ML18029A862

Korea Hydro & Nuclear Power Co., Ltd - Supplemental Response to RAI 33-7880
Site: 05200046
Issue date: 01/29/2018
From: Korea Hydro & Nuclear Power Co, Ltd
To: Office of New Reactors
Shared Package: ML18029A859
References: MKD/NW-18-0020L


Text

Non-Proprietary 07.08 1 / 3 KEPCO/KHNP

SUPPLEMENTAL RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION
APR1400 Design Certification
Korea Electric Power Corporation / Korea Hydro & Nuclear Power Co., LTD
Docket No. 52-046
RAI No.: 33-7880
SRP Section: 07.08 - Diverse Instrumentation and Control Systems
Application Section: Table 2.5.2.5 of DCD Tier 1
Date of RAI Issued: 06/16/2015

Question No. 07.08-1

Clarify what is meant by diverse design group.

10 CFR Part 50, Appendix A, General Design Criterion (GDC) 22, "Protection system independence," states, "The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function."

Item II.Q of the Staff Requirements Memorandum (SRM) (ML003708056) to SECY-93-087 (ML003708021), Position 3, states, "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions."

Section 5.1 of Technical Report APR1400-Z-J-NR-14002-P, Rev. 0, "Diversity and Defense in Depth," states, "The DPS [Diverse Protection System] is designed to mitigate the consequences of a DBE [design basis event] concurrent with a postulated CCF [common-cause failure] of the safety I&C [instrumentation and control] system digital computer." The DPS is part of the Diverse Actuation System.

The acceptance criteria for the DPS Inspection, Tests, Analyses, and Acceptance Criteria (ITAAC) Item 2 on Table 2.5.2-5 (2 of 3) of the APR1400 FSAR, Tier 1, states, "The as-built DPS is developed by diverse design group from the design group(s) which developed the PPS [Plant Protection System] and ESF-CCS [Engineered Safety Features - Component Control System] software." Based on the staff's evaluation, the staff requests the applicant to provide definition(s) for "diverse design group." Specifically, what criteria would the groups need to meet in order to be considered diverse from one another (e.g., level of communication, organizational separation, etc.)? Update the final safety analysis report (FSAR) and technical reports accordingly.

Response

NUREG/CR-6303, Paragraph 2.6.1 states, "Using separate designers to design functionally diverse safety systems may reduce the possibility of similar design errors." Although the DPS is classified as a non-safety system, the DPS design is performed by a different design team than the one used to design the PPS or the ESF-CCS.

The following criteria are applied for the definition of a different design team:

- The DPS and PPS/ESF-CCS engineers belong to different engineering teams within the same Instrumentation and Control (I&C) engineering department.

- Communications between the DPS and PPS/ESF-CCS design teams are controlled by the project office.

- Different system testers are assigned to test the DPS and PPS/ESF-CCS during development.

Item 2 on Table 2.5.2-5 (2 of 3) of DCD Tier 1 will be revised as follows:

Current description: The as-built DPS is developed by diverse design group from the design group(s) which developed the PPS and ESF-CCS software.

To be revised as follows: The as-built DPS is developed by a different design team than the design teams which developed the PPS and ESF-CCS.

Supplemental Response

In order to confirm the equipment and software diversity between the DAS and the PPS/ESF-CCS, the contents of Item 2 on Table 2.5.2-5 (2 of 3) of DCD Tier 1 will be revised to add the following acceptance criterion (refer to Attachment 1):

- is developed by different hardware of programmable logic devices and different programmable tools than the hardware and the programmable tools which have applied for the PPS and ESF-CCS.

To clarify the design diversity and diversity attributes between the DAS and the PPS, Sections 6.2.1 and 8 (references), and Note (f) of Table C-1 of the D3 TeR will be revised as shown in Attachment 2.

Impact on DCD

Item 2 on Table 2.5.2-5 (2 of 3) of DCD Tier 1 will be revised as indicated in Attachment 1.

Impact on PRA

There is no impact on the PRA.

Impact on Technical/Topical/Environmental Reports

Sections 6.2.1 and 8 (references), and Note (f) of Table C-1 will be revised as indicated in Attachment 2.

Impact on Technical Specifications

There is no impact on the Technical Specifications.



Non-Proprietary RAI 33-7880 - Question 07.08-1 APR1400 DCD Tier 1 Attachment 1 (1/1)

Sup. RAI 33-7880, 07.08-1

Table 2.5.2-5 (2 of 3) (table number as given in the response above; digits were lost in extraction and are marked [?] below)

Columns: Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria

Item 2 (item identified in the response above; item numbers in the extracted table were lost)

Design Commitment: The DPS is physically separate, electrically independent, and diverse from the PPS and ESF-CCS, including a diverse method for the reactor trip, the turbine trip, the auxiliary feedwater actuation, and safety injection actuation.

Inspections, Tests, Analyses: Inspection of the as-built DPS, PPS, and ESF-CCS equipment and design documentation will be performed.

Acceptance Criteria: The as-built DPS
- is physically separated from the as-built PPS and ESF-CCS;
- utilizes diverse software and hardware from the as-built PPS and ESF-CCS;
- is powered from diverse power buses from the as-built PPS and ESF-CCS, and
- initiates reactor trip, turbine trip, auxiliary feedwater actuation, and safety injection actuation by diverse methods from the as-built PPS and ESF-CCS;
- is developed by a different design team than the design teams which developed the PPS and ESF-CCS. (This replaces the former text: "is developed by diverse design group from the design group(s) which developed the PPS and ESF-CCS software.")
- is developed by different hardware of programmable logic devices and different programmable tools than the hardware and the programmable tools which have applied for the PPS and ESF-CCS.

Item [?]

Design Commitment: The DPS provides the automatic functions as shown in Table [?] if plant process signals exceed predetermined setpoints.

Inspections, Tests, Analyses: A test of the as-built DPS will be performed using simulated test signals.

Acceptance Criteria: The as-built DPS initiates the functions identified in Table [?] when the plant process signals reach the predetermined setpoint.

Item [?]

Design Commitment: The DPS utilizes a [?]-out-of-[?] coincidence logic for automatic initiation of protective functions shown in Table [?].

Inspections, Tests, Analyses: A test of the as-built DPS will be performed using simulated test signals.

Acceptance Criteria: The DPS coincidence logic produces an initiation when any two channels are in a trip state for a protective function.

Item [?]

Design Commitment: The DPS cabinets listed in Table [?] are located in separate rooms.

Inspections, Tests, Analyses: Inspection of the as-built DPS equipment will be performed.

Acceptance Criteria: The DPS cabinets are located in separate rooms.

Rev. 0
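The coincidence-logic row above ties the acceptance test to a simple, checkable rule: with simulated test signals applied, the DPS initiates a protective function only when any two channels are in a trip state, so a single channel past its setpoint must not initiate. The following Python model of that test is an added example, not KHNP's code or part of the ITAAC; the four-channel count, the process parameter and the setpoint values are assumptions.

```python
from dataclasses import dataclass

# Added model of the DPS acceptance test in the ITAAC row above: per-channel
# bistables compare plant process signals with predetermined setpoints, and the
# coincidence logic initiates a protective function only when at least two
# channels are in a trip state for it. The four-channel count, the process
# parameter and the setpoint values are assumptions made for this example.

TRIP_COUNT = 2                        # "any two channels" (acceptance criterion)
CHANNELS = ("A", "B", "C", "D")       # assumed four-channel DPS

@dataclass(frozen=True)
class Setpoint:
    function: str                     # protective function, e.g. "reactor_trip"
    value: float                      # predetermined setpoint
    high: bool                        # True: trip at or above; False: trip at or below

def channel_trip_state(signal: float, sp: Setpoint) -> bool:
    """Bistable: is this channel's process signal at or past the setpoint?"""
    return signal >= sp.value if sp.high else signal <= sp.value

def coincidence_initiate(trips: dict) -> bool:
    """Voter: initiate when TRIP_COUNT or more channels are in a trip state."""
    return sum(1 for tripped in trips.values() if tripped) >= TRIP_COUNT

def evaluate(signals: dict, sp: Setpoint) -> tuple:
    """Run the bistables, then the voter. Returns (per-channel trips, initiated)."""
    trips = {ch: channel_trip_state(signals[ch], sp) for ch in CHANNELS}
    return trips, coincidence_initiate(trips)

# Constructed simulated test signals for a high-setpoint parameter (assumed units).
HIGH_SETPOINT = Setpoint("reactor_trip", 2400.0, high=True)
SIM_SIGNALS = {
    "all_normal":          {"A": 2250.0, "B": 2250.0, "C": 2250.0, "D": 2250.0},
    "single_channel_high": {"A": 2450.0, "B": 2250.0, "C": 2250.0, "D": 2250.0},
    "two_channels_high":   {"A": 2450.0, "B": 2450.0, "C": 2250.0, "D": 2250.0},
}

def run_acceptance_test() -> dict:
    """Map each simulated case to whether the coincidence logic initiated."""
    return {name: evaluate(sig, HIGH_SETPOINT)[1] for name, sig in SIM_SIGNALS.items()}

if __name__ == "__main__":
    for case, initiated in run_acceptance_test().items():
        print(f"{case:22s} initiated={initiated}")
```

The single-channel case is the one worth watching: one failed or spoofed channel must not be able to initiate the function on its own, and the voter only passes the acceptance criterion if both that case stays quiet and the two-channel case initiates.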

RAI 33-7880 - Question 07.08-1 Attachment 2(1/3)

Non-Proprietary Sup. RAI 33-7880, 07.08-1 Diversity and Defense-in-Depth APR1400-Z-J-NR-14002-NP, Rev.1

... to separate control processors. The potential for simultaneous CCF errors in these multiple processors is minimized since functional diversity is utilized and software execution is asynchronous.

Diversity - Diversity offers the final defense against CCFs. All critical safety functions, such as reactivity control, inventory control and heat removal, can be monitored, automatically controlled, and manual action taken to maintain the safety margins from both the control systems and the safety I&C systems (Table 6-1). These systems are functionally diverse, as are the fluid mechanical systems they control. In addition, to correspond with the hardware diversity of these fluid mechanical systems, the APR1400 employs both hardware and software diversity between control and protection I&C systems to eliminate the potential for CCFs. This diversity exists in all software-based aspects of these systems, including processors, multiplexers, communication networks, and HSI devices. This same diversity philosophy is applied between the QIAS-P/N and the IPS to ensure availability of control room information.

6.1.3 Evaluation of Defense-in-Depth

Nuclear industry studies of I&C systems have shown systematic ways in which postulated CCFs or sneak-paths can compromise portions of the lines of defense for plant events. These studies have verified that not all such potential faults or paths are identified and/or evaluated during the design process.

The basis for the evaluation documented herein is that CCFs, however slight their potential and no matter how many evaluations are done or how they may occur, can be postulated to occur. As a result, the CCF coping analysis takes credit for diverse functions (automatic, manual, and indication) that are required to meet the applicable acceptance criteria following an initiating event concurrent with a postulated CCF in the protection system.

6.2 Diversity and Defense-in-Depth Analysis

The detailed D3 analysis in accordance with NUREG/CR-6303 guidelines is provided in Appendix C. The appendix demonstrates that the vulnerabilities to CCF have been adequately addressed in the APR1400, and that the APR1400 I&C systems have sufficient diversity features, using guidelines 1 through 14 in NUREG/CR-6303 (Reference 13). Refer to Appendix C, Table C-1, for the diversity attributes of the diverse I&C platforms against the safety I&C system platform.

6.2.1 Diversity Evaluation between the DPS and the PPS

Detailed analysis results of diversity attributes between the DPS and the PPS are as follows:

Design Diversity - A diverse equipment platform based on different technology is applied to the DPS compared with the PPS. The PPS uses the PLC technology for the digital logic processing, whereas the DPS uses the FPGA logic controller (FLC) technology for the digital logic processing. In addition, system architectures are diverse between the PPS and the DPS. Therefore, significant design diversity factors are provided between the PPS and the DPS.

... of the common safety PLC platform

Functional diversity - The reactor trip mechanism of the DPS is diverse from that of the PPS. The PPS uses the undervoltage trip mechanism, whereas the DPS uses the shunt trip mechanism. Therefore, functional diversity is provided between the PPS and the DPS.

Signal diversity - There is no signal diversity between the PPS and the DPS. The safety-class sensors and APC-S are shared by both the PPS and the DPS. The sensors and APC-S are analog-type equipment. Therefore, this equipment is not affected by the software CCF.

KEPCO & KHNP 26

RAI 33-7880 - Question 07.08-1 Attachment 2(2/3)

Non-Proprietary Sup. RAI 33-7880, 07.08-1 Diversity and Defense-in-Depth APR1400-Z-J-NR-14002-NP, Rev.1

20. IEEE [standard number not recoverable from the extraction], Seventh Edition, The Authoritative Dictionary of IEEE Standards Terms
21. Westinghouse Electric Company PM Letter, APR1400 Design Certification - AC160 EPLDs and Impact on D3 Analysis (WO-102), January 9, 2018

KEPCO & KHNP 34

RAI 33-7880 - Question 07.08-1 Attachment 2(3/3)

Non-Proprietary Sup. RAI 33-7880, 07.08-1 Diversity and Defense-in-Depth APR1400-Z-J-NR-14002-NP, Rev.1



Table C-1 Diversity Attributes Between I&C System Platforms

Columns: Diverse I&C Platforms (Refer to Table A-1.) | Diversity Attributes against Common Safety PLC Platform: Design, Equipment, Functional, Human, Signal, S/W

Non-Safety DCS: Design O, Equipment O, Functional O, Human O, Signal O, S/W O
DPS: Design O, Equipment O, Functional O, Human O, Signal (blank; see Note e and Section 6.2.1), S/W O
FPGA DIS: four cells marked O (blank cells were lost in extraction, so their columns cannot be recovered)
Hardware-Based Device (CIM): three cells marked O and one marked N/A (blank cells lost in extraction)
Analog (Actuator): three cells marked O and one marked N/A (blank cells lost in extraction)
Analog (Sensor): three cells marked O and one marked N/A (blank cells lost in extraction)

O: Diverse, N/A: Not Applicable

Explanatory Notes:

a. The information provided in the table is with respect to the diversity features shared between the platforms, i.e., the reader should observe the information in each column for each diversity feature.

b. The Non-safety DCS platform has functional diversity against the common safety PLC platform. The common safety PLC platform provides ON/OFF trip and monitoring functions, whereas the Non-safety DCS platform provides continuous control and monitoring functions.

c. A different design team from the common safety PLC design team is responsible for the design of the DPS and DIS, and of the systems implemented on the Non-safety DCS platform. Detailed analysis results of diversity attributes between the DPS and the PPS are described in Section 6.2.1.

d. PPS sensor signals are also used in Non-safety DCS systems through qualified isolators.

e. Sensors and APC-S are shared by both the PPS and the DPS. The analog sensors and APC-S are analog equipment, and they are not affected by the software CCF.

f. There is no commonality in software modules used among the common safety PLC platform, the Non-safety DCS, and the FPGA platforms. Therefore, the occurrence of concurrent CCF of different platform equipment is not considered in the D3 analysis.

g. There are a few areas in which several diversity attributes are shared between platforms, but that is only because more than one platform is used within an actuation path. For example, for an ESFAS actuation path, the instrumentation channel contains analog sensors, APC-S, PPS, ESF-CCS, CIM, electrical panel, and ESF actuated devices. The complete instrumentation channel is designed within the same safety group, so there is human commonality in the design of the applicable modules.

The FLC for the DAS includes the diverse hardware of FPGA, and it does not include the same EPLD hardware that is used in the common safety PLC platform. In addition, the FPGA for the DAS is programmed with a programming tool different from the one used to program the EPLD for the common safety PLC platform.

KEPCO & KHNP C12