Doosan HF Controls Carrollton, TX 75006 USADoosan HF Controls * 1624 West Crosby Road Suite 124 *...

June 1 8 th, 2010

Doosan HF Controls * 1624 West Crosby Road Suite 124 * Carrollton, TX 75006 USAPhone 469.568.6500 * Fax 469.568.6599 * www:hfcontrols.com

U.S. Nuclear Regulatory CommissionOffice of Nuclear Reactor RegulationDivision of Policy and RulemakingWashington, D.C. 20555-0001

!/

Attention:

Subject:

Reference:

Document Control Desk

Supporting Documents for HFC-6000 Safety Evaluation Report FinalQualification Closure

HFC-6000 Safety Control System

Docket number: 000-00731

Enclosed documents are the supporting documents for HFC-6000 Safety Evaluation ReportFinal Qualification Closure. HF Controls is submitting two versions of the documents:proprietary and non-proprietary. HF Controls is requesting the Commission to withhold theinformation in the proprietary version. The non-proprietary version of the documents is madeavailable for the public. The justification for the withholding is described in the document,"Justification for Proprietary Information Affidavit" in accordance with 10 CFR 2.390. Inaddition, the marking of the proprietary information and the non-proprietary information withinthe documents is listed in the document, "Proprietary Information Notice". The following'tablelists the documents in this submittal:

Document Name Revision ProprietaryNumber VersionDS901-000-06 System Component Design Specification C Z Yes El NoRR901-000-31 HFC-6000 Product Line Traceability H El Yes 0 NoRR901-000-41 HFC-6000 vs EPRI Operability B El Yes R1 NoRS901-000-37 SC, SAP, SEP, VHDL Software Requirements I El Yes R1 NoTN901-000-05 Addendum for TS901-000-23 A Z Yes El NoTN901-000-06 Addendum for TS901-000-29 A Z] Yes El NoTN901-000-07 Addendum for TS901-000-34 A _ _ Yes El NoTN901-000-08 Addendum for TS901-000-35 A IZ Yes El NoTN901-000-09 Addendum Testing to TP0402 (Working Copy) A Z Yes El NoTN901-000-12 Clarifications to Qualification Test Results A ZI Yes El NoTROO1-000-02 Application Software Objects Test Report B El Yes Z NoTS901-001-23 Additional OS Testing A R1 Yes E No

4~oI

~A 0~

Sincerely,

Ivan ChowV&V Team, Manager

Enclosures:1- The hard copies of documents in two versions:

Proprietary and Non-Proprietary2- Justification for Proprietary Information Affidavit3- Proprietary Information Notice4- A CD of the submitted documents in PDF format. The formats have been verified using

Adobe 6.0 preflight with preflight profile downloaded from NRC website.

CC: Jonathan Rowley, NRCU.S. Nuclear Regulatory CommissionOffice of Nuclear Reactor RegulationDivision of Policy and RulemakingSpecial Projects BranchMS: O-12D1

A. Hsu, E. Herchenrader, T. Gerardis, HF Controls

Justification for Proprietary Information Affidavit

(1) My name is Ivan Chow. I am the V&V Team Manager of Doosan HFControls (HFC) Corporation and as such, I have been specifically delegatedthe function of reviewing the proprietary information sought to be withheldfrom public disclosure in connection with nuclear power plant licensing andrulemaking proceedings, and am authorized to apply for its withholding onbehalf of Doosan-HFC Corporation.

(2) I am making this Affidavit in conformance with the provisions of 10 CFRSection 2.390 of the Commission's regulations and in conjunction with theDoosan HFC application for withholding accompanying this affidavit.

(3) I have personal knowledge of the criteria and procedures utilized by DoosanHFC in designating information as trade secret, privileged or as confidentialcommercial or financial information.

(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.390 of theCommission's regulations, the following is furnished for consideration by theCommission in determining whether the information sought to be withheldfrom public disclosure should be withheld.

(a) The information sought to be withheld from public disclosure is ownedand has been held in confidence by Doosan HFC Corporation.

(b) The information is of a type customarily held in confidence by DoosanHFC and not customarily disclosed to the public. Doosan HFC has arational basis for determining the types of information customarily held inconfidence by it and, in that connection, uses a uniform method todetermine when and whether to hold certain types of information inconfidence. The application of our method and the substance of constituteDoosan HFC's policy and provide the rational basis required.

Under the Doosan HFC method, information is held in confidence if itfalls in one or more of several types of information, the release of whichmight result in the loss of an existing or potential competitive advantage asfollows:

. Its use by a competitor would reduce his expenditure of resourcesand improve his competitive position in the design, manufacture,installation, assurance of quality, or licensing a digital based I&Csystem.

o. It reveals cost or price information, production capacities, budgetlevels, or commercial strategies of Doosan HFC, its customers orsuppliers.

I of 3

o*o It reveals aspects of past, present or future Doosan HFC orcustomer funded development plans and programs of potentialcommercial value to Doosan HFC.

o* It contains patentable ideas, for which patent protection may bedesirable.

For this affidavit, all of the information marked proprietary is because its use by acompetitor would reduce his expenditure of resources and improve his competitiveposition in the design, manufacture, installation, assurance of quality, or licensing adigital based I&C system (type one above). This leads to a Doosan HFC need torestrict certain commercial information from the public to prevent its use bycompetitors and creating a commercial advantage for them to the detriment of DoosanHFC.

The development of the HFC-6000 system design is the result of many years ofdevelopment by uniquely experienced personnel in an intensive effort along with theexpenditure of a considerable sum of money. In order for competitors to duplicatethe Doosan HFC design and applicable information, similar technical programswould have to be performed and a significant manpower effort, having the requisitetalent and experience would have to be expended for the development of a digitaldesign to equal the HFC-6000 system design.

There are sound Doosan HFC policy reasons behind the Doosan HFC proprietarydesignation system which include the following:

a) The Use of such information by Doosan HFC gives Doosan HFC a competitiveadvantage over its competitors. It is therefore, withheld from disclosure to protectthe Doosan HFC competitive position.

b) It is information which is marketable in many ways. The extent to which suchinformation is available to competitors diminishes the Doosan HFC ability to sellproducts involving the use of the information.

c) Use by our competitors would put Doosan HFC at a competitive disadvantage byreducing their expenditure or resources at Doosan HFC expense.

d) Each component of proprietary information pertinent to a particular competitiveadvantage is potentially as valuable as the total competitive advantage. Ifcompetitors acquire components of proprietary information, any one componentmay be the key to the entire puzzle, thereby depriving Doosan HFC of acompetitive advantage.

e) Unrestricted disclosure would jeopardize the position of Doosan HFC in theworld market such as South Korea, and thereby give a market advantage to thecompetition in those countries.

2 of 3

(5) The information is being transmitted to the Commission in confidence and, underthe provisions of 10 CFR 2.390, it is to be received in confidence by theCommission.

(6) Available information has not been previously employed in the same original. Theinformation sought to be protected is not available in public sources or manner ormethod to the best of our knowledge and belief.

(7) The proprietary information sought to be withheld in the submittal is that which isappropriately marked by deletion, with brackets in some documents, in thefollowing HFC non-proprietary documents:

Document Number Name RevisionDS901-000-06 System Component Design Specification CTN901-000-05 Addendum for TS901-000-23 ATN901-000-06 Addendum for TS901-000-29 ATN901-000-07 Addendum for TS901-000-34 ATN901-000-08 Addendum for TS901-000-35 ATN901-000-09 Addendum Testing to TP0402 (Working Copy) ATN901-000-12 Clarifications to Qualification Test Results ATS901-001-23 Additional OS Testing A

AFFIDAVIT, STATE OF TEXAS, COUNTY OF DALLASBefore me, the undersigned authority, personally appeared Ivan Chow, who, being by meduly sworn according to law, deposes and says that he is authorized to execute thisAffidavit on behalf of Doosan HF Controls Corporation (HFC) and the averments of factset forth in this Affidavit are true and correct to the best of his knowledge, informationand belief:

Ivan Chow

Sworn to and subscribed ( LISA RUSHINGNotary PulcState of TexasBefore e this day Commission Expires1of

&/4) AUGUST24 2013.

N y/Notary Public _,

3 of 3

Proprietary Information Notice

On June 1 8 th 2010, Doosan HF Controls transmitted the following documents in bothproprietary and non-proprietary formats:

Document Name RevisionNumberDS901-000-06 System Component Design Specification CTN901-000-05 Addendum for TS901-000-23 ATN901-000-06 Addendum for TS901-000-29 ATN901-000-07 Addendum for TS901-000-34 ATN901-000-08 Addendum for TS901-000-35 ATN901-000-09 Addendum Testing to TP0402 (Working Copy) ATN901-000-12 Clarifications to Qualification Test Results ATS901-001-23 Additional OS Testing A

In order to conform to the requirements of 10 CFR 2.390 concerning the protection ofproprietary information submitted to the NRC, proprietary versions of the documentslisted above are marked "HFC Proprietary" on the title page and on each subsequent pagecontaining proprietary information. For the corresponding' non-proprietary versions, allproprietary information has been deleted, with brackets in some documents, such thatonly non-proprietary information remains. In addition, the deletion was done in themanner such that the formatting of the documents was preserved so that page numbers,headings and section numbers remain unchanged. Since the basis fbr deleting theinformation in all instances is to protect' Doosan HFC corporation confidentialcommercial information; there is no adjacent marking for each deletion as specified in2.390(b)(1)(a)(i)(B). Instead, in order to facilitate the review process, the locations of theproprietary information in each file are listed in the table below:

Document Number Locations of the proprietary informationas deleted in the non-proprietary version

DS901-000-06 Pages 1, 8-40TN901-000-05 Pages 1, 3-23TN901-000-06 Pages 1, 4-18TN901-000-07 Pages 1, 4-10TN901-000-08 Pages 1, 4-10TN901-000-09 (Work Copy) Pages 1, 3TN901-000-12 Pages 1, 3-10TS901-001-23 Pages 4 to 11

U.S.NRCUNITED STATES NUCLEAR REGULATORY COMMISSION

Protecting People and the Environment

Submittal DocumentsNon-Proprietary Version

Document Number Name RevisionDS901-000-06 System Component Design Specification CRR901-000-31 HFC-6000 Product Line Traceability HRR901-000-41 HFC-6000 vs EPRI Operability BRS901-000-37 SC, SAP, SEP, VHDL Software Requirements ITN901-000-05 Addendum for TS901-000-23 ATN901-000-06 Addendum for TS901-000-29 ATN901-000-07 Addendum for TS901-000-34 ATN901-000-08 Addendum for TS901-000-35 ATN901-000-09 Addendum Testing to TP0402 (Working Copy) ATN901-000-12 Clarifications to Qualification Test Results ATROO1-000-02 Application Software Objects Test Report BTS901-001-23 Additional OS Testing A

HF Controls

HF Controls Corporation

Design Specification

System Software Components

DSOO1-OOO--06 Rev C

Effective Date

Author

Reviewer

Approval

4/19/201,0

Eric Patrizii

Ivan Chow

Terrence A. Gerardis

I ICopyright 0 2010 HF Controls Corporation

1 of 40

HFC Control SystemsSystem Software Components Design Specification

Revision History

Date Revision Author Changes10/20/2003 0 B Han Initial12/30/2004 A A Han Release02/03/2010 B E Patrizi Added additional runtime diagnostics4/1/10 C E. Patrizi Revised to adhere to WI-ENG-203:

1. Reorganize the information of thedocument following section 5.1 of the WI.

2. Add software modules section to list themodules for the runtime diagnostic designchanges. Pre-developed software modulesnot related to the runtime diagnosticschanges are not added in this revision.

SCR 2595, 2596, 2598

DSOO 1-000-06 2 of 40 Rev C I


Table of Contents

1.0 SCOPE... ............................................................................................................................ 5

1.1 H ISTO RY .................................................................................................................... 51.2 P U R PO SE .................................................................................................................... 5

2.0 REFERENCES .................................................................................................................. 5

2.1 HFC INTERNAL DOCUMENTS ...................................................................................... 52.2 ABBREVIATION AND ACRONYMS .......................................................................... 5

3.0 TECHNICAL DESIGN ................................................................................................ 6

3.1 SYSTEM ARCHITECTURE ........................................................................................ 63.1.1 FUNCTIONAL SOFTWARE GROUPS ....................................................... 63.1.2 GENERIC SOFTWARE ............................................................................... 63.1.3 ENHANCED NETWORK INTERFACE ........................................................ 6

3.2 COMMUNICATION INTERFACE ................................................................................ 73.2.1 C-Link Protocol ............................................................................................ 73.2.2 Inter-Communication Link (ICL) Protocol .................................................. 73.2.3 Universal Communication Protocol (UCP) ................................................. 7

3.3 TIMING REQUIREMENTS ......................................................................................... 73.4 ACTIVATION .......................................................................................................... 73.5 DESIGN M ETHODOLOGY ......................................................................................... 83.6 SOFTWARE STRUCTURE ......................................................................................... 8

3.6.1 Design Description ....................................................................................... 93.6.1.1 Processor Initialization ........................................................................... 10

3.6.1.1.1 System Controller Initialization ........................................................ 103.6.1.1.2 Subordinate Processor Initialization ................................................. 12

3.6.2 Data Structures .......................................................................................... 133.6.2.1 M emory locations of diagnostic area ..................................................... 133.6.2.2 SUBPROC segment ............................................................................... 153.6.2.3 PUBM EM RDIR STR Structure ............................................................ 153.6.2.4 PREM EM RDIR STR Structure .............................................................. 163.6.2.5 PRSEGDIR STR Structure .................................................................... 163.6.2.6 DIAG STRUC Structure ......................................................................... 173.6.2.7 Controller Configuration Structure ......................................................... 193.6.2.8 Dynamic CRC M emory Configuration Structure .................................. 23

3.6.3 Data Flow .................................................................................................. 233.6.3.1 System Diagnostic Software .................................................................. 23

3.6.3.1.1 Power up initialization diagnostic software ...................................... 233.6.3.2 On-line diagnostic software .................................................................... 23

3.6.3.2.1 On-line diagnostic software for controller components .................... 243.6.3.3 On-line diagnostic software for memory components ........................... 26

3.6.4 Process Control .......................................................................................... 283.6.4.1 Self Test Operating M ode ...................................................................... 283.6.4.2 Run M ode ............................................................................................... 29

DSOO1-000-06 3 of 40 Rev C


3.6.4.3 Multitasking Operating Mode Applications Execution .......................... 313.6.4.4 Processor Synchronization ..................................................................... 333.6.4.5 Interface Functions .................................................................................. 34

4.0 SOFTWARE MODULES ......................................................................................... 34

4.1 OPERATING SYSTEM FILES .................................................................................... 344.1.1 M ajor fi les ................................................................................................... 344.1.2 System Processor Modules ........................................................................ 354.1.3 Modules for Enhanced Diagnostic ............................................................... 36

4.1.3.1 Common Modules for all SC, SAP, SEP ............................................... 364.1.3.1.1 C R C 16.A 10 ...................................................................................... 364.1.3.1.2 DYN DIAG.A1O ............................................................................. 364.1.3.1.3 RAM TST.A1O ............................................................................... 374.1.3.1.4 U CPT SK .A 10 ................................................................................... 384.1.3.1.5 U C PX 88.O PS .................................................................................... 384.1.3.1.6 U TILX 88.O PS ................................................................................. 384.1.3.1.7 D IA G ERR .IN C ................................................................................. 394.1.3.1.8 DYN DIAG.INC ............................................................................. 394.1.3.1.9 O SX 88.IN C ...................................................................................... 39

4.1.3.2 SC Modules - SBCP6INI.A10 ............................................................. 404.1.3.3 SAP Modules - SAPINI.A1O ................................................................ 404.1.3.4 SEP Modules - SEPINI.A10 .................................................................. 40

Index of Figures

Figure 1 - Configuration Structure Definition ...; .......................................................... 14

Index of Tables

Table 1 - On-line diagnostic software - mailbox validation ......................................... 24Table 2 - On-line diagnostic software and impact hardware ........................................ 24Table 3 - On-line diagnostic functions ......................................................................... 26

DSOO1-000-06 4 of 40 Rev C I


1.0 Scope

1.1 History

The system software components of HF Controls control systems are based around the filedproven "Rev 6.1" software version, with the following differences. The software is intended tobe organized into independent groups based on functionality. Software for all Intel x86processor based cards utilizes the same "generic" software modules. The capability of networkcalls has been expanded to support dynamic configuration other than using the predefined pathdefinition tables of the original Rev. 6 software.

1.2 Purpose

Revision A of this document provided design specification for the pre-developed software asdescribed in section 1.1. Requirements for the software design are listed in RS901-000-37,"SC, SAP, SEP, VHDL Software. Requirement Specification", SRS. Going forward, allupdates to this document will specify the designs for the changes in the system software andthe corresponding modules in accordance with WI-ENG-203, "Development ofSoftware/Firmware Design Specification". The updates shall have correspondingrequirements specified in the SRS.

2.0 References

2.1 ttFC Internal Documents

DS002-000-01 C-Link Protocol Design Specification, Rev. D

DS002-000-02 ICL Protocol Design Specification, Rev. E

DS002-000-03 UCP Design Specification, Rev. B

MS901-000-01 SBC06 Module Design Specification, Rev. F

MS901-000-05 SCG06 Module Design Specification, Rev. A

RS901-000-37 SC, SAP, SEP, VHDL Software Requirement Specification, Rev. H

WI-ENG-203 Development of Software/Firmware Design Specification, Rev B

2.2 Abbreviation andAcronyms

CPC Communication Protocol Controller

ICL Inter-Communication Link

PCC Peripheral Communication Controller

SAP Subordinate Asynchronous Program for PCC/ICL Processor

SC System Controller Program

SEP Subordinate Ethernet Program for CPC/C-Link Processor

DSOOI-000-06 5 of 40 Rev C I


3.0 Technical Design

3.1 System Architecture

Refer to MS901-000-01, "SBC06 Module Design Spec." and MS901-000-05, "SCG06Module Design Spec." for the system architecture to which the system software componentsare applied.

3.1.1 FUNCTIONAL SOFTWARE GROUPS

The purpose of software groups is to be able to include or omit a particular function as desiredwithout affecting any other software. This is accomplished by creating a group of softwaremodules that define any and all of their required parameters and/or support functions, exceptfor standard "operating system" parameters and functions. To accomplish this, each functionalmodule must include the assignment and allocation of all parameters and memory that itrequires. Each group must also provide any required initialization software that will beexecuted by the operating system during initialization of the card. Each software group isassigned a unique function code. This function code is used by the initialization software todefine which groups are to be made available for that particular configuration. This conceptallows software functions to be easily included in or deleted from other printed circuited cardscapable of performing that function. It also allows many different functional groups to beincluded in the firmware for a particular card, and through proper configuration only havethose required for a particular application be made available during initialization. This featurecan better utilize available memory and processor performance.

3.1.2 GENERIC SOFTWARE

The goal of generic software is to use the exact same software components wherever possible.Engineers configure selected components and dedicate them to particular application. Theapproach for accomplishing this is to separate all hardware dependent functions from theremainder of the software for a particular functional group. The software componentscontaining no hardware specific code can be used in any card requiring that function along withthe hardware specific code for that card. This requires that a standard interface exist betweenthe non-hardware specific modules and any hardware specific module. Also a standardinterface must exist for the "generic operating system".

3.1.3 ENHANCED NETWORK INTERFACE

The "Remote Status Array" has been expanded to support 256 remotes and to include a pathdefinition element and a "bridge" remote flag in the remote status word. This provides thecapability for a network call to any of 256 remotes system wide regardless of the topology ofthe system's communications network(s). The original Rev 6 software could only use networkcalls to send messages to remotes located on the same C-Link as the source remote. The newnetwork interface allows dynamic configurations, while keeping the network software interfacesimple. Items in the system, such as Operator Interface CRT stations (OIS), EngineeringWorkstations (EWS), and Historical Archive System (HAS) can be assigned remote numbers,making it much easier to transfer messages to these locations, and between these locations.

DSOO1-000-06 6 of 40 Rev C I


3.2 Communication Interface

3.2.1 C-Link Protocol

The SEP program is designed to handle the C-Link Protocol over two Ethernet communicationchannels. The detail design specification is defined in DS002-000-01 C-Link protocolComponent Design Specification.

3.2.2 Inter-Communication Link (ICL) Protocol

The SAP program is designed to handle the ICL Protocol over the ICL channels. The detaildesign specification is defined in DS002-000-02 ICL protocol Component DesignSpecification.

3.2.3 Universal Communication Protocol (UCP)

The HFC Universal Communications Protocol (UCP) is a general purpose protocol intended toallow information to be sent from any location within a system and received by any otherlocation within the system. The primary goal of the protocol is to allow any availablecommunications media and arrangement to be transparent to the original source and finaldestination of a message. Another goal is to provide a standardized software interface to thecommunications system, so that any applications layer software requiring the sending and/orreceiving of a message can achieve its goal independent of the arrangement of the systemconfiguration. Also, the creation of any new or different applications, requiringcommunications can be accomplished by adhering to the documented standardcommunications software interface procedure. The UCP is divided into multiple softwarelayers, with defined standard software interfaces between the various layers. This allowssoftware within the protocol to be expanded to support newly available hardwareconfigurations without violating the overall UCP requirements. These new softwareprocedures can interface with the other layers of the overall UCP thru the defined standardinterfaces. Another goal of the UCP is to provide general purpose communications capabilityin the most efficient manner possible. For example, every effort is made to eliminate the needof copying messages from one memory area to another.

The detail design specification is defined in DS002-000-03 UCP protocol Component DesignSpecification.

3.3 Timing Requirements

System response time requirement varies from different projects. Therefore, the design willsupport configuration of software components to provide optimal system response time.

3.4 Activation

The software described in this document covers all controller functionality. In general,activation can be best described as when power is applied. More specific activation detailscan be found for each software module as described in section 4.0

DSOO1-000-06 7 of 40 Rev C I


3.5 Design Methodology

All system utility software was strictly follow standard "Structured Programming" techniqueswhere ever possible. All parameter definitions, structure definitions, and macro definitionsrequired for more than one file should be specified in a single location (file), typically in an"INCLUDE" file.

The underlying principle behind the methodology is to be able to use the exact same files in asmany different applications during the software configuration process. In support of theprinciple, the software is organized in self-supporting modules that can be inserted or deletedas desired for various applications. This requires that modules define all of their requiredresources. All files within the module are divided into two categories. The first category of filescontains only applications specific information and contains no hardware specificrequirements. Any hardware specific information must be included in a dedicated file (or files).This provides the ability to include this module in different hardware by using all of the samefiles with the exception of the hardware specific file(s). New hardware specific files must becreated, and included in the module for this new hardware.

This method follows classical layered software techniques, where each layer supports differentaspects of the module. Applications layer software files should contain neither protocol layernor hardware layer information. Protocol layer files can be used on any hardware where thatprotocol is to be implemented. Hardware layer software files contain all hardware specificinformation for that protocol.

The software is designed to support two configurable controller platforms. These two platformsinclude multiple bus master controller platforms (such as "Multibus") and Personal Computer(PC) based platforms. The multiple bus master configuration can also be used to support singleboard applications. The macro "HWTYP" is used provide conditional assemble to supportthese two controller platforms.

For multi-processor controllers, the software requires that one processor called the"SYSTEM PROCESSOR" be responsible for overall controller initialization, resourceallocation, and overall controller monitoring. The "Operating System Software Component"supports two configurable versions, a "SYSTEM PROCESSOR" version and a"SUBORDINATE PROCESSOR" version. The macro "SYS PRO" is used to controlconditional assemble for creating either a system processor or subordinate processoroperating system version.

3.6 Software Structure

The software is divided into functional component types consisting of various executable and"INCLUDE" files. The following is an outline of the software files architecture. Depending onthe hardware and its required application, many of the items listed are selectable for differentapplications.

[

DS00 1-000-06 8 of 40 Rev C I


]

3.6.1 Design Description

This section presents descriptions of all system software components for this version. Itincludes HFC Generic Operating System (OS) and its utility software. The detail designdescriptions of OS are listed in DSOO 1-000-01, Operating System Component DesignSpecification.

DSOO1-000-06 9 of 40 Rev C I


3.6.1.1 Processor Initialization

]

3.6.1.1.1 System Controller Initialization

The system processor will initialize all global public memory areas. The following is a list ofpublic memory areas necessary to define the controller's configuration.

AREA STRUCTURE NAME FILE NAME

I

I

DSOO 1-000-06 10 of 40 Rev C I


DS001-000-06 11 of 40 Rev C I


]

3.6.1.1.2 Subordinate Processor Initialization

[

DSOO1-000-06 12 of 40 Rev C I


]

3.6.2 Data Structures

3.6.2.1 Memory locations of diagnostic area

The figure 1 illustrates the memory structure of the entire controller in Real Modeconfiguration. The diagnostic memory allocation and structure are also based upon thisconfiguration.

DSOO1-000-06 13 of 40 Rev C I


Figure I - Configuration Structure Definition

DSOO1-000-06 14 of 40 Rev C I


3.6.2.2 SUBPROC segment

[

3.6.2.3 PUBMEMRDIRSTR Structure

This structure defines the public memory allocation and related pointers. It is generic datastructure for HFC control systems.

I[I

DS001-000-06 15 of 40 Rev C I


]

3.6.2.4 PREMIEMRDIRSTR Structure

This is the structure of pointers direct to each processor's segment directory

]

3.6.2.5 PRSEGDIRSTR Structure

This data structure defines the processor related segment directories

[

DS001-000-06 16 of 40 Rev C I


]

3.6.2.6 DIAGSTRUC Structure

I I

This is the diagnostic data structures of diagnostic segment of each processor.

[I

DS001-000-06 17 of 40 Rev C I


DSOO1-000-06 18 of 40 Rev C I


3.6.2.7 Controller Configuration Structure

Figure 1 illustrates the memory allocation with defined data structure in HFC Real Modeconfiguration. [

]I

DS00 1-000-06 19 of 40 Rev C I


DSOO1-000-06 20 of 40 Rev C I


DSOO1-000-06 21 of 40 Rev C I


DSOO 1-000-06 22 of 40 Rev C , I


3.6.2.8 Dynamic CRC Memory Configuration Structure

The CRCMEM structure is used by the dyndiag.alO module's routines to determine whichareas of memory are to be runtime CRC checked. An array of these structures is setup in theHWTYPEINI.A10 file.

