ML063170445

From kanterella

Diablo Canyon Power Plant, Unit No. 1 and 2 - Licensee Handouts- Summary of 11/6/2006 Meeting with Pacific Gas and Electric Company on Digital Upgrade Project (TAC MD0386 and MD0387)
ML063170445
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 11/06/2006
From: Pacific Gas & Electric Co
To: Office of Nuclear Reactor Regulation; Wang A B, NRR/DORL/LPL4, 301-415-1445
Shared Package: ML063250103
References: TAC MD0386, TAC MD0387
Download: ML063170445 (81)


Text

{{#Wiki_filter:Diablo Canyon Power Plant Digital PPS Upgrade Project
Presentation to: USNRC I&C Branch
November 6, 2006
(Slide footer throughout: "Diablo Canyon Power Plant Digital RPS Project" with the slide number; only the slide numbers are kept below.)

Slide 2: Agenda
i. Introduction (15 min)
  A. Who's Here
  B. Industry Issues Discussion (Why are we here?)
  C. Meeting Objectives
ii. Review March Meeting (20 min)
iii. Proposed Architecture (60 min)
  A. Discuss Diverse Actuation System (DAS)
  B. Identify Vulnerabilities
  C. Modify Functional Requirements to Remove Vulnerabilities
  D. Implement Alternate Initiation Functions
iv. Common Platform (30 min)
  A. Identify Issues
  B. Interpret Regulations
v. Review Objectives
vi. Open Discussion and Feedback
vii. Closing Remarks

Slide 3: Industry Issues
• Staff technical issues with digital upgrades (Oconee)
• Impact of digital upgrade technical issues on final design
• Insufficient digital upgrade licensing guidance
• Significant staff/utility resources and cost for reviews

Slide 4: Meeting Objectives
• Present current approach and architecture
• Feedback requested from the NRC
  - Does the approach meet NRC guidance? NOT "Can we install it in the plant?"
  - Identification of weak points that will require more justification
  - Issues with the architecture or approach
  - Suggestions on format and content (e.g., NUREG/CR-6303 Section 5)
• Open discussion on any technical issues

Slide 5: Schedule
• 2004: Main Turbine Control System (U1 and U2)
• 2006: Digital Feedwater Controls (U2)
• 2007: Defense-in-Depth and Diversity Topical Submittal for NRC Review; Digital Feedwater Controls (U1)
• 2008: Submit RTS/ESFAS LAR
• 2009: Process Control System Replacement (U1 and U2)
• 2010: RTS/ESFAS (Unit 1)
• 2011: RTS/ESFAS (Unit 2)

Slide 6: Agenda (repeat of slide 2; next section: ii. Review March Meeting)

Slide 7: March Meeting Review
• Westinghouse Analog Protection System (Reference)
• Eagle 21 PPS (Existing)
• TRICON PPS (Proposed Replacement)
  - Replicated Eagle 21 architecture
  - RTS and ESFAS in same box
  - Westinghouse study assumed the same DCCF disabled all TRICON applications: RTS, ESFAS, Control Systems
  - Extensive DAS required to meet BTP HICB-19 acceptance criteria

Slide 8: PWR Protection Concept (figure only)

Slide 9: Analog PPS Architecture (Reference)

[Figure: analog PPS with isolated non-1E outputs to process controls and to AMSAC.]

Slide 10: Analog PPS Signal Isolation
• Independent Class II outputs to: AMSAC; Digital Feedwater Control System; Auxiliary Feedwater Pump Runout Protection; Pressurizer Pressure Control; Pressurizer Level Control; Reactor Control (Turbine Power); Steam Dump Control
• Isolated output to control system (not independent): Reactor Control (Tavg); Control Board Instruments
• To SSPS: Reactor Trip; ESFAS

Slide 11: Analog PPS Functional Requirements, Integrated RTS/ESFAS Architecture
[Figure. Protection system analog inputs: RCS Flow, Turbine Impulse Pressure, Pressurizer Pressure, Pressurizer Level, Pressurizer Vapor Space Temperature, NI Flux, RCS Narrow Range Temperatures, RCS Wide Range Temperatures, RCS Wide Range Pressure, NR Steam Generator Level, Steamline Pressure, Containment Pressure.
Reactor trip bistable outputs to existing SSPS: OPDT, OTDT, RCS Flow-Low, PZR Pressure-High, PZR Pressure-Low (Note 1), PZR Level-High, Steam Generator Level Low-Low.
Engineered safeguards bistable outputs to existing SSPS: Cold Leg Temp-Low (LTOPS), Loop Pressure-High (LTOPS), Loop Pressure-Low (RHR Interlock), PZR Pressure-Low (Note 2), PZR Pressure-Low P11 (Note 4), Steamline Pressure-Low, Steamline Pressure Rate-High, Steam Generator Level High-High P14, Containment Pressure-High, Containment Pressure High-High.]

