ML19022A312
ML19022A312 | |
Person / Time | |
---|---|
Site: | Vogtle |
Issue date: | 01/22/2019 |
From: | NRC |
To: | NRC/NRO/DLSE/LB4 |
References | |
Download: ML19022A312 (88) | |
Text
- Neil Haggerty
SV0-GW-GLR-185, Revision 0 Page 2 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. Preliminary Information to Support NRC Technical Exchange Meeting on Protection and Safety Monitor System Surveillance Reduction Introduction This document provides preliminary information to support an NRC Technical Exchange meeting related to the reduction of Protection and Safety Monitoring System Technical Specification Surveillance Requirements. The information provided below summarizes potential Vogtle 3 & 4 licensing actions and the associated technical evaluations. The following information is based upon on-going draft analyses and is still under formal review. Therefore, this information is subject to change. Any potential future licensing actions associated with the final version of this information will follow the 10 CFR Part 52 change control process separate from this report. Description of Proposed Activity The following licensing actions are proposed: 1. The SRs requiring a manual Channel Check to be performed on PMS components are proposed to be removed from the TS. 2. The SRs requiring a manual COT to be performed on PMS components are proposed to be removed from the TS. 3. The SRs requiring a manual ALT to be performed on PMS components (excluding the ADS and IRWST injection blocking device) are proposed to be removed from the TS. 4. The approach for satisfying the reactor trip and ESFAS response time SRs is changed. The current approach for satisfying the PMS response time surveillance tests is to perform a response time tests on the PMS equipment. The proposed method is to use allocated response times for the PMS equipment in lieu of testing. The reactor trip and ESFAS response time definitions allow an exception to testing if the response times can be verified via a previously reviewed and approved NRC methodology. This activity seeks NRC approval for the methodology outlined in this license amendment request. If approved, the Bases will be updated to allow for allocated values to be used for the PMS equipment to support the overall response time test SRs. Text is also added to describe where the PMS equipment allocated values can be found. The SRs throughout the TS are renumbered to support changes 1, 2, and 3. Associated Bases changes are also made for the TS changes proposed above. This includes rewording the Background description of the PMS self-diagnostic test features in Bases 3.3.1 and 3.3.8 to more clearly align with the changes described above. The Bases surveillance requirement description for SR 3.3.4 and SR 3.3.6 is revised to acknowledge that these functions have no SRs due to self-checking features continuously monitoring logic OPERABILITY. None of the activities change any PMS software or hardware. The activity credits the PMS self-diagnostic test features already part of the approved PMS design and uses these existing self-diagnostic features to justify the removal of redundant manual PMS surveillance tests. Technical Evaluation of the Activity Self-Diagnostic Overlap with Manual Surveillance Testing Evaluation An evaluation was performed to compare the manual PMS surveillance tests included in the TS with the PMS self-diagnostic tests. The evaluation included the following general process: [ . ]a,c SV0-GW-GLR-185, Revision 0 Page 3 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. [ o. ]a,cA summary of the evaluation of each manual surveillance test and the available self-diagnostic tests is included in Table 1 below. In Table 1, the surveillance tests applicable to the PMS are listed, along with the applicable SR number and a test description. A high-level description of the self-diagnostic coverage for each manual surveillance test is provided. A summary conclusion is made for each surveillance test based on the associated evaluation. Most of the SRs associated with PMS Channel Checks, COTs, and ALTs are deleted based on the information in Table 1. With a few exceptions addressed in Table 1, it is shown that the self-diagnostic tests can detect the same failures as would be detected by the Channel Check, COT and ALT surveillance tests. In addition, though the Response Time Tests will be retained as a surveillance requirement, it is determined to be unnecessary to periodically test the response time of the PMS equipment. An allocated value for the PMS equipment is proposed to be used in lieu of a test in order to support the overall Response Time Test measurement. With an exception addressed in Table 1 below, it is shown that the self-diagnostic tests would capture any credible failure resulting in slower response times. Overview of Self-Diagnostic Testing Features
[ o o ]a,c SV0-GW-GLR-185, Revision 0 Page 4 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved.
