Rev 00 to CENPD-396, 'Common Qualified Platform.'

ADD I',-�mkg � �nrdn�rinn Mi Ir�IA�r PnwAr

Common Qualified Platform Topical Report

A ODIN

Combustion Engineering Nuclear Power

COMMON QUALIFIED PLATFORM

TOPICAL REPORT

CENPD-396, Rev. 00

FEBRUARY 1999

CENPD-396 of 71

00EI• ý%,JUlILO~•l # i ,•lll••l r-:unu in ai Mvniv. Powe

Page 1 of 71CENPD-396

LEGAL NOTICE This notice was prepared as an account of work sponsored by Combustion Engineering, Inc. Neither Combustion Engineering nor any person acting on its behalf:

a. Makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus. method, or process disclosed in this report may not infringe privately owned rights; or b. Assumes any liabilities with respect to the use of. or for damages resulting from the use of. any information, apparatus, method or process disclosed in this report.

ABB Combustion Engineering Nuclear PowerCommon Qualified Platform

Topical Report

TABLE OF CONTENTS

1. PURPOSE ..................................................................................................... 6

2. SCOPE ...................................................................................................... 7

3. REFERENCES .............................................................................................. 9

4. CODES AND STANDARDS ............................................................................ 11

5. COM MO N Q OVERVIEW ........................................................................... 34

5.1 Advant Controller 160 (AC160) .............................................................................. 35

5.1.1 AC160 Software .............................................................................................. 36

5.1.2 Input and Output Cards ..................................................................................... 37

5.1.3 Interface And Test Processor (ITP) .................................................................. 37

9OýMll 7 .............................................................................................................. aU

5.3 Flat Panel Display System (FPDS) ......................................................................... 38

5.3.1 Flat Panel Display System Software ............................................................... 38

5.3.2 Maintenance And Test Panel (MTP) ............................................................... 38

5.3.3 Operators Module ............................................................................................ 39

5.4 AF100 Communication ......................................................................................... 39

5.5 High Speed Link (HSL) Communication ................................................................ 39

6. COMMON Q PLATFORM .......................................................................... 41

6.1 Functional Requirements 14.��. •.9

6.2 System Description (Building Blocks) .................................................................. 41

9 1 00%tumr Q I°• • •VV•I

CENPD-396 Page 2 of 71

Common Qualified Platform ABB Combustion Engineering Nuclear Power Topical Report

6.2.1 Advant Controller ................................................................................................ 41

6.2.1.1 AC160 Hardware Description ...................................................................... 41

6.2.1.1.1 PM645C Processor Module .................................................................. 42

6.2.1.1.2 PM645C High Speed Link Communication Interface ............................. 45

6.2.1.1.3 Input/Output Subsystem ...................................................................... 46

6.2.1.2 AC160 Software Description ......................................................................... 48

6.2.1.2.1 Base Software ....................................................................................... 48

6.2.1.2.2 Application Software ............................................................................. 49

6.2.1.2.3 Software Tools ....................................................................................... 50

6.2.2.1 Flat Panel Display Hardware Description ...................................................... 52

6.2.2.1.1 Single Board Computer ......................................................................... 52

6.2.2.1.2 Flat Panel Display ................................................................................ 52

6.2.2.2 Flat Panel Display Software Description ...................................................... 53

6.2.2.2.1 Operating System .................................................................................. 53

6.2.2.2.2 Graphical User Interface ...................................................................... 53

6.2.2.2.3 Software Tools ....................................................................................... 53

6.2.2.3 Flat Panel Display System Applications ......................................................... 53

6.2.2.3.1 Operator's Module ................................................................................ 54

6.2.2.3.2 Maintenance and Test Panel (MTP) ..................................................... 54

6.2.3 Power Supply ..................................................................................................... 55

6.2.4 W atchdog Timer Module ..................................................................................... 55

6.2.5 Communication Subsystems ................................................................................ 56

6.2.5.1 Advant Field Bus 100 (AF 00) ...................................................................... 56

6.2.5.2 High Speed Link (HSL) ................................................................................ 56

6.2.5.3 External Communications ........................................................................... 57

6.3 Deterministic Perform ance ....................................................................................... 57

6.3.1 AC160 Deterministic Performance ...................................................................... 58

6.3.1.1 AC160 Application Program Execution Period ............................................... 58

6.3.1.2 Access to the AC160 Backplane .................................................................. 58

6.3.1.3 High Speed Link Communications ................................................................ 58



6.3.1.4 AF100 Com m unications ................................................................................ 58

6.3.1.4.1 Process Data Transfer ............................................................................ 58

6.3.1.4.2 Message Transfer ................................................................................ 58

6.3.1.4.3 Bus Master ............................................................................................ 58

6.3.2 Flat Panel Display System ................................................................................... 58

6.3.2.1 Datalink To External Systems ...................................................................... 58

6.4 System Diagnostics ................................................................................................ 60

6.4.1 AC160 Diagnostics .............................................................................................. 60

6.4.1.1 Processor ...................................................................................................... 60

6.4.1.2 I/O ..................................................................................................................... 60

6.4.1.3 High Speed Link ............................................................................................ 60

6.4.1.4 AF100 ............................................................................................................... 60

6.4.1.4.1 Redundant AF100 Interface (C1630/1) ................................................... 61

6.4.2 Flat Panel Display Diagnostics ........................................................................... 62

6.4.3 Autom atic Testing ................................................................................................ 62

6.4.4 Application W atchdog ......................................................................................... 62

6.5 System Interfaces ................................................................................................... 63

7. SO FTW A R E Q UA LITY ............................................................................... 63

7.1 Softw are Quality Assurance .................................................................................... 63

7.2 Softw are Configuration Managem ent ...................................................................... 63

7.2.2 Previously Developed Software ........................................................................... 63

7.3 Software VeIff cation and Validation ....................................................................... 63

7.4 Operation and Maintenance ..................................................................................... 63

8. EQUIPMENT QUALIFICATION ............................................................... 64

8.1 Com ponent Cycling and Bum -in ........................................................................... 64



ABB Combustion Engineerng Nuclear PowerCommon Qualified Platform

Topical Report

8.2 Environmental Testing ......................................................................................... 64

8.3 Seismic Testing ..................................................................................................... 67

8.4 Electromagnetic Interference (EMI) Testing ........................................................ 67

9. EQUIPMENT RELIABILITY .................................................................... 68

9.2 Mean Time Between Failures (MTBF) Analysis .................................................... 68

9.3 Operating History ................................................................................................... 68

10. DEFENSE-IN-DEPTH AND DIVERSITY ................................................ 68

11. COMMERCIAL GRADE DEDICATION PROGRAM ................................ 69

11.1 S cope ....................................................................................................................... 69

12. CONCLUSIONS ...................................................................................... 70

APPENDICES ................................................................................................ 71




1. Purpose

The purpose of this report is to describe a nuclear safety related I&C platform designed by ABB Combustion Engineering Nuclear Power (CENP). One common platform is being designed with a modular structure where various components can be applied to solve most utility needs for nuclear safety related applications, including component replacements and complete system upgrades. The platform is referred to as Common Qualified Platform; or, simply as "Common Q".

The Common Q platform is applicable to Post Accident Monitoring Systems, Core Protection Calculator Systems, Reactor Protection Systems, Plant Protection Systems, Engineered Safeguards Systems and other nuclear safety related applications. Applying one solution to all safety system applications will significantly reduce utility operation and maintenance costs, including technical support and spare parts. One solution also allows obsolescence management for the next 20 years.

The goal of this report is to seek review and approval from the U.S. Nuclear Regulatory Commission for the use of the Common Q Platform for nuclear safety-related systems.

Brackets in this document indicate proprietary information. The bracket denoting the end of a proprietary segment of this report may appear one or more pages following the bracket denoting the start of the proprietary segment. As a result care should be exercised in determining what information in this report is proprietary.




2. Scope

The scope of this report includes the hardware and software associated with the Common Q platform. The Common Q platform described herein encompasses design, qualification, reliability, defense-in-depth and diversity, and commercial grade dedication.

ABB CENP's licensing experience includes CPCs at eleven plants and other digital I & C safety related systems such as the Advanced Light Water Reactor (ALWR) design and System 80, for both the Reactor Protection System functions and for the Engineered Safety Features functions. System 80+ received NRC licensing approval in 1994 for these digital safety systems. The system 80+ licensing process has addressed the key issues of:

"* An environmental, seismic, and electromagnetic interference (EMI) testing and qualification program for digital I&C systems that is acceptable to the NRC

" A commercial grade dedication process for computer hardware and software that is acceptable to the NRC

" A verification and validation (V&V) process for computer software that is acceptable to the NRC

" A design and defense in depth evaluation process that addresses the NRC's concerns with respect to the potential for a common mode failure related to software and that meets current industry standards and licensing guidelines

In response to current utility needs, Common Q products will be used to replace obsolete components in Post Accident Monitoring Systems (PAMS) and Core Protection Calculator Systems (CPCS). Post Accident Monitoring Systems include Subcooled Margin Monitoring, Heated Junction Thermocouple Monitoring, Inadequate Core Cooling Monitoring and Qualified Safety Parameter Display systems. It is expected that these systems can be upgraded under 10 CFR 50.59 as a "digital to digital" upgrade, followed by a migration path that extends the Common Q application to replace Plant Protection Systems and Reactor Protection Systems through licensing amendments.

As Common Q components are added to update and replace analog I&C systems, full licensing review and approval by the NRC will be required. Where Common Q is implemented in CPC Plants, open loop PPS functions can be accommodated to validate system protective functions.

This topical report is structured with a main body and several appendices. The main body includes the basic platform description and addresses all of the key issues described in the Standard Review Plan, NUREG-0800, Revision 4. Each



appendix describes one system in a stand-alone environment. In other words, separate appendices will be prepared for the Post Accident Monitoring Systems, Core Protection Calculator System, Reactor Protection System, Plant Protection System and Engineered Safety Features System Actuation System. The information in the appendices include system configuration, failure mode and effects analysis, IOCFR50.59 assessment for digital to digital replacements, and other system specific information. The last appendix describes all systems in a fully integrated configuration. This appendix will also include a failure mode and effects analysis for all shared services and will assess common mode failure mechanisms.

CENPD-396 Page 8 of 71CENPD-396 Page 8 of 71


3. References

3.1 ABB PPC Document No. GKW F 310 708, "Advant Power Reliability and Availability, Reliability Data Sheet, Advant Controller 160 Including S600 I/O"

3.2 ABB Combustion Engineering Nuclear Operations Quality Assurance Manual for Service Related Activities, QAM-100, Fourth Edition

3.3 ABB Combustion Engineering Nuclear Operations Quality Procedure Manual, QPM-101

3.4 ABB Combustion Engineering Nuclear Power Instrumentation, Controls and Electrical Equipment Quality Assurance Program Description, QAM-400

3.5 ABB Document CE-CES-1 95-P, Software Program Manual For Common Q Systems, Revision 00

3.6 CENPD-255-A, Class 1 E Qualification - Qualification of Class 1 E Electrical Equipment, Revision 3, October 1985.

3.7 CEN-356(V)-P, Revision 01-P, Modified Statistical Combination of Uncertainties, July, 1987

3.8 ABB Advant Document 3BDS 003 340 B, "AC 110 System Software Extension"

3.9 ABB Advant Document GKW F 310 366 R0101, February 1997, "Data Base Elements Reference Manual"

3.10 ABB Advant Document GKWF 310 365 /en, July 1997, "PC Elements Reference Manual"

3.11 ABB Advant Document GKW F 310 361 en, July 1997, "Advant Controller 160 Product Configurations Documentation, Advant Power Product Guide," July 1997

3.12 ABB Advant Document GKW F 310 363 en, "Advant Controller 160 User's Guide"

3.13 ABB Advant Document 3BSE 000 506R0201, "Advant Fieldbus 100 User's Guide"

3.14 ABB Advant Document 3BSE 009 626R0201, "AMPL Configuration, Advant Controller 100 Series Reference Manual"




3.15 ABB Memo DPPS-97-011, April 17, 1997, Richard M. Manazir, "Minutes of Meeting in Mannheim with ABB Industrietechnik AG, February 17-28, 1997"

3.16 QNX Operating System - System Architecture for QNX 4.24, 2 nd Edition,

October 1997.

3.17 QNX Photon microGUI TProgrammers Guide, 2 nd Edition, December 1996

3.18 QNX Watcom Compiler & Tools User's Guide, First Edition, July 1996

3.19 S600 I/O Hardware, Advant Controller 160 Reference Manual, GFW F 310 364 R0101

3.20 not used

3.21 not used

3.22 ABB Atom, AB Report MOD 97 - 1250, "Oskarshamn 1 - Project Mod Evaluation of Collected Operating Experience for Advant Controller 110

3.23 ABB Power Plant Controls Report GKW F 310 291, Rev.0, "Survey of Operational Experience with Software Advant Controller AC160"

3.24 TUV Product Service GmbH, Automation, Software and Electronics IQSE Technical Report Of Software Approval (Proven In Use Demonstration) No. 960113399b/e March 4, 1998, Revision 1.0




4. Codes And Standards

This section identifies compliance to the codes and standards applicable for the COMMON Q designs.

Ikeren 8" Docu mnt Revision Tite/Conformance NOB,.

Date 1 RG 1.22 USNRC Regulatory Guide - Periodic 00

BTP HICB-8 Testing of Protection System 02/1972 BTP HICB-17 Actuation Functions (Safety

Guide 22)

The COMMON Q platform conforms to this RG, Branch Technical Position HICB-8 and -17, and IEEE Std 338 as described below:

A. Provisions are made to permit periodic testing of the complete COMMON Q system with the reactor shutdown or operating.

B. Provisions for testing the COMMON Q platform are incorporated via the Maintenance and Test Panels (MTP) and/or Interface and Test Processors (ITP) located in each COMMON Q cabinet. Testing each cabinet is performed using its MTP.

C. No provisions are made in the design of the COMMON Q platform at the system level to intentionally bypass an initiation or actuation signal that may be required during power operation (This does not include override functions that are part of the system). All trip channel bypasses are on a channel level to prevent

CENPD-396 Page 11 of7l

CENPD-396 Page I I of 71


Topical Report

2. RG 1.29

3. RG 1.47

an operator from inadvertently bypassing a trip function.

D. Manual testing for a COMMON Q platform channel is interlocked to prevent testing in more than one redundant channel simultaneously. When a trip channel is bypassed for manual testing, the bypass is indicated in the main control room.

E. Actuated devices which can not be tested during power operation, will be tested when the reactor is shut down.

F. An additional level of COMMON Q platform testing is provided by the PLC hardware self-diagnostic tests.

USNRC Regulatory Guide - Seismic Design Classification The COMMON Q platform equipment is designated as a system to be Seismic Category I. Those portions of the equipment whose continued function is not required are designated Seismic Category II and are designed so that the SSE will not cause a failure which will reduce the functioning of the COMMON Q platform safety function to an unacceptable level.

USNRC Regulatory Guide Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems Annunciator outputs are provided to


03

09/1978

00 05/1973



No.: No. Title/onforance.

indicate the bypassing of COMMON Q platform operating or trip channel bypasses where applicable.

4. RG 1.53 USNRC Regulatory Guide - 00 Application of the Single-Failure 06/1973 Criterion to Nuclear Power Plant Protection Systems Each system is designed so that credible single failures within the system shall not prevent proper protective action at the system level. See Sections 5 and 6 and the appendices of this report for system descriptions that implement these criterion. Single failures considered in the designs are addressed in the Failure Modes and Effects Analyses in the appendices.

5. RG 1.62 USNRC Regulatory Guide - Manual 00 Initiation of Protective Actions 10/1973 A. The COMMON Q RPS/ESFAS

initiation functions and actuations can be manually initiated.

B. Manual initiation of protective functions is provided at the system level.

C. Manual COMMON Q initiation switches are remotely located in the main control room. Manual ESFAS switches are located locally on the ESFAS cabinets.

D. The amount of equipment common to manual and automatic initiation paths is kept to a minimum. No credible single failure in the

cENPD-396 Page 13 of 71CENPD-396 Page 13 of 71


Topical Report

6. RG 1.75

BTP HICB-1 1

7. RG 1.89

8. RG 1.97

BTP HICB-10

manual, automatic or common portions of the COMMON Q will prevent initiation of a protective action by manual or automatic means.

E. Manual initiation requires a minimum of equipment consistent with the needs of A, B, C, and D above.

USNRC Regulatory Guide - Physical Independence of Electric Systems The COMMON Q platform conforms to this RG and BTP HICB-1 1 as described in the IEEE Std 384 compliance statement below in Section 4.26.

USNRC Regulatory Guide Qualification for Class 1 E Equipment for Nuclear Power Plants The COMMON Q conforms to this RG and IEEE Std 323 as follows. The environmental qualification of this equipment is by an appropriate combination of type testing and analysis as described further in Section 8.0 of this report.

Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident Guidance on Application of Regulatory Guide 1.97


02

09/1978

01

06/1984

03

05/1983



Topical Report

The Post Accident Monitoring Systems deployed using the Common Q Platform shall conform to these requirements.

9. RG 1.100

10. DG 1045

BTP HICB-12

USNRC Regulatory Guide - Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants The seismic qualification of the COMMON Q equipment is in accordance with this RG and IEEE Std 344 as described below. The adequacy of the design is verified by a combination of testing and/or analysis for the performance of its safety functions during and after the equipment is subjected to the forces resulting from one SSE preceded by a number of DBEs. Refer to Section 8.3 for a further description of the seismic qualification efforts.

Proposed Revision 3 to Reg. Guide 1.105, "Instrument Spans and Setpoints" Guidance on Establishing and Maintaining Instrument Setpoints The instrument uncertainties calculation of the safety systems is in accordance with ISA-67.04. The instrument uncertainties for the CPC are factored in the Statistical Combination of Uncertainties (Reference 3.7).


02 06/1988



Topical Report

RG 1.118 USNRC Regulatory Guide - Periodic 02 BTP HICB-17 Testing of Electric Power and 06/1978

Protection Systems The Common Q conforms to this RG, IEEE Std 338 and HICB-17 as described in the compliance statement for RG 1.22, Reference 4.1.

12. RG 1.152

13. RG 1.153

BTP HICB-17

USNRC Regulatory Guide - Criteria for Programmable Digital Computers in Safety Systems of Nuclear Power Plants The Common Q conforms to this RG by following IEEE-ANS Std 7-4.3.2, which provides methods acceptable for designing software, verifying software, implementing software, and validating computer systems in safety related systems. Refer to the Common Q Software Program Manual (SPM), Reference 3.5 and refer to Section 7.0 for a further description of the basic elements of the SPM.

USNRC Regulatory Guide - Criteria for Safety Systems

This Reg. Guide endorses IEEE Std 603-1991, which establishes minimum functional and design requirements for the power, instrumentation, and control portions of safety systems for nuclear power plants. See the response to IEEE

01

11/1996

1996




Topical Report

603-1991 for Common 0 conformance. NUREG-800, BTP HICB-17 references this Reg. Guide as acceptance criteria.

14. RG 1.168

15. RG 1.169

16. RG 1.171

Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

The Common Q Validation and Verification plans conform to this RG as described in Section 7 of this report and in the Common Q SPM, Reference 3.5.

Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

The Common Q design and implementation processes conform to this RG as described in the Common Q SPM.

Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

The Common Q design and implementation processes conform to this RG as described in the Common Q SPM.


1997

1997



Topical Report

17. RG 1.172

18. RG 1.173

19. IEEE Std 74.3.2

20. ANSI/IEEE Std 279

Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

The Common Q design documentation practices conform to this RG as described in the Common Q SPM.

Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

The Common Q design and implementation processes conform to IEEE Std 1074-1995 as augmented by this RG, as described in the Common Q SPM for Common Q Systems, Reference 3.5.

IEEE Standard Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations

The Common Q conforms to this standard as augmented by RG 1.152 and described in the conformance statement for RG 1.152, Reference 4.12.

"Criteria For Protection Systems For Nuclear Power Generating Stations"

CENPD-396 Page 18of71

1997

1997

1993

1971


ABB Combustion Engineednq Nuclear PowerCommon Qualified Platform

Topical Report

BTP HICB-17

21. IEEE Std 323

22. IEEE Std 338

23. IEEE Std 344

The Common Q protection systems shall be designed and tested to conform to this standard. This standard has been replaced by IEEE603-1991.

IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Systems


IEEE Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems


IEEE Recommended Practice for Seismic Qualification of Class 1 E Equipment for Nuclear Power Generating Stations



1983

1987

1987



Topical Report

24. IEEE Std 379

25. IEEE Std 383

26. IEEE Std 384

BTP HICB-11

IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems

The Common Q conforms to this standard as augmented by RG 1.53 and described in the conformance statement for RG 1.53, Reference 4.4 A further description of the application of these criterion is provided in Sections 5 and 6 of this report.

IEEE Standard for Type Test of Class 1 E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations

The Common Q conforms to this standard as below.

The aging and flame retarding qualification requirements of this standard are invoked on the Common Q custom internal wiring and cabling.