Slide 12: Analog PPS
• Redundant 4-channel analog system
• Analog outputs are isolated
  - Independent analog outputs to AMSAC
  - Independent analog outputs to process controls
• Credible single PPS failures will not cause a control system excursion that requires mitigation by the failed PPS channel
• DFWCS will reject single failed input channels
• Single failures affect single loops

Slide 13: Eagle 21 PPS Architecture (Existing)
[Figure: isolated (non-independent) non-1E outputs to process control; isolated (independent) non-1E outputs to AMSAC.]

Slide 14: Eagle 21 PPS Signal Isolation
• Isolated (independent) outputs to AMSAC
• Isolated (non-independent) outputs to: Digital Feedwater Control System; Auxiliary Feedwater; Rod Speed & Direction; Pressurizer Pressure; Pressurizer Level; Steam Dump Control
• Class 1E outputs to SSPS Reactor Trip; Class 1E outputs to SSPS ESFAS

Slide 15: Eagle 21 PPS Functional Requirements, Integrated RTS/ESFAS Architecture
[Figure: same analog inputs and bistable outputs as slide 11, implemented in the Eagle 21 processors.]

Slide 16: Eagle 21 (Existing)
• Redundant 4-channel digital system
• Combines RTS and ESFAS functions in the same boxes
• Isolated analog outputs
  - Only outputs to AMSAC are independent of digital processing
  - Other analog outputs are dependent on digital processing
• PPS failure by DCCF can cause a control system excursion that requires mitigation by the failed PPS
• Postulated DCCF could disable RTS and ESFAS functions concurrent with an FSAR Chapter 15 accident or event
• Manual action required to mitigate a concurrent LBLOCA if DCCF disables redundant channels
• Single failure affects multiple loops

Slide 17: Digital TMR Architecture (March 2006)
[Figure: isolated non-1E outputs to process controls; Diverse Actuation System.]

Slide 18: TRICON PPS Signal Isolation
• Independent Class II outputs (through I/E and E/I isolation devices ahead of the protection processors) to: AMSAC; Digital Feedwater Control System; Auxiliary Feedwater Pump Runout Protection; Pressurizer Pressure Control; Pressurizer Level Control; Reactor Control (Turbine Power); Steam Dump Control
• Isolated output to control system (not independent): Reactor Control (Tavg); Control Board Instruments
• Discrete outputs to SSPS (Reactor Trip Breakers)

Slide 19: TRICON PPS Functional Requirements, Integrated RTS/ESFAS Architecture (Note 3)
[Figure: same analog inputs and bistable outputs as slide 11, implemented in the TRICON processors.]

Slide 20: Digital TMR Design (March 2006)
• Redundant 4-channel digital system
  - Each channel implemented in a TRICON Triple Modular Redundant (TMR) processor
• Analog outputs are isolated ahead of the digital processors
  - Outputs to DAS are isolated and independent
  - Control system outputs are isolated and independent
  - PPS failure cannot cause a control system excursion
• Postulated DCCF could disable RTS and ESFAS functions concurrent with an FSAR Chapter 15 accident or event
• Extensive DAS required to meet BTP HICB-19 acceptance criteria
• Multiple faults: still works

Slide 21: One DAS Concept (Not "the" DAS)
[Figure: independent inputs to a DAS that initiates Reactor Trip, Safety Injection, Turbine Trip, Steam Line Isolation, AFW Initiation, Feedwater Isolation, SGBD Isolation and Indications.]
• Provides another actuation path if DCCF disables RTS and ESFAS
  - New Reactor Trip relatively simple: trip the Control Rod Drive M-G set supply breakers
  - New ESFAS complex and prone to single failure
    - Interfaces with individual components: pumps and valves

Slide 22: Summary
• TRICON replacement retained the Eagle 21 architecture and functional requirements
• Defense-in-depth improvements reduce the opportunity for DCCF propagation among echelons
  - TMR processors preclude a single fault from disabling a function
  - Front-end isolation prevents control/protection system interaction
• Issues with integrated RTS/ESFAS functional diversity
  - Design met regulations when Eagle 21 was licensed
  - Does not meet BTP HICB-19 requirements
• BTP-19 Position 3: "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function..."
• Insufficient functional diversity
  - DCCF in ESFAS disables the Pressurizer Pressure-Low SI safety function
  - Manual action required to mitigate LOCA events
• Issues are independent of processor design
  - TMR processors only provide redundancy
  - Does not provide defense in depth
• Same Requirements = Same Issues = DAS
  - Diverse mitigation is required to meet current regulations

Slide 23: Agenda (repeat of slide 2; next section: iii. Proposed Architecture)

Slide 24: Digital TMR Design (March 2006)
[Figure, as slide 17: isolated non-1E outputs to process controls; Diverse Actuation System.]