[. ]a,cImproved Reliability, Safety, and Operability of Self-Diagnostics The self-diagnostics are a reliable and superior alternative to manual surveillance tests. The self-diagnostics tests are automatically and continuously executed. This is in contrast to the manual tests which are executed every 92 days or 24 months, per the surveillance test program. Therefore, the self-diagnostics tests are executed more frequently than the manual tests. In addition, the self-diagnostics tests do not reduce the redundancy of the safety system. The PMS remains at full system redundancy during the self-diagnostic tests, unlike the manual surveillance tests which require the system to be at less than full redundancy. Because the surveillance tests are accomplished by the operator, they have a higher probability of a human error adversely impacting the operation of the safety system than the self-diagnostic tests which are inherently less prone to error than a human operator. This is supported by the fact that the self-diagnostics have gone through a rigorous design life-cycle processes.
[ ]a,cQualification of AC160 Self-Diagnostics The AC160 diagnostics were commercially dedicated to the same standards as the rest of the AC160 system software. In 2000, the NRC issued a safety evaluation report (ML003740165) on the Common Q Topical Report (CENP-396-P, Rev. 01 which is the predecessor to WCAP-16097-P-A). In the safety evaluation report the NRC acknowledged receipt of Westinghouse document GWKF 700 777, "Design and Life Cycle Evaluation Report on Previously-Developed Software in ABB AC160, I/O Modules and Tool Software" Rev. 02 (February 22, 2000), in support of the commercial dedication of the AC160. The safety evaluation report stated the, "AC160 PDS [Previously Developed Software] is composed of the AC160 software, S600 I/O Module(s) software, and ABB Tool software." The evaluation is based on the requirements specified in International Electrotechnical Commission (IEC) standard IEC-60880, "Software for Computers in the Safety Systems of Nuclear Power Stations." IEC 60880 is referenced in IEEE 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." IEC 60880 is comparable to IEEE 7-4.3.2-2003, and the staff has found standard IEC 880 to be an acceptable equivalent." The Design and Lifecycle Evaluation (DLCE) applies to all aspects of the PDS including the system software that executes the nuclear application program and the diagnostics integrated with the system software. In other words, the same software quality approach applied to both aspects of the system software. Therefore, the Common Q Platform diagnostics were developed using a rigorous process which was accepted by the NRC. These same diagnostics were reviewed by the NRC staff in relation to the Palo Verde Nuclear Generating Station Core Protection Calculator System Technical Specifications. The NRC concluded, "per the safety evaluation of the Palo Verde Nuclear Generating Station (PVNGS) Core Protection Calculator System (ML0330303630) in allowing for extended surveillance testing frequencies, "the NRC SV0-GW-GLR-185, Revision 0 Page 5 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. staff found that the diagnostics to be employed on the Common Q system are more extensive and have more coverage than in the legacy system." Using self-diagnostics is also consistent with the Background sections of Bases 3.3.1 and 3.3.8 which state that PMS testing will be accomplished with continuous system self-checking features, to the extent practical. This text is enhanced throughout the Bases to clearly identify how the self-diagnostics are relied upon in lieu of manual surveillance tests and to ensure the self-diagnostics cannot be changed in such a way as to invalidate how they are currently used to confirm system operability. Similarly, the PMS, including its application-specific self-diagnostics, was developed under a formal life-cycle process per COL Appendix C ITAAC Table No. 2.5.02.11 and 2.5.02.12. Therefore, the PMS and Common Q self-diagnostic equipment relied upon to test system operability has been developed using project life-cycles which included specific processes for conceptual design activities, requirements development, design activities, implementation, testing, and commercial dedication. Self-Diagnostics Compliance with Regulations A review was performed to determine which of the regulations and industry guidance documents discussed above are specifically applicable to the self-diagnostics. It is concluded that the self-diagnostics adhere to those requirements or, if not directly applicable, satisfy the intent of requirement. GDC 18 and GDC 21 of 10 CFR Appendix A require systems important to