IEEE Standard Criteria for Independence of Class 1 E Equipment and Circuits

The Common Q platform conforms to this standard as augmented by RG 1.75 and Branch Technical Position HICB-1 1 as described below.

The Common Q PPS and CPC systems are composed of four


1994

1974

1992



Topical Report

27. IEEE Std 420

28. IEEE Std 494

29. IEEE Std 603

redundant cabinet assemblies which provide physical mechanical and electrical separation.

The independence and separation of redundant Class 1 E circuits within and between the Common Q assemblies is accomplished primarily through the use of fiber optic technology and as necessary 6 inch separation, barriers or conduits.

A further description of the application of these criterion is provided in Sections 5 and 6 of this report.

IEEE Standard for the Design and Qualification of Class 1 E Control Board, Panels and Racks.

The Common Q equipment conforms to this standard as augmented by and described in the compliance statements for the following IEEE Standards : -323 0, -338 (4.22), -383 (4.25), -384 (4.26), and -603 (4.29).

IEEE Standard Method for identification of Documents Related to 1 E Equipment.

The Common Q documentation conforms to this standard by having the term "Nuclear Safety Related" applied on the face of each document and drawing.

IEEE Standard Criteria for Safety

cENPD-396 Page 21 of 71

1982

1974

1991



Topical Report

BTP HICB-3 systems tor Nuclear F BTP HICB-5 Generating Stations

BTP HICB-9 The Common Q confc

BTP HICB-10 standard as augment4 Rev 00, 12/1985 and

BTP HICB-11 Technical Positions H BTP HICB-12 17-19 and 21. BTP HICB-17

irms to this ed by RG 1.153, Branch I1CB-3, 5, 9-12,

BTP HICB-18 BTP HICB-19 BTP HICB-21

30. IEEE Std 627

31. IEEE Std 730.1

32. IEEE Std 828

IEEE Standard for Design Qualification of Safety System Equipment used in Nuclear Power Plants

The Common Q qualification process conforms to this standard as described in Section 8 of this report and the conformance statements for IEEE Std 323 and RG 1.89.

IEEE Standard for Software Quality Assurance Plans

The Common Q design and implementation processes conform to this standard as described in Section 7 of this report and the Common Q SPM, Reference 3.5.

IEEE Standard for Software Configuration Management Plans

The Common Q design and


1980

1989

1990



Topical Report

33. IEEE Std 830

34. IEEE Std 1012

35. IEEE Std 1016

36. IEEE Std 1028

implementation processes contorm to this standard, augmented by RG 1.169, and as described in Section 7 of this report and the Common Q SPM, Reference 3.5.

IEEE Recommended Practice for Software Requirements Specifications

The Common Q design documentation practices conform to this standard, augmented by RG 1.172, and as described in the Common Q SPM, Reference 3.5.

IEEE Standard for Software Verification and Validation Plans

The Common Q Validation and Verification plans conform to this standard, augmented by RG 1.168, and as described in Section 7 of this report and in the Common Q SPM, Reference 3.5.

IEEE Recommended Practice for Software Design Descriptions

The Common Q design documentation practices conform to this standard as described in the Common Q SPM, Reference 3.5.

IEEE Standard for Software Reviews

and Audits

The Common Q SPM, Reference 3.5,


1993

1986

1987

1988



Topical Report

describes the software reviews and audits that will be performed per this standard.

37. IEEE Std 1042

38. IEEE Std 1074

39. ISA-$67.04

40. ANSI C37.90.1

IEEE Guide To Software Configuration Management

The Common Q SPM, Reference 3.5, includes the SCMP for Common Q systems, and uses this standard as a guide.

IEEE Std for Developing Software Life Cycle Processes

See response to Reg. Guide RG 1.173, Ref. 4.18.

Setpoints For Nuclear Safety Related Instrumentation Used in Nuclear Power Plants

For digital to digital replacements (i.e., CPC, QSPDS, etc.) the replacement Common Q system will be as accurate or more accurate than the system it is replacing, and will use existing field interfaces and setpoints. For analog to digital Common Q replacements (i.e., RPS, PPS, etc.), an assessment shall be made on the impact of any applicable setpoint analyses by the replacement system.

IEEE Standard Surge Withstand Capability (SWC) Tests for Protective


1987

1995

1994

1989



Reference Dcment Revision No. NoNo.

Date Relays and Relay Systems.

The Common Q EMI/RFI qualification plans (described in Section 8.3 of this topical report) include testing using the oscillatory SWC test wave as defined in Section 2.2 of this standard.

41. EPRI NP- EPRI Guideline for Utilization of 1988 5652 Commercial Grade Items in Nuclear

Safety Related Applications

This guideline discusses four methods for use in commercial grade dedication: (1) special tests and inspections, (2) commercial-grade survey of supplier, (3) source verification, and (4) acceptable supplier/item performance record. ABB's practices encompass all 4 of these processes as follows:

Special tests and inspections are part of the Common Q qualification program that includes seismic, EMI/RFI and environmental testing of the commercial grade item (Section 8 of this report)

Commercial-grade survey of supplier, source verification, and acceptable supplier/item performance record is part of the Hardware and Software Commercial Grade Dedication Processes described in Section 11 and in Reference 3.4, QOP 401.


ABB Combustion Engineernna Nuclear PowerCommon Qualified Platform

ToDical ReDort

42. EPRI Topical Report TR-1 02323

43. EPRI Topical Report TR106439

44. MIL-STD461D

45. MIL-STD462D

EPRI Guidelines for Electromagnetic Interference Testing in Power Plants

The Common Q equipment conforms to this standard as described in Section 8.3 of this topical report. Susceptibility and emissions of the equipment are determined for both conducted and radiated signals.

EPRI Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications

The Common Q Commercial Grade Dedication Program for its building blocks shall follow the guidelines outlined in this report.

Military Standard Electromagnetic Interference Characteristics Requirements for Equipment

The Common Q equipment is qualified in accordance with this Mil Std as augmented by EPRI TR-1 02323, Reference 4.42 and further described in Section 8.3 of this topical report.

Military Standard Electromagnetic Interference Characteristics, Measurement of


1997

1996

1993

1993



Topical Report

46. BTP HICB-14

47. BTP HICB-18

48. BTP HICB-19

49. BTP HICB-21

The Common Q equipment is qualified in accordance with this MIL STD as augmented by EPRI TR-1 02323, Reference 4.42 and further described in Section 8.3 of this topical report.

Guidance on SW Reviews for Digital Computer-Based I&C Systems

The Common Q program meets the intent of this BTP and is defined in the Common Q Software Program Manual.

Guidance on Use of Programmable Logic Controllers in Digital Computer-Based I&C Systems

The Common Q program meets the intent of this BTP and is defined in the Common Q Software Program Manual and its Commercial Grade Dedication Program as described in Section 11.

Guidance on Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based I&C Systems

Defense-in-Depth and Diversity for specific systems are discussed in the appendices of this Topical Report.

Guidance on Digital Computer Real-Time Performance


I I


ABB Combustion Enjineednnl Nuclear PowerCommon Qualified Platform

Tooical ReDort

50. EPRI TR-1 07330

51. NUREG0737

52. NUREG0800

Common Q designs will be described in more detail in follow-up appendices to this Topical Report and will encompass the existing design parameters of the systems that are replaced.

Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants

The appendices in this topical report shall contain a conformance matrix indicating how the Common Q platform complies with this specification.

Clarification of TMI Action Plan Requirements

All Common Q Post Accident Monitoring Systems shall meet these requirements.

Chapter 7 of the USNRC Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Rev 4

The NRC will use this NUREG as the basis for their review of this topical report. Refer to the conformance statements for each Branch Technical Position listed herein.


1998

1980

1997


ABB Combustion Engineerinq Nuclear PowerCommon Qualified Platform

Topical Report

53. NUREG/CR- "Method for Performing Diversity and 1994 6303 Defense-in-Depth Analyses of

Reactor Protection Systems"

54. NUREG/CR6421

The appendices shall contain analyses executed according to this methodology.

A Proposed Acceptance Process For Commercial-Off-The-Shelf (COTS) Software in Reactor Applications

This NUREG shall be used as guidance when developing the Software Commercial Grade Dedication Plan for the Common Q COTS software (i.e., [ ] and ABB Advant). Section 11.1 discusses the Software Commercial Grade Dedication process.

55. 10 CFR 50 Appendix A

GDC 1: "Quality Standards and Records"

The Common Q Quality Assurance procedures shall conform to these criteria.

GDC 2- "Design Bases For Protection Against Natural Phenomena"

GDC 4: "Environmental And Dynamic Effects Design Bases"

Common Q hardware and software qualification procedures shall conform

1996



Topical Report

to these criteria.

GDC 12: "Suppression Of Reactor Power Oscillations"

The Common Q CPC implementation will still have the Local Power Density Trip function that addresses this criterion.

GDC 13: "Instrumentation And Control"

Common Q systems shall be designed and tested to meet this criterion.

GDC 19: "Control Room"

A Control Room interface (Flat Panel Display System) is provided for each Common Q system.

GDC 20: "Protection System Functions"

Common Q systems responsible for the functions defined in this GDC shall be designed and tested to conform to this criterion.

GDC 21: "Protection System Reliability and Testability"


ABB Combustion Engineering Nuclear Power


GDC 22: "Protection System Independence"

GDC 23: "Protection System Failure Modes"

GDC 24: "Separation of Protection and Control Systems"

GDC 25: "Protection System Requirements For Reactivity Control Malfunctions"

The Common Q Platform applications

support the following GDCs:

GDC 10: " Reactor Design"

The Common Q DPPS and CPC applications support this criterion. See appendices for details.

GDC 15: "Reactor Coolant System Design"

The DPPS High Pressure Trip is an example of a Common Q application supporting this criterion. See DPPS appendix for details.

GDC 16: "Containment Design"

The DPPS is a Common Q application that supports this criterion. See DPPS appendix for details.




Topical Report

GDC 28: "Reactivity Limits"

Both the CPC and DPPS Common Q applications (e.g., Variable High Power Trip or High Linear Power Trip) support this criterion.

GDC 29: "Protection Against Anticipated Operation Occurrences"

Both the CPC and DPPS Common Q applications support this criterion.

GDC 33: "Reactor Coolant Makeup"

Both the DPPS and ESFAS Common Q applications support this criterion. Refer to the DPPS and ESFAS appendices for details.

GDC 34: "Residual Heat Removal"

Common Q applications detailed in the appendices are not applicable to this criterion.

GDC 35: "Emergency Core Cooling"

The DPPS and ESFAS Common Q applications support this criterion.

cENPD-396 Page 32 of 71




GDC 38: "Containment Heat Removal"

The Common Q PPS application supports this criterion. Refer to the DPPS appendix for details.

GDC 41: uContainment Atmosphere

Cleanup"

GDC 44: "Cooling Water"

The Common Q PAMS application supports these criteria by displaying relevant variables. Refer to the PAMS appendix for details.

CENPD-396 Page 33 of 71Page 33 of 71CENPD-396


5. Common Q Overview

This section of the topical report gives a general overview of the Common Q system components. More details are provided in Section 6. Application of the Common Q to specific systems is given in the appendices.

Common Q by definition is Class 1 E, therefore all of its building blocks are Class 1 E. The Common Q platform consists of the following major building blocks which can be used to design a specific safety system:

0 Advant Controller 160 (AC160) with PM645C Processor Module (also used for Interface and Test Processor - ITP in figure)

0 Input and Output Cards 0 Power Supply • Flat Panel Display System (for Operators Module (OM) and

Maintenance/Test Panel (MTP) shown in figure) , Advant Fieldbus (AF100) Communication 0 High Speed Link (HSL) Communication

Figure 5 is a generic representation of how the building blocks are configured for a

safety system.

[ ]

ITP: Interface and Test Processor WDT: Watchdog Timer FOM: Fiber Optic Modem

Figure 5



5.1 Advant Controller 160 (AC160)

The AC160 is used for executing the protection algorithms for the Common Q applications.

ABB's Advant Controller 160 (AC1 60) is a high performance modular controller with multiprocessing capability for logic control. The processor module used in the Common Q applications is the PM645C.

AC160 is fully modular with modules mounted in 19" subracks. A typical Common Q configuration consists of processor module(s), I/O modules and communication modules contained in one or two subracks. Each rack can accommodate up to 10 modules.

To provide scalability in performance and reliability, up to six processor modules can be used concurrently in one controller. The processor modules within an AC160 controller share data with each other using the global memory resident on the AF100 Communication Interface (model C1630, coax or C1631, twisted pair; referred to in this document as C1630/1).

Each processor module supports two high speed communication links (HSL). The HSLs will be typically used in the broadcast mode to transmit data to other channels of the safety system. These data links are electrically isolated using fiber optic cable. The HSL is discussed in Sections 5.5 and 6.2.5.2.

The processors are programmed in the ABB Master Programming Language (AMPL). In addition to the logic constructs, this language provides logic block interfaces to the AFR00 network, global memory, I/O and the HSL. AMPL is discussed in Section 6.2.1.2.

Although the processor module has a built in watchdog timer module, an independent external watchdog timer is to be used in the Common Q systems. Depending on the specific system application, the watchdog timer can be used to annunciate a failure, actuate a channel trip, or set output states to predefined conditions. For example, the watchdog timer may be used to control the power to the relays on the digital output module. Isolation is provided for those applications where the watchdog timer is connected to external systems. The Watchdog Timer module is discussed in Section 6.2.4.

Fiber optic modems that have gone through a commercial grade dedication process will be used for electrical isolation from other safety channels and nonsafety systems.




5.1.1 AC160 Software

Software programming is done on a x86-based Personal Computer using the ABB AdvaBuild software development environment. The target code is generated and downloaded to the AC1 60 controller via the Personal Computer serial port. The AC160 software development environment is called AdvaBuild. The AdvaBuild product consists of the following utilities:

"* Application Builder "* AS100 Edit * Function Chart Builder * Bus Configuration Builder

The tools use the ABB Master Programming Language (AMPL). AMPL is based on a library of predefined function blocks, called Process Control (PC) elements, and database elements, called DB elements. The PC elements and DB elements are combined into programs that form a complete control function. Refer to Section 6.2.1.2 for more information on the AC160 software.

The Advant Controller 160 software consists of a real-time operating system [ ], task scheduler, diagnostic functions, communication interfaces, and

user application programs, all of which reside on flash PROM in the PM645C processor module. Refer to Section 6.2.1.2 for a more detailed description of the AC160 software.

The application program in an AC160 coexists with the other AC160 system software programs such as the diagnostic routines and communication interfaces. The task scheduler schedules the execution of all these different entities.

[ ] Data is acquired over the 1/0 backplane (BIOB), the AF1 00 communication interface and the high speed link (HSL) interface. The AC160 base software resides in the AC 160 CPU module flash PROM (non-volatile memory).

[ ]



Creation of the application program (PCPGM) utilizes the AdvaBuild software development environment that includes a function block library (PC element library). The programmer references the PC element library to create specific logic for the application. Refer to Section 6.2.1.2.2 for a description on how the software is developed.

The executable code for the standard set of logic blocks (PC elements) is part of the base software. In addition, custom PC elements can be created as an extension to the base software.

5.1.2 Input and Output Cards

The Advant Controller 160 uses the S600 I/O system. A range of I/O modules is available, covering analog and digital signals of various types. In addition, there are modules for temperature measurement and rotational speed measurement. The process signals are connected to the front of the I/O modules. S600 1/0 modules that will be used in Common Q applications are discussed in Section 6.2.1.1.3.

The system software in the Advant Controller 160 automatically checks that all I/O modules are operating correctly at system startup and by the application interfacing with the module. Reactions to errors are application specific and are discussed in the applicable appendices.

5.1.3 Interface And Test Processor (ITP)

In addition to the AC160 executing the protection algorithms for Common Q applications, some Common Q configurations (PPS and RPS) have another AC160 controller used for on-line testing.

The ITP is an independent AC160 chassis. It communicates with the MTP and the other AC160 chassis in the channel (executing protection algorithms) by way of a redundant AF100 network. The ITP is connected to optically isolated data links that allow all the ITPs in a multi-channel system to communicate to one another. The fiber optic data links provide isolation and the ITP provides communication buffering to protect against external channel faults.

The ITP is a testing system which performs continuous passive monitoring of expected outputs based on current inputs, and manually initiated automatic active testing. The ITP man-machine interface is the MTP. The combination of the ITP and MTP enhances maintenance and surveillance testing. Cross channel data is compared in the ITP for consistency. The status of the other channels is checked before any channel test is initiated.



5.2 Power Supply

The power supply is based on a 19" rack assembly with plug-in modules. Various modules are available to accommodate different output voltages.

The power supply will be designed for use by the processor, loop transmitters, digital logic, relays, and reed switch position transmitter circuits. Separate power supply modules will be used for these different functions where appropriate.

Redundancy will be available. Faults in one half of a redundant supply will not affect the other from operating normally. Redundant modules can be replaced while the power supply remains energized without disturbing the powered system.

The power supply will have features such as overvoltage and overtemperature protection, soft start, and high power factor.

5.3 Flat Panel Display System (FPDS)

The flat panel display system consists of the flat panel display with touch screen capability, a single board computer, and standard communication interfaces for communication to the Advant Controller and isolated external systems.

[ ]

5.3.1 Flat Panel Display System Software

The flat panel display is used for the Operator's Module and the Maintenance and Test Panel.

[ I There are two types of programming for the flat panel display: application programs written in C and displays built using a display builder.

5.3.2 Maintenance And Test Panel (MTP)

The Maintenance and Test Panel is a flat panel display system.

The MTP will be used for maintenance and test functions in each Common Q system channel. The MTP provides the means for the operator or technician to bypass a channel, initiate automatic tests, and display detailed system diagnostic messages.

The MTP interfaces to the AC160 via the redundant Advant AF100 communication bus. The MTP also has non-volatile memory, such as a solid state disc, used for storing maintenance information to support warm system starts using technician updated data.



5.3.3 Operators Module

The Operator's Module uses the same Common Q flat panel display system. The Operator's Module will be used for operator functions such as changing setpoints or viewing control rod positions. Non-volatile memory, such as a solid state disc, is used for operator setpoints or other applications where warm system starts using updated constants is needed.

For some systems such as the QSPDS, the functions of the Operator's Module and the MTP may be combined (see the appropriate appendix for details).

5.4 AFIO0 Communication

The Advant Fieldbus 100 (AF1 00) is a high performance bus, which will be used for intrachannel communications and, for ITP to ITP interchannel communications. Interchannel communications will be on a separate, isolated AF100 bus. Each bus will be fully redundant.

The Operator's Module, the MTP, the ITP, and the AC160 processor chassis are connected to the intrachannel bus.

The Advant Fieldbus 100 supports two different kinds of communication: process data and message transfer. Process Data transfer is managed through Cyclic Data Packets (CDPs). Each CDP is configured on the communication interface for a certain signal identity, cycle time, size and direction. Process data is always transferred cyclically on the Advant Fieldbus.

The message transfer services are implemented to enable stations on the Advant Fieldbus to send and receive messages. Message transfer is not performed cyclically, but only when one (or more) of the attached communication interfaces have something to send. Message transfer does not influence process data transfer in any way. Process data transfer remains deterministic since a certain amount of the Advant Fieldbus bandwidth is reserved for message transfer.

The Advant Fieldbus is deterministic and supports power up and power down of equipment on the bus.

5.5 High Speed Link (HSL) Communication

Each PM645C module actually contains both an application processor and a dedicated HSL communications processor. Depending on the system configuration requirements, one PM645C module may perform both application and communication processing.

The HSL will be used to transmit broadcast data to other channels in a multi-channel system. The HSL is a serial RS 422 link using High Level Data



Link Control (HDLC) protocol with a 3.1 Mbits/second transfer rate. Each PM645C has one independent transmit link (output to two ports) and two independent receive links. The transmit data is optically isolated and transmitted to the other channels. Receive links on multiple PM645Cs are used to receive data from each of the other channels.

The data links are true broadcast only and meet the communication isolation requirements of IEEE 7-4.3.2.

Multiple HSLs may be used to provide redundancy for the interchannel communication.




6. Common Q Platform

6.1 Functional Requirements

Functional Requirements for each application of the Common Q platform is discussed in application specific appendices to this topical report. The following applications shall be defined in the appendices:

"* Core Protection Calculator (CPC)

"* Reactor Protection System (RPS)

"* Plant Protection System (PPS)

"* Post Accident Monitoring Systems (PAMS)

"* Engineered Safety Features Actuation System (ESFAS)

The specific appendix for each of the above systems will be submitted independently of the base topical report. Additional applications of the Common Q building blocks may also be submitted in additional specific appendices.

6.2 System Description (Building Blocks)

The Common Q Platform is based on the idea of using a consistent set of qualified building blocks that can be used for any safety system application. The building blocks are:

1. Advant Controller

2. Flat Panel Display

3. Power Supply

4. Watchdog Timer Module

5. Communication Subsystems

6.2.1 Advant Controller

Advant Controller 160 is part of the ABB Advant Power family. It is used in applications that require high availability and redundancy.