]3.6.3 Data Flow

3.6.3.1 System Diagnostic Software

[

]

3.6.3.1.1 Power up initialization diagnostic software

]

3.6.3.2 On-line diagnostic software

DS00 1-000-06 23 of 40 Rev C I


3.6.3.2.1 On-line diagnostic software for controller components

II

I

Table 1 - On-line diagnostic software - mailbox validation

Step Controller Function Hardware Diagnostic NoteInvolved Software

1 Subordinateprocessor

2 SystemProcessor

3 SystemProcessor

Table 2 - On-line diagnostic software and impact hardware


DSOO 1-000-06 24 of 40 Rev C I


1 ICLmicroprocessorin primarymode controller

2 Microprocessoron I/O card

3 ICLmicroprocessorsin both primaryand secondarycontrollers

4 Microprocessoron I/O card

5 ICLmicroprocessorsin both primaryand secondarycontrollers

II

]

DSOO1-000-06 25 of 40 Rev C I


]

3.6.3.3 On-line diagnostic software/for memory components

Table 3 - On-line diagnostic functions


1 Primary

2 Primary

3 Primary

4 Primary

DSOO1-000-06 26 of 40 Rev C I


5 Secondary6 Secondary

7

Secondary

8

Secondary

9

Primary

andSecondary

5 Secondary

6 Secondary

7 Secondary

8 Secondary

9 PrimaryandSecondary

[

DSOO1-000-06 27 of 40 Rev C I


1

3.6.4 Process Control

3.6.4.1 Self Test Operating Mode

I

DS0O1-000-06 28 of 40 Rev C I


]

3.6.4.2 Run Mode

I

DSOO1-000-06 29 of 40 Rev C I


DSOO1-000-06 30 of 40 Rev C I


]

3.6.4.3 Multitasking Operating Mode Applications Execution

I

DSOO1-000-06 31 of 40 Rev C I


DSOO 1-000-06 32 of 40 Rev C I


]

3.6.4.4 Processor Synchronization

I

DSOO1-000-06 33 of 40 Rev C I


3.6.4.5 Interface Functions

The operating system provides several interface functions that are available to all applicationsto use during multi-tasking operation. The detail design specifications of all interface functionsare listed in DSOO1-000-01 OS Component Design Specification.

4.0 Software Modules

All code for the operating system and its utility software, wherever possible, were configuredto be in the same "Code Segment". All local RAM memory required by the operating systemis configured to be in the same "Data Segment", including all processor stack areas. Thisallows any task or function to access any operating system memory variable using the "SS"register.

4.1 Operating System files

The following is a generic list of the software files required by the OS component software.Some of these modules are hardware specific. The hardware specific modules will have adifferent name for each type of hardware. This is represented in the list below by the phrase"HWTYPE". The module for a specific hardware type will have this phrase replaced by aunique name for that hardware.

4.1.1 Major filesii

DS001-000-06 34 of 40 Rev C I


1

4.1.2 System Processor Modules

[

DS00 1-000-06 35 of 40 Rev C I


]

.4.1.3 Modules for Enhanced Diagnostic

4.1.3.1 Common Modules for all SC, SAP, SEP

4.1.3.1.1 CRC16.A1O

4.1.3.1.1.1 Algorithm[

]

4.1.3.1.1.2 Activation

]

4.1.3.1.1.3 Entry and Exit/Process Control

]

4.1.3.1.2 DYNDIAG.A10

4.1.3.1.2.1 Algorithm[

DS001-000-06 36 of 40 Rev C I


1" 4

4•:• 4!ii ! ii~!!!!i•i!i!!?!i i•l? !iiii~i i~i

* 44' 4<4.


[

4.1.3.1.2.3 Entry and Exit/Process Control

[

]

4.1.3.1.3 RAM TST.A1O

This module performs the runtime RAM test functions.

4.1.3.1.3.1 Algorithm

I

DSOO 1-000-06 37 of 40 Rev C I


]


None of the routines are tasks within the OS but they are called directly from the OS tasks.

4.1.3.1.3.3 Entry/Exit and Process Control[

]

4.1.3.1.4 UCPTSK.A10

This module moves the OS timer stack variables to memory variables to prevent changes tostack variables when the task is inactive. No new algorithm is introduced.

4.1.3.1.5 UCPX88.OPS

This module performs the registers, task stack area, TCB and data line tests during runtime.

4.1.3.1.6 UTILX88.OPSThis module is created from the deposition of UCPX88.OPS to keep UCPX88.OPS under2,000 lines of code. It contains the code added to support the TCB and stack checking.

4.1.3.1.6.1 Algorithm

]4.1.3.1.6.2 Activation

[

4.1.3.1.6.3 Entry/Exit and Process Control[

]

DSOO1-000-06 38 of 40 Rev C I


4.1.3.1.7 DIAGERR.INC

It is the header file for specifying diagnostic error types. The changes for supporting theruntime diagnostic are the following equates:

4.1.3.1.8 DYNDIAG.INC

It is the header file to use for using the diagnostic functions. The data structures are:[

4.1.3.1.9 0SX88.1NC

This is an OS support include files. The changes for supporting the runtime diagnostic arethe following macros:[

DSOO1-000-06 39 of 40 Rev C I


4.1.3.2 SC Modules - SBCP6INI.A 10

This module performs the initialization of the SC processor. The changes for supporting theruntime diagnostics are:

4.1.3.3 SAP Modules - SAPIN.A 10

This module performs the initialization of the SAP processor. The changes for supportingthe runtime diagnostics are:[

4.1.3.4 SEP Modules - SEPINIAO10

This module performs the initialization of the SEP processor. The changes for supporting theruntime diagnostics are:

II

DSOO1-000-06 40 of 40 Rev C I

HF Controls

HFYCONTROLS CORPORATION

HFC-6000 Product Line (Pre-Developed Software - PDS)

TRACEABILITY MATRIX

R90t-O000-31 Rev H

,,7

K> :•

(' , ; • ,

Effective Date

Author

Reviewer

Approval

6-16-10

Nathan Reid

Charles McKinney

Ivan Chow

CopyrightP 2010 HF Controls Corporation

1 of 19

Traceability Matrix for SC, SAP, SEP, VHDL SW

Revision HistoryDate Revision Author Changes

12/21/08 A J. Taylor Initial Revision7/13/09 B J. Taylor Revised to:

1. Add customer technical specificationsection for top level system criticalcharacteristics.

2. List software requirements only3. List ERDI 111/0 cards only4. Remove Module Level and Hardware

Assembly columns and top levelrequirement list

9/24/09 C I. Chow Revised to:1. Add revision number to reference

document.2. Correct a few reference errors

10/2/09 D I. Chow Revised to:1. Correct the source code part number typo2. Add 40041-902 HFC-6000 Product Line

Component 19" Backplane TestProcedures

11/16/09 E I. Chow Revised to:1. Expand requirement traceability to CQ4

blocks and equation interpreter2. Ensure forward and backward traceability

for each requirement and source codecomponent.

3. Consolidate the Prototype Test andProduction Test columns into a single testcolumn.

1/13/10 F I. Chow Revised to include updated requirements forRS901-000-37 Rev. G

4/26/10 G I. Chow Revised to include updated requirements forRS901-000-37 Rev. H

6/8/10 H N. Reid Reference CR 2010-0131Revised to:1. Include expanded requirements for

RS901-000-37 Rev. I about terminationutilities.

2. Include documentation for firmware CRCchecking documented in DS001-000-06.

3. Include documentation for DS002-000-03,Appendix A UCP Messages For Inter-processor Communication, Rev. A.

RR901-000-31 2 of 19 Revision H I


Table of Contents

1.0 INTRODUCTION ........................................................................................ 4

2.0 TRACEABILITY MATRIX ...................................................................... 4

3.0 ABBREVIATIONS ..................................................................................... 4

4.0 REFERENCE DOCUMENTS .................................................................. 15

5.0 ATTACHMENTS ...................................................................................... 18

Table 1. HFC-6000 ERD 111 Pre-Developed Software (PDS) Traceability Chart ...... 5



1.0 INTRODUCTION

This document presents a traceability matrix for the HFC-6000 product line within theERDI 1 project. The purpose of this project was to qualify the platform used in ERDI 11in nuclear safety-related applications for United States Nuclear Power Plants.

2.0 TRACEABILITY MATRIX

The traceability matrix consists of a multi column table. The purpose and content of thematerial in each column is as follows:

Requirement Definition

Design Phase Reference

Source Code Reference

Source Code Review

Test

Contains the list of requirements. The first listing containsthe requirements list from the product line specification.Subsequent entries list the requirements for individualcomponent modules. This tabulation includes componentshaving both hardware and software functions.Requirements for strictly structural components have beengenerally omitted.

Lists the document and paragraph that addresses thespecific requirement listed. The document reference islisted without a paragraph reference if the entire documentapplies to a particular requirement.

Lists the source codes which are used for implementing therequirements.

Lists the document number assigned to the source codereview for an individual program or program file.

Lists the document number and paragraph reference for thetest that verifies a particular requirement.

3.0 ABBREVIATIONS

C-Link Communication LinkCPC Communication Protocol ControllerCPLD Complex Programmable Logic deviceCRC Cyclic Redundancy CheckDIP Dual In-Line PackageHFC HF ControlsICL Intercommunications LinkI/0 Input/OutputLED Light Emitting diodePLC Programmable Logic ControllerPROM Programmable Read-Only MemoryRAM Random Access Memory



Table 1. HFC-6000 ERDI I I Pre-Developed Software (PDS) Traceability Chart

Design Phase Reference Source Code Reference Source Code Review Test

Requirement DefinitionRS901-000-37 SC, SEP, SAP, CPLD Requirements for HFC-SBC06/ECS-SBC06 : "v -J...• ..

3.1 SC Firmware - Part Number 9120905-XX •'. . :•

I. The firetware shall provide the following functional capabilities during initialization before tasking operation:: U U __: ,

a. The HIFC-SBC06 hardware includes a set of onboard hardware DIP switches and jumpers for defining configuration DS001-000-01 ¶2.1 SBCp6INI Al0 SR001000073 TS901-000-02, ¶5.4

parameters. The firmware shall read these DIP switches and jumpers as part of its initialization sequence to obtain DS901-000-01 ¶5.1.1.1configuration parameters essential for controller operation. Table I lists the minimum configuration data to be supplied MS901-000-01 ¶4.1, 4.3, 4.4.1, 4.6

by the DIP switches and jumpers.b. The firmware shall configure chip select registers for the processor. It shall execute diagnostic tests for RAM, EPROM, DS001-000-01 ¶2.1 SBCP6NI. Al1 SROOI-000-073 TS901-000-02, ¶5.5

FLASH, and Dual Ported Memory (redundant remotes only). If the test results are satisfactory, the firmware shall MS901-000-01 ¶3.4. 4.4.1 SBCP6TST.AI0 SROO1-000-074 TN901-000-09, ¶3.8, 3.9

continue initialization and shall create the tasking environment for the pre-configured tasks. If the test results fail, the DS901-000-01 ¶5.1.1.1 PROM TST .Al SR001-000-070firmware shall report the error and stop executing. DSOO1-000-01 ¶3.6.3.1.1 RAM TST. A1l SROOI-000-071

CRC16. All SROO1 -000-060

c. The initialization routine shall initialize the hardware for operation. DSOO1-000-01 ¶2.1 SBCP6INI. PlO SROOI-000-073 TS901-000-02. ¶5.4DS901-000-01 ¶5.1 HW1000003.AlO SROOI-000-126

SYS INIT.All SROOI-000-158

d. The finnware shall also initialize particular software environment based on predefined configuration values for the DSOOI-000-01 ¶2.1, 3.1 SBCP6INI .Al SROO1-000-073 TS901-000-02, ¶5.4

processor. The firmware shall create data structures for storing the information. DS901-000-01 ¶5.1.2 BCCRCHA.ASM SROOI-000-014BLRQINI .AO SROO1-000-058CRC1A6.AO S ROO1-000-060IOIFPMEM.AlO SROO1-000-1 29MEMINIT.A10 SROOI-000-067SYSMEM.AlO SROO1-000-077X3INIT .A0 SROOI-000-139XC4INIT.AlO SROOI-000-141

e. The firmware shall initialize software structures for monitoring subordinate processors. This requirement includes DSOO1-000-01 ¶2, 2.1, 3.1 SYSMEM.A10 SROOI-000-077 TS901-000-02, ¶5.4setting configuration options for the subordinate processors and control of initialization sequence. SUB INIT.A10 SR001-000-075 TN901-000-09, ¶3.3

f The firumware shall support "write protection" option, ie. if the board is set to "write protect", firmware and application MS901-000-01 ¶4.1 SBCPINI .AIO SROOI-000-073 TS901-000-02, ¶5.1Iprogram cannot be updated during operation. BC CRCHA.ASM SR001-000-014

2. The firmware shall provide deterministic task scheduling: :, D' : , .. • , , .UX, . .7, ,.. z '

a. The firmware shall provide timing services based on lOins tick time. DSO0I-000-01 ¶2.4, 2.8,3.2 BCTDSRA.ASM SROOI-000-017 TS91-000-02,¶5.4, 5.9CQ3TIMER.AlI SROO1-000-115 TP0402 ¶4.6CQ4TMR.A10 SROO1-000-119OSTIMER.Al0 SROO1-000-068UCPX88. OPS SROOI-000-083

b. During nonnal operation, the firmware shall execute a task within regular intervals. This is referred to as tfte "context DSOOI-000-01 ¶2.2- 2.6,4 UCPX88.OPS SROO1-000-083 TS901-000-02, ¶5.9

switch" and is a configurable time period ACTIVA.A10 SROOI-000-056c. The firmware shall provide the following utilities for a task to give control back to the task scheduler: DSOO1-000-01 ¶$2.3.1 UCPX88.OPS SROO1-000-083 TS901-000-02, ¶5.9

RELINQ.Ai SROOI-000-072EXIT.A10 SROO1-000-065DELAY. A1l S ROO1-000-063OS TIMER.AIO SR0OI-000-068

i. Relinquish DSOOI-000-01- ¶2.3.1.1 UCPX88.DPS SROOI-000-083 TS901-001-23, ¶5. 1. 1.1DSOOI-000-01 ¶2.3.1,2 UCPX88.DPS SROOI-000-083 TS901-001-23, ¶5.1.1.2

ii. Delay DSOO1-000-01 ¶2.3.1.4 UCPX88.0PS SROOI-000-083 TS901-001-23, ¶5.1.2.1DSOO1-000-0 1¶2.3.1.5 UCPX88. DPS SROOI-000-083 TS901-001-23, 15.1.2.2

iii. Exit DSOOI-000-01 ¶2.3.1.3 UCPX88.0SP SROO-000-083 TS901-001-23, ¶5.1.4.1

DS001-000-01 "[2.3.1.6 UCPX88. OPS SROO-000-083 TS901-001-23, ¶5.1.4.2

iv. Remove DS001-000-01 ¶2.3.1.7 UCPX88.O PS SROOI -000-083 TS901-001-23, ¶5.1.3

d. The firmware shall support synchronization among difierent processors. DSOO1-000-01 ¶2.9 UCPX88.OPS SROOI-000-083 TS901-000-02, ¶5.9

RR901-000-31 5 of 19 Revision H

Traceability Matrix for SC, SAP, SEP, VHDL SWDesign Phase Reference Source Code Reference Source Code Review Test

Requirement Definitionf. The firmware shall allow tasks to be added during startup by configuration. DS001-000-01 ¶3.1.1.1, 3.1.1.5 UCPX88 .01PS SROOI-000-083 TS901-000-02, ¶5.9

e. The finnware shall allow tasks to be either dormant or active. If the task is dormant, the firmware shall allow the DS001-000-01 ¶3.1.1.2 -3.1.1.5 UCPX88.0PS SRO0I-000-083 TS901-000-02,¶5.9

dormant tasks to be activated during operation by running tasks.g. The firmware should support grouping of scheduled tasks. DSOOI-000-01 ¶2.4 UCPX88. OPS SROOI-000-083 TN901-000-09, $3.6h. The finrware should support task priority as long as the main task is ensured to be executed at least once within a DS0OI-000-01 92.4 UCPX88. OpS SR001-000-083 TN901-000-09, ¶3.7

context switch time.3. The firmware shall provide alarm notifications through LED's and system resources. MS901-000-01 ¶4.4,1 ALARM3 .A10 SR001-000-013 TS901-000-02, ¶5.6

ALARM4. A10 SR001-000-020BCALSMA.ASM SROOI-000-154FALREC.A10 SROOI-000-007

4. The firmware shall support redundancy and failovera. In a redundant remote, the firmware shall support either a primary or secondary operation when it starts up. DSOOI-000-01 912.9 SBCPbINI. Al SROOI-000-073 TS901-000-02 ¶5.10

DS0OI-000-08 ¶2.1MS901-000-01 ¶2.2, 3.7

b. As the primary controller firmware, it shall perform overall state monitoring and coordination for the controller. It shall DS001-000-01 $2.9 SBCP6INI .Al0 SROOI-000-073 TS901-000-02 T5.10also run the specific application program for the process under control. DSOOI-000-08 $2.4, 4.2 UcPXg8. 0PS SROOI-000-083

MS901-000-01 ¶2.2, 3.7 BC IOSSB.ASM SROOI-000-015c. As the secondary controller firmware, it shall function as a hot spare to take over operation on failure of the primary DSOOI-000-01 ¶2.9 SBCP6INI .A10 SROOI-000-073 TS901-000-02 ¶5.10

controller. Equalization of the application shall be performed from the primary controller to the secondary controller. DS001-000-08 ¶4.1 UCPX88. OPS SROO-000-083MS901-000-01 ¶2.2, 3.7 BCDROPA.ASM SR0OI-000-001

BLKCPY . AlO SR001-000-002BLKRCV. Al SR001-000-003C4COPY.A10 SR001-000-004C4SRCV.Al0 SR001-000-005DPMVER. Al0 SROOI-000-006FALREC. A10 SR001-000-007SYSINI .Al0 SROO1-000-076XCQ3CPY. A10 SROO1-000-009XCQ3RCV. All SROOI-000-010

XDPMXFR.AIO SROO1-000-011XFALCPY .AlO SROO1-000-012XXEQUAL.A10 SROO1-000-086

d. The firmnware shall synchronize with the subordinate processors tdrrun at the same operation mode, i.e. either primary or DSOOI-000-01 ¶2.9 SBCP61INI. A10 SR001-000-073 TS901-000-02 ¶5,10

secondary. DSOO1-000-08 ¶4.3 SYSPRI. A1 SROOI-000-008MS901-000-01 ¶2.2, 3.4, 3.7 I UCPX88. OPS SROOI-000-083UCPTSK .Al SROOI-000-079

e. The firmware shall support options for mnaintenance failover. MS901-000-01 T3.7 XXEQUAL.A10 SR001-000-086 TS002-000-01 ¶7.3.4

DSOO1-000-08 ¶2.5, 3.3DS901-000-0l ¶2.4.1.3

5. The firmware shall include a program task that executes the equation interpreter module. The requirements for the MS901-000-01¶2.3 CQ41NI.Al0 SROOI-000-1 16 (See CQ4 and Equationequation interpreter are found in Appendix B. The equation interpreter also processes analog block modules. The DS001-000-02 ¶2.4 CQ41NT.A10 SROOI-000-1 17 Interpreter Section below)requirements for the analog blocks are found in Appendix A DS001-000-03 CQ4MEM.AI0 SR001-000-118

DSOOI-000-09 BCIOSSB.ASM SR001-000-015EQUINI. A1 SROOI-000-064EQUMEM.AI0 SROO1-000-124

(See attachments for (See CQ4 and Equation

CQ4 and Equation Interpreter sections below)Interpreterr-equirement traces. )

6. The firmware shall provide sanity and watchdog checking. DS001-000-08 ¶2.4, 4.2 UTILTSK.A1 0 SROOI-000-085 T8901-000-02, ¶5.4

DS901-000-01 ¶2.4.1.2 TN901-000-09, ¶3.2___TP0402,__4.7

7. The firmware shall perform status checking of the subordinate processors. DSOO1-000-08 ¶2.4, 4.2 SYSPRI. A10 SROO1-000-008 TN901-000-09, T3.3

DS901-000-01 ¶2.4.1.2 SYSINI .A0 SROO1-000-0768. The firmware shall perform loop checking of the equation interpreter. DS001-000-08 ¶2.4, 4.2 SYSINI .A0 SROOI-000-076 TN901-000-09,¶3.3

DS901-000-01 $2.4.1.2 TS901-000-02, o5.5

RR901-000-31 6of 19 Revision H


Requirement DefinitionTP0402, T4.7

9. The firmware shall verify if the equation interpreter has completed at least once during a context switch. DSOOI-000-01 ¶2.4 BCIOSSB.ASM SROO1-000-015 TN901-000-09, ¶3.1EQUINI. AlO SR001-000-064

_SYSINI .AO SROOI-000-076

10. The firmnware shall provide database management to handle data output occurring in regular basis. MS901-000-0l ¶3.3 DBMTSK.Al0 SROOI-000-061 TS901-000-02, ¶5.9.8DBMOTL. AO SROOI-000-062PSLC3DBM.A10 SR001-000-114

11. The firmware shall support UCP messaging. The requirements for the UCP are found in section 3.4 of this document. MS901-000-01 ¶3.3 UCPX88. OPS SROOI-000-069 TS901-000-02, ¶5.7DS002-000-01 ¶2.5 PNMEMGR.A1O SRO0I-000-121

EQMSGTSK. ASM SROOI-000-084UNDEFTSK. AlO SROOI-000-079UCPTSK.A10 (See UCP section below)

(See UCP section belowfor its requirementtraces)

12. The firmware shall support dynamic database (DDB) broadcasting. See C-Link requirements for the details of the MS901-000-01 ¶3.3 DDBINIT.AlO SROOI-000-120 TS901-000-02, ¶5.9

DDB data requirements in section 3.2 of this document. BLRQINI. AlO SROO1-000-058BLRQMEM.A1 0 SR001-000-059BLRQ. ASM SR001-000-057

13. The firmware shall support 1/0 simulation. MS901-000-01 ¶3.4.1 IOSTSK .A0 SRR001-000-130 TS004-000-12

14. The firmware shall monitor remote status. MS901-000-01 ¶3.4 STATSK. P0O SROOI-000-138 TS901-000-02, ¶5.4, 5.5PKTXHG.AlO SR001-000-134 TP0402, ¶4.7INITOD.PlO SRO0I-000-127IOCSXFR.AlO SR00l-000-128PIPXFR.A10 SR0OI-000-133RESET. Pl0 SR001-000-135SET.lO SRO0t-000-136

15. Tihe firmware shall support MSS UCP communication. MS901-000-01 ¶3.3 OFLTSK. Al 0 SR002-000-001 TS901-000-02, ¶5.11

16. The firmware shall provide a timer service. DS001-000-01 ¶2.8 UCPX88. OPS SR001-000-083 TN901-000-09, ¶3.5OS TIMER.AI0 SR001-000-068

17. The firmware shall provide runtime diagnostics for the following: .. . . . .. . . . . .. :..: ........

Interrupt Vector Table DS001-000-06 ¶4.1.3.2 SBCP6INI. AlO SR001-001-026 TS901-001-022-TD6-TC5

DSOO1-000-01 ¶3.6.3.3.9Task Stack Area DSOOI-000-06 ¶4.1.3.1 CRC1 6.A10 SROO1 -001-010 TS901-001-022-TD6-TC2

DSOOI-000-01 ¶3.6.3.3.7 DYNDIAG.AlO SROOI-001-003 TS90t-001-022-TD6-TC4SBCP6INI.A10 SROOI-001-026UCPTSK.AI0 SR0O1-001-007UCPX88.0PS SROOI-001-008UTILX88.OPS SROOI-001-009

TCB Area DSOOI-000-06 ¶4.1.3.1 CRC16.A!O SROOI-001-010 TS901-001-022-TD6-TCIDSOOI-000-01 ¶3.6.3.3.7 DYNDIAG.AI0 SROOI-001-003 TS901-001-022-TD6-TC3

SBCP6INI .AIO SROOI-001-026UCPTSK.A10 SROOI-001-007UCPX88 OPS SR0O1-001-008UTILX88. OPS SR0O1-001-009

Firmware PROM/Flash DSOO1-000-06 ¶4.1.3.1 CRC16.Al0 SROOI-001-010 TS901-001-022-TD6-TC6

DSOO1-000-01 ¶3.6.3.3.9 DYNDIAG.AIO SROO1 -00l1 -003SBCP6INI. AIO SROO1-001-026UCPTSK.AI0 SROO1-001-007UCPX88. OPS SROO1-001-008UTILX88.OPS SR0OI-001-009

CPU Register (Including CS and [P) DSOOI-000-06 ¶4.1.3.2 SBCP6INI. A10 SROOt-001-026 TS901-001-022-TD6-TC7DSOOI-000-01 ¶3.6.3.3.8 TS901-001-022-TD6-TC8

TS901-001-022-TD6-TC9

CPU Data Lines DSOOI-000-06 ¶4.1.3.2 CRC16.AiO SROOI-001-010 TS901-001-022-TD6-TCIODSOOI-000-01 ¶3.6.3.3.8 DYN DIAG.AlO SROOI-001-003 TS901-001-022-TD6-TC II



Requirement DefinitionRAM TST.AlO SROO1-001-006SBCP6INI .A1O SROO1-001-026UCPTSK.A1O SROO]-001-007UCPX88.OPS SROO1-001-008UTILX88.OPS SROO1-001-009

Application Flash DSOOI-000-06 ¶4.1.3.2 CRC16 .A10 SROOI-001-010 TS901-001-022-TD6-TC6

DSOOI-000-01 ¶3.6.3.3.1 SBCP6INI .AIO SROOI-001-026UCPTSK.A10 SROO1-001-007UCPX88.0PS SROOI-001-008UTILX88.OPS SROO-001-009DYN DIAG.Al SRO0t-001-003

3.2 SEP C-Link Firmnware Part Number 9120907-XX .• .-I. The firmware shall provide the following functional capabilities during initialization before tasking operation: ; .... ,., .'--. : :'.-,,*< i : , ,.. ...

a. The firmware shall configure chip select registers for the processor. It shall execute diagnostic tests for RAM, EPROM, DSOOI-000-01 ¶2.1 SEPCPC .Al SR002-000-014 TS90I-000-02, ¶5.5

FLASH, and Dual Ported Memory. If the test results are satisfactory, the firmware shall continue initialization and DS901-000-01 ¶5.1.1.1 SEPINI .A1 SR002-000-015 TN901-000-09,¶3.8, 3.9

shall create the tasking environment for the pre-configured tasks. If the test results fail, the firmware shall report the MS901-000-01 ¶3.4 SEPTST. Al0 SR002-000-016

error and stop executing. DSOOI-000-01 ¶3.6.3.1.1 RAM TST.AlI S RO01-000-071PROMTST.A10 SROOI-000-070CRC16. Al SR0I1-000-060

b. The initialization routine shall initialize the hardware for operations. DSOOI-000-01 ¶2.1 SEPINI. A10 SR002-000-015 TS901-000-02, ¶5.4, 5.5

DS901-000-01 ¶5.1 NICINIT.All SR002-000-028

c. The firmware shall also initialize particular sofhvare environment based on pre-defined configuration values for the DSOO1-000-01 ¶2.1, 3.1 SEPINI.Al SR002-000-015 TS901-000-02, ¶5.4, 5.5

processor. The firmsware shall create data structures for storing the information. DS901-000-01 ¶5.1.2 SUB INIT. Al SROOI-000-075CPCINI. Al SR002-000-042DATAINIT . Al SR002-000-019

d. After successful completion of its local initialization, the firmware shall remain in a wait state until the main processor DSOOI-000-01 ¶2.9 SEPINI .Al SR002-000-015 TS901-000-02, ¶5.4

enables overall operation of the remote. MS901-000-01 ¶3.4

2. The firmsware shall provide deterministic task schedunling: .. ; - -... ".: ,,- -:

a. The firmware shall provide timing services based on lOims tick time DSOOI-000-01 ¶2.4, 28.83.2 SEPINI. Al SR002-000-015 TS901-000-02, ¶5.4, 5.5