safety to be designed to permit periodic testing. This includes testing of the performance of the components of the system and the system as a whole during plant operation. This activity does not propose any change to the PMS design. The PMS continues to be designed to permit periodic testing during plant operation. This activity credits the PMS self-diagnostics in certain instances in lieu of manual surveillance tests. The PMS self-diagnostics are design features which periodically and continuously test the system during plant operations, which is consistent with GDC 18 and GDC 21. Criterion XI, "Test Control," of 10 CFR 50 Appendix B requires a test program to be established to ensure the safety system is tested in accordance with procedures to verify it is performing satisfactorily while in-service. The AP1000 surveillance test program continues to meet this requirement. The self-diagnostic tests support this requirement in that it is part of the overall suite of tests available to the PMS used to verify the PMS is performing satisfactorily while in-service. While performing the tests "in accordance with test procedures" is not directly applicable to self-diagnostic testing, the self-diagnostics execute in a specific, well-defined sequence and respond to given test failures in a predictable way, as shown in the evaluation summarized above. Similar to GDC 18 and GDC 21, IEEE 603-1991 requires the protection system to have the capability for testing and calibration during power operations while retaining the capability of the safety systems to accomplish their safety functions. The protection system needs to be capable of performing the tests described in IEEE 338-1987. As stated above, this activity does not propose any change to the PMS design, and the self-diagnostics support this requirement. Though not always necessary due to self-diagnostic coverage, the AP1000 PMS is capable of performing the tests as described in IEEE 338-1987. According to UFSAR Appendix 1A requires testing to be in accordance with Regulatory Guide 1.118 Revision 3 and IEEE 338-1987. Regulatory Guide 1.118 and IEEE 338-1987 provide guidance specifically for periodic testing included "as part of the surveillance program." It defines the scope of periodic testing as including functional tests and checks, calibration verification, and time response measurements, as required, to verify the safety system performs to meet its define safety function. IEEE 338-1987 does not define how to determine what is required to be part of the manual surveillance SV0-GW-GLR-185, Revision 0 Page 6 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. program, but provides guidance for those tests within the surveillance program. The self-diagnostic tests are not part of the surveillance program and, therefore, the requirements in IEEE 338-1987 Section 6 are not directly applicable. In addition, IEEE 338-1987 is largely written specifically for manual testing and, therefore, the guidance does not explicitly address self-diagnostic testing features. IEEE 338-1987 Section 5, item 8 addresses the "automatic test features" and "programmable digital computer" used within the surveillance program and the need to meet the requirements in the standard for these items. Even though the self-diagnostics are not part of the surveillance program, they do support the basis of the standard (i.e., IEEE 338-1987 Section 4) in that they continuously and periodically check the system to verify operability. The self-diagnostic tests also support the design requirements included in the standard (i.e., IEEE 338-1987 Section 5) in the following ways: The self-diagnostics support the requirement to have a system designed to be testable. The self-diagnostics permit the independent testing of redundant channels while maintaining the capability of these systems to respond to actual signals. The self-diagnostics are designed to provide overlap testing in that the diagnostics cover all relevant PMS components, including multiple diverse diagnostics covering the same PMS equipment. 10 CFR 50.36 establishes the need to have Technical Specifications; including limiting conditions for operations and surveillance requirements. Surveillance requirements are used, in part, to assure that the limiting conditions for operation will be met. It is concluded that, in some instances, the manual PMS SRs associated with COT, ALT, and Channel Checks are not required to assure the corresponding LCO is met. This is because comparable tests, as evaluated above, are built into the PMS design. These self-diagnostic tests have been shown to identify the same issues as the corresponding SRs and alert the operator of any condition contrary to the LCO.