6.2.1.1 AC160 Hardware Description

The Advant Controller 160 (AC160) consists of a number of hardware modules that can be configured in a chassis. These hardware modules fall into the general categories of processor, inputs and outputs, and communications.


Common Qualified Platform

ABB Combustion Engineering Nuclear Power Topical Report

ABB's Advant Controller 160 is a high performance modular controller for logic control with multiprocessing. Advant Controller 160 and its S600 I/O can be used stand-alone or it can communicate with other controllers.

The controller is specifically designed for high speed PLC type applications, but it also brings considerable problem solving power to all analog signal handling and arithmetic applications. Advant Controller 160 covers a wide range of programmable functions such as logic and sequence control, analog data handling, arithmetic, and pulse counting.

Advant Controller 160 is fully modular with modules mounted in 19" subracks. The subracks are designed for rear mounting. A minimal Advant Controller 160 configuration consists of one or two subracks containing the processor module, a power supply module and up to 18 I/O and communication modules.

In order to extend the number of I/0 modules, up to 7 I/O stations may be connected to the controller, each consisting of up to two subracks.

By using redundant communication interface modules to Advant Fieldbus and to I/O extension bus, redundant power supply modules and redundant external power, the availability of the Advant Controller 160 can be increased as needed to achieve high reliability and availability. When operated in the redundant mode, failure of one of the redundant items does not interfere with the continued operation of the other. Redundant modules can be replaced during operation of the system.

To provide scalability in performance and reliability, up to six processor modules can be used concurrently in one controller. By adding one or more processor modules, the performance of the controller can be easily extended to meet the requirements of any specific application.

The processors share data with each other using the global memory contained in the AF100 Communication Interface (C1630/1).

Advant Controller 160 is designed to operate in demanding environments. A hardened enclosure assists in protecting the printed circuit boards from mechanical and electrostatic damage.

6.2.1.1.1 PM645C Processor Module

The hardware for Advant Controller 160 consists of processor modules, communication modules, I/O modules and process connectors, subracks, cable ducts and power supplies.

The subracks and cable duct are designed for wall mounting or mounting in cabinets. Normally they are mounted in cabinets. The modules are housed in a





sheet steel enclosure, which assists in protecting the circuit boards. The

enclosure has openings at the top and bottom for air convection.

[ ]

Processor Module

Although four different types of processor modules are available for Advant Controller 160, only the PM645C will be used.

The PM645C features important for Common Q Applications are the following:

" The PM645C processor module consists of two hardware sections, the processing section with microprocessor and memory for the application program and the communication section with a separate microprocessor and memory for the communication signal exchange to other controllers.

" A Motorola MC68360 processor (application processor), 1 Mbyte nonvolatile memory (Flash PROM) for the user built application and 2 Mbytes of nonvolatile memory (Flash PROM) for the system software and 2 Mbytes of Static RAM (SRAM). At startup, the application and system software are copied from the nonvolatile memory into the SRAM memory where it is executed.

" The memory is not expandable. The system software flash PROM holds the controller system software executed in run time. The user flash PROM holds the controller system configuration and application program which is loaded to the RAM at system start.

"* An RS-232-C port dedicated for connection of Advant Station 100 Series Engineering Stations (used for system maintenance and programming).

"* A second Motorola MC68360 processor for HSL communications, with an extra 512 Kbytes nonvolatile memory (Flash PROM) for the system software and an extra 2 Mbytes SRAM is provided for communications.

" All PM645C processor modules contain two RS-422 ports (high speed serial links) for signal and data exchange between processor modules for application and system purposes called Link 1 and Link 2.

Subrack

The 10-position controller subrack is the primary subrack of the Advant Controller 160. It provides dedicated positions for processor modules, communication, and bus extender modules. There is a two-digit thumbwheel



switch for setting the station address. The individual module address is given by its position in the subrack.

The bus connector links the controller subrack to an optional extension subrack via a bus cable. The 10-position extension subrack extends the number of I/0 modules of a station. The individual module address is given by its position in the subrack.

Up to seven additional subrack pairs (1/0 stations) can be connected if additional

I/0 requirements apply.

Diagnostic Functions

Advant Controller 160 performs a variety of diagnostic and supervision functions to continuously monitor the correct operation of the whole system. Each of the modules has diagnostic functions. The CPU module monitors the system as a whole by collecting all the diagnostic information and checking the consistency of the hardware configuration and the application software.

The supervision functions are subdivided into the following groups:

"• Problem detection

"• Signaling the nature of the problem

"• Automatic reaction to problems

Each module is equipped with two LED indicators, FAULT and RUN. During normal operation, the green RUN LED is lit on all modules. The red FAULT LED lights only if a problem occurs on the module. The status of the modules and of the I/O signals is also indicated by the associated DB (database) elements in the application program.

Missing modules are also signaled by the function supervising the configuration on the associated (DB) elements. The PC (process control/application) program can process the status signals on the DB elements in the same way as other signals. This feature provides the capability to include error-handling routines in application programs. Severe problems (e.g., component errors) in the processor module stop the processor module. These errors also switch an internal relay in the processor module. For Common Q applications, stopping the processor will also cause an external and independent watchdog timer to timeout.

The diagnostic function displays an error code on the front of the CPU module to facilitate fault tracing.

The CPU checks the consistency of the module configuration specified by the DB elements and the actual configuration of the modules. This check is




performed each time a module is switched on before it is switched to RUN. If the module installed does not correspond to the type of module specified by the module DB element, then the module is not switched to RUN and the error is indicated on the associated channel DB elements.

[ ]

The following indicators are on the front of the PM645C processor module:

"• The green LED, RUN1, indicates that the processing section of the PM645C is operational.

"* The green LED, RUN2, indicates that the communication section of the PM645C is operational.

"• The red LED, FAULT, indicates a severe fault and normally the processor module must be replaced.

"* The diagnostic display indicates the processor module operating mode:

P-= startup

P1 normal operation

P3 = stop after initialization

P4 = CPU is not running an application

P5 = loading application program from PROM

P6 = engineering station is connected

PL = waiting for download of system software

PU = loading system software option (enabling options)

xx = error code (If a two digit number (xx) is visible, the system has stopped and the number represents an error code).

6.2.1.1.2 PM645C High Speed Link Communication Interface

The PM645C processor module contains two high-speed communication links (Link 1 and Link 2) provided for signal exchange. The HSLs are serial RS-422 channels with HDLC protocol with a speed of 3.1 MBaud on each channel. The HSLs are used in the broadcast mode and function to transmit data to other channels of the safety system. The data links are isolated using fiber optic modems.




Each link transmits the same data, i.e. there is only one transmit data table available to the application program. However, the data can be sent to two different locations. The receivers of each HSL are independent and can receive different data independently.

6.2.1.1.3 Input/Output Subsystem

The Advant Controller 160 uses the S600 IO system. A range of I/O modules is available, covering analog and digital signals of various types. In addition, there are modules for temperature measurement, pulse counting, position measurement and rotational speed measurement applications. The process signals are connected to the front of the I/O modules.

The controller may contain up to 75 I/O modules. The maximum number of I/O signals for an Advant Controller 160 is 1500. The actual CPU load depends on the configured cycle times for the application program. Function element execution times are documented in Reference 3.12.

All I/O modules may be replaced while the system is powered (and typically in test mode). Removing the front connector disconnects the process signals. A newly inserted module is automatically put into operation if the system identifies the module as being of the correct type and without faults.

The following module types are listed to show the variety of modules available. The specifications for any module used in a specific application will be reviewed before inclusion into the design for that system.

Analog Input Modules

[ ]

Analog Output Modules

[ I Digital Input Modules

[ ] Digital Output Modules

[ ]

Pulse Counting Module

[ ] Status of I10 signals




A yellow LED for each signal connected to the process indicates the status of the digital signals (DI, DO):

"* Digital input signals: The signal status LED is located in the input signal path, i.e., it directly indicates input current.

"* Digital output signals: The signal status LED indicates the output signal status.

" Checks the process voltage supply and fuses for process signals. Fuses or circuit breakers are the most frequent cause of missing process signals.

Unused Supervised Inputs

Unused analog inputs must be terminated appropriately in order to avoid error detection and signaling by the processor modules. The signals must also be set to OFF / Inactive in the database. Inactive signal values are not updated in the database.

Calibration of Analog Input and Outputs

During the course of manufacture, all measurement and output ranges of analog I/O modules are calibrated at an ambient temperature of 25°C. Normally, the modules need no further calibration. If the accuracy is outside the specified limits (e.g., due to component failure), the module must be replaced. There are no calibration adjustments.

The analog modules are designed in such a way that component aging has little affect on specified accuracy. This is the result of:

" Use of high quality, low drift components. For example, the analog circuits do not include any potentiometers (which are often the cause of drift problems).

" Use of self calibration techniques in modules of high specified accuracy (high end modules). The self calibration techniques are based on high precision resistors and on voltage sources with extremely low drift due to temperature and aging.

The system software in the Advant Controller 160 automatically checks that all I/O modules are operating correctly. In the event of a defective or missing module (e.g., during replacement), the module and associated signals are flagged at the "ERR" terminal of the data base elements. The signal value (VALUE) is not updated as long as the error persists. Common Q applications shall monitor the ERR terminal for each DB element.




The I/O module runs a self-testing routine following power-up and during operation. Provided, no serious defect is detected, the red LED (FAULT) extinguishes. The system software checks that:

"* The module is in the correct position

"* The module is of the right type

"* The module is not defective

"* The process connector is in place

If all these points are in order, the green LED (RUN) lights, the error flag on the data base element is reset, and the module switches to the operating mode.

Bus extender C1615

In addition to its function as a bus extension, the bus extender module C1615 installed in the basic station (i.e., the station with the processor modules) contains the communication and bus cable supervision functions.

"* The green LED (RUN) indicates that the bus extender is operational.

"* The red LED (FAULT) indicates a severe fault and normally the bus extender module must be replaced.

"* The green LED (TRANSFER) indicates, by flashing, data read and write via the extension bus.

If the green LED (TRANSFER) on a C1610 does not light, all outputs on the I/O station are set to "0".

6.2.1.2 AC160 Software Description

The Advant Controller 160 Software consists of a real-time operating system [ ], AC160 task scheduler, diagnostic functions, communication interfaces, and user application programs, all of which reside on flash PROM in the PM645C processor module. Refer to section 6.4.1 for a description of diagnostic functions, and sections 6.3.1.2-4 for a description of the communications.

6.2.1.2.1 Base Software

Processor system software consists of the standard AC 160 system software products developed by ABB Industrial Systems, AB [ ]. The system software [ ] executes the control units of the application program, diagnostics routines and communication interfaces to the I/O backplane (BIOB), the AF1 00 Communication Interface and the High Speed Link (HSL) interface. The AC160 base software resides in the AC 160 CPU module flash PROM (non-volatile



memory). This software is under configuration control and its version is identified

in the manner shown in Figure 6.2.1.2-2.

[ ]

Figure 6.2.1.2-2 Base Software Identification

There are software options available that add functionality to the PLC that are layered on top of the base software. Common Q applications are not expected to require any options to the base software.

6.2.1.2.1.1 [ ] Real Time Operating System

[ ]

6.2.1.2.1.2 AC160 Kernel

The application program and its control modules in an AC160 coexist with the other AC160 system software programs such as the diagnostic routines and communication interfaces. The AC160 task scheduler schedules the execution of all these different entities based on predefined priorities, the assigned cycle time of the control modules and their entry in the cycle time table. The cycle time table is used to assign priorities to control modules with the same cycle time.

6.2.1.2.1.3 Function Block Library

The executable code for the standard set of logic blocks (PC elements) is part of the base software. In addition, custom PC elements can be created and flashed as an extension to the base software. [ ]

6.2.1.2.2 Application Software

Creation of the application program (PCPGM) utilizes the AdvaBuild software development environment that includes a function block library (PC element library). The programmer references the PC element library to create specific logic for the application.

The application program is written in the AMPL (ABB Master Programming Language) language and consists of a PC (process control) part and a DB (database) part.

The software for each application of Common Q is described in the Appendices to this topical report.



6.2.1.2.2.1 PC Part

The PC part of a user application program describes the control algorithm and the control strategy. It contains the PC elements (logic blocks), their interconnections and the connections to the DB elements. A PC program can be divided into several executable units (control modules), each consisting of PC elements. Each executable unit can be given its own cycle time and its own execution conditions. PC elements are the smallest "building blocks" in a PC program.

The I/O modules continuously scan and store values independent of control module execution. When the control module executes, its first operation is to get the process input values over the Backplane I/O Bus (BIOB) from the 1/0 modules.

[ I]

On processor initialization or restart, the application program is reloaded from

FPROM into RAM and then started.

6.2.1.2.2.2 Database Part

The DB part in an Advant Controller 160 contains the DB elements which are used to configure the controller. DB elements in an Advant Controller 160 system describe the following items:

> The hardware configuration of the Advant Controller 160 system: processor module, I/O modules and Communication interfaces (e.g., HSL and AFR00)

> Common data elements (e.g., global data)

> Connection between the hardware and the common data elements (e.g., Data Set Peripheral (DSP) for AF100 communication and DB elements for the HSL)

6.2.1.2.3 Software Tools

Software programming is done on an x86-based PC and then the target code is generated and downloaded to the AC160 controller via the PC serial port. The AC160 software development environment is called AdvaBuild which is a product of ABB Industrial Systems. The AdvaBuild product consists of the following utilities: Application Builder, AS100 Edit, Function Chart Builder and Bus Configuration Builder. The tools use the ABB Master Programming Language (AMPL). AMPL is based on function blocks, called PC elements,




which are combined with each other into programs which form a complete

control function.

For further description see References 3.9 and 3.10.

These tools can be used for on-line programming of the controller. However, for safety-related Common Q applications, this capability will be controlled administratively with additional password protection.

6.2.1.2.3.1 Type Circuits

AdvaBuild supports the development of type circuits. A type circuit is a logic block composed of PC elements that can be used many times in a control program. The same tool (Function Chart Builder) is used for both type circuit and control program development. Once a type circuit is developed it can be used in a control program just like any other PC element.

Although the type circuit appears as a single block, each PC element in the type circuit becomes part of the application program, much like a macro represents a set of language instructions. Therefore, the purpose of type circuits is to increase readability of the control program and to provide configuration control for a set of code, and not for performance enhancement or memory conservation.

The type circuit is considered a module and therefore must undergo documented module tests when used in protection class software as described in the Software Program Manual (Reference 3.5).

6.2.1.2.3.2 Custom PC Elements

Custom PC elements appear as standard PC elements with input and output terminals when inserted in a control program. They are developed outside of the AdvaBuild development environment and then added to the library of PC elements. Once in the library, the custom PC element is available for the programmer to use in a control program.

The custom PC element is developed using the system software extension option for the AC 160 that allows custom PC elements to be added to the controller. The tools used to develop the custom PC element include a C compiler (MCC68K) and linker (LNK68K) from Mentor Graphics Microtec division. The linker generates a Motorola S-Record image file for the PC element. This image file is downloaded to the AC160 processor module's flash




PROM using the AC160 tool AC1601LO. Reference 3.8 describes the methodology for creating these elements.

The design process for a custom PC element requires the programmer to define the inputs and outputs of the module prior to coding the algorithms. This enforces a methodical design approach to building software modules.

Unlike a type circuit, which is a cluster of PC elements, a custom PC element increases the performance of the execution of a program because it is only one PC element. Therefore, sophisticated logic that would require many PC elements can be encapsulated into a single custom PC element.

The custom PC element shall be classified as a module and therefore undergo documented module tests as described in Section 7 for protection class software and the Software Program Manual (Reference 3.5).

6.2.2 Flat Panel Display System

The Flat Panel Display System consists of an x86 Single Board Computer for display and communication programs and a Flat Panel VGA interface for displays.

The flat panel display will be used for the operator display and, maintenance/test functions. This would include displaying real-time process data, entering setpoint data, starting surveillance tests, and displaying system status.

6.2.2.1 Flat Panel Display Hardware Description

The flat panel display system consists of the flat panel display with touch screen capability, a single board computer, and standard communication interfaces for communication to the Advant processor and other systems.

6.2.2.1.1 Single Board Computer

The single board computer is based on [ ]. There is an interface to the Advant AF100 communication bus so data can be communicated with the Advant processors. Other standard interfaces such as Ethernet and serial links are available for communications to external systems over fiber optic cables. The most typical external system that the FPDS will interface to is the Plant Computer. Typical Plant Computer interfaces are Ethernet or serial data link. Non-volatile memory, such as a solid state disc, is used for operator setpoints or other applications where warm system starts using updated constants is needed.

6.2.2.1.2 Flat Panel Display




The flat panel display is a color TFT display that is readable under high ambient

light conditions. The display has touch screen capability.

6.2.2.2 Flat Panel Display Software Description

The software used for the Flat Panel Display is described in the following sections.

6.2.2.2.1 Operating System

[ ]

6.2.2.2.2 Graphical User Interface

I I Each Common Q system will have specific HMI response time requirements. The acceptance tests for a specific Common Q application will validate the drawing API performance.

6.2.2.2.3 Software Tools

There are two areas of programming for the Flat Panel Display: application programs written in C and displays built using a display builder.

6.2.2.2.3.1 C Application Programming Tools

The [ ] enforces the development of application programs in ANSI C (ANSI X3.159-1989, "American National Standard for Information Systems Programming Language C"). Any text editor can be used for creating and editing the source code. All application programs for the Flat Panel Display shall be written in ANSI C.

6.2.2.2.3.2 Display Building Tools

The [ ] supports the development of HMI displays for the Flat Panel Display. It contains a symbol library and a visual display building tool that allows the creation of graphical displays. The visual display building tool, [ ] for the runtime implementation of the display. [ ]

6.2.2.3 Flat Panel Display System Applications

The Flat Panel Display System will be used for two subsystems for the Common Q Platform:

> The Operator's Module (OM)



> The Maintenance and Test Panel (MTP)

6.2.2.3.1 Operator's Module

The Operator's Module (OM) software shall reside on the Single Board Computer (SBC) of the Flat Panel Display. It will consist of one or more software programs (units) written in ANSI C [ ]. The OM is a control room device that allows operators to monitor the system channel.

6.2.2.3.2 Maintenance and Test Panel (MTP)

The Maintenance and Test Panel (MTP) is also a Flat Panel Display System application. It too shall have software units custom written in ANSI C and units generated by [ ] software. This software will perform maintenance and test functions for the Common Q Platform.

The MTP shall provide the following functions:

> The means for the operator to bypass the channel and initiate diagnostic tests on the system, and display the results

> The means for loading and changing setpoints

> The data link interface (serial or network) to external systems

6.2.2.3.2.1 Manually Initiated Automatic Tests

The MTP provides the means for the operator to bypass a channel and initiate automatic tests (tests controlled by the system). These initiations shall be transmitted to the Interface and Test Processor (ITP - an AC160 processor in the Common Q platform) through the AF 00 network. The ITP shall transmit the results of the test back to the MTP for display. The MTP shall also display any anomalies detected by the ITP from its passive testing (monitoring system operation without injecting test signals).

6.2.2.3.2.2 Loading/Changing Setpoints

The operator can load either a batch set of setpoints or can change an individual setpoint. In either case validation procedures shall be executed that will ensure data integrity. When setpoints are changed, they are transmitted over the AF1 00 network to the AC 160. The AC 160 shall transmit these changes back to the MTP for verification. The MTP software then shall compare the setpoints received from the AC 160 with those stored on the MTP or entered by the operator. Any deviations shall be displayed and alarmed on the MTP. The operator can then reload the setpoints if there are any discrepancies.




6.2.2.3.2.3 Data Link Interface To External Systems

There shall be a software program that transmits predefined data packets over a data link to an external system. The AC160 processors shall transmit data over the AF1 00 network at predefined intervals to the MTP. The data link interface program in the MTP shall read this data off the AF1 00 network, format a data link packet, and transmit it to the external system.

6.2.3 Power Supply

The power supply is based on a 19" rack assembly with plug modules. Various modules are available to accommodate the different output voltages anticipated. The modules will be similar in design to and based on prior power supply components and design.

The power supply will be designed for use by the processor, loop transmitters, digital logic, relays, and reed switch position transmitter circuits. Separate power supply modules may be used for these different functions.

Redundancy will be available using diode auctioneering which provides bumpless transfer upon module failure. Faults in one half of a redundant supply will not affect the other from operating normally. Redundant modules can be replaced while the power supply remains energized without disturbing the powered system.

The power supply will have overvoltage and overtemperature protection. Undervoltage and overvoltage will be indicated.

The power supply will be configured so that it is not near its maximum loading to extend its life. Supplemental cooling will be provided if needed to also extend the life of components.

Sufficient hold up time (approximately 40 milliseconds) will be provided to allow momentary loss of external power due to bus transfer.

Soft start will be provided so that external sources powered by inverters will not be adversely affected.

The use of PVC will be minimized.