UCPX88. PS SROI-000-083 TP0402 T4.6

b. During normal operation, the firmnware shall execute a task within regular intervals DSOOI-000-01 ¶2.2-2.6,4 UCPX88. OPS SR0I1-000-083 TS901-000-02, ¶5.4, 5.5

c. The firnware shall provide utilities for a task to give control back to the task scheduling. DS001-000-01 ¶2.3.1 UCPX88.OPS SR0OI-000-083 TS901-000-02, ¶5.4, 5.5

i. Relinquish DSOO1-000-01 ¶2.3.1.1 UCPX88.UPS SROOI-000-083 TS901-001-23, ¶5.1.1.1

DSOO1-000-0 1 ¶2.3.1.2 UCPX88. OPS SROII-000-083 TS901-001-23, ¶5.1.1.2

ii. Delay DS001-000-0l ¶2.3.1.4 UCPX88.UPS SROOI-000-083 TS901-001-23, ¶5.1.2.1

DSOOI-000-01 ¶2.3.1.5 UCPX88.0PS SROOI-000-083 TS901-001-23, ¶5.1.2.2

iii. Exit DS0OI-000-01 ¶2.3.1.3 UCPX88. oPS SROOI-000-083 TS901-001-23, ¶5.1.4.1

ODS001-000-01 ¶2.3. .1,6 UCPX 88 PS SR0O0-000-083 TS901-001-23, T5.1.4.2

iv. Remove DSOI-000-01 ¶2.3.1.7 UCPX88. OPS SROO-000-083 TS901-001-23, ¶5.1.3

d. The firmware shall allow tasks to be added during startup by configuration. DSOO-000-00 1 ¶3.1.1.1. 3.1.1.5 UCPX88. OPS SR0OI-000-083 TS901-000-02, ¶5.4, 5.5

e. The firmware shall also allow tasks to be activated during operation by running tasks. DSOO1-000-0 1 ¶3.1. 1.2 - 3.1.1.5 UCPX8 8.OPS SRO01-000-083 TS901-000-02, ¶5.4, 5.5

3. The firmware shall provide alarm notifications through LED's and system resources. MS901-000-01 ¶4.4.1 UCPX88. OPS SR011-000-083 TP0402, ¶4.5TS901-000-02, ¶5.4, 5.5

4. The firmware shall support redundancy and failover ,., ... <. ..- , .... - [. " .• -

a. In a redundant remote, the firmiware shall support either a prinmry or secondary operation automatically by matching the DS0OI-000-01 ¶2.9 SEPINI. Al SR002-000-015 TP0402 ¶4.7

state of the SC processor. DS001-000-08 ¶2.1 TS90t-000-02, ¶5.4, 5.5

RR9O~ ~ DS-0I000-0 T2.19ReiioRR901-000-31 8of 19 Revision H


Requirement DefinitionMS901-000-01 $3.7

b. Operating on the primary controller, the SEP firmware shall perform dynamic data (DDB) broadcast after initialization DS002-000-01 ¶4 DBMUTL .Al SROOI-000-062 TP0402 T14.7or failure. DDBPROC.Al 0 SR002-000-020 TS002-000-03 ¶7.1

c. As the secondary SEP firmware, it shall disable transmitting via the Etlhemet ports. In secondary, only communication DS002-000-01 ¶5.3.2, 5.3.2.2, 5.3.3.2 SEPINI .A0 SR002-000-015 TP0402 ¶4.7monitoring is etabled. NICINIT.Al SR002-000-028

d. Ihmediately afler beginning operation of the C-Link, the primary SEP controller shall begin an initialization sequence DS002-000-01 ¶$2.2, 3.1.1 SEPINI .A10 SR002-000-015 TP0402 ¶4.7in which it determines the total number of remotes ott the C-Link and its position within a token-passing sequence. TS002-000-03 ¶7.1

e. Between successive tiasterships of broadcasting data, both tlte primary and secondary SEP processors will receive data DS002-000-01 ¶5.3.3.2 DDBPROC.A10 SR002-000-020 TP0402 ¶4.7from lthe C-Link. The SEP ftrinware shall move that data to appropriate areas of public memory. For tlte secondary ANSffFLG.A10 SR002-000-017 TS002-000-03 ¶7.2.1SEP processor, the SEP firmware shall not process the dynamic database (DDB) filter data ATOKEN. Al SR002-000-018

DATAINIT .Al SR002-000-019GETPKT .Al SR002-000-021INTRRECV. Al SR002-000-022INTRTRAN .Al SR002-000-023LLCRECV.A10I SR002-000-024LLCTRAN. Al SR002-000-025PKTPRE P. Al SR002-000-029PTOKEN .AI SR002-000-030RECVHAN. Al SR002-000-031RESSND. A1 SR002-000-032RTNMSG. AO SR002-000-033SENDPKT. Al0 SR002-000-034TIMEOHAN. AO SR002-000-036TIMEIHAN.AlO SR002-000-037TIME2HAN .Al SR002-000-038TRANSERR .Al SR002-000-039TRANSHAN. Al0 SR002-000-040

5. The finatware shall support UCP messaging. Tite requirements for the inter-processing messaging are found in section MS901-000-01 ¶3.3 UCPTSK.A1O SR001-000-079 TS901-000-02, ¶5.73.4 DS002-000-01 ¶2.5, 5.2, 5.3 See UCP section below TS002-000-03 ¶7.1

DS002-000-03 for its requirementtraces.

6. The firnswarc shall depend on hardware CRC32 to validate data packets. DS002-000-01 ¶2.1, 2.3.2, 5.4.1 SEPINI. Al SR002-000-015 TS002-000-03 ¶7.3NICINIT.AlO SR002-000-028

7. When the SEP firmware receives updated data front the C-Link, it shall copy that data from its local private memnsory to DS002-000-01 ¶5.3.3.3, 5.4 ANSWFLG.Al0 SR002-000-017 TP0401 ¶4.3.2the public memory array. ATOKEN. A0 SR002-000-018 TP0402 ¶4.5

DATAIN IT. Al SR002-000-019 TS002-000-03 ¶7.2GETPKT .AI SR002-000-021

INTRRECV. Al SR002-000-022INTRTRAN. Al SR002-000-023LLCRECV. Al SR002-000-024LLCTRAN. Al SR002-000-025LPBKCHK. Al0 SR002-000-026

LPBKDRV. AIl SR002-000-027PKTPRE P.Al SR002-000-029PTOKEN. Al SR002-000-030RECVHAN. Al SR002-000-031RESSND .Al SR002-000-032RTNMSG. Al2 SR002-000-033SENDPKT. Al0 SR002-000-034TIMEOHAN. All SR002-000-036TIMEIHAN.AlI SR002-000-037TIME2HAN. Al SR002-000-038TRANSERR. All SR002-000-039TRANSHAN.Al0 SR002-000-040

8. The SEP firmware shall provide error counters to track error conditions on the C-Link. MS901-000-01 ¶3.3 LLCRECV. Al SR002-000-024 TP0402 ¶4.5

RR901-000-31 9 ofl19 Revision H


Requirement DefinitionLLCTRAN. Al SR002-000-025 TS002-000-03, ¶7.3

9. The SEP firmware shall make the C-Link error counters readily available in the public memory. DS002-000-01 '[2.4 LLCRECV.A10 SR002-000-024 TP0402 ¶4.5LLCTRAN. Al0 SR002-000-025 TS002-000-03, ¶7.3

10. The SEP firmware shall report its operational status to the main processor in regular time intervals MS901-000-01T ¶3.4 UCPTSK.A10 SROOI-000-079 TS901-000-02 ,5.41I. The finrware shall support a Token Passing method which is designed to ensure deterministic communication. DS002-000-01 ¶2.2, 3.1, 5.4.1 PTOKEN.A10 SR002-000-030 TRO02-000-15 ¶ 4.3, 4.4

ATOKEN. Al0 SR002-000-018a. Only the master of the token can broadcast data. DDBPROC. A10 SR002-000-020b. Each node on the link shall check the mastership at regular tfire intervals. RTNMSG.Al0 SR002-000-033c. Each node shall acknowledge and pass control of the network at its turn, even if it has no messages to broadcast. TIME 1HAN.A10 SR002-000-037d. The token and the DDB data to be broadcasted constitute a packet. TIME2HAN .AlO SR000-000-038

TRANSERR. AIl SR002-000-039Multiple masterships in one token passing cycle shall be prohibited. An error report shall be generated if multiple passtokens are received from other nodes within one token passing cycle.

12. The firmware shall operate on redundant IEEE 802.3 NIC channels (channel I and channel 2) with a separate NIC and DS002-000-01 T15.4.1, 5.4.1.2 NICINIT.A10 SR002-000-028 TR002-000-15 ¶ 4.3, 4.4

dedicated receive/transmit buffer ring for each channel.DS002-000-01 ¶2.3, 5.4.1.2 RECVHAN. A!0 SR002-000-031 TR002-000-15 $ 4.513. Upon reception of a broadcast packet on one channel, the firmware shall wait for a maximum of 512 ps on the other LPBKCHK.A10 SR002-000-026

channel. If the same message is not received on the other channel within this period, a fault exists in the system. This LPBKDRV.A10 SR002-000-027fault condition of channel errors will result in an error report.14. Tbe firmware shall provide recovery methods for the following fault scenarios: DS002-000-01 ¶3.2 RECVHAN.A10 SR002-000-031 TR002-000-15 ¶ 4.5

TIMEOHAN. Al0 SR002-000-036

a. Lost token - a node fails to pass token or communication error TIME1HAN. Al SR002-000-037b. Lost remote -a node stops claiming token TIME2HAN.A10 SR002-000-038c. New remote online TRANSERR.A10 SR002-000-039

so that "Master for a Moment" MFM token passing on the link.

15. It shall support input filter function according to application defined message types, DS002-000-01 ¶3.2 DBMUTL.A10 SR0101-000-062 TR002-000-15 ¶ 4.3, 4.4DDBPROC. A10 SR002-000-020

16. The firmware should provide a method for handing messages and tasks waiting oil a message. DSOO-000-01 ¶2.3.1.5 UCPX88. OPS SR001-000-083 TN901-000-09, ¶3417. The finrware shall provide runtime diagnostics for the following: , : • .. .>,,

Interrupt Vector Table DSOOI-000-06 ¶4.1.3.4 SEPINI .A10 SRO02-001-007 TS901-001-020-TD6-TC5DS001-000-0l1 ¶3.6.3.3.9

Task Stack Area DS001-000-06 ¶4.1.3.1 CRC26, Al0 SROO1 -001-010 TS901-001-020-TD6-TC2DS001-000-0 1 ¶3.6.3.3.7 DYNDIAG.Al0 SROO1 -001 -003 TS901-001-020-TD6-TC4

SEPINI. A0 SR002-001-007UCPTSK .A0 SROO1-001-007UCPX88.OPS SROO1-001-008UTILX88.OPS SROO1-001-009

TCB Area DS0OI-000-06 ¶4.1.3.1 CRC1 6. Al SROOI-001-010 TS901-001-020-TD6-TC IDS001-000-01 ¶3.6.3.3.7 DYNDIAG.AIl SROOI-001-003 TS901-001-020-TD6-TC3

SEPINI .Al0 SR002-001-007UCPTSK.Al0 SRO0I-001-007UCPX88. OPS SR00-001-008UTILX88.OPS SR001-001-009 _

Firmware PROM/Flash DS001-000-06 ¶4.1.3.1 CRC16.AI SR001-001-010 TS901-00l-020-TD7-TC IDS001-000-01 ¶3.6.3.3.9 DYNDIAG.AIl SROOI-001-003

SEPINI .AI SR002-001-007UCPTSK.AI SR001-001-007UCPX88.OPS SR001-001-008UTILX88.OPS SR001-001-009

CPU Register (Including CS and IP) DSOI-000-06 ¶4.1.3.4 SEPINI .All SR002-001-007 TS901-001-020-TD8-TC IDSOOI-000-01 ¶3.6.3.3.8 TS901-001 -020-TD8-TC2

I_ I TS901-001-020-TD8-TC3



Design Phase Reference Source Code Reference Source Code Review Test

Requirement DefinitionCPU Data Lines DS001 -000-06 ¶4.1.3.4 CRC1 6. A10 SROOI-001-010 TS901-001-020-TD9-TCI

DS001-000-01 ¶3.6.3.3.8 DYNDIAG.AlO SROOI-001-003 TS901-001-020-TD9-TC2RAMTST.AlO SROOI-001-006SEPINI .A10 SR002-001-007UCPTSK.A10 SROOI-001-007UCPX88.OPS SROOI-001-008UTILX88.OPS SROO1-001-009

3.3 SAP ICL Firmnware - Part Number 9120906-XX .- - -- - . 2K.. . .

1. The firmware shall provide tite following functional capabilities during initialization before tasking operation: -"- . .: > - iv..,,-. :

a. The finriware shall configure chip select registers for the processor. It shall execute diagnostic tests for RAM, EPROM, DS001-000-01 ¶2 1 SAPINI .A0 SR002-000-004 TS901-000-02, ¶55

and FLASH. If the test results are satisfactory, the firmnware shall continue initialization and shall create the tasking DS901-000-01 ¶5. 1. 1.1 SAPTST .AlO SR002-000-006

environment for the pre-configured tasks. If the test results fail, the firmware shall report the error and stop executing. MS901-000-01 ¶3.4 RAM TST.A1O SROO1-000-071

DSOO1-000-01 ¶3.6.3.1.1 PROMTST.AI0 SROO1 -000-070CRC16. AO SR001-000-060

b. The firmware shall initialize tile hardware for operations. DSOOI-000-01 ¶2.1 SUBINIT .A10 SROO01 -0110-075 TS901-0100-02, ¶5.4, 5.5

DS901-000-01 $_5.1Ic. The firnware shall also iiitialize particular software environment based on pre-defined configuration values for the DSO0I-000-01 ¶2.1, 3.1 SAPINI .Al SR002-000-004 TS901-000-02, ¶5.4, 5.5

processor. Tite firmware shall create data structures for storing the itformation. DS901-000-01 ¶5.1.2 SUB INIT.A10 SR001-000-075

d. As a minimum, the firmware shall include all valid commiand codes and definitions for all message structures for the DS002-000-02 ¶3 QIOTSK.A10 SR002-000-002 TS901-000-02, ¶5.4, 5.5

ICL protocol. Ie. After successfil completion of its local inlitialization, the finrware shall retaain in a wait state until the main processor DSOO1-000-01 ¶2.9 QIOTSK.A1O SR002-000-002 TS901-000-02, ¶5.4, 5.5

enables overall operation of tile remote. MS901-000-01 T3.42. The firmware shall provide deterministic task scheduling: > .. -. ' - :. 7 . i .. ..

a. The firmware shall provide timing services based on Innis tick time. DSOO1-000-0l ¶2.4, 2.8, 3.2 UCPX88.OPS SROOI-000-083 TS901-000-02,¶5.4, 5.5TP0402 T4.6

b. During nonral operation, the firmware shall execute a task within regular intervals DSOO1-000-0 ¶2.2 - 2.6, 4 UCPX88. OPS SROOI-000-083 TS901-000-02,¶5.4, 5.5ACTIVA.A1O SROOI-000-056

c. The firmware shall provide utilities for a task to give control back to the task scheduling. DSOO1-000-01 ¶2.3.1 UCPX88 OPS SROO1-000-083 TS901-000-02, 5.4, 5.5

i. Relinquish DSOO1-000-01 ¶2.3. 1.1 UCPX 88.OPS SR001-000-083 TS901-001-23, ¶5. 1. 1.1DSOO1-000-0I ¶2.3.1.2 UCPX88. OPS SROO1-000-083 TS901-001-23, ¶5.1.1.2

ii. Delay DSOO1-000-01 ¶2.3.1.4 UCPX 88. OPS SROO1 -000-083 TS901-001-23, ¶5.1.2.1

DSOOI-000-01 ¶2.3.1.5 UCPX88. OPS SR001-000-083 TS901-001-23, T15.1.2.2

iii. Exit DSOOI-000-01 ¶2.3.1.3 UCPX88. OPS SROOI-000-083 TS901-001-23, ¶5.1.4.1DSOOI-000-01 ¶2.3.1.6 oCPx 88. OPS SROOI-000-083 TS901-001-23. ¶5.1.4.2

iv. Remove DSOO1-000-01 ¶2.3.1.7 UCPX 88. OPS SROOI-000-083 TS901-001-23, ¶5.1.3

d. The firmware shall allow tasks to be added during startup by configuration. DSOO1-000-01 $3.1 .1.1, 3.1.1.5 UCPX88. OPS SROOI-000-083 TS901-000-02, ¶5.4, 5.5

e. The firmware shall also allow tasks to be added during operation by running tasks. DSOO1-000-01 T13.1.1.2 - 3.1.1.5 UCPX88. OPS SROOI-000-083 TS901-000-02, T5.4, 5.5

3. The firmware shall support alarm notifications through LED's and system resources. DSOOI-000-01 ¶4.4.1 QIOTSK. A1O SR002-000-002 TS901-000-02, ¶5.6

4. The firmware shall perfonn a scan cycle. During each scan cycle, tle firmnware shall poll each configured [CL station in DS002-000-02 ¶2.2, 3 QIOTSK.AlO SR002-000-002 TS002-000-01, ¶7.1, 7.2

tile sequence provided by tile configuration table. Each poll message shall be constructed to include: message code, CRC16.A1O SROO-000-060 TP0402 ¶4.5

address field, data field, and CRC16 Q10381NO. AlO SR002-000-010QIO38IN .Al0 SR002-000-01 IQTOINI .A

10 SR002-000-012

QIOUTL .AlO SR002-000-013

5. The finnware shall support redundancy and failover: ,,. - " -"

a. In a redundant remote, tite firnware shall support cither a primary or secondary operation automatically by matching the D3S001-000-01 ¶2.9 SAPINI. AO SR002-000-004 TP0402 ¶4.5state of the SC processor DS001-000-08 ¶2.1 TS002-000-01, ¶7.3

MS901-000-01 ¶2.2, 3.7b. In a redundant mode, the firmware shall send a secondary Ioopback message to one configured station between scan DS002-000-02 ¶2.3, 2.4 QIOTSK .AO SR002-000-002 TS002-000-01, ¶7.3.2

cycles. That station will retain status of the secondary toopback operation during a subsequent scan. QI0381N0.A10 SR002-000-0:0QIO38INI .A0 SR002-000-0 I

RR901-000-31 I1I of 19 Revision 1-


Requirement DefinitionQOINI .Al0 SR002-000-012QIOUTL. Al SR002-000-013

c. In a redundant mode, the secondary SAP processor finnovare shall monitor secondary loopback requests. When it DS002-000-02 ¶2.3, 2.4 QIOTSK.A!I SR002-000-002 TSO2-000-01, ¶7.3.2receives such a request message, it shall return a secondary loopback response to the I/O card that sent the request Q1038IN0. Al SR002-000-010

QI0381NI .AI0 SR002-00I0-01 IQIOINI .AI SR002-000-012QIOUTL .AI SR002-000-013

d. The primary SAP processor firmware shall write the address for any ICL station that fails to respond to its poll message DS002-000-02 ¶2.4 QI0TSK.A10 SR002-000-002 TP0402 ¶4.5to a fixed location in DPM. The secondary SAP processor firmware shall read that area of DPM and attempt to poll the Q10381N0 .A10 SR002-000-010 TS002-000-01, ¶7.3.3ICL station over its link. If the ICL station responds to this poll, the secondary SAP processor shall pass the response QI038IN1 .AO SR002-000-011data to the primary SAP processor via DPM. QIOINI. AO SR002-000-012

QIOUTL AlO SR002-000-0136. The firmware shall support UCP messaging. The requirements for the UCP messaging are found in section 3.4 of this MS901-000-01 ¶3.5.1 UCPMEMGR.A10 SR001-000-080 TP0402 ¶4.5

document. DS002-000-02 ¶3.3.1 UC PNMN A10 SR00 1-000-081 TS901-000-02, ¶5.7UCPNTW. Al 10 R001-000-082UCPTSK .All SROOI-000-079

7. The SAP code shall define fixed timeout delays for response timeout. DS002-000-02 ¶2.2 QI0TSK.A1O SR002-000-002 TP0402 ¶4.5TS002-000-01, T7.1, 7.3

8. When the processor receives a response message from one of the stations, the SAP firmware shall perform a CRCI6 DS002-000-02 ¶2.2. 3.0, 3.6 QIOTSK.AlO SR002-000-002 TP0402 ¶4.5validity check. If the CRC is not valid, the firmware shall log the error and reject the message. If the message is valid, Q038IN0.A10 SR002-000-010 TS002-000-01, ¶7.2it shall transfer all data received to the appropriate location of public memory. All error conditions reported by the QIO38INl .Al0 SR002-000-011conamunication hardware shall be logged. QIOINI. All SR002-000-012

QIOUTL. Ai SR002-000-013CRC16. Al0 SROO-000-060

9. The firmware shall monitor all error conditions and provide information through system resources. DS002-000-02 ¶2.2 QI OTSK. A10 SR002-000-002 TS002-000-01, ¶7.3.2QIO38IN0.AIA SR002-000-010QIO38IN1. AI SR002-000-01 IQIOINI .A0 SR002-000-012QIOUTL .A0 SR002-000-013

10. The lirntware shall report its operational status to the main processor in a regular time intervals. MS901-000-01 T13.4 JCPTSK.A1I SROOI-000-079 TS901-000-02 15.47T. The firmware shall provide runtime diagnostics for the following: A:7. % •IC2I 5 j v-1 < 1 • . •,• . ;• -..

Interrupt Vector Table DSOO1-000-06 ¶4.1.3.3 SAPINI .Al SR1112-001 -013 TS901-001-021 -TD2-TC5

DSOO1-000-01 T3.6.3.3.9Task Stack Area DSOO1-000-06 ¶4.1.3.1 CRC! 6.Al2 SROO1 -001-010 TS901-001-021-TD2-TC2

DSOOI-000-01 ¶3.6.3.3.7 DYN DIAG.Al0 SRO01-001 -003 TS901-001-021 -TD2-TC4SAPINI. A10 SR002-001-013UCPTSK.Al! SROO1-001-007UCOPX88.OPS SROOI-001-008UTLXSg .OPS SRO01-001-009

TCH Area DSOOI-000-06 ¶4.1.3.1 CRC16.Al SROOI-001-010 TS901-001-021-TD2-TCI

DS001-000-01 ¶3.6.3.3.7 DYNDIAG.AIA SROOI-001-003 TS901-001-021 -TD2-TC3SAPINI. Al SR002-001-013UCPTSK.A10 SRO01-001-007UCPX88.OPS SROO1-001-008UTLX88.O0PS SR0OI-001-009

Firmware PROM/Flash DSOO1-000-06 ¶4.1.3.1 CRC16.Al1 SROI0-001-010 TS901-001-021-TD3-TCI

DSOOI-000-01 ¶3.6.3.3.9 DYNDIAG.Al0 SROOI-001-003SAPINI. Al SR002-001-013UCPTSK .AI SR001-001-007UCPX88.ops SR001-001-008UTLX88.OPS SRO0(-001-009

CPU Register (Including CS and 1P) DS001-000-06 ¶4.1.3.3 SAPINI. Al0 SR002-001-013 TS901-001-02 I-TD4-TC IIDSI-000-01 3.6.3.3.8 1TS901-001-02 I -TD4-TC2

RR901-000-31 12 of 19 Revision 14


Requirement DefinitionTS901-001-021 -TD4-TC3

CPU Data Lines DS0O0-000-06 ¶4.1.3.3 CRC 16. A 10 SROOI-001-010 TS901-001-021 -TD5-TC I

DSOOI-000-01 ¶3.6.3.3.8 DYNDIAG.AlO SROO1-001-003 TS901-001-021 -TD5-TC2RAM TST.AlO SROOI-001-006SAPINI. AO SR002-001-013UCPTSK .AIO SROO1-001-007UCPX88.OPS SROOI-001-008UTLX88. OPS SR001-001-009

3.4 Universal Communication Protocol - - - - - .7. - -14 . --

I. A message sent using UCP shall identify the source task, destination task, request type, and request data. DS002-000-03 ¶2.1, 3.1, 3.2 UCPMEMGR.A10 SROOI-000-080 TS901-000-02 ¶5.4, 5.6, 5.8,UCPNMN.A10 SROOI-000-081 5.9, 5.10UCPNTWf. AlO SROOI-000-082UCPTSK. AlO SROOI-000-079

2. The request types shall include, but is not limited to, read data, write data, diagnostic request and download DS002-000-03 ¶3.1 UCPMEMGR.A10 SROOI-000-080 TS901-000-02 ¶5.4, 5.6, 5.8,UCPTSK. AlO SROOI-000-079 5.9,5.10

3. If the request requires a response, the destination task shall create a UCP message with the appropriate response data DS002-000-03 ¶3, ¶4 UCPMEMGR.A10 SROOI-000-080 TS901-000-02 ¶5.4, 5.6, 5.8,

and send it to the source task UCPNMN. AlO SROOI-000-081 5.9,5.10UCPNTW. AlO SROOI-000-082

4. The UCP shall support communication between processors on the same controller board. DS002-000-03 ¶3. ¶4 UCPTSK.A10 SROOI-000-079 TS901-0l00-02 ¶5.4, 5.6, 5.8,

DS002-000-03 ¶A.2 5.9, 5.10

5. The UCP shall support communication between processors on a controller and a MSS DS002-000-03 ¶3, ¶4 UCPMEMGR. AlO SR001-000-080 TS901-000-02, ¶5.7

UCPNMN.A1o SROO-000-081UCPNTW.AlO SROOI-000-082

3.5 VHDL PROGRAM CODE - - ..... .. . 7 - ..... '--: .<, - .

3.5.1 HFC-SBC06/ECS-SBC06 Controller . 7 r1. Iltshall manage the following hardware signals: •,,

1 J .-4.:.1. >... . ... .... ,' '. •<•: • 7i -

a. Address Decoding: I/O Addresses, Multiplexed address logic, Page Select Logic MS901-00-01 - ¶38; SBC6_CHSEL SBC6_CHtSEL.vhd SR004-000-001 TS901-000-02 - ¶5.4

DS901-000-75 - ¶3.2 (all) TRO02-000-12 - ¶ 1.4.2TROO1-000l-06 - ¶5.0.3TRO02-000-05 - ¶5.0.3

b. Data conversion between different sized busses of the SC, SEP and SAP processors on the hardware assembly MS901-000-01 -¶3.8; PBUSIF PBUSIF. vhd SR004-000-004 TS901-000-02 - ¶5.4

DS901-000-75 -¶3.2.2.2, 3.32. It shall allow reading ofconfiguration switches and controlling diagnostic LED displays. MS901-000-01 -¶3.8; SBC C-HSEL SBC6 CHSEL.vhd SR004-000-001 TR0O2-000-12¶5.4