Slide 25: TRICON PPS Functional Requirements, March Design
[Figure: same analog inputs and bistable outputs as slide 11.]

Slide 26: Digital TMR Design
• Redundant 4-channel digital system
  - Each channel implemented in a TRICON Triple Modular Redundant (TMR) processor
• Analog outputs are isolated ahead of the digital processors
  - Outputs to DAS are isolated and independent
  - Control system outputs are isolated and independent
  - PPS failure cannot cause a control system excursion
• Postulated DCCF could disable RTS and ESFAS functions concurrent with an FSAR Chapter 15 accident or event
• Manual action required to mitigate LBLOCA if DCCF disables redundant channels
• Extensive DAS required to meet BTP HICB-19 acceptance criteria

Slide 27: DAS Pro and Con
• Pro:
  - Meets current BTP-19 requirements (if necessary)
• Con:
  - More complexity
  - More cost
  - More maintenance and testing
  - Testing or functional errors will challenge safety systems: trip the reactor; initiate engineered safeguards
  - Performs nuclear safety-related RTS and ESFAS functions but does not have to meet the nuclear safety-related system requirements established by law: no GDC requirements; not required to be qualified; not required to be redundant
  - More than minimally increases the likelihood of spurious challenges to protection systems
  - A more significant threat to safe plant operation than the DCCF it is intended to mitigate

Slide 28: Why is a DAS Needed?
• BTP-19 Position 3: "If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function..."
• Perform a Defense-in-Depth and Diversity evaluation per NUREG/CR-6303
  - Identify design aspects that allow a DCCF to disable a safety function
• Modify the design to remove the limiting aspects and provide functional diversity

Slide 29: New Functional Requirements
• Modify the requirements to provide functional diversity in the presence of a postulated single DCCF concurrent with a Chapter 15 event or accident
• Identify and correct physical vulnerabilities
  - All safety functions must be performed by qualified safety-related systems
  - Echelons of defense must be sufficiently independent to preclude DCCF propagation among echelons
• Identify and correct functional vulnerabilities
  - Concurrent with a postulated DCCF in a single echelon, all FSAR Chapter 15 accidents and events must be mitigated automatically where automatic action is credited in the existing analysis (conservative assumption to reduce licensing risk)
• Evaluate FSAR Chapter 15 events and accidents to evaluate the effectiveness of the new requirements

Slide 30: TRICON PPS Functional Requirements, Evaluate for Vulnerabilities
[Figure: same analog inputs and bistable outputs as slide 11, with the TRICON processor between the inputs and the bistable outputs to the existing SSPS.]

Slide 31: FSAR Condition II Events (Assumed Cause is Control System Failure)
• Credible control system DCCF
• Credible protection system DCCF in Eagle 21
  - Limited by electrical independence in the proposed upgrade
• Something else

Slide 32: FSAR Condition II Events, continued
• Digital Feedwater Control System
  - Loss of Normal Feedwater (LONF: 15.2.8). Primary: SGNRL Low-Low. Diverse: AMSAC
  - Feedwater Malfunction (FWM: 15.2.10/15.2.10A). Primary: SGNRL High-High. Diverse: PR NI Flux-High / Flux Rate-High
• Pressurizer Level Control System
  - Spurious Safety Injection (SSI: 15.2.15). Primary: operator termination of SI

Slide 33: FSAR Condition II Events, continued
• Pressurizer Pressure Control System
  - Accidental RCS Depressurization (15.2.12). Primary: RTS Pressurizer Pressure-Low RT. Backup: ESFAS Pressurizer Pressure-Low SI/RT
• Reactivity Control (mitigated by diverse NI flux trips)
  - Uncontrolled RCCA bank withdrawal from subcritical condition (15.2.1)
  - Uncontrolled RCCA bank withdrawal at power (15.2.2)
  - Single Rod Cluster Control Assembly withdrawal at full power (15.3.5)
• Steam Dump Control
  - Accidental Depressurization of the Main Steam System (15.2.13). Primary: Steam Line Pressure-Low SI (>P9) / Steam Line Isolation (<P9). Backup: diverse high neutron flux trips (all ranges)