6.2.4 Watchdog Timer Module

An external and independent watchdog timer module is used to monitor the activity of the processing system. The watchdog timer module has a separate timing circuit and detects the lack of activity. Depending on the specific system application, the watchdog timer can be used to annunciate a failure, actuate a channel trip, or set output states to predefined conditions. For example, the watchdog timer may be used to control the power to the relays on the digital




output module. Isolation is provided for those applications where the watchdog

timer is connected to external systems.

6.2.5 Communication Subsystems

There are three types of communications that will be used in the Common Q Platform:

> AF100 network communications for intrachannel communications

> HSL (High Speed Link) serial communications for interchannel communication,

> External communications.

6.2.5.1 Advant Field Bus 100 (AF1 00)

The AF1 00 network is used for intrachannel communications. Advant Fieldbus 100 is a high performance fieldbus, which is used for communication between Advant Controllers and the Flat Panel Display System. The AC 160 controllers and the Flat Panel Display System can be connected as nodes on the AF1 00 network.

The Advant Fieldbus 100 supports two different kinds of communication: process data and message transfer. Process data is dynamic data used to monitor and control a process, while message transfer is used for parameters, program loading and for diagnostic purposes.

For a description of the deterministic characteristics of the AF1 00 communications refer to Section 6.3.1.4.

6.2.5.2 High Speed Link (HSL)

Data communications between PM645C processor modules from one Common Q redundant channel to another is referred to as planned data exchange. Several PM645C processor modules can communicate with one another via its high speed serial links (HSL). Within the PM645C processor module construction are two printed circuit boards:

1. the processor module itself which contains the flashed base software, and

2. a communication module that performs the HSL communications between PM645C processor modules.

Each PM645C processor module has two high speed serial links (HSL). Each HSL consists of two half duplex serial communication lines. Therefore the PM645C processor module uses four HSL channels: two transmit and two




receive channels. The transmit data is the same on both links because it is sent out in parallel.

For a more detailed discussion of the HSL operation, refer to the Section 6.3.1.3, High Speed Link Communications.

6.2.5.3 External Communications

External communications are communications between the Common Q platform and external computer systems. The Flat Panel Display system is the interface component between the Common Q Platform and these external systems. The interface to external systems can be either serial or Ethernet.

The purpose of external communications is to send calculated data from the Common Q system to the external system. Because of the hardware separation between the two communication paths in the Flat Panel Display System (i.e., separate Ethernet/serial interface card and AF100 interface card) and software separation (i.e., separate buffers for each interface), the propagation of fatal errors to the safety algorithms in the AC160 due to communication faults from non-safety systems interacting with the Common Q system are avoided. The Flat Panel Display System meets the requirements of IEEE 7-4.3.2 Annex G for communication independence.

6.3 Deterministic Performance

This section describes how the Common Q Platform is designed to guarantee deterministic performance. The AC160 subsystem design requires deterministic operation for the following reasons:

> It will execute Class 1 E protection or monitoring algorithms.

> It will interface to the PPS/RPS or Reactor Trip System and to the annunciator System.

Refer to Section 6.4.1.1 for a description of verification checks performed on the downloaded software.

Because the Flat Panel Display System is used for HMI input and output and is used for transmission of data to non-safety monitoring systems, the design requires less determinism in its operation, but the design must ensure that errors or failures in its hardware and software components are isolated from the AC 160-based subsystems.

The following subsections describe how these goals are achieved in the design of these two building blocks.




Topical Report

6.3.1 AC160 Deterministic Performance

6.3.1.1 AC160 Application Program Execution Period

1 ]

6.3.1.2 Access to the AC160 Backplane

[ ]

6.3.1.3 High Speed Link Communications

[ ]

6.3.1.4 AF100 Communications

[ ]

6.3.1.4.1 Process Data Transfer

6.3.1.4.2 Message Transfer

[ ]

6.3.1.4.3 Bus Master

1 ]

6.3.2 Flat Panel Display System

The Flat Panel Display System interfaces to the protection algorithms executing in the ACI60 subsystem portions of Common Q by way of the AF 00 network, and it interfaces to non-safety systems by an optically isolated datalink. The Flat Panel Display System must ensure the integrity of its interface to the safetycritical side and ensure that its interface to non-safety systems and its own operation does not adversely effect the operation of the safety-critical side. The Flat Panel Display System meets the requirements of IEEE 7-4.3.2 Annex G for communication independence.

6.3.2.1 Datalink To External Systems

The datalink connecting the Flat Panel Display System to external systems can be either a serial or Ethernet datalink. In the case of a serial link, the communication shall be unidirectional broadcast.

The Ethernet datalink may use an interactive protocol like TCP/IP where, on the physical layer, acknowledgments from the non-safety system occur. Having this



interaction with a non-safety system occur at the Flat Panel Display System isolates the protection algorithms running in the AC160 nodes from faults associated with the communication.

There are two communication interfaces in the Flat Panel Display System which are isolated from each other (i.e., two separate interface cards). Should a failure in communications to a non-safety system occur causing the Flat Panel Display System to halt, the safety-critical applications in the AC160 controllers can continue to operate unimpeded. It is possible that the Flat Panel Display System has control of the AF 00 bus master at the time it ceases to operate. As discussed in previous sections, the bus master will be assumed by another node if it fails, so the AF1 00 network can continue to operate without the Flat Panel Display in operation.




6.4 System Diagnostics

6.4.1 AC160 Diagnostics

6.4.1.1 Processor

One component of the AC 160 base software is the internal diagnostics that are executed continuously during controller operation. Diagnostic functions monitor system operation and report any faults detected. The monitoring functions include an internal watchdog, bus supervision and memory checking. The internal diagnostics check for process, system and device errors. Each type of error is combined into a single bit in a status word. This status word is read by both the system diagnostic routines and the AC 160 database element when referenced within an application program.

During system start-up, the hardware of the PM645C processor module is tested. The following tests are performed:

1 ]

6.4.1.2 I/O

Diagnostics of I/O and communication modules are executed by interrogating all modules for errors. The S600 modules have self-contained diagnostics the results of which are reported to the PM645C base software diagnostics routine via a device status word. Refer to Reference 3.19 for a description of the I/O module diagnostics.

6.4.1.3 High Speed Link

High Speed Link (HSL) diagnostics are executed to detect physical layer failures and failures of the communication link to another PM645C processor module. The physical layer of the HDLC protocol is secured through a cyclic redundancy check (CRC). If three (3) bad CRCs occur consecutively, the HSL will be marked failed. A keep-alive signal is transmitted over the HSL every 25 milliseconds if an application program has requested no transmission. When a PM645C processor module has not received data for 150 milliseconds, the HSL is considered failed. All detected errors are reported to the application program.

6.4.1.4 AF100

The AF1 00 uses bus mastership to continuously monitor the status of the nodes on the bus. For a description of the operation of the bus master, refer to Section 6.3.1.4.3.

The AF1 00 communication interface, C1630/1, monitors the validity of the data sets it is suppose to receive. If no data has been received for four cycles for the



data set (i.e., 4 X CYCLETIM designation for the data set) or when the communication interface has failed, the database element for the data set will be flagged as failed. The control module programming will constantly monitor the database element flag and perform the appropriate error processing.

6.4.1.4.1 Redundant AF1 00 Interface (C1630/1)

The AC160 redundant C163011 configuration provides on-line surveillance of these cards to ensure that they are in operational condition in case a failover is required. A switchover is cyclically forced once per hour through the system software of the controller. The forced switchover does not impact the deterministic operation of the Data Service Protocol (DSP). The switchover command is ignored when the primary C1630/1 is in one of the following states:

"• Is Bus Master

"• Is in the process of Bus Configuration Management on the AF 100 Bus (transferring/receiving bus configuration data to another node)

"* Is in the middle of a Service Data Transfer (Non deterministic Message Transfer)

It may take several seconds for the switchover to actually occur. The several seconds of delay is preparation time for the switchover. The procedure for the switch over is as follows:

" One processor is designated as service data master (which maintains information about which C1630/1 is presently the primary). This processor queries the backup C1630/1 for readiness and then requests the primary C1630/1 to perform a switchover.

" When the primary C1630/1 is ready it enters the backup state.

" Once the service data master detects the primary has switched to backup, it immediately instructs the other C1630/1 to enter the primary state.

The delay between disabling the primary and enabling the backup C1630/1's cyclic transmission is approximately three milliseconds. This will cause some DSPs (deterministic data packets) to lose one cycle's worth of data. This will not cause an error because a time out error does not occur until four consecutive cycles have been lost. The consequence of this hourly switch over is that AF1 00 nodes may receive one cycle old values for some DSPs. The DSP cycle times will be configured such that the loss of one cycle will not impact the applications using the data.

Upon detection of any error that would jeopardize the operation of the AC160 controller, the primary C1630/1 enters the passive state. [ ], and the processor modules will thus become aware of the situation. Using an engineering



workstation to interrogate the error buffer, the diagnostics information can be obtained to find the cause of the problem.

In case of a forced switchover due to a C1630/1 failure, any ongoing service data (non-deterministic Message Transfer) communication will be aborted and restarted with the new primary C1630/1. If restarting from scratch is not possible, the communication with the originator of the service data message will be aborted, and the originator can then retry the transfer.

6.4.2 Flat Panel Display Diagnostics

Each application program interface (API) call [ ] provides a status. The application program will have an error handler to appropriately dispatch the error when it occurs. The Appendices will address the disposition of errors.

6.4.3 Automatic Testing

[ ]

6.4.4 Application Watchdog

The design of the Common Q platform includes a software watchdog in each application program and external hardware watchdogs to override the activation outputs of the safety system should the processor halt. Each program will update a counter or toggle a binary each execution cycle. A hardware device (e.g., Watchdog Module) will monitor the binary toggle. The counter will be monitored by another application on another processor. When the monitoring application detects the counter not changing for a predefined period of time, it will assume the application has halted and will take appropriate error handling action. The Appendices will address the disposition of errors.

For the operator or technician, a blinking heartbeat symbol on the Flat Panel Display shall provide indication that the display system is in operation.




ABB Combustion Enaineering Nuclear Power

6.5 System Interfaces

The following example (see Figure 6.5-1) is used to illustrate the use of Common Q building blocks to design a system. The example chosen is a possible implementation of the Core Protection Calculator System (refer to the CPCS Appendix for the official CPCS Common Q configuration).

Overview

The Core Protection Calculator System (CPCS) is composed of four channels. Each CPCS channel contains a processor to read field inputs, share CEA position signals (RSPTs), perform DNBR and LPD calculations, and provide a trip output (digital output) for 2/4 logic in the RPS. For each channel, there is a CPCS Operator's Module in the control room and a local display for maintenance and test.

CPC Processor

1 ]

7. Software Quality

Computer software is essential to the design and operation of a Common Q System. [

7.1 Software Quality Assurance

1 I

7.2 Software Configuration Management

[ ]

7.2.2 Previously Developed Software

[ I

7.3 Software Verification and Validation

1 I

7.4 Operation and Maintenance

[ I

cENPD-396 Page 63 of 71Page 63 of 71CENPD-396


8. Equipment Qualification

The qualification program plan for the Common Q Platform equipment will be implemented using a combination of type-test and/or analyses. Where type testing is the qualification method, it will be performed on non-deliverable equipment. The planned Common Q Platform overall qualification phases are depicted in Figure 8-1. The Common Q Platform equipment qualification program shall subject the equipment to Component Cycling, EMI/RFI testing, environmental testing, and seismic testing.

FIGURE 8-1 PLANNED COMMON Q QUALIFICATION PHASES

A qualification plan will be issued defining the details associated with each phase of the qualification test. Figure 8-2 shows an overview of a typical qualification test timeline for the Common Q equipment.

8.1 Component Cycling and Burn-in

Electromechanical aging (component cycling) could be a factor for some of the equipment and the appropriate test specimens will be aged for a minimum of 3000 cycles, simulating an end of life condition. The component cycling test will be the first qualification test performed.

An electrical burn-in test will be conducted on the equipment prior to testing to alleviate any infant mortality that may exist. The details of this burn in test will be defined in the qualification test plan.

8.2 Environmental Testing

The Common Q Platform equipment is Class 1 E and will be qualified to the applicable requirements of IEEE Std 323-1983, as augmented by RG 1.89 and CENPD-255-A, Reference 3.6. Since this equipment is located in mild environments (main control room and/or auxiliary electrical equipment rooms), the method of qualification will be by test and analysis.

The Common Q Platform equipment will be subjected to a temperature/humidity test to demonstrate its environmental qualification. The ambient outside cabinet environmental parameters are defined in Table 8.2-1. This table depicts the expected normal and abnormal environment where the cabinet containing the Common Q equipment is located.



The environmental design parameters for the Common Q Platform equipment mounted inside the cabinet is shown in Table 8.2-2. These requirements are derived from Table 8.2-1 assuming a maximum temperature rise of 18°F inside the cabinet.

The Common Q test fixture will be subjected to qualification testing to meet the environmental design requirements in Table 8.2-2. IEEE-323, for determining the qualification test profile, requires certain margins be applied to the environmental parameters to account for reasonable uncertainties in demonstrating satisfactory performance and normal variations in commercial production to assure the equipment can perform under the most adverse conditions specified. The environmental test program to achieve this goal will subject the test specimen to the expected ranges of temperature and humidity plus, margins to meet the intent of IEEE-323. The specimen will be held at each temperature (800F, 137°F, & 400F) for a minimum of eight hours. The environmental test profile is shown in Figure 8-3. Figure 8.2-3 shows the environmental test profile to which the Common Q equipment will be tested in order to insure operation at the environmental conditions defined in Table 8.2-2.

An analysis shall be performed for each application to insure that the design basis temperature (test temperature minus the IEEE-323 margin requirement) of the Common Q equipment is not exceeded when installed in the cabinet. The analysis will demonstrate, using extrapolated test data, that individual component and equipment temperature specifications are not exceeded within the cabinet/enclosure when the cabinet is exposed to the environmental conditions as specified in Table 8.2-1.

EMI testing will be successfully completed before the environmental tests are performed.




Table 8.2-1 Cabinet Environmental Design Requirements

] Notes:

(1) At or above 800F, the moisture content is that which produces 90% RH at 80OF (dewpoint of 770F).

(2) Outside normal range

Table 8.2-2 Common Q Equipment Environmental Design Requirements

[ ] Notes:

(1) At or above 800F, the moisture content is that which produces 90% RH at 800F (dewpoint of 770F).

(2) Outside normal range

[ 8 Figure 8-3 Environmental Test Profile




8.3 Seismic Testing

0 [ ] 8.4 Electromagnetic Interference (EMI) Testing

The Common Q equipment will be qualified in accordance with MIL Std 461 D, MIL Std 462D, and as augmented by EPRI TR-1 02323. Susceptibility and emissions testing of the equipment will be performed for both conducted and radiated signals. The tests will be performed on each system in various modes of operation such that successful completion of the test demonstrates that the safety system function has not been compromised and the equipment performs within its design specifications.

The basis for selecting the specific tests, test methods, test levels and susceptibility criterion will be based on the EPRI TR-1 02323 guidelines.

If the tests show that susceptibilities exist in the range of interest, then the following assessments shall be performed:

1) Further evaluations of test data and analyses shall be performed which determine that the susceptibilities pose no hazard to the safe operation of the equipment.

2) A site survey shall be required to verify the actual environment at the equipment location does not exceed the susceptibility level.

EMI testing will be successfully completed before environmental and seismic qualification testing is performed.

CENPD-396 Page 67 of 71CENPD-396 Page 67 of 71


Topical Report

9. Equipment Reliability 1 ]

9.2 Mean Time Between Failures (MTBF) Analysis

I ]

9.3 Operating History

[ ]

[ ]

10. Defense-In-Depth And Diversity

The Common Q building blocks form a basis that can be used in the design of safety systems. The defense-in-depth strategy will be described in detail in the appendices.





11. Commercial Grade Dedication Program

11.1 Scope

I I




Common Qualified Plafform Topical Report

12. Conclusions

I I



ABB Combustion EnaineerinQ Nuclear Power


APPENDICES

Appendices for the following systems will be added to this topical at a later date.

1. Post Accident Monitoring System (PAMS)

2. Core Protection Calculator (CPC) System

3. Plant Protection System (PPS)

4. Engineered Safety Features Actuation System (ESFAS)


"'%PIP

ABB Combustion Engineering Nuclear Power Combustion Engineering, Inc. 2000 Day Hill Road Post Office Box 500 Windsor, CT 06095-0500 Telephone: (860) 285-9678 Fax: (860) 285-4117


Common Qualified Platform Post Accident Monitoring Systems

4li I',



CENPD-396 Appendix I April 1999

CENPD-396 Appendix I Page I of 21

LEGAL NOTICE

This notice was prepared as an account of work sponsored by Combustion Engineering. Inc. Neither Combustion Engineering nor any person acting on its behalf:

a. Makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy. completeness. or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or

b. Assumes any liabilities with respect to the use of, or for damages resulting from the use of. any information, apparatus, method or process disclosed in this report.



Table of Contents

Section Title Cover Table of Contents

Page 1 2

A1.0 Purpose and Scope ............................................................ 4 Al.1 PAMS Functional Requirements ......................................... 4

AI. 1.1 PAMS Overview ................................................................. 4 Al 1. 1.1 PAMS Maintenance and Test Panel Functions .................... 8 Al1. 1.2 PAMS Inputs ........................................................................ 8 A1.1.1.3 PAMS Outputs .................................................................... 8 A1.1.1.4 PAMS Bypasses ................................................................. 9 A1.1.1.5 PAMS Failure Modes .......................................................... 9 A1.1.1.6 PAMS Human Machine Interface ......................................... 9 Al1. 1.7 PAMS Functional Diversity .................................................. 9

Al.1.2 PAMS Functional Requirements Detail ............................... 9 A1.1.2.1 PAMS Design Bases ........................................................... 10

AI.1.2.1.1 PAMS Design Basis Events ............................................... 11 A1.1.2.1.2 PAMS Timing .................................................................... 11

Al.1.2.2 PAMS System Requirements ............................................ 11 A1.1.2.2.1 PAMS Overall System Design Requirements .................... 11 Al.1.2.2.1.1 Single Failure Requirement ......................................... 11 Al.1.2.2.1.2 Separation Requirements ............................................ 11 Al.1.2.2.1.3 Power Source Requirement .......................................... 11 Al.1.2.2.1.4 Availability Requirements ............................................. 11 Al.1.2.2.1.5 Quality Assurance ........................................................ 11 Al.1.2.2.1.6 Indication Requirement ................................................ 11 Al.1.2.2.1.7 PAMS Display Location ............................................... 12 Al.1.2.2.1.8 PAMS Isolation ............................................................. 12 Al.1.2.2.1.9 Testing, Calibration and Maintenance Requirements ...... 12 Al.1.2.2.1.10 Environmental and Seismic Qualification ................... 12 AI.1.2.2.1.11 Operability Requirements ......................................... 12 Al .1.2.2.1.12 Alarm and Annunciation Requirements ...................... 12 Al.1.2.2.1.13 Accuracy Requirements ............................................ 12 AI.1.2.2.1.14 Timing Requirement .................................................... 12 Al.1.2.2.1.15 Testing Requirements ................................................ 13 Al.1.2.2.1.16 Codes and Standards ................................................ 13 Al.1.2.2.2 PAMS Inputs ............................................................... 13 Al.1.2.2.3 PAMS Outputs .......................................................... 13 Al.1.2.2.4 PAMS Program Structure ........................................... 13 Al.1.2.2.10.4 PAMS Displays .......................................................... 13 Al. 1.2.3 Operator Interface I Operator's Module ....................... 13 Al.1.2.3.1 Operator's Module Displays ....................................... 14

CENPD-396 Appendix I Page 2 of 21

Common Qualified Platform ABB Combustion Engineering Nuclear Power Post Accident Monitoring Systems

Al.1.2.3.2 Operator Inputs to the Operator's Module ....................... 14 A1.1.2.4 Maintenance and Test Panel Interface ........................... 14 A 1.1.2.4.1 M TP Displays .................................................................. 14 Al.1.2.4.2 Operator / Technician Inputs to the MTP ......................... 14

A1.2 System Description .......................................................... 14 A 1.2.1 O verview ......................................................................... 14

A1.2.1.1 PAMS Processor Overview .............................................. 14 A1.2.1.2 PAMS OM Overview ........................................................ 15 A1.2.1.3 MTP Overview .................................................................. 15 A1.2.1.4 PAMS Watchdog Timer ................................................... 15

A1.2.2 PAMS Design Implementation .......................................... 15 A1.3 Hardware Description ..................................................... 15 A1.7 10 CFR 50.59 Evaluation ................................................. 15

A1.7.1 Safety Evaluation Summary ............................................. 16 A1.7.2 Unreviewed Safety Question Determination .................... 16

A 1.7.2.1 M alfunctions .................................................................... 16 A1.7.2.1.1 Effects on the Probability of Occurrence of Previously

Evaluated Malfunction of Equipment Important to Safety ...... 16 A. 1.7.2.1.2 Effects on the Consequences of a Previously Evaluated

Malfunction of Equipment Important to Safety ................... 16 A. 1.7.2.1.3 Possibility of a Malfunction of a Different Type than

Previously Evaluated ........................................................ 16 A .1.7.2.2 A ccidents ......................................................................... 16

A.1.7.2.2.1 Effect on the Probability of Occurrence of Previously Evaluated Accidents .......................................................... 16

A.1.7.2.2.2 Effects on the Consequences of Previously Evaluated A ccidents .......................................................................... . 16

A1.7.2.2.3 Possibility of an Accident of a Different Type than Previously Evaluated ......................................................................... . . 16

A.1.7.2.3 Impact on the Margin of Safety .......................................... 17 A. 1.7.3 Safety Determination .......................................................... 17

A 1.8 R eferences ......................................................................... 18



ABB Combustion Engineering Nuclear Power Post Accident Monitoring Systems

A1.0 Purpose and Scope

The purpose of this Post Accident Monitoring System (PAMS) appendix is to provide the functional requirements and the conceptual design description of the PAMS.