DS901-000-75 -¶3.2.1.2 TR002-000-12 -¶1.4.2TROOI-000-06 - ¶5.0.2TRO02-000-05 - ¶5.0.2

3. It shall provide a lOims timer interrupt MS901-000-01 -¶3.8; SBC6_CHSEL SBC6 CHSEL.vhd SR004-000-001 TS901-000-02 -¶5.4

DS901-000-75 -¶3.2.1.8 TRO02-000-12 -¶1.4.2TROO 1-000-06 - ¶5,0.1TRO02-000-05 - ¶5.0.1

4. It shall include a clock for SOE event time tagging. The clock shall be based on a counter which will count in 100 MS901-000-01 -¶3.8; SBC6_SHARB SBC6_SHARB.vhd SR004-000-003 TS901-000-02 -¶5.4

microsecond increments. The counter size will be large enough to hold a 100 year count. MS901-000-01 -T¶3.9DS901-000-75 - ¶3.4.2.1

5. It shall arbitrate the access of each memory category by the individual microprocessors to achieve shared memory. MS901-000-01 -¶3.8; SBC6_SHARB SBC6_SHARB.vhd SR004-000-003 TS901-000-02 -¶5.4, 5.6, 5.7,

DS901-000-075 -¶3.4.2.2 5.8, 5.9, 5.10

6. It shall control the RESET/READY logic for the subordinate processors. MS901-000-01 -¶3.8; SBC6_386C SBC6_386C.vhd SR004-000-002 TS901-000-02 -¶5.4DS901-000-75 - ¶3.3.2.3 TRO02-000-12 ¶T1.4.1

TROOI-000-03 - ¶5.0.1TR002-000-03_-__5.0.-


Traceability Matrix for SC, SAP, SEP, VHDL SWDesign Phase Reference Source Code Reference Source Code Review Test•

Requirement Definition7. It shall provide chip selection and internal register access to the NIC interface MS901-000-01 -¶3.8; SBC_386C SBC6_386C.vhd SR004-000-002 TS901-000-02 -¶5.4, ¶5.6

DS901-000-75 - ¶3.3.2.1 TR002-000-12 ¶ 1.4. 1TRO01-000-03 -¶5.0.2TR002-000-03 - ¶5.0.2

3.5.2 HFC-DPM06 -. ''2 : .4• - -+ -<-.." •:

I. It shall enable the A-side and B-side controllers to read the value of the dip switches used to configure the remote MS901-000-01 -¶3.10 SBC6_DPM.vhd SR004-000-O05 TS9 1-000-02 -¶5.4, 5. 10number, the maximum number of remotes, and sequence identifier, DS901-000-75 -¶3.5.2 TP0402 - ¶4.7

2. Itshall enable each ontrollertoreadhfe sanityand primary status ofthe othercontroller. MS901 -000-01 -¶3.10,¶4.4.2 SBC6_DPM.vhd SR004-000-005 TS901-000-02 -¶5.10DS901-000-75 -¶3.5.2 TP0402 - 14.7

3. It shiall control operation of the status LEDS used to indicate sanity statts and primary status of both the A-side and B- MS901-000-01 -T¶3.10 SBC6_DPM.vhd SR004-000-005 TS901-000-02 - ¶5.10side controllers, and maintenance failover enabled. 'DS901-000-75 - ¶3.5.2 TP0402 - ¶4.7

4. It shall toggle the current state of the A-side and B-side controller s in response to a momentary pushbutton switch MS901-000-01 -¶3.110 SBC6_DPM.vhd SR004-000-005 TS901-000-02-¶5.10located on the front panel (one controller toggles to the primary state and the other toggles to the secondary state) DS901-000-75 -¶3.5.2 TP0402 - ¶4.7

5. It shall toggle the current stat of the A-side and B-side controllers in response to a loss of sanity on the primary MS901-000-01 -¶3.10 SBC6 DPM.vhd SR004-000-005 TS901-000-02 -¶5.10controller if the secondary controller is sane. DS901-000-75 - ¶3.5.2 TP0402 - ¶4.7

RR901-000-31 14 ofl9 Revision H


4.0 REFERENCE DOCUMENTS

Document Number/Title Revision400419-02 HFC-6000 Controller Test Procedure (19" Backplane) C400444-02 AI8M, Test Procedure B400449-02 HFC-AI4K Test Procedure B700901-04 HFC-DPM06 Requirement Specification C700901-05 HFC-SBC06 Requirement Specification B700901-06 HFC-6000 1O Requirements Specification, FDSOO1-000-01, Operating System Component Design Specification, CDSOO 1-000-02, Equation Interpreter Component Design Specification BDSOO1-000-03, CQ4 Block CDSOOI-000-06, System Component Design Specification CDSOO1-000-08, Redundancy and Failover Component Design spec CDS002-000-0 1, C-Link Protocol Design Spec DDS002-000-02, ICL Protocol Design Specification EDS002-000-03, UCP Protocol Component Design Specification BDS901-000-01 SBC06 DPM06, Module Detailed Design Specification DDS901-000-02 10 Board Module Detailed Design Specification BDS901-000-03 DO8J, Module Detailed Design Specification BDS901-000-04 DI1161, Detail Design Specification B.DS901-000-05 DC33 Detailed Design Specification D1DS901-000-06 DC34 Detailed Design Specification DI1DS901-000-07 A116F Detailed Design Specification EDS901-000-08 A08F Detailed Design Specification DDS901-000-11 A18M Detailed Design Specification CDS901-000-12 A14K Detailed Design Specification CDS901-000-75 HFC-SBC06 CPLD Design Specification CMS901 -000-01 SBC06 Module Design Specification GMS901-000-02 10 Board Module Design Specification C_RS901 -000-01 HFC-6000 Product Line Requirement Specification FRS901-000-37 SC, SAP, SEP, VHDL SW Requirement Specification ISR001-000-001 CSR00 1-000-002 CSR00 1-000-003CSR00 1-000-004 CSR001-000-005 CSR001-000-006 CSR00I-000-007 CSR001-000-008 CSR00 1-000-009 CSR001-000-010 CSR00 1-000-0 11 CSR001-000-012C


Traceability Matrix for SC, SAP, SEP, VHDL SWSROO1-000-013 cSROOI-000-014 CSROO1-000-015 ESROO1-000-017 CSRO01-000-018 CSROO 1-000-020 CSROO1-000-056 CSROO1-000-057 CSROO1-000-058 CSROO1-000-059 CSROO 1-000-060 BSROO 1-000-061 CSROO1-000-062 CSROO1-000-063 CSROO 1-000-064 ESROO1-000-065 CSROO1-000-067 CSROO1-000-068 CSROO1-000-069 CSROO1-000-070 BSROO1-000-071 BSROO1-000-072 CSROO1-000-073 CSROO1-000-074 CSROO1-000-075 CSRO0 1-000-076 ESROO1-000-077 CSROO1-000-079 CSROO1-000-080 CSR00 1-000-081 CSR001-000-082 CSR001-000-083 CSR001-000-084 CSR00I-000-085 CSR00I-000-086 CSR0 1 -000- 114 BSR00 1-000- 115 BSR00 1-000- 116 BSR00 1-000- 117 BSR001-000-1 18 BSR00 1-000- 119 BSR001-000-120 BSR001-000-121 BSR001-000-122 BSR001-000-123 BSR00 !-000-124 BSR001-000-125 B


Traceability Matrix for SC, SAP, SEP, VHDL SWSRO01-000-126 BSROO1-000-127 BSROO1-000-128 BSROO1-000-129 BSROO1-000-130 BSROO1-000-131 BSROO1-000-132 BSROO1-000-133 BSR001-000-134 BSROO1-000-135 BSROO1-000-136 BSROO1-000-137 BSROO1-000-138 BSROO1-000-139 BSROO1-000-140 BSROO1-000-141 BSROO1-000-142 BSROO1-000-154 BSROO1-000-155 BSROO1-001-003 ASROO1-001-006 ASROO1-001-007 ASROO1-001-008 ASROO1-001-009 ASROO1-001-010 ASROO1-001-026 ASR002-001-007 ASR002-001-013 ASR002-000-001 CSR002-000-002 CSR002-000-003 CSR002-000-004 CSR002-000-005 CSR002-000-006 CSR002-000-010 BSR002-000-01 1 BSR002-000-012 BSR002-000-013 BSR002-000-014 ASR002-000-015 ASR002-000-016 ASR002-000-017 ASR002-000-018 ASR002-000-019 ASR002-000-020 ASR002-000-021 ASR002-000-022 A


Traceability Matrix for SC, SAP, SEP, VHDL SWSR002-000-023 ASR002-000-024 ASR002-000-025 ASR002-000-026 ASR002-000-027 ASR002-000-028 ASR002-000-029 ASR002-000-030 ASR002-000-031 ASR002-000-032 ASR002-000-033 ASR002-000-034 ASR002-000-035 ASR002-000-036 ASR002-000-037 ASR002-000-038 ASR002-000-039 ASR002-000-040 ASR002-000-041 ASR002-000-042 ASR004-000-001 ASR004-000-002 ASR004-000-003 ASR004-000-004 ASR004-000-005 ATN901-000-09 Addendum to TP0402-Rev.F BTSO0 1-000-01 Component Test Procedure ATS002-000-01 ICL Functional Test ATS002-000-03 C-Link Functional Test ATS901-000-02 SBC06 DPM06 Prototype Test CTS901-000-04 All 6F Prototype Test BTS901-000-05 AI4K Prototype Test DTS901-000-07 AI8M Prototype Test BTS901-000-08 AO8F Prototype Test CTS901-000-09 DC33 Prototype Test DTS901-000-10 DC34 Prototype Test DTS901-000-11 DI161 Prototype Test BTS901-000-12 DO8J Prototype Test BTS901-000-23 Additional OS Testing ATS901-000-63 HFC-6000 23 Inch Controller Rack Production Test Procedure BTRO02-000-14, ICL Baseline Test Report ATRO02-000-15, C-Link Baseline test report A

5.0 ATTACHMENTSAttachment A - Traceability Matrix for CQ4 Requirements, Rev AAttachment B - Traceability Matrix for Equation Interpreter Requirements, Rev B



Attachment C - Traceability Matrix for I/O Modules, Rev A


HF Controls

HFC-6000 Qualification System

vs EPRI TR 107330

Operating Envelope

RR901-000-41

Rev. -B

Effective Date:

Prepared By:

Reviewed By:

Approved By:

6/18/2010

Ivan Chow

Jonathan Taylor

Ed Herchenrader

1 of 16

HFC-6000 Qualifying System vs EPRI TR 107330 Operating Envelope

Revision History

Date Revision Preparer Changes

2/4/10 A I. Chow Initial Revision6/11/10 B I. Chow Revised to correct the accuracy, response time,

timer dataCR 2010-0131

TABLE OF CONTENTS

ion PageSection

1.0

2.0

2.12.22.3

3.0

3.13.23.2.13.2.23.2.33.2.43.2.53.33.3.13.3.23.3.3

4.0

Desc

INTRODUCTIO

ript

N ...................................................................................... 3

REFERENCES AND ACRONYM S ....................................................... 3

Industry References .................................................................................... 3HFC References .......................................................................................... 4Acronyms ..................................................................................................... 4

HFC-6000 SYSTEM VS EPRI TR 107330 OPERATING ENVELOPES.5

General Performance ................................................................................ 5Environment Stress .................................................................................. 10Temperature and Humidity Stress .......................................................... 10Seismic Acceleration Tolerance ............................................................... 10Radiation Exposure Survivability .......................................................... 12Electro-Magnetic / Radio Frequency Interference (EMI/RFI) ................ 12Electrical Sustainability ............................................................................ 14Other Considerations .............................................................................. 15System Analyses ....................................................................................... 15Qualification Tests .................................................................................. 15Set of M odules ............................................................................................... 15

SUMM ARY .............................................................................................. 16

LIST OF TABLES

Table 1 - General Perform ance ..................................................................................... 5Table 2 - Seism ic Test Results ...................................................................................... 10Table 3 - EMJ/RFI Susceptibility Test Results ............................................................ 12Table 4 - EM/ERFI Emission Test Results .................................................................... 13Table 5 - Electrical Sustained Test Results .................................................................. 14

LIST OF FIGURES

Figure 1 - Seismic Acceleration Spectrum for HFC-6000 Test Specimen ....................... 11

RR901-000-41 2 of 16 Rev. B


1.0 IntroductionThis document describes the differences between the operating envelope of the HFC-6000Safety Control System qualifying through HFC project ERD 111 and the one specified inEPRI TR 107330-1996.

The HFC-6000 systems have been deployed as plant control systems for several nuclearpower plants in Korea with plant-specific configurations. In project ERDI 11, theHFC-6000 system was configured generically so that it could encompass a wide range ofapplications. Overall, the qualification results demonstrated an operating envelope thatmet or performed better than most plant-specific system conditions or acceptance criteria.

References to this document are listed in section 2.0.

In section 3.0, the operating envelope of HFC-6000 system and comparison to EPRI TR107330-1996 acceptance criteria are listed. The operating envelope is based on thequalification test results of the system and software enhancements afterward.RR901-000-37, ERD 111 Performance Envelope provides the description of how theenvelope is constructed. In the "Remarks" column, less than favorable/completedperformances, deviations, as compared to EPRI acceptance criteria are noted in bold-facedfonts. The deviation summary is listed in section 4.0.

When the HFC-6000 platform is configured for use with a plant-specific application, theimpacted deviations required for that application will undergo a retesting with the intent ofmeeting all applicable plant-specific acceptance criteria. The results of this retesting areexpected to meet or perform better than the acceptance criteria of EPRI TR 107330-1996 inrelated areas.

2.0 References and Acronyms

2.1 Industry References

EPRI TR 107330 Generic Requirements Specification for Qualifying a CommerciallyAvailable PLC for Safety-Related Applications in Nuclear PowerPlants, 1996

EPRI TR 102323 Guidelines for Electromagnetic Interference Testing in PowerPlants, Revision 1

IEEE C62.45 Recommended Practice on Surge Testing for Equipment Connectedto Low-Voltage (1000 V and Less) AC Power Circuits

RR901-000-41 3 of 16 Rev. B


2.2 HFC References

TN901-000-05 Addendum for TS901-000-23 Environmental Test Report, Rev. A

TN901-000-06 Addendum for TS901-000-29 Post Qualification Test Report, Rev. A

TN901-000-07 Addendum for TS901-000-34 Seismic Retest In House Test Report, Rev. A

TN901-000-08 Addendum for TS901-000-35 Seismic Retest Report, Rev. A

TN901-000-12 Clarifications to Qualification Test Results, Rev. A

TS901-000-22, ERD1 11, Baseline Testing Summary Report, Rev B

TS901-000-23, Environmental Test Report, Rev. C

TS901-000-25, EMI-RFI Test Report, Rev. C

TS901-000-28, Isolation Test Report, Rev. C

TS901-000-34, Seismic Retest In House Test Report, Rev. B

TS901-000-35, HFC6000 Seismic Retest Report, Rev. B

2.3 Acronyms

EMI Electro-Magnetic Interference

EPRI Electrical Power Research Institute

IEEE Institute of Electrical and Electronics Engineers

HFC Doosan HF Controls/HF Controls

NRC Nuclear Regulatory Commission

OBE Operating Basis Earthquake

PLC Programmable Logic Controller

RFI Radio Frequency Interference

RTD Resistive Temperature Detector

SSE Safe Shutdown Earthquake

TSAP Test System Application Program

TTL Transistor - Transistor Logic

RR901-000-41 4 of 16 Rev. B


3.0 HFC-6000 System vs EPRI TR 107330 Operating Envelopes

3.1 General Performance

The following table shows the general performance specification of HFC-6000 qualifying system.

Table 1 - General Performance

DeScriptions . HFC-6000 Performance EPRI Acceptance Remarks" " Criteria

EPRI TR 107330-1996A. Accuracy

16 Al Channels, 4mA to 20mA HFC-AI161Accuracy • + 0.1% over the entire range 4.3.2.1.2.B Perform better than

+ 0.35% of the entire range EPRI spec.

Linearity Linearity is demonstrated as the 5-step 5.3.A Accuracy Met EPRI spec.measurements can be plotted in a liner graph which A minimum five point

can fit the data with . _+0.1% accuracy: linearity check shall be madeon the analog I/O modules.

Linearity

20F

10--aie

0 20 40 60 80 100

Burst of Events (10% - 90% _< + 0. 1% accuracy at both 10% and 90% 5.4.A Perform better than

Step Wave Response) the analog I/O meets the EPRI spec.accuracy specification afteradjustment for loop time

effects

RR901-000-41 5 of 16 Rev. B


Descriptions .HFC-6000 Performance-- . . EPRIAcceptance Remarks

Criter~ia

EPRI TR173-1996

8 AO Channels, 4mA to 20inA HFC-AO8FAccuracy + 0.32 % over entire range 4.3.2.1.2.B Met or perform better

+ 0.32% of the entire range than EPRI spec.

Linearity Linearity is demonstrated as the 5-step 5.3.A Accuracy Met EPRI spec.measurement can be plotted in a liner graph which A minimum five pointcan fit the data with +0.32% accuracy: linearity check shall be made

on the analog 1/0 modules.

Linearity

20 -

18.

0 20 40 60 80 100

Burst of Events (10% - 90% + 0.32% accuracy at both 10% and 90% response 5.4.A Met EPRI specs.

Step Wave Response) the analog 1/0 meets theaccuracy specification afteradjustment for loop timeeffects

8 RTD 1000 Input Channels HFC-AI8MAccuracy Channels + 2'C accuracy for the 5-step 4.3.2.1.3.C Met EPRI specs.

measurements + 2 'C accuracy

70, 210, 350, 490, 630

RR901-000-41 6 of 16 Rev. B


Descriptionso- - - HFC-6000 Performance, -, . . .. EPRI Acceptance RemarksCriteriaEPRITR 107330-1996

Linearity Linearity is demonstrated as the 5-step 5.3.A Accuracy Met EPRI spec.measurement can be plotted in a liner graph which A minimum five pointcan fit the data with + 2°C accuracy: linearity check shall be made

on the analog 1/0 modules.

Linearity

700 -

600 1 6

500 -- oo{400

200 1

100

0 20 40 60 80 100

4 Pulse Input Channels HFC-AI4KAccuracy Rate Mode at 12 bit mode: 4.3.2.3.1.E Met EPRI sepc.

< + 0.1% at over the measured range 50Hz to Less than or equal to 0.1%

20k1Hz over the range

Accumulate Mode: 4.3.2.3.1 .E Met EPRI spec.Prescaler at 100, the accuracy is less than 0.1% Less than or equal to 0.1%

over the range

Linearity Linearity is demonstrated as the 5-stepmeasur•ment orI50Hz, 5k1-z, 10klHz, 15kHz, 19.5kHzcan be plotted in a liner graph which can fit the datawith +0.1% accuracy:

RR901-000-41 7 of 16 Rev. B


Descriptions .HFC-6000 Performance-... -- EPRI Acceptance RemarksCriteria

____________________......__,__ = EPRI TR 107330-1996

Linearity

25000

20000 . . . .

15000 -

10000 IM82 - * .- Iu

50000 080A989 -

0 5000 10000 15000 20000 25000

B. Response TimeDigital Response Time < 180ms 4.2.1 .A - lOOms or less The response time can

Analog Response Time 200ms to 380ms 4.2.1.A - IOOms or less be made lower withplantL specificimplementations. For

this, the requiredresponse time for theplant application isrequired to be met so

this is not considered tobe a major deviation.

C. 1/O Points (Points in parentheses were configured in thequalifying system)

Discrete 1/0 848 Digital 1/0 points for maximum configuration 4.2. .B - 400 discrete 1/0 Better than EPRI spec.(409 Digital 1/0 points) points

Analog 1/0 848 Analog 1/0 points for maximum configuration 4.2. .C - 100 analog 1/0 Better than EPRI spec.

(108 Analog 1/0 points) points

RR901-000-41 8 of 16 Rev. B


Decrtiptions HFC-6000 Performance ••PI. Acceptance RemarksCriteriaEPRI-TR 107330-1996, __________

Combined 1/0 848 1/0 points for any combinations of analog and 4.2.1 .D - 50 analog and 400 Better than EPRI spec.digital 1/O points discrete 1/O points(409 Digital I/O and 108 Analog I/O points)

D. Discrete Input Channels HFC-DC33, DC34, D1161 5.3.C - Trip and reset points Met acceptance criteria.Operate within the manufacturer's specs shall be within the

manufacturer's spec.E. Discrete Output Channels HFC-DC33, DC34, DO8J 5.3.D - Output states shall be Met acceptance criteria.

Operate within the manufacturer's specs within the manufacturer'sspec.

F. Serial Communication C-Link, ICL 5.3.E bit rates, signal levels, Met acceptance criteria.Channels Operate within manufacturer's specs. and pulse shapes shall be

within the specification ofthe protocol used.

G. Timer Function • + 1% of the timer setpoint value 4.4.3.F, 5.3.G - Variation Met acceptance criteria.shall be no greater than +I %,+3 scan cycles.

H. Failover Function Within lOOms, the failover completes successfully. 5.3.1, 4.3.4.7 - A successful Met acceptance criteria.failover should occur withthe manufacturer's failoverrequirements.

i. Loss of Power Response When power is lost, all digital output channels are 5.3.3 - All 1/0 shall move to Met acceptance criteria.on the deenergized states and all analog outputs the power off default and (No DC power sourcesassume a preset failsafe states. When power is power on default states and are used in HFC-6000stored, the digital and analog outputs would change normal operation shall system.)states only by valid controller output images. resume after restoration of

power.

RR901-000-41 9 of 16 Rev. B


3.2 Environment Stress

3.2.1 Temperature and Humidity StressFigure 4-4 of EPRI TR 107330 was used as the testing envelope for the HFC-6000 qualifying system. The overall variations are listedbelow:

1. Temperature range - 140 'F to 40 'F

2. Relative Humidity (RH) range - 5% RH - 90% RH non-condensing.

HFC-6000 system has demonstrated operability under these conditions in accordance with EPRI specifications. Performances of theanalog I/O cards have shown no significant deviations from the baseline performance.

3.2.2 Seismic Acceleration Tolerance

Table 2 shows the test results of HFC-6000 system in the seismic tests. Figure 1 shows the seismic tolerance spectrum, which HFC-6000used in the testing.

Table 2 - Seismic Test Results

Descriptions HFC-6000 Qualifying Condition and EPRI Acceptance Criteria • RemarksPerformance EPRI TR 107330-1996

Seismic Spectrum Safe Shutdown Earthquake (SSE) - lOg Figure 4-5 Maximum SSE of 14gmaximum acceleration. See figure 1. SSE - 14g maximum acceleration could not be obtained dueOperating Basis Earthquake (OBE) - lOg OBE - 9.75g maximum acceleration to the limitation of themaximum acceleration. See figure 1. laboratory equipment.

Operability One controller fails over to the secondary 4.3.9 - System shall continue to Met EPRI specs.controller during the first run of the SSE. operate while subjecting to 5 OBEsOne Al module stopped but resumed and i SSEs. All connections shalloperation after reset. remain intact, all modules shall remainThe test specimen was subjected to 6 OBE fully inserted, and no parts fall off.tests and 2 SSE tests.

RR901-000-41 10 of 16 Rev. B


HORIZONTAL AND VERTICAL.oFERATIN3 BASIS EARTHOLIAKE AND SAFE SHUTDOWN EARThQUAKE

REQUIRED RESPONSE SPECTRUM•

- I -I= -

*Fr eqUe n cy H-zi

0.1

I-----t.bc h Lin-t .. 23... -E S• E

Figure 1 - Seismic Acceleration Spectrum for HFC-6000 Test Specimen

RR901-000-41 11 of 16 Rev. B


3.2.3 Radiation Exposure SurvivabilityEPRI TR 107330 4.3.6. l.D and 4.3.6.2.D require the system must be operable within specification for radiation exposure of up to 1000RADS. While actual tests exposing HFC-6000 system to such radiation was not performed, analysis was done for the system for suchradiation exposure. The analysis concluded that HFC-6000 system does not show any vulnerability to such level of radiation exposure.There is no anomaly or deviation from the EPRI specifications.

3.2.4 Electro-Magnetic / Radio Frequency Interference (EMI/RFI)

The testing for EMI/RFI was performed in accordance with EPRI TR 102323-Ri. As stated in EPRI TR 107330 section 6.3.2, theEMI/RFI susceptibility tests shall be performed at 25%, 50%, 75% and 100% of the specified levels. However, due to schedulingconflicts and availability of the laboratory time, only 100% of all EMI/RFI susceptibility tests were performed. The susceptibility testsresults are summarized in Table 3 below.

Table 3 - EMI/RFI Susceptibility Test Results

Tests. HFC-6000 Performance EPRI Acceptance Criteria RemarksEPRI TR 102323-RI

RS 101 Not performed Not mentioned. RG 1.180 Revision 1 2003 statedEquipment that is not intended tobe installed in areas with strongsources of magnetic fields (e.g.CRTs, motors, cable bundlescarrying high currents) could beexempt from this test.

RS 103 Overall function operates normally EPRI TR 107330 6.3.2 - 25%, 50%, Met accepted criteria exceptexcept C-Link at below 70MHz 75% and 100% of radiated signal C-Link at 10 Vim signal

1OV/m from IOld-lz to 1GHz strength at below 70MHz.CS 101 All function operates normally EPRI TR 107330 6.3.2 - 25%, 50%, Met EPRI acceptance criteria.

75% and 100% of radiated signal6.3Vrms level from 30 Hz to 50 kHz

CS 114 The system operation degraded when EPRI TR 107330 6.3.2 - 25%, 50%, Deviated from 50kHz toexposed to the 103 dBttA from 50kHz 75% and 100% of test signal of 400MHz.to 400MHz. 103dB~tA from 50 kHz to 400 MHz

RR901-000-41 12 of 16 Rev. B


The summary of emission tests for HFC-6000 is shown in table 4.

Table 4 - EMI/RFI Emission Test Results

Tests HFC-6000 Perforimance EPRI Acceptance Criteria RemarksEPRI TR 102323-Rl

RE 101 All magnetic field emissions between Figure 7-2 shows the emission limits. All emissions met EPRI30Hz and IOOkkHz were within limits. 102323 acceptance criteria.

RE 102 Electric field emissions exceeded the Figure 7-4 shows the emission limits. Deviated from 30 MHz tolimits at various frequencies between: 800 MHz.30 MHz to 800 MHz.

CE 101 All emissions between 30Hz and 50 kHz Figure 7-1 shows the emission limits. All emission met EPRIon all power leads were within limits. 102323 acceptance criteria.

CE 102 Emissions were within specified limits Figure 2-1 shows the emission limits. Deviations at 110.2 kHz.except at 110.2 kHz.

As listed in tables 3 and 4, the HFC-6000 system shows deviations in both CS 114 and RS 103 tests at 100% radiated signal levels andthe emissions of the HFC-6000 system are over the limits of RE 102 and CE 102 tests. Note that these results were measured under thecondition that the HFC-6000 system was without a cabinet. These deviations will be eliminated when the HFC-6000 system is put insidea cabinet.

RR901-000-41 13 of 16 Rev. B


3.2.5 Electrical Sustainability

Table 5 shows a summary of electrical sustainability vs the requirements of EPRI TR 107330.