SV0-GW-GLR-185, Revision 0 Page 7 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. Table 1 - Summary of the Manual Surveillance Tests and Self-Diagnostic Tests for the PMS Components Test Name Relevant (PMS) SRs Test Description Summary of PMS Self-Diagnostic and Redundant Surveillance Test Coverage Evaluation Channel Calibration 3.3.1.8 3.3.1.9 3.3.2.3 3.3.3.3 3.3.8.3 3.3.10.3 3.3.11.3 3.3.13.3 3.3.14.3 3.3.17.2 3.3.20.3 3.4.1.4 3.4.9.3 3.9.3.2 Definition: A channel calibration shall be the adjustment, as necessary, of the channel output such that it responds within the necessary range and accuracy to known values of the parameter that the channel monitors. The channel calibration shall encompass all devices in the channel required for operability. Calibration of instrument channels with resistance temperature detector (RTD) or thermocouple sensors may consist of an in place qualitative assessment of sensor behavior and normal calibration of the remaining adjustable devices in the channel. The channel calibration may be performed by means of any series of sequential, overlapping, or total channel steps. Not applicable for this activity. Calibration will continue to be a manual surveillance test. Channel Check 3.3.1.1 3.3.2.1 3.3.3.1 3.3.8.1 3.3.10.1 3.3.11.1 3.3.13.1 3.3.14.1 3.3.17.1 3.3.20.1 3.9.3.1 Definition: A qualitative assessment, by observation, of channel behavior. This test includes a comparison of the channel indication and status to other indications or statuses derived from independent instrument channels measuring the same parameter. Test Overview: The manual Channel Check identifies if a component has failed by comparing all four divisions' redundant instrument input values (inter-channel check) and comparing the redundant BPL measurements within a division (intra-channel check). This test checks for a significant deviation that may indicate a gross channel failure. This is accomplished by visual comparison of the indicators at the MTP, and noting if a pre-defined difference exists between the highest and lowest indicator. PMS Components Covered: The data from the process sensor passes to the A/D converter within the BPL and is displayed on the MTP. The PMS performs continuous channel comparison on specific sensor values across all four divisions. This includes intra-channel and inter-channel comparison checks. This self-diagnostic test is described in WCAP-16675 Section 6.2. [.]a,cThe PMS self-diagnostic test verifies the same information verified by the manual Channel Check test. Therefore, the PMS Channel Checks can be eliminated. A graphical representation of the self-diagnostic channel check test is shown in Figure A.3 of Appendix A.
SV0-GW-GLR-185, Revision 0 Page 8 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. Test Name Relevant (PMS) SRs Test Description Summary of PMS Self-Diagnostic and Redundant Surveillance Test Coverage Evaluation Channel Operational Test (COT) 3.1.8.1 3.3.1.6 3.3.1.7 3.3.2.2 3.3.3.2 3.3.8.2 3.3.10.2 3.3.11.2 3.3.13.2 3.3.14.2 3.3.20.3 Definition: Injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify channel operability. Includes adjustments, as necessary, of the required alarm, interlock, and trip setpoints such that the setpoints are within the necessary range and accuracy. Test Overview: The COT for all SRs except 3.3.20.3 is satisfied by manually injecting a simulated digital signal at the MTP and verifying that the BPL actuates as expected. This includes: Manually entering a signal value for the input to the function being tested Executing the function with the test input value Monitoring the function outputs to determine if the response to the test input value is correct. The COT for the ADS and IRWST injection blocking device (SR 3.3.20.3) confirms the device is capable of unblocking on low CMT level. The ALT for the device (SR 3.3.20.5) confirms it is capable of unblocking for each of the blocking device inputs (i.e., remote shutdown room transfer switch, block/unblock switch, battery charger under-voltage, and CMT level low). Therefore, the ALT for the blocking device is more comprehensive than the COT and overlaps the COT. PMS Components Covered: The BPL PM646A processor modules, CI631 module, BIOB, and the HSL equipment connecting the BPL to the LCL are used to process the digital test injection signal. In addition, the ADS and IRWST injection blocking device is covered via 3.3.20.3. A graphical representation of the equipment covered by the COT surveillance test is shown in Figure A.4 of Appendix A. The PMS self-diagnostic tests have been shown to adequately test the operability of the same PMS components tested as part of the manual COTs in all the SRs listed except SR 3.3.20.3, which is addressed below. Specifically, the PM646A, CI631 Module, BIOB, and HSL Common Q Platform diagnostics were evaluated and shown to cover the applicable processor module failure modes. In addition, the self-diagnostic tests have been shown to put the system into a safe state following the same PMS failures evaluated as part of the PMS FMEA. In all cases, the internal fault detected by the diagnostic initiates the necessary visual and audible annunciation in the main control room so that the operator can take the appropriate action. The COT for the ADS and IRWST injection blocking can be eliminated. The ALT on the ADS and IRWST injection blocking device fully covers the component and completely overlaps the COT which only partially tests the device.