Slide 34: LOCA Events
• SBLOCA: 15.3.1
• LBLOCA: 15.4.1
  - Primary mitigation: PZR Pressure-Low SI
  - Backup: Containment Pressure-High SI
• Primary and backup Engineered Safety Features disabled by the same DCCF

Slide 35: PZR Pressure-Low SI
• RT is initiated at 1950 psig
  - Does not initiate SI
• SI is initiated at 1850 psig
  - Also initiates RT through the diverse SSPS
• Eagle 21 Diversity Study credited operator action to mitigate both LOCA events
• WCAP-7306:
  - SI should be initiated within 1.5 minutes of an SBLOCA
  - More time available on LBLOCA due to passive injection
• Substantially less than the allowable time
  - AOO: 5 minutes
  - DBA: 10 minutes
• Provide an alternate, independent SI function
  - Conservative measure to reduce licensing risk
  - Will improve real safety

Slide 36: Steam Generator Water Level High-High P14 (TT, RT above P9, FWI)
• Backup FWM protection in ESFAS
  - Current setpoint 75%: prevents water carry-over to the Main Steam System
  - Primary FWM mitigation provided by diverse NI Flux-High and NI Flux Rate-High
• Replacement steam generators
  - New setpoint 90%
• Provide an alternate, independent P14 function
  - Prudent measure to reduce equipment risk

Slide 37: TRICON PPS Functional Requirements, Alternate Protection Functions
[Figure: same analog inputs and bistable outputs as slide 11, with alternate initiation channels added alongside the existing channels for OTDT, RCS Flow-Low, PZR Pressure (Note 1), PZR Pressure-Low (Notes 2, 4), Steam Generator Level Low-Low and Steam Generator Level High-High P14. Legend: alternate channel; existing channel.]

Slide 38: New Digital TMR Design (Subdivided RTS and ESFAS)
[Figure: isolated non-1E outputs to process controls and to AMSAC.]

Slide 39: Electrical & Data Independence
• DCCF in RTS or ESFAS cannot cause a control system excursion that requires mitigation by the failed echelon
  - Exception: Loop Tavg (Reactor Control)
  - Exception: Loop Hot Leg Temperatures (RVLIS)
  - Not practical to isolate these and maintain accuracy
  - Potential transients are slow and mitigated by the diverse NIS
• DCCF in the control system cannot impair the RTS or ESFAS protective function
• DCCF in RTS or ESFAS cannot propagate to the other protection echelon
  - No equipment shared among echelons
  - No data communication within or among echelons
  - No database shared among echelons
[Figure: isolated non-1E outputs to process controls and AMSAC; data cannot propagate backward through the input subsystem.]

Slide 40: New Architecture Advantages
• Subdivides the RPS into independent, redundant RTS and ESFAS processors
• Sensors are still shared, BUT:
  - Control system signals are electrically isolated before they can be affected by another digital echelon
  - RTS and ESFAS processors cannot affect each other's data
  - Inherent data isolation between RTS and ESFAS is provided by their input subsystems: data cannot propagate backward through the A/D converters
  - Digital subsystem faults cannot affect the analog signal
  - RTS and ESFAS do not communicate within or between echelons
  - No shared database or equipment

Slide 41: Advantages, continued
• DCCF in RTS or ESFAS cannot cause a control system excursion that requires mitigation by the failed echelon
• DCCF in the control system cannot impair the RTS or ESFAS protective function
• DCCF in RTS or ESFAS cannot propagate to the other protection echelon

Slide 42: Triconex (Digital TMR) Process Protection System
[Figure: Process Protection System Racks 1-16 fed by field instruments. Racks 1-5 Protection Set I, Racks 6-10 Protection Set II, Racks 11-13 Protection Set III, Racks 14-16 Protection Set IV, each with separate RTS and ESFAS processors. Independent Class II outputs to: AMSAC; Digital Feedwater Control System; Auxiliary Feedwater Pump Runout Protection; Pressurizer Pressure Control; Pressurizer Level Control; Reactor Control (Turbine Power); Steam Dump Control; Hotwell Level Control; RVLIS. Typical for all protection sets: hardwired controls and indications; isolated data links to the PPC; isolated analog outputs to non-critical controls and indications; Reactor Control (Tavg).]

Slide 43: Critical Control Systems (Digital TMR)
[Figure: TMR control systems (Tricon) fed by field instruments and by inputs from the PPS, housed in part of Rack 18 (Control Set 1) and Rack 26 (Control Set 3): MTCS, DFWCS, MFPSCS, Runout Control, with an HMI typical for the TMR systems.]