Table 5 - Electrical Sustained Test Results

Sustainability Tests IHFcA6000 Performance EPRI Acceptance Criteria RemarksEPRI TR 1073304996

Surge Withstand System operates normally 6.3.5 - peak amplitude of 3kV of Met acceptance criteria.throughout the test. various surge waveforms specified in

IEEE C62.45Power Quality The tests were performed 3 times 4.6.1.1 - Power Quality Tolerance Met 1077330 - 4.6.1.1.A, D, E,Tolerance during the qualifying process: F and I acceptance criteria.

1. Pre-qualification/Baseline2. Environment stress process3. During seismic acceleration

Electrostatic Discharge Subjected to 8 kV contact discharges EPRI TR 102323-RI Appendix B, Met acceptance criteria(ESD) Susceptibility and 15 kV air discharges of ESD test section 3.5

waveforms. No degradations to thesystem.

Class 1E/Non-Class 1E Sustain isolation voltage limits: 4.6.4 - apply 250 V dc and 600 V ac Met 250 V dc acceptanceIsolation 1. 250 V dc voltage each for 30 seconds criteria.

2. 600 V ac (283 V ac tested on For 600 V ac limit, some testssome modules) only showed 283 V ac limit due

to the limitation of testequipment but not the system.

RR901-000-41 14 of 16 Rev. B


3.3 Other Considerations

3.3.1 System AnalysesThe system analyses of HFC-6000 system were found to have the deviations in thefollowing areas:

1. Availability/Reliability EPRI TR 107330-4.2.3.3

a. Common Cause Failures were not considered

b. Surveillance Intervals were not considered

2. Setpoint Analysis Support EPRI TR 107330-4.2.4 was not performed

These analyses / inputs were considered to be project-specific or plant-specific. That wasthe reason they were omitted. These areas will be inputs to any plant specific application inthe determination of availability/reliability and setpoints in accordance with ISA 67.04.

3.3.2 Qualification TestsAll the applicable required tests of the operability and prudency tests specified in EPRI TR107330 section 5.3 and 5.4 were performed in the qualification process.

Since there is no coprocessor in the HFC-6000 system, 5.3.F, "Coprocessor OperabilityTest", was not part of the operability tests. For the "Failure to complete scan detection"test, it was decided that "Failover Operability" test could be used to cover that test. "NotApplicable for the HFC-6000 System" as stated in the qualification Master Test Plan wasmisleading and should be replaced as "Included in Failover Operability Test"'.

The Burst of Events (BOE) tests performed on the HFC-6000 system deviated from EPRITR 107330 5.4.A and were due to the scope of HFC-6000 system. The HFC-6000 systemdoes not cover the complete list of modules specified in 5.4.A. The TR 5.4.D, FaultSimulation Test, was covered by the "Failover Operability" test in the operability test set.

3.3.3 Set of ModulesEPRI TR 107330 provides guidelines for a broad spectrum of equipment intended to beused in nuclear power plants. As stated in section 1.4.2, page 1-6:

"A particular PLC platform may encompass a subset or superset of the requirements ofthis specification."

The HFC-6000 qualifying system as specified in the Topical Report, Rev. C, contains asubset of modules specified in EPRI TR 107330. Those modules, which are not includedin the current qualifying system, include:

1. Voltage-based Analog Modules - EPRI TR 107330-4.3.2.1.1

2. Thermal Couple (TC) Modules - EPRI TR 107330-4.3.2.1.4

3. Discrete AC Input Modules - EPRI TR 107330-4.3.2.2.1

4. TTL Input and Output Channels - EPRI TR 107330-4.3.2.2.3 and 4.3.3.2.4

RR901-000-41 15 of 16 Rev. B


5. Human/Machine Interface (HMI) Modules - EPRI TR 107330-4.5

Requirements related to these modules are not considered and, therefore, no deviationswith regard to the acceptance criteria related to these modules were discovered. However,HFC may file in the future an addendum to our Topical Report to include some or all ofthese modules as part of the available HFC-6000 nuclear safety platform.

4.0 SummaryOverall, the HFC-6000 system performance is favorably better than the operatingrequirements from EPRI specifications. The only major deviation from EPRIspecifications are related to the EMI/RFI compatibility. As stated above, when installedinside a cabinet, these deviations should be eliminated. HFC is committed to rerun theEMI/RFI tests and environment stress tests with future licensees / applicants to provideevidence to support this claim.

RR901-000-41 16 of 16 Rev. B

HF Controls

f- ,'

4W CONTROLS CORPORATION

HFC 56000 Controller and HFC-DPM06\,""SC, SAP, SEP Firmware,

VHDL Program Code Requirements Specification

RS90r-000-37 Rev I

UL

Effective Date:

Author:

Reviewer:

Approval:

6/3/2010

Eric Patrizi

V'

y A,

Gre orv Rochford


Copyright© 2010 HF Controls Corporation

1 of 17

SC, SAP, SEP, VHDL Program Code Requirement


10/17/06 AG J Taylor Draft1/12/07 A J Taylor Preliminary release8/18/09 B Gregory Rochford Revised to use SEP processor consistently

in the document.Updated firmware part numberinformation for SC, SEP, and SAP.Part of SCR 2492 resolution.

10/06/09 C G. Rochford CR2009-052211/11/09 D G. Rochford CR2009-0539

1. Expand requirements to include analogblocks and equation interpreter, UCP, C-Link and ICL2. Enhance requirements for SC, SAP,SEP and VHDL3. Follow guidance in WI-ENG-202

12/15/09 E G. Rochford Clarify requirements for the SBC6 DPMCPLD; Clarify C-Link requirements;Update appendices revisions

12/22/09 F J. Hall Add requirements for traceability fromdesign

1/7/10 G G. Rochford Revise requirements to address:1. Clarity for completeness of required

functions2. Importance ranking

2/3/10 H E. Patrizi Added runtime diagnostic requirements5/27/10 I E. Patrizi Expand requirements explicitly specifying

the following task termination methods:1. Relinquish2. Delay3. Exit4. Remove

RS901-000-37 2 of 17 Rev. I I


Table of Contents

Section Title Page

1.0 Introduction 41.1 Purpose ...................................................................................................... 4

1.2 S co p e ................................................................................................................. 4

1.3 Definitions, Acronyms, and Abbreviations ................................................. 4

1.4 References .................................................................................................. 5

1.5 Overview .................................................................................................... 5

2.0 Overall Description 52.1 Product PerspectivE ...................................................................................... 5

2.2 Product Functions ........................................................................................ 5

2.3 User Characteristics ...................................................................................... 6

2.4 Constraints .................................................................................................. 6

2.5 Assumptions and Dependencies .................................................................. 6

3.0 Specific Requirements 63.1 SC Firmware Requirements ......................................................................... 6

3.2 SEP firmware Requirements ....................................................................... 10

3.3 SAP Firmware Requirements .................................................................... 13

3.4 Universal Communication Protocol ............................................................ 15

3.5 VHDL Program Code ................................................................................. 15

4.0 Appendices 16

RS901-000-37 3 of 17 Rev.I


1.0 INTRODUCTION

1.1 PURPOSE

This document defines overall requirements for individual softwarecomponents/firmware which make up the platform firmware to be used by the HFControls (HFC) controller assemblies.

1.2 SCOPE

This document covers requirements for the SC, SEP, and SAP firmware code forcontrollers used in HFC control systems. The HFC-SBC06 and ECS-SBC06 assembliesinclude one each of these controller types. Functional differences in the operation of thefirmware will be determined by hardware configuration, which will be detected by thecode during its initialization sequence. Collectively, the software components/firmwareprovide a platform or operating system for applications to be executed to controlassociated I/O devices. Specific requirements demanded from the applications areaddressed in a project-by-project basis. The requirements described in this document areto indicate the overall capabilities the platform can provide.

1.3 DEFINITIONS, ACRONYMS, AND ABBREVIATIONS

1.3.1 Definitions

Deterministic Timing

Platform Software

SAP Processor

SEP Processor

SC Processor

Timing is deterministic if the time delay between stimulus andresponse has a guaranteed maximum and minimum. (NRCBTP 7-14 2007.)

Operating System type software which provides applicationinterfaces to monitor and control hardware.

ICL/PCC Processor or processor executes the SAIP firmware

C-Link/CPC Processor or processor executes the SEP firmware

Main processor or processor which executes the SC firmware

1.3.2 Acronyms and Abbreviations

C-Link

CPC

HFC

ICL

LED

MSS

NRC

NIC

PCC

SAP

SC

Communication Link

Communication Protocol Controller

Doosan HF Controls / HF Controls

Inter-Communication Link

Light Emitting Diode

Maintenance Sub-System for out of system programming

Nuclear Regulatory Committee

Network Interface Card

Programmable Communication Controller

Subordinate Synchronization Processor

System Control

RS901-000-37 4 of 17 Rev. I


SEP Subordinate Ethernet Processor

UCP Universal Communication Packet

V&V Verification and Validation

TCB Task Control Block

1.4 REFERENCES

700901-04 HFC-DPM06, Requirements Spec, Rev C

700901-05 HFC-SBC06, Requirements Spec, Rev B (Hardware)

NRC RG 1.172 Software Requirements Specifications for Digital ComputerSoftware Used in Safety Systems of Nuclear Power Plants,September 1997

RS901-000-01 HFC-6000 Product Line-Requirements, Rev. F

WI-ENG-202 Development of Software/Firmware Requirements Specification

1.5 OVERVIEW

In section 2, the overall descriptions of the software are described based on productperspective, product functions, user characteristics, constraints, assumptions anddependencies. In section 3, detail requirements of specific software components aredescribed.

2.0 OVERALL DESCRIPTION

2.1 PRODUCT PERSPECTIVE

The software product described in this document can be characterized as platformsoftware for HFC-6000 or ECS product line. HF Controls uses this software product tocreate an operation system platform for specific project to execute applications forperforming Instrumentation and Control (I&C) functions. The core platform has beenused for over 15 years. The requirements described in this document, although specificfor HFC-SBC06/ECS-SBC06, cover the complete platform the software productprovides.

2.2 PRODUCT FUNCTIONS

The HFC-SBC06 hardware assembly is designed for installation in a standard HFC-6000chassis. The hardware assembly has one SC processor section, one SAP processorsection, and one SEP processor section. The SC processor is designated as the mainprocessor. It executes the application program and monitors overall status for thecontroller. The SAP and SEP processors operate independently of the SC processor andindependently of one another. The SAP processor controls scan cycles with configuredI/O modules via a serial ICL. The SEP processor controls redundant serial interfaceswith the C-Link to enable controller-to-controller communication. The HFC-SBC06controller is typically configured to control one or more field processes via a combinationof discrete and analog I/O signals. It may be configured for either redundant or nonredundant operation.

The ECS-SBC06 hardware assembly is designed for installation on a special backplane inan ECS-06B I/O rack assembly. This controller assembly will use the same SC, SEP, andRS901-000-37 5 of 17 Rev. I


SAP firmware as the HFC-SBC06 assembly. Consequently, it will be functionallyequivalent to the HFC-SBC06 assembly except that it will communicate with ECS-1200NQ-Series I/O modules.

2.3 USER CHARACTERISTICS

The user interacts with the software product through hardware configuration/settings.There is no direct user software interaction without going through applications executedon the software product. In other words, the user characteristics are determined ordefined by the applications.

2.4 CONSTRAINTS

Since the software product is used in a nuclear power plant environment and theapplication to be executed on the software product can be safety-critical applications, thesoftware product is subject to HFC software V&V procedure for any changes ormodifications. In addition, the requirements described in this document shall adhere tothe guidance set forth in NRC RG 1.172

2.5 ASSUMPTIONS AND DEPENDENCIES

The requirements described are re-constructed as part of the required process for itsdedication to be used in nuclear safety application in accordance to EPRI TR 106439.Project specific requirements such as system response time should be addressed at thesystem level.

3.0 SPECIFIC REQUIREMENTS

The "shall" requirements are mandatory and the "should" requirements are ranked to beless important.

3.1 SC FIRMWARE REQUIREMENTS

The main processor executes the SC firmware, which provides an operating system to:

* Monitor and control the hardware module which it runs on

* Execute digital and analog applications for monitoring and controlling field I/Odevices.

The following are the specific requirements for the firmware:

1. The firmware shall provide the following functional capabilities during initializationbefore tasking operation:

a. The HFC-SBC06 hardware includes a set of onboard hardware DIP switches andjumpers for defining configuration parameters. The firmware shall read these DIPswitches and jumpers as part of its initialization sequence to obtain configurationparameters essential for controller operation. Table 1 lists the minimumconfiguration data to be supplied by the DIP switches and jumpers

RS901-000-37 6 of 17 Rev. I


Table l. DIP Switches and Jumpers Configuration Data

Switch/Jlumper JFunctionConfiguration Switches on HFC-SBC06/ECS-SBC06 Assembly

00 - RUN mode (normal operation)SW4-1 CO - Offline mode (no application code runs)SW4-2 OC - SIMULATION mode

CC - TEST mode.

SW4-3 Not used

SW4-4 Not used

SW4-5 C = DPM enabled - required for redundant controller configuration

SW4-6 C = Sanity enabled - required for maintenance failover function

SW4-7 C = SAP and SEP firmware download enabled

SW4-8 C = System processor firmware download enabled

Jumpers on HFC-SBC06 Assembly

Ji Controls program boot operation for the main processor:* When the jumper is installed, the main processor boots from PROM. If

the contents of PROM differ from that in flash, the code will be copiedto flash memory.

" When the jumper is removed, the main processor boots and operatesfrom firmware installed in its flash memory.

J8 Controls program boot operation for the SEP/C-Link and SAP/ICLprocessors:* When the jumper is installed, the C-Link and ICL processors boot and

run from onboard PROM. If S2 is positioned toward the board (writeenable), the firmware can be transferred to flash memory for theseprocessors.

* When the jumper is removed, the C-Link and ICL processors boot andoperate from firmware installed in their flash memories.

W2 Controls the Mode Select function for the network interface controller ofchannel 0:• With jumper installed on pins 1 and 2, TX+ is positive relative to TX- at

the transformer primary during idle states.* With jumper installed on pins 2 and 3, TX+ and TX- are the same

voltage during idle states.W3 Unused. The jumper should be installed on pins 1 and 2.

W5 Controls the Mode Select function for the network interface controller ofchannel 1:* With jumper installed on pins 1 and 2, TX+ is positive relative to TX- at

the transformer primary during idle states.* With jumper installed on pins 2 and 3, TX+ and TX- are the same

I_ voltage during idle states.W6 Unused. The jumper should be installed on pins 1 and 2.

RS901-000-37 7 of 17 Rev. I I


Switch/Jumper Function

J5 The operation of the transmit function for U 1 and U3 are not affected by PRI/or SANE/ status.

El, E2 Control internal timing options of the SYS/SC processor. These jumpersshould remain unused.

Configuration Switches on HFC-DPM06 AssemblyEight-position DIP switch identifies the binary sequence number for this remote onthe C-Link. When more than one remote exists, the sequence ID should be assignedin the order that the remotes are configured on the link. Valid sequence numbervalues are between zero and max remotes (SW4).

SW2 Eight-position DIP switch identifies the binary remote ID assigned to this remote.As a minimum, the firmware will accept codes from 0 to 255 as valid.

Eight-position DIP switch identifies the maximum number of remotes on the C-SW4 Link. As a minimum, the firmware will accept C-Link sequence codes from 0 to 31

as valid.

b. The firmware shall configure chip select registers for the processor. It shallexecute diagnostic tests for RAM, PROM, FLASH, and Dual Ported Memory(redundant remotes only). If the test results are satisfactory, the firmware shallcontinue initialization and shall creates the tasking environment for the pre-configured tasks. If the test results fail, the firmware shall report the error andstop executing.

c. The initialization routine shall initialize the hardware for operation.

d. The firmware shall also initialize particular software environment based onpredefined configuration values for the processor. The firmware shall create datastructures for storing the information.

e. The firmware shall initialize software structures for monitoring subordinateprocessors. This requirement includes setting configuration options for thesubordinate processors and control of initialization sequence.

f. The firmware shall support "write protection" option, i.e. if the board is set to"write protect", firmware and application program cannot be updated duringoperation.

2. The firmware shall provide deterministic task scheduling:

a. The firmware shall provide timing services based on 1 Oms tick time.

b. During normal operation, the firmware shall execute a task within regularintervals. This is referred to as the "context switch" and is a configurable timeperiod.

c. The firmware shall provide the following termination utilities for a task to givecontrol back to the task scheduling:

i. Relinquish

The calling/terminating task shall still be marked as an active task. (Seebullet f.)

RS901-000-37 8 of 17 Rev. I

SC, SAP, SEP, VHDL Promram Code Requirement

ii. Delay

The calling/terminating task shall still be marked as an active task but shallbe invoked during the next cycle with a delay set by the task.

iii. Remove

The calling/terminating task shall be removed from the task scheduling list.

iv. Exit

The calling/terminating task shall be marked as dormant task.

d. The firmware shall support synchronization among different processors.

e. The firmware shall allow tasks to be added during startup by configuration.

f. The firmware shall allow tasks to be either dormant or active. If the task isdormant, the firmware shall allow the dormant tasks to be activated duringoperation by running tasks.

g. The firmware should support grouping of scheduled tasks.

h. The firmware should support task priority as long as the main task is ensured tobe executed at least once within a context switch time.

3. The firmware shall provide alarm notifications through LED's and system resources.

4. The firmware shall support redundancy and failover:

a. In a redundant remote, the firmware shall support either a primary or secondaryoperation when it starts up.

b. As the primary controller firmware, it shall perform overall state monitoring andcoordination for the controller. It shall also run the specific application programfor the process under control.

c. As the secondary controller firmware, it shall function as a hot spare to take overoperation on failure of the primary controller. Equalization of the applicationshall be performed from the primary controller to the secondary controller.

d. The firmware shall synchronize with the subordinate processors to run at the sameoperation mode, i.e. either primary or secondary.

e. The firmware shall support options for maintenance failover.

5. The firmware shall include a program task that executes the equation interpretermodule. The requirements for the equation interpreter are found in Appendix B. Theequation interpreter also processes analog block modules. The requirements for theanalog blocks are found in Appendix A.

6. The firmware shall perform sanity and watchdog checking.

7. The firmware shall perform status checking of the subordinate processors.

8. The firmware shall perform loop checking of the equation interpreter.

9. The firmware shall verify if the equation interpreter has completed at least onceduring a context switch.

10. The firmware shall provide database management to handle data output occurring inregular basis.

RS901-000-37 9 of 17 Rev. I


11. The firmware shall support UCP messaging. The requirements for the UCP are foundin section 3.4 of this document.

12. The firmware shall support dynamic database (DDB) broadcasting. See C-Linkrequirements for the details of the DDB data requirements in section 3.2 of thisdocument.

13. The firmware shall support I/O simulation.

14. The firmware shall monitor remote status.

15. The firmware shall support MSS UCP communication.

16. The firmware shall provide a timer service.

17. The firmware shall provide runtime diagnostics for the following:

Interrupt Vector Table

Task Stack Area

TCB Area

Firmware PROM/FLASH

CPU Registers (excluding CS and IP)

CPU Data Lines

Application FLASH

3.2 SEP FIRMWARE REQUIREMENTSThe SEP processor on the HFC-SBC06 and ECS-SBC06 cards runs the SEP firmware,and it controls two 10BASET Ethernet links that are compliant with requirements ofIEEE 802.3. These links provide the controller interface with the redundant C-Link.Functional operation of the SEP processor will implement the major functionalrequirements for this firmware.



a. The firmware shall configure chip select registers for the processor. It shallexecute diagnostic tests for RAM, PROM, FLASH, and Dual Ported Memory. Ifthe test results are satisfactory, the firmware shall continue initialization and shallcreates the tasking environment for the pre-configured tasks. If the test resultsfail, the firmware shall report the error and stop executing.

b. The initialization routine shall initialize the hardware for operations.

c. The firmware shall also initialize particular software environment based on pre-defined configuration values for the processor. The firmware shall create datastructures for storing the information.

RS901-000-37 10 of 17 Rev. I I


d. After successful completion of its local initialization, the firmware shall remain ina wait state until the main processor enables overall operation of the remote.


a. The firmware shall provide timing services based on lOims tick time.

b. During normal operation, the firmware shall execute a task within regularintervals.


i. Relinquish

The calling/terminating task shall be marked as an active task. (See bullet e.)

ii. Delay

The calling/terminating task shall be marked as an active task but shall beinvoked during the next cycle with a delay set by the task.

iii. Remove


iv. Exit


d. The firmware shall allow tasks to be added during startup by configuration.

e. The firmware shall allow tasks to be either dormant or active. If the task isdormant, the firmware shall allow the dormant tasks to be activated duringoperation by running tasks.

3. The firmware shall provide alarm notifications through LED's and system resources.

4. The firmware shall support redundancy and failover

a. In a redundant remote, the firmware shall support either a primary or secondaryoperation automatically by matching the state of the SC processor.

b. Operating on the primary controller, the SEP firmware shall perform dynamicdata (DDB) broadcast after initialization or failover.

c. As the secondary SEP firmware, it shall disable transmitting via the Ethernetports. In secondary, only communication monitoring is enabled.

d. Immediately after beginning operation of the C-Link, the primary SEP controllershall begin an initialization sequence in which it determines the total number ofremotes on the C-Link and its position within a token-passing sequence.

e. Between successive masterships of broadcasting data, both the primary andsecondary SEP processors will receive data from the C-Link. The SEP firmwareshall move that data to appropriate areas of public memory. For the secondarySEP processor, the SEP firmware shall not process the dynamic database (DDB)filter data.

RS901-000-37 11 of 17 Rev. I I


5. The firmware shall support UCP messaging. The requirements for the inter-processing messaging are found in section 3.4 of this document.

6. The firmware shall depend on hardware CRC32 to validate data packets.

7. When the SEP firmware receives updated data from the C-Link, it shall copy that datafrom its local private memory to the public memory array.

8. The SEP firmware shall provide error counters to track error conditions on the C-Link.

9. The SEP firmware shall make the C-Link error counters available in the publicmemory.

10. The SEP firmware shall report its operational status to the main processor in regular

time intervals.

11. The firmware shall support a Token Passing method which is designed to ensuredeterministic communication.

a. Only the master of the token can broadcast data.

b. Each node on the link shall check the mastership at regular time intervals.

c. Each node shall acknowledge and pass control of the network at its turn, even if ithas no messages to broadcast.

d. The token and the DDB data to be broadcasted constitute a packet.

Multiple masterships in one token passing cycle shall be prohibited. An error reportshall be generated if multiple pass tokens are received from other nodes within onetoken passing cycle.

12. The firmware shall operate on redundant IEEE 802.3 NIC channels (channel 1 andchannel 2) with a separate NIC card and dedicated receive/transmit buffer ring foreach channel.

13. Upon reception of broadcast packet on one channel, the firmware shall wait for amaximum of 512 ýts on the other channel. If the same message is not received on theother channel within this period, a fault exists in the system. This fault condition ofchannel errors will result in an error

14. The firmware shall provide recovery methods for the following fault scenarios:

a. Lost token - a node fails to pass token or communication error

b. Lost remote - a node stops claiming token

c. Token collisions

so that "Master for a Moment" (MFM) token passing on the link.

15. The firmware shall support input filter function according to application definedmessage types.

16. The firmware should provide a method for handling messages and tasks waiting on amessage.

RS901-000-37 12 of 17 Rev. I I




Task Stack Area

TCB Area

Firmware PROM/FLASH


CPU Data Lines

3.3 SAP FIRMWARE REQUIREMENTS

Both HFC-SBC06 and ECS-SBC06 assemblies contain one SAP processor that controlscommunication with I/O modules configured on its ICL. The processor will control twophysical ICL channels that will function as a single logical link controllingcommunication with up to 64 physical slave stations.



a. The firmware shall configure chip select registers for the processor. It shallexecute diagnostic tests for RAM, PROM, and FLASH. If the test results aresatisfactory, the firmware shall continue initialization and shall creates the taskingenvironment for the pre-configured tasks. If the test results fail, the firmwareshall report the error and stop executing.

b. The firmware shall initialize the hardware for operations.

c. The firmware shall also initialize particular software environment based on pre-defined configuration values for the processor. The firmware shall create datastructures for storing the information.

d. As a minimum, the firmware shall include all valid command codes anddefinitions for all message structures for the ICL protocol.

e. After successful completion of its local initialization, the firmware shall remain ina wait state until the main processor enables overall operation of the remote.


a. The firmware shall provide timing services based on 10ms tick time.

b. During normal operation, the firmware shall execute a task within regularintervals.


i. Relinquish

The calling/terminating task shall be marked as an active task. (See bullet e.)

ii. Delay

RS901-000-37 13 of 17 Rev. I I


The calling/terminating task shall be marked as an active task but shall beinvoked during the next cycle with a delay set by the task.

iii. Remove


iv. Exit


d. The firmware shall allow tasks to be added during startup by configuration.

e. The firmware shall also allow tasks to be added during operation by runningtasks.

f. The firmware shall allow tasks to be either dormant or active. If the task isdormant, the firmware shall allow the dormant tasks to be activated duringoperation by running tasks

3. The firmware shall support alarm notifications through LED's and system resources.

4. The firmware shall perform a scan cycle. During each scan cycle, the firmware shallpoll each configured ICL station in the sequence provided by the configuration table.Each poll message shall be constructed to include: message code, address field, datafield, and CRC 16.

5. The firmware shall support redundancy and failover

a. In a redundant remote, the firmware shall support either a primary or secondaryoperation automatically by matching the state of the SC processor.

b. In a redundant mode, the firmware shall send a secondary loopback message tooneconfigured station during each scan cycle. That station will return status ofthe secondary loopback operation during a subsequent scan. The primary SAPprocessor firmware shall maintain a count of secondary loopback errors.

c. In a redundant mode, the secondary SAP processor firmware shall monitorsecondary loopback requests. When itreceives such a request message, it shallreturn a secondary loopback response to the I/O card that sent the request.

d. The primary SAP processor firmware shall write the address for any ICL stationthat fails to respond to its poll message to a fixed location in DPM. Thesecondary SAP processor firmware shall read that area of DPM and attempt topoll the ICL station over its link. If the ICL station responds to this poll, thesecondary SAP processor shall pass the response data to the primary SAPprocessor via DPM.

6. The firmware shall support UCP messaging. The requirements for the UCPmessaging are found in section 3.4 of this document.

7. The SAP code shall define fixed timeout delays for response timeout.

8. When the processor receives a response message from one of the stations, the SAPfirmware shall perform a CRC16 validity check. If the CRC is not valid, thefirmware shall log the error and reject the message. If the message is valid, it shalltransfer all data received to the appropriate location of public memory. All errorconditions reported by the communication hardware shall be logged.