The scope of the PAMS appendix is to provide the functional requirements and the conceptual design of the system based on Common Q components. The requirements include PAMS functional design, testing, major Man Machine Interface functions, system block diagrams, and the interface with the Plant Monitoring Computer / plant Safety Parameter Display System. The system hardware and software descriptions, the complete system interface requirements and the failure modes and effects analysis are also included.

Each PAMS system is comprised of two redundant and isolated channels. Instruments needed to produce the signals used by the PAMS are not included in the PAMS requirements.

The PAMS includes one or more of the following subsystems: "* Inadequate Core Cooling Monitoring System (ICCMS) /

Subcooled Margin Monitor (SMM) / Core Exit Thermocouple Monitoring System (CETMS)

"* Heated Junction Thermocouple (HJTC) System / Reactor Vessel Level Monitoring System (RVLMS)

"* Qualified Safety Parameter Display System (QSPDS) / typically includes all of the above

Brackets in this document indicate proprietary information. The bracket denoting the end of a proprietary segment of this report may appear one or more pages following the bracket denoting the start of the proprietary segment. As a result, care should be exercised in determining what information in this report is proprietary.

A1.1 PAMS Functional Requirements

A1.1.1 PAMS Overview

A specific PAMS implementation includes one or more of the following subsystems: * Heated Junction Thermocouple (HJTC) System / Reactor

Vessel Level Monitoring System (RVLMS)




"* Subcooled Margin Monitor (SMM) "* Core Exit Thermocouple Monitoring System (CETMS) "• Inadequate Core Cooling Monitoring System (ICCMS), which

includes an SMM, a CETMS, and an HJTC System (HJTCS) "* Qualified Safety Parameter Display System (QSPDS), which

includes all of the above systems.

The PAMS is a Class 1 E safety related alarm and display system. Each PAMS system consists of two independent channels of equipment (Channels A & B) which acquire and process two channels of inputs. The two channels of equipment are located in one or more cabinets, depending upon the plant. The channels are physically separated and electrically isolated from each other. The details of the PAMS signal transducers are discussed in this appendix only to the extent necessary to understand the use of their outputs, which are used as inputs to the PAMS data acquisition equipment.

Depending upon the implementation, the PAMS system channel inputs may include plant process signals, core exit thermocouples (CETs) and heated junction thermocouples (HJTCs).

Depending upon the implementation, each PAMS system channel may provide HJTCSheater power outputs, and provides analog output values for display on meters / recorders, contact outputs for use by the plant annunciator system, isolated serial data link data for display on an Operator's Module (OM), and isolated serial data link data for use by the Plant Monitoring Computer (PMC) or the primary Safety Parameter Display System (SPDS).

Each channel of the SMM monitors pressurizer pressure, hot and cold leg temperatures to detect and alarm subcooling margin.

Each channel of the CETMS monitors core exit thermocouple temperatures to detect and alarm inadequate core cooling conditions.

Each channel of the HJTCS/ RVLMS monitors 8 heated / unheated thermocouple pairs to provide the reactor vessel collapsed liquid level above the core. When a split HJTC probe is used, a separate level measurement is provided for the Upper Head and for the Plenum.

Each channel of the ICCMS monitors CET temperatures, pressurizer pressure, hot and cold leg temperatures, and 3




unheated thermocouple temperatures in the reactor head, to detect and alarm Inadequate Core Cooling (ICC) conditions. Saturation margins are calculated for the Reactor Coolant System (RCS) hot and cold leg temperatures, the reactor vessel head (using the top 3 unheated thermocouples), and at the core exit.

Each channel of the QSPDS provides the combined functions of the ICCMS (i.e., SMM, CETMS and HJTCS/ RVLMS systems). Additional Regulatory Guide 1.97 safety related parameters are also monitored, alarmed and displayed as a backup to the plant Safety Parameter Display System (SPDS).

The relationship of these individual PAMS systems is shown in the following figure:

I QSPDS

t MCNISRG

1.97

CETM HHJJTCS

Variables

Since the QSPDS functions encompass the ICCMS / SMM / CETMS and the HJTCS/ RVLMS functions, the PAMS functional requirements and descriptions provided herein are based upon those for the generic ABB QSPDS, Reference Al.8.1.

Plant specific PAMS designs can be developed from those defined in this appendix.

The PAMS block diagram is provided in Figure Al.1.1-1. The PAMS design is based on the AC160 system components and the S600 I/0 equipment, collectively referred to as the Common Q building blocks, discussed in the body of this topical report. Each aspect of the block diagram is discussed in the following sections. Section A1.3.1.1 provides a summary of the components and their use, as shown in the Figure.



Post Accident Monitoring Systems

Figure AI.1.1-1 PAMS Block Diagram

[ ]



A1.1.1.1 PAMS Maintenance and Test Panel Functions

Each PAMS channel communicates with a Maintenance and Test Panel (MTP) located in the PAMS channel cabinet. The MTP is comprised of a flat panel display system, as discussed in the body of this topical report. [ I

A1.1.1.2 PAMS Inputs

The generic PAMS inputs include the inputs required to support the Inadequate Core Cooling detection function (i.e., the combined CETMS / HJTCS/ ICCMS / SMM functions) and typical inputs as required to support the backup Safety Parameter Display System (SPDS) function (see discussion below). It is expected that the number and type of specific SPDS inputs may vary from plant to plant.

The PAMS system uses two sets of inputs, one per channel, for all input parameters. A list of input types is provided below. Some spare inputs are also included in the count.

In addition, each PAMS channel monitors its cabinet temperature and actuates a digital output if the temperature is greater than or equal to a predefined setpoint. At least 2 inputs shall be used for monitoring this temperature.

All the digital inputs described below apply only for a PAMS which includes QSPDS functions. Many of the analog inputs described are not needed for the ICC condition monitoring. All the analog inputs shown in Table Al.1.2.3.1-2 are used by the ICC condition monitoring function of PAMS, and are the minimum number of inputs for the for the ICC monitoring function.

The PAMS inputs can be summarized as follows:[ ]

9 The PAMS inputs may be further described as follows:[]

A1.1.1.3 PAMS Outputs

The two PAMS channels process the channel inputs so as to provide ICC condition monitoring, including reactor vessel level monitoring, and provide the following outputs: . contact digital outputs



"* analog outputs "* data link outputs to the MTP and to the PAMS Operators'

Module (OM) "* The MTP, discussed in Section Al.1.1.1, provides a serial data

link interface to the plant Safety Parameter Display System (SPDS).

The OM and the MTP are discussed below, in Section Al.1.1.6, PAMS Human Machine Interface.

A1.1.1.4 PAMS Bypasses

I I

A1.1.1.5 PAMS Failure Modes

The PAMS shall be designed for operation under component failure or loss of electrical power as defined in the Failure Modes and Effects Analysis (FMEA) in Section A1.6.

Since the proposed PAMS channel implementation includes extensive hardware and software diagnostic capability, as well as redundant channel design features, the channel is fault tolerant to a great extent. Fault tolerance is discussed in Section A1.3.

A1.1.1.6 PAMS Human Machine Interface

The PAMS Human Machine Interface (HMI) is provided by the OM and the MTP. Additional PAMS operator interfaces are described in Section Al.1.2.2.7, Program Interfaces. The HMI shall be designed per accepted Human Factors Engineering (HFE) principles. Both the MTP and OM shall include display and diagnostic capabilities unavailable in the present design. HMI provisions are described in sections A1.1.2.3 (OM) and A1.1.2.4 (MTP).

A1.1.1.7 PAMS Functional Diversity

I ]

A1.1.2 PAMS Functional Requirements Detail

CENPD-396 Appendix 1 Page 9 of 21


This document is a generic document describing the functional and design requirements for a PAMS upgrade. The functional requirements defined herein include all the functions presently implemented in ABB's QSPDS.

The PAMS described in this appendix includes the Inadequate Core Cooling (ICC) detection function and the Reactor Vessel Level Monitoring System (RVLMS) function. This section describes how the ICC and RVLMS functions in the PAMS are used to detect ICC conditions along with other instruments.

Additional PAMS input variables are based on the QSPDS design,

which serves as a backup SPDS.

The scope of information in this section includes:

1. The design bases for the PAMS upgrade;

2. A compilation of functional and design requirements and criteria for the PAMS based on the functional design specification, Reference A1.8.1.

3. Documentation of the ABB approach to meeting the design bases of Section Al. 1.2.1 in this document, and in Section 5 of Reference A1.8.1.

4. Specification of the functions, inputs, application software algorithms, and display requirements for the design bases of Section Al.1.2.1.

A description of the PAMS upgrade display design requirements is included in Sections Al.1.2.2.10.4, Al.1.2.3.1, and Al.1.2.4.1.

For a specific plant PAMS upgrade, additional documents are required in conjunction with this document as described in the SPM, Reference A1.8.9.

[ I

A1.1.2.1 PAMS Design Bases

The PAMS design bases are the same as those in Reference A1.8.1 for ABB's QSPDS, and are as follows: 1. [ 1



A1.1.2.1.1

[ ]

A1.1.2.1.2


The PAMS channels shall have a response time consistent with that of the present QSPDS implementation, as defined in Section Al.1.2.2.5, Programming Timing and Input Sample Rates.

A1.1.2.2 PAMS System Requirements

The PAMS system requirements are defined in the following sections.

A1.1.2.2.1 PAMS Overall System Design Requirements

The following subsections define how the overall design requirements for the QSPDS, discussed in Reference A1.8.1, apply to the PAMS.

A1.1.2.2.1.1 Single Failure Requirement

[ I

A1.1.2.2.1.2 Separation Requirements

[ ]

A1.1.2.2.1.3 Power Source Requirement

[ I

A1.1.2.2.1.4 Availability Requirements

[ ]

A1.1.2.2.1.5 Quality Assurance

The quality assurance of the PAMS shall utilize the ABB CE Quality Assurance Procedures Manual as augmented by the Common Q Software Programming Manual, Reference A1.8.9.

A1.1.2.2.1.6 Indication Requirement

CENPD-396 Appendix I

PAMS Design Basis Events

PAMS Timing

Page 11 of 21


A ] A1.1.2.2.1.7 PAMS Display Location


The PAMS display device shall be capable of control panel mounting (surface cutouts), similar to present QSPDS displays.

A1.1.2.2.1.8 PAMS Isolation

I ]

A1.1.2.2.1.9 Testing, Calibration and Maintenance Requirements

[ ]

A1.1.2.2.1.10 Environmental and Seismic Qualification

I I

A1.1.2.2.1.11 Operability Requirements

The PAMS shall be capable of operation during the following plant operating modes:

Power operation Hot standby Hot Shutdown Start-up Cold Shutdown

PAMS operation during normal and abnormal conditions is discussed in Section Al. 1.2.2.1.4.

A1.1.2.2.1.12 Alarm and Annunciation Requirements

[ I

A1.1.2.2.1.13 Accuracy Requirements

I I

Al.1.2.2.1.14 Timing Requirement

I I


O

O

0

0

0

Page 12 of 21


A1.1.2.2.1.15

[ ]

A1.1.2.2.1.16

[ ]

A1.1.2.2.2 PAMS Inputs

I ]

The accuracies for the PAMS inputs are defined in Section Al.1.2.2.6.

I ]

Al.1.2.2.4 PAMS Program Structure

The PAMS software development, testing, verification and validation will be in accordance with the Software Program Manual for Common Q Systems, Reference A1.8.9.

I I

A1.1.2.2.10.4 PAMS Displays

PAMS displays are provided on the OM and the MTP. The OM and MTP are described in Sections Al.1.2.3 and Al.1.2.4, below.

A1.1.2.3 Operator Interface I Operator's Module

I I

The OM shall be capable of being located in the control room. It is comprised of the same flat panel display system hardware as the MTP. The OM shall be mounted to facilitate operator input via its touch screen if possible. If use of the touch screen is not practical, operator entry shall be via a Page Control Module (PCM). Operator entries by either the touch screen or the PCM shall have the same effect.

I I


Testing Requirements


Codes and Standards

Al.1.2.2.3 PAMS Outputs

Page 13 of 21



Additional information on the OM is provided in Section A1.3.2

A1.1.2.3.1 Operator's Module Displays

See Section Al.1.2.4.1 for a discussion of OM indications when the Bypass permissive is actuated and when it is un-actuated.

A1.1.2.3.2 Operator Inputs to the Operator's Module

I I

A1.1.2.4 Maintenance and Test Panel Interface

The MTP shall be located in the PAMS channel cabinet. It is comprised of the same flat panel display hardware as the OM. The MTP shall be mounted in the cabinet so that use of the optional PCM is not required.

[ I

Additional information on the MTP is provided in Section A1.3.3

A1.1.2.4.1 MTP Displays

I I

A1-.1.2.4.2 Operator I Technician Inputs to the MTP

I I

Detailed design requirements for the Bypass and test initiation input displays will be specified during the PAMS design phase.

System Description

Overview

I I

PAMS Processor Overview


A1.2

A1.2.1

A1.2.1.1

Page 14 of 21

Common Qualified Platform Post Accident Monitoring SystemsABB Combustion Engineering Nuclear Power

[ I

A1.2.1.2 PAMS OM Overview

[ I

A1.2.1.3 MTP Overview

[ I

A1.2.1.4 PAMS Watchdog Timer

[ I

A1.2.2

A1.3

A1.7 10 CFR 50.59 Evaluation

This evaluation addresses the generic issues associated with the replacement of the existing Post Accident Monitoring System (PAMS) with a system based upon the Common-Qualified Platform, as delineated in this appendix.

[ I

This evaluation is required because of the replacement of the existing post accident monitoring system with a Common-Qualified Platform-based system. Post Accident Monitoring capability is required by NUREG 0737, is reflected in plant Technical Specifications, and is described in the plant Final Safety Analysis Report (FSAR).


PAMS Design Implementation

0 [ ]

Hardware Description

I I

Page 15 of 21



A1.7.1 Safety Evaluation Summary

[ ]

A1.7.2 Unreviewed Safety Question Determination

A1.7.2.1 Malfunctions

[ ]

A1.7.2.1.1 Effects on the Probability of Occurrence of Previously Evaluated Malfunction of Equipment Important to Safety

[ I

A. 1.7.2.1.2 Effects on the Consequences of a Previously Evaluated Malfunction of Equipment Important to Safety

[ ]

A. 1.7.2.1.3 Possibility of a Malfunction of a Different Type than Previously Evaluated

I I

A.1.7.2.2 Accidents

I I

A. 1.7.2.2.1 Effect on the Probability of Occurrence of Previously Evaluated Accidents

I ]

A.1.7.2.2.2 Effects on the Consequences of Previously Evaluated Accidents

[ ]

A1.7.2.2.3 Possibility of an Accident of a Different Type than Previously Evaluated

I I



A.1.7.2.3 Impact on the Margin of Safety

[ ]

A.1.7.3


Safety Determination

I ]



A1.8 References

The following is a list of references, codes, standards, and guidelines upon which the PAMS design is based. These documents are applied as referred to in this appendix.

ABB Documents

A1.8.1 Functional Design Specification for a Qualified Safety Parameter Display System, NPROD-ICE-3201, Rev. 02,11/30/82.

A1.8.2. Functional Design Description for the Qualified Safety Parameter Display System for San Onofre Nuclear Generating Station Unit 2, 1370-ICE-3218, Rev. 02, 12/14/83.

A1.8.3 Functional Design Specification for the Reactor Vessel Level Monitoring System, NPROD-ICE-3200, Rev. 02.

A1.8.4 Functional Design Description for the Qualified Safety Parameter Display System Displays for San Onofre Nuclear Generating Station Unit 2, 1370-ICE-3220, Rev. 01.

A1.8.5 ACI 10 2.3 System Software Functional Description #BDS 005 438

A1.8.6 Functional Design Description for the Reactor Vessel Level Monitoring System, NPROD-ICE-3200, Rev. 03.

A1.8.7 Class 1 E Qualification, Qualification of Class 1 E Electrical Equipment, CENPD-255A, Revision 3,10/85

A1.8.8 Qualification of C-E Instrumentation Equipment, CENPD-182

A1.8.9 Software Program Manual for Common Q Systems, CE-CES-1 95

P, Revision 0

Codes and Standards

A1.8.10 10 CFR 50 Licensing and Utilization of Production Facilities, Appendix A, General Design Criteria (GDC) 1. GDC 1, Quality Standards and Records 2. GDC 2, Design Bases for Protection Against Natural

Phenomenon 3. GDC 3, Fire Protection 4. GDC 4, Environmental and Missile Design Bases 5. GDC 13, Instrumentation and Control



6. GDC 18, Inspection and Testing of Electric Power Systems 7. GDC 24, Separation of Protection and Control Systems

A1.8.11 10 CFR 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Facilities

A1.8.12 Regulatory Guide 1.75, Physical Independence of Electric Systems, Revision 2, 9/78

A1.8.13 Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants, Revision 1, 6/84

A1.8.14 Regulatory Guide 1.97, Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident, Revision 3, 5/83

A1.8.15 Regulatory Guide 1.100, Seismic Qualification of Electric Equipment for Nuclear Power Plants, Revision 2, 6/88

A1.8.16 Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems, Revision 2, 6/78

A1.8.17 Regulatory Guide 1.152, Criteria for Programmable Digital Computers in Safety Systems of Nuclear Power Plants, Revision 1, 11/96

A1.8.18 Regulatory Guide 1.153, Criteria for Safety Systems, 1996

A1.8.19 Regulatory Guide 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997

A1.8.20 Regulatory Guide 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997

A1.8.21 Regulatory Guide 1.171, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

A1.8.22 Regulatory Guide 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997



A1.8.23 Regulatory Guide 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, 1997

A1.8.24 NUREG-0588, Interim Staff Position on Environmental Qualification of Safety Related Electrical Equipment, Revision 1, 7/81

A1.8.25 NUREG-0696, Guidelines for Emergency Response Facilities,

Revision

A1.8.26 NUREG-0700, Guidelines for Control Room Design Reviews

A1.8.27 NUREG-0737, Clarification of TMI Action Plan Requirements, 1980

A1.8.28 NUREG-0814, Methodology for Evaluation of Emergency Response Facilities

A1.8.29 NUREG-0835, Human Factors Acceptance Criteria for the Safety Parameter Display System

A1.8.30 NUREG/CR-6421, A Proposed Acceptance Process for Commercial Off the Shelf (COTS) Software in Reactor Applications, 1996

A1.8.31 IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations

A1.8.32 IEEE 603-1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations

A1.8.33 IEEE 308-1974, Standard Criteria for Class 1 E Electric Systems for Nuclear Power Generating Stations

A1.8.34 IEEE 323-1983, Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations

A1.8.35 IEEE 338-1987, Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems

A1.8.36 IEEE 344-1987, Recommended Practice for Seismic Qualification of Class 1 E Equipment for Nuclear Power Generating Stations

A1.8.37 IEEE 384-1992, Standard Criteria for Independence of Class 1 E Equipment and Circuits



A1.8.38 IEEE 7-4.3.2-1993, Standard Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations

A1.8.39 ANSI/ANS 4.5-1980, Criteria for Accident Monitoring Functions in Light Water Cooled Reactors

A1.8.40 ANSI/ANS 4.6-Draft, Functional Criteria for On-Line Monitoring Transient Reconstruction in Light Water Reactors

A1.8.41 ANSI/ANS MC96.1-1975, Temperature Measurement Thermocouples

A1.8.42 ASME Steam Tables, Thermodynamic and Transport Properties of Steam, Sixth Edition

A1.8.43 ISA-$67-04, Setpoints for Nuclear Safety Related Instrumentation Used in Nuclear Power Plants, 1994

A1.8.44 ANSI C37.90.1, Standard Surge Withstand Capability (SWC) Tests for Protective Relays and Relay Systems, 1989

A1.8.45 EPRI NP-5652, Guideline for Utilization of Commercial Grade Items in Nuclear Safety Related Applications

A1.8.46 EPRI Topical Report TR- 02323, Guidelines for Electromagnetic Interference Testing in Power Plants, 1997

A1.8.47 EPRI Topical Report TR- 06439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, 1996

