Insights and Experience from the NRC Review of the APR1400 Instrumentation and Controls Design
ML18355A765
Issue date: 10/02/2018
From: Dawnmathews Kalathiveettil, Zhang J D (NRC/NRR/DE/EICA)
Shared Package: ML18355A767



Deanna Jing Zhang and Dawnmathews Kalathiveettil
United States Nuclear Regulatory Commission, 11555 Rockville Pike, Rockville, MD 20852
Deanna.Zhang@NRC.gov; Dawnmathews.Kalathiveettil@nrc.gov

ABSTRACT

1 INTRODUCTION

2 BACKGROUND

3 APR1400 DESIGN DECISIONS AND IMPACT ON SAFETY DEMONSTRATION

3.1 Overall I&C Architecture and Independence

ine whether the safety-related I&C system design meets the safety design principles, and in particular the independence requirements. The overall I&C architecture provides the foundation for understanding the interfaces between systems with different safety classifications and how Human Machine Interfaces (HMI) interact with safety and control systems. Figure 1 depicts a simplified APR1400 I&C architecture.

Figure 1. Simplified Architecture of the APR1400 I&C Systems

As can be seen in Figure 1, there are several interfaces between safety-related and non-safety systems. between these interfaces. As mentioned previously, the staff held several pre-application coordination meetings with the applicant to discuss key aspects of their proposed design. During these meetings, KHNP described the intended interfaces between safety-related and non-safety I&C systems. The interface between the non-safety HMI and safety-related systems was described, including how this HMI will be used by operators to control safety-related equipment. During these discussions, the NRC staff identified areas where a significant amount of information would be needed to demonstrate that hazards associated with non-safety-to-safety data communication would not impact safety. In addition, the applicant would need to demonstrate how the non-safety to safety-related I&C system communications enhanced the performance of safety functions, as specified in Digital I&C Interim Staff Guidance (ISG) 4 (DI&C-ISG-4), Section 1, Staff Position 3 (Note: DI&C-ISG-.

To facilitate demonstrating independence between the safety-related and non-safety systems, KHNP decided to modify certain aspects of the design. For example, KHNP modified the HMI that directly controls safety-related components, the ESF-CCS Soft Control Module (ESCM), to be divisionalized. Although the non-safety Information Flat Panel Display (IFPD) is still used to select the component for control, only a limited amount of data is transmitted from the IFPD to the divisionalized safety-related ESCM, so that the hazards associated with this interface are significantly reduced. In addition, since the IFPD does not directly control safety-related equipment, having an independent safety-related ESCM with added operator verification also greatly reduces the possibility of undetected communication failures adversely impacting the safety function. KHNP also provided an analysis that demonstrates an operational time reduction when using the IFPD in conjunction with the ESCM to control safety-related equipment versus using the ESCM in a standalone manner. This analysis also shows the potential for reducing operator error when using the IFPD in conjunction with the ESCM, because the IFPD can provide better graphics that show the status of plant components in a holistic manner. The results of this analysis demonstrate that the communication from the IFPD to the ESCM provides a safety benefit from a human factors perspective and thereby conforms to the guidance of DI&C-ISG-4, Section 1, Staff Position 3. By making these design changes, KHNP significantly reduced the information needed to demonstrate independence between the IFPD and the ESCM while keeping the benefits of increased operator situational awareness and the operational versatility of the non-safety IFPD.

3.2 Determinism and Platform Characteristics

3.3 Diversity

Strategies

The actuation signals from the ESF-CCS, the DPS, and the DMA switches converge at the Common Interface Module (CIM). The CIM is a non-software-based, qualified, nuclear-safety-grade module that performs signal prioritization and actuation of plant components. The CIM is credited as being diverse in operation from the Common Q safety PLC platform used in the PPS and ESF-CCS; hence, the same CCF cannot affect both the CIM and the safety-related I&C system. The CIM priority logic is implemented with complementary metal-oxide-semiconductor (CMOS) or transistor-transistor logic (TTL) devices. DI&C-ISG-04 addresses software CCFs of a priority module. In the APR1400 design, the use of simple TTL logic made it practical to fully test the CIM design and to demonstrate that it is not affected by software CCF.

The priority logic is tested to ensure there are no design defects in the priority logic configuration. The test cases confirm that the logic generates the correct energize/de-energize output states. To facilitate this testing, all input and switch states are manually or automatically stimulated, and the energize/de-energize output states of the priority logic are manually or automatically compared to manually generated acceptance states. If an automated comparison method is employed, the automated test results are manually verified by sampling the test cases.

The CIM implements state-based priority logic such that, for normal or accident conditions (except CCF), each command is generated by a logical OR of the demand from the ESF-CCS with the demand from the DPS. When the resulting signals conflict (e.g., open vs. close), the outputs are driven to the safe state, which can be selected on a component basis. The DMA switches are manual switches hardwired directly to the CIM through isolators. Commands from the DMA switches are received at Port Z of the CIM, which has the highest priority: the manual diverse actuation signal blocks the commands from the ESF-CCS and the DPS. This also provides a diverse path for the actuation and control of safety-related systems by the operator in the event of a software CCF of the safety-related I&C systems. The technology selected for the CIM and the DMA switches reduced the likelihood of a software CCF affecting these components and facilitated the demonstration of diversity.

The design decisions on the DAS technology and development process allowed the applicant to more effectively demonstrate diversity between the DAS and the primary safety-related I&C systems. Several diversity attributes are incorporated into the DAS design. The reactor trip mechanism of the DPS is diverse from that of the PPS: the DPS uses a shunt trip mechanism while the PPS uses an undervoltage trip mechanism. Selecting different mechanisms to initiate a reactor trip allowed KHNP to credit functional diversity for meeting ATWS requirements. The DPS and DIS are both implemented on FLC technology, while the safety-related I&C systems are implemented on the Common Q PLC-based platform; the use of different platforms provides design and equipment diversity. A hardware description language (HDL) is used to program the FLC of the DPS and DIS, whereas the Common Q PLC-based platform is programmed using software for microprocessor-based technologies; this provides software diversity. The DAS is designed and tested by different teams and personnel than the design and test teams of the safety systems, which provides human diversity. The design and development differences selected by KHNP allowed an effective demonstration of adequate diversity between the safety I&C system and the DAS and compliance with NRC regulations and guidance, including Item II.Q in the Staff Requirements Memorandum to SECY-93-087.
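The CIM priority rules described above (the DMA switch at Port Z overrides everything, otherwise the command is the logical OR of the ESF-CCS and DPS demands, and conflicting open/close demands are resolved to a per-component safe state) are simple enough to be tested over every possible input, which is the practical reason for implementing them in discrete logic rather than in software. The following Python model is an added example, not KHNP's CIM design or its test procedure. It writes the logic twice, once at gate level (only AND/OR/NOT of energize lines, the way a TTL or CMOS board would be wired) and once as a plain statement of the rules serving as the acceptance states, stimulates every combination of input and switch states, and compares the two; a deterministic sample of cases is set aside for the manual verification of the automated comparison. The energize-line encoding, the treatment of a DMA switch with both contacts asserted (resolved to the safe state), and all names are assumptions made for the example.

```python
"""Executable model of a CIM-style priority module and its exhaustive test.

Added example, not KHNP's CIM logic or test procedure. The energize-line
encoding, the handling of a DMA switch with both contacts asserted, and all
names are assumptions.
"""
from itertools import product
from typing import List, NamedTuple, Tuple


class Inputs(NamedTuple):
    esf_open: bool      # ESF-CCS demand lines (True = energize)
    esf_close: bool
    dps_open: bool      # DPS demand lines
    dps_close: bool
    dma_open: bool      # DMA switch contacts, hardwired to Port Z
    dma_close: bool
    safe_is_open: bool  # per-component safe-state selector (True: open is safe)


class Outputs(NamedTuple):
    energize_open: bool
    energize_close: bool


def cim_gate_logic(i: Inputs) -> Outputs:
    """Gate-level model: AND/OR/NOT of the input lines only, no stored state."""
    dma_active = i.dma_open or i.dma_close
    dma_conflict = i.dma_open and i.dma_close
    open_demand = i.esf_open or i.dps_open      # logical OR of ESF-CCS and DPS
    close_demand = i.esf_close or i.dps_close
    conflict = open_demand and close_demand     # open vs. close at the same time

    safe_open = i.safe_is_open                  # selected safe state
    safe_close = not i.safe_is_open

    # Automatic path: pass the demand through unless it conflicts, in which
    # case only the safe-state output is energized.
    auto_open = open_demand and (not conflict or safe_open)
    auto_close = close_demand and (not conflict or safe_close)

    # Port Z: any asserted DMA contact blocks the automatic demands; the switch
    # position drives the output, or the safe state if both contacts are on.
    man_open = (i.dma_open and not dma_conflict) or (dma_conflict and safe_open)
    man_close = (i.dma_close and not dma_conflict) or (dma_conflict and safe_close)

    energize_open = (dma_active and man_open) or (not dma_active and auto_open)
    energize_close = (dma_active and man_close) or (not dma_active and auto_close)
    return Outputs(energize_open, energize_close)


def acceptance_state(i: Inputs) -> Outputs:
    """Independently written acceptance states, phrased as the rules rather
    than as gates (the role of the manually generated acceptance states)."""
    safe = Outputs(i.safe_is_open, not i.safe_is_open)
    if i.dma_open or i.dma_close:
        if i.dma_open and i.dma_close:
            return safe                          # assumption: invalid switch state
        return Outputs(i.dma_open, i.dma_close)  # DMA has highest priority
    want_open = i.esf_open or i.dps_open
    want_close = i.esf_close or i.dps_close
    if want_open and want_close:
        return safe                              # conflicting demand -> safe state
    return Outputs(want_open, want_close)


def all_inputs():
    """Every combination of input and switch states (2**7 = 128 vectors)."""
    for bits in product((False, True), repeat=len(Inputs._fields)):
        yield Inputs(*bits)


def exhaustive_test() -> List[Tuple[Inputs, Outputs, Outputs]]:
    """Stimulate every state; return (inputs, actual, expected) mismatches."""
    return [(i, cim_gate_logic(i), acceptance_state(i))
            for i in all_inputs() if cim_gate_logic(i) != acceptance_state(i)]


def sample_for_manual_review(stride: int = 13) -> List[Tuple[Inputs, Outputs]]:
    """Deterministic sample of cases for manual verification of the
    automated comparison."""
    cases = list(all_inputs())
    return [(i, cim_gate_logic(i)) for i in cases[::stride]]


if __name__ == "__main__":
    mismatches = exhaustive_test()
    print(f"{2 ** len(Inputs._fields)} combinations checked, "
          f"{len(mismatches)} mismatches")
    for vec, out in sample_for_manual_review():
        print(vec, "->", out)
```

Because the model is purely combinational, the 128 vectors are the complete test space, and any entry in the mismatch list names the exact input vector on which the gate-level wiring disagrees with the acceptance state. The same two-representation check transfers to an HDL implementation: the gate-level function becomes the synthesized design, and the acceptance function becomes the testbench's reference model.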
3.4 Pre-application Coordination Meetings

A key lesson learned from the APR1400 I&C systems design certification application review is the importance of conducting pre-application coordination meetings. These meetings allow the applicant to present key aspects of the planned submittal, identify the information to be submitted, and give the staff the opportunity to provide feedback on any challenging areas of the design that require more focus. For example, as discussed in Section 3.1 of this paper, KHNP presented their design for safety and non-safety HMI interfaces to safety systems. Based on the NRC staff's feedback on the need to demonstrate that hazards associated with these interfaces are properly identified and controlled, the applicant modified the design in order to reduce the set of hazards that need to be considered. During the pre-application coordination meetings, the NRC staff was also able to provide KHNP feedback on the latest guidance that the APR1400 I&C system design needed to address. For example, as required by 10 CFR 52.47(a)(9), the applicant needed to evaluate the standard plant design against the SRP revision in effect 6 months before the docket date of the application. Since the NRC staff had issued a revision of SRP BTP 7-19, Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control, before the APR1400 application was docketed, the staff informed KHNP that the I&C system design needed to address the new guidance in this revision of BTP 7-19 regarding analysis of the effects of spurious actuations. This feedback resulted in KHNP submitting to the NRC their analysis of the potential effects of spurious actuations and identifying the methods adopted to minimize the likelihood of spurious actuations. The NRC staff finds that conducting these pre-application coordination meetings produced significant gains in the efficiency of the APR1400 I&C systems review. This increase in efficiency is evident in the decrease in the number of requests for additional information issued for the I&C system review compared to previous design certification applications, as well as a decrease in review time and resources.

3.5 Phase Discipline

Based on previous design certification application reviews, a significant amount of resources were spent in later stages of the review. As mentioned previously, the NRC typically has six phases during design certification application reviews: Phase One, preliminary safety evaluation report (SER) and request for additional information issuance; Phase Two, SER with open items issuance; Phase Three, Advisory Committee on Reactor Safeguards (ACRS) meeting to present Phase Two review results; Phase Four, advanced SER with no open items issuance; Phase Five, ACRS meeting to present Phase Four review results; and Phase Six, final SER issuance. During previous design certification application reviews, the NRC staff spent a significant amount of resources during the Phase Four review in order to resolve the open items identified in Phase Two of the review process. During the APR1400 I&C systems review, the staff used lessons learned from the previous design certification application reviews to ensure that all open items identified in the Phase Two SER had clear paths for resolution. The NRC staff focused on coordinating with the applicant to obtain resolution plans for these open items prior to exiting the Phase Two review, so that the remaining phases could be completed in a much more efficient manner, with less time and resources spent on closing open items.

4 CONCLUSIONS

5 ACKNOWLEDGMENTS

6 REFERENCES