Slide 44: Triconex (Digital TMR) Process Control System
[Figure: New Process Control System Racks 17-32 (similar for Process Instrument Panels PIA/PIB/PIC and Instrument Rack RI); inputs from the PPS to the NSSS control systems; hardwired controls and indications (typical for Racks 17-32).]
• FSAR Section 7.7 Process Controls: Pressurizer Pressure; Pressurizer Level; Rod Control (Note 1); Rod Speed & Direction (Reactor Control, Note 2); Steam Dump; MDAFWP Runout Control (Racks 18 & 26)
• Notes: 1. The Rod Control System is not part of Racks 17-32 but is assumed to be diverse. 2. Tavg will be calculated in the RTS and transmitted by hard wire to the control system.

Slide 45: Process Control Rack Consolidation (only control functions illustrated)
• Control Set 1 (Racks 17-20): Steam Dump (steam line / steam header pressure); MDAFWP Runout Protection; FW Header Pressure to DFWCS; PZR Level; PZR Relief Tank Pressure; Steam Generator 1/4 Pressure; VCT Level
• Control Set 2 (Racks 21-24): PZR Level; Rod Speed and Direction (Set 4); Tref to Rod Speed and Direction (Set 4); Turbine Power to Rod Speed and Direction (Set 4); Steam Generator 1/4 Pressure
• Control Set 3 (Racks 25-27): MDAFWP Runout Protection; MDAFWP Discharge Pressure (to Runout Protection); Refueling Water Storage Tank Level
• Control Set 4 (Racks 28-31): Delta T/Tavg to Rod Speed & Direction; PZR Lref; Auctioneered High Tavg to Steam Dump (Set 1); Letdown HX Outlet Pressure; Letdown HX Outlet Temperature; VCT Level; Rod Withdrawal Limit to Rod Control Logic Cabinet; Compensated Temperature Error to Rod Control; Rod Control Auctioneered High Tavg to PZR Level Lref (Set 2); S/G Wide Range Level to DFWCS
(The rack-by-rack assignment within each control set is not legible in the source.)

Slide 46: Keep It Simple
• Architecture
  - Simple compared to adding a DAS
  - Echelons are independent
  - Redundant channels within an echelon are independent

• Function Block Programming (IEC 61131-3)
  - High-level symbolic application development
  - Simplifies implementation of requirements and testing
  - Functional specifications can be written precisely to avoid defects
  - Protection logic is very simple
  - All specified requirements can be tested
  - Non-specified (unintended) functions can be identified and eliminated

Slide 47: Traditional Software Programming (C++) (Basis for Current V&V Guidance)
(The listing is the MFC AppWizard dialog-application InitInstance() with a single-instance check added. The OCR of the slide is repaired below; the three header includes are the AppWizard-standard names assumed for a project with these class names and are not visible on the slide.)

    #include "stdafx.h"       // assumed: MFC precompiled header
    #include "Watchdog.h"     // assumed: declares CWatchdogApp and DOGWINDOWNAME
    #include "WatchdogDlg.h"  // assumed: declares CWatchdogDlg

    BOOL CWatchdogApp::InitInstance()
    {
        HWND hWndOld;
        HWND hWnd;

        // Check if an instance is already active. If so, make the old instance
        // active, show it, and bail out.
        hWndOld = ::FindWindow(NULL, DOGWINDOWNAME);
        if (NULL != hWndOld)
        {
            hWnd = ::SetActiveWindow(hWndOld);
            BOOL bRet = ::ShowWindow(hWndOld, SW_SHOWNORMAL);
            exit(0);
        }

        AfxEnableControlContainer();

        // Standard initialization
        // If you are not using these features and wish to reduce the size
        // of your final executable, you should remove from the following
        // the specific initialization routines you do not need.
    #ifdef _AFXDLL
        Enable3dControls();        // Call this when using MFC in a shared DLL
    #else
        Enable3dControlsStatic();  // Call this when linking to MFC statically
    #endif

        CWatchdogDlg dlg;
        m_pMainWnd = &dlg;
        int nResponse = dlg.DoModal();
        if (nResponse == IDOK)
        {
            // TODO: Place code here to handle when the dialog is
            // dismissed with Exit
        }
        else if (nResponse == IDCANCEL)
        {
            // TODO: Place code here to handle when the dialog is
            // dismissed with Cancel
        }

        // Since the dialog has been closed, return FALSE so that we exit the
        // application, rather than start the application's message pump.
        return FALSE;
    }