A1.8.48 MIL-STD-461 D, Military Standard Electromagnetic Interference Characteristics Requirements for Equipment, 1993

A1.8.49 MIL-STD-462D, Military Standard Electromagnetic Interference Characteristics, Measurement of, 1993

A1.8.50 EPRI TR- 07330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety Related Applications in Nuclear Power Plants


AL It 1D


kBB Combustion Engineering Nuclear PowerCommon Qualified Platform

Core Protection Calculator System

A I It


Common Qualified Platform Core Protection Calculator System

CENPD-396

Appendix 2

May 1999

ENPID 396 Appendix 2 Page 1 of 27

LEGAL NOTICE

This notice was prepared as an account of work sponsored by Combustion Engineering, Inc. Neither Combustion Engineenng nor any person acting on its behalf:

a. Makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness. or usefulness of the information contained in this report, or that the use of any information, apparatus. method, or process disclosed in this report may not infringe privately owned rights; or

b. Assumes any liabilities with respect to the use of. or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

Common Qualified Platform ABB Combustion Engineering Nuclear Power Core Protection Calculator System

TABLE OF CONTENTS

TABLE O F CONTENTS .............................................................................................. 2

LIST OF FIGURES .................................................................................................... 4

LIST OF TABLES ................................................................................................... 4

A2.1 FUNCTIONAL REQUIREMENTS ................................................................... 5

A2.1.1O verview : .................................................................................................... 5 A2.1.1.1 Operator's Module Functions ............................................................. 6 A2.1.1.2 Maintenance and Test Panel (MTP) Functions: ................................. 6 A2.1.1.3 CEA Position Display Functions: ...................................................... 6 A2.1.1.4 CPC/CEAC Channel Inputs: ............................................................. 7 A2.1.1.5 CPC/CEAC Channel Outputs: ........................................................... 7 A2.1.1.6 DNBRPLPD Trip Channel Bypassing during Periodic Testing: ........... 8 A2.1.1.7 Operating Bypasses: ......................................................................... 8 A2.1.1.8 Failure Modes: .................................................................................. 9 A2.1.1.9 Human M achine Interface: .................................................................. 9 A2. 1.1.10 Functional Diversity: ........................................................................... 9

A2.1.2 CPC Functional Requirem ents Detail: ...................................................... 9 A2.1.2.1 CPC Design Basis: ........................................................................... 9 A2.1.2.2 System Requirements: ....................................................................... 10

A2.1.2.2.1 Inputs: ....................................................................................... 10 A2.1.2.2.2 Outputs: ..................................................................................... 11 A2.1.2.2.3 Program Structure: ..................................................................... 12 A2.1.2.2.4 Program Timing and Input Sample Rates: ................................. 13 A2.1.2.2.5 Operator Interface: .................................................................... 14 A2.1.2.2.6 Operator Input: ............................................................................ 15 A2.1.2.2.7 Initialization: .............................................................................. 15 A2.1.2.2.8 Interlocks and Permissives: ....................................................... 15 A2.1.2.2.9 Algorithm Implementation: ........................................................ 16

A2.1.3 CEAC Functional Requirem ents Detail: .................................................. 17 A2.1.3.1 CEAC Design Basis .................................................................... 17 A2.1.3.2 Functional Design and Computer Design Requirements ............ 17

A2.1.3.2.1 Inputs: ....................................................................................... 17 A2.1.3.2.2 Outputs: ..................................................................................... 17 A2.1.3.2.3 Program Structure: .................................................................... 18

CENPD 396 Appendix 2 Page 2 of 27


A2.1.3.2.4 A2.1.3.2.5 A2.1.3.2.6 A2.1.3.2.7 A2.1 .3.2.8 A2.1.3.2.9

A2.1.3.3 A2.1.3.3.1 A2.1.3.3.2 A2.1.3.3.3 A2.1.3.3.4

A2.1.3.4 A2.1.3.5 A2.1.3.6


Program Tim ing and Input Sample Rates: ................................. 18 Program Interfaces ..................................................................... 18 CEAC Failure Flags: ................................................................. 18 Case 2 Deviation Flag: .............................................................. 19 Reactor Power Cutback Flag: .................................................... 19 Scaling Flag: .............................................................................. 19 Operator Interface: ...................................................................... 19 CEAC Failed Sensor Stack ......................................................... 20 CEAC Channel Trip Snapshot .................................................. 20 CEAC Fail .................................................................................. 20 Operator Input: .......................................................................... 20 Initialization: .............................................................................. 21

Testing Requirements: ............................................................... 21 Algorithm Description: ............................................................... 21

A2.2 SYSTEM DESCRIPTION .............................................................................. 22

A2.2.1 Overview ..................................................................................................... 22 A2.2. 1.1 CPC/CEAC Processor Assembly Overview: ................................ 22

A2.2.2CPC Design Implementation: .................................................................... 24

A2.7 References .................................................................................................... 25

A2.8 PROPOSED TECHNICAL SPECIFICATION CHANGES .............................. 27

A2.8 PROPOSED TECHNICAL SPECIFICATION CHANGES ......................... 125



No.

A2.1-1

A2.3.1-1

A2.4.2-1

No.


LIST OF FIGURES

Title Page

CPC Block Diagram ............................................................ 40

Front View Of PM645C Processor Module ................................ 61

AC160 Software Configuration Block Diagram ........................... 82

LIST OF TABLES

Title

A2.1.2-1

A2.1.2-2

A2.1.2-3

A2.1.3-1

A2.6-1

A2.8-1

Paae

CPC PROCESS INPUT SIGNALS ..........................................

CPC O UTPUT SIGNALS .....................................................

PROGRAM EXECUTION AND INPUT SAMPLING RATES .........

CEAC OUTPUT SIGNALS ....................................................

CPC FAILURE MODES AND EFFECTS ANALYSIS ..................

PROPOSED LCO 3.3.1 INSERT A ........................................

19

21

26

31

91

125



A2.0 DIGITAL CORE PROTECTION CALCULATOR SYSTEM (CPCs)

The purpose of this Core Protection Calculator System (CPCS) appendix is to provide the functional requirements and conceptual design of the CPCS.

The scope of this CPCS appendix is to provide the functional requirements and conceptual design of the system based upon common-Q components. These requirements include CPC functional design, testing, major Man Machine Interface functions, system block diagrams, and the interface with the analog Plant Protection System (PPS) or Digital Plant Protection System (DPPS). Since the implementation of the CPCS is functionally identical in both the PPS and DPPS case, the abbreviation "PPS" shall be used throughout this appendix. Any differences in the CPC implementation necessitated by the substitution of a DPPS for a PPS will be addressed in the Integrated Solutions Appendix.

Brackets in this document indicate proprietary information. The bracket denoting the end of a proprietary segment of this report may appear one or more pages following the bracket denoting the start of the proprietary segment. As a result, care should be exercised in determining what information in this report is proprietary.

A2.1 FUNCTIONAL REQUIREMENTS

A2.1.1 Overview:

The CPCS shall generate trip and pretrip signals on Low Departure from Nucleate Boiling Ratio (Low DNBR) and High Local Power Density (High LPD), as well as CEA Withdrawal Prohibit (CWP) signals to the PPS, in the form of binary (contact) inputs. The PPS shall use these and other inputs to automatically actuate a Reactor Trip (RT) whenever the monitored processes violate predefined limits in at least two of the four redundant PPS channels.

The CPC system consists of four channels of equipment (Channels A, B, C, & D). The four channels of equipment are located inside the Auxiliary Protective Cabinet (APC), where the channels are physically separated and isolated from each other. The CPCS contains four CPC/Control Element Assembly Calculator (CEAC) systems, one per channel. Each CPC channel provides contact outputs to its respective PPS channel.

Each CPC/CEAC channel shall communicate with a CPC Operator's Module mounted in the Control Room. Each of the four Operator's Modules is fiber optically isolated from its associated CPC channel. The Operator's Module shall be used for CPC/CEAC channel monitoring, to provide the capability to manually



alter addressable constants, to initiate channel operating bypass at low power levels, and to initiate periodic surveillance testing.

The CPC/CEAC system shall include manually initiated automatic test capability for determining system operability. It shall also perform automatic hardware diagnostic testing. It shall be possible to initiate surveillance testing from the Operator's Module, or from a locally mounted maintenance and test panel (MTP). Except as noted below, the functions of the CPC/CEAC are identical to those in the present design.

A2.1.1.1 Operator's Module Functions Each CPC channel shall have an Operator's Module (OM) mounted in the main control room. The Operator's Module shall be the primary means by which the operator communicates with the CPC and associated CEACs during normal operation. The OM shall have enhanced display capability as compared to the present OM implementation.

The Operator's Module shall have a flat panel display from which the following can be performed: [ I.

A2.1.1.2 Maintenance and Test Panel (MTP) Functions: A locally mounted MTP in each CPC channel shall interface with its associated CPC/CEAC. [ I

A2.1.1.3 CEA Position Display Functions: A single non-Class 1 E CEA Position Display (CEAPD) shall be mounted on the main control board. The CEAPD shall provide CEA position-related information on a large screen display, and shall be connected to the CPC/CEAC system MTPs in all four channels by fiber-optically isolated ethernet connections. The display shall also provide alarm on CEA Deviations, CEA Sensor failure, and data-link failure. Several display formats will be available. Operator display format and CPC/CEAC channel input selection shall be via an Operator's keypad located on the main control board.

The proposed CEAPD provides enhanced CEA position monitoring as compared to the present CEAC CEA position display on the Main Control Board. [ I.



A2.1.1.4 CPClCEAC Channel Inputs:

The CPC/CEAC system uses four redundant sets of inputs, one set per channel, for all input parameters except CEA position. CEA position is provided by two Reed Switch Position Transmitter (RSPT) inputs on each CEA. [ ].

A2.1.1.5 CPClCEAC Channel Outputs:

The CPC channels process the channel inputs so as to provide DNBR and Local Power Density protection, and generate appropriate trip and pretrip binary (contact) output signals to their associated PPS channels.

The CPCS provides the following contact outputs to the PPS:

"* Low DNBR-Trip

"* High Local Power Density Trip

"* Low DNBR Pretrip

"* High Local Power Density Pretrip

"* CEA Withdrawal Prohibit (CWP)

The PPS will process the CPC-generated inputs so as to produce a reactor trip on Low DNBR or High Local Power Density if at least two CPC channels indicate a trip condition in the same parameter. [ ]. The Low DNBR and High LPD pretrip signals are processed in the PPS for indication and annunciation purposes. The CWP input is processed in the PPS so as to produce a CEA Withdrawal Prohibit to the Control Element Drive Mechanism Control System (CEDMCS) if any two or more of the four CPCs indicate a CWP condition. [ ].

Each CPC channel also provides several output contacts, via interposing relays, for annunciator use, as defined in Section A2.1.2.2.2.

Each CPC channel provides the following analog outputs for use in indicators and

recorders on the control board:

"* DNBR Margin (difference between DNBR and trip setpoint)

"* kW/ft Margin (difference between LPD and trip setpoint)

"* Calibrated Ex-core Power (adjusted for CEA shadowing and cold leg temperature shadowing)



* RCS Flow (used during startup testing, but no dedicated indicator on MCB)

The above listed CPC trip, pretrip, and CWP outputs to the PPS and analog outputs to the main control board are functionally identical to the outputs provided by the CPC in the present design.

A2.1.1.6 DNBR/LPD Trip Channel Bypassing during Periodic Testing:

Placing a CPC/CEAC channel in a periodic test mode shall only be possible if both the Low DNBR and High LPD trips are trip channel bypassed in the associated PPS channel. Trip channel bypassing these parameters within the PPS channel effectively bypasses the Low DNBR and High LPD trip contacts in that PPS channel, changing the RPS logic to a two out of three from the normal two out of four for these trip functions. [ ].

The trip channel bypasses of the Low DNBR and High LPD trips shall be manually inserted in each channel from the PPS Bistable Control Panel, which shall communicate trip channel bypass status to the associated channel CPC MTP to enable CPC/CEAC testing. The trip channel bypasses shall allow for channel maintenance and surveillance testing at power per the requirements of IEEE Std. 338 and IEEE Std. 603, as augmented by USNRC Reg. Guide 1.22.

The interlock requiring trip channel bypassing of the DNBR-Low and LPD-High trips prior to initiation of CPC testing is functionally identical to the present design.

[ I

A2.1.1.7 Operating Bypasses:

The operating bypass of the CPC channel shall be manually performed from the CPC OM or MTP when the Ex-core safety channel wide range neutron flux monitoring system indicates that power is low enough to warrant bypassing of the DNBR and LPD protection afforded by these trips. As in other operating bypasses performed in the PPS channel, the bypass is automatically removed when reactor power rises above the bypass permissive setpoint. The DNBR-Low and LPD-High pretrip signals shall be affected by the operating bypass in the same manner as the trip signal.

This operating bypass capability is functionally identical to that in the present design. [ ].



A2.1.1.8 Failure Modes: The CPC/CEAC system shall be designed for fail safe operation under component failure or loss of electrical power as defined in the Failure Modes and Effects Analysis (FMEA).

Since the proposed CPC channel implementation includes extensive hardware and software diagnostic capability, as well as redundant channel design features, the channel is fault tolerant to a great extent. Fault tolerance is discussed in Section A2.3.1.2.

A2.1.1.9 Human Machine Interface:

CPC/CEAC Human Machine Interface (HMI) shall be designed per accepted Human Factors Engineering (HFE) principles. Both the CPC and OM shall include display and diagnostic capabilities unavailable in the present design. HMI provisions are described in section A2.4.3.

A2.1.1.10 Functional Diversity:

0 [ ]

A2.1.2 CPC Functional Requirements Detail:

This section compares the functional design of the existing CPC/CEAC system with its proposed Common Q replacement. The proposed CPC/CEAC system shall meet or exceed the functional requirements of the existing system, as defined below.

The system requirements identified herein are defined to assure that the hardware/software configuration is compatible with the reactor protective algorithms. Requirements are specified in the area of input/output, protection program interaction, operator interface, and initialization. These requirements are derived from CPC Functional Design Requirements document, 00000-ICE-3208 Revision 08 (Reference 2.7.1).

A2.1.2.1 CPC Design Basis: The Low DNBR and High Local Power Density trips, (1) assure that the specified acceptable fuel design limits on departure from nucleate boiling and centerline fuel melting are not exceeded during Anticipated Operational Occurrences (AOOs), and (2) assist the Engineered Safety Features Actuation System (ESFAS) in limiting the consequences of certain postulated accidents.



The auxiliary trip feature of the CPCS, which opens the Low DNBR and High LPD trip contacts, will satisfy the following additional design bases:[ ]

The replacement CPC/CEAC channels shall satisfy the above requirements by running safety-related protection algorithms functionally identical to those in the present CPC implementation. In the proposed implementation, a fatal CPC processor fault condition shall de-energize the CPC hardware watchdog timer, opening the Low DNBR and High LPD trip and pretrip outputs, as well as other outputs defined in Section A2.1.2.2.2. Test, maintenance, or initialization, shall force a "CPC Fail" condition, which shall open the Low DNBR and High LPD channel trip contacts.

The proposed CPC implementation has significant fault tolerance. [ ]. These features are defined in the FMEA and described in Appendix section 2.3. Low DNBR and High LPD channel trips will be forced whenever a channel module or component failure is detected which would impact the ability of the channel to perform its safety-related function.

The following list of processor fault conditions is accommodated by the existing CPC implementation. The disposition of each condition in the proposed CPC implementation is addressed below:[ ]. Response of the CPC channel to failure of the CEAC or Communications Processors is addressed in Section A2.3.1.2.1. The CPC processor and CEAC processor are each equipped with separate watchdog timers. The effect of CPC or CEAC watchdog timer timeout on the channel contact outputs is addressed in Section A2.1.2.2.2.

A2.1.2.1.1 CPC Timing: The replacement CPC/CEAC channels shall have a response time consistent with that of the present CPC implementation, as defined in Appendix Section A2.1.2.2.4.

A2.1.2.2 System Requirements: A2.1.2.2.1 Inputs: The following table lists the CPC process input signals for each channel. The accuracy requirements given in the table reflect those in the present CPC implementation, and establish the maximum allowable uncertainty introduced by the conversion of input signals to internal binary format. The accuracy requirements are based upon the total uncertainties attributable to the following:

"* Loading effects "* Reference voltage supply regulation "* Electrical noise "* Linearity "A ND converter power supply sensitivity "* Quantization




Table A2.1.2-1 [ ]

A2.1.2.2.2 Outputs: The output signals for each CPC channel are listed in Table A2. 1.2-2.

The two trip output signals are used in the Plant Protection System for DNBR and LPD reactor trips.

[ ]

All six contact outputs actuate operator alarms. The analog outputs for DNBR Margin, LPD Margin, and neutron flux power are required to drive analog meters that are monitored by the operator in the control room. The analog output for coolant mass flow rate is required for comparison of CPC calculated flow to measured flow during startup testing.




Table A2.1.2-2

CPC OUTPUT SIGNALS

Signal Type Range Low DNBR Trip (Note 1) Contact Output 0, 1 (logical)

Low DNBR Pretrip (Note 1) Contact Output 0, 1 (logical) High LPD Trip (Note 1) Contact Output 0, 1 (logical)

High LPD Pretrip (Note 1) Contact Output 0, 1 (logical) CEA Withdrawal Prohibit (Note 1) Contact Output 0, 1 (logical)

CPC Sensor Failure (Note 1) Contact Output 0, 1 (logical) DNBR Margin Analog 0-10 (unitless) LPD Margin Analog 0-25 (KW/Ft)

Calibrated Neutron Flux Power Analog 0-200 (% of rated power)

Core Coolant Mass Flow Rate Analog 0-2 (fraction of I design flow)

The first five conditions listed above are indicated or annunciated through the PPS interface. The sixth, CPC Sensor Failure, is annunciated from contacts within the CPC channel.

Annunciator Contact Outputs:

Provisions will be made within the CPC Channel to provide the following annunciator contact outputs: [ ]

The CPC Fail annunciation requirement is derived from the existing CPC Functional Requirements. The CEAC Fail, CEAC Sensor Fail, and CEA Deviation output requirements are specified in the CEAC Functional Design Requirements document, 00000-ICE-3234, Revision 06, as identified in Appendix section A2.1.3. The requirement for CEAC Inoperable output is consistent with the present CPC implementation. Annunciation provisions for Operating Bypasses are required to comply with RG 1.47, as specified in the Common Qualified Platform Topical Report Section 4, Codes and Standards. [ ].

A2.1.2.2.3 Program Structure:

The CPC design basis requires that the system calculate conservative, but relatively accurate, values of DNBR and peak linear heat rate. In order to achieve a system time response sufficient to accommodate the limiting design basis events, additional dynamic calculations of DNBR and peak linear heat rate are required. The dynamic calculations must provide conservative estimates of DNBR and peak



linear heat rate based on changes in the process variables between successive detailed calculations of DNBR and peak linear heat rate. The calculations of DNBR and peak linear heat rate must also be separated into different programs. The grouping of the detailed calculations must be such that the execution interval of each program reflects the time interval over which the dynamic adjustments to the parameters, calculated in that program, are valid.

0 The resultant protection software consists of four interdependent programs and one subroutine that is accessible to the first two programs[ ]

The replacement CPCS shall run functionally identical CPC safety-related algorithms to the existing CPCS, so that program structure will remain unaffected. Software changes will be restricted to those required to reflect new hardware platform features, such as diagnostics and error handling, and backplane communications between CPC and CEAC in the proposed system. None of these changes will impact the safety-related aspects of CPC software.

* In the existing CPCS, the TRIPSEQ Subroutine compares the minimum DNBR, quality margin, and peak local power density to their respective pretrip and trip setpoints. Whenever a setpoint is violated, the appropriate contact output is actuated. [ I

In the proposed CPCS, the above functionality will be replicated. [ ]

A2.1.2.2.4 Program Timing and Input Sample Rates: Execution of the four previously described programs is scheduled on a priority

basis. The execution frequency of each protection program is fixed, based upon the required CPC time response. In addition, the more frequently executed programs are assigned a higher priority. The required execution frequencies are specified in Table A2.1.2-3. [ I

Communication among the protection programs must be controlled to assure that the output of a program is based on a consistent set of inputs. Therefore, it is necessary to ensure that the input to a program is not changed until after the execution of the program is complete. The executive will be prohibited from interrupting a protection program while it is reading input from the output of another protection program. In addition, no protection program may be interrupted while it is transferring its output data or while a trip sequence routine is being executed.



Table A2.1.2-3 [ ]

A2.1.2.2.5 Operator Interface: The reactor operator shall be informed of the status of a CPC channel by three mechanisms:

* The system generates alarms to alert the operator to abnormal events

The operator interrogates the system using the OM or MTP to determine the current value of a particular parameter

* The operator reads one of three meters driven by the CPC analog outputs

The proposed CPCS will retain all of the above capabilities, and will display all of the same parameters. [ ]



Some of these features are described below:

CPC Failed Sensor Stack:

The failed sensor stack logs CPC sensors out of range. Presently, up to six sensors are logged. When a sensor changes state the sensor ID is entered at the top of the stack, and all elements in the stack are shifted downwards one position, with the last entry discarded. Sensor out of range high, sensor out of range low, and sensor in range are identified with a +, -, and 0, respectively. For each failure, the time of sensor failure is also logged. In the present display it is necessary to scroll through 18 consecutive point IlDs to obtain the preceding information.