RS901-000-37 14 of 17 Rev. I I


9. The firmware shall monitor all error conditions and provide information throughsystem resources.

10. The firmware shall report its operational status to the main processor in a regular timeintervals.



Task Stack Area

TCB Area

Firmware PROM/FLASH


CPU Data Lines

3.4 UNIVERSAL COMMUNICATION PROTOCOL

Universal Communications Protocol (UCP) is an HFC proprietary point-to-point protocolthat allows data to be transferred among (operating system) tasks in a multi-layerdistributed HFC control system. The UCP shall support the following requirements:

1. A message sent using UCP shall identify the source task, destination task, requesttype, and request data.

2. The request types shall include, but is not limited to, read data, write data, diagnosticrequest and download.

3. If the request requires a response, the destination task shall create a UCP messagewith the appropriate response data and send it to the source task.

4. The UCP shall support communication between processors on the same controllerboard.

5. The UCP shall support communication between processors on a controller and aMSS.

3.5 VHDL PROGRAM CODE

3.5.1 HFC-SBC06/ECS-SBC06 Controller

The VHDL code on the controller shall support the following requirements:

1. It shall manage the following hardware signals:

a. Address Decoding: I/O Addresses, Multiplexed address logic, Page Select Logic

b. Data conversion between different sized busses of the SC, SEP and SAPprocessors on the hardware assembly.

2. It shall allow reading of configuration switches and controlling diagnostic LEDdisplays.

3. It shall provide a 1 Oms timer interrupt.

RS901-000-37 15 of 17 Rev. I I


4. It shall include a clock for SOE event time tagging. The clock shall be based on acounter which will count in 100 microsecond increments. The counter size will belarge enough to hold a 100 year count.

5. It shall arbitrate the access of each memory category by the individualmicroprocessors to achieve shared memory.

6. It shall control the RESET/READY logic for the subordinate processors.

7. It shall provide chip selection and internal register access to the NIC interface.

3.5.2 HFC-DPM06

The VHDL code on the DPM06 card supports the following functions:

1. It shall enable both the A-side and B-side controllers to read the value of the dipswitches used to configure the remote number, the maximum number of remotes, andsequence identifier

2. It shall enable each controller to read the sanity and primary status of the othercontroller

3. It shall control operation of the status LEDs used to indicate sanity status and primarystatus of both the A-side and B-side controllers, and maintenance failover enabled.

4. It shall toggle the current state of the A-side and B-side controllers in response to amomentary pushbutton switch located on the front panel (one controller toggles to theprimary state and the other toggles to the secondary state)

5. It shall toggle the current state of the A-side and B-side controllers in response to aloss of sanity on the primary controller if the secondary controller is sane

4.0 APPENDICES

Appendix A - C04 Analog Block Requirements

Appendix A, CQ4 Common Requirements, Rev. B

Appendix 1, CQ4AAV Block, Rev. A

Appendix 2, CQ4AIC Block, Rev. A

Appendix 3, CQ4ANO Block, Rev. A

Appendix 4, CQ4AVG Block, Rev. B

Appendix 5, CQ4CAL Block, Rev. A

Appendix 5A, CQ4ADD Block, Rev. A

Appendix 5B, CQ4DIV Block, Rev. A

Appendix 5C, CQ4MUL Block, Rev. A

Appendix 5D, CQ4SUB Block, Rev. A

Appendix 6, CQ4CHP Block, Rev. B

Appendix 7, CQ4CHR Block, Rev. A

Appendix 8, CQ4CTF Block, Rev. A

RS901-000-37 16 of 17 Rev. I I


Appendix 9, CQ4CUT Block, Rev. A

Appendix 10, CQ4DHA Block, Rev. C

Appendix 11, CQ4DLA Block, Rev. C

Appendix 12, CQ4DLT Block, Rev. A

Appendix 13, CQ4FLO Block, Rev. B

Appendix 14, CQ4FTC Block, Rev. B

Appendix 15, CQ4HSL Block, Rev. B

Appendix 16, CQ4LLG Block, Rev. B

Appendix 17, CQ4LSL Block, Rev. B

Appendix 18, CQ4MAB Block, Rev. B

Appendix 19, CQ4MAV Block, Rev. A

Appendix 20, CQ4MSL Block, Rev. B

Appendix 21, CQ4MSS Block, Rev. B

Appendix 22, CQ4PAT Block, Rev. A

Appendix 23, CQ4PID Block, Rev. B

Appendix 24, CQ4PLY Block, Rev. A

Appendix 25, CQ4RAS Block, Rev. C

Appendix 26, CQ4RMP Block, Rev. C

Appendix 27, CQ4RTO Block, Rev. B

Appendix 28, CQ4SQR Block, Rev. B

Appendix 29, CQ4SSL Block, Rev. B

Appendix 30, CQ4SSR Block, Rev. B

Appendix 31, CQ4XTR Block, Rev. B

Appendix B - Equation Interpreter Requirements

Appendix B, Equation Interpreter Requirements, Rev. D

RS901-000-37 17 of 17 Rev. I I

HF Controls

4HF-CONTROLS CORPORATION

,'ý,">HFC-6000 Product Line

Addeniduiimito TS901-000-23 Rev CEnvironmental Test Summary Report

V

,RevWA\ ]i,, .7 ' ,

Effective Date 12/9/2009

Author/Title Jonathan Taylor

Reviewer/Title Charles McKinney

Approval/Title Ed Herchenrader

I< . I

CopyrightP 2009 HF Controls Corporation

1 of 23

Addendum for TS901-000-23 Rev C


12/2/09 AO J. Taylor Draft12/7/09 A J. Taylor Initial release

Table of Contents

1.0 INTRODUCTION ...................................................................................... 3

2.0 SC O PE .......................................................................................................... 3

3.0 ERATTA ....................................................................................................... 3

3.1 Paragraph 6.1.3 - Results ........................................................................... 33.2 Paragrapn 6.1.4 - Anomalies ....................................................................... 33.3 Paragraph A.2 - Automatec Accuracy Test ............................................ 43.4 Table A.2.2 ................................................................................................... 53.5 Paragraph A.5 - Digital Response Time test ............................................. 53.6 Paragraph A.7 - Communication test ...................................................... 53.7 Paragraph A.9 - Digital BOE test ............................................................. 63.8 Paragraph A.10 - Analog BOE test ........................................................... 63.9 Paragraph B.2 - Automated Al Accuracy Test ....................................... 73.10 Paragraph B.5 - Digital Response time Test .......................................... 113.11 Paragraph B.9 - Communication Operability ....................................... 133.12 Paragraph B.10 - Timer Test .................................................................... 193.13 Paragraph C.3 - Analog BOE Test ........................................................ 20

TN901-000-05 2 of 23 Rev A


1.0 INTRODUCTION

This document is an addendum for TS901-000-23, Environmental Testing SummaryReport, Rev C. The purpose of this addendum is to correct errors in content and analysisin the baseline test report. The reason for issuing these corrections as an addendum ratherthan a new revision to document TS901-000-23 is to optimize the review process beingundertaken by the Nuclear Regulatory Commission (NRC) personnel.

2.0 SCOPE

This addendum corrects errors of content and errors in the analysis of data contained inRev C of TS901-000-23. It also restores some of the data erroneously deleted from thereport during preparation of the previous revisions.

3.0 ERATTA

Corrections are listed in the order of contents in TS901-000-23 Rev C. The referenceindicates whether the replaces the corresponding contents of the base document or merelyaugments it.

3.1 PARAGRAPH 6.1.3 - RESULTS

3.2 PARAGRAPN 6.1.4 - ANOMALIES

[

TN901-000-05 3 of 23 Rev A


]

3.3 PARAGRAPH A.2 - AUTOMATEC ACCURACY TEST

II

Table A.2.1. Automated AI Accuracy TestBaseline Data

ine Starp .. gon ilueof 2,AO,81,1Iogged Value De.via.ion.l,BL.506 - Value of ].AL88.1

, Time-Stamp Algorithm Yaiue of 1,AO6,921! .. gged Value' Deviation

2,BL,215 - Value ol ],AO,921__ _ __ _ __ _ __ _ __ _ _I I__ _ _ _ I I__ _ _ _ _ _ 1 _ _ _ _ __ _ _ _ _

+ + t I-

Pre-Environmental TestTime Stamp [ Algorithm Value of 2,AO,81 J• !0ggYlaue 7 Devladgn:

1,BL,506 - Value of l.AI,881

+

TN901-000-05 4 of 23 Rev A


Tim-e Stamp, m!orithm Value 0f:.,,ql 921 LoggedýValueý Deviation

?,BL,215 - Value (?f l.AO,92l

4- 4- 4 4-

-I- ± 4 4-

4- 4- 4 4

-4- ± t 4-

+ + 4-i

3.4 TABLE A.2.2

]

3.5 PARAGRAPH A.5 - DIGITAL RESPONSE TIME TEST

II

I

3.6 PARAGRAPH A.7 - COMMUNICATION TEST

II

I

TN901-000-055of3RA 5 of 23 Rev A


Table A.7.1. C-Link Error Counters at Pre-Environmental Test.

•Tag Name Time Stamp Value Description

1,C0,10 CPC Counter1,C0,10 CPC Counter1,C0,10 CPC Counter1,C0,11 CPC Counter

1,C0,11 CPC Counter1,C0,11 CPC Counter1,C0,11 CPC Counter3,C0,10 CPC Counter3,C0,10 CPC Counter3,C0,10 CPC Counter3,C0,11 CPC Counter

3,C0,11 CPC Counter

3.7 PARAGRAPH A.9 - DIGITAL BOE TEST

[

I

3.8 PARAGRAPH A.10 - ANALOG BOE TEST

II

I

TN901-000-05 6 of 23 Rev A


Table A.10-1. Analog BOE - Pre Environmental TestAl BOE Channels

10% 90%Channel Max A Max A Test

From 10% From 90%1,AI,882 1

(1,BL,510) 2

1,AI,884 1(1,BL,514) 2

1,AI,901 1(1,BL,516) 2

AO BOE Channels10% 90%

Channel Max A Max A TestMax Ave Min Max Ave Min rm 0From 10% From 90%

1,AO,843 I(2,BL,201) 2

I,AI,924 1(2,BL,209) 2

Al to AO BOETest I Test 2

1,BL,510 [2,BL213 [ Deviation 1,BL,510 2,BL213 Deviation

________ I___ I___________L____________I ___________ ____________ ___________

4. 4. 4 4 4-

4 4. 4 +

4 + 4 -4.-.

4 4 4 4 .4-

4 4 4 4 .4

4 4 + +

4 4 + 4 .4-

I

3.9 PARAGRAPH B.2 - AUTOMATED Al ACCURACY TEST

[

I

TN901-000-05 7 of 23 Rev A


Table B.2.1. Al Accuracy Test during Environmental StressTest at Hieh Temperature

Time Stamp Algorithm Value of 2,AO,81 Logged ValueDeviationi

l,BL.506 - Value of lIA,88]

+ + 4

+ + 4 4-

-4- -4- + 4-

,'~-,0: ime Stamp , - [ Algorithm IVaIueoUf O,921 Logge'd9alue Deviation

2,BL,215 - Value of]L,AO,921

F F 1

F F 4 4-

F F 1 4-

i i 4 4-

Test Durinz Ramiv Down I..... ..t.mp J Algorithm Va.ue.of2,Ao, ged Value eDev6ationr

1,BL,506 - Value of],AL881

F gr•ime Stamp _Algorithm Value of 1,AO,921 Logged Value uDeviation

2,BL.2.15 - Value of'],40,921

F _______________________________________ __________________ I _______________________ __________________ 1--4 4 F F-

TN901-000-05 8 of 23 Rev A


Test Durin2 Ramp Down 2

Tes

Tes

Time Stamp Algo ith'm _Value42f;AO81 Logged Value' Deviiati-ni

IBL,506- Value of l,Ai.881

Time Sta............ Value of .AO,92. Logged Value Deviation

2,BL,215 - Value of 1,AO ,921

st at Low Temperature

I gQrith' tValue of 2,___'6,8_

l,BL,506- Value of J,A, 881

>Time Stamnp ,iAIli-rithm. Value of 1,AO,9211 Logige'Dd Value 1-Deviation

2,BL,215 - Value of l.AO,921

st at Ambient Temperature 1'I i I meStamp T _lgorithm Vatue of 2,AO,81 'Logged ValueDev•eiation.

I.BL,506 Value oflAI.881

Time Stamp Aloihtn Valu of l,AO,92ij LoggedV.aiue Deviation]2,BL,215 - Value of L.AO,921

TN901-000-05 9 of 23 Rev A


Test at Ambient Temperature 2Time i Algorithm Value of 20,A,81, Logged Vaeue Deviation

I,BL,506 - Value of 1,A].88]

Time Stamip Algorithm Value of 1A0,921 Logged Value Deviation

2,BL,215 - Value of 1.AO,921

Test at Ambient Temperature 3Time Stamp .L ýAIgorithm IValue Of 2,AO;81 JLoggedNVaiue UDeViation,

1,BL,506- Vahli of I,Al.881

Time Stamp Algorithm . Value of I,AO,921 Logged Value Deviation'2,BL,215 - Value ofl.AO,921

I

TN901-000-05 10 of 23 Rev A


I

3.10PARAGRAPH B.5 - DIGITAL RESPONSE TIME TEST

I

Table B.5.1. Automated Digital Response Time Test Results.

Baseline Results (ms)Log Point S0461714 S0490012

MIN AVE MAX MIN AVE MAX4,DI,14,DI,24,DI,34,DI,44,DI,54,DI,64,DI,74,DI,8 - 4,DI,9

High Temperature Phase Test Results (ms)Log Point S0531712 S0532049

MIN AVE MAX MIN AVE MAX4,DI,14,DI,24,DI,34,DI,44,DI,54,DI,64,DI,7

TN901-000-05 I1I of 23 Rev A


Ramp Down Phase Test Results (ms)Log Point S0541158


Low Temperature Phase Results (ms)Log Point S0550657 S0550948


Ambient Phase Test Results (ms)Log Point S0551442 S0551656


TN901-000-05 12 of 23 Rev A


3.11PARAGRAPH B.9 - COMMUNICATION OPERABILITY

Table B.9.1.1. C-Link Error Counters - 140 'F.

Tag Name Time~ Stamp Value Description

1,c0,101,C0,111,C0,113,C0,1 1

3,C0,1 13,C0,10

B.9.2 Ramp Down Period

[

TN901-000-05 13 of 23 Rev A


[

Table B.9.2-1. C-Link Errors during Ramping Down Period.

Tag Name Time Stamp Value Description

1,C0,10 CPC Counter1,C0,10 CPC Counter1,C0,10 CPC Counter

1,C0,11 CPC Counter

1,C0,11 CPC Counter

1,C0,11 CPC Counter1,C0,11 CPC Counter3,C0,10 CPC Counter3,C0,10 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter

3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter

3,C0,11 CPC Counter3,C0,11 CPC Counter

3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter3,C0,11 CPC Counter

3,C0,11 CPC Counter3,C0,11 CPC Counter3,CO,111 CPC Counter3,C0,11 CPC Counter

3,00, 11 C__________ PO Counter

[

I

TN901-000-05 14 of 23 Rev A


Table B.9.2.2. ICL Error Counters - Ramp Down Period

Station Car sart End ýCh ,angei Start Time ~Stop Time Duration CommentsTye CutCountf_______

Remote 1 d-h-m-s

0 KPD16

1 KPD16

3 KPD16

5 KDI16

6 KDO87 KDO8

9 PCC03 PCC069 PCC03 PCC0610 PCC06 PCC0610 PCC06 PCC061,6 KD116 Rack 2

'179 KPDIQ6. Rack 219 KD8I6, Rack 220 : iKPD6 ,___ I Rack 2

22 KD116 Rack 223 KDO8 Rack 224 KDO8 Rack225, KDII6 Rack 226 KPDI6 0"11p Rack 236 KD11637 KDI16

38 KDO8 ___

39 KDO840 KD0848 KAIO49 KA0 16

50 KAIO __

51 KAIO52 KA116 ______

53 KA11654 KAO856 KAI857 KAIO58 KAI8 A14K59 KAI8 AI4K60 KAI8

[

TN901-000-05 15 of 23 Rev A


ITable B.9.3.1. C-Link Error Counters at 40'F.

Tag Name .Time Stamp Valueii Description

1,C0,11 CPC Counter1,CO,11 CPC Counter1,CO,11 CPC Counter

3,CO,11 CPC Counter

3,CO,11 CPC Counter

3,CO,11 CPC Counter

3,CO,11 CPC Counter3,CO,11 CPC Counter3,CO,11 CPC Counter

1,C0,10 CPC Counter

3,C0,10 CPC Counter

]

Table B.9.3.2. ICL Error Counters at 40 'F.

'Card 'Sta rt EndStat..e Change ,Start Ti Stop Time' Duration CmmentsTye Count ~Count

Remote 1

0 KPD16

1 KPD16

3 KPD16

5 KDI16

6 KDO8

7 KDO8

9 PCC03 PCC069 PCC03 PCC06

10 PCC06 PCC06

10 PCC06 PCC0616 KDI16

17 KPD16

19 KDI16

TN901-000-05 16 of 23 Rev A


ýstation•Card - Start End mehang St Time Stop T Du CSType Count CountChne SatTm StpT Dutinomns

20 KPD1622 KDI1623 KDO824 KD0825 KDI1626 KPD1636 KD11637 KDI1638 KD0839 KD0840 KDO848 KAIO49 KA0850 KAIO51 KAIO52 KAI1653 KAI1654 KAO856 KAI857 KAIO0 KAI8 AI4K0 KAI8 AI4K

60 KAI8

B.9.4 At Ambient Room Temperature

Table B.9.4.1. C-Link Error Counters at Ambient Room Temperature.

1ame Time Stamp Value Description

1,C0,11 CPC Counter1,C0,11 CPC Counter1,CO,11 CPC Counter3,CO,11 CPC Counter3,CO,11 CPC Counter3,CO,11 CPC Counter

1,C0,10 CPC Counter3,00,10 GPO Counter

TN901-000-05 17 of 23 Rev A


[

1.

Table B.9.4.2. ICL Error Counters at Ambient Room Temperature.

Station Card Start End .......... t im top Time Duration Comments______ 1Type Count CountChne Sat ~to Tm Dutinomns

Remote 1 d-h-m-s0 KPD161 KPD163 KPD165 KD1166 KDO87 KDO80 PCC03 PCC060 PCC03 PCC060 PCC06 PCC060 PCC06 PCC0616 KD11617 KPD1619 KDI1620 KPD1622 KDI1623 KDO824 KDO825 KD11626 KPD1636 KDI1637 KDI1638 KDO839 KDO840 KDO848 KAIO49 KAO850 KAIO51 KAIO52 KAI1653 KA11654 KAO856 KAI857 KAIO0 KAI8 A14K0 KAI8 AI4K

60 KAI8

TN901-000-05 18 of 23 Rev A


3.12PARAGRAPH B.10 - TIMER TEST

Table B.10.1. Automatic Timer Test ResultsS0532049 Averaged 4,D1,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterHigh On

Temp Off

Test Total

S0550948 Averaged 4,DI,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterLow On

Temp Off

Test Total

S0551656 Averaged 4,D1,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterAmbient On

Test

(used as Off

baseline) Total

I

TN901-000-05 19 of 23 Rev A


]

3.13PARAGRAPH C.3 - ANALOG BOE TEST

II

TN901-000-05 20 of 23 Rev A


I

Table C.10.1. Analog BOE - Environmental Stress Test SummaryAl BOE Channels

10% 90%Channel Max Max Test

Max Ave Min Deviation Max Ave Min Deviation

PT1

PT21,AI,882 HT

(1,BL,510) LT

A

PT1

PT21,AI,884 HT

(1,BL,514) LT

APT1PT2

1,AI,901 HT

(1,BL,516) LT

A

AO BOE Channels

TN901-000-05 21 of 23 Rev A


Al to AO BOEPre Test 1 Pre Test 2

1,BL,510 2,BL213 Deviation 1,BL,510 2,BL213 Deviation

HT LT1,BL,510 2,BL213 Deviation 1,BL,510 2,BL213 Deviation

TN901-000-05 22 of 23 Rev A


AT I AT

1,BL,510 I 2,BL213 I Deviation I 1,BL,510 I 2,BL213 Deviation

I. 4 1

i i .1 i4

4. 4 .4 .4 .4-

4. + 4 .

4. + *4 .4 .4

TN901-000-05 23 of 23 Rev A

HF Controls

f

IHF CONTROLS CORPORATION

x<?HFC-6000 Product Line

Addenidumto TS901-000-29 Rev B

PostKQualification Testing Report

\ :TN901-000-06

\;C-

•. (7)•¢ )


Author/Title Jonathan Taylor



Copyrightc 2009 HF Controls Corporation

1 of 18

2 of 18

Addendum for TS901-000-29 Rev B


12/2/09 AO J. Taylor Draft12/08/09 A J Taylor Initial issue

Table of Contents

1.0 INTRODUCTION ....................................................................................... 4

2.0 SCO PE .......................................................................................................... 4

3.0 ERA TTA ..................................................................................................... 4

3.1 Paragraph PQ.A.2 - Manual 4-20 mA Channel Accuracy ..................... 43.2 Paragraph PQ.A.6 - Automated Analog Accuracy Test ......................... 53.3 Paragraph PQ.A.7 - Digital Response Time Measurement .................... 73.4 Paragraph PQ.A.9 - Discrete Input Operability Test ............................. 93.5 Paragraph PQ.A.10 - Discrete Output Operability Test ........................ 93.6 Paragraph PQ.A.11 - Communication Operability Test ...................... 123.7 Paragraph PQ.A.12 - Timer Test ................................. 143.8 Paragraph PQ.B.2 - Digital Input/Output BOE Test ............................ 163.9 Paragraph PQ.B.4 - Serial Port Failure Test ........................................ 18

TN901-000-06 3 of 18 Rev A


1.0 INTRODUCTION

This document is an addendum to TS901-000-29, HFC-6000 Post Qualification TestingSummary Report, Rev B. The purpose of this addendum is to correct errors in contentand analysis in that report. The reason for issuing these corrections as an addendumrather than a new revision to document TS901-000-29 is to optimize the review processbeing undertaken by the Nuclear Regulatory Commission (NRC) personnel.

2.0 SCOPE

This addendum corrects errors of content and errors in the analysis of data contained inRev B of TS901-000-29. It also restores some of the data erroneously deleted from thereport when Rev B was created from Rev A.

3.0 ERATTA

Corrections are listed in the order of contents in TS901-000-29 Rev B. The referenceindicates whether this material replaces the corresponding contents of the base documentor merely augments it.

3.1 PARAGRAPH PQ.A.2 - MANUAL 4-20 MA CHANNEL ACCURACY

Table PQ.A.2-1. Manual Al Channel Accuracy Data

TN901-000-06 4 of 18 Rev A


[

]

3.2 PARAGRAPH PQ.A.6 - AUTOMATED ANALOG ACCURACY TEST

[

TN901-000-06 5 of 18 Rev A

Addendum for TS901 -000-29 Rev B

Table PQ.A.6-1. Automated AIAccuracv Test -Post Qualification,BL,506 Time Sta1,AI,188 Algorithm 2,AO,81 Al Channel

Stamp Log Value Value Value Accuracy(%)

2,AI,69 1,13BL506 1,AO,921 AO.Channel•BL.:5' ..... : Time Stampi : Log'Value Value 'Value Accuracy.(%)

Table PQ.A.6-2. Automated AIAccuracy Test - Baseline Data

81,_BL,506 Time'Stamp .,A!,188 Algorithm, 2,AO,81 A IChannelaLogValue Value Value : Accuyac•.(%

2;BL.21 Time Stamp 2,AI,69 1,BL,506 1,AO,921 AO Channel:;BL,215_ Time Stamp Log Value Value Value Accuracy (%)

II

I

TN901-000-06 6 of 18 Rev A


3.3 PARAGRAPH PQ.A.7 - DIGITAL RESPONSE TIME MEASUREMENT

Automated Test Execution

The automated response time test was executed twice in conjunction with the BOEtest and then multiple times as a background test for other tests. Table PQ.A.7-1provides a summary of the results from this test over the entire duration of testing inthe order of test execution. The same points were logged for the baseline test and thepost qualification test. The data from the seismic retest only included four points toreduce the total number of transitions being logged by the SOE. In each case, thecascaded signals (4,DI,1 through 4,DI,7) provide a measure for the equation cycletime, and the remaining two points provide a direct measure of system response time.

Table PQ.A.7-1. Automated Digital Response Time Test Results.

Baseline Results (ms)Log Point S0461714 S0490012

MIN AVE MAX MIN AVE MAX4,DI, 14,DI,24,DI,34,DI,44,DI,54,DI,64,DI,74,DI,8 - 4,DI,9

Post Qualification Test Results (ms)Log Point S1631624 S1631643

MIN AVE MAX MIN AVE MAX4,DI, 14,DI,24,DI,34,DI,44,DI,54,DI,64,DI,74,DI,8-4,DI, 16

TN901-000-06 7 of 18 Rev A


In-House Pretest forSeismic Retest (ms)SOE Equation Cycle Time (ms) Response Time (ms)

Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,9MIN AVE MAX MIN AVE MAX MIN MAX

S2390200S2441200S2441209

Post Seismic Test (ms)

SOE Equation Cycle Time (ms) Response Time (ms)Record 4,DI,2 4,D1,3 4,DI,8 - 4,DI,9

MIN AVE MAX MIN AVE MAX MIN MAXS2671220S2671435

I

I

TN901-000-06 8 of 18 Rev A


3.4 PARAGRAPH PQ.A.9 - DISCRETE INPUT OPERABILITY TEST

[ ]

Table PQ.A.9-1. Discrete Input Operability Test Results

Crd Type Under-Test

Base"line fetD1161 DC347 1)(33

Set Voltage Threshold (V)

Max Input Voltage (V)

Dropout Voltage (V)__

Card Tyipe Under Test

.Post QuiDification Test ..DI 161 DC34 . . .. DC33

1 2 3Ae13Ave 1 2 Ave



Dropout Voltage (V)

______________a rd I) pceUnder Test _ __

, Seismic Pre Test D1161 __ _, _ _ _ __ D..33____ 2__ 3 __ A__ 3 ~Ave~1~ J2~ 1 kve\



Dropout Voltage (V)

]

3.5 PARAGRAPH PQ.A.10 - DISCRETE OUTPUT OPERABILITY TEST

I ]

120 VAC DO Channel Operability (Section 4.4.2)

[

I

TN901-000-06 9 of 18 Rev A


Table PQ.A.10-1. 120 VAC Output Channel Parameters.

P..rameter . .. Set Coi..C.liit U.... ' .. Cici Reset Coil Circuit,.

Coil ResistanceSupply voltage set to 90.0 ±0.5 vac at 47 HzPeak off-on response voltagePeak in-rush currentSteady-State output (rms)On state voltage dropPeak reverse EMF

Off state leakageSupply voltage set to 130.0 ±0.5 vac at 47 Hz

Peak off-on response voltagePeak in-rush currentSteady-State output (rms)On state voltage dropPeak reverse EMFOff state leakage

[

TN901-000-06 10 of 18 Rev A


1

125 VDC DO Channel Test (Section 4.4.3)

[

I

Table PQ.A.10-2. 125 VDC Output Channel Parameters.