[]a,c Therefore, the COT associated with the ADS and IRWST injection blocking device can be eliminated. In summary, the PMS self-diagnostics adequately test the components tested as part of the COT (except for SR 3.3.20.3) and, therefore, the COT can be eliminated. In addition, the COT for the ADS and IRWST injection blocking device (i.e., SR 3.3.20.3) can be eliminated because the ALT performed on the device is adequate.
SV0-GW-GLR-185, Revision 0 Page 9 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. Test Name Relevant (PMS) SRs Test Description Summary of PMS Self-Diagnostic and Redundant Surveillance Test Coverage Evaluation Actuation Logic Test (ALT) 3.3.4.1 3.3.6.1 3.3.15.1 3.3.16.1 3.3.20.5 Definition: The application of various simulated or actual input combinations in conjunction with each possible interlock logic state required for operability of a logic circuit and the verification of the required logic output. Test Overview: The ALT surveillance tests include separate tests for the reactor trip system logic (SR 3.3.6.1), ESF system logic (SR 3.3.15.1, SR 3.3.16.1), ESF generated reactor trip actuation logic (SR 3.3.4.1), and the ADS and IRWST injection blocking device logic (SR 3.3.20.5). The ALT for the ADS / IRWST injection blocking device (SR.3.3.20.5) is not applicable to this activity because it will continue to be included as a manual surveillance test within the Technical Specifications. For the reactor trip system logic ALT (SR 3.3.6.1), the injected signal goes from the LCL to the reactor trip matrix logic via the DO630 module. Proper function is verified using the digital output display to check the current flow through the appropriate reactor trip matrix termination unit ITP monitoring resistors, and thereafter using the DO630 status indicators. For the ESF system logic ALT (SR 3.3.15.1 and SR 3.3.16.1), the injected signal goes from the LCL to the ILP (via the HSLs). Confirmation that the system is functioning properly is obtained by monitoring that the correct ESF system level actuation signals are received by the ILP component control processor modules. The signal path for the ESF generated reactor trip actuation logic (SR 3.3.4.1) is almost entirely covered by the other two tests described above. The only aspect of the safety path associated with this surveillance tests not covered by the other two surveillance tests is the communications over the BIOB between the ESFAS processor module and the reactor trip processor module. PMS Components Covered: Reactor trip system logic ALT: RT LCL processor modules, communication processor modules, CI631, BIOB, DO630, reactor trip matrix termination unit ESF system logic ALT: ESF LCL processor modules, communication processor modules, CI631, BIOB, HSL equipment, ILP component control processor module ESF generated reactor trip actuation logic ALT: RT and ESF LCL processor modules, communication processor modules, CI631, BIOB, DO630, reactor trip matrix termination unit, BIOB between the ESF and RT processor modules. A graphical representation of the equipment covered by the ALT surveillance test is shown in Figure A.5 and Figure A.6 of Appendix A. The PMS self-diagnostic tests have been shown to adequately test the operability of the same PMS components tested as part of the manual ALTs, except for two instances that are addressed below. Specifically, the PM646A, CI631 Module, BIOB, and HSL Common Q Platform diagnostics were evaluated and shown to cover the applicable processor module failure modes. In addition, the self-diagnostic tests have been shown to put the system into a safe state following the same PMS failures evaluated as part of the PMS FMEA. In all cases, the internal fault detected by the diagnostic initiates the necessary visual and audible annunciation in