedwater actuation, and safety injection actuation. The DMA switches, which are located in the main control room (MCR), permit the operator to manually actuate ESF systems in a timely manner following a postulated CCF of the safety system. These switches provide the following ESF signals: safety injection actuation, main steam isolation, containment isolation, containment spray actuation, and auxiliary feedwater actuation. The DIS provides diverse indications to monitor critical variables following a postulated software CCF of the safety-related I&C systems. The DIS display and the DIS manual transfer switch are located on the MCR safety console. The manual transfer switch is used to manually transfer the control function from the QIAS-P to the DIS display. The QIAS-P is the safety system that provides indications to monitor critical variables during normal plant operation.

The actuation signals from the ESF-CCS, the DPS, and the DMA switches converge at the Common Interface Module (CIM). The CIM is a non-software-based, qualified, nuclear safety grade module that performs signal prioritization and actuation of plant components. The CIM is credited as being diverse in operation from the Common Q safety PLC platform used in the PPS and ESF-CCS; hence, the same CCF cannot affect both the CIM and the safety-related I&C system. The CIM priority logic is implemented with complementary metal-oxide-semiconductor (CMOS) or transistor-transistor logic (TTL) devices.
DI&C-ISG-04 addresses software CCFs of a priority module. In the APR1400 design, the use of simple TTL logic reduced the effort needed to fully test the CIM design and to demonstrate that it is not affected by software CCF. The priority logic is tested to ensure there are no design defects in the priority logic configuration; the test cases confirm that the logic generates the correct energize/de-energize output states. To facilitate this testing, all input and switch states are manually or automatically stimulated. The energize/de-energize output states of the priority logic are manually or automatically compared to manually generated acceptance states. If an automated comparison method is employed, the automated test results are manually verified by sampling the test cases. The CIM implements state-based priority logic such that, for normal or accident conditions (except CCF), each command is generated by a logical OR of the demand from the ESF-CCS with the demand from the DPS. When the resulting signals conflict (e.g., open vs. close), the outputs are driven to the safe state, which can be selected on a component basis. The DMA switches are manual switches hardwired directly to the CIM through isolators. Commands from the DMA switches are received at Port Z of the CIM, which has the highest priority; the manual diverse actuation signal blocks the commands from the ESF-CCS and DPS. This also provides a diverse path for the actuation and control of safety-related systems by the operator in the event of a software CCF of the safety-related I&C systems. The technology selected for the CIM and the DMA switches reduced the likelihood of a software CCF affecting these components and facilitated the demonstration of diversity.
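The priority logic just described is small enough to test exhaustively, which is exactly the approach the paragraph describes: stimulate every input and switch state and compare the outputs against independently prepared acceptance states. The following is an added example and not the APR1400 CIM logic, which the paper gives only in outline: the boolean encoding of the three demand sources, the HOLD output when nothing is demanded, and the handling of a conflicting pair of DMA switch demands (driven to the safe state) are assumptions made here. The example also checks the one property a reviewer would most want stated, that once any Port Z demand is present the output no longer depends on the ESF-CCS or DPS inputs.

```python
"""Exhaustive test of a state-based priority module, modelled on the CIM.

Added example; not the APR1400 CIM logic, which the paper describes only in
outline. The input encoding, the HOLD output and the treatment of conflicting
DMA switch demands are assumptions made for this example.
"""
from itertools import product

OPEN, CLOSE, HOLD = "OPEN", "CLOSE", "HOLD"
# Every (open demand, close demand) pair a source can present.
LINES = [(o, c) for o in (False, True) for c in (False, True)]


def cim_priority(esf, dps, dma, safe_state):
    """Implementation under test.

    esf, dps, dma: (open_demand, close_demand) pairs from the ESF-CCS, the DPS
    and the DMA switches at Port Z. safe_state: OPEN or CLOSE, per component.
    """
    if dma[0] or dma[1]:
        open_d, close_d = dma            # Port Z blocks ESF-CCS and DPS outright
    else:
        open_d = esf[0] or dps[0]        # logical OR of ESF-CCS and DPS demands
        close_d = esf[1] or dps[1]
    if open_d and close_d:
        return safe_state                # conflicting demands drive the safe state
    if open_d:
        return OPEN
    if close_d:
        return CLOSE
    return HOLD


# "Manually generated acceptance states": a decision table written as a lookup
# rather than as branches, so a slip in one form is unlikely to be mirrored in
# the other. "SAFE" is resolved per component in expected_state().
ACCEPTANCE = {
    (False, False): HOLD,
    (True, False): OPEN,
    (False, True): CLOSE,
    (True, True): "SAFE",
}


def expected_state(esf, dps, dma, safe_state):
    effective = dma if dma != (False, False) else (esf[0] | dps[0], esf[1] | dps[1])
    state = ACCEPTANCE[effective]
    return safe_state if state == "SAFE" else state


def exhaustive_test():
    """Stimulate every input and switch state and compare with the acceptance
    states. Returns (number of cases, list of mismatches)."""
    mismatches = []
    cases = 0
    for esf, dps, dma, safe in product(LINES, LINES, LINES, (OPEN, CLOSE)):
        cases += 1
        got = cim_priority(esf, dps, dma, safe)
        exp = expected_state(esf, dps, dma, safe)
        if got != exp:
            mismatches.append({"esf": esf, "dps": dps, "dma": dma,
                               "safe": safe, "got": got, "expected": exp})
    return cases, mismatches


def dma_blocks_automatic_demands():
    """Property: once any DMA demand is present, the output is the same for
    every combination of ESF-CCS and DPS demands."""
    for dma in LINES[1:]:
        for safe in (OPEN, CLOSE):
            outputs = {cim_priority(esf, dps, dma, safe) for esf in LINES for dps in LINES}
            if len(outputs) != 1:
                return False
    return True


if __name__ == "__main__":
    print(exhaustive_test())                # (128, [])
    print(dma_blocks_automatic_demands())   # True
```

With three two-line sources and a two-valued safe-state selection there are 128 cases, so full coverage is cheap; the same enumeration scales to a real module's input count as long as that count stays small, which is one practical reason to keep a priority module's logic simple.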
The design decisions on the DAS technology and development process allowed the applicant to demonstrate diversity between the DAS and the primary safety-related I&C systems more effectively. Several diversity attributes are incorporated into the DAS design. The reactor trip mechanism of the DPS is diverse from that of the PPS: the DPS uses a shunt trip mechanism while the PPS uses an undervoltage trip mechanism. Selecting different mechanisms to initiate a reactor trip allowed KHNP to credit functional diversity for meeting the ATWS requirements. The DPS and DIS are both implemented on FLC technology while the safety-related I&C systems are implemented on the Common Q PLC-based platform.

The use of different platforms provides design and equipment diversity. A hardware description language (HDL) is used to program the FLCs of the DPS and DIS, whereas the Common Q PLC-based platform is programmed using software for microprocessor-based technology; this provides software diversity. The DAS is designed and tested by different teams and personnel than the design and test teams of the safety systems, which provides human diversity. The design and development differences selected by KHNP allowed an effective demonstration of adequate diversity between the safety I&C systems and the DAS and of compliance with NRC regulations and guidance, including Item II.Q of the Staff Requirements Memorandum to SECY-93-087.
3.4 Pre-application Coordination Meetings

A key lesson learned from the APR1400 I&C systems design certification application review is the importance of conducting pre-application coordination meetings. These meetings allow the applicant to present key aspects of the planned submittal and identify the information to be submitted, and give the staff the opportunity to provide feedback on any challenging areas of the design that require more focus. For example, as discussed in Section 3.1 of this paper, KHNP presented its design for the safety and non-safety HMI interfaces to safety systems. Based on the NRC staff's feedback on the information necessary to demonstrate that the hazards associated with these interfaces are properly identified and controlled, the applicant modified the design in order to reduce the set of hazards that need to be considered. During the pre-application coordination meetings, the NRC staff was also able to give KHNP feedback on the latest guidance that the APR1400 I&C system design needed to address. For example, as required by 10 CFR 52.47(a)(9), the applicant needed to evaluate the standard plant design against the SRP revision in effect six months before the docket date of the application. Since the NRC staff issued SRP BTP 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems," Revision 6, more than six months before the submittal of the APR1400 design certification application, the staff informed KHNP that the I&C system design needed to address the new guidance in this revision of BTP 7-19 regarding analysis of the effects of spurious actuations. This feedback resulted in KHNP submitting to the NRC its analysis of the potential effects of spurious actuations and identifying the methods adopted to minimize the likelihood of spurious actuations.

The NRC staff finds that conducting these pre-application coordination meetings produced significant gains in the efficiency of the APR1400 I&C systems review. This increase in efficiency is evident in the decrease in the number of requests for additional information issued for the I&C system review compared to previous design certification applications, as well as in the decrease in review time and resources.
3.5 Phase Discipline

In previous design certification application reviews, a significant amount of resources was spent in the later stages of the review. As mentioned previously, the NRC typically has six phases during a design certification application review: Phase One, preliminary safety evaluation report (SER) and issuance of requests for additional information; Phase Two, issuance of the SER with open items; Phase Three, Advisory Committee on Reactor Safeguards (ACRS) meeting to present the Phase Two review results; Phase Four, issuance of the advanced SER with no open items; Phase Five, ACRS meeting to present the Phase Four review results; and Phase Six, issuance of the final SER. During previous design certification application reviews, the NRC staff spent a significant amount of resources in the Phase Four review to resolve the open items identified in Phase Two of the review process. During the APR1400 I&C systems review, the staff used lessons learned from the previous design certification application reviews to ensure that all open items identified in the Phase Two SER had clear paths to resolution. The NRC staff focused on coordinating with the applicant to obtain resolution plans for these open items before exiting the Phase Two review. As a result of the NRC staff's efforts, the later review phases were completed much more efficiently, with less time and fewer resources spent on closing open items.
4 CONCLUSIONS

Modern digital I&C systems incorporate many design features that provide safety and reliability benefits to plant operations. Design decisions regarding the overall I&C system architecture, the I&C platforms used, interfaces among redundant safety divisions and between safety and non-safety systems, deterministic behavior, and diversity strategies may have a significant impact on the safety and regulatory compliance demonstration. Design decisions for the APR1400 I&C system resulted in different levels of information being required to demonstrate that the fundamental safety design principles are met and that the design complies with NRC regulations. For example, design decisions regarding the safety and non-safety interfaces reduced the amount of information required to demonstrate that the safety design principle of independence is met, while decisions regarding the I&C platform for the safety-related I&C system resulted in the need for more design and implementation restrictions. As shown in this paper, designers should carefully consider how design decisions impact the safety and regulatory compliance demonstration.

Insights from the APR1400 I&C systems design certification application review also identified the importance of pre-application coordination meetings in facilitating the licensing and design certification review process. These meetings make for a more efficient review by allowing the applicant to present key aspects of the planned submittal and identify the information to be submitted, and by giving the staff the opportunity to provide feedback on any challenging areas of the design that require more focus.

Also, maintaining phase discipline during the review ensures that there are no unresolvable open items in the late stages of the review, thus allowing more timely and efficient closure of open items and completion of the overall review.
5 ACKNOWLEDGMENTS

The authors would like to thank their NRC colleague Ian Jung for contributing to this paper.
6 REFERENCES

1. IEEE Std 603-1991, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Institute of Electrical and Electronics Engineers, New York, June 1991.
2. 10 CFR Part 50, Appendix A, "General Design Criteria for Nuclear Power Plants," https://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-appa.html.
3. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," U.S. Nuclear Regulatory Commission, 2016, http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0800/ch7/.
4. APR1400 Design Control Document, Revision 3, ADAMS Accession No. ML18228A667.
5. Interim Staff Guidance DI&C-ISG-04, "Highly-Integrated Control Rooms - Communication Issues," Revision 1, ADAMS Accession No. ML083310185.
6. BTP 7-21, "Guidance on Digital Computer Real-Time Performance," Revision 6, ADAMS Accession No. ML16020A036.
7. Staff Requirements Memorandum to SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," 1993, ADAMS Accession No. ML003708056.
8. BTP 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems," Revision 6, ADAMS Accession No. ML110550971.
ADAMS record: ML18355A765
Issue date: 10/02/2018
From: Dawnmathews Kalathiveettil, Zhang J, NRC/NRR/DE/EICA
Shared package: ML18355A767
Download: ML18355A765 (8)
Text
INSIGHTS AND EXPERIENCE FROM THE NRC REVIEW OF THE APR1400 INSTRUMENTATION AND CONTROLS DESIGN Deanna Jing Zhang and Dawnmathews Kalathiveettil1 United States Nuclear Regulatory Commission 11555 Rockville Pike, Rockville, MD 20852 Deanna.Zhang@NRC.gov; Dawnmathews.Kalathiveettil@nrc.gov ABSTRACT Modern digital instrumentation and controls (I&C) systems incorporate many design features that provide safety and reliability benefits to plant operations. However, design decisions relating to I&C system architecture and implementation of these design features may present challenges to demonstrating safety and compliance to regulatory requirements. There can be significant safety and regulatory impacts from design decisions related the I&C platform used, interfaces among redundant safety divisions and between safety and non-safety systems, deterministic behavior, and diversity strategies. These design decisions may influence the I&C system architecture, result in different hazards and hazard controls (e.g., measures for prevention or mitigation), and affect design complexity, all of which may necessitate corresponding levels of evidence (i.e., level of detail, analysis, testing, operating experience, etc.) to demonstrate that the I&C design provides reasonable assurance of safety and compliance with applicable regulatory requirements in an efficient and effective manner.
This paper discusses some of the key design decisions for the APR1400 I&C system and architecture and their impact on the Nuclear Regulatory Commission (NRC) staffs design certification application licensing review. For example, this paper discusses benefits and challenges associated with the I&C platform used for the safety-related I&C system. This paper also explores the challenges associated with non-safety to safety communications and the design constraints chosen that addressed hazards of concern associated with this communication and compliance with the independence design principle and regulatory requirement. In addition, this paper provides examples of information necessary to support the safety and regulatory compliance demonstration.
Lastly, this paper provides additional insight on lessons learned during the regulatory process for the APR1400 I&C system design certification application review.
Key Words lessons learned, safety demonstration, hazards, architecture, I&C platform 1 INTRODUCTION Instrumentation and controls for nuclear safety applications should meet the fundamental safety design principles and must meet applicable NRC regulations. The four fundamental design principles include independence, determinism, diversity, and redundancy. Independence ensures that failures are not propagated across independent domains. Determinism is ensured through designing safety systems that exhibit predictable and repeatable behavior. Diversity is a means that can be used to protect against 1
Although this paper reports on efforts by staff of the U.S. Nuclear Regulatory Commission (NRC), the information and views expressed in the paper are those of the authors and are not necessarily those of the NRC. Neither the U.S.
Government nor any agency thereof, nor any of their employees, make any warranty, expressed or implied, or assumes any legal liability or responsibility for any third partys use.
common cause failures (CCFs). Redundancy helps ensure that a single failure will not cause the loss of a safety systems ability to perform safety functions. These fundamental safety design principles are incorporated in the NRCs regulations and demonstrating that safety-related I&C systems meet these principles facilitate demonstrating compliance to NRC regulations.
Modern digital I&C systems incorporate many design features that provide safety and reliability benefits to plant operations. For example, digital technology provides more accurate control of complex processes, allows for enhanced diagnostic capabilities, and enables enhanced information displays. Further, communication links can allow non-safety systems to be used as a means to monitor and maintain control system parameters of a safety system (e.g., online diagnostics). However, as digital I&C systems become more complex and interconnected, it is important to consider how design decisions will affect the demonstration of safety and regulatory compliance. Design decisions on the APR1400 I&C system and architecture had a significant impact on the applicant's safety and regulatory compliance demonstration. In addition, these design decisions directly affected the efficiency and focus of the NRC staff's design certification application licensing review.
2 BACKGROUND

Korea Hydro & Nuclear Power (KHNP) Company submitted the APR1400 design certification application for NRC review. This included information on the I&C system design and on how the design met applicable NRC regulations and conformed to NRC guidance. The NRC staff reviewed the design against the requirements of Title 10 of the Code of Federal Regulations (10 CFR) Section 50.55a, which incorporates by reference IEEE Std 603-1991, and other applicable regulatory requirements. The staff also reviewed the design against the requirements in 10 CFR Part 50, Appendix A, General Design Criteria (GDC), applicable to I&C system reviews, such as GDC 13, 19, 21, 22, and 24. For this review, the NRC staff followed Chapter 7 of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants" (SRP), Revision 6, and the regulatory guides and NUREGs applicable to I&C. The NRC staff's review followed the design certification review process, which includes six phases followed by rulemaking. Prior to receiving the design certification application, the NRC staff also held a number of pre-application coordination meetings and conducted a readiness review audit of the planned submittal documentation to facilitate the review process.
The APR1400 I&C systems consist of both safety-related and non-safety I&C systems. The safety-related I&C systems consist of the plant protection system (PPS), the core protection calculator system (CPCS), engineered safety features - component control system (ESF-CCS), ESF-CCS soft control module (ESCM), qualified indication and alarm system safety (QIAS-P), excore neutron flux monitoring system (ENFMS), auxiliary process cabinet - safety (APC-S), and the safety-related portion of the radiation monitoring system (RMS). These systems perform the necessary functions to maintain the plant in the prescribed safety limits and provide indications to the operators for post-accident monitoring functions.
The non-safety distributed control system (DCS) provides for component level control, automatic process control, and high level group control. The DCS utilizes a redundant and fault tolerant architecture and consists of the power control system (PCS), nuclear steam supply system (NSSS) process control system (NPCS), process component control system (P-CCS), and information processing system (IPS).
An independent and diverse actuation system (DAS) is provided to cope with software CCFs of the safety-related I&C systems. The DAS consists of the diverse protection system (DPS), the diverse manual actuation (DMA) switches, and the diverse indication system (DIS).
The safety and non-safety I&C systems are implemented using two major platforms. Most safety-related I&C systems are implemented using a safety-related programmable logic controller (PLC) platform, which the applicant has identified as Asea Brown Boveri's (ABB) Common Qualified (Common Q) platform. An industrial DCS platform is used for the data processing and non-safety control systems. Several I&C systems, such as the ENFMS, the safety portion of the RMS, the turbine/generator (T/G) control and protection system, and the APC-S, are implemented on independent platforms. The DPS and DIS are implemented using field programmable gate array (FPGA) logic controllers (FLC), and the DMA switches are hardwired.
3 APR1400 DESIGN DECISIONS AND IMPACT ON SAFETY DEMONSTRATION

3.1 Overall I&C Architecture and Independence

Understanding the overall I&C architecture is a key aspect of the NRC staff's review to determine whether the safety-related I&C system design meets the safety design principles, and in particular the independence requirements. The overall I&C architecture provides the foundation for understanding the interfaces between systems with different safety classifications and how Human Machine Interfaces (HMI) interact with safety and control systems. Figure 1 depicts a simplified APR1400 I&C architecture.
Figure 1. Simplified Architecture of the APR1400 I&C Systems

As can be seen in Figure 1, there are several interfaces between safety-related and non-safety systems. During the NRC staff's review, the staff focused on these interfaces and on how independence is achieved across them. As mentioned previously, the staff held several pre-application coordination meetings with the applicant to discuss key aspects of the proposed design. During these meetings, KHNP described the intended interfaces between safety-related and non-safety I&C systems, including the interface between the non-safety HMI and the safety-related systems and how operators would use this HMI to control safety-related equipment. During these discussions, the NRC staff identified areas where a significant amount of information would be needed to demonstrate that hazards associated with non-safety to safety data communication would not impact safety. In addition, the applicant would need to demonstrate how the non-safety to safety-related I&C system communications enhance the performance of safety functions, as specified in Digital I&C Interim Staff Guidance (ISG) 4 (DI&C-ISG-4), Section 1, Staff Position 3 (DI&C-ISG-4 is the NRC's guidance for interdivisional communications).

To facilitate demonstrating independence between the safety-related and non-safety systems, KHNP decided to modify certain aspects of the design. For example, KHNP modified the HMI that directly controls safety-related components, the ESF-CCS Soft Control Module (ESCM), to be divisionalized. Although the non-safety Information Flat Panel Display (IFPD) is still used to select the component to be controlled, only a limited amount of data is transmitted from the IFPD to the divisionalized safety-related ESCM, so the hazards associated with this interface are significantly reduced. In addition, since the IFPD does not directly control safety-related equipment, having an independent safety-related ESCM with added operator verification greatly reduces the possibility of an undetected communication failure adversely impacting the safety function. KHNP also provided an analysis demonstrating an operational time reduction when the IFPD is used in conjunction with the ESCM to control safety-related equipment, compared with using the ESCM on its own. The analysis also shows the potential for reducing operator error when the IFPD is used with the ESCM, because the IFPD provides better graphics that show the status of plant components in a holistic manner. The results of this analysis demonstrate that the communication from the IFPD to the ESCM provides a safety benefit from a human factors perspective and thereby conforms to the guidance of DI&C-ISG-4, Section 1, Staff Position 3.

By making these design changes, KHNP significantly reduced the information needed to demonstrate independence between the IFPD and the ESCM while keeping the benefits of the increased operator situational awareness and operational versatility of the non-safety IFPD.
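The design change just described is a boundary-narrowing pattern: the non-safety side may only nominate a component, the safety side validates that nomination against its own division's table, and the control action itself is entered and confirmed on the safety side. The following is an added schematic illustration in Python; it is not KHNP's ESCM design, its message format, or its operator interface. The component identifiers, the 16-byte message bound, the ASCII encoding, and the single confirm flag are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added schematic model of a divisionalized safety-side soft control module.
# Component ids, the message size bound, and the confirm step are assumptions
# for this example, not KHNP's ESCM design.

MAX_SELECTION_BYTES = 16          # assumed upper bound on what the IFPD link may carry
ALLOWED_ACTIONS = ("OPEN", "CLOSE")


@dataclass
class Escm:
    division: str
    components: Dict[str, str]                       # this division's components -> position
    selected: Optional[str] = None                   # component nominated by the IFPD
    log: List[tuple] = field(default_factory=list)   # audit trail of accepted/rejected events

    def receive_selection(self, raw: bytes) -> bool:
        """Inbound from the non-safety IFPD: a component identifier and nothing else.
        Oversize, non-ASCII, or unknown identifiers are dropped without effect."""
        if len(raw) > MAX_SELECTION_BYTES:
            self.log.append(("reject", "oversize"))
            return False
        try:
            cid = raw.decode("ascii")
        except UnicodeDecodeError:
            self.log.append(("reject", "non-ascii"))
            return False
        if cid not in self.components:               # not in this division's table
            self.log.append(("reject", "unknown", cid))
            return False
        self.selected = cid
        self.log.append(("select", cid))
        return True

    def operator_command(self, cid: str, action: str, confirmed: bool) -> bool:
        """Control action entered at the safety-side ESCM. It is executed only if it
        names the currently selected component, is a permitted action, and the
        operator has confirmed it; one confirmed action consumes the selection."""
        if cid != self.selected or action not in ALLOWED_ACTIONS or not confirmed:
            self.log.append(("refuse", cid, action, confirmed))
            return False
        self.components[cid] = action
        self.selected = None
        self.log.append(("actuate", cid, action))
        return True


def scenario() -> Escm:
    """Constructed walk-through: one valid selection and command, then several
    messages a faulty or compromised IFPD might send, none of which actuate anything."""
    escm = Escm("A", {"SI-VLV-101": "CLOSE", "CS-VLV-202": "CLOSE"})
    escm.receive_selection(b"SI-VLV-101")                          # valid nomination
    escm.operator_command("SI-VLV-101", "OPEN", confirmed=False)   # refused: not confirmed
    escm.operator_command("SI-VLV-101", "OPEN", confirmed=True)    # actuates
    escm.receive_selection(b"SI-VLV-999")                          # refused: not in division A
    escm.receive_selection(b"OPEN SI-VLV-101 NOW!!")               # refused: oversize, not an id
    escm.receive_selection(b"\xff\xfeSI-VLV-101")                  # refused: not ASCII
    escm.operator_command("CS-VLV-202", "CLOSE", confirmed=True)   # refused: never selected
    return escm


if __name__ == "__main__":
    for entry in scenario().log:
        print(entry)
```

The point of the model is what the non-safety link cannot do: no message from the IFPD changes a component position, and the only state it can influence is which component is highlighted for the operator, subject to the safety side's own table. The hazard analysis for the link then reduces to a wrong or missing selection, which the confirmation step on the ESCM is there to catch.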
3.2 Determinism and Platform Characteristics

Demonstrating that the design exhibits deterministic behavior is key to ensuring that safety functions can be accomplished within the required response time. For digital I&C systems, SRP Branch Technical Position (BTP) 7-21, "Guidance on Digital Computer Real-Time Performance," states that "digital system architecture affects performance because communication between components of the system takes time, and allocation of functions to various system components affects timing. The architecture may also affect timing because an arrangement of otherwise simple components may have unexpected interactions," and that "digital computer timing should be shown to be consistent with the limiting response times and characteristics of the computer hardware, software, and data communications systems." BTP 7-21 also states that risky design practices such as non-deterministic data communications, non-deterministic computation, use of interrupts, multitasking, dynamic scheduling, and event-driven design should be avoided. The APR1400 design faced certain challenges in demonstrating that the safety-related I&C systems exhibit deterministic behavior, due to the I&C platform selected for these systems.
The Common Q platform used for the APR1400 safety-related I&C systems (i.e., CPCS, PPS, ESF-CCS, QIAS-P) uses a multitasking operating system. Although this does not strictly conform to the BTP 7-21 guidance to avoid multitasking, the Common Q platform uses a scheduling technique and design restrictions to ensure that deterministic performance is achieved. Specifically, tasks with shorter cycle durations are given higher priority than tasks with longer cycle durations, a technique similar to the rate-monotonic scheduling (RMS) algorithms used in real-time operating systems. Comparably to RMS, to ensure that all tasks complete within their cycles, the Common Q Platform Topical Report specifies that the central processing unit (CPU) load of the platform's safety function processors must be kept under a certain percentage.
Although the PPS, ESF-CCS, and QIAS-P are able to meet the CPU load limit requirement, the complex computations required in the CPCS meant that the CPU load limit for this system needed to be raised. As a result, KHNP needed to provide additional information and analysis to demonstrate that the CPCS will perform its safety functions in a deterministic manner. This included imposing sixteen additional design and implementation requirements on the CPCS and performing additional testing of the as-built CPCS to demonstrate that the system can perform all of its safety functions within the required response time. Based on these committed-to design restrictions and additional testing requirements, the NRC staff was able to find that the CPCS meets deterministic performance requirements.
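The scheduling argument above (shorter-cycle tasks get higher priority, and a CPU load ceiling guarantees every task completes within its cycle) is the rate-monotonic schedulability problem. The following is an added worked example, not code from the paper or from the Common Q platform: it applies the Liu and Layland utilization bound, which is sufficient but not necessary, and the exact response-time test to three constructed task sets. The task names, periods, and execution times are assumptions; the paper does not give the Common Q load limit or the CPCS task parameters. The HIGH_LOAD set is the CPCS situation in miniature: it exceeds the simple utilization bound, so a per-task analysis is needed to show that it still meets every deadline.

```python
from math import ceil

# Added illustration of rate-monotonic schedulability analysis. The task sets
# below are constructed for the example and are not Common Q or CPCS data;
# the actual Common Q load limit is not stated in the paper and is not used here.
# Each task is (name, period_ms, wcet_ms), with deadline == period.

LOW_LOAD  = [("fast", 10, 2), ("medium", 20, 4), ("slow", 50, 10)]   # U = 0.60
HIGH_LOAD = [("fast", 10, 3), ("medium", 20, 5), ("slow", 40, 12)]   # U = 0.85
OVERLOAD  = [("fast", 10, 4), ("medium", 20, 6), ("slow", 40, 13)]   # U = 1.025


def rm_order(tasks):
    """Rate-monotonic priority assignment: shorter period means higher priority."""
    return sorted(tasks, key=lambda t: t[1])


def utilization(tasks):
    """Fraction of CPU time demanded by the whole task set."""
    return sum(c / p for _, p, c in tasks)


def liu_layland_bound(n):
    """Sufficient (not necessary) utilization bound for n RM-scheduled tasks."""
    return n * (2 ** (1.0 / n) - 1)


def response_time(ordered, idx):
    """Worst-case response time of ordered[idx] under fixed-priority preemptive
    scheduling, found by fixed-point iteration over the interference from all
    higher-priority tasks. Returns None if the task can miss its deadline."""
    _, period, wcet = ordered[idx]
    higher = ordered[:idx]
    r = wcet
    while True:
        r_next = wcet + sum(ceil(r / p) * c for _, p, c in higher)
        if r_next > period:
            return None
        if r_next == r:
            return r
        r = r_next


def analyze(tasks):
    """Utilization, the LL bound, and per-task worst-case response times."""
    ordered = rm_order(tasks)
    times = {name: response_time(ordered, i) for i, (name, _, _) in enumerate(ordered)}
    u, bound = utilization(tasks), liu_layland_bound(len(tasks))
    return {
        "utilization": u,
        "ll_bound": bound,
        "passes_ll_bound": u <= bound,
        "response_times": times,
        "schedulable": all(t is not None for t in times.values()),
    }


if __name__ == "__main__":
    for label, ts in (("LOW_LOAD", LOW_LOAD), ("HIGH_LOAD", HIGH_LOAD), ("OVERLOAD", OVERLOAD)):
        res = analyze(ts)
        print(f"{label}: U={res['utilization']:.3f} bound={res['ll_bound']:.3f} "
              f"LL={'pass' if res['passes_ll_bound'] else 'fail'} "
              f"schedulable={res['schedulable']} R={res['response_times']}")
```

A fixed load limit is a convenient platform-level restriction precisely because the utilization bound is cheap and conservative. Once the limit is relaxed, as it was for the CPCS, that sufficiency argument is gone, and evidence of the per-task kind shown here, together with testing of the as-built system, has to take its place.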
3.3 Diversity Strategies

The DAS is the independent and diverse system used by the APR1400 design to cope with software CCFs of the safety-related I&C systems concurrent with an Anticipated Operational Occurrence (AOO) or Postulated Accident (PA). The DAS design was reviewed against the criteria established in Item II.Q of the Staff Requirements Memorandum (SRM) to SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs." Position 3 of the SRM states: "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions." The DAS is the system in the APR1400 design used to meet these criteria.
The DAS consists of the DPS, DMA switches, and the DIS. The DPS is provided to meet the requirements of 10 CFR 50.62 regarding Anticipated Transient Without Scram (ATWS) mitigation. The DPS design includes the following automatic functions: reactor trip, turbine trip, auxiliary feedwater actuation, and safety injection actuation. The DMA switches, which are located in the main control room (MCR), permit the operator to manually actuate ESF systems in a timely manner following a postulated CCF of the safety system. These switches provide the following ESF signals: safety injection actuation, main steam isolation, containment isolation, containment spray actuation, and auxiliary feedwater actuation. The DIS provides diverse indications to monitor critical variables following a postulated software CCF of safety-related I&C systems. The DIS display and the DIS manual transfer switch are located on the MCR safety console. The manual transfer switch is used to manually transfer the control function from the QIAS-P to the DIS display. QIAS-P is the safety system which provides indications to monitor critical variables during normal plant operations.
The actuation signals from the ESF-CCS, the DPS, and the DMA switches converge at the Common Interface Module (CIM). The CIM is a non-software-based, qualified, nuclear safety grade module that performs signal prioritization and actuation of plant components. The CIM is credited as being diverse in operation from the Common Q safety PLC platform used in the PPS and ESF-CCS; hence, the same CCF cannot affect both the CIM and the safety-related I&C systems. The CIM priority logic is implemented with complementary metal-oxide-semiconductor (CMOS) or transistor-transistor logic (TTL) devices.
DI&C-ISG-04 addresses software CCFs of a priority module. In the APR1400 design, the use of simple TTL logic reduced the effort needed to fully test the CIM design and to demonstrate that it is not affected by software CCF. The priority logic is tested to ensure there are no design defects in the priority logic configuration; the test cases confirm that the logic generates the correct energize/de-energize output states.

To facilitate this testing, all input and switch states are manually or automatically stimulated. The energize/de-energize output states of the priority logic are manually or automatically compared to manually generated acceptance states. If an automated comparison method is employed, the automated test results are manually verified by sampling the test cases. The CIM implements state-based priority logic such that, for normal or accident conditions (except CCF), each command is generated by a logical OR of the demand from the ESF-CCS with the demand from the DPS. When the resulting signals conflict (e.g., open versus close), the outputs are driven to the safe state, which can be selected on a component basis. The DMA switches are manual switches hardwired directly to the CIM through isolators. Commands from the DMA switches are received at Port Z of the CIM, which has the highest priority; the manual diverse actuation signal blocks the commands from the ESF-CCS and the DPS. This also provides a diverse path for operator actuation and control of safety-related systems in the event of a software CCF of the safety-related I&C systems. The technology selected for the CIM and the DMA switches reduced the likelihood of a software CCF affecting these components and facilitated the demonstration of diversity.
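As an added example that is not part of the paper, and not the CIM's hardware or KHNP's test procedure, the following Python models the priority rules described above and runs the kind of exhaustive input/switch-state check the text describes, comparing the logic's energize/de-energize outputs against an independently written acceptance oracle. The signal representation (an open/close demand pair each from the ESF-CCS and the DPS, and a single OPEN/CLOSE/none position for the DMA switch at Port Z), the HOLD output for "no demand", and the two component configurations are assumptions made for the example.

```python
from itertools import product

# Added model of the state-based priority logic described for the CIM, with an
# exhaustive input/switch-state check. Signal encodings, the HOLD output and the
# two component configurations are assumptions for this example; this is not
# the CIM's CMOS/TTL implementation or KHNP's test procedure.

OPEN, CLOSE = "OPEN", "CLOSE"


def priority_logic(esf, dps, dma, safe_state):
    """Resolve one component command.

    esf, dps   : (open_demand, close_demand) booleans from ESF-CCS and DPS.
    dma        : None, OPEN or CLOSE from the hardwired DMA switch at Port Z.
    safe_state : OPEN or CLOSE, selected per component.
    Returns OPEN, CLOSE, or None when there is no demand (hold current state).
    """
    if dma is not None:                 # Port Z has highest priority and blocks ESF-CCS and DPS
        return dma
    want_open = esf[0] or dps[0]        # each command is the OR of the two automatic demands
    want_close = esf[1] or dps[1]
    if want_open and want_close:        # conflicting demands: drive to the component's safe state
        return safe_state
    if want_open:
        return OPEN
    if want_close:
        return CLOSE
    return None


def output_state(command, energized_state):
    """Map the commanded position to the actuator output for a component whose
    energized position is energized_state (assumed two-position actuator)."""
    if command is None:
        return "HOLD"
    return "ENERGIZE" if command == energized_state else "DE-ENERGIZE"


def acceptance_command(esf, dps, dma, safe_state):
    """Independently written oracle standing in for the manually generated
    acceptance states: a rule table rather than the short-circuit logic above."""
    if dma in (OPEN, CLOSE):
        return dma
    demanded = [pos for pos, d in ((OPEN, esf[0] | dps[0]), (CLOSE, esf[1] | dps[1])) if d]
    if len(demanded) == 2:
        return safe_state
    return demanded[0] if demanded else None


def exhaustive_check(safe_state, energized_state):
    """Stimulate every combination of input and switch states and compare the
    logic's output against the oracle. Returns (cases_run, mismatches)."""
    bools = (False, True)
    cases, mismatches = 0, []
    for eo, ec, do, dc, dma in product(bools, bools, bools, bools, (None, OPEN, CLOSE)):
        esf, dps = (eo, ec), (do, dc)
        got = output_state(priority_logic(esf, dps, dma, safe_state), energized_state)
        want = output_state(acceptance_command(esf, dps, dma, safe_state), energized_state)
        cases += 1
        if got != want:
            mismatches.append((esf, dps, dma, got, want))
    return cases, mismatches


if __name__ == "__main__":
    # Two constructed components: a fail-closed valve that energizes to open,
    # and a fail-open valve that energizes to close.
    for label, safe, energized in (("fail-closed", CLOSE, OPEN), ("fail-open", OPEN, CLOSE)):
        n, bad = exhaustive_check(safe, energized)
        print(f"{label}: {n} cases, {len(bad)} mismatches")
```

The check is only as good as the oracle's independence: if the acceptance states were derived from the same logic under test, the comparison would only confirm the logic against itself. That is the reason the text has the acceptance states generated manually, and the reason an automated comparison is spot-checked by hand on a sample of the cases.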
The design decisions on the DAS technology and development process allowed the applicant to demonstrate diversity between the DAS and the primary safety-related I&C systems more effectively. Several diversity attributes are incorporated into the DAS design. The reactor trip mechanism of the DPS is diverse from that of the PPS: the DPS uses a shunt trip mechanism while the PPS uses an undervoltage trip mechanism. Selecting different mechanisms to initiate a reactor trip allowed KHNP to credit functional diversity for meeting ATWS requirements. The DPS and DIS are both implemented on FLC technology, while the safety-related I&C systems are implemented on the Common Q PLC-based platform; the use of different platforms provides design and equipment diversity. Hardware Description Language (HDL) is used to program the FLCs of the DPS and DIS, whereas the Common Q PLC-based platform is programmed using software for microprocessor-based technology, which provides software diversity. The DAS is designed and tested by different teams and personnel than the safety systems, which provides human diversity. The design and development differences selected by KHNP allowed an effective demonstration of adequate diversity between the safety I&C systems and the DAS, and of compliance with NRC regulations and guidance, including Item II.Q of the Staff Requirements Memorandum to SECY-93-087.
3.4 Pre-application Coordination Meetings

A key lesson learned from the APR1400 I&C systems design certification application review is the importance of conducting pre-application coordination meetings. These meetings allow the applicant to present key aspects of the planned submittal and identify the information to be submitted, and give the staff the opportunity to provide feedback on any challenging areas of the design that require more focus. For example, as discussed in Section 3.1 of this paper, KHNP presented its design for safety and non-safety HMI interfaces to safety systems. Based on the NRC staff's feedback on the information necessary to demonstrate that hazards associated with these interfaces are properly identified and controlled, the applicant modified the design to reduce the set of hazards that needed to be considered. During the pre-application coordination meetings, the NRC staff was also able to give KHNP feedback on the latest guidance that the APR1400 I&C system design needed to address. For example, as required by 10 CFR 52.47(a)(9), the applicant needed to evaluate the standard plant design against the SRP revision in effect 6 months before the docket date of the application. Since the NRC staff had issued SRP BTP 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems," Revision 6 more than six months before the submittal of the APR1400 design certification application, the staff informed KHNP that the I&C system design needed to address the new guidance in this revision of BTP 7-19 regarding analysis of the effects of spurious actuations. This feedback resulted in KHNP submitting to the NRC its analysis of the potential effects of spurious actuations and identifying the methods adopted to minimize the likelihood of spurious actuations.

The NRC staff finds that conducting these pre-application coordination meetings produced significant gains in the efficiency of the APR1400 I&C systems review. This increase in efficiency is evident in the decrease in the number of requests for additional information issued for the I&C system review compared to previous design certification applications, as well as in a decrease in review time and resources.
3.5 Phase Discipline

Based on previous design certification application reviews, a significant amount of resources were spent in later stages of the review. As mentioned previously, the NRC typically has six phases during design certification application reviews: Phase One, preliminary safety evaluation report (SER) and request for additional information issuance; Phase Two, SER with open items issuance; Phase Three, Advisory Committee on Reactor Safeguards (ACRS) meeting to present Phase Two review results; Phase Four, advanced SER with no open items issuance; Phase Five, ACRS meeting to present Phase Four review results; and Phase Six, final SER issuance. During previous design certification application reviews, the NRC staff spent a significant amount of resources during the Phase Four review to resolve the open items identified in Phase Two of the review process. During the APR1400 I&C systems review, the staff used lessons learned from the previous design certification application reviews to ensure that all open items identified in the Phase Two SER had clear paths to resolution. The NRC staff focused on coordinating with the applicant to obtain resolution plans for these open items before exiting the Phase Two review. As a result of the NRC staff's efforts, later review phases were completed much more efficiently, with less time and fewer resources spent on closing open items.
4 CONCLUSIONS

Modern digital I&C systems incorporate many design features that provide safety and reliability benefits to plant operations. Design decisions regarding the overall I&C system architecture, the I&C platforms used, interfaces among redundant safety divisions and between safety and non-safety systems, deterministic behavior, and diversity strategies may have a significant impact on the safety and regulatory compliance demonstration. Design decisions for the APR1400 I&C system resulted in different levels of information being required to demonstrate that the fundamental safety design principles are met and that the design complies with NRC regulations. For example, design decisions regarding safety and non-safety interfaces reduced the amount of information required to demonstrate that the safety design principle of independence is met, while decisions regarding the I&C platform for the safety-related I&C systems resulted in the need for more design and implementation restrictions. As shown in this paper, designers should carefully consider how design decisions affect the safety and regulatory compliance demonstration.
Insights from the APR1400 I&C systems design certification application review also identified the importance of having pre-application coordination meetings to facilitate the licensing and design certification review process. Having these meetings will ensure a more efficient review by allowing the applicant to present key aspects of the planned submittal, identify information to be submitted, and allow staff the opportunity to provide feedback on any challenging areas of the design that require more focus.
Also, having phase discipline during the review ensures there are no unresolvable open items during late stages of the review; thus allowing for a more timely and efficient closure of open items and completion of the overall review.
5 ACKNOWLEDGMENTS

The authors would like to thank their NRC colleague Ian Jung for contributing to this paper.
6 REFERENCES
- 1. IEEE 603-1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations, Institute of Electrical and Electronics Engineers, New York, June 1991.
- 2. 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants, https://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-appa.html.
- 3. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, U.S. Nuclear Regulatory Commission, 2016, http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0800/ch7/.
- 4. APR1400 Design Control Document, Revision 3, ADAMS Accession No. ML18228A667.
- 5. Interim Staff Guidance DI&C-ISG-04, Highly-Integrated Control Rooms - Communication Issues, Revision 1, ADAMS Accession No. ML083310185.
- 6. BTP 7-21, Guidance on Digital Computer Real-Time Performance, Revision 6, ADAMS Accession No. ML16020A036.
- 7. Staff Requirements Memorandum to SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, 1993, ADAMS Accession No. ML003708056.
- 8. BTP 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems, Revision 6, ADAMS Accession No. ML110550971.