Parameter Set Coil Circuit• , ResetCoil Circuit

Coil ResistanceSupply voltage set to 90.0 ± 0.5 vdcPeak off-on response voltagePeak in-rush currentSteady-State outputOn state voltage dropPeak reverse EMFOff state leakageSupply voltage set to 140.0 + 0.5 vdcPeak off-on response voltagePeak in-rush currentSteady-State outputOn state voltage dropPeak reverse EMFOff state leakage

[

TN901-000-06 11 of 18 Rev A


3.6 PARAGRAPH PQ.A.11 - COMMUNICATION OPERABILITY TEST

[

I

ICL Error Counters

I

ITable PQ.A.11-1. ICL Error Counters During Post Qualification Test.

•Station Card Start End Count Sta rt, Sto DurationT1yp~e Count County Diff ATime> Time

Remote 10 KPD16

1 KPD163 KPD165 KDI16

6 KDO87 KDO8

9 PCC03 __ _ __ _ _ __-_

TN901-000-06 12 of 18 Rev A


SStto a to •-Card , Start End 'Count Start stop DurationType Count Count. _ TTmeim• Tim:e

Remote 19 PCC0310 PCC0610 PCC06 ______

16 KD11617 KPD1619 KDI1620 KPD16

22 KDI1623 KDO824 KDO825 KDI1626 KPD1636 KDI1637 KDI1638 KDO839 KDO840 KDO848 KAIO49 KAO850 KAIO51 KAIO52 KA116 _-.___

53 KAI1654 KAO8 _____ ......56 KA18 ___

57 KAIO58 KAI8 __.. ...

59 KA18 ___ ___

60 KAI8

Remote 30 KPD161 KDO82 KAIO

II

TN901-000-06 13 of 18 Rev A


I

C-Link Error Counters

[

I

Table PQ.A.11-2. C-Link Error Counters During Post Qualification Test.

Tag Name Time Stamp Value Description1,C0,10

1,C0,113,C0,10

3,C0,11

3.7 PARAGRAPH PQ.A.12 - TIMER TEST

II I

Manual Timer Test

The manual timer test produced the following results:

0 1-sec timer5/1-sec timner

Total period = [Total period = [

]]

Jitter =[Jitter = [

]I

Automated Timer Test

Table PQ.A. 12-1 presents the results of the automated timer tests from the beginningthrough the end of formal testing in the sequence that the test were conducted.

TN901-000-06 14 of 18 Rev A


Table PQ.A.12-1. Automatic Timer Test Results

S0551656 Averaged 4,D1,11 4,DI,12Period Ave Value A Jitter Ave Value A Jitter

Baseline OnTest Off

Total

S1671050 Averaged 4,DI,11 4,DI,12Period Ave Value A Jitter Ave Value A Jitter

Post OnQualifi- OffcationTest Total


In OnHouse OffPretestbefore

Seismic TotalRetest


Seismic OnPost Test Off

Total

II

TN901-000-06 15 of 18 Rev A


]

3.8 PARAGRAPH PQ.B.2 - DIGITAL INPUT/OUTPUT BOE TEST

I

I

4,DI,28 On Period Off Period Transfer Delay (ms)(1,DO,648) (sec) (sec) Max Ave Min

Baseline S0490456

Post Qual S1631624

Post Qual S1690831*

HFC Pretest S21401316BOE1 S2661610Post Test S2671435

TN901-000-06 16 of 18 Rev A


4,DI,32 On Period Off Period Transfer Delay (mns)(1,DO,688) (sec) (sec) Max Ave Min

Baseline S0490456Post Qual S1631624Post Qual S1690831HFC Pretest S21401316BOE1 S2661610Post Test S2671435

4,DI,33 On Period Off Period Transfer Delay (ins)(1,DO,682) (sec) (sec) Max Ave Min

Baseline S0490456Post Qual S1631624Post Qual S1690831HFC Pretest S21401316BOE1 S2661610Post Test S2671435

4,DI,34 (2,DO9,101) 4,DI,35 (2,DO,105)On Period (sec) Off Period (sec) On Period (sec) Off Period (sec)

Baseline S0490456

Post Qual S1631624

Post Qual S1690831

HFC Pretest S21401316BOEI S2661610Post Test S2671435

[

I

TN901-000-06 17 of 18 Rev A


3.9 PARAGRAPH PQ.B.4 - SERIAL PORT FAILURE TEST

[I ]

PQ.B.4.2, C-Link Failure Test (Section 4.2.1)

1

I

Table B.4-2. Digital BOE Abnormal Transitions in C-Link Failure Test

Time 4,Di,28 4,D1,29 4,13I,30 4,131,31 4,DI1,32 4,MI,33~ 4,13I,34 4,DI,35 4,13I,36j Stamp Transition Transition Transition Transition ransition ransition ransition ransition Transition

(s) (s)~ (S s s) () ()(s)

BreakoutNormal

TX Pin Float

Short Ground

Short RX Pin

Regular Cable

TN901-000-06 18 of 18 Rev A

HF Controls

HF CONTROLS CORPORATION

HFC-6000 Product Line

Addenfdumto TS901-000-34 Rev BSeismic Retest: In-house Testing Summary Report

T•901-000-07

'Rev A

Effective Date

Author/Title

Reviewer/Title

Approval/Title

Copyright©

12/9/2009

Jonathan Taylor

Charles McKinney

Ed Herchenrader

12009 HF Controls Corporation

1 of 10

2 of 10



12/3/09 AO J. Taylor Draft12/9/09 A J. Taylor Initial issue

Table of Contents

1.0 IN TR O D U C TIO N ......................................................................................... 4

2 .0 S C O P E ........................................................................................................... . . 4

3.0 E R A T T A ..................................................................................................... . . 4

3.1 Paragraph 6.4.2 - R esults ............................................................................. 43.2 Paragraph 6.4.3 - anom alies ......................................................................... 53.3 Paragraph A.2 - Manual 4-20 mA Al Channel Accuracy ............................ 53.4 Paragraph A.7 - Digitasl Response time Measurement ................................ 53.5 Paragraph A. 1I - Communication Operability Test ...................................... 63.6 Paragraph A. 12.2 - Automated Timer Test ................................................. 63.7 Paragraph B.2 - Digital Input/Output BOE Test .......................................... 73.8 Paragraph B.4. - Serial Port Failure Tests ................... I ............................... 8

TN901-000-07 3 of 10 Rev A


1.0 INTRODUCTION

This document is an addendum for TS901-000-34, Seismic Retest In-house Testingsummary Report, Rev B. The purpose of this addendum is to correct errors in contentand analysis in Rev B of the test report. The reason for issuing these corrections as anaddendum rather than a new revision to document TS901-000-34 is to optimize thereview process being undertaken by the Nuclear Regulatory Commission (NRC)personnel.

2.0 SCOPE


3.0 ERATTA


3.1 PARAGRAPH 6.4.2 - RESULTS

[

TN901-000-07 4 ofl10 Rev A


3.2 PARAGRAPH 6.4.3 - ANOMALIES[I

3.3 PARAGRAPH A.2 - MANUAL 4-20 MA Al CHANNEL ACCURACY

[ ]Table A.2-1. Manual Al Channel Accuracy Data from In-house Test for Seismic

Retest.

'SaicSe (- 1nput to Al Card Obutput f romn Al card A2 n Mesrd T u Indicated Cluae AlChannel.

~equivalent) Test~ Level SP Sg.nlAcry(%oN.. Signal Level (SigA)a differenc4,

(rmA) M i~o N _______ ~~: '1030507090

3. AARP . IIAL EPNETM ESRMN

TN901-000-07 5 ofl10 Rev A


Table A.7-2. Automated Digital Response Time Test Results.

SOE Equation Cycle Time (ms) Response Time (ms)Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,9

MIN AVE MAX MIN AVE MAX MIN MAX

3.5 PARAGRAPH A.11 - COMMUNICATION OPERABILITY TEST[

]

3.6 PARAGRAPH A.12.2 - AUTOMATED TIMER TEST

I ITable A.12-3. Automatic Timer test Results from In-house Test for Seismeic Retest

S0551656 Averaged 4,DI,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterBaseline On

Test

Off

Total

S2661002 Averaged 4,DI,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterIn House OnSeismicPretest Off

Total

TN901-000-07 6 ofl10 Rev A


]3.7 PARAGRAPH B.2 - DIGITAL INPUT/OUTPUT BOE TEST

TN901-000-07 7 ofl10 Rev A


Log Point ON (sec) OFF (sec) Transfer Delay (ins)Range Range Max Ave Min

4,DI,28 (1,DO,648)4,DI,32 (1,DO,688)4,DI,33 (1,DO,682)4,DI,34 (2,DO,101)4,DI,35 (1,DO,105)

3.8 PARAGRAPH B.4. - SERIAL PORT FAILURE TESTS

I I

B.4.2 C-Link Failure Test

TN901-000-07 8 ofl10 Rev A


Table B.4-2. Digital BOE Abnormal Transitions in C-Link Failure Test of In-houseTest for Seismic Retest.

~4113,28'-4DI3 4,D31,33..:~~~ DI 4 < 4,DI,35~

~b~§ Time, Transition Time>Tasto Time~ Transition~ Time Transition Time ~Transition.Sap (9)Y Stamip (s) Stampj -(s) Stamnp (s) Stamp (s

BreakoutNormal

TX Pin Float

Short Ground

Short RX Pin

Regular Cable

Figure B.4-4. BOE Control Signal versus TSAP Analog Input Signals in Remote 1During C-Link Failure Test of In-house Test for Seismic Retest.

Figure B.4-5. TSAP Al signal (1,AI,882, 1,BL,510) versus Corresponding TSAP AOSignal (1,AO,922, 2,BL,213) During C-Link Failure Test of In-house Test for

Seismic Retest.

TN901-000-07 9 ofl10 Rev A

Addendum for TS901-00O-34 Rev B


d

a>., ~

~

>1>

~

~ ~

~i2~ ~

Figure B.4-6. Single Loop Controller Analog BOE Source Signal versus TSAP Aland TSAP Al versus TSAP AO During C-Link Failure Test of In-house Test for

Seismic Retest.

TN901-000-07 10 of 10 Rev A

HF Controls

IHF-CONTROLS CORPORATION

.wHFC-6000 Product Line

Addenidum ,to TS901-00o-35 Rev BSeisniuic Retest Summary Report

.-TN9O1.-000-08

"K-

,Re~v-A


Author/Title Jonathan Taqylor



Copyrighto 2009 HF Controls Corporation

1 of 10

2 of 10



12/3/09 AO J. Taylor Draft12/9/09 A J. Taylor Initial Release

1.0

2.0

3.0

3.13.23.33.43.5

Table of Contents

IN TRO D U CTION .......................................................................................... 4

SCO PE ........................................................................................................ 4

ERA TTA ....................................................................................................... 4

G eneral Form atting ...................................................................................... 4Paragraph 7.2.4 - A nom alies ....................................................................... 4Paragraph A .7 - Tim er Test ......................................................................... 4Paragraph A . 11 - D igital BO E Test ............................................................. 6Paragraph A .13 - D igital Response Tim e Test ............................................. 8

TN901-000-8 3 oflO0 Rev A


1.0 INTRODUCTION

This document is an addendum for TS901-000-35, Seismic Testing Summary Report,Rev B. The purpose of this addendum is to correct errors in content and analysis in RevB of the test report. The reason for issuing these corrections as an addendum rather thana new revision to document TS901-000-35 is to optimize the review process beingundertaken by the Nuclear Regulatory Commission (NRC) personnel.

2.0 SCOPE


3.0 ERATTA


3.1 GENERAL FORMATTING

When Rev B of TS901-000-35 was created, Microsoft Word changed the formatting ofnumbers for tables and figures in Attachment A from A.NN-N to 0.NN-N, but referencesin text remained unchanged. References in this document will follow the original format.

3.2 PARAGRAPH 7.2.4 - ANOMALIES

Replace the last bullet on page 11 concerning the timer function.

[

3.3 PARAGRAPH A.7 - TIMER TEST

The format of the table number on p 33 of TS901-000-35 Rev B should be changed toTable A.7-1 and Table A.7-2. Replace the content of these two tables with the followingmaterial.

TN901-000-8 4 of 10 Rev A


Table A.7-1. Automated Timer Test Results


On

Baseline OffTest

Total

S2390208 Averaged 4,DI,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterIn House OnPretest

Off

Total

S2661002 Averaged 4,DI,11 4,DI,12

Period Ave Value A Jitter Ave Value A JitterPretest On

At Wyle

Off

Total

S2670819 Averaged 4,DI,11 4,DI, 12

Period Ave Value A Jitter Ave Value A JitterDuring OnOBE2

Off

TotalS2670838 Averaged 4,D1,11 4,DI,12


Off



Off

Total




During OnSSE

Off


Period Ave Value A Jitter Ave Value A JitterPost Test On

Off

Total

[

3.4 PARAGRAPH A.11 - DIGITAL BOE TEST

[



I

4,DI,28 On Period Off Period Transfer Delay (ms)(1,DO,648) (sec) (see) Max Ave Min

HFC Pretest S21401316

Wyle Pretest S2661015

Wyle PretestS2661038

OBE1 S2661610

OBE2 S2670819

OBE3 S2670918OBE4 S2670938OBE5 S2670954

SSE S2671028Post Test S2671435





OBE1 S2661610

OBE2 S2670819

OBE3 S2670918OBE4 S2670938OBE5 S2670954SSE S2671028

Post Test S2671435





OBEI S2661610

OBE2 S2670819

OBE3 S2670918OBE4 S2670938OBE5 S2670954

SSE S2671028Post Test S2671435



4,DI,34 2,DO,101) 4,DI,35 D2,D0,105)On Period (sec) Off Period (sec) On Period (sec) Off Period (sec)

HFC Pretest S21401316Wyle Pretest S2661015Wyle PretestS2661038

OBE1 S2661610OBE2 S2670819OBE3 S2670918OBE4 S2670938OBE5 S2670954SSE S2671028Post Test S2671435

3.5 PARAGRAPH A.13 - DIGITAL RESPONSE TIME TEST

Table A.13-1. Automated Digital Response Time Test Results.

In-House PretestSOE Equation Cycle Time (ms) Response Time (ms)


S2390200_______________S2441200S24412091

TN901-000-8 8 ofl10 Rev A


Pretest at WyleSOE Equation Cycle Time (ms) Response Time (ms)

Record 4,DI,2 I 4,DI,3_ 4,D1,8 - 4,DI,9$60S60 MIN AVE MAX MIN AVE MAX MIN MAXS2661002 _____ ____ _____________ __ ___

S2661038,________

During OBEl (No response time data preserved)SOE Equation Cycle Time (ms) - Response Time (ms)

Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,9S2661451 MIN AVE MAX MIN AVE MAX MIN MAX

S2661610 ________ ___

During OBE2SOE Equation Cycle Time (ms) Response Time (ms)

Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,92 9MIN AVE MAX MIN AVE MAX MIN MAX

S2670819 ~===~ ________During 0BE3

SOE Equation Cycle Time (mns) Response Time (ms)Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,9

MI701 M1N AVE MAX_ MIN AVE MAX MIN MAX

S2670918 J 1I__During OBE4

SOE Equation Cycle Time (ms) Response Time (ms)Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,9

$2670938 MIN AVE MAX MN AVE MAX MIN MAX

During OBE5SOE Equation Cycle Time (ms) Response Time (ms)

Record 4,D1,2 4,DI,3 4,DI,8 - 4,DI,9MIN AVE MAX MN AVE MAX MIN MAX

S2670954

During SSESOE Equation Cycle Time (ms) Response Time (ms)

Record 4,DI,2 4,DI,3 4,DI,8 - 4,DI,9

S 2 MIN AVE MAX MIN AVE MAX MIN MAX

Post TestSOE Equation Cycle Time (ms) Response Time (ms)


S2671220$2671435

TN901-000-8 9 of 10 Rev A


II

I

TN901-000-8 10 of 10 Rev A

HF Controls

DOOSAN HF CONTROLS CORPORATION

Addendum to TP0402 Rev, F

TN901-000-09

Rev. A

Effective Date

Author/Title

Reviewer/Title

Approval/Title

Copyright" 2009 LDaosan HF Controls Coilaration

444t P-ge 1 of / Page I of 3

Addendum to TP0402 Rev. 1..'

Revision History

ate R ev isio n A 0. .o..1.. . C h a n g es

12 709 A [T. Gerardlis ]Initial Release

TABLE OF CONTENTS

1.0 P U R P O S E ............................................................................................................................... 3

2 .() S C O P E .................................................................................................................................... 3

3.0 T E S T C A S E S ......................................................................................................................... 3

3.1 V ALIDA'IINGi C. M I. ExI-CU'n'T O N OF A PPLICATION 3....................................................... 33.1. / Prnocedures ...... ................................... ............. 3

TN901-000-09 Page 2 of' 3 lcv.v A

Addendum to TP0402 Rev. FI

1.0 PURPOSIE

This document serves Ls an addendum to TP0402 rev. F, Operability Test Procedures ForQuailif cation Program. The purpose for Fthis document is to amend tests wh ich h ad perlormed butwere not listed in that procedure.

2.0 SCOPE

Although the test cases were done to the E1RD1 Ill qualification system, 1,he same test cases can heapplied in general for validating requ~lirem1ent for checking iF an application executes one completecycle within a context switch.

3.0 TEST CASES

3.1 Validcuir/g Coml)lele Execulioll (vlApplicalion

3.1.1 Procedures

InitialI.Setup test rack application p~rogram to include thne IFollowing eqtuations:

;DELAY LOOP

CO 7000 = VA,C0

L002 ;

INC CO, 7000

JUMP Lu0002 I F (CO, 7000 IT VA,2500) AND (PL, 1048 AND D:, 133)

JUMP L 0002 IP (CO, 7 o00o r' , V, 2,500) AND (/FIL, 1048 AND 131, 1,32)

(2500( counter value was set to execute less than 10 passes/see)2. Connect simulation switch to D1, 133 input channel

3. Download application to remote

4. Select A controller and set D1, 133 input channel ON.

5, Observe FL, 1097 in ON state reporting that one pass was not completedwithin one context switch.

Conclusion•:

TN90 1-000-09 Page 3 t)F3 P cv. ATN901-000-09 Page 3 of`"3 Rev. A

HF Controls

"HF CONTROLS CORPORATION

HFC-6000 Product Line

Clarifications;-to Qualification Test Results

TN1'"T-N,901-000-12

R&vA

Reviewer Chrlesv, Mcine

Approval IvnCo

C...-,F .o rl Cpi

M ,,:,)7"

"C '/

.- " /

Effective Date 6-18-10 "-......

Author Jon Taylor

Reviewer Charles McKinney

Approval Ivan Chow

[ ICopyright© 2009 HF Controls Corporation

1 of 11

Clarifications to Qualification Test Results


6/17/10 AO J. Taylor Draft

Table of Contents

1.0 Purpose ............................................................................................................ 3

2.0 Scope ....................................................................................................................... 3

3.0 References .......................................................................................................... 3

4.0 Corrections to TN901-000-05 ........................................................................... 3




TN901-000-12 2 ofl11 Rev A


1.0 PURPOSE

This document contains corrections to TN901-000-05 Rev A through TN901-000-08 RevA. The reason for producing this document rather than issuing a new revision to thesefour documents is twofold:

* The total sum of the corrections to these documents is relatively minor.* Rev A of these documents have already been supplied to the NRC reviewers, and

formal submission of five new documents would delay final completion of the review.

2.0 SCOPE

The content of this document is limited to correction of omissions or errors detectedwhile documenting the final performance envelope for the ERD111 Test Specimen.Corrections for each document will be assembled together in a separate subsection of thisdocument to facilitate identification.

3.0 REFERENCES

TN901-000-05TN901-000-06TN901-000-07TN901-000-08

Addendum for TS901-000-23 Rev C, Rev AAddendum for TS901-000-29 Rev B, Rev AAddendum for TS901-000-34 Rev B, Rev AAddendum for TS901-000-35 Rev B, Rev A

4.0 CORRECTIONS TO TN901-000-05

The content of Table A.2.1 on page 4 is revised to correct the time stamp data as shown.

Table A.2.1. Automated AI Accuracy TestBaseline Data

Ilo >, Time Stamp . . . ..g.rithm.... ........... ..... te on

I.BL506- Value of l,A1,881

-Time Stamp, _ Algorithm. Value off 1,AO92 1 Loggedy:alue Deviatin

2.BL,215- Valueof ],AO,921

The last sentence was added to paragraph B.9.2 to clarify the conditions in theenvironmental chamber at the time the communications operability test was run. Thistest was supposed to have been run at the end of high temperature period. It was actually

TN901-000-12 3 ofl11 Rev A


run in the middle of the ramp down period when the temperature in the test chamber hadjust reached 400 F.

B.9.2 Ramp Down Period

During the ramp down period from high temperature, the Communication Operabilitytest was performed at 2/23/04 from 12:59 to 13:08. (Note: The first entry in TableB.9.2.1 has a timestamp of 11:33:06. Because the HAS was configured to logchanges in value, this entry indicates that 1,CO,10 changed to a value of 0 at that timeand then remained at that value until 13:14:24.) According to the Wyle temperaturechart the temperature inside the test chamber had already reached 40' F at the timethis test was run.

The last sentence was added to paragraph 3.12 on page 19 to explain why the timer datain Table B.10-1 is different from that found in the original test report TS901-000-23 RevC.

3.12 PARAGRAPH B.10 - TIMER TEST

Replace subsections B.10.1 through B.10.3 with the following material. All timervalues have been recalculated from the raw data because the values in the originaltest report could not be reproduced.


The content of Table PQ.A.6-2 on page 5 is revised to correct the time stamp data asshown.

Table PQ.A.6-2. Automated AIAccuracy Test - Baseline DataTime Stamp 1,A1,188 Algorithm 2,AO,81 AI Channel

IBL.506 Log Value Value Value Accuracy(%)

S Time S2,AI,69 1,BL,506 1,AO,921 AO Channel2.BL.215 Time Stamp Log Value Value Value Accuracy (%)

The following data was added under paragraph 3.5 on page 9 because the DO operabilitydata was included in the test data but omitted from the original test report. The twosubsequent table numbers were changed to reflect the addition of this table.

TN901-000-12 4 ofll Rev A


Relay DO Channel Operability (Section 4.4.1)

The following results are compared between baseline and post test data.

Table PQ.A.10-1. HFC-DO8J Relay DO Characteristics

Test Base Line Post Test

The following paragraph 3.10 needs to be added for correcting the Analog BOE test datacalculation in original TS901-000-29 document.

3.10 PARAGRAPH PQ.B. 3 - ANALOG BOE TEST

Replace table PQ.B.3-1 with the following content.

Table PQ.B.3-1. TSAP Al Channel Readings and Deviations from BOE SourceSignal in Post Qualification Test.

(1, BL, 510) (1,BL,514) (1,BL,516)

i10% Measurement (o

Deviation ~From 10% (%),

Num of Measurements

90% Measurement'(%)

DviationFrom 90%/(%)

NNum of Measurements.


[

TN901-000-12 5 ofll1 Rev A



The following corrections for TS901-000-35 Rev B are needed:

Replace the content of paragraph A.6 - Communication Operability in TS901-000-35Rev B with the following material.

A.6.1 C-Link Operablitv Test

There were no C-Link communication errors reported during Pre Tests. During OBEtests and SSE test, only remote 4 showed errors. Remote 4 was connected to C-Linkonly while the SOE data was being retrieved. Test specimen remote and SLC remotehad no C-Link communication errors.

A.6.2 ICL Operablity Test

Detailed ICL operability data was not captured correctly during the second seismictest, but this data is available for the pre test, OBE3, OBE4, OBES, SSE, and post testfrom the first seismic test. Controller power was lost during OBEl and OBE2,invalidating the error log results. The Tables A.6.2-1 through A.6.2-4 presentdetailed error logs for the pre test, OBE3, SSE, and post test runs.

TN901-000-12 6 ofll1 Rev A


Table A. 6.2-1 Pre Test ICL Communication erability Test Results

Card Start ~EndStation T ype Count Count Change -Start Time Stop Time Duration Comments

0, KPD16' 1 :: KPD16

3 KPD165 KDI166, KDO8:7 KDO8

•:i'9 : 'PCC03::::9.:: ' PCC03

10 PCC0610 PCC0616 KD11617- KPDI 6 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

19 KDI16 _________ _ _ _ _ _ _ _ _ _ __ _ _ _

20 KPD1622 KDI1623 - KDO8'24 KDO825 KDI1626 KPD16

36 KDI16

-37, KDI16,38 - KDO8

39 KDO840 KDO8.48 KAIO

49 KA08

50 KAIO51 KAIO52 KAI16'53 KA116

54 KAO856 KAI857 KAIO58 KAI859 KAI860 KAI8 I I

TN901-000-12 7 of 11 Rev A


Table A.6.2-2. OBE3 ICL Communication Operability Test Results

Card" ýýStart End, Stationý....,pe Count Count Change Start Time Stop Time Duration. Comments.

-0 KPD16.1- KPD16

3- KPD16

:5 KDI16'!6 ,: KDO8

.7 KDO8

9. PCC03'::9: i: PCC03

1:@d0::(i; PCC0610 PCC06

17 KPD161 i' ••9i•:. KD116

: ,: 20: KPD1622 KD116

:-:• 23::i.' KDO8' 24 ':KDO8

• '25 ::' KDI16

,26,o KPD16-36 KD11637 KDI 16

.38 KDO839 KDO8

-40 'KDO848 KAIO49 KA08:50 KAIO

51 .KAIO

52 KAI 16':53 KAI116

54 KA08

:56 KAI857 KAIO58 KA1859 KA18

160 KA18

TN901-000-12 8 of 11 Rev A


Table A.6.2-3. SSE ICL Communication erability Test Results

,:Cardm Start End. :,Station Type Count Count Change Start Time Stop Time. Duration. Comments

0 KPDD16

I KPD16

:3 KPD16:5 KDI16

:6. KDO8

:7 KDO8

9. PCC03

9ý PCC03

10 PCC06

10 PCC06

16 KDI16

17 KPD16 ___________

19 KDI16

"20 KPD16

- 22 KD116

S23. :KDO8

24 KDO8

25 KDI16

,26 KPD16

36 KDI1637 KD116

38 KDO8

,39, KDO8

40 KDO8

48 KAIO

S49, ! KAO8

:':50 : KAIO

51 KAIO

.52 KA116

:53 KAI16

54 KAO8

56 KAI857 KAIO

58 KAI8

59 KAI8

60 KAI8 I

TN901-000-12 9 of 11 Rev A


Table A. 6.2-4. Post Test ICL Communication Operability Test Results

SCatrde Start EndStation Type Count, Count Change Start Time Stop Time Duration Comments

0 KPD16

I• :1 •KPD16

3 KPD16

5 KDI16

6 KD08

7 KD08

9 PCC03

9 PCC03

10 PCC06

10 PCC06

16 KD11617 KPD16

19 KD116 _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _

20 KPD16

22 KDI16

23 KD08

24 KDI81

,26&," KPD16

36 KDI16

37 KDI16

38 KDO8

39 KD08 __ _____ __ _ _ _ _ _ _ _ _ _ _ _

40 KDO8

48 KAIO

49 KAO8

50 KAIO

51 KAIO

52 KAI 16

53 KAI 16

54 KAO856, KAI8

57 KAIO

58 KAI8

59 KAI8

60 KAI8

Not that only the PCC06 cards logged any ICL errors during, the test interval. Thefact that a negative error count is recorded in table A.6.2-3 indicates that the errorcounters rolled over during the test interval.