Slide 48: Typical Control Program (DFWCS Steam Flow/Feedwater Flow Error Controller) (figure only)

Slide 49: Pressurizer Pressure-High/Low Reactor Trip, RTS Implementation with TS1131 Function Blocks
[Figure: PZR pressure protection, high/low pressure reactor trips (channel PC-455C, Protection Set I), RT output to SSPS.]
• Bistable hysteresis = 1% of span (1250 psi) = 12.5 psi
• High trip: output de-energizes above the setpoint
• Low trip: output de-energizes below the setpoint

Slide 50: SSPS Implementation, Pressurizer Pressure-Low Primary and Alternate Safety Injection Actuation
[Figure: SSPS relay logic sheet; relay and contact references are not legible in the source.]
• Fundamental SSPS functional requirements are unaffected:
  - RTS and ESFAS coincident logic
  - Semiautomatic testing
  - Reactor trip UV outputs
  - ESFAS component outputs and safeguards testing
  - Monitoring and indication

Slide 51: Summary
• Alternate actuations provide functional diversity
• No standalone DAS
  - If a postulated single DCCF disables an echelon, alternate protection functions ensure that FSAR Chapter 15 acceptance criteria continue to be met
  - The alternate functions will mitigate the event automatically if automatic actuation is credited in the FSAR to mitigate the event, even LBLOCA
  - RTS and ESFAS functions continue to be performed by the RTS and ESFAS: qualified; redundant; meet all Protection System GDC
• Small requirements change provides sufficient functional diversity to reduce or eliminate DAS scope
  - All safety functions are performed by qualified safety-related systems
  - All FSAR Chapter 15 accidents and events are mitigated automatically where automatic action is credited in the existing analysis
  - Alternate initiation functions ensure automatic SI when required in the presence of a DCCF in either RTS or ESFAS concurrent with a LOCA
• Conservative measures to reduce licensing risk
  - No AMSAC impact
• Application software in redundant processors within an echelon is different
  - Reduces DCCF opportunity

• Real plant safety is enhanced

Slide 52: Agenda (repeat of slide 2; next section: iv. Common Platform)

Slide 53: NUREG-0800 Standard Review Plan
• Appendix 7.1-C cautions:
  - A digital computer-based design using shared databases and process equipment can propagate a common-cause failure of redundant equipment
  - Software programming errors can defeat hardware redundancy

Slide 54: Digital Common Cause Failure (DCCF) Basis
• 10 CFR Part 50, Appendix A, GDC 22 requires means to prevent the loss of a safety function due to common-cause failure caused by environmental conditions.
• A single common-cause failure in the software used in redundant channels of a digital computer-based I&C system could potentially lead to the loss of an entire safety function, similar to environmental causes.

Slide 55: Echelon Interdependencies (Common Cause Failure Opportunities)
• Physical
  - Rack consolidation
  - Common platform
• Electrical
  - Shared sensors, power supplies
• Environmental
  - Temperature, humidity
• Digital
  - Operating system
    - Shared software
    - Shared features (timekeepers)
  - Application program
    - Same functional requirements

Slide 56: Common Cause Failure Concerns (SECY-91-292)
• Defined echelons of defense:
  - Control System: prevents process excursions into the unsafe operating region
  - Reactor Trip System (RTS): rapidly reduces reactivity in response to an uncontrolled excursion
  - Engineered Safety Features Actuation System (ESFAS): removes heat and maintains the integrity of cladding, vessel and containment
  - Monitoring and Indication: information that enables operators to respond to events

Slide 57: Common Platform, Three Echelons of Defense (same four echelons and descriptions as slide 56)
Engineered Safety Features Actuation System (ESFAS)o Removes heat and maintains integrity of cladding, vessel and containment

  • Monitoring and Indication Eo Information that enables operators to respond to events Diablo Canyon Power Plant Digital RPS Project 57 Potential Echelon Interactions m Control System ol Tricon o] Woodward s Reactor Protection System"i Nuclear Instrumentation (Sense)"l Direct Inputs (Sense)Ei Tricon (Sense)ol SSPS (Command)ol DAS c-m Engineered Safety Features Actuation System El Tricon (Sense)El SSPS (Command)i -DA-S .e-tjco, -r- ; f e:,- ý* Monitoring and Indication El Tricon ol Sufficient for mitigation/shutdown Diablo Canyon Power Plant Digital RPS Project 58 Manage DCCF* DCCF is credible o National Research Council Report* Limit DCCF Opportunities Ew Built-in Quality,* .Limit DCCF Impact r" Defense-in-Depth" Diversity Diablo Canyon Power Plant Digital RPS Project 59 0 DCCF Causes m Operating System o Shared software L. Shared features (timekeepers)

.Application Programs Ez Same Functional Requirements Diablo Canyon Power Plant Digital RPS Project 60 Single Failure Criterion (IEEE-603-1998 Section 5.1)" "The safety systems shall perform all safety functions required for a design basis event in the presence of: oi Any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures.ri All failures caused by the single failure.ri All failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions." The single failure could occur prior to, or at any time during, the design basis event for which the safety system is required to function. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. IEEE Std. 379-1994 provides guidance on the application of the single-failure criterion. IEEE Std. 7-4.3.2-1993 addresses common cause failures for digital computers. Diablo Canyon Power Plant Digital RPS Project 61 0 Single Failure Criterion Guidance (I EEE-379-2002)" Section 6.3.2: ri "A probabilistic assessment shall not be used in lieu of the single-failure analysis. However, reliability analysis, probability assessment, operating experience, engineering judgment, or a combination thereof, may be used to establish a basis for excluding a particular failure from the single-failure analysis. For further guidance in performing reliability analyses and probabilistic assessments, see IEEE Std 352-1987 and IEEE Std 577-1976." 
Allows judgment that the likelihood of a specific, credible common-mode/cause failure is so small as to be negligible Io The judgment must be supported Diablo Canyon Power Plant Digital RPS Project 62 Limit DCOF Opportunities: TRICON System Quality.Triple Modular Redundant" No Single Point of Failure" Designed from the ground up as an industrial safety and critical control system" Wide use as safety & critical control across industries oi > 7000 systems in service ol > 410,000,000 hours without a failure to perform on demand m] Non-safety system same as 1 E system" Full internal diagnostics, self testing and self calibration" Designed to maintain operation with multiple failures, properly report failures, and allow on-line repairs Diablo Canyon Power Plant Digital RPS Project 63 Limit DCCF Opportunities: TRICON System Quality, continued m Defensive Measures Inherent in Tricon System ri Deterministic n Software does not alter itself* Change only through hardware failure or specific human intervention o] Cyclical* Fixed (non-interruptible) execution sequence ri Focus on safety 0 Avoid unneeded functions oi Avoid generic susceptibilities m Asynchronous processors m Process functions not based on real-time clock m Avoid communication between redundant Tricons Diablo Canyon Power Plant Digital RPS Project 64 Inherent Tricon System Defensive Measures, continued" Static resource allocation o Avoid software failure due to insufficient resources nz Avoid multitasking" Modularity Ei Dissociated modules -not affected by failures of other modules* Self-Surveillance oz Reduce frequency of unsafe failures o Prevent accumulation of undetected failures" Quality Ei Field-proven hardware and operating system ii Applications software developed using structured process (IEEE Std 1012)Diablo Canyon Power Plant Digital RPS Project 65 Limit DCCF Opportunities: TRICON Operating System Quality I TRICON OS not explicitly discussed in SER ol NUREG-6303 Appendix treats DCCF in OS as subset of 
entire range of DCCF* Simple* Failures are related to service demands* Risk of DCCF in TRICON OS is much less than risk of DCCF in applications (IEEE 379 Section 6.3.2; NUREG/CR-6303 Appendix): El Simple o1 Cyclic El Non-multitasked E: Independent of process loading/events

  • Blind to the process* Unaffected by service demands El Asynchronous
  • Internal -between Tricon processors
  • External -between redundant channels* Triconex Product Advisory Notices (PAN)El Describe system issues and fixes El Only 14 issued since early 1980's* >410,000,000 operating hours* >7,000 systems* Two (#10, 11) address trapped processor in terms of potential DCCF Source 0 Erratic control program behavior o Discrete outputs freeze -do not go to pre-defined safe state o Caused by bad programming o Corrected by firmware fix Diablo Canyon Power Plant Digital RPS Project 66 Limit DCCF Opportunities:

Application Program Quality" Generate and install high-integrity software" High-quality development and implementation processes improve likelihood of a good product but do not guarantee it m] EPRI TR-108831 (Requirements Specifications)"i IEEE-1012 (Verification & Validation Plan)"i IEEE-1233 (Requirements Specifications) ri- IEC 61131-3 (Programming Languages)" BTP HICB- 14, Software Reviews for Digital Computer-Based I&C Systems, System Software and Hardware Development Process.Diablo Canyon Power Plant Digital RPS Project 67 U ': i, ~ ~ Application Program Quality, continued-Function Block Programming (IEC-61131-3) Ei High level symbolic application development rm Ease of writing oi Ease of review o Ease of test*Ei Formal specification becomes SDD* Functional Specifications can be precisely written to avoid defects'z Protection Logic is very simple o All specified requirements can be tested-ii Non-specified (unintended) functions can be identified and eliminated Diablo Canyon Power Plant Digital RPS Project 68 0 Application Program Quality m PG&E Lifecycle Process (CF2.1D9)rm Based on IEEE-1012 o Required for all in-house software development m Imposed on all software development vendors Diablo Canyon Power Plant Digital RPS Project 69 PG&E Software Lifecycle Design Phase (Design Engineering) Diablo Canyon Power Plant Digital RPS Project 70 Limit DCCF Impact* Defense-in-Depth

  • Diversity Diablo Canyon Power Plant Digital RPS Project 71 BTP HICB-19 D3 Guidance m Three Objectives:
1. Verify that adequate diversity has been provided in the design to meet the criteria established by the NRC's requirements.
2. Verify that adequate defense-in-depth has been provided in a design to meet the criteria established by the NRC's requirements.
3. Verify that the displays and manual controls for critical safety functions initiated by operator action are diverse from computer systems used in the automatic portion of the Reactor Protection System and ESFAS.Diablo Canyon Power Plant Digital RPS Project 72 Evaluating Diversity (Regulatory Position)* NUREG/CR-6303 i Examine architecture to determine extent of postulated failures n Evaluate impact of postulated failures on plant accident analyses* 10 CFR 100 acceptance limits are relaxed due to low failure likelihood Diablo Canyon Power Plant Digital RPS Project 73 Protection Against Common Design Errors m Design diversity o Different internal design mi Different vendor's equipment E Not effective unless perform different.functions m Functional diversity D Components perform completely different functions Em More effective than design diversity Diablo Canyon Power Plant Digital RPS Project 74 U ~~A: _ ~ ---Requirements Must Be Different m The system will always fail when a functional design error is challenged if: mThe flawed requirements are implemented in different equipment w The flawed requirements are implemented differently in the same equipment Diablo Canyon Power Plant Digital RPS Project 75 Analogy" PC's on the desktop rm Running Windows XP (same OS)m NUREG 6303 Appendix excludes OS as a source of CCSF* What is the probability of 2 (or more) failing concurrently?

n Y2K type issues m Related to synchronous processes o What else? Applications?

  • Asynchronous

-Different application software Diablo Canyon Power Plant Digital RPS Project 76 N Summary.-* Proposed design provides independence between echelons: ol Independent Control System m] Independent RTS ol Independent ESFAS" Proposed design provides independence within echelons ol Software in redundant channels is not identical ol Reduces DCCF opportunity in redundant channels* Monitoring and indication functions associated with intact echelons are not affected by a single failed echelon" Not affected: "l Existing AMSAC"l Existing SSPS"l Existing NIS" Electrical isolation prevents control/protection interaction due to DCCF" Data isolation prevents DCCF propagation within and among echelons" Architecture limits impact of echelon interactions" Architecture limits DCCF propagation Diablo Canyon Power Plant Digital RPS Project 77 How Diverse is Diverse Enough?m Design-Meets criteria m Equipment -Criteria not met o Defensive measures: m Limit DCCF Impact m Limit DCCF Opportunity" Software -Meets criteria" Functional -Meets criteria m Signal-Meets criteria m Human -Meets criteria Diablo Canyon Power Plant Digital RPS Project 78 U Bottom Line: m Does the proposed approach using common platform and operating systems in multiple echelons violate regulations? Diablo Canyon Power Plant Digital RPS Project 79 I1 Agenda i. Introduction (15 min)A. Who's Here B. Industry Issues Discussion (Why are we here?)c. Meeting Objectives ii. Review March Architecture (20 min)iii. Proposed Architecture (60 min)A. Discuss Diverse Actuation System (DAS)B. Identify Vulnerabilities

c. Modify Functional Requirements to Remove Vulnerabilities D. Implement Alternate Initiation Functions iv. Common Platform (30 min)A. Identify Issues B. Interoret Reaulations Diablo Canyon Power Plant Digital RPS Project 80 A Meeting Objectives

= Present current approach and architecture = Feedback requested from the NRC" Does the approach meet NRC Guidance?.NOT "Can we install it in the plant?"" Identification of weak points that will require more justification i Issues with the architecture or approach Em Suggestions on format and content (e.g., NUREG/CR-6303 Section 5)m Open discussion on any technical issues Diablo Canyon Power Plant Digital RPS Project 81}}