ML18163A392
=Text=
{{#Wiki_filter:DI&C-ISG-06 REVISION 2 NRC TABLETOP EXAMPLE D.2.2 New System Architecture
Warren Odess-Gillet (NEI)
[Email address]
Tabletop Example for ISG-06 AR D.2.2 New System Architecture

Table of Contents
* Introduction
* Architecture
* Allocation of Functions
* Functional Architecture
* Communications
* Tricon Communications
* ALS Communications
* Non-Safety-Related MWS
* Triconex Communications with MWS
* ALS Communication with MWS
* Tricon and ALS configurations
* I/O Modules
* Manual Trip and Reset
* Power Supply
* Plant Power
* Chassis Power
* I/O Power
* Interface to Existing Control Board Display Indications
* PPS Testing Capabilities
* Failure Modes and Effects Analysis (FMEA)
* Post-Accident Monitoring
* IEEE Std 603 and IEEE Std 7-4.3.2 Conformance

Table of Figures
* Figure 1: [Figure 4-1] WEC Pressurized Water Reactor RPS Concept
* Figure 2: [Figure 3-1] Eagle 21 PPS
* Figure 3: [Figure 3-2] PPS Replacement
* Figure 4: [Figure 4-4] Typical Replacement Protection Set
* Figure 5: [Figure 4-5] Simplified Functional Architecture
* Figure 6: [Figure 3-3] PPS Replacement Communications
* Figure 7: [Figure 4-13] PPS Replacement Communications Single Protection Set
* Figure 8: [Figure 4-7] Tricon Triple Modular Redundant Architecture
* Figure 9: [Figure 4-8] Generic ALS FPGA Architecture
* Figure 10: [Figure 4-10] Triconex Trip Output Diagnostic
* Figure 11: [Figure 4-9] ALS Diversity Architecture

4/5/2018 Page 1
Introduction

This is an example license amendment request (LAR) description to address the draft ISG-06 Revision 2 Section D.2.2, New System Architecture. It is based on the Diablo Canyon Power Plant (DCPP) Process Protection System LAR, ADAMS Accession Number ML11307A332. Architecture-related text, drawings, and tables were aggregated into a single section based on the D.2.2 description. Any missing information was identified.
Architecture

Throughout this document, mention will be made of Process Protection Sets and channels. It is important to understand these terms as used at DCPP because the terminology is somewhat different from that used at other installations. A process channel is an arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition [FSAR [xx] Section 7.1]. Redundant process instrumentation channels are separated by locating the electronics in different protection "sets". The PPS at DCPP is comprised of four such Protection Sets. Each Protection Set is further comprised of various process "channels".

The existing Eagle 21 Process Protection System (PPS) four redundant Protection Sets, as shown in Figures 4-1 and 3-1, will be replaced with four redundant and independent Protection Sets (Protection Set I, Protection Set II, Protection Set III, Protection Set IV) that receive input from sensors and provide output to two trains (Train A and Train B) of the SSPS.

Figure 3-2 contains an overview of the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS), including a simplified representation of the PPS replacement. The PPS Replacement Project replaces in its entirety the Westinghouse Eagle 21 PPS hardware currently housed in PPS Racks 1-16, as illustrated in the shaded portion of Figure 3-2 (corresponding to the shaded portions of Figures 4-1 and 3-1). Equipment in the unshaded portion of Figure 3-2 is not being replaced or modified by this project.

Each Protection Set in the PPS replacement contains a software-based Triconex Tricon V10 processor subsystem described in the Triconex Topical Report [xx] and a diverse safety-related CSI ALS subsystem described in the ALS Topical Report [xx]. The PPS replacement is based on the Tricon PLC, Version 10, described in the Tricon V10 Topical Report Submittal [xx], and the CSI ALS described in [xx]. The proposed project replaces in its entirety the current Westinghouse Eagle 21 PPS with a new PPS that has improved reliability, diversity, diagnostic, and testing capabilities.

Both replacement digital platforms, Tricon and ALS, are located in the same cabinets that house the existing PPS. Figure 3-2 shows the maintenance workstation (MWS) located in the protection set racks.

Commented [wog1]: j. physical location(s) of existing system equipment in the plant
The PPS replacement is used as a direct replacement for the existing Eagle 21 PPS and has mostly the same design basis as the existing Eagle 21 PPS:

Commented [wog2]: a) system design functions

The following are other changes to the PPS architecture in addition to the platform changes:

The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms are being removed from the PPS as discussed in the PPS replacement Conceptual Design Document (CDD) [xx]. The feedwater flow signals are non-safety-related and will be input to the Digital Feedwater Control System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.

As described in the PPS replacement CDD [xx], the spare RTDs in the thermowell of each hot leg will now be activated for use by the PPS replacement. Each thermowell contains two RTDs, and currently only one in each thermowell is available for the averaging process. In the PPS replacement, a wiring change will enable the use of all 6 RTDs for this averaging process. This should improve measurement accuracy for ΔT/Tavg and increase conservatism.

Commented [wog3]: d) connections and internal interfaces within the safety system, including cross-divisional interfaces and interfaces between components
Figure 1: [Figure 4-1] WEC Pressurized Water Reactor RPS Concept

Figure 2: [Figure 3-1] Eagle 21 PPS

Figure 3: [Figure 3-2] PPS Replacement
Each Protection Set is independent of the other Protection Sets and is protected from adverse influence from the other Protection Sets. The PPS replacement does not utilize or implement interdivisional safety-to-safety communications. Within a protection set, the PPS replacement does incorporate safety-to-non-safety communications. The PPS replacement architecture is designed to ensure that communications between safety and non-safety equipment that resides within the Protection Set adhere to the guidance described in the ISG-04 Staff Positions.

Commented [wog4]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation); d) connections and internal interfaces within the safety system, including cross-divisional interfaces and interfaces between components

Each of the four Protection Sets contains a non-safety-related maintenance workstation (MWS) for the Tricon and a MWS for the ALS.

Commented [wog5]: g. connections between safety-related and non-safety-related systems and identification of signal and data isolation devices

The NRC D3 SER [x] determined that the design addresses Staff Position 1 of ISG-02 [x] adequately.

Commented [wog6]: g. connections between safety-related and non-safety-related systems and identification of signal and data isolation devices

Allocation of Functions

Commented [wog7]: a) System Design Functions

The same Eagle 21 functions will be performed by the PPS replacement. Figure 4-4 shows the channel assignments (inputs and protective action signals) for a single protection set.

Figure 4: [Figure 4-4] Typical Replacement Protection Set
Functional Architecture

Figure 4-5 illustrates the typical functional architecture for a single Eagle 21 replacement Protection Set.

Figure 5: [Figure 4-5] Simplified Functional Architecture

Communications

Figure 3-3 provides a simplified representation of the communications architecture for a single Protection Set.

Figure 6: [Figure 3-3] PPS Replacement Communications
Tricon Communications

Commented [wog8]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)

There are no communications paths between redundant Protection Sets in the Tricon portion of the PPS replacement. The non-safety-related MWS within each redundant Protection Set communicates only with the safety-related Tricon PLC within that Protection Set. The Tricon Communications Module (TCM) output media from the Tricon is fiber optic to provide electrical isolation. A media converter converts the fiber optic media to Ethernet.

A NetOptics Model PACU port aggregator tap device is utilized to ensure that only one-way communication takes place between the Tricon processors and the Plant Process Computer (PPC) Gateway Computer. The NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS. The non-safety PPC Gateway computer is shared by all four Protection Sets.

The PPS replacement design incorporates the NetOptics Model PACU port aggregator tap device shown in Figure 4-13 to ensure that only one-way communication takes place between the Tricon processors and the PPC Gateway Computer.
Figure 7: [Figure 4-13] PPS Replacement Communications Single Protection Set

The port aggregator tap is a hardware device that is installed between the Tricon processor, the MWS, and the Gateway computers. Ports A and B of the NetOptics are connected, respectively, to the Tricon TCM fiber optic NET2 port through a fiber optic-to-copper media converter and directly to the MWS associated with the Tricon via copper Ethernet. The PPC Gateway is connected to Port 1 of the NetOptics device, thus providing one-way communications from the PPS replacement system to the PPC. This design ensures that no data or command messages can be sent from the PPC to the MWS.

The data link protocol from the NetOptics to the MWS and to the TCM media converter is Triconex NET2. The port aggregator tap copies all information that is flowing between Ports A and B to Port 1 of the data aggregator. Neither Port A nor Port B of the NetOptics can read data from Port 1 of the data aggregator, and Port 1 cannot transmit data to Port A or Port B.

There is no transmitting capability from NetOptics Port 1 back to Ports A or B, which ensures security of the Tricon safety function. This NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS.

Commented [wog9]: Previously approved (see below). Is it necessary to provide such detail in the LAR for an item that has regulatory precedence?

Although Figure 4-13 shows only one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set, to ensure continued communications if a single TCM fails.

The NetOptics Model PACU/PADCU1 port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [xx]. The NRC staff determined that, due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.
The P2P communication capability provided by the TCM is not used for the PPS replacement.

Specific Tricon Main Processor and System Bus PPS Replacement Project compliance with ISG-04 [x] is addressed in Sections 3.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [xx].

Reference 2.5.35 [xx] in the Tricon V10 Topical Report Submittal [xx] describes the Tricon V10 conformance to ISG-04 [x]. The TCM handles all communications with external devices, and it has been qualified under the IOM Appendix B program for nuclear applications. Upon total loss of all TCMs, the main processors continue to function.

Specific PPS Replacement Project TCM compliance with ISG-04 is addressed in Sections 4.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [xx].
ALS Communications

Commented [wog10]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)

There are no communication paths between redundant safety divisions in the ALS portion of the PPS replacement, as shown in Figure 3-3. The two Electronic Industries Alliance EIA-422 standard ALS communication channels (TxB1 and TxB2) from the ALS-102 in each ALS chassis to the Gateway computer and the MWS, respectively, are isolated, serial, and one-way (transmit only). The communications channels do not receive any data, handshaking, or instructions from the Gateway computer. The ALS processes reactor coolant system (RCS) temperature signals and transmits the conditioned and scaled data to the Tricon via analog 4-20 milliampere (mA) signals.

The Test ALS Bus (TAB) communication channel provides communications between ALS Service Unit (ASU) maintenance software in the MWS and the ALS chassis. This Electronic Industries Alliance EIA-485 standard communication path is normally disabled, with two-way communication permitted only when a hardwired switch is closed to complete the circuit from the MWS back to the ALS. No communication is allowed on the TAB if the switch is not closed. The Protection Set containing the ALS chassis remains functional with TAB communications enabled. The information is collected in a non-obtrusive manner and does not affect the ongoing operation of the system.

The PPS replacement application does not utilize the ALS-601 Communications Board described in the ALS Topical Report Submittal [xx]. Two (2) independent, dedicated, serial, transmit-only (no handshake) EIA-422 communication channels (TxB1 and TxB2) provided by the ALS-102 provide information to external systems [Figure 4-6]. The ALS-102 transmits application-specific input and output states and values continuously to the MWS (which performs the function of the ASU) via the one-way RS-422 communication channel TxB2 on the ALS-102. The second one-way RS-422 communications channel, TxB1 on the ALS-102, transmits application-specific input and output states and values continuously to the non-safety PPC.
Non-Safety-Related MWS

Separate MWS are used to view data from the Tricon and the ALS and to maintain the Tricon and the ALS in a given protection set. One non-safety-related MWS is used to maintain and configure the Tricon and to view data from the Tricon. Another MWS is used to view data from the ALS. When the TAB has been placed in service as described above, the MWS is used to perform the maintenance functions associated with the ASU.

Commented [wog11]: b) Service/Test Functions

A MWS may access data only within its own Protection Set. Communication of any MWS with any other Protection Set is not possible. There are no means of connecting any Protection Set to another MWS without reconfiguring the Protection Set controllers and communications cabling. There are no communications switches in the architecture that could allow inadvertent connection of a MWS or other device to a Protection Set.

Commented [wog12]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
Triconex Communications with MWS

Commented [wog13]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)

Under operating plant conditions the MWS simply displays plant parameters and diagnostic information. The controls for access to functions beyond displaying data are security-related information per 10 CFR 2.390 and will be provided in a separate letter to the NRC staff. The MWS will be used for injecting test values and modifying Tricon safety system parameters. Use of the MWS is in accordance with site-specific administrative (procedural) and physical-access controls.

Data isolation between the safety-related Tricon control processor and the non-safety MWS is performed by the safety-related TCM. Fiber optic cable electrically isolates the Tricon from external non-safety-related devices.
The Tricon application software utilizes the safety-critical Tricon library functions "GATENB" and "GATDIS" to control MWS access to the Tricon in RUN mode. To update a parameter, the technician places the safety-related, instrument-loop-specific out-of-service switch in the closed position. The Tricon will activate the preprogrammed "GATENB" and "GATDIS" functions to open a data window of limited range. Prior to updating the parameter in the Tricon control program, the new value will be staged on the MWS screen for acknowledgement. After the changes have been made and the maintenance technician has placed the switch in the open position, the safety-related control logic will close the data window to prevent further changes. The MWS interface will also have protective measures built in, such as password-protected logon and role-based security functions, to ensure that only authorized individuals have the ability to update tuning parameters. If the out-of-service switch is deactivated before the change is made, the safety-related control logic will return the instrument loop to normal operation automatically.

A similar series of request/confirm actions is used to direct maintenance and test functions from the MWS, always under control by the safety-related Tricon application program.

Commented [HD14]: If this is covered by the topical report it would not be in the LAR.

Communication between a safety-related Tricon controller and a non-safety device as shown in Figure 4-13 is discussed in Sections 3.2 and 5.0 of the Triconex platform ISG-02 and ISG-04 compliance document [xx] and Sections 4.1 and 5.0 of the DCPP ISG-04 compliance document [xx]. Section 4.0 of Appendix 1 to the Triconex platform conformance to DI&C ISG-02 and ISG-04 [xx], "Non-safety VDU Communication to TRICON Example", discusses the use of the MWS and "GATENB/GATDIS". The GATENB/GATDIS functions are also discussed in Section 4.1 and Section 5.0, Point 3 of the DCPP-specific evaluation of conformance to DI&C ISG-04 [xx].
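The gated parameter-update path described above, modelled as an added example in Python (illustrative code, not Triconex library code or the DCPP application program): the safety-side logic alone opens and closes the data window from the state of the hardwired out-of-service switch, accepts only in-range values, requires a staged value to be acknowledged before it is committed, and discards anything un-acknowledged when the switch opens. The parameter name and window limits are constructed sample values, and the GATENB/GATDIS behaviour is an assumption drawn from the description above.

```python
"""Model of the MWS-to-Tricon tuning-parameter update interlock.

Illustrative only: the real GATENB/GATDIS library functions and the MWS
request/acknowledge screens are represented by a small state machine so
the interlock behaviour can be exercised offline.
"""
from dataclasses import dataclass, field


@dataclass
class TunableParameter:
    name: str
    value: float
    window_low: float    # limited range the data window accepts (assumed)
    window_high: float


@dataclass
class ProtectionSetController:
    """Safety-side logic: it owns the parameters and is the only thing that changes them."""
    params: dict
    oos_switch_closed: bool = False   # hardwired instrument-loop out-of-service switch
    gate_enabled: bool = False        # window state: set by GATENB, cleared by GATDIS
    staged: dict = field(default_factory=dict)   # values staged on the MWS awaiting acknowledgement
    log: list = field(default_factory=list)

    def scan(self) -> None:
        """Called every controller scan; the switch, not the MWS, drives the window state."""
        if self.oos_switch_closed and not self.gate_enabled:
            self.gate_enabled = True                 # GATENB: open the data window
            self.log.append("GATENB")
        elif not self.oos_switch_closed and self.gate_enabled:
            self.gate_enabled = False                # GATDIS: close the window
            self.staged.clear()                      # un-acknowledged values are dropped
            self.log.append("GATDIS: loop returned to normal operation")

    def stage(self, name: str, new_value: float) -> bool:
        """MWS request to stage a value; accepted only with the window open and the value in range."""
        if not self.gate_enabled:
            self.log.append(f"reject {name}: data window closed")
            return False
        p = self.params[name]
        if not (p.window_low <= new_value <= p.window_high):
            self.log.append(f"reject {name}={new_value}: outside window {p.window_low}..{p.window_high}")
            return False
        self.staged[name] = new_value
        return True

    def acknowledge(self, name: str) -> bool:
        """Technician acknowledgement on the MWS; commit only if still staged and window still open."""
        if not self.gate_enabled or name not in self.staged:
            self.log.append(f"reject ack {name}: nothing staged or window closed")
            return False
        self.params[name].value = self.staged.pop(name)
        self.log.append(f"commit {name}={self.params[name].value}")
        return True


def make_controller() -> ProtectionSetController:
    # Constructed sample parameter and window limits (not DCPP setpoints).
    return ProtectionSetController(params={
        "pzr_pressure_trip": TunableParameter("pzr_pressure_trip", 1950.0, 1900.0, 2000.0),
    })


def run_scenario() -> dict:
    """Walk through the update sequence and an abandoned update; returns the observed results."""
    c = make_controller()
    r = {}
    # Window closed: the MWS cannot stage anything, whatever it sends.
    r["stage_with_switch_open"] = c.stage("pzr_pressure_trip", 1960.0)
    # Technician closes the out-of-service switch; the next scan opens the window.
    c.oos_switch_closed = True
    c.scan()
    r["gate_after_switch_closed"] = c.gate_enabled
    r["stage_out_of_window"] = c.stage("pzr_pressure_trip", 2350.0)   # outside the limited range
    r["stage_in_window"] = c.stage("pzr_pressure_trip", 1960.0)
    r["ack_commits"] = c.acknowledge("pzr_pressure_trip")
    r["value_after_commit"] = c.params["pzr_pressure_trip"].value
    # Second change abandoned: the switch is opened before acknowledgement.
    c.stage("pzr_pressure_trip", 1975.0)
    c.oos_switch_closed = False
    c.scan()
    r["ack_after_switch_open"] = c.acknowledge("pzr_pressure_trip")
    r["value_after_abandon"] = c.params["pzr_pressure_trip"].value
    r["log"] = list(c.log)
    return r


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```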
ALS Communication with MWS

Commented [wog15]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)

Communications from the ALS to the MWS are via the transmit-only (no handshake) ALS-102 communication channel TxB2. The TxB2 communications channel does not receive any data, handshaking, or instructions from the MWS.

Two-way TAB communications between ASU application software in the MWS and the ALS chassis are used to perform ALS maintenance and calibration functions. This EIA-485 communication path is normally disabled, with two-way communications permitted only when a hardwired switch is closed to complete the circuit between the MWS and the ALS chassis. Communications on the TAB are not possible if the switch is open.

The EIA-422 communications channels on the ALS-102, as discussed in Section 3.9 of the 600261202 ALS-102 Design Specification [xx], are electrically isolated and inherently one-way; therefore the use of the NetOptics device is not required.
Tricon and ALS configurations

The DCPP Conceptual Design Document (CDD) [xx], Functional Requirements Specification (FRS) [xx], Interface Requirements Specification (IRS) [xx] and Controller Transfer Function Requirements Specification [xx] specify the overall functional requirements of the PPS replacement.

The Tricon subsystem of the PPS replacement utilizes three safety-related Model 3008N Main Processor modules to control the three separate legs of the system shown in Figure 4-7. A 32-bit primary processor in each Main Processor module manages execution of the control program and all system diagnostics at the Main Processor module level. Between the primary processors is a dedicated dual-port random access memory (DPRAM) allowing for direct memory access data exchanges. All external communication is through separate microprocessors, located on separate modules installed in the Main Chassis. The dual-microprocessor architecture described above thus complies with Position 4 of DI&C ISG-04 [x] by executing the communications process separately from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function.

Figure 8: [Figure 4-7] Tricon Triple Modular Redundant Architecture

The ALS-102 Core Logic Board (CLB) is the primary decision-making board in the ALS field programmable gate array (FPGA) system, and contains all the application-specific logic circuits that define and control the operation of a given system. Figure 4-8 shows the relationship of the CLB with the rest of the ALS configuration.

Figure 9: [Figure 4-8] Generic ALS FPGA Architecture
I/O Modules

As shown in Figure 4-7, Tricon TMR input modules contain three separate, independent processing systems, referred to as legs, for signal processing (Input Legs A, B, and C). The legs receive signals from common field input termination points. The Triconex I/O modules listed in Table 4-6, voting processes, and fault detection processes are described in Section 2.1.2.7 of the Tricon V10 Topical Report Submittal [xx]. These I/O Module types are used in the PPS replacement and are described in Reference 2.5.30 of the Tricon V10 Topical Report Submittal [xx].

The ALS Input Boards perform sensor sampling, signal conditioning, filtering, and analog-to-digital conversion of field input signals. Input Boards perform specific input functions, such as 24 V or 48 V digital contact sensing, 4-20 mA analog inputs, 0-10 V analog inputs, resistance temperature detector (RTD) inputs, or thermocouple (TC) inputs. The ALS Input Boards used in the PPS replacement are listed in Table 4-7 and described in Section 2.2 of the ALS Topical Report Submittal [xx].

The ALS Output Boards provide signals to control field devices such as actuators, indicators, and relays. The output modules, fault detection, configuration and data validation processes are described in Section 2.2 of the ALS Topical Report Submittal [xx]. The ALS Input Boards used in the PPS replacement are listed in Table 4-7. ALS Output Boards are used to provide 4-20 mA signals to the Tricon in the same Protection Set.

The design specifications listed in Table 4-7 describe I/O board fault detection, configuration, and data validation processes.
Manual Trip and Reset

The system-level manual trip and actuation functions are hardwired and are not affected by the PPS replacement. Once initiated, protective actions run to completion. Reset of the protective action must be initiated manually after the initiating cause is no longer present.

Commented [wog16]: e) connections to human-system interfaces

Power Supply

Commented [wog17]: i. interface with supporting systems (e.g., electrical power supply)

Plant Power

There is no discussion of HVAC in the LAR.

The PPS is supplied vital uninterruptible AC power from four electrically independent and physically separated 120 V AC distribution panels. This is unchanged and outside the scope of the modification. The SyRS addresses the HVAC and electrical power supporting systems.

Each distribution panel is supplied from a separate, dedicated inverter and from a backup common 480 V AC vital bus. An inverter can be fed from the 125 V DC vital system or from the 480 V AC vital system.
Chassis Power

The Triconex PPS subsystem utilizes two redundant Triconex power supply modules in each chassis. The power supply modules have been qualified by Triconex per the Tricon V10 Topical Report Submittal [xx] and operate from the redundant uninterruptible 120 V AC safety-related instrument power supply used to power the existing Eagle 21 PPS. Each power supply module is rated for 175 watts, which is sufficient to supply the power requirements of a fully populated chassis. Two different power supply modules can be used in a single chassis. The PPS replacement utilizes 120 V AC modules. The Triconex power supply modules are described in Section 2.1.2.5 of the Tricon V10 Topical Report Submittal [xx].

The power supply system in each ALS safety system cabinet is comprised of two qualified, independent AC/DC power supplies (supplied by PG&E). Each power supply is designed to provide 150 percent of the cabinet load, and operates in a redundant configuration. They are redundant, hot-swappable, and capable of being replaced while the system is operational without interruption of power to the ALS chassis or other safety system components. The 48 V DC from the redundant cabinet power supplies is fed to the ALS chassis, where it is diode-auctioneered to provide a single local 48 V DC supply. The power supplies are mounted in the same cabinet as the ALS chassis. Each ALS PPS subsystem chassis is powered via the Backplane Assembly from an external dual-redundant power supply system. The cabinet load consists of all ALS platform components and peripheral devices. The ALS-A and ALS-B subchannels are supplied by the same 48 V DC power supplies (typical for each Protection Set). The ALS power supply and distribution within the ALS chassis is described in Section 2.6.2 of the ALS Topical Report Submittal [xx] and in Section 4.2.1 of the ALS Platform Specification [xx].
*Separate I/O power supplies are provided and qualified by PG&E during detailed design for the Triconex and ALS subsystems.* It is understood that this would need to be provided as part of the LAR for the AR process.

Commented [wog18]: Gap that would be included in an AR LAR.

I/O Power

The Tricon and the ALS subsystem in each Protection Set are each provided with their own pair of safety-related, adjustable, redundant loop power supplies capable of powering all 4-20 mA instrument input loops associated with that subsystem. *Operating voltage will be selected during detailed design to power instrument loops without exceeding voltage limitations of instrument loop sensors (transmitters).* It is understood that this would need to be provided as part of the LAR for the AR process.

Commented [wog19]: Gap that would be included in an AR LAR.
De-energize-to-trip discrete Triconex outputs to the SSPS and auxiliary relays utilize the 120 V AC safety-related PPS instrument power supply. Energize-to-trip discrete Triconex outputs to the SSPS and auxiliary relays are powered by safety-related redundant 24 V DC power supplies. Other discrete Triconex outputs are powered by the external system.

Triconex discrete inputs are powered by redundant 24 V DC power supplies, except trip output loopback signals, which are powered by the 120 V AC discrete output (DO) [Figure 4-10]. Triconex analog 4-20 mA output loops are powered by redundant 24 V DC power supplies. The Triconex qualification requires that separate power supplies be used for analog and digital I/O.
Commented [wog20]: f. connections between safety-related systems

Figure 10: [Figure 4-10] Triconex Trip Output Diagnostic

All discrete ALS outputs to the SSPS are powered by safety-related 120 V AC Protection Set power. Other discrete ALS outputs such as output signals to the Main Annunciator System (MAS) are powered by the external system. Discrete ALS inputs are powered by safety-related redundant 48 V DC power supplies.

Analog ALS 4-20 mA outputs are powered by the ALS internal power supply. The feedback signals shown in Figure 4-9 are powered by the redundant, safety-related 48 V DC discrete input power supply.

Commented [wog21]: f. connections between safety-related systems

Figure 11: [Figure 4-9] ALS Diversity Architecture

Failure of any Tricon or ALS I/O power supply is alarmed on the control room MAS.
Interface to Existing Control Board Display Indications

The ALS System Requirements Specification [xx] and the Triconex SRS [xx] define the requirements for interfacing with existing DCPP control board indications.
Commented [wog22]: e. connections to human-system interfaces

PPS Testing Capabilities

The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition, and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS replacement permits periodic testing during reactor power operation without initiating a protective action from the channel under test.
Commented [wog23]: a) Service/Test Functions. The LAR does not go through each self-diagnostic feature. This is a gap. In the DCPP case TS SRs did not change. If TS SRs are changed, the diagnostic coverage and hooks to application would need to be described.
External hardwired switches are provided on all PPS replacement trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed.

Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches (ALS) and out-of-service switches (Tricon) is indicated through the MAS.
The Triconex portion of the PPS replacement continuously performs diagnostic functions as described in the Tricon V10 Topical Report Submittal [xx]. Specific PPS replacement test and calibration functions and application diagnostics are supported by the platform but implemented in the application program.

An example of such a diagnostic is a mismatch check that compares the trip demand from the PPS to a feedback signal. A mismatch occurs if the trip demand signal does not agree with the feedback signal, as shown in Figure 4-10 above. Triconex self-test methodology is described in Sections 2.1.2.6 (Main Processor module), 2.1.2.7 (I/O Modules), and 2.1.2.8 (TCM) of the Tricon V10 Topical Report Submittal [xx].
If online testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment.

During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode.
Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer timeout. Refer to:
* Tricon V10 Topical Report Submittal [xx] Section 2.1.2.6, 2.1.3.1, 2.2.10
* Appendix B to Tricon V10 Topical Report Submittal [xx] Section 3.9.A, 3.9.B, 5.3.V
* ALS Topical Report Submittal [xx] Section 2.3
* ALS System Requirements Specification [xx] Section 2.7.2, 2.7.3
* ALS System Design Specification [xx] Section 5.2.5

The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [xx].
Sections 3.0, 5.0, and 6.0.
Section 3.1.1.3 of the ALS Topical Report Submittal [xx] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection. Section 3.2 of the ALS Topical Report Submittal [xx] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.

Section 3.4 of the ALS Topical Report Submittal [xx] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.

A trouble alarm is generated upon detection of an input failure or an out-of-range low or out-of-range high input condition at 5 percent (low) and 105 percent (high) of span.
Failure Modes and Effects Analysis (FMEA)

The platform-level FMEA and reliability analyses for the Tricon digital platform have been reviewed and accepted by the NRC. In the Tricon V10 Topical Report Submittal [xx], Section 2.2.12 "Reliability and Availability," both reliability and availability were calculated with the assumption that periodic testing will uncover faults that are not normally detected by the Tricon system. For test periods ranging from 6 to 30 months the calculated reliability and availability were greater than 99.9 percent, which exceeds the EPRI recommended goal found in EPRI TR-107330 [xx], Section 4.2.3 "Availability, Reliability and FMEA."

For a periodic test interval of 18 months the reliability is 99.9987 percent and the availability is 99.9990 percent.

For the FPGA-based ALS PPS equipment, in the ALS Topical Report Submittal [xx], reliability numbers were calculated for seven different types of modules. These calculations can be found in the following documents: 600210212ALS102 FPA FMEA and Reliability Analysis [xx], 600230212ALS302 FPA FMEA and Reliability Analysis [xx], 600231112ALS311 FPA FMEA and Reliability Analysis [xx], 600232112 ALS321 FPA FMEA and Reliability Analysis [xx], 600240212ALS402 FMEA and Reliability Analysis [xx], and 600242112ALS421 FPA FMEA and Reliability Analysis [xx].
*The system-level PPS replacement Failure Modes and Effects Analysis (FMEA) will be completed during Phase 2. It is understood that this would need to be provided with the LAR for the AR process.*
Commented [wog24]: FMEA will be part of the LAR.
Post-Accident Monitoring

Post-accident monitoring capabilities are enhanced with the PPS replacement. With the exception of steam flow, reactor coolant flow, and temperature (loop wide range, loop Tavg, loop DeltaT, and Pressurizer vapor temperature), all provided PPS process indications are taken from the transmitter input (via qualified isolation devices where required) and are not processed by the digital PPS replacement equipment. The temperature, steam flow, and reactor coolant flow analog inputs require processing (RTD conversion or square root conversion), which is performed in the PPS, as is currently done in the Eagle 21 PPS.

Critical indications, such as those required for post-accident monitoring (PAM), are derived from raw instrument loop signals at the front end of the Replacement PPS, independent of any digital processing.

Isolation of nonsafety-related signals from safety-related signals is performed by qualified isolation devices. Refer to the PPS replacement FRS [xx] and IRS [xx] for requirements.

Note that Figure 4-5 identifies Class 1B PAM functions; their signals are acquired directly from the Class 1 input signals. No isolation is necessary because the input loop is of the correct classification. Details are provided in the IRS.
IEEE Std 603 and IEEE Std 7-4.3.2 Conformance

The clauses of IEEE Std 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and IEEE Std 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations pertaining to system architecture are addressed in this section.

IEEE Std 603 Clause 5.7: Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987 [x]. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:
(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),
(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and
(3) the capability shall be provided while the generating station is shut down.
Commented [wog25]: b. service/test functions
The PPS replacement is a digital replacement for the existing digital Eagle 21 PPS at DCPP. The capability for testing and calibration of the PPS replacement is not significantly different from that of the existing Eagle 21 PPS. The PPS replacement provides enhanced self-testing and diagnostic functions that reduce the likelihood of undetected failures in both the Tricon and ALS subsystems. However, the existing Eagle 21 technical specification surveillance requirements (SR) do not require revision as a result of this project.

The requirement for periodic testing is addressed by channel calibrations. The channel calibrations are performed online using the bypass capability of the channel or during refueling outages when the PPS is not required to be operable. Calibration and testing will be performed according to approved procedures that establish specific surveillance techniques and surveillance intervals intended to maintain the high reliability of the PPS replacement.

If online testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment.

During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode.

Administrative procedures will provide appropriate guidance in the event a portion of the PPS replacement is in bypass or is manually tripped. These procedures are augmented by automatic indication at the system level that the system is in bypass or that a portion of the protection system and/or the systems actuated or controlled by the protection system is tripped.

Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer timeout. Refer to:
* Tricon V10 Topical Report Submittal [xx] Section 2.1.2.6, 2.1.3.1, 2.2.10
* Appendix B to Tricon V10 Topical Report Submittal [xx] Section 3.9.A, 3.9.B, 5.3.V
* ALS Topical Report Submittal [xx] Section 2.3
* ALS System Requirements Specification [xx] Section 2.7.2, 2.7.3
* ALS System Design Specification [xx] Section 5.2.5

The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [xx].

Platform compliance with this clause is discussed in Tricon V10 Topical Report Submittal [xx] Section 2.1 and Topical Report Appendix B Sections 3.0, 5.0, and 6.0.
Section 3.1.1.3 of the ALS Topical Report Submittal [xx] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection. Section 3.2 of the ALS Topical Report Submittal [xx] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.

Section 3.4 of the ALS Topical Report Submittal [xx] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.

Section 12.1.8 of the ALS Topical Report Submittal [xx] describes the ALS platform compliance with this clause.

For both the Triconex and ALS subsystems, the platform self-tests and the application-specific test and calibration functions will be performed during the FAT to verify that the safety function is not adversely affected by performance of either built-in or application-specific test and calibration functions.

IEEE Std 7-4.3.2 Clause 5.5.2: Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. It shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration change (e.g., setpoint change).
Commented [wog26]: b. service/test functions

V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the computer that is part of the safety system.

V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.
The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition, and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS permits periodic testing during reactor power operation without initiating a protective action from the channel under test.

External hardwired switches are provided on PPS trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches is indicated through the MAS.

For both the Triconex and ALS subsystems, the platform self-tests and the application-specific test and calibration functions will be verified during the FAT to ensure that the Protection Set safety function is not adversely affected by performance of either built-in or application-specific test and calibration functions.

a) Tricon-Based PPS Equipment

Figure 4-10 in this LAR illustrates the Tricon DO loopback feature, which enables the PPS to determine if the external trip switch is open, or if the DO channel is producing an erroneous output. A PPS trouble alarm is generated if the instrument loop is not out of service and if the comparator output is true (commanding an energized output) and the de-energize-to-trip DO loopback is sensed as de-energized. A PPS failure alarm is generated if the de-energize-to-trip DO loopback is sensed as energized and the comparator output is false (commanding a de-energized output), whether or not the instrument loop is out of service.

Online testing in the Tricon is controlled by the nonsafety-related MWS and by safety-related logic enabled via an external safety-related hardwired out-of-service switch.

When the out-of-service switch is activated, the safety-related logic in the associated Protection Set allows the associated instrument channel to be taken out of service while maintaining the rest of the instrument channels in the Protection Set operable; that is, an individual out-of-service switch only removes an individual instrument channel from service and no other instrument channel. If the out-of-service switch is returned to the normal position during test, the safety-related logic automatically restores the instrument channel to safety-related operation.

The test and calibration functions are initiated by the nonsafety-related MWS, but are controlled by the safety-related Triconex processor application program. There is one MWS per Protection Set to ensure that a test or calibration function on one Protection Set will take place only on the Protection Set for which the action is intended, and that only one Protection Set can be affected by actions taken at any single MWS. The MWS from one Protection Set cannot communicate with any other Protection Set.

Data is allowed to be received by the safety-related Protection Set from the nonsafety MWS only when the channel is out of service. The channel is taken out of service by taking multiple deliberate actions:
(1) activating a hardware out-of-service switch locked in a cabinet; and
(2) activating a software switch on the Workstation requiring password access.
In addition, feedback is provided to the user on the MWS that the out-of-service switch for the loop to be tested has been activated. If the safety-related hardware out-of-service switch is not activated, nonsafety-related actions or failures cannot adversely affect the safety-related function.
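The loopback alarm logic for the Tricon DO point and the two-step out-of-service gating of MWS data described above can be modelled compactly. The Python below is an added illustration written for this page, not Triconex application code; the class, function and alarm names are assumptions, and the channel name is a constructed sample.

```python
"""Model of the Tricon de-energize-to-trip DO loopback diagnostic and the
out-of-service (OOS) gating of MWS data, as described in the text.
Added illustration, not Triconex application code; all names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Alarm(Enum):
    NONE = "none"
    TROUBLE = "PPS trouble alarm"
    FAILURE = "PPS failure alarm"


def loopback_alarm(out_of_service: bool, comparator_true: bool,
                   loopback_energized: bool) -> Alarm:
    """Evaluate one de-energize-to-trip DO point.

    comparator_true:    application logic commands an energized (untripped) output
    loopback_energized: the DO loopback input reads the output as energized
    """
    # Failure: output still energized although a trip (de-energized) output is
    # commanded. Raised whether or not the loop is out of service, since a
    # stuck-energized output would defeat the trip.
    if not comparator_true and loopback_energized:
        return Alarm.FAILURE
    # Trouble: energized output commanded but loopback reads de-energized.
    # Suppressed while the loop is out of service, because the external trip
    # switch may legitimately be open during testing.
    if comparator_true and not loopback_energized and not out_of_service:
        return Alarm.TROUBLE
    return Alarm.NONE


@dataclass
class InstrumentChannel:
    """One instrument channel in a Protection Set with its OOS interlock."""
    name: str
    hw_oos_switch: bool = False   # safety-related hardwired switch, locked cabinet
    sw_oos_switch: bool = False   # password-protected software switch on the MWS
    test_value: Optional[float] = None   # last value accepted from the MWS

    @property
    def out_of_service(self) -> bool:
        # Both deliberate actions are required before the channel is OOS.
        return self.hw_oos_switch and self.sw_oos_switch

    def mws_feedback(self) -> str:
        """Status shown to the user on the MWS for the loop to be tested."""
        return ("OOS switch ACTIVE" if self.hw_oos_switch
                else "OOS switch not activated")

    def set_hw_switch(self, activated: bool) -> None:
        """Safety-related logic: returning the hardware switch to normal
        automatically restores the channel to safety-related operation."""
        self.hw_oos_switch = activated
        if not activated:
            self.sw_oos_switch = False
            self.test_value = None

    def accept_mws_data(self, value: float) -> bool:
        """Safety-related side: accept MWS data only while OOS."""
        if not self.out_of_service:
            return False   # nonsafety action cannot reach the safety function
        self.test_value = value
        return True


def demo() -> list:
    """Walk one channel through a test sequence; returns the accept/reject trace."""
    ch = InstrumentChannel("PT-1 (constructed sample)")
    trace = [ch.accept_mws_data(12.0)]       # no switches: rejected
    ch.sw_oos_switch = True
    trace.append(ch.accept_mws_data(12.0))   # software switch only: rejected
    ch.set_hw_switch(True)
    trace.append(ch.accept_mws_data(12.0))   # both switches: accepted
    ch.set_hw_switch(False)                  # back to normal: auto-restore
    trace.append(ch.out_of_service)
    return trace


if __name__ == "__main__":
    print(demo())                               # [False, False, True, False]
    print(loopback_alarm(False, True, False))   # Alarm.TROUBLE
```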
The nonsafety Triconex MWS software is designed, developed and tested under the Triconex software development programs described in the Tricon V10 Topical Report Submittal [xx] to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. Triconex platform compliance with this clause is discussed in the Software Qualification Report [xx] Sections 4.0 and 8.0, the Critical Digital Review [xx] Sections 1.0, 2.0, 3.0, 4.0, and Appendix B, and the Topical Report Submittal [xx] Section 2.1 and Appendix B Section 3.0.

b) FPGA-Based ALS PPS Equipment

The ALS provides test and calibration capability as described in Section 2.3.2 and Section 3 of the ALS Topical Report Submittal [xx] and Sections 10.2 and 10.3 of the ALS System Design Specification [xx].

Each Protection Set has one ASU associated with the ALS subsystems in that set. The TAB allows the nonsafety-related ASU function (performed by the PPS replacement MWS) to interact with the ALS components for test and calibration only when the TAB RS485 communication switch described in Section 5.3.3 of the ALS Topical Report Submittal [xx] is closed. ALS platform compliance with this clause is discussed in Section 12.2.13.2 of the ALS Topical Report Submittal [xx].

In the PPS replacement, the MWS described in Section 4.2.4.5 of this LAR is the hardware platform on which the ASU function is implemented. The nonsafety-related ASU software is designed, developed, and tested under the CSI software development program to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers.
IEEE Std 7-4.3.2 Clause 5.5.3: Computer systems can experience partial failures that can degrade the capabilities of the computer system, but may not be immediately detectable by the system. Self-diagnostics are one means that can be used to assist in detecting these failures. Fault detection and self-diagnostics requirements are addressed in this subclause.
Commented [wog27]: b. service/test functions

The reliability requirements of the safety system shall be used to establish the need for self-diagnostics.

Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostics are incorporated into the system requirements, these functions shall be subject to the same V&V processes as the safety system functions.

If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Conversely, self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function. A typical set of self-diagnostic functions includes the following:
* Memory functionality and integrity tests (e.g., PROM checksum and RAM tests)
* Computer system instruction set (e.g., calculation tests)
* Computer peripheral hardware tests (e.g., watchdog timers and keyboards)
* Computer architecture support hardware (e.g., address lines and shared memory interfaces)
* Communication link diagnostics (e.g., CRC checks)

Infrequent communication link failures that do not result in a system failure or a lack of system functionality do not require reporting.

When self-diagnostics are applied, the following self-diagnostic features shall be incorporated into the system design:
a) Self-diagnostics during computer system startup
b) Periodic self-diagnostics while the computer system is operating
c) Self-diagnostic test failure reporting

a) Tricon-Based PPS Equipment

The Tricon is a fault tolerant controller as described in Section 5.7 of the Triconex System Description [xx]. As such, it is designed to run continuous diagnostics to detect and mask or override faults.

Diagnostic results are available to host devices via communication modules and alarm contacts on the Main Chassis. The alarm contacts on Main Chassis Power Modules are asserted when:
: 1. The system configuration does not match the control program configuration
: 2. A Digital Output Module experiences a LOAD/FUSE error
: 3. A module is missing somewhere in the system
: 4. A Main Processor, I/O or Communication module in the Main Chassis fails
: 5. An I/O or Communication module in an Expansion Chassis fails
: 6. A Main Processor detects a system fault
: 7. The interchassis I/O bus cables are incorrectly installed; for example, the cable for Leg A is accidentally connected to Leg B
: 8. A Power Module fails
: 9. Primary power to a Power Module is lost
: 10. A Power Module has a Low Battery or Over Temperature warning

Extensive diagnostics validate the health of each Main Processor as well as each I/O module and communication channel. Transient faults are recorded and masked by the hardware majority voting circuit. Persistent faults are diagnosed, and the errant module is hot-replaced or operated in a fault tolerant manner until hot replacement is completed.

Main Processor diagnostics do the following:
: 1. Verify fixed-program memory
: 2. Verify the static portion of RAM
: 3. Test all basic processor instructions and operating modes
: 4. Test all basic floating-point processor instructions
: 5. Verify the shared memory interface with each I/O communication processor and communication leg
: 6. Verify handshake signals and interrupt signals between the Central Processing Unit (CPU), each I/O communication processor and communication leg
: 7. Check each I/O communication processor and communication leg microprocessor, ROM, shared memory access and loopback of RS485 transceivers
: 8. Verify the TriClock interface
: 9. Verify the TriBUS interface

All I/O modules sustain complete, ongoing diagnostics for each leg. Failure of any diagnostic on any leg activates the module's FAULT indicator, which in turn activates the chassis alarm signal. The FAULT indicator points to a leg fault, not a module failure. The module is designed to operate properly in the presence of a single fault and may continue to operate properly with some multiple faults.

TMR Digital Input Modules with Self-Test continuously verify the ability of the Tricon to detect the transition of a normally energized circuit to the OFF state. TMR High-Density Digital Input Modules continuously verify the ability of the Tricon to detect transitions to the opposite state.

Each type of digital output module executes a particular type of Output Voter Diagnostic (OVD) for every point. In general, during OVD execution the commanded state of each point is momentarily reversed on one of the output drivers, one after another. Loopback sensing on the module allows each microprocessor to read the output value for the point to determine whether a latent fault exists within the output circuit.

A DC voltage digital output module is specifically designed to control devices which hold points in one state for long periods. The OVD strategy for a DC voltage digital output module ensures full fault coverage even if the commanded state of the points never changes. On this type of module, an output signal transition occurs during OVD execution, but is designed to be less than 2.0 milliseconds (500 microseconds is typical) and is transparent to most field devices.
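A simplified model of the Output Voter Diagnostic described above, added here as an example and not taken from Triconex documentation: three output drivers for one DO point, a 2-out-of-3 voter, and per-leg loopback sensing. The Driver/VotedOutputPoint names and the stuck-at fault model are assumptions, and the sub-2 ms reversal pulse timing is not modelled; the model shows why a leg stuck in the commanded state is only exposed by the reversal.

```python
"""Simplified model of a TMR digital output point with Output Voter
Diagnostic (OVD). Added example, not Triconex code; the Driver and
VotedOutputPoint names and the stuck-at fault model are constructed for
illustration. Pulse timing (the <2 ms reversal) is not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Driver:
    """One of the three output drivers (legs) for a single DO point."""
    fault: Optional[str] = None   # None, "stuck_on" or "stuck_off" (assumed fault model)

    def drive(self, command: bool) -> bool:
        """Actual driver output for a commanded state."""
        if self.fault == "stuck_on":
            return True
        if self.fault == "stuck_off":
            return False
        return command


class VotedOutputPoint:
    def __init__(self, drivers: List[Driver]):
        assert len(drivers) == 3, "TMR point needs exactly three legs"
        self.drivers = drivers

    def leg_outputs(self, commands: List[bool]) -> List[bool]:
        """Loopback sensing: what each leg actually outputs."""
        return [d.drive(c) for d, c in zip(self.drivers, commands)]

    def voted(self, commands: List[bool]) -> bool:
        """2-out-of-3 majority of the leg outputs reaches the field device."""
        return sum(self.leg_outputs(commands)) >= 2

    def latent_faults_without_ovd(self, commanded: bool) -> List[int]:
        """Legs whose loopback disagrees with the steady commanded state.
        A leg stuck in the commanded state is invisible to this check."""
        outs = self.leg_outputs([commanded] * 3)
        return [i for i, o in enumerate(outs) if o != commanded]

    def run_ovd(self, commanded: bool) -> Tuple[List[int], int]:
        """Reverse the command on one leg at a time and read loopback.
        Returns (legs with latent faults, number of OVD steps in which the
        voted field output departed from the commanded state)."""
        faulted, glitches = [], 0
        for leg in range(3):
            commands = [commanded] * 3
            commands[leg] = not commanded          # momentary reversal
            outs = self.leg_outputs(commands)
            if outs[leg] != commands[leg]:         # leg did not follow command
                faulted.append(leg)
            if self.voted(commands) != commanded:  # other two legs should mask it
                glitches += 1
        return faulted, glitches


def demo() -> dict:
    """Healthy module vs. one leg stuck ON while the point is commanded ON."""
    healthy = VotedOutputPoint([Driver(), Driver(), Driver()])
    stuck = VotedOutputPoint([Driver(), Driver("stuck_on"), Driver()])
    return {
        "healthy_ovd": healthy.run_ovd(True),                   # ([], 0)
        "stuck_passive": stuck.latent_faults_without_ovd(True),  # [] -> hidden
        "stuck_ovd": stuck.run_ovd(True),                        # ([1], 0)
        "stuck_field_output": stuck.voted([True] * 3),           # still correct
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```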
The results of all diagnostic tests are available to a host device via each installed communication module. Individual diagnostic flags are asserted upon any module fault within any chassis, DO load fuse or output voter fault, printer fault, math error, scan time overrun, Tricon keyswitch out of position, host communication error, program change, and I/O point disabled.

The Tricon Planning and Installation Guide [XX] provides descriptions of the main processor and I/O module diagnostics.

b) FPGA-Based ALS PPS Equipment

As described in [the ALS Topical Report] Reference [xx], Section 3, the ALS platform incorporates advanced failure detection and isolation techniques. The operation of the system is deterministic in nature and allows the system to monitor itself in order to validate its functional performance. The ALS platform implements advanced failure detection and mitigation in the active path to avoid unintended plant events, and in the passive path to ensure inoperable systems do not remain undetected. The system utilizes logic to perform distributed control where no single failure results in an erroneous plant event while maintaining the ability to perform its intended safety function.

The ALS platform incorporates self-diagnostics, application-specific diagnostics and self-test features into the input boards, bus communications, CLBs, and output boards.

In addition, system-level diagnostics are incorporated, divided into four categories: fatal, vital, non-vital, and undetectable, as described in [the ALS Topical Report] Reference [xx] Section 3.1.1.

IEEE Standard 7-4.3.2 Clauses 5.4.1 and 5.4.2 address computer system testing and qualification of existing commercial computers, respectively.
Note that IEEE Std 603, Clauses 5.8.1 and 5.8.4 need not be addressed in accordance with the AR process, which states: "If the design affects indications used by the operator for manual control, the LAR should describe how those modifications affect the ability of the operator to implement manual actions, in accordance with IEEE Std 603, Clause 5.8.1." AND "If the design affects indications used by the operator for manual control, the status indications, or the bypassed indications, the LAR should describe how the modifications support the ability of the operator to use the indications, in accordance with IEEE Std 603, Clause 5.8.4."
Commented [wog28]: Tabletop not addressing clauses 5.8.1 and 5.8.4 because the DCPP LAR did not change the indications used by operators for manual control.

IEEE Std 603, Clause 5.8.2: System Status Indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.
Commented [wog29]: ISG AR states, "The LAR should describe the interface and controls associated with status indication and bypass indication, in accordance with IEEE Std 603, Clauses 5.8.2, 5.8.3, 5.8.3.1, 5.8.3.2, and 5.8.3.3."
The display instrumentation that indicates and identifies protective actions of the sense and command features and execute features is unchanged by the PPS replacement. This instrumentation is primarily associated with inputs and outputs of the SSPS, which is not affected by the PPS replacement. In addition, the status of all actuated components is indicated on the control boards together with the control switches that are provided for the individual components.

A bistable status light panel on the Control Board provides bistable monitoring information in the Control Room. A "postage stamp" indicator lamp on the panel illuminates to indicate that a protection channel has been activated. This panel is part of the SSPS and is not affected by the PPS replacement.

Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.

a) Tricon-Based PPS Equipment

Triconex PPS replacement application details are provided in the Triconex Software Requirements Specification (SRS) [xx]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [xx] Section 2.1 and the Triconex DI&C-02 and -04 Compliance Report [xx] Section 3.0.

b) FPGA-Based ALS PPS Equipment

ALS application details are provided in the DCPP System Design Specification [xx] Section 5.3.3.4 and the ALS-102 FPGA Requirements Specification [xx]. The ALS Topical Report Submittal [xx] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2.
IEEE Std 603, Clause 5.8.3: If the protective actions of some part of a safety system have been bypassed Commented [wog30]: DCPP LAR does not separately address subclauses 5.8.3.1 - 5.8.3.3 or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room. | |||
PPS Replacement FRS[xx] paragraph 3.2.1.3.3 requires status indication signals that satisfy the requirements of RG 1.47 [xx] be provided to the control room from each Protection Set for indication that a protection channel has been placed in an inoperable condition (e.g., bypassed). | |||
Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application. | |||
a) TriconBased PPS Equipment Triconex PPS replacement application details are provided in the Triconex SRS [xx]. Platform compliance with this clause is described in Tricon V1 0 Topical Report Submittal [xx] Section 2.1 and the Triconex DI&C02 and 04 Compliance Report [xx] Section 3.0. | |||
b) FPGABased ALS PPS Equipment ALS System Requirements Specification [xx] requires indication of partial trip output bypasses to be provided locally at the cabinet. This requirement is implemented in ALS System Design Specification [xx] | |||
Section 11.3, which requires indication that an input channel or output channel has been placed into or removed from a bypass mode or an override mode and describes means by which the information is made available for display in the control room. The ALS Topical Report Submittal [xx] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2. ALS application details 4/5/2018 Page 26 | |||
Tabletop Example for ISG06 AR D.2.2 New System Architecture are provided in the DCPP System Design Specification [xx] Section 5.3.3.4 and the ALS1 02 FPGA Requirements Specification [xx]. | |||
IEEE Std 603, Clause 5.8.3.1: This display instrumentation need not be part of the safety systems. | |||
4/5/2018 Page 27}} |
ML18163A392
Site: Nuclear Energy Institute
Issue date: 06/13/2018
From: Odess-Gillette W, Nuclear Energy Institute
To: Office of Nuclear Reactor Regulation, Golla J
Table of Contents
- Introduction
- Architecture
- Allocation of Functions
- Functional Architecture
- Communications
- Tricon Communications
- ALS Communications
- Non-Safety-Related MWS
- Triconex Communications with MWS
- ALS Communication with MWS
- Tricon and ALS configurations
- I/O Modules
- Manual Trip and Reset
- Power Supply
- Plant Power
- Chassis Power
- I/O Power
- Interface to Existing Control Board Display Indications
- PPS Testing Capabilities
- Failure Modes and Effects Analysis (FMEA)
- Post-Accident Monitoring
- IEEE Std 603 and IEEE Std 7-4.3.2 Conformance
Table of Figures
- Figure 1: [Figure 4-1] WEC Pressurized Water Reactor RPS Concept
- Figure 2: [Figure 3-1] Eagle 21 PPS
- Figure 3: [Figure 3-2] PPS Replacement
- Figure 4: [Figure 4-4] Typical Replacement Protection Set
- Figure 5: [Figure 4-5] Simplified Functional Architecture
- Figure 6: [Figure 3-3] PPS Replacement Communications
- Figure 7: [Figure 4-13] PPS Replacement Communications Single Protection Set
- Figure 8: [Figure 4-7] Tricon Triple Modular Redundant Architecture
- Figure 9: [Figure 4-8] Generic ALS FPGA Architecture
- Figure 10: [Figure 4-10] Triconex Trip Output Diagnostic
- Figure 11: [Figure 4-9] ALS Diversity Architecture
Introduction
This is an example license amendment request (LAR) description to address the draft ISG-06 Revision 2 Section D.2.2, New System Architecture. It is based on the Diablo Canyon Power Plant (DCPP) Process Protection System LAR, ADAMS Accession Number ML11307A332. Architecture-related text, drawings, and tables were aggregated into a single section based on the D.2.2 description. Any missing information was identified.
Architecture
Throughout this document, mention will be made of Process Protection Sets and channels. It is important to understand these terms as used at DCPP because the terminology is somewhat different from that used at other installations. A process channel is an arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition [FSAR [xx] Section 7.1]. Redundant process instrumentation channels are separated by locating the electronics in different protection "sets". The PPS at DCPP consists of four such Protection Sets. Each Protection Set in turn consists of various process "channels".
The existing Eagle 21 Process Protection System (PPS) four redundant Protection Sets, as shown in Figures 4-1 and 3-1, will be replaced with four redundant and independent Protection Sets (Protection Set I, Protection Set II, Protection Set III, Protection Set IV) that receive input from sensors and provide output to two trains (Train A and Train B) of the SSPS.
Figure 3-2 contains an overview of the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS), including a simplified representation of the PPS replacement. The PPS Replacement Project replaces in its entirety the Westinghouse Eagle 21 PPS hardware currently housed in PPS Racks 1-16, as illustrated in the shaded portion of Figure 3-2 (corresponding to the shaded portions of Figures 4-1 and 3-1). Equipment in the unshaded portion of Figure 3-2 is not being replaced or modified by this project.
Each Protection Set in the PPS replacement contains a software-based Triconex Tricon V10 programmable logic controller (PLC) processor subsystem, described in the Tricon V10 Topical Report Submittal [xx], and a diverse safety-related CSI ALS subsystem, described in the ALS Topical Report Submittal [xx]. The proposed project replaces in its entirety the current Westinghouse Eagle 21 PPS with a new PPS that has improved reliability, diversity, diagnostic, and testing capabilities.
Both replacement digital platforms, Tricon and ALS, are located in the same cabinets that house the existing PPS. Figure 3-2 shows the maintenance workstation (MWS) located in the Protection Set racks.
Commented [wog1]: j. physical location(s) of existing system equipment in the plant
The PPS replacement is used as a direct replacement for the existing Eagle 21 PPS and has mostly the same design basis as the existing Eagle 21 PPS.
Commented [wog2]: a) system design functions
The following are other changes to the PPS architecture in addition to the platform changes:
- The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms are being removed from the PPS, as discussed in the PPS replacement Conceptual Design Document (CDD) [xx]. The feedwater flow signals are non-safety-related and will be input to the Digital Feedwater Control System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.
- As described in the PPS replacement CDD [xx], the spare RTDs in the thermowell of each hot leg will now be activated for use by the PPS replacement. Each thermowell contains two RTDs, and currently only one in each thermowell is available for the averaging process. In the PPS replacement, a wiring change will enable the use of all 6 RTDs for this averaging process. This should improve measurement accuracy for Delta-T/Tavg and increase conservatism.
Commented [wog3]: d) connections and internal interfaces within the safety system, including cross-divisional interfaces and interfaces between components
Figure 1: [Figure 4-1] WEC Pressurized Water Reactor RPS Concept
Figure 2: [Figure 3-1] Eagle 21 PPS
Figure 3: [Figure 3-2] PPS Replacement
Each Protection Set is independent of the other Protection Sets and is protected from adverse influence from the other Protection Sets. The PPS replacement does not utilize or implement interdivisional safety-to-safety communications. Within a Protection Set, the PPS replacement does incorporate safety-to-non-safety communications. The PPS replacement architecture is designed to ensure that communications between safety and non-safety equipment residing within the Protection Set adhere to the guidance described in the ISG-04 Staff Positions.
Commented [wog4]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation); d) connections and internal interfaces within the safety system, including cross-divisional interfaces and interfaces between components
Commented [wog5]: g. connections between safety-related and non-safety-related systems and identification of signal and data isolation devices
Each of the four Protection Sets contains a non-safety-related maintenance workstation (MWS) for the Tricon and a MWS for the ALS.
Commented [wog6]: g. connections between safety-related and non-safety-related systems and identification of signal and data isolation devices
The NRC D3 SER [x] determined that the design addresses Staff Position 1 of ISG-02 [x] adequately.
Allocation of Functions
Commented [wog7]: a) System Design Functions
The same Eagle 21 functions will be performed by the PPS replacement. Figure 4-4 shows the channel assignments (inputs and protective action signals) for a single Protection Set.
Figure 4: [Figure 4-4] Typical Replacement Protection Set
Functional Architecture
Figure 4-5 illustrates the typical functional architecture for a single Eagle 21 replacement Protection Set.
Figure 5: [Figure 4-5] Simplified Functional Architecture
Communications
Figure 3-3 provides a simplified representation of the communications architecture for a single Protection Set.
Figure 6: [Figure 3-3] PPS Replacement Communications
Tricon Communications
Commented [wog8]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
There are no communications paths between redundant Protection Sets in the Tricon portion of the PPS replacement. The non-safety-related MWS within each redundant Protection Set communicates only with the safety-related Tricon PLC within that Protection Set. The Tricon Communications Module (TCM) output medium from the Tricon is fiber optic, to provide electrical isolation. A media converter converts the fiber optic medium to Ethernet.
A NetOptics Model PACU port aggregator tap device, shown in Figure 4-13, is utilized to ensure that only one-way communication takes place between the Tricon processors and the Plant Process Computer (PPC) Gateway Computer. The NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS. The non-safety PPC Gateway computer is shared by all four Protection Sets.
Figure 7: [Figure 4-13] PPS Replacement Communications Single Protection Set
The port aggregator tap is a hardware device that is installed between the Tricon processor, the MWS, and the Gateway computers. Ports A and B of the NetOptics are connected, respectively, to the Tricon TCM fiber optic NET2 port (through a fiber-optic-to-copper media converter) and directly to the MWS associated with the Tricon via copper Ethernet. The PPC Gateway is connected to Port 1 of the NetOptics device, thus providing one-way communications from the PPS replacement system to the PPC. This design ensures that no data or command messages can be sent from the PPC to the MWS.
The data link protocol from the NetOptics to the MWS and to the TCM media converter is Triconex NET2. The port aggregator tap copies all information that is flowing between Ports A and B to Port 1 of the data aggregator. Neither Port A nor Port B of the NetOptics can read data from Port 1 of the data aggregator, and Port 1 cannot transmit data to Port A or Port B.
There is no transmitting capability from NetOptics Port 1 back to Ports A or B, which ensures security of the Tricon safety function.
Commented [wog9]: Previously approved (see below). Is it necessary to provide such detail in the LAR for an item that has regulatory precedence?
Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L); the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set, to ensure continued communications if a single TCM fails.
The NetOptics Model PACU/PADCU1 port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [xx]. The NRC staff determined that, due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.
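The read-only property claimed for the port aggregator tap is something a practitioner would want to confirm from captures rather than take from the data sheet. The following Python script is an added example, not part of the original page or of the DCPP project. It parses a small constructed capture taken at three assumed points (the copper run on tap Port A toward the TCM media converter, the run on Port B toward the Tricon MWS, and the run on Port 1 toward the PPC Gateway) and checks the three properties the text states: only the TCM and the MWS appear as talkers on the A/B side, the host on Port 1 never transmits, and every A/B frame is copied to Port 1. The host names, the capture points and the key=value record format are assumptions made for the example.

```python
"""Offline check of a port aggregator tap's one-way (read-only) property.

Added example, not DCPP project code. Capture points, host names and the
key=value record format are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed endpoint names: the two hosts allowed to exchange traffic through
# Ports A and B, and the host hanging off the monitor port (Port 1).
SAFETY_SIDE = {"tcm", "mws"}
MONITOR_HOST = "ppc-gateway"


@dataclass(frozen=True)
class Frame:
    t: float   # capture time in seconds
    link: str  # capture point: "A", "B" or "1"
    src: str
    dst: str
    seq: int   # frame identifier, used to match the mirrored copy on Port 1


def parse_capture(text: str) -> list[Frame]:
    """Parse one key=value record per line; '#' lines are comments."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        frames.append(Frame(float(kv["t"]), kv["link"], kv["src"], kv["dst"], int(kv["seq"])))
    return frames


def check_one_way(frames: list[Frame]) -> list[str]:
    """Return one finding per violated property (empty list = tap behaves as claimed)."""
    findings: list[str] = []
    ab_frames: dict[int, Frame] = {}   # legitimate frames seen on the pass-through pair
    mirrored: set[int] = set()         # frame ids seen on the monitor link
    for f in frames:
        if f.link in ("A", "B"):
            # Property 1: only the TCM and the MWS may talk on the safety side.
            if f.src not in SAFETY_SIDE or f.dst not in SAFETY_SIDE:
                findings.append(f"t={f.t:.3f} link {f.link}: unexpected endpoint "
                                f"{f.src}->{f.dst} (seq {f.seq})")
            else:
                ab_frames[f.seq] = f
        elif f.link == "1":
            # Property 2: the host on Port 1 never transmits toward the tap.
            if f.src == MONITOR_HOST:
                findings.append(f"t={f.t:.3f} link 1: {MONITOR_HOST} transmitted "
                                f"toward the tap (seq {f.seq})")
            else:
                mirrored.add(f.seq)
        else:
            findings.append(f"t={f.t:.3f}: unknown capture point {f.link!r}")
    # Property 3: every legitimate A<->B frame must have been copied to Port 1.
    for seq, f in sorted(ab_frames.items()):
        if seq not in mirrored:
            findings.append(f"seq {seq} ({f.src}->{f.dst}) seen on link {f.link} "
                            f"but not mirrored on Port 1")
    return findings


# Constructed capture: a normal request/response pair, then the gateway attempts
# to send a frame to the MWS and that frame shows up on the Port B link, then a
# TCM->MWS frame that the monitor port never saw.
CAPTURE = """\
# t=seconds link=capture point src/dst=host seq=frame id (constructed data)
t=0.010 link=A src=mws dst=tcm seq=1
t=0.010 link=B src=mws dst=tcm seq=1
t=0.010 link=1 src=mws dst=tcm seq=1
t=0.020 link=A src=tcm dst=mws seq=2
t=0.020 link=B src=tcm dst=mws seq=2
t=0.020 link=1 src=tcm dst=mws seq=2
t=0.030 link=1 src=ppc-gateway dst=mws seq=3
t=0.031 link=B src=ppc-gateway dst=mws seq=3
t=0.050 link=A src=tcm dst=mws seq=4
t=0.050 link=B src=tcm dst=mws seq=4
"""

# The same capture without the injected frame and with the mirror intact.
CLEAN_CAPTURE = "\n".join(CAPTURE.splitlines()[:7]) + "\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CAPTURE), ("tampered", CAPTURE)):
        print(f"{name}: {check_one_way(parse_capture(text)) or ['no findings']}")
```

The third property matters as much as the first two: a tap that silently stops mirroring leaves the PPC blind without any alarm on the safety side, so a periodic comparison of the A/B and Port 1 captures is the cheap way to detect it.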
The P2P communication capability provided by the TCM is not used for the PPS replacement.
Specific Tricon Main Processor and System Bus PPS Replacement Project compliance with ISG-04 [x] is addressed in Sections 3.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [xx].
Reference 2.5.35 [xx] in the Tricon V10 Topical Report Submittal [xx] describes the Tricon V10 conformance to ISG-04 [x]. The TCM handles all communications with external devices, and it has been qualified under the IOM Appendix B program for nuclear applications. Upon total loss of all TCMs, the main processors continue to function.
Specific PPS Replacement Project TCM compliance with ISG-04 is addressed in Sections 4.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [xx].
ALS Communications
Commented [wog10]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
There are no communication paths between redundant safety divisions in the ALS portion of the PPS replacement, as shown in Figure 3-3. The two Electronic Industries Alliance EIA-422 standard ALS communication channels (TxB1 and TxB2) from the ALS-102 in each ALS chassis to the Gateway computer and the MWS, respectively, are isolated, serial, and one-way (transmit only). The communications channels do not receive any data, handshaking, or instructions from the Gateway computer. The ALS processes reactor coolant system (RCS) temperature signals and transmits the conditioned and scaled data to the Tricon via analog 4-20 milliampere (mA) signals.
The Test ALS Bus (TAB) communication channel provides communications between ALS Service Unit (ASU) maintenance software in the MWS and the ALS chassis. This Electronic Industries Alliance EIA-485 standard communication path is normally disabled, with two-way communication permitted only when a hard-wired switch is closed to complete the circuit from the MWS back to the ALS. No communication is allowed on the TAB if the switch is not closed. The Protection Set containing the ALS chassis remains functional with TAB communications enabled. The information is collected in a non-obtrusive manner and does not affect the ongoing operation of the system.
The PPS replacement application does not utilize the ALS-601 Communications Board described in the ALS Topical Report Submittal [xx]. Two (2) independent, dedicated, serial, transmit-only (no handshake) EIA-422 communication channels (TxB1 and TxB2) provided by the ALS-102 provide information to external systems [Figure 4-6]. The ALS-102 transmits application-specific input and output states and values continuously to the MWS (which performs the function of the ASU) via the one-way RS-422 communication channel TxB2 on the ALS-102. The second one-way RS-422 communications channel, TxB1 on the ALS-102, transmits application-specific input and output states and values continuously to the non-safety PPC.
Non-Safety-Related MWS
Separate MWS are used to view data from the Tricon and the ALS and to maintain the Tricon and the ALS in a given Protection Set. One non-safety-related MWS is used to maintain and configure the Tricon and to view data from the Tricon. Another MWS is used to view data from the ALS. When the TAB has been placed in service as described above, this MWS is used to perform the maintenance functions associated with the ASU.
Commented [wog11]: b) Service/Test Functions
A MWS may access data only within its own Protection Set. Communication of any MWS with any other Protection Set is not possible. There are no means of connecting any Protection Set to another MWS without reconfiguring the Protection Set controllers and communications cabling. There are no communications switches in the architecture that could allow inadvertent connection of a MWS or other device to a Protection Set.
Commented [wog12]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
Triconex Communications with MWS
Commented [wog13]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
Under operating plant conditions the MWS simply displays plant parameters and diagnostic information.
The controls for access to functions beyond displaying data are security-related information per 10 CFR 2.390 and will be provided in a separate letter to the NRC staff. The MWS will be used for injecting test values and modifying Tricon safety system parameters. Use of the MWS is in accordance with site-specific administrative (procedural) and physical-access controls.
Data isolation between the safety-related Tricon control processor and the non-safety MWS is performed by the safety-related TCM. Fiber optic cable electrically isolates the Tricon from external non-safety-related devices.
The Tricon application software utilizes the safety-critical Tricon library functions "GATENB" and "GATDIS" to control MWS access to the Tricon in RUN mode. To update a parameter, the technician places the safety-related, instrument-loop-specific out-of-service switch in the closed position. The Tricon will activate the preprogrammed "GATENB" and "GATDIS" functions to open a data window of limited range. Prior to updating the parameter in the Tricon control program, the new value will be staged on the MWS screen for acknowledgement. After the changes have been made and the maintenance technician has placed the switch in the open position, the safety-related control logic will close the data window to prevent further changes. The MWS interface will also have protective measures built in, such as password-protected logon and role-based security functions, to ensure that only authorized individuals have the ability to update tuning parameters. If the out-of-service switch is deactivated before the change is made, the safety-related control logic will return the instrument loop to normal operation automatically.
A similar series of request/confirm actions is used to direct maintenance and test functions from the MWS, always under control of the safety-related Tricon application program.
Commented [HD14]: If this is covered by the topical report it would not be in the LAR.
Communication between a safety-related Tricon controller and a non-safety device as shown in Figure 4-13 is discussed in Sections 3.2 and 5.0 of the Triconex platform ISG-02 and ISG-04 compliance document [xx] and Sections 4.1 and 5.0 of the DCPP ISG-04 compliance document [xx]. Section 4.0 of Appendix 1 to the Triconex platform conformance to DI&C ISG-02 and ISG-04 [xx], "Non-safety VDU Communication to TRICON Example", discusses the use of the MWS and "GATENB/GATDIS". The GATENB/GATDIS functions are also discussed in Section 4.1 and Section 5.0, Point 3 of the DCPP-specific evaluation of conformance to DI&C ISG-04 [xx].
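The security-relevant point of the GATENB/GATDIS sequence is that the safety side, not the workstation, decides whether a write is accepted: the MWS logon and role checks are a second layer, but the hard-wired out-of-service switch and the bounded data window are what the Tricon enforces. The Python model below is an added example written to illustrate that structure; it is not Triconex or DCPP project code, and the loop names, window limits, role names and return strings are assumptions. It walks through the documented sequence, including the two edge cases the text calls out: a write attempted while the switch is open, and the switch being opened before the staged value is acknowledged.

```python
"""Model of a hardware-interlocked parameter-update window.

Added example, not Triconex or DCPP project code. It follows the sequence the
text describes for the GATENB/GATDIS data window: the loop-specific
out-of-service switch must be closed before a bounded window opens, the new
value is staged and then acknowledged, and opening the switch closes the window
and returns the loop to normal. Loop names, limits, roles and return strings
are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Loop:
    name: str
    value: float               # parameter currently used by the control program
    low: float                 # assumed lower limit of the data window
    high: float                # assumed upper limit of the data window
    oos_closed: bool = False   # state of the hard-wired out-of-service switch
    staged: float | None = None
    history: list[str] = field(default_factory=list)   # what the safety side saw


class SafetyGate:
    """Safety-side logic: the only thing that can change a parameter."""

    def __init__(self, loops: list[Loop]) -> None:
        self.loops = {lp.name: lp for lp in loops}

    def set_switch(self, name: str, closed: bool) -> None:
        """Hard-wired input; not reachable over the MWS link."""
        lp = self.loops[name]
        lp.oos_closed = closed
        if closed:
            lp.history.append(f"window open [{lp.low}, {lp.high}]")   # GATENB
        else:
            # GATDIS: window closes; anything staged but not acknowledged is dropped
            lp.staged = None
            lp.history.append("window closed, loop returned to normal")

    def stage(self, name: str, value: float) -> str:
        lp = self.loops[name]
        if not lp.oos_closed:
            return "rejected: window closed"
        if not (lp.low <= value <= lp.high):
            return "rejected: value outside window"
        lp.staged = value
        lp.history.append(f"staged {value}")
        return "staged"

    def acknowledge(self, name: str) -> str:
        lp = self.loops[name]
        if not lp.oos_closed or lp.staged is None:
            return "rejected: nothing staged or window closed"
        lp.value, lp.staged = lp.staged, None
        lp.history.append(f"committed {lp.value}")
        return "committed"


# Assumed MWS-side roles: a software-only layer in front of the gate.
ROLES = {"operator": set(), "maintenance": {"stage", "acknowledge"}}


def mws_request(gate: SafetyGate, user_role: str, action: str, name: str,
                value: float | None = None) -> str:
    """The workstation's check; the gate underneath does not rely on it."""
    if action not in ROLES.get(user_role, set()):
        return f"mws denied: role {user_role!r} may not {action}"
    if action == "stage":
        return gate.stage(name, value)
    return gate.acknowledge(name)


def demo() -> dict[str, float]:
    """Drive the documented sequence; returns the final parameter values."""
    gate = SafetyGate([Loop("LOOP-1", 100.0, 90.0, 110.0),
                       Loop("LOOP-2", 50.0, 40.0, 60.0)])
    assert mws_request(gate, "operator", "stage", "LOOP-1", 105.0).startswith("mws denied")
    # The maintenance role alone is not enough: the switch is still open.
    assert mws_request(gate, "maintenance", "stage", "LOOP-1", 105.0) == "rejected: window closed"
    gate.set_switch("LOOP-1", True)
    assert gate.stage("LOOP-2", 55.0) == "rejected: window closed"   # window is per loop
    assert gate.stage("LOOP-1", 150.0) == "rejected: value outside window"
    assert gate.stage("LOOP-1", 105.0) == "staged"
    # Switch opened before acknowledgement: staged value discarded, loop back to normal.
    gate.set_switch("LOOP-1", False)
    assert gate.acknowledge("LOOP-1").startswith("rejected")
    assert gate.loops["LOOP-1"].value == 100.0
    # Full sequence: close switch, stage, acknowledge, open switch.
    gate.set_switch("LOOP-1", True)
    assert gate.stage("LOOP-1", 105.0) == "staged"
    assert mws_request(gate, "maintenance", "acknowledge", "LOOP-1") == "committed"
    gate.set_switch("LOOP-1", False)
    assert gate.stage("LOOP-1", 108.0) == "rejected: window closed"
    return {n: lp.value for n, lp in gate.loops.items()}


if __name__ == "__main__":
    print(demo())
```

Note that `set_switch` is the only call that opens a window and that `mws_request` cannot reach it; a compromised workstation can at most issue writes that the gate rejects, which is the property the fiber/TCM isolation and the switch are there to provide.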
ALS Communication with MWS
Commented [wog15]: c) Separation and independence requirements within the system (e.g., channels, trains, isolation)
Communications from the ALS to the MWS are via the transmit-only (no handshake) ALS-102 communication channel TxB2. The TxB2 communications channel does not receive any data, handshaking, or instructions from the MWS.
Two-way TAB communications between ASU application software in the MWS and the ALS chassis are used to perform ALS maintenance and calibration functions. This EIA-485 communication path is normally disabled, with two-way communications permitted only when a hard-wired switch is closed to complete the circuit between the MWS and the ALS chassis. Communications on the TAB are not possible if the switch is open.
The EIA-422 communications channels on the ALS-102, as discussed in Section 3.9 of the 600261202 ALS-102 Design Specification [xx], are electrically isolated and inherently one-way; therefore the use of the NetOptics device is not required.
Tricon and ALS configurations
The DCPP Conceptual Design Document (CDD) [xx], Functional Requirements Specification (FRS) [xx], Interface Requirements Specification (IRS) [xx] and Controller Transfer Function Requirements Specification [xx] specify the overall functional requirements of the PPS replacement.
The Tricon subsystem of the PPS replacement utilizes three safety-related Model 3008N Main Processor modules to control the three separate legs of the system shown in Figure 4-7. A 32-bit primary processor in each Main Processor module manages execution of the control program and all system diagnostics at the Main Processor module level. Between the primary processors is a dedicated dual-port random access memory (DPRAM) allowing direct memory access data exchanges. All external communication is through separate microprocessors, located on separate modules installed in the Main Chassis. The dual-microprocessor architecture described above thus complies with Position 4 of DI&C ISG-04 [x] by executing the communications process separately from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function.
Figure 8: [Figure 4-7] Tricon Triple Modular Redundant Architecture
The ALS-102 Core Logic Board (CLB) is the primary decision-making board in the ALS field programmable gate array (FPGA) system, and contains all the application-specific logic circuits that define and control the operation of a given system. Figure 4-8 shows the relationship of the CLB with the rest of the ALS configuration.
Figure 9: [Figure 4-8] Generic ALS FPGA Architecture
I/O Modules
As shown in Figure 4-7, Tricon TMR input modules contain three separate, independent processing systems, referred to as legs, for signal processing (Input Legs A, B, and C). The legs receive signals from common field input termination points. The Triconex I/O modules listed in Table 4-6, the voting processes, and the fault detection processes are described in Section 2.1.2.7 of the Tricon V10 Topical Report Submittal [xx]. These I/O module types are used in the PPS replacement and are described in Reference 2.5.30 of the Tricon V10 Topical Report Submittal [xx].
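Both the three-Main-Processor description under "Tricon and ALS configurations" and the three-leg input module description above rest on the same technique: three independent legs sample the same input, the result is voted, and a leg that disagrees is flagged without disturbing the output. The Python below is an added example of that structure, not Triconex code (the platform's actual voting and fault detection are in the topical report sections cited above). The tolerance, the mid-value-select rule for analog legs, and the fail-safe rule for a module already running on two legs are assumptions.

```python
"""2-out-of-3 voting across three input legs with leg-disagreement detection.

Added example, not Triconex code. The three legs sample the same field input,
the module votes, and a leg that disagrees with the vote is flagged without
disturbing the output. The tolerance, the mid-value-select rule for analog
legs and the fail-safe rule for a degraded (two-leg) module are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

LEGS = ("A", "B", "C")


@dataclass(frozen=True)
class VoteResult:
    value: float | bool | None   # voted value; None when there is no trustworthy majority
    faulted: tuple[str, ...]     # legs that are offline or disagree with the vote
    fail_safe: bool              # True: drive the output to its safe (trip) state


def vote_discrete(legs: dict[str, bool | None]) -> VoteResult:
    """Majority vote of three contact inputs; None means the leg is offline."""
    offline = tuple(k for k in LEGS if legs.get(k) is None)
    live = {k: legs[k] for k in LEGS if legs.get(k) is not None}
    if len(live) == 3:
        value = sum(live.values()) >= 2
        disagree = tuple(k for k, v in live.items() if v != value)
        return VoteResult(value, disagree, False)
    if len(live) == 2 and len(set(live.values())) == 1:
        # Degraded but consistent: the two remaining legs agree.
        return VoteResult(next(iter(live.values())), offline, False)
    # One leg, or two legs that disagree: no majority, go to the safe state.
    return VoteResult(None, LEGS, True)


def vote_analog(legs: dict[str, float | None], tol: float) -> VoteResult:
    """Mid-value select of three analog legs; a leg more than tol from the
    selected value is flagged. Two agreeing legs are averaged; otherwise fail-safe."""
    offline = tuple(k for k in LEGS if legs.get(k) is None)
    live = {k: legs[k] for k in LEGS if legs.get(k) is not None}
    if len(live) == 3:
        mid = sorted(live.values())[1]
        disagree = tuple(k for k, v in live.items() if abs(v - mid) > tol)
        return VoteResult(mid, disagree, False)
    if len(live) == 2:
        a, b = live.values()
        if abs(a - b) <= tol:
            return VoteResult((a + b) / 2, offline, False)
    return VoteResult(None, LEGS, True)


if __name__ == "__main__":
    # Constructed inputs: one bad discrete leg, one drifted analog leg,
    # and a module already down to two legs that then disagree.
    print(vote_discrete({"A": True, "B": True, "C": False}))
    print(vote_analog({"A": 100.0, "B": 100.2, "C": 150.0}, tol=1.0))
    print(vote_analog({"A": 100.0, "B": None, "C": 120.0}, tol=1.0))
```

The `faulted` tuple is what a diagnostic path would report to the MWS; the `fail_safe` flag is the case a practitioner should check first, since it is where a single additional fault in a degraded module turns into a trip rather than a masked error.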
The ALS Input Boards perform sensor sampling, signal conditioning, filtering, and analog-to-digital conversion of field input signals. Input Boards perform specific input functions, such as 24 V or 48 V digital contact sensing, 4-20 mA analog inputs, 0-10 V analog inputs, resistance temperature detector (RTD) inputs, or thermocouple (TC) inputs. The ALS Input Boards used in the PPS replacement are listed in Table 4-7 and described in Section 2.2 of the ALS Topical Report Submittal [xx].
The ALS Output Boards provide signals to control field devices such as actuators, indicators, and relays. The output modules, fault detection, configuration and data validation processes are described in Section 2.2 of the ALS Topical Report Submittal [xx]. ALS Output Boards are used to provide 4-20 mA signals to the Tricon in the same Protection Set.
The design specifications listed in Table 4-7 describe I/O board fault detection, configuration, and data validation processes.
Tabletop Example for ISG06 AR D.2.2 New System Architecture Manual Trip and Reset The system level manual trip and actuation functions are hardwired and are not affected by the PPS replacement. Once initiated, protective actions run to completion. Reset of the protective action must be initiated manually after the initiating cause is no longer present. Commented [wog16]: e) connections to humansystem interfaces Power Supply Commented [wog17]: i. interface with supporting systems (e.g., electrical power supply)
Plant Power There is no discussion of HVAC in the LAR.
The PPS is supplied vital uninterruptible AC power from four electrically independent and physically separated 120 V AC distribution panels. This is unchanged and outside the scope of the modification. The SyRS addresses the HVAC and electrical power supporting systems.
Each distribution panel is supplied from a separate, dedicated inverter and from a backup common 480 V AC vital bus. An inverter can be fed from the 125 V DC vital system or from the 480 VAC vital system.
Chassis Power The Triconex PPS subsystem utilizes two redundant Triconex power supply modules in each chassis. The power supply modules have been qualified by Triconex per the Tricon V10 Topical Report Submittal [xx]
and operate from the redundant uninterruptible 120 V AC safetyrelated instrument power supply used to power the existing Eagle 21 PPS. Each power supply module is rated for 175 watts, which is sufficient to supply the power requirements of a fully populated chassis. Two different power supply modules can be used in a single chassis. The PPS replacement utilizes 120 V AC modules. The Triconex power supply modules are described in Section 2.1.2.5 of the Tricon V10 Topical Report Submittal [xx].
The power supply system in each ALS safety system cabinet consists of two qualified, independent AC/DC power supplies (supplied by PG&E). Each power supply is designed to provide 150 percent of the cabinet load, and the two operate in a redundant configuration. They are hot swappable and can be replaced while the system is operational without interruption of power to the ALS chassis or other safety system components. The 48 V DC from the redundant cabinet power supplies is fed to the ALS chassis, where it is diode-auctioneered to provide a single local 48 V DC supply. The power supplies are mounted in the same cabinet as the ALS chassis. Each ALS PPS subsystem chassis is powered via the Backplane Assembly from an external dual-redundant power supply system. The cabinet load consists of all ALS platform components and peripheral devices. The ALS-A and ALS-B subchannels are supplied by the same 48 V DC power supplies (typical for each Protection Set). The ALS power supply and distribution within the ALS chassis is described in Section 2.6.2 of the ALS Topical Report Submittal [xx] and in Section 4.2.1 of the ALS Platform Specification [xx].
4/5/2018 Page 13
I/O Power
The Tricon and the ALS subsystem in each Protection Set are each provided with their own pair of safety-related, adjustable, redundant loop power supplies capable of powering all 4-20 mA instrument input loops associated with that subsystem.
- Separate I/O power supplies are provided and qualified by PG&E during detailed design for the Triconex and ALS subsystems. It is understood that this would need to be provided as part of the LAR for the AR process.
Commented [wog18]: Gap that would be included in an AR LAR.
- Operating voltage will be selected during detailed design to power instrument loops without exceeding voltage limitations of instrument loop sensors (transmitters). It is understood that this would need to be provided as part of the LAR for the AR process.
Commented [wog19]: Gap that would be included in an AR LAR.
De-energize-to-trip discrete Triconex outputs to the SSPS and auxiliary relays use the 120 V AC safety-related PPS instrument power supply. Energize-to-trip discrete Triconex outputs to the SSPS and auxiliary relays are powered by safety-related redundant 24 V DC power supplies. Other discrete Triconex outputs are powered by the external system.
Triconex discrete inputs are powered by redundant 24 V DC power supplies, except trip output loopback signals, which are powered by the 120 V AC discrete output (DO) [Figure 4-10]. Triconex analog 4-20 mA output loops are powered by redundant 24 V DC power supplies. The Triconex qualification requires that separate power supplies be used for analog and digital I/O.
Commented [wog20]: f. connections between safety-related systems
Figure 10: [Figure 4-10] Triconex Trip Output Diagnostic
All discrete ALS outputs to the SSPS are powered by safety-related 120 V AC Protection Set power. Other discrete ALS outputs, such as output signals to the Main Annunciator System (MAS), are powered by the external system. Discrete ALS inputs are powered by safety-related redundant 48 V DC power supplies.
Analog ALS 4-20 mA outputs are powered by the ALS internal power supply. The feedback signals shown in Figure 4-9 are powered by the redundant, safety-related 48 V DC discrete input power supply.
Commented [wog21]: f. connections between safety-related systems
Figure 11: [Figure 4-9] ALS Diversity Architecture
Failure of any Tricon or ALS I/O power supply is alarmed on the control room MAS.
Interface to Existing Control Board Display Indications
The ALS System Requirements Specification [xx] and the Triconex SRS [xx] define the requirements for interfacing with existing DCPP control board indications.
Commented [wog22]: e. connections to human-system interfaces
PPS Testing Capabilities
Commented [wog23]: a) Service/Test Functions. The LAR does not go through each self-diagnostic feature. This is a gap. In the DCPP case TS SRs did not change. If TS SRs are changed, the diagnostic coverage and hooks to application would need to be described.
The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS replacement permits periodic testing during reactor power operation without initiating a protective action from the channel under test.
External hardwired switches are provided on all PPS replacement trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed.
Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches (ALS) and out-of-service switches (Tricon) is indicated through the MAS.
The Triconex portion of the PPS replacement continuously performs diagnostic functions as described in the Tricon V10 Topical Report Submittal [xx]. Specific PPS replacement test and calibration functions and application diagnostics are supported by the platform but implemented in the application program.
An example of such a diagnostic is a mismatch check that compares the trip demand from the PPS to a feedback signal. A mismatch occurs if the trip demand signal does not agree with the feedback signal, as shown in Figure 4-10 above. Triconex self-test methodology is described in Sections 2.1.2.6 (Main Processor module), 2.1.2.7 (I/O Modules), and 2.1.2.8 (TCM) of the Tricon V10 Topical Report Submittal [xx].
If online testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment.
During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode.
Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer timeout. Refer to:
- Tricon V10 Topical Report Submittal [xx] Sections 2.1.2.6, 2.1.3.1, 2.2.10
- Appendix B to Tricon V10 Topical Report Submittal [xx] Sections 3.9.A, 3.9.B, 5.3.V
- ALS Topical Report Submittal [xx] Section 2.3
- ALS System Requirements Specification [xx] Sections 2.7.2, 2.7.3
- ALS System Design Specification [xx] Section 5.2.5
The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [xx]. Platform test and calibration capabilities are described in the Tricon V10 Topical Report Submittal [xx] Appendix B Sections 3.0, 5.0, and 6.0.
Section 3.1.1.3 of the ALS Topical Report Submittal [xx] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection. Section 3.2 of the ALS Topical Report Submittal [xx] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.
Section 3.4 of the ALS Topical Report Submittal [xx] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.
A trouble alarm is generated upon detection of an input failure or an out-of-range low or out-of-range high input condition at 5 percent (low) and 105 percent (high) of span.
Failure Modes and Effects Analysis (FMEA)
The platform-level FMEA and reliability analyses for the Tricon digital platform have been reviewed and accepted by the NRC. In the Tricon V10 Topical Report Submittal [xx], Section 2.2.12 "Reliability and Availability," both reliability and availability were calculated with the assumption that periodic testing will uncover faults that are not normally detected by the Tricon system. For test periods ranging from 6 to 30 months the calculated reliability and availability were greater than 99.9 percent, which exceeds the EPRI recommended goal found in EPRI TR-107330 [xx], Section 4.2.3 "Availability, Reliability and FMEA."
For a periodic test interval of 18 months the reliability is 99.9987 percent and the availability is 99.9990 percent.
The FPGABased ALS PPS Equipment in the ALS topical Report Submittal [xx], reliability numbers were calculated for seven different types of modules. These calculations can be found in the following documents: 600210212ALS102 FPA FMEA and Reliability Analysis [xx], 600230212ALS302 FPA FMEA and Reliability Analysis [xx], 600231112ALS311 FPA FMEA and Reliability Analysis [xx], 600232112 ALS321 FPA FMEA and Reliability Analysis [xx], 600240212ALS402 FMEA and Reliability Analysis [xx],
and 600242112ALS421 FPA FMEA and Reliability Analysis [xx].
- The system-level PPS replacement Failure Modes and Effects Analysis (FMEA) will be completed during Phase 2. It is understood that this would need to be provided with the LAR for the AR process.
Commented [wog24]: FMEA will be part of the LAR.
Post-Accident Monitoring
Post-accident monitoring capabilities are enhanced with the PPS replacement. With the exception of steam flow, reactor coolant flow, and temperature (loop wide range, loop Tavg, loop Delta-T, and pressurizer vapor temperature), all PPS process indications provided are taken from the transmitter input (via qualified isolation devices where required) and are not processed by the digital PPS replacement equipment. The temperature, steam flow, and reactor coolant flow analog inputs that require processing (RTD conversion or square-root conversion) are processed in the PPS, as is currently done in the Eagle 21 PPS.
Critical indications, such as those required for postaccident monitoring (PAM), are derived from raw instrument loop signals at the front end of the Replacement PPS, independent of any digital processing.
Isolation of nonsafety related signals from safety related signals is performed by qualified isolation devices. Refer to the PPS replacement FRS [xx] and IRS [xx] for requirements.
Note that Figure 4-5 identifies Class 1E PAM functions; their signals are acquired directly from the Class 1E input signals. No isolation is necessary because the input loop is of the correct classification. Details are provided in the IRS.
IEEE Std 603 and IEEE Std 7-4.3.2 Conformance
The clauses of IEEE Std 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, and IEEE Std 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations, pertaining to system architecture are addressed in this section.
Commented [wog25]: b. service/test functions
IEEE Std 603 Clause 5.7: Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987 [x]. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:
(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),
(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and
(3) the capability shall be provided while the generating station is shut down.
The PPS replacement is a digital replacement for the existing digital Eagle 21 PPS at DCPP. The capability for testing and calibration of the PPS replacement is not significantly different from that of the existing Eagle 21 PPS. The PPS replacement provides enhanced self-testing and diagnostic functions that reduce the likelihood of undetected failures in both the Tricon and ALS subsystems. However, the existing Eagle 21 technical specification surveillance requirements (SRs) do not require revision as a result of this project.
The requirement for periodic testing is addressed by channel calibrations. The channel calibrations are performed online using the bypass capability of the channel or during refueling outages when the PPS is not required to be operable. Calibration and testing will be performed according to approved procedures that establish specific surveillance techniques and surveillance intervals intended to maintain the high reliability of the PPS replacement.
If online testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment.
During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode.
Administrative procedures will provide appropriate guidance in the event a portion of the PPS replacement is in bypass or is manually tripped. These procedures are augmented by automatic indication at the system level that the system is in bypass or that a portion of the protection system and/or the systems actuated or controlled by the protection system is tripped.
Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer timeout. Refer to:
- Tricon V10 Topical Report Submittal [xx] Sections 2.1.2.6, 2.1.3.1, 2.2.10
- Appendix B to Tricon V10 Topical Report Submittal [xx] Sections 3.9.A, 3.9.B, 5.3.V
- ALS Topical Report Submittal [xx] Section 2.3
- ALS System Requirements Specification [xx] Sections 2.7.2, 2.7.3
- ALS System Design Specification [xx] Section 5.2.5
The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [xx].
Platform compliance with this clause is discussed in Tricon V10 Topical Report Submittal [xx] Section 2.1 and Topical Report Appendix B Sections 3.0, 5.0, and 6.0.
Section 3.1.1.3 of the ALS Topical Report Submittal [xx] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection. Section 3.2 of the ALS Topical Report Submittal [xx] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.
Section 3.4 of the ALS Topical Report Submittal [xx] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.
Section 12.1.8 of the ALS Topical Report Submittal [xx] describes the ALS platform compliance with this clause.
For both the Triconex and ALS subsystems, the platform selftests and the application specific test and calibration functions will be performed during the FAT to verify that the safety function is not adversely affected by performance of either builtin or application specific test and calibration functions.
Commented [wog26]: b. service/test functions
IEEE Std 7-4.3.2 Clause 5.5.2: Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. It shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration change (e.g., setpoint change).
V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the computer that is part of the safety system.
V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.
The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS permits periodic testing during reactor power operation without initiating a protective action from the channel under test.
External hardwired switches are provided on PPS trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches is indicated through the MAS.
For both the Triconex and ALS subsystems, the platform selftests and the application specific test and calibration functions will be verified during the FAT to ensure that the Protection Set safety function is not adversely affected by performance of either builtin or application specific test and calibration functions.
a) Tricon-Based PPS Equipment
Figure 4-10 in this LAR illustrates the Tricon DO loopback feature, which enables the PPS to determine if the external trip switch is open, or if the DO channel is producing an erroneous output. A PPS trouble alarm is generated if the instrument loop is not out of service and the comparator output is true (commanding an energized output) while the de-energize-to-trip DO loopback is sensed as de-energized. A PPS failure alarm is generated if the de-energize-to-trip DO loopback is sensed as energized while the comparator output is false (commanding a de-energized output), whether or not the instrument loop is out of service.
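The two alarm rules above reduce to a small decision over three inputs: the comparator output, the loopback reading, and the out-of-service switch. The Python below is an added illustration of those rules and is not taken from the DCPP LAR or the Triconex application program; the `Scan` data model, the function names, and the constructed scan sequence are assumptions, and only the two alarm rules themselves come from the text. It also shows why the rules are asymmetric: an open external trip switch during a test is expected and is masked by the out-of-service switch, but an output stuck energized when a trip is demanded cannot be masked, because that channel could not trip.

```python
"""Trip-output loopback mismatch check for a de-energize-to-trip DO point.

Added example, not DCPP or Triconex application code. The data model,
function names and the scenario inputs are assumptions; the two alarm
rules are the ones stated for the Tricon DO loopback feature.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Alarm(Enum):
    NONE = "none"
    TROUBLE = "PPS trouble"   # in service, commanded energized, read back de-energized
    FAILURE = "PPS failure"   # commanded de-energized, read back energized


@dataclass(frozen=True)
class Scan:
    """One scan of a single de-energize-to-trip output point."""
    comparator_true: bool     # True: no trip demanded, DO commanded energized
    loopback_energized: bool  # DI reading of the 120 V AC DO via the loopback wire
    out_of_service: bool      # hardwired out-of-service switch active


def evaluate(scan: Scan) -> Alarm:
    """Apply the two rules from the text to one scan.

    Failure is checked first: an output that stays energized when a trip is
    commanded cannot produce the trip, so it is reported even when the
    channel is out of service. Trouble is suppressed while out of service,
    because an open external trip switch during a test is expected.
    """
    if not scan.comparator_true and scan.loopback_energized:
        return Alarm.FAILURE
    if scan.comparator_true and not scan.loopback_energized and not scan.out_of_service:
        return Alarm.TROUBLE
    return Alarm.NONE


def mismatch(scan: Scan) -> bool:
    """Raw demand/feedback disagreement, before the out-of-service masking."""
    return scan.comparator_true != scan.loopback_energized


def run(scans: list[Scan]) -> list[tuple[int, Alarm]]:
    """Evaluate a scan sequence; return (scan index, alarm) for each alarm raised."""
    alarms: list[tuple[int, Alarm]] = []
    for i, s in enumerate(scans):
        a = evaluate(s)
        if a is not Alarm.NONE:
            alarms.append((i, a))
    return alarms


# Constructed scenario (assumption): healthy channel, a real trip, the external
# trip switch opened in service, the same test done correctly out of service,
# and a DO stuck energized while a trip is demanded during the test.
SCENARIO = [
    Scan(comparator_true=True,  loopback_energized=True,  out_of_service=False),  # 0 healthy
    Scan(comparator_true=False, loopback_energized=False, out_of_service=False),  # 1 trip, DO follows
    Scan(comparator_true=True,  loopback_energized=False, out_of_service=False),  # 2 switch open, in service
    Scan(comparator_true=True,  loopback_energized=False, out_of_service=True),   # 3 switch open, out of service
    Scan(comparator_true=False, loopback_energized=True,  out_of_service=True),   # 4 stuck energized under test
]


if __name__ == "__main__":
    for idx, alarm in run(SCENARIO):
        print(f"scan {idx}: {alarm.value}")
```

Scan 3 is a mismatch that raises no alarm, which is the point of gating the trouble alarm on the out-of-service switch; scan 4 is the latent-fault case the loopback exists to catch, and it alarms regardless of the switch.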
Online testing in the Tricon is controlled by the non-safety-related MWS and by safety-related logic enabled via an external safety-related hardwired out-of-service switch.
When the out-of-service switch is activated, the safety-related logic in the associated Protection Set allows the associated instrument channel to be taken out of service while maintaining the rest of the instrument channels in the Protection Set operable; that is, an individual out-of-service switch removes only that one instrument channel from service and no other. If the out-of-service switch is returned to the normal position during test, the safety-related logic automatically restores the instrument channel to safety-related operation.
The test and calibration functions are initiated by the non-safety-related MWS, but are controlled by the safety-related Triconex processor application program. There is one MWS per Protection Set to ensure that a test or calibration function on one Protection Set will take place only on the Protection Set for which the action is intended, and that only one Protection Set can be affected by actions taken at any single MWS. The MWS from one Protection Set cannot communicate with any other Protection Set.
Data is allowed to be received by the safety-related Protection Set from the non-safety MWS only when the channel is out of service. The channel is taken out of service by taking multiple deliberate actions: (1) activating a hardware out-of-service switch locked in a cabinet; and (2) activating a software switch on the Workstation requiring password access. In addition, feedback is provided to the user on the MWS that the out-of-service switch for the loop to be tested has been activated. If the safety-related hardware out-of-service switch is not activated, non-safety-related actions or failures cannot adversely affect the safety-related function.
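The gating described in the preceding paragraphs (one MWS per Protection Set, a locked hardware switch per channel, a password-protected software switch, and automatic restoration when the hardware switch is returned) is the boundary that keeps a non-safety workstation from influencing the safety-related function. The Python below is an added example of that boundary and is not DCPP or Triconex code: the message layout, the channel names, the PBKDF2 password check, and the in-memory state are assumptions, while the ordering and scope rules follow the text. The safety-related side decides; the MWS only requests.

```python
"""Two-action gate for non-safety MWS test/calibration writes into a
safety-related Protection Set. Added example, not DCPP or Triconex code:
message layout, channel names, PBKDF2 password check and in-memory state are
assumptions; the rules (hardware switch, then password-protected software
switch, one channel and one Protection Set only, automatic restore when the
hardware switch is returned) follow the text above.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


class Rejected(Exception):
    """Write refused; the safety-related function is unaffected."""


@dataclass(frozen=True)
class MwsMessage:
    protection_set: str  # set the sending MWS belongs to
    channel: str         # instrument channel targeted
    setpoint: float      # placeholder for the test/calibration data


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class ProtectionSet:
    set_id: str
    setpoints: dict[str, float]          # channel -> current setpoint (constructed)
    salt: bytes                          # for the MWS software-switch password
    pw_hash: bytes
    hw_oos: set[str] = field(default_factory=set)  # locked-cabinet switches active
    sw_oos: set[str] = field(default_factory=set)  # MWS software switches active

    def set_hw_switch(self, channel: str, active: bool) -> None:
        """Step 1: the hardware out-of-service switch for one channel."""
        if active:
            self.hw_oos.add(channel)
        else:  # returning the switch restores the channel; software enable dies with it
            self.hw_oos.discard(channel)
            self.sw_oos.discard(channel)

    def set_sw_switch(self, channel: str, password: str) -> str:
        """Step 2: password-protected software switch; returns MWS feedback text."""
        if channel not in self.hw_oos:
            return f"{channel}: hardware out-of-service switch not active"
        if not hmac.compare_digest(_pbkdf2(password, self.salt), self.pw_hash):
            raise Rejected("bad password")
        self.sw_oos.add(channel)
        return f"{channel}: hardware out-of-service switch active, test mode enabled"

    def accept(self, msg: MwsMessage) -> None:
        """Safety-related side: take MWS data only for an out-of-service channel of this set."""
        if msg.protection_set != self.set_id:
            raise Rejected("message not from this Protection Set's MWS")
        if msg.channel not in self.setpoints:
            raise Rejected("unknown channel")
        if msg.channel not in self.hw_oos or msg.channel not in self.sw_oos:
            raise Rejected(f"{msg.channel} is in service")
        self.setpoints[msg.channel] = msg.setpoint

    def in_service(self) -> set[str]:
        """Channels still performing their safety function."""
        return set(self.setpoints) - self.hw_oos


def make_set(set_id: str, password: str) -> ProtectionSet:
    """Constructed Protection Set with two channels and a fixed salt (deterministic example)."""
    salt = b"constructed-salt"
    return ProtectionSet(set_id, {"PZR-PRESS": 2385.0, "SG-LEVEL": 17.0}, salt, _pbkdf2(password, salt))


def demo() -> dict[str, object]:
    """Walk the gate through the cases in the text; returns what an observer would see."""
    ps = make_set("PS-I", "correct horse")
    msg = MwsMessage("PS-I", "PZR-PRESS", 2380.0)
    out: dict[str, object] = {}

    def attempt(key: str, m: MwsMessage) -> None:
        try:
            ps.accept(m)
            out[key] = "accepted"
        except Rejected as e:
            out[key] = str(e)

    attempt("no_switches", msg)
    out["sw_alone"] = ps.set_sw_switch("PZR-PRESS", "correct horse")   # ignored without step 1
    ps.set_hw_switch("PZR-PRESS", True)
    out["feedback"] = ps.set_sw_switch("PZR-PRESS", "correct horse")
    attempt("both_switches", msg)
    out["setpoint"] = ps.setpoints["PZR-PRESS"]
    out["in_service"] = ps.in_service()                                   # other channel untouched
    attempt("other_channel", MwsMessage("PS-I", "SG-LEVEL", 0.0))
    attempt("other_set", MwsMessage("PS-II", "PZR-PRESS", 0.0))
    ps.set_hw_switch("PZR-PRESS", False)                                  # switch returned
    attempt("after_restore", msg)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks in `accept` matters: the hardware switch is a physical, locked action that no workstation failure or compromise can perform, so the password only ever adds to it and never substitutes for it, which is the property the last sentence of the text claims.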
The non-safety Triconex MWS software is designed, developed, and tested under the Triconex software development programs described in the Tricon V10 Topical Report Submittal [xx] to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. Triconex platform compliance with this clause is discussed in the Software Qualification Report [xx] Sections 4.0 and 8.0, the Critical Digital Review [xx] Sections 1.0, 2.0, 3.0, 4.0, and Appendix B, and the Topical Report Submittal [xx] Section 2.1 and Appendix B Section 3.0.
b) FPGA-Based ALS PPS Equipment
The ALS provides test and calibration capability as described in Section 2.3.2 and Section 3 of the ALS Topical Report Submittal [xx] and Sections 10.2 and 10.3 of the ALS System Design Specification [xx].
Each Protection Set has one ASU associated with the ALS subsystems in that set. The TAB allows the non-safety-related ASU function (performed by the PPS replacement MWS) to interact with the ALS components for test and calibration only when the TAB RS-485 communication switch described in Section 5.3.3 of the ALS Topical Report Submittal [xx] is closed. ALS platform compliance with this clause is discussed in Section 12.2.13.2 of the ALS Topical Report Submittal [xx].
In the PPS replacement, the MWS described in Section 4.2.4.5 of this LAR is the hardware platform on which the ASU function is implemented. The non-safety-related ASU software is designed, developed, and tested under the CSI software development program to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers.
Commented [wog27]: b. service/test functions
IEEE Std 7-4.3.2 Clause 5.5.3: Computer systems can experience partial failures that can degrade the capabilities of the computer system, but may not be immediately detectable by the system. Self-diagnostics are one means that can be used to assist in detecting these failures. Fault detection and self-diagnostics requirements are addressed in this subclause.
The reliability requirements of the safety system shall be used to establish the need for self-diagnostics. Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostics are incorporated into the system requirements, these functions shall be subject to the same V&V processes as the safety system functions.
If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Conversely, self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function. A typical set of self-diagnostic functions includes the following:
- Memory functionality and integrity tests (e.g., PROM checksum and RAM tests)
- Computer system instruction set (e.g., calculation tests)
- Computer peripheral hardware tests (e.g., watchdog timers and keyboards)
- Computer architecture support hardware (e.g., address lines and shared memory interfaces)
- Communication link diagnostics (e.g., CRC checks)
Infrequent communication link failures that do not result in a system failure or a lack of system functionality do not require reporting.
When self-diagnostics are applied, the following self-diagnostic features shall be incorporated into the system design:
a) Self-diagnostics during computer system startup
b) Periodic self-diagnostics while the computer system is operating
c) Self-diagnostic test failure reporting
a) Tricon-Based PPS Equipment
The Tricon is a fault-tolerant controller as described in Section 5.7 of the Triconex System Description [xx]. As such, it is designed to run continuous diagnostics to detect and mask or override faults.
Diagnostic results are available to host devices via communication modules and alarm contacts on the Main Chassis. The alarm contacts on Main Chassis Power Modules are asserted when:
- 1. The system configuration does not match the control program configuration
- 2. A Digital Output Module experiences a LOAD/FUSE error
- 3. A module is missing somewhere in the system
- 4. A Main Processor, I/O or Communication module in the Main Chassis fails
- 5. An I/O or Communication module in an Expansion Chassis fails
- 6. A Main Processor detects a system fault
- 7. The inter-chassis I/O bus cables are incorrectly installed, for example, the cable for Leg A is accidentally connected to Leg B
- 8. A Power Module fails
- 9. Primary power to a Power Module is lost
- 10. A Power Module has a Low Battery or Over Temperature warning
Extensive diagnostics validate the health of each Main Processor as well as each I/O module and communication channel. Transient faults are recorded and masked by the hardware majority voting circuit. Persistent faults are diagnosed, and the errant module is hot-replaced or operated in a fault-tolerant manner until hot replacement is completed.
Main Processor diagnostics do the following:
- 1. Verify fixedprogram memory
- 2. Verify the static portion of RAM
- 3. Test all basic processor instructions and operating modes
- 4. Test all basic floatingpoint processor instructions
- 5. Verify the shared memory interface with each I/O communication processor and communication leg
- 6. Verify handshake signals and interrupt signals between the Central Processing Unit (CPU), each I/O communication processor and communication leg
- 7. Check each I/O communication processor and communication leg microprocessor, ROM, shared memory access and loopback of RS-485 transceivers
- 8. Verify the TriClock interface
- 9. Verify the TriBUS interface
All I/O modules sustain complete, ongoing diagnostics for each leg. Failure of any diagnostic on any leg activates the module's FAULT indicator, which in turn activates the chassis alarm signal. The FAULT indicator points to a leg fault, not a module failure. The module is designed to operate properly in the presence of a single fault and may continue to operate properly with some multiple faults.
TMR Digital Input Modules with Self-Test continuously verify the ability of the Tricon to detect the transition of a normally energized circuit to the OFF state. TMR High-Density Digital Input Modules continuously verify the ability of the Tricon to detect transitions to the opposite state.
Each type of digital output module executes a particular type of Output Voter Diagnostic (OVD) for every point. In general, during OVD execution the commanded state of each point is momentarily reversed on one of the output drivers, one after another. Loopback sensing on the module allows each microprocessor to read the output value for the point to determine whether a latent fault exists within the output circuit.
A DC voltage digital output module is specifically designed to control devices that hold points in one state for long periods. The OVD strategy for a DC voltage digital output module ensures full fault coverage even if the commanded state of the points never changes. On this type of module, an output signal transition occurs during OVD execution, but it is designed to be less than 2.0 milliseconds (500 microseconds is typical) and is transparent to most field devices.
The results of all diagnostic tests are available to a host device via each installed communication module. Individual diagnostic flags are asserted upon any module fault within any chassis, DO load fuse or output voter fault, printer fault, math error, scan time overrun, Tricon keyswitch out of position, host communication error, program change, and I/O point disabled.
The Tricon Planning and Installation Guide [XX] provides descriptions of the Main Processor and I/O module diagnostics.
b) FPGA-Based ALS PPS Equipment
As described in the ALS Topical Report, Reference [xx], Section 3, the ALS platform incorporates advanced failure detection and isolation techniques. The operation of the system is deterministic in nature and allows the system to monitor itself in order to validate its functional performance. The ALS platform implements advanced failure detection and mitigation in the active path to avoid unintended plant events, and in the passive path to ensure inoperable systems do not remain undetected. The system uses logic to perform distributed control where no single failure results in an erroneous plant event, while maintaining the ability to perform its intended safety function.
The ALS platform incorporates self-diagnostics, application-specific diagnostics, and self-test features into the input boards, bus communications, CLBs, and output boards.
In addition, system-level diagnostics are incorporated and divided into four categories: fatal, vital, non-vital, and undetectable, as described in the ALS Topical Report, Reference [xx], Section 3.1.1.
IEEE Std 7-4.3.2 Clauses 5.4.1 and 5.4.2 address computer system testing and qualification of existing commercial computers, respectively.
Note: IEEE Std 603, Clauses 5.8.1 and 5.8.4 need not be addressed, in accordance with the AR process, which states: "If the design affects indications used by the operator for manual control, the LAR should describe how those modifications affect the ability of the operator to implement manual actions, in accordance with IEEE Std 603, Clause 5.8.1." AND "If the design affects indications used by the operator for manual control, the status indications, or the bypassed indications, the LAR should describe how the modifications support the ability of the operator to use the indications, in accordance with IEEE Std 603, Clause 5.8.4."
Commented [wog28]: Tabletop not addressing clauses 5.8.1 and 5.8.4 because the DCPP LAR did not change the indications used by operators for manual control.
Commented [wog29]: ISG AR states, "The LAR should describe the interface and controls associated with status indication and bypass indication, in accordance with IEEE Std 603, Clauses 5.8.2, 5.8.3, 5.8.3.1, 5.8.3.2, and 5.8.3.3."
IEEE Std 603, Clause 5.8.2: System Status Indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.
The display instrumentation that indicates and identifies protective actions of the sense and command features and execute features is unchanged by the PPS replacement. This instrumentation is primarily associated with inputs and outputs of the SSPS, which is not affected by the PPS replacement. In addition, the status of all actuated components is indicated on the control boards together with the control switches that are provided for the individual components.
A bistable status light panel on the Control Board provides bistable monitoring information in the Control Room. A "postage stamp" indicator lamp on the panel illuminates to indicate that a protection channel has been activated. This panel is part of the SSPS and is not affected by the PPS replacement.
Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.
a) Tricon-Based PPS Equipment
Triconex PPS replacement application details are provided in the Triconex Software Requirements Specification (SRS) [xx]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [xx] Section 2.1 and the Triconex DI&C-02 and -04 Compliance Report [xx] Section 3.0.
b) FPGA-Based ALS PPS Equipment
ALS application details are provided in the DCPP System Design Specification [xx] Section 5.3.3.4 and the ALS-102 FPGA Requirements Specification [xx]. The ALS Topical Report Submittal [xx] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2.
IEEE Std 603, Clause 5.8.3: If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.
Commented [wog30]: DCPP LAR does not separately address subclauses 5.8.3.1 - 5.8.3.3.
PPS Replacement FRS [xx] paragraph 3.2.1.3.3 requires status indication signals that satisfy the requirements of RG 1.47 [xx] be provided to the control room from each Protection Set for indication that a protection channel has been placed in an inoperable condition (e.g., bypassed).
Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.
a) Tricon-Based PPS Equipment
Triconex PPS replacement application details are provided in the Triconex SRS [xx]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [xx] Section 2.1 and the Triconex DI&C-02 and -04 Compliance Report [xx] Section 3.0.
b) FPGA-Based ALS PPS Equipment
ALS System Requirements Specification [xx] requires indication of partial trip output bypasses to be provided locally at the cabinet. This requirement is implemented in ALS System Design Specification [xx] Section 11.3, which requires indication that an input channel or output channel has been placed into or removed from a bypass mode or an override mode and describes means by which the information is made available for display in the control room. The ALS Topical Report Submittal [xx] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2. ALS application details are provided in the DCPP System Design Specification [xx] Section 5.3.3.4 and the ALS-102 FPGA Requirements Specification [xx].
IEEE Std 603, Clause 5.8.3.1: This display instrumentation need not be part of the safety systems.