TN901-000-12 10 of 11 Rev A


Add the final sentence to existing paragraph 3.3 in TN901-000-08 to indicate why valuesfor timer data differ from those in test report TS901-000-35 Rev B.

3.3 PARAGRAPH A.7 - TIMER TEST

The format of the table number on p 33 of TS901-000-35 Rev B should be changed toTable A.7-1 and Table A.7-2. Replace the content of these two tables with thefollowing material. All values for timer data were recalculated from the raw databecause the values in the original test report could not be duplicated.

TN901-000-12 11 ofll1 Rev A

Application Software Object Test Report

HF Controls

\HFCONTROLS CORPORATION

-HFC-6000 Control System

ERDI 111.'Conirol System Qualification Program

Application Software Objects Test Report

KT~Ro01 000-02

Rev, B-,\-

Effev ,t 1

I~~ of1

'S,°

E ffective Date 12/10/2009

Author/Title Ivan Chow



HF Controls Proprietary

Copyright© 2009 HF Controls Corporation



3/16/05 A Steve Yang Initial Release12/10/09 B I. Chow Revised to use ATP0402 Rev. B, C, and D

results

Table of Contents1. PU RPO SE AN D SCOPE ................................................................................ 42. References ........................................................................................................ 43. Abbreviations and A cronym s ........................................................................ 44. CQ4 Block Test Results ................................................................................... 54.1 A larm function test ......................................................................................... 54.2 ATW function test .......................................................................................... 54.3 AIC block test ................................................................................................. 54.4 AN O block test .............................................................................................. 54.5 ADD block test .............................................................................................. 54.6 AV G block test .............................................................................................. 54.7 CAL block test ................................................................................................. 64.8 CHP block test ................................................................................................ 64.9 CHR block test ................................................................................................. 64.10 CTF block test ................................................................................................. 64.11 CUT block test ................................................................................................. 64.12 DHA block test .............................................................................................. 64.13 DIV block test ................................................................................................. 74.14 DLA block test ........................................... 74.15 DLT block test ................................................................................................ 74.16 FLO block test ................................................................................................. 74.17 FTC block test ................................................................................................. 74.18 H SL block test ................................................................................................. 84.19 LLG block test ................................................................................... ............. 84.20 LSL block test ........................................... 84.21 M A B block test .............................................................................................. 84.22 M AV block test ............................................................................................... 84.23 M SL block test ................................................................................................. 94.24 M SS block test ................................................................................................ 94.25 M U L block test .............................................................................................. 94.26 PID block test ................................................................................................. 94.27 PLY block test ............................................................................................... 104.28 RA S block test .............................................................................................. 104.29 RM P block test ............................................................................................... 104.30 RTO block test .............................................................................................. 104.31 SQR block test .............................................................................................. 104.32 SSL block test .............................................................................................. 114.33 SSR block test .............................................................................................. 114.34 SUB block test .............................................................................................. 114.35 XTR block test .................................................................................................. 11

TR0O1-000-02 2 of 13 Rev. B


5.5.15.25.35.46.7.

Equation statem ent test results .......................................................................... 11Boolean prim itive operation tests ..................................................................... 11Logical decision operatior tests .................................................................... 12Arithem etic type operator tests .................................................................... 12Assignm ents test ........................................................................................... 12Issues reported from the last test .................................................................. 12Conclusion .................................................................................................... 13

00-02 3 of 13 Rev. BTROO1--0


1. PURPOSE AND SCOPE

This document summarizes the tests performed on the ASO for the procedures completedas part of ATP0402 Rev. B, Rev. C and Rev. D, Application Software Objects Test Plan.ATP0402 provides a comprehensive test procedure for software objects that have a directimpact on the application code or that can be accessed by application code while runningon the HFC-SBC06 controller. Such objects are designated as application softwareobjects (ASO). The scope of testing included both functional operation and exceptionconditions for the following ASOs:

" Processing algorithms (called CQ4 blocks) used for analog control functions

* Mathematical operations executed directly by the equation interpreter without callinga CQ4 block

" Boolean operations executed directly by the equation interpreter

" Logic decision, assignment, and arithmetic operators

Rev. B is a revised version to Rev. A in which some procedures were "Red-Lined"during the test. The complete Rev. B procedures were performed. Rev. C is created foradditional "Red-Lines" plus additional test cases. Rev. D is created due to some "Red-lines" in Rev. C. Only the additional test cases in Rev. C and additional test cases in Rev.D were performed. This report is based on the completed test results based on allrevisions B, C and D. Additional test cases were added to ensure complete validationsfor the requirements of CQ4 and Equation Interpreter modules.

2. REFERENCES

EPRI TR-107330

ATP0402ATP0402WCB IATP0402WCC1

ATP0402WCD1

Generic Requirements Specification for Qualifying a Commer-cially Available PLC for Safety-Related Applications in NuclearPower Plants

Application Software Objects Test PlanCompleted working copy of ATP0402 Rev. BCompleted working copy of ATP0402 Rev. C (only additional testcases were performed.)Completed working copy of ATP0402 Rev. D (only additional testcases were performed.)

3. ABBREVIATIONS AND ACRONYMS

ASO Application Software ObjectsCSM Control Switch ModuleDDB Dynamic DataBaseEWS Engineering WorkstationHFC HF ControlsPC Personal Computer

TROO 1-000-02 4 of 13 Rev. B


4. CQ4 BLOCK TEST RESULTS

Tests were performed per the procedure ATP0402 Rev. B, C & D. (For Rev. C and Rev.D, only additional test cases were tested.) The test results were recorded at the end of theprocedure. The following summarizes the test results for each analog block tested. Testson the Boolean operations executed directly by the equation interpreter and the logicdecision, assignment, and arithmetic operators are summarized in Section 5.

In the CQ4 block test, the Alarm Function and the ATW function were tested as commonfeatures.

4.1 ALARM FUNCTION TEST

The alarm functions were tested using the test cases. These cases included a combinationof the high trigger, low trigger, high alarm, low alarm with selected various deadbandvalues. An ADD block was used for the test. Tests showed that the alarm functionworked as expected.

4.2 ATW FUNCTION TESTA cascade of three blocks was used for testing the ATW function. Tests showed that theATW functioned as expected.

4.3 AIC BLOCK TEST

AIC block algorithm has been extensively tested when it was converted from 12 bits to15 bits. The untested functions such as negative output zero, output span, compensationinput, filtering, and square root were tested per ATP0402 Rev. B and Rev. C. Becausethese functions are common to all of the conversion cases in the AIC block, they weretested only in one conversion. Test results showed that the AIC block performed asexpected.

4.4 ANO BLOCK TEST

The ANO block was tested for a combination of local variable input, block input, localmode conversion of 4-2OmA and 0-1 0V, cascade mode conversion of 4-20mA and 0-10V. All test cases showed correct results as expected.

4.5 ADD BLOCK TESTThe ADD block was tested to verify that the algorithm can add up to eight floating-pointinputs to produce an output value. When ATW processing was enabled, input 1 wasverified to be correct. All other inputs were any combination of floating point or variablevalues. No errors were found during the test of this block.

4.6 AVG BLOCK TESTThe AVG block was tested for the function of adding up to eight floating-point inputsand dividing the resulting value by the number of configured inputs. The results showedthat the output produced was as expected.

TROO1-000-02 5 of 13 Rev. B


4.7 CAL BLOCK TESTThe CAL block was tested for its functionality of performing general-purpose calculation(mode 0), add (mode 1), subtract (mode 2), multiply (mode 3), divide (mode 4), Xv(mode 5), and Log xY (mode 6). Test results showed that the algorithm performed asexpected.

4.8 CHP BLOCK TESTThe CHP block algorithm transforms its input into a second-order polynomial. Testswere performed for different input varying from valid value input, valid block input, andinvalid input. Valid input produced valid output. Invalid input produced invalid output.The test also validated the proper clamping functions.

4.9 CHR BLOCK TESTThe CHR block algorithm produces a linear approximation for a function defined by aseries of (X, Y) ordered pairs. Each time the CHR block is called, it compares the currentvalue of its input with the range of specified X values. If the input is outside this range,the block automatically clamps the output to the Y value corresponding to either themaximum or the minimum X value. When the input is between two consecutive Xvalues, the block uses linear interpolation to calculate a value for the output.

Test cases were constructed to test the CHR algorithm. The results showed that thealgorithm worked as expected.

4.10 CTFBLOCKTEST

The CTF block algorithm simply coverts an integer value from a designated CO pointinto a floating-point number. Test cases were used for testing the CTF functionality.Valid input produced valid output. Invalid input produced invalid output. The test alsovalidated the proper clamping functions.

4.11 CUT BLOCK TESTThe CUT block algorithm uses a digital control flag to determine its response to callsfrom the CQ4 interpreter. If the block is inactive or if the control flag is set TRUE, thealgorithm simply returns control to the interpreter without updating its output. However,when the block is active and the flag is FALSE, the algorithm adds the analog input to thecurrent value of its output to produce an output value.

Test results from all the test cases showed that the CUT algorithm performed its functionnormally as expected.

4.12 DHA BLOCKTESTThe DHA block algorithm compares its input with a specified alarm value to control adigital alarm flag. Additionally, the block permits the user to supply a non-zerodeadband value to introduce hysteresis between transitions of the digital alarm flag asinput changes with respect to the alarm value. Test cases were used to test the DHAalgorithm. Different input configured generated expected output for controlling a digitalFL.

TROO1-000-02 6 of 13 Rev. B


4.13 DIV BLOCK TESTThe DIV block algorithm performs simple division of the value of Input 1 by the productof all other input values. Test cases were constructed to test the DIV algorithm. The testresults showed the algorithm performed its function as expected.

4.14 DLA BLOCKTEST

Similar to the DHA block, the DLA block algorithm compares its input with a specifiedalarm value to control a digital alarm flag. Additionally, the block permits the user tosupply a non-zero deadband value to introduce hysteresis between transitions of thedigital alarm flag as input changes with respect to the alarm value.

Test cases were generated to test the functionality of the DLA block. The test resultsproved that the DLA generated an output to control a digital FL based on a value and ablock input.

4.15 DLT BLOCK TEST

The DLT block enables the user to introduce a transfer delay of up to 10 block executioncycles into an analog value. The block supports two modes of operation: absolute andincrement. If the absolute mode is selected, the block output is set to the oldest valuefrom the memory array. If increment mode is selected, the block calculates the change invalue from the starting reference value and adds this calculated parameter to the previousoutput value.

Test cases were constructed to test the DLT block. The test produced the expectedresults.

4.16 FLO BLOCK TEST

The FLO block algorithm computes a factor that can compensate flow measurements forvariations in temperature, pressure, or composition. The algorithm consists of a quotientwith up to four terms and a square root option.

Test cases were used to perform the FLO block test. Valid input values including outputvalues provided by a constructed block were used to generate valid output. Invalid inputproduced invalid output.

4.17 FTC BLOCK TESTThe FTC block algorithm converts a floating-point value to a positive integer between 0and 65535. This integer is then written into the memory location of a specified CO point.

Test cases were constructed to test the FTC block. Valid input produces valid output.Invalid input generated an error but the last reading of the counter value was used for theoutput.

TRO01-000-02 7 of 13 Rev. B


4.18 HSL BLOCK TEST

The HSL block selects the input having the greatest value and uses that value for theblock output.

Test cases were used to test the HSL block. For all of the test cases, the results showedthat the algorithm performed as expected. The ATW function worked properly. Validinput produced valid output and invalid input generated errors with the last good readingof the output for its output.

4.19 LLG BLOCK TEST

The LLG block algorithm responds to abrupt changes in its input signal by introducing acontrolled phase lag or phase lead into its output. The LLG can be used as a purecalculation block, a component of feed forward, or for decoupling control schemes thatrequire sophisticated ATW processing.

Ten cases were constructed to test the LLG block.

The increment mode was tested with a positive minimum clamp, in which case the blockbecame incrementing without stopping by itself. So the minimum clamp had to beselected as a non-positive number or disabled, and the max clamp had to be some non-negative value or disabled.

4.20 LSL BLOCK TEST

Opposite to the HSL block, the LSL block selects the input having the smallest value anduses that value for the block output.

Test cases were used to test the LSL block. For all of the test cases, the results showedthat the algorithm performed as expected. The ATW function worked properly. Validinput produced valid output and invalid input generated errors with the last good readingof the output for its output.

4.21 MAB BLOCK TEST

The Manual/Automatic with Bias (MAB) block provides four operating modes, each ofwhich produces a corresponding meter face display on the JCRT.

Tests were performed on the MAB block using Single Pt, Hand Load, CRT M/A, andCRT M/A B modes. Manual was used for the Single Pt and Hand Load mode. Bothmanual and auto were used for CRT M/A and CRT M/A B mode. Clamping functionwith INC or DEC was tested. Various Bias values were used. No discrepancies werefound.

4.22 MAV BLOCK TEST

The Moving Average (MAV) block algorithm maintains a record of input values from anumber of most recent processing cycles to provide the basis for moving averagecalculations. The number of most recent processing cycle is programmable.

TR0O 1-000-02 8 of 13 Rev. B


Test cases were used for testing the MAV block function. The results showed that thealgorithm performed its function as expected.

4.23 MSL BLOCK TEST

The Median Select (MSL) block algorithm selects the median of its inputs as its outputvalue. Operation of this block is similar to that of the HSL and LSL blocks. The MSLblock provides ATW and bias calculation options to hold the other inputs near the medianvalue.

Test cases with value input, block input and invalid input were tested. The resultsshowed that the algorithm worked as expected.

4.24 MSS BLOCK TESTThe Multiple Signal Select (MSS) block algorithm uses the value of a designated COpoint to select one of eight inputs as data source. The value of this CO point is controlledby the equations portion of the system program.

Test cases were constructed for testing the function of the MSS block. The test provedthat the MSS block algorithm worked as expected.

4.25 MUL BLOCK TESTThe Multiply (MUL) block algorithm performs a pure multiply calculation for all theinputs.

Test cases were constructed with a combination of the floating point values and blockinputs. The multiplication results were correct. Max and min clamping worked asexpected. Invalid input generated an error but the output kept the last reading.

4.26 PID BLOCK TESTThe Proportional-Integral-Derivative (PID) block executes an algorithm that processesinformation from analog sensors and operator inputs to regulate a full-position output foran external field device. The various configuration parameters permit the applicationdesigner to produce a control algorithm based on proportional only, integral only,derivative only, or all three functions simultaneously.

The PID block was tested with Proportional only, Integral only, Proportional andIntegral, and Proportional Integral and Derivative under a constructed closed loop setup.The test was conducted under various conditions including the reverse mode, auto mode,and enabling or disabling proportional condition. With various input values for the gain,time constant, process variable, and setpoint, the algorithm obtained or approached theexpected output value.

The test showed that the basic functionality of the PID block was correct.

TROO1-000-02 9 of 13 Rev. B


4.27 PLY BLOCK TESTThe polynomial (PLY) block algorithm calculates an eighth-degree polynomial equationand stores the result in the PLY block output location.

Test cases with valid input from static constant and output of another block as well asinvalid input showed that the valid input produced expected valid output, and invalidinput produced an error.

No abnormality was observed.

4.28 RAS BLOCK TESTThe Ratio Station (RAS) block controls a full-position output based on an operator-selected ratio value. This function permits the operator to modify the output value duringoperation by altering the ratio.

Test cases were constructed for performing the RAS block test. Test showed that theoutput values were generated as expected. Clamp function was working properly.Invalid input generated an error but the output kept the last good reading.

4.29 RMP BLOCK TESTThe Ramp (RMP) block produces an analog output that increases or decreases a mini-mum amount from its previous output value. This function commonly is used in ananalog control loop to limit the rate of change in a variable supplied to the input of adownstream block.

Test cases constructed for performing the RMP block were executed and the output weregenerated as expected.. Clamp function was working properly. Invalid input generatedan error but the output kept the last good reading.

4.30 RTO BLOCK TESTThe Ratio (RTO) block receives two required input values and two optional SP values.During normal operation, the block algorithm computes both the ratio of the two requiredinputs and the product of one input with a selected SP value. The value of the ratiooutput can be used to control displays and alarm/trigger processing. The value resultingfrom the multiplication generally is used to provide feed forward input for control loops.

During normal processing cycles, the block fetched its input parameters and tests forconditions requiring initialization. If initialization was not required, the block calculatednew values for RATIO and output and processes alarms. During normal processingcycles, the block processed alarms based on both the absolute magnitude of RATIO andon the rate of change in RATIO. Test cases were constructed using two inputs and a SPvalue. The clamp function worked as expected. The output was recorded from the blockinterface box Calc Ratio, of which output values were as expected.

4.31 SQR BLOCK TESTThe Square Root (SQR) block is a pure calculation block generating a full-positionoutput that produces the square root of its input.

TR00 1-000-02 10 of 13 Rev. B


Test cases were constructed to validate the functionality of the SQR block. Test resultsshowed that the algorithm worked correctly as expected.

4.32 SSL BLOCK TESTThe Signal Select (SSL) block selects one of two analog inputs based on the value of adigital flag.

Test cases were used to test the SSL block. No abnormality was found during test.

4.33 SSR BLOCK TEST

The Signal Select with Reset (SSR) block selects one of two analog inputs based on thevalue of a digital flag. Operation of this block is similar to SSL except that it resets thedigital flag at the end of every processing cycle.

Test cases were constructed for the testing. Test showed that the SSR algorithm wasworking correctly.

4.34 SUB BLOCK TESTThe Subtract (SUB) block has two distinct uses that depend on the status of ATWprocessing. If ATW 'is disabled, the SUB block performs the arithmetic operation of firstadding Input 2 through Input 7 and then subtracting the result from Input 1. This blockshould not be included in a cascade path when ATW processing is disabled. When ATWis enabled, the SUB block function commonly is used to combine feedback and feedforward control signals to produce an SP value for a secondary control block (usuallyPID, RTO, or ANO block).

Test cases were constructed for testing the SUB block. The results showed that thealgorithm worked correctly.

4.35 XTR BLOCK TEST

The Transmitter (XTR) select block monitors either two or three transmitter inputs forquality and deviation.

Test cases were generated for testing the XTR block. There was no abnormality found.

5. EQUATION STATEMENT TEST RESULTS

HFC Equation statements are handled by Equation Interpreter. The following summariesthe test results for Boolean operations executed directly by the equation interpreter, thelogic decision statements, assignment statements, and arithmetic operators.

5.1 BOOLEAN PRIMITIVE OPERATION TESTSThe set of primitive Boolean operations consists of AND, OR, and NOT. Test cases wereconstructed for a combination of the above operations. Test results showed that in all ofthe cases for a combination of the AND, OR, and NOT operators, the output generatedwas expected. No abnormality was found.

TRO0 1-000-02 11 of 13 Rev. B


5.2 LOGICAL DECISION OPERATIOR TESTSThe logic decision operators consist of EQ, GT, LT, EQGT, and EQLT symbols.

Logic EQ: the operator returns a TRUE value when both arguments are numericallyequal.Logic GT: the operator returns a TRUE value when the argument on the left side has agreater numeric value than the argument on the right side.Logic LT: the operator returns a TRUE value when the argument on the left side has asmaller numeric value than the argument on the right side.Logic EQGT: the operator returns a TRUE value when the argument on the left side isnot less than the argument on the right side.Logic EQLT: the operator returns a TRUE value when the argument on the left side isnot greater than the argument on the right side.

FL and CO were used for testing these operators. Test results showed that the decisionoperators worked correctly.

5.3 ARITHEMETIC TYPE OPERATOR TESTS

The following operators cause the equation interpreter to perform the indicated algebraicoperation and return either an integer or a floating-point number.

+ Add two numbers- Subtract two numbers* Multiply two numbers

/ Divide two numbers (integer or floating-point numbers only)

Test cases were constructed for validating the arithmetic type operators.

5.4 ASSIGNMENTS TEST

Assignment =, Reset R= , Set S=, and Preset P= were tested using different test cases.The test results showed that all of the assignments operators worked as expected.

6. ISSUES REPORTED IN THE LAST REPORT (REPORTED IN CR 2005-0357)

a. LLG blockThe increment mode was tested with a positive minimum clamp, in which case the blockbecame incrementing without stopping by itself. So the minimum clamp had to beselected as a non positive number or disabled, and the max clamp had to be some nonnegative value or disabled.

d. MAB blockIn Hand Load and CRT M/A modes, pressing INC and Dec targets increased to morethan 80.0 and decreased to less than 20.0. So the algorithm restrictions 20.0<value<80.0is not true.

The MAB clamping was not working as other blocks clamping function. If outout<=min, applying min cloak would not clamp the output to the minimum; if output > max,applying max clamping would not clamp the output to maximum.

TRO01-000-02 12 of 13 Rev. B


In CRT M/A B mode, when Auto was used, the INC and DEC targets in the meterfacewere not working.

b. Arithmetic divisionWhen divided by zero, a counter generated a zero result, which was not as expected.

Resolution:Condition a - LLG block. The tester misunderstood the use of the ramping condition.For LLG block, the clamping is for the rate and not for the actual output. There is noissue with that block

Condition d - MAB block. MAB does not have restrictions for the range as stated in theCR. The statement in the CR is not true. In addition, the clamping for MAB is designeddifferent than the other blocks to avoid any bumps in the output. There are no issues withthe block.

Condition b - Arithmetic divisionDivided by zero for the counter type will not generate error. This issue is resolved byspecifying the counter arithmetic usage of the equation interpreter in the users' guide.

7. CONCLUSION

ATP0402 Rev. B, Rev. C and Rev. D (Only additional test cases in Rev. C and Rev. Dwere performed.) were successfully conducted and no anomalies were found with theapplication objects. The issues reported from last tests performed with ATP0402 Rev. Awere resolved. They were related to block usage in testing and were not related to designdefects or application defects. All the functionalities of the CQ4 analog algorithm blockswere verified successfully.

TROO 1-000-02 13 of 13 Rev. B

HF Controls

,DOOSAN HF CONTROLS CORPORATION

Additional OS Testing

TS901-001-23 Rev. A

\ Effictive Date 6/11/2010

\ N.NA

(• .:.j> ::. .

Author/Title

Reviewer/Title

Approval/Title

Nathan Reid ,

,\,- /-.-' /Gregory Rochford ' .


I l iCopyright© 2010 Doosan HF Controls Corporation

Page 1 of 11


Revision History

Date Revision Author Changes

6/1/10 A N. Reid Initial Revision

TABLE OF CONTENTS

1.0 PU RPO SE AN D SCO PE ...................................................................................................... 3

1.1 PURPOSE ............................................................................................................................... 31.2 SCOPE ................................................................................................................................... 3

2.0 REFEREN CES .............................................................................................................................. 3

3.0 FEA TURE S TO BE TESTED ................................................................................................ 3

4.0 TEST EQUIPMENT AND SOFTWARE ............................................................................. 3

4.1 SOFTW ARE TO BE TESTED ............................................................................................... 34.2 TEST SETUP ........................................................................................................................... 4

5.0 TEST PR O CED U RE S ................................................................................................................. 4

5.1 TEST CASES .......................................................................................................................... 45.1.1 Relinquish .................................................................................................................... 45.1.2 D elay ............................................................................................................................ 65.1.3 Rem ove ......................................................................................................................... 85.1.4 Exit ............................................................................................................................... 9

6.0 Q A RE C O RD S ........................................................................................................................... 11

LIST OF TABLES

Table 1: Tested Com m ands ............................................................................................................ 3

TS901-001-23 Page 2 of I1I Revision A


1.0 PURPOSE AND SCOPE

1.1 Purpose

This document serves as an addendum to HFC-6000 baseline operation system testing.The purpose for this document is to explicitly validate 7 termination utility functionsspecified in the design documents for supporting the requirements listed in RS901-000-37 SC, SAP, SEP, VHDL Requirement Specifications, Rev. I. The tests described in thisdocument shall be incorporated into the validation testing procedure in any futurereleases of the baseline operating system.

1.2 Scope

These tests apply to baseline operating system applications: SC, SAP, SEP. These testsalso apply to any operating system modules which base on the core task schedulingsupplied by the Pre-Developed Software platform which SC, SAP, SEP are based upon.

2.0 REFERENCES

DSOOI-000-01QPP 11.1RS901-000-37TS901-001-20TS901-001-21TS901-001-22WI-ENG-205WI-VV-002

Operating System Component Design Specification, Rev. CTest ControlSC, SAP, SEP, VHDL Software Requirements, Rev. IERD1 11 SEP Component Tests, Rev. BERD 111 SAP Component Tests, Rev. BERD 111 SC Component Tests, Rev. BDevelop SW test procedureDevelop VV test documentation

3.0 FEATURES TO BE TESTED

Operating System task relinquish, termination, and delaycommands will be tested:

functionality. The following

Table 1: Tested Commands

RelinquishForgoDelayWait

RemoveExit

Self-Suspend

4.0 TEST EQUIPMENT AND SOFTWARE

4.1 Software to be tested

Test engineer shall record the operation system module these tests are applied to:

Module: Build Date: Checksum:

Test Procedure for the module:

TS901-001-23 Page 3 of 11 Revision A


Test engineer shall follow the test procedure listed above to set up the environment forperforming these additional tests.

4.2 Test Setup

1. Set up the system chassis with two SBC06's and one DPM06.2. Connect the Microtek PowerPack In-Circuit Emulator to the processor being

tested.3. Connect the Microtek PowerPack In-Circuit Emulator to the PC.4. Run the PowerPack SLD emulator software on the connect PC.5. Load the software under test into the emulator and download.

5.0 TEST PROCEDURES

5.1 Test Cases

The following test cases will verify the correct functionality of the operating system.Remember to remove all breakpoints after each test case.

5.1.1 Relinquish

5.1.1.1 RELINQ

I

TS901-001-23 Page 4 of I11 Revision A


Passing this test means the RELINQ operating system command works correctly.

5.1.1.2 FORGO[



]

Passing this test means the Forgo operating system command works correctly.

5.1.2 Delay

5.1.2.1 DELA

II



]

5.1.2.2 WAIT

I



]

5.1.3 Remove

TS901-001-23 Page 8 of I I Revision A


5.1.4 Exit

5.1.4.1 EXIT

TS901-001-23 Page 9 of I1I Revision A


5.1.4.2 SSUSPE

I

TS901-001-23 Page 10 of I I Revision A


Completed by: Date:

6.0 QA RECORDS

The test technician shall record the results of the test on Attachment 7.1 of QPP 11.1 andforward the completed attachment to the reviewing engineer. Attachment 7.1 is the QArecord generated by this test procedure. The signed and completed Attachment 7.1 shallbe forwarded to document control by the reviewing engineer.

The reviewing engineer is responsible for recording the information contained inAttachment 7.1 of QPP 11.1 in the "Test Reports" access database.


Doosan HF Controls Carrollton, TX 75006 USADoosan HF Controls * 1624 West Crosby Road Suite 124 *...

Documents

Transcript of Doosan HF Controls Carrollton, TX 75006 USADoosan HF Controls * 1624 West Crosby Road Suite 124 *...