the main control room so that the operator can take the appropriate action. The components not fully covered by self-diagnostic tests include the DO630 module and the reactor trip matrix termination unit. However, these components are also tested every 92 days as part of the TADOT associated with SR 3.3.7.1. Any failure that would be detected in these components by the ALT will also be detected by the TADOT. In summary, the PMS self-diagnostics for the components tested as part of the ALT and the existing TADOT associated with SR 3.3.7.1 together provide complete coverage for the components tested as part of the ALT. Therefore, it is concluded that the ALT is unnecessary and can be deleted from the TS (except for SR 3.3.20.5). Actuation Logic Output Test (ALOT) 3.3.15.2 3.3.16.2 Definition: The application of simulated or actual logic signals and the verification of the required component actuation output signals up to, but not including, the actuated device. The test may be performed by means of any series of sequential, overlapping, or total steps. Information on the on-going ALOT evaluation is included at the end of this table. TADOT 3.3.1.10 3.3.5.1 3.3.7.1 3.3.9.1 3.3.12.1 3.3.18.4 3.3.20.6 Definition:The operation of the trip actuating device. The TADOT adjusts, as necessary, the trip actuating device so that it actuates at the required setpoint within the necessary accuracy. Not applicable for this activity. The TADOT will continue to be a manual surveillance test.
SV0-GW-GLR-185, Revision 0 Page 10 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. Test Name Relevant (PMS) SRs Test Description Summary of PMS Self-Diagnostic and Redundant Surveillance Test Coverage Evaluation Response Time Test 3.3.1.11 3.3.2.4 3.3.3.4 3.3.4.2 3.3.8.4 3.3.10.4 3.3.11.4 3.3.13.4 3.3.14.4 Definition:A test of the response time for a reactor trip and engineered safety feature protection channel. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC. Test Overview: Response time tests verify that the individual reactor trip and ESFAS channel/division actuation response times, from sensor to actuating device, are less than or equal to the maximum values assumed in the accident analysis. This activity focuses specifically on the PMS equipment portion of the protection path and not the sensor or the actuating device. PMS Components Covered: Figure A.7of Appendix A shows the signal paths taken for PMS reactor trips and ESF actuations. In each case, the signal comes into the BPL processor module from an actual or simulated signal and the applicable I/O module (i.e., DP620, AI688, AI687, or DI621 module). The reactor trip inputs then pass through the reactor trip LCL, the DO630 module, the reactor trip matrix termination unit, then to the reactor trip switchgear under-voltage and shunt trip mechanisms. The ESF actuation inputs pass through the ESF LCL, the ILP, SRNC, and the CIM. In each case, the signal path also passes through the HSLs, BIOB, and the CI631 module. The response time of this signal path is measured to ensure it is less than the maximum allowable response time assumed in the accident analysis. Figure A.7 of Appendix A provides a simplified diagram of the response time signal path, along with the other surveillance tests that cover each part of the signal path. Each component in the signal path was evaluated to determine if the associated self-diagnostics within the equipment could adequately detect failures that impact response times. The PMS self-diagnostic tests or other surveillance tests (not being removed in this activity) have been shown to adequately test the PMS components (except the DO630 module) within the reactor trip and ESF actuation response time signal paths and identify any failure that could impact equipment response times.