[ I

CPC Channel Tripped Snapshot:

In the present CPC design, when a trip is generated in a CPC channel a snapshot of CPC variables required for display is transmitted to a buffer, and made available using a teletype. An addressable constant is provided to reset (clear) the buffer. The value of the addressable constant is also a flag indicating the status of the buffer. A "1" indicates a full buffer, and a "0" indicates an empty buffer. Resetting the buffer PID from 1 to 0 clears the buffer. The snapshot is for the first trip after the buffer is cleared. An auto-restart shall not clear the buffer.

[ I

A2.1.2.2.6 Operator Input: The operator shall be able to change addressable constants using the OM or the MTP. [ ]. It shall not be possible to modify any value not identified as an addressable constant.

A2.1.2.2.7 Initialization: The CPC must be capable of initializing to steady state operation for any allowable plant operating condition. [ ] Until initialization is complete, all trip outputs must be set in a tripped state.

The proposed CPC design will also meet the above requirements.

A2.1.2.2.8 Interlocks and Permissives: A means shall be provided to permit bypassing of the trip and pretrip contact outputs for a CPC channel when reactor power as indicated by the corresponding PPS flux power signal is less than 10 -4 %. In addition, a means shall be provided to adjust the bypass setpoint up to at least 1 % power. The bypass shall be implemented such that it must be manually implemented at the input/output device for each CPC channel. A means, such as a key switch, must be provided to



prevent initiation of the bypass by unauthorized personnel. The bypass must be automatically removed from each CPC channel when the PPS neutron flux signal indicates that power is above the bypass setpoint.

The proposed CPC design will also meet the above requirement.

A2.1.2.2.9 Algorithm Implementation: The safety-related algorithms in the CPC channel will be functionally identical to those described in Reference 1.

It will be necessary to change some of the implementation details to accommodate the new platform, as described in this Appendix. However, these changes shall not negatively impact the functionality of safety-related CPC or CEAC algorithms.



A2.1.2.2.10 Testing Requirements: The CPC shall be designed to permit periodic testing on demand. During testing, it shall be necessary to trip channel bypass the Low DNBR and High LPD reactor trip to enable operation of test software. Performance of CPC software testing will result in a CPC Fail condition, opening the Low DNBR and High LPD trip contacts.

A2.1.3 CEAC Functional Requirements Detail:

The system requirements identified herein are defined to assure that the hardware/software configuration is compatible with the reactor protective algorithms. Requirements are specified in the area of input/output, protection program interaction, operator interface, and initialization. These requirements are derived from CEAC Functional Design Requirements document, 00000-ICE-3234 Revision 06 (Reference 2.7.3).

[ ]

A2.1.3.1 CEAC Design Basis The function of the CEAC is to scan all CEA positions, and, based upon any single CEA deviation within a CEA subgroup, to calculate the single CEA position-related penalty factors necessary to ensure that the CPCs calculate conservative approximations to the actual core peak LPD and DNBR during single CEA-related anticipated operational occurrences, which require CPC protection. The CEAC must also be capable of detecting a reactor power cutback event.

A2.1.3.2 Functional Design and Computer Design Requirements

A2.1.3.2.1 Inputs: [ I

1. The CEAC shall calculate the magnitude of CEA deviation penalty factors based upon CEA position sensor input data obtained from each RSPT. The components of the Penalty Factors are determined from the following data: [ I

The proposed CEACs shall retain the preceding program structure, and shall implement functionally identical safety-related algorithms.

A2.1.3.2.2 Outputs: The existing output signals for each CEAC are listed in Table A2.1.3-1.



TABLE A2.1.3-1 [ ]

A2.1.3.2.3 Program Structure:

A2.1.3.2.4 Program Timing and Input Sample Rates: [ ] The algorithm required for this purpose is time-oriented, with a calculation scheduling rate and update period that are compatible with overall CEAC/CPC system response requirements. The execution period is the maximum time in seconds from the time CEA RSPT sensors are scanned to the time the CEAC calculated outputs are updated with new information from that input scan and calculation. The calculations shall be scheduled in such a manner that the update requirements are met.

There are two CEAC update periods:[ ]

A2.1.3.2.5 Program Interfaces In the present design, communication between the CEAC output and the CPC must be rapid and simple, since each CEAC provides its output to all four CPC channels via a one-way isolated data link. The output to the CPCs must not change until after the execution of the CEACs has been completed. [ I

The proposed CEAC replacements will have the capability of transmitting the same information to the associated CPC channels. [ ] Thus, the format of the information transfer will change, as described in Section A2.1.3.2.2, though the content, as far as CPC/CEAC functionality is concerned, will remain the same.

A2.1.3.2.6 CEAC Failure Flags:

The CEAC Failure Flag, presently transmitted as part of the 16 bit buffer, is set true whenever either of the following conditions exists:[ ] CEAC processor faults resulting in CEAC failure are the same as those resulting in CPC failure, as described in Section A2.1.2.1.

Sensor validity checks (out of range, rate of change) are performed by the CEAC. If either check is failed the sensor failure flag is set.



A2.1.3.2.7 Case 2 Deviation Flag: The CASE 2 Deviation Flag, presently transmitted as part of the penalty factor

word, is set true whenever either or both of the following conditions exists: [ I

In the proposed CPC/CEAC implementation, the functionality of the Case 2 Deviation Flag will remain the same. [ I

A2.1.3.2.8 Reactor Power Cutback Flag: The Reactor Power Cutback Flag, presently transmitted as part of the penalty factor word, is set true whenever the following conditions exist: [ ]

In the proposed CPC/CEAC implementation, the functionality of the RPC Flag will remain the same. [ ]

A2.1.3.2.9 Scaling Flag: Presently, after the DNBR and LPD penalty factors have been calculated, the penalty factor is compared to set limits, and the scaling flag, part of the penalty factor word, applied.

In the proposed CPC/CEAC implementation, the functionality of DNBR and LPD penalty factor scaling will remain the same. [ ]

A2.1.3.3 Operator Interface: The reactor operator shall be informed of the status of a CEAC channel by three mechanisms:

1. The system generates alarms to alert the operator to CEA sensor failures or excessive CEA deviation.

2. The CEA Position Display (CEAPD) Monitor displays the position of the individual CEAs arranged into subgroups and control groups utilizing a bar graph representation, the floating point values of the two penalty factors, and a flag to indicate the cause of any alarms.

3. The CPC/CEAC OM or MTP can be used to display CEAC inputs, selected intermediate variables, and outputs.

The proposed CEACs will retain all of the above capabilities, and will display all of the same parameters. [ I.

Some of these features are described below:



A2.1.3.3.1 CEAC Failed Sensor Stack The failed sensor stack logs CEAC sensors (RSPTs) out of range. Presently, up to six sensors are logged. When a sensor changes state the sensor ID is entered at the top of the stack, and all elements in the stack are shifted downwards one position, with the last entry discarded. Sensor status (active/inactive) is identified. For each failure, the time of failure is also logged. In the present display it is necessary to scroll through 18 consecutive point IDs to obtain the preceding information.

I ]

A2.1.3.3.2 CEAC Channel Trip Snapshot A snapshot of CEA positions, penalty factors, and time of deviation occurrence is initiated by:

[ I

The input CEA positions and resulting penalty factors are stored in a stack. A time tag is included in the stack. An addressable constant is provided to clear the buffer. The CEAC fail indication shall be saved through auto restarts.

I I

A2.1.3.3.3 CEAC Fail CEAC Fail indication is transmitted to the CPC channel under the following conditions:

[ I

In the proposed CPC/CEAC implementation, the functionality of CEAC Fail indication will remain the same. [ ]

The CEAC Fail condition shall cause CEAC Trouble annunciation.

A2.1.3.3.4 Operator Input: The Operator shall be able to change addressable constants from the Operators Module. Addressable constants can only be changed when a manual interlock is satisfied. It shall not be possible to modify any value not identified as "addressable".



In the proposed CPC/CEAC implementation, the operator shall be able to change addressable constants from the OM or MTP. [ ] As in the present design, it shall not be possible to modify any value not identified as Addressable.

A2.1.3.4 Initialization: The CEACs shall be capable of initializing to steady state operation for any allowable plant operating condition. [ ]. Until initialization of a CEAC is complete, the CEAC failure flag shall be set.

A2.1.3.5 Testing Requirements: The CEAC shall be designed to permit periodic testing of the CEAC penalty factor algorithm on demand. During testing, the CPC shall be informed that the CEAC is in test. CEAC testing in the proposed CEAC implementation shall meet the functional requirements of the existing system.

Proposed testing implementation:

[ I

A2.1.3.6 Algorithm Description: The replacement CEAC safety-related algorithms shall be functionally identical to those in the existing CEAC system. It will be necessary to change some of the implementation details to accommodate the new platform, but the safety-related algorithms and timing requirements will not be altered. [



Figure A2.1-1 CPC Block Diagram ]

A2.2 SYSTEM DESCRIPTION

The CPC/CEAC system is comprised of four redundant channels (A, B, C, and D as depicted on Figure A2.1-1, "CPCS Block Diagram") that perform the necessary calculation, bistable, and maintenance/test functions. The system includes four redundant Operators Modules, one per CPC/CEAC channel, located on the Main Control Room panels. One CPC/CEAC channel is associated with each PPS channel, and provides Low DNBR trip and pretrip, High LPD trip and pretrip, and CWP discrete (contact) outputs to its associated PPS channel. Four redundant channels are provided to satisfy single failure criteria and improve plant availability.

The CPC/CEAC Processors in each channel receive channelized process sensor analog inputs, to perform the detailed DNBR and LPD calculations, and provide the associated bistable trip functions.

A2.2.1 Overview

The CPC System will be installed into the auxiliary protective cabinet (APC), physically separate from the PPS, as in the present CPC/CEAC system.

[ ]

A2.2.1.1 CPC/CEAC Processor Assembly Overview:

The CPC/CEAC processor assembly in each channel consists of two chassis:

1) The controller subrack, that contains the PM645C processors, global memory, communications, and RCP Speed Pulse Count input modules.

2) The I/0 subrack, that contains the I/0 modules.

I ]

As described in the Functional Requirements section of this Appendix, Section A2.1, the channel inputs consist of hot and cold leg temperature, RCS pressure, RCP speed, and CEA position via RSPTs. [ ]



I ]

CPC/CEAC processing of this CEA position input is functionally unchanged from that in the present design. [ ]

Operator's Module Overview:

There are four CPC Operator's Modules, one for each channel, mounted in the main control room. The CPC OM is implemented using a Flat Panel Display System. [ ]

Maintenance and Test Panel Overview:

There is one MTP in each CPC/CEAC channel, implemented using a Flat Panel Display System identical to that of the Operator's Module, used for diagnosing the system, providing electrically isolated communications to external systems, and displaying the same information as the Operator's Module. The MTP is local to the CPC processors and is the primary man-machine interface for routine maintenance and surveillance testing by plant technicians.

I ]

Watchdog Timer:

The CPC and CEAC processor modules each contain an external Watchdog Timer Module (WDT). If the CPC or CEAC processor fails to refresh this module, the module will open its respective trip and annunciation output contacts.

The CPC WDT will cause the CPCS to generate Low DNBR and High Local Power Density channel trips to the PPS. This provides a failsafe condition should the CPCS computer system fail. Internal system diagnostics are contained within the AC160 as well. As described in Appendix section 2.2, the CPC Watchdog Timer module also opens the following contact outputs, placing them in an alarm state:

"* DNBR Pretrip "* LPD Pretrip " CWP "* CPC Trouble "* CPC Sensor Fail

The CEAC WDT will cause the CEAC processor to indicate alarm conditions for both CEAC outputs in that channel. As described in Appendix section A2.1.3.2.2, the CEAC Watchdog Timer module opens the following contact outputs, placing them in an alarm state:



0

S

0


CEAC Trouble CEAC Sensor Fail CEA Deviation

[ ]

A2.2.2 CPC Design Implementation:

The CPC design implementation: [ I

The CPC architecture is designed to minimize potential single failures and improve system reliability. CPC equipment that performs safety-related functions is designed for simplicity to maximize system reliability and availability. This philosophy results in maximum system availability under single random failure conditions.

[ ]

The trip, pretrip, and CWP outputs to the PPS are channelized such that these outputs are provided only in the associated PPS channel.

I I



A2..3


HARDWARE DESCRIPTION [ I

A2.7 References

The following list of references is specifically addressed in this Appendix.

A2.7.1

A2.7.2

A2.7.3

A2.7.4

A2.7.5

A2.7.6

A2.7.7

A2.7.8

A2.7-9

A2.7-1 0

A2.7-11

A2.7.12

CPC Functional Design Requirements, 00000-ICE-3208, Revision 08

CEAC Functional Design Requirements, 00000-ICE-3234, Revision 06

Common Qualified Platform Topical Report, CENPD-396-P, Rev. 00, February, 1999.

IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, IEEE 603-1991

IEEE Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Station Safety Systems, IEEE Std. 338-1987

USNRC Regulatory Guide-Periodic Testing of Protection System Actuation Functions (Safety Guide 22), Regulatory Guide 1.22.

Guidance on Defense-In-Depth and Diversity in Digital Computer Based I&C Systems, BTP HICB-19

Methods for Performing Diversity and Defense In depth Analyses of Reactor Protection Systems, NUREG/CR-6303-1994

Arkansas Nuclear One Unit 2 Safety Evaluation Report, Appendix D, Supplement 1, Docket No. 50-368.

USNRC Regulatory Guide-Bypassed and Inoperable status Indication for Nuclear Power Plant Safety Systems, Regulatory Guide 1.47, Rev. 00

IEEE Standard Criteria for Independence of Class 1 E Equipment and Circuits, IEEE Std 384-1992

IEEE Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Safety Systems, IEEE Std 379-1994



A2.7.13

A2.7.14


USNRC Regulatory Guide-Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems, Regulatory Guide 1.53, Rev. 00

USNRC Standard Review Plan for the Review of Safety Analysis reports for Nuclear Power Plants, Chapter 7, NUREG 0800-1997, Rev. 04




A2.8 PROPOSED TECHNICAL SPECIFICATION CHANGES

Attached Insert A is to be located in Standard Technical Specifications for Combustion Engineering Plants, NUREG 1432, Rev. 1, LCO 3.3.1 "RPS Instrumentation-Operating (Digital)". Existing Conditions E, F, and G, will become Conditions I, J, and K.


AL11111


IkBB Combustion Engineering Nuclear PowerCommon Qualified Platform

Digital Plant Protection System

AkIIIII Combustion Engineering Nuclear Power



CENPD-396

Appendix 3

July 1999

CENPD 396 Appendix 3 Page I of 34

LEGAL NOTICE

This notice was prepared as an account of work sponsored by Combustion Engineering, Inc. Neither Combustion Engineering nor any person acting on its behalf:


b. Assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

Common Qualified Plafform ABB Combustion Engineering Nuclear Power Digital Plant Protection System

TABLE OF CONTENTS

TABLE OF CONTENTS ............................................................................................. 2

LIST OF FIGURES .................................................................................................... 4

LIST OF TABLES ..................................................................................................... 4

A3.0 DIGITAL PLANT PROTECTION SYSTEM (DPPS) ....................................... 5

A3.1 FUNCTIONAL REQUIREMENTS ................................................................... 8

A3.1.1 Overview: ................................................................................................. 8 A3.1.1.1 General Functional Requirements (Reference 1, Section 2.1) .............. 9 A3.1.1.2 Reactor Protection System Functional Requirements (Reference 1, .....

Section 2.2) ......................................................................................... 9 A3.1.1.3 Engineered Safety Features Actuation System Functional Requirements

(Reference 1, Section 2.3) ................................................................. 15 A3.1.1.4 Remote Control Module Functions ...................................................... 18 A3.1.1.5 Maintenance and Test Panel (MTP) Functions: ................................. 20 A3.1.1.6 Interface and Test Processor (ITP) functions: .................................... 21 A3.1.1.7 DPPS Channel Inputs: ......................................................................... 22

A3.1.1.7.1 Analog Inputs ........................................................................... 22 A3.1.1.7.2 Contact Pretrip/Trip inputs ........................................................ 23 A3.1.1.7.3 ENFMS Inputs ............................................................................ 23 A3.1.1.7.4 Remote Shutdown Panel Contact Inputs: ................................. 24

A3.1.1.8 DPPS Channel Outputs: .......................................................... 24 A3.1.1.8.1 RPS Initiation Contact Outputs ................................................. 24 A3.1.1.8.3 Other DPPS Contact Outputs: ................................................... 25 A3.1.1.8.4 Indicator Analog Outputs .......................................................... 27

A3.1.1.9 Failure Modes: ........................................................................... 27

A3.2 SYSTEM DESCRIPTION .............................................................................. 27

A3.2.1 Overview .................................................................................................. 27

A3.3 HARDWARE DESCRIPTION ........................................................................ 29

A3.3.1 Mechanical ............................................................................................... 29


Common Qualified Platform ABB Combustion Engineering Nuclear Power Digital Plant Protection System

FIGURE A3.3-1: TYPICAL DIGITAL PLANT PROTECTION SYSTEM CABINET 30

A3.3.2 Electrical ................................................................................................ 31

A3.3.3 PLC Configuration ................................................................................ 31

A3.6 FAILURE MODES AND EFFECTS ANALYSIS (FMEA) ................................ 32

A3.6.3 Conclusions ......................................................................................... 32

A3.8 REFERENCES .............................................................................................. 33

A3.9 PROPOSED TECHNICAL SPECIFICATION CHANGES .............................. 34



LIST OF FIGURES

No. Title Paqe

A3.2-1 PPS BASIC BLOCK DIAGRAM 55 A3.2-2A DPPS CHANNEL A BLOCK DIAGRAM 60 A3.2-2B DPPS CHANNEL A BLOCK DIAGRAM 61 A3.2-2C DPPS CHANNEL A BLOCK DIAGRAM 62 A3.2-2D DPPS CHANNEL A BLOCK DIAGRAM 63 A3.2-3 DPPS/DESFAS TRAIN A BLOCK DIAGRAM 64 A3.3-1 TYPICAL DIGITAL PLANT PROTECTION SYSTEM CABINET 70 A3.3-2 DPPS CHANNEL A CONFIGURATION BLOCK DIAGRAM 74 A3.3-3 TYPICAL RPS INITIATION LOGIC 75 A3.3-4 INTERFACE AND TEST PROCESSOR BLOCK DIAGRAM 81 A3.3-5: INTERFACE BETWEEN DESFAS TRAIN ITPs and DPPS ITPs 86 A3.3.6 DESFAS CONFIGURATION BLOCK DIAGRAM 87 A3.4-1 DPPS BISTABLE LOGIC BLOCK DIAGRAM 102 A3.4-2 FALLING TRIP BISTABLE LOGIC 103 A3.4-3 MANUALLY RESET VARIABLE SETPOINT 104 A3.4-4 RATE LIMITED VARIABLE SETPOINT 105 A3.4-5 OPERATING BYPASS LOGIC 106 A3.4-6 DISCRETE BISTABLE LOGIC 107 A3.4-7 TESTING BLOCK DIAGRAM 108 A3.4-8 ITP LOGIC BLOCK DIAGRAM 118 A3.6-1 DPPS FMEA BLOCK DIAGRAM 128 A3.6-2 DESFAS FMEA BLOCK DIAGRAM 129 A3.7-1 COMMON-Q DPPS CONFIGURATION 173 A3.7-2 SEPARATE RPS/ESFAS CONFIGURATION 174 A3.7-3 DPPS WITH SINGLE PROCESSOR RACK/TRAIN 175 A3.7-4 DPPS WITH MULTIPLE ESFAS LCLs 176 A3.7-5 DPPS WITH DIVERSE BISTABLES 177

LIST OF TABLES

No. Title Page

A3.1-1 ANALOG INPUT ASSIGNMENTS 37 A3.6-1 FAILURE MODES AND EFFECTS ANALYSIS 130



A3.0 DIGITAL PLANT PROTECTION SYSTEM (DPPS)

The purpose of this Digital Plant Protection System (DPPS) appendix is to provide the functional requirements and conceptual design of the DPPS.

The scope of this DPPS appendix includes implementation of both the Reactor Protection System (RPS) and Engineered Safety Features Actuation System (ESFAS) based upon common-Q components. These requirements include DPPS functional design, testing, major Man Machine Interface functions, system block diagrams, and the interface with the Core Protection Calculators, Power Sources, Annunciators, Plant Computer, and other equipment.

This appendix addresses DPPS upgrades applicable to both the RPS and PPS generation of plants. For both RPS and PPS plants, it is possible to upgrade only the RPS, or only the ESFAS, or both the RPS and ESFAS. This appendix specifically addresses the most comprehensive case, namely that of replacing both the RPS and ESFAS. Considerations involved in replacing a subset of this equipment (RPS or ESFAS only) are also discussed, but to a lesser extent.

The scope of this Appendix is limited to replacement of the equipment located in the PPS cabinet and ESFAS Auxiliary Relay Cabinets (ARCs). Sensors and related signal conditioning equipment external to the PPS cabinet, and final actuated devices (trip circuit breakers, ESF valves, pumps and other equipment) are not to be altered by this DPPS upgrade, and are addressed only as an interface.

PPSIRPS Background

Philosophically, the Plant Protection System (PPS) is composed of both RPS and ESFAS functions. In the earlier Combustion Engineering (C-E) plants, the RPS and ESFAS were separate physical entities, with the RPS supplied by the NSSS Vendor, and the ESFAS typically falling within the Architect Engineers scope of supply. These earlier C-E plants with separate RPS and ESFAS implementations include:

"* Palisades

"* Fort Calhoun

"* Millstone Unit 2

"* Calvert Cliffs Units 1 and 2



0 St. Lucie Units 1 and 2.

In this appendix, these plants, employing separate RPS and ESFAS implementations, are referred to as "RPS" plants.

C-E plants of more recent design combine the RPS and ESFAS functions into one common cabinet, referred to as a "PPS" cabinet. The PPS cabinet includes the bistable trip functions and two-out-of-four logic to initiate both the reactor trip and ESFAS function actuation. Plants employing a PPS cabinet also have two separate ESFAS cabinets which house the train A and Train B component actuation relays, as well as local indication, manual actuation, and selective two out of four actuation logic. These are designated Auxiliary Relay Cabinets (ARCs) Train A and Train B.

These more recent U.S. C-E plants with RPS and ESFAS implementations in a

common PPS cabinet include:

"• Arkansas Nuclear One-Unit 2 (ANO-2)

"* San Onofre Units 2 and 3 (SONGS 2 and 3)

"* Waterford Unit 3 (WSES-3)

"* Palo-Verde Units 1, 2, and 3 (PVNGS).

In this appendix, these plants, employing a common RPS and ESFAS in a PPS cabinet are referred to as "PPS" plants.

In both the RPS and PPS generation of plants, fundamental RPS design features have remained essentially unchanged since the first CE plant (Palisades) was built. These features include four separate and redundant sensor and bistable channels providing outputs to six two-out-of-four coincidence matrices, whose output is provided to the RPS actuation devices that are arranged in a selective two out of four logic. This configuration ensures that no single failure can either result in an inadvertent trip or prevent a legitimate trip from occurring. For all plants except Palisades and Fort Calhoun, this final selective two out of four logic is implemented using Reactor Trip Circuit Breakers (RTCBs) actuation devices. For the two plants listed, DC clutch power supplies are used in lieu of RTCBs, but the basic selective two-out-of-four configuration of initiation (K) relay inputs is identical for both designs. This similarity lends itself to a common DPPS replacement design.

For PPS-generation plants, the fundamental RPS design features were replicated for actuation of the ESFAS functions. This includes separate and redundant



sensor and bistable channels providing outputs to six two-out-of-four coincidence matrices, whose output is provided to a selective two out of four logic. In the PPS plants, the sensor and bistable channels are sometimes shared with the RPS function. For example, Low Pressurizer Pressure provides both a reactor trip and an ESFAS actuation (SIAS, in this case). In the ESFAS, the final selective two out of four logic is implemented separately for each train, in the associated Train A or Train B ARC.

The ESFAS in RPS generation plants varies in implementation from plant to plant, but generally includes four sensor channels and a separate two out of four coincidence logic (sometimes multiple logic) for each function in each train. Thus, the ESFAS implementation in RPS-generation plants is not incompatible with that in the PPS-generation plants, though implementation details differ.

PPSIRPS CPC Implementation Differences:

The basic RPS implementation described above is applicable to the RPS design in all CE plants. Specific reactor trips and operating bypass functions do differ slightly from plant to plant, but these differences may be easily accommodated in the DPPS upgrade without any significant change to the fundamental design. For the purposes of this appendix, the intent is to replicate existing trip functions at each plant. Implementation of existing trips, presently based on analog hardware, with digital technology, offers the opportunity for significant enhancements to those trip functions. However, no changes to existing functions are proposed by this upgrade at this time. It is anticipated that setpoint changes will occur due to the absence of instrument drift considerations in digital hardware.

Although the most significant difference between "RPS" and "PPS" generation plants is the incorporation of the ESFAS into the latter, another significant difference between these generations of plants is in the implementation of the Core Protection Calculator (CPC) function. The CPCs provide protection from Anticipated Operational Occurrences (AOOs) which could violate plant Safety Limits associated with Departure from Nucleate Boiling Ratio (DNBR) and Local Power Density (LPD).

In the RPS generation of plants, this protection was afforded by two trip functions, the Thermal Margin/Low Pressure (TM/LP) and the Axial Power Distribution (APD) trips. The trip setpoints for these functions are somewhat complex variables, and are calculated in analog computers (analog core protection calculators) physically located in the lower part of the RPS cabinet. The implementation of the CPCs in these RPS plants is thus presently based upon analog technology, and though complex by the standards of other trip functions, is relatively straightforward, and lends itself well to implementation in a digital bistable processor without the need for any additional equipment. Thus, for the RPS plants, the CPC-based TM/LP and LPD trip functions will be implemented in the bistable processors in the DPPS upgrade.



I I In the PPS generation of plants, the previously described protection is afforded by the Low DNBR and High Local Power Density (Hi-LPD) reactor trips. These are very complex functions as compared to their analog counterparts, and are calculated in separate stand-alone digital computers mounted in an Auxiliary Protective Cabinet (APC). The APC provides a contact input to the PPS cabinet for Low DNBR trip and pretrip, High LPD trip and pretrip, and CEA Withdrawal Prohibit (CPC-CWP). For the purposes of this appendix, it is assumed that the CPCs will remain separate from the PPS. Thus, these contact inputs to the PPS will continue to exist for the DPPS upgrade.

Remote Control Module

Each DPPS Channel shall communicate with a DPPS Remote Control Module (RCM) mounted in the Control Room. Plants have the option of retaining their existing RCM, implemented in hardware, or replacing this device with a standard Common-Q flat panel display-based RCM. For the purposes of this appendix, the flat panel-based RCM replacement is considered the standard design. The following discussion therefore applies to the flat-panel implementation. [ I

In RPS-generation plants, the RCM may be implemented in the RPS cabinet, since there is no RCM feature in the present design. In PPS-generation plants, the RCMs shall also monitor the status of the ESFAS trains.

[ ]

A3.1 FUNCTIONAL REQUIREMENTS

A3.1.1 Overview:

The DPPS shall fulfill functions of the existing PPS, RPS or ESFAS, as appropriate. For the purposes of this Appendix, the functional requirements for the 3410 Mwt class of plants shall be used as reference. These include ANO-2, SONGS 2 and 3, and WSES-3. For other plants, functional requirements are similar, and will be addressed by the plant-specific upgrade installation.

The following section lists functional requirements and design bases as delineated in Reference 1, "Functional Description for Plant Protection System", 00000-ICE3201-Rev. 02, issued 03/02/76. The purpose of this section is to demonstrate the extent of DPPS upgrade compliance with basic PPS system requirements.



A3.1.1.1 General Functional Requirements (Reference 1, Section 2.1)

" "The PPS shall continuously monitor selected safety-related parameters such as neutron flux, reactor pressurizer pressure, steam generator pressure, and level etc,) in a reliable fashion, in order to assure a known plant status at all times except during refueling".

The proposed DPPS installation shall comply with the above by reliably monitoring the same parameters and providing plant status information that is at least equivalent to the existing installation.

"* "The PPS automatically initiates plant protective action in the form of actuation of appropriate systems whenever the monitored selected plant parameters reach predetermined levels where plant protection is required."

The proposed DPPS installation shall comply with the above by actuating the same systems (RPS and ESFAS, as appropriate) subject to the same trip setpoint considerations as the present design. It is anticipated that setpoints may change somewhat because of reduced uncertainty associated with digital implementation, but compliance with established setpoint methodology as required by the Bases of NUREG 1432, "Standard Technical Specifications Combustion Engineering Plants" will be maintained. Though not specifically addressed in this Appendix, the versatility of a DPPS upgrade in accommodating more complex trip functions (e. g. variable setpoints vice fixed setpoints, compensation of neutron flux power for temperature (cold leg temperature shadowing), etc), makes it possible to more reliably and accurately monitor relevant variables, and provide protection as required.

" "The PPS provides alarms and, in some cases, limiting signals to control systems, whenever the monitored selected plant parameters approach the predetermined levels where plant protection would be required."

The proposed DPPS will provide the same alarms, and will provide additional diagnostic information in a user-friendly format, It will therefore be an enhancement over the existing system. The same limiting signal to control systems (i. e. the CEA Withdrawal Prohibit) will also be provided.

A3.1.1.2 Reactor Protection System Functional Requirements (Reference 1, Section 2.2)

"* "The RPS shall consist of measurement channels, logic, and those circuits necessary to effect reliable and rapid reactor shutdown (reactor trip) if any one



or a predetermined combination of the monitored conditions reach a limiting safety system setting. The system function is to protect the core and reactor coolant system pressure boundary.

"The measurement channels consist of sensors, signal conditioning equipment

and trip bistables. These channels provide trip signals to the coincidence logic.

"A two-out-of-four coincidence of like trip signals is required to generate a

reactor trip signal.

"The reactor trip signal opens the reactor trip circuit breakers, thus deenergizing the Control Element Drive Mechanism Coils, allowing the shutdown and regulating Control Element Assemblies (CEAs) to drop into the reactor core."

SThe proposed DPPS installation will satisfy all of the preceding requirements. Measurement channels are unaffected by the DPPS upgrade, as existing inputs will be used. The use of bistables feeding two-out-of-four coincidence logic remains, though existing hardware performing these functions will be replaced with digital bistable processors and local coincidence logic processors performing the same functions described above. The existing reactor trip circuit breakers, their configuration, and relationship to the CEDMCS will be unaffected by the DPPS upgrade. [ ]

This appendix assumes either the four or eight RTCB configuration. In some cases (Palisades and Fort Calhoun) there may be four initiation contacts deenergizing clutch power supplies in lieu of RTCBs. In all cases, the basic selective two out of four logic used in the initiation circuitry is the same.

The RPS Provides trips for the following conditions:

1. High Linear Power Level Trip. This trip uses the average of the three excore linear subchannel flux signals. This trip function includes audible and visual pretrip indication.

The proposed DPPS installation shall satisfy the above requirements for a high linear power level trip and pretrip. It should be noted that in some plants, the trip function is a variable high power trip. In the case of PVNGS, a rate limited function is employed on an increasing signal. In the RPS plants, the trip setpoint must be manually reset upwards as power level is increased. Minimum and Maximum trip setpoint values are also included. These trip function variations can be accommodated on a plant-specific basis.



2. High Logarithmic Power Level. This trip uses the wide range (logarithmic) ex-core channel output. A trip results when power increases above a preset value. The trip may be manually bypassed when power level rises above 10 -4 % RTP. This trip function includes audible and visual pretrip indication.

The DPPS installation shall satisfy the above requirements for a high logarithmic power level trip, manual bypass capability, and pretrip indication. It should be noted that RPS-generation plants do not have a High Logarithmic Power Level trip. These plants do usually employ a "Rate of Change of Power-High" trip based upon wide range neutron flux indication. The rate of change of power is automatically bypassed when power level is below I X 10 -4 % or above approximately 15 % power in these plants. The DPPS installation shall be capable of replicating this function for the RPSbased plants, including bypass operation.

3. High Local Power Density Trip. The High LPD trip is a contact input from the CPC channel. It ensures maintenance of the LPD safety limit during AQOs. This trip function includes audible and visual pretrip indication.

For PPS-generation plants, the DPPS implementation shall accommodate the High LPD trip and Pretrip contact inputs from the CPC auxiliary protective cabinets. Though not explicitly stated in the functional requirement for this trip, the trip may be manually bypassed when below a preset power level as indicated by the ex-core wide range channel. This manual bypass feature shall also be accommodated in the DPPS design.

For RPS plants, the High LPD trip function does not exist. However, these plants usually employ an analogous High APD trip implemented in analog computer hardware. This trip is a function of the Axial Shape Index (ASI) and average channel ex-core power as indicated by the Power Range Nuclear Instrumentation (NI) safety channel. In the RPS-generation plants, this trip is implemented in the existing RPS cabinet without the use of external CPCs. Similarly, in the DPPS implementation, the High APD trip function shall be incorporated into the bistable processor trip algorithms, without requiring any additional CPC hardware. In the RPS plants, the APD-High trip is automatically bypassed when below a given power level (nominally 15%), as indicated by the power range nuclear instrumentation safety channel. This feature will be replicated in the DPPS. It should be noted that this automatic bypass feature is usually implemented with the same bistable responsible for bypassing the High Rate of Change of Power and Loss of Turbine reactor trips. In one RPS-generation plant, this bypass function has been separated from these other functions. In the DPPS design, it shall be possible to have separate bistable setpoints for each bypass function, if desired.



4. Low DNBR Trip. The Low DNBR trip is a contact input from the CPC channel. It ensures maintenance of the DNBR safety limit during AQOs. This trip function includes audible and visual pretrip indication.

For PPS-generation plants, the DPPS implementation shall accommodate the Low DNBR trip and Pretrip contact inputs from the CPC auxiliary protective cabinets. Though not explicitly stated in the functional requirement for this trip, the trip may be manually bypassed when below a power level as indicated by the ex-core wide range channel. This manual bypass feature shall also be accommodated in the DPPS design.

For RPS plants, the Low DNBR trip function does not exist. However, these plants usually employ an analogous Thermal Margin/Low Pressure (TM/LP) trip implemented in analog computer hardware. This trip is a function of RCS Pressure, the Axial Shape Index (ASI) and average channel ex-core power as indicated by the Power Range Nuclear Instrumentation (NI) safety channel, and Delta T power. In the RPS-generation plants, this trip is implemented in the existing RPS cabinet without the use of external CPCs. Similarly, in the DPPS implementation, the TM/LP trip function shall be incorporated into the bistable processor trip algorithms, without requiring any additional CPC hardware.

5. High Pressurizer Pressure Trip. The high pressurizer pressure trip function trips the reactor when RCS pressure reaches a high preset value. This trip function includes audible and visual pretrip indication.

The proposed DPPS installation shall satisfy the above requirements for a high pressurizer pressure trip and pretrip. It should be noted that in the RPSgeneration of plants, the high pressurizer pressure trip also provides a signal to open Power Operated Relief Valves (PORVs). PORVs do not exist at PPS-generation plants. In the DPPS implementation, the ability to open PORVs shall be retained for RPS generation plants.

6. Low Pressurizer Pressure trip. The low pressurizer pressure trip is provided to trip the reactor when measured pressurizer pressure falls to a low preset value. This trip function includes audible and visual pretrip indication.

The proposed DPPS installation shall satisfy the above requirements for a low pressurizer pressure trip and pretrip. In the PPS generation of plants, this function trips the reactor and simultaneously initiates a Safety Injection Actuation Signal (SIAS). RPS-generation plants do not have an explicit Low Pressurizer Pressure trip, since this low pressure trip feature is a floor (minimum) setpoint in the TM/LP trip function. In the RPS-generation of plants, the ESFAS function is independent of the RPS. The DPPS


Common Qualified Platformn ABB Combustion Engineering Nuclear Power Digital Plant Protection System

implementation shall replicate all existing features on both generations of plants. Should the implementation be for an RPS and ESFAS upgrade in an RPS-generation plant, the option shall exist for simultaneous RPS trip and ESFAS actuation, as in the PPS generation of plant. It shall also be possible to retain separate RPS and ESFAS trips setpoints for this function.

7. High Steam Generator Water Level trip. This trip function trips the reactor when RCS steam generator level in either steam generator reaches a high preset value. This trip is equipment protective only, and is not required by the safety analysis. This trip function includes audible and visual pretrip indication.

The proposed DPPS installation shall satisfy the above requirements for a high steam generator level trip and pretrip. In the PPS-generation of plants, there are presently two SG-specific high level trips. RPS-generation plants do not have High-SG level trips. The DPPS shall replicate existing functionality in both cases.

8. Low Steam Generator Water level Trip. This trip function trips the reactor when RCS steam generator level in either steam generator reaches a low preset value. This trip function includes audible and visual pretrip indication. In many PPS-generation plants, this trip also serves as an input to the Emergency-Feedwater Actuation System (EFAS) logic. In some plants, the EFAS SG level trip input is derived from separate wide range SG level transmitters, and the EFAS actuation setpoint is significantly lower than the reactor trip setpoint. In the PPS-generation plants, the low SG water level trip includes two SG-specific trip functions. In the RPS-generation plants, the auctioneered lower of both SGs is provided to a single bistable trip unit.

The proposed DPPS installation shall satisfy the above requirements for a low steam generator level trip and pretrip, and shall replicate existing capabilities.

9. Low Steam Generator Pressure Trip. This trip function trips the reactor when steam generator pressure in either steam generator reaches a low preset value. This trip function may be manually reset by the operator to permit an orderly plant shutdown. This trip includes audible and visual pretrip indication. In PPS-generation plants, this trip also provides a Main Steam Isolation Signal (MSIS).

In RPS generation plants, there is no capability to manually reset (decrease) the trip setpoint during system depressurization. However, there are


Common Qualified Platform ABB Combustion Engineering Nuclear Power Digital Plant Protection System.

provisions for manual bypass of the trip function as SG pressure is decreased.

In the PPS-generation plants, the low SG water level trip includes two SGspecific trip functions. In the RPS-generation plants, the auctioneered lower of both SGs is usually provided to a single bistable trip unit.

The proposed DPPS installation shall satisfy the above requirements for a low steam generator pressure trip and pretrip, and shall replicate existing capabilities, including setpoint reset (for PPS-generation plants), and system operating bypass (for RPS-generation plants).

10. High Containment Pressure trip. This trip function trips the reactor when containment pressure reaches a high preset value. This trip function includes audible and visual pretrip indication. In many PPS-generation plants, this trip also serves as an input to the Containment Isolation Actuation Signal (CIAS) and SIAS. In some cases, separate High Containment Pressure trips are employed for these ESFAS functions.

The proposed DPPS installation shall satisfy the above requirements for a high containment pressure trip and pretrip.

11. Loss of Load (Loss of Turbine) trip. This trip function trips the reactor when the turbine trips above a preset power level. This trip is equipment protective and is not required for plant safety. The trip is automatically bypassed below a certain power level (15% to 55%, depending on the plant), consistent with steam bypass capability. PPS plants employing a reactor power cutback system do not have this trip function. Most RPSgeneration plants use the same ex-core linear power safety channel bistable to provide this bypass as well as high-rate of change of power trip bypass and high APD trip bypass.

The proposed DPPS installation shall satisfy the above requirements for a loss of load trip, including bypass feature. For RPS-generation plants, it shall be possible to separate the bypass functions for the loss of load, high rate of change of power, high APD trip functions.

12. Manual Actuation. A manual reactor trip is provided to permit the operator to manually trip the reactor. Actuation of two adjacent pushbuttons in the control room will cause interruption of the AC power to the CEDM power supplies. Two sets of trip pushbuttons are provided.

The proposed DPPS installation shall retain this manual trip capability, as described above.



Other RPS Trips: There are several other plant-specific trip functions, such as the low flow trip (based upon SG primary side differential pressure), high seismic trip, (based upon seismic horizontal and vertical accelerometer contact inputs to the PPS) and low RCP Speed trip (for some RPS plants only) not specifically addressed in the Functional Description document. These plantspecific trips shall have their functionality replicated in the DPPS design.

Other RPS Trip Bypasses: In some cases, operating bypasses of installed trips have been made on a plant-specific basis that are not reflected in the Functional Description document. These include, for example, a low RCS temperature-dependent bypass permissive of the steam generator water level trips, and a low power bypass of the low flow trip. These plant-specific bypasses shall have their functionality replicated in any DPPS installation.

A3.1.1.3 Engineered Safety Features Actuation System Functional Requirements (Reference 1, Section 2.3)

"The instrumentation and controls associated with the ESFAS shall consist of measurement channels, logic, and those circuits associated with the generation of each actuation signal.

"The measurement channels consist of sensors, signal conditioning equipment

and trip bistables. The sensors monitor selected plant parameters and provide signals to the bistable trip devices. Trip signals are provided by the trip bistables if the monitored selected plant parameter reach (sic) predetermined setpoints. Two-out-of-four coincidence of like initiating trip signals from four independent measurement channels is required to generate actuation signals to the actuation devices associated with each individual actuated component in the ESFAS. Each actuation system logic, including test features, is similar to the logic for the reactor protective system.

"uThere is one actuation system for each of the ESF systems; each actuation system is identical except that specific inputs (and bypasses where provided) vary from system to