[ ]a,c SV0-GW-GLR-185, Revision 0 Page 11 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. On-going ALOT Evaluation The TS SR evaluation of the ALOT is still in progress and is not as far along in the development and review process as the other surveillance tests. The preliminary results are included in this section. As indicated below, the ALOT surveillance test will likely need to remain in the TS and, therefore, may not be included in the license amendment request. Test Overview: The ALOT demonstrates that both redundant signal paths from the inputs to the ILPs through the CIM logic and CIM output driver circuits (ILP to actuator test) in the ESF Actuation Subsystem Logic process injected LCL system actuation signals for the applicable actuation function. During this test, [
]a,cPMS Components Covered: ILP processor module (PM646A), communication module (CI631), digital input module (DI621), backplane I/O bus (BIOB), HSL (ILP to/from SRNC), SRNC, double and single width transition panels (DWTP/SWTP), CIM, ADS/IRWST blocking device, squib valve TU, and the component control Isolation barriers to Non-1E components. A graphical representation of the equipment covered by the ALOT surveillance test is shown in Figure A.8 of Appendix A. For the components that have already been covered in previous sections (CI631s, PM646As, and BIOBs), it has been determined that diagnostics are sufficient, and therefore, ALOT testing is not required. The evaluation of the HSL, DI621s, and the SRNC concluded that the diagnostics are sufficient, and ALOT testing is not required. Based on the evaluation performed for the ALT and COT, it has been determined that ALT surveillance testing is necessary for the ADS/IRWST blocking device. For the CIM, there are multiple self-diagnostics that detect most of the postulated faults. [
]a,c The evaluation of the double-wide transition panel (DWTP), single-wide transition panel (SWTP), squib valve termination unit, and the component control Isolation barriers to Non-1E is still being performed, and thus, there are no results available for these components. The preliminary evaluation indicates that for most components associated with ALOT, the PMS self-diagnostic tests adequately test the operability of the same PMS components tested as part of the manual ALOTs, except for a small subset of components. In addition, the self-diagnostic tests have been shown to put the system into a safe state following the same PMS failures evaluated as part of the PMS FMEA. In most cases, the internal fault detected by the diagnostic initiates the necessary visual and audible annunciation in the main control room so that the operator can take the appropriate action. For the cases where the diagnostics are not sufficient to detect failures, surveillance testing or some other method (i.e., overlap testing, additional diagnostics, etc.) of detecting the failure will need to be performed. This will be determined once the evaluation is complete.
SV0-GW-GLR-185, Revision 0 Page 12 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. Appendix A Supporting Figures SV0-GW-GLR-185, Revision 0 Page 13 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved.
a,c SV0-GW-GLR-185, Revision 0 Page 14 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. a,c SV0-GW-GLR-185, Revision 0 Page 15 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved. a,c SV0-GW-GLR-185, Revision 0 Page 16 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved.
a, c SV0-GW-GLR-185, Revision 0 Page 17 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved.
a,c SV0-GW-GLR-185, Revision 0 Page 18 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved.
a,c SV0-GW-GLR-185, Revision 0 Page 19 WESTINGHOUSE NON-PROPRIETARY CLASS 3 © 2019 Westinghouse Electric Company LLC. All Rights Reserved.
a ,c PreliminaryVogtle3&4UFSARMarkups
Reg. Guide 1.116, Rev. O-R, 5/77 - Quality Assurance Requirements for Installation, Inspection, and Testing of Mechanical Equipment and SystemsReg. Guide 1.117, Rev. 1, 4/78 - Tornado Design Classification Reg. Guide 1.118, Rev. 3, 4/95 - Periodic Testing of Electric Power and Protection Systems Reg. Guide 1.119 - WithdrawnCriteria Section Referenced CriteriaAP1000/FSARPositionClarification/Summary Description of Exceptions
7.3.2.2.7Conformance to Requirements on Bypassing Engineered Safety Features Actuation Functions (Paragraph 5.8, 5.9, 6.6, and 6.7 of IEEE 603-1991)7.3.2.2.8Conformance to the Requirement for Completion of Engineered Safety Features Actuation Once Initiated (Paragraph 5.2 of IEEE 603-1991)7.3.2.2.9Conformance to the Requirement to Provide Manual Initiation at the System-Level for All Safeguards Actuation (Paragraph 6.2 of IEEE 603-1991)7.3.3Combined License Information7.3.4References 7A.6Not Used
a,c 15.0.6Protection and Safety Monitoring System Setpoints and Time Delays to Trip Assumed in Accident Analyses15.0.7Instrumentation Drift and Calorimetric Errors, Power Range Neutron Flux
to verifyitsperformanceremainswithinthepre-establishedlimitsofthesafetyanalysis.
Insertsfor Vogtl e3&4UFSARMarkups Insert 1 (Insert for WCAP-15776 Section 3.13) Revise Section 3.13, Conformance to the Requirements to Provide Capability for Test and Calibration (Paragraph 5.7 of IEEE 603-1991) as follows: Capability for testing and calibrating channels and devices used to derive the final system output signal from the various channel signals is provided. Testing from the sensor inputs of the PMS through to the actuated equipment is can be accomplished through a series of overlapping sequential tests with the majority of the tests capable of being performed with the plant at full power. Where testing final equipment at power would upset plant operation or damage equipment, provisions are made to test the equipment at reduced power or when the reactor is shut down. Each division of the PMS includes a test subsystem. The test subsystem provides the capability for verification of the setpoint values and other constants, and verification that proper signals appear at other locations in the system.
Verification of the signal processing algorithms is made by exercising the test signal sources (either by hardware or software signal injection) and observing the results up to, and including, the attainment of a channel partial trip or actuation signal at the power interface. When required for the test, the tester places the voting logic associated with the channel function under test in bypass. The capability for overlapping test sequence continues by inputting digital test signals at the output side of the threshold functions, in combinations necessary to verify the voting logic. Some of the input combinations to the coincidence logic cause outputs such as reactor trips and engineered safety feature (ESF) initiation. The reactor trip circuit breaker arrangement is a two-out-of-four logic configuration, such that the tripping of the two circuit breakers associated with one division does not cause a reactor trip. To reduce wear on the breakers through excessive tripping, and to avoid a potential plant trip resulting from a single failure while testing is in progress, the test sequence is designed so that actual opening of the trip breakers is only required when the breaker itself is being tested.
Insert 2 (Insert for WCAP-16675 Section 2.2.5)
[. ]a,c Insert 3 (Insert for WCAP-16675 Section 6 and Section 6.2) Revise Section 6, Maintenance, Testing, and Calibration as follows: Maintenance and testing of the PMS consists of two types of tests: self-diagnostic tests and on-line verification tests. The self-diagnostic tests are built into the AC160 equipment and consist of numerous automatic checks to validate that the equipment and software are performing their functions correctly. Self-diagnostics, as well as on-line On-line verification tests are that can be manually initiated are used to verify that the safety system is capable of performing its intended safety function. Revise Section 6.2, On-line Verification Tests as follows: Via the MTP in conjunction with the ITP, the I&C technician can perform manually initiated on-line verification tests to exercise the safety system logic and hardware to verify proper system operation. The ITP and the MTP also provide support for the detection and annunciation of self-diagnostics. Within each PMS division, the ITP interfaces with the NI subsystem, BPL subsystem, LCL subsystem, ILP subsystem, MTP, and the RTCB initiation relays to monitor and test the operational state of the PMS. The ITP together with the MTP provides support for on-line self-diagnostics and testing for the verification of PMS operability overall on-line verification testing.
Vogtl e3&4COLAppendixATechnicalSpecifications Markups
1 2 3
4
1
2 3 4
5 6
7 8
8 5 8 8 8 8 5 8 5 8 5 8 5 2 3 4 2 3 4 6 6 6 1
8 5 8 5 8 5 8 5 8 5 2 8 7
1 2
1 2
1RTSESFAS FunctiontheSR appliesto.
N/A TherearenoSRs.
1 2
1 2
1 2
1 2
1 2
1 2 3 5 4
1 2
3 4
1 applies
1
1 2 3 4 5
3 4 3 4 3 5 2 1
1
SelectPreliminaryVogtl e3&4TechnicalSpecificationBases Markups
is
.
.
7 8 This PMS TS Surveillance LAR Technical Exchange Meeting January 24, 2019
Questions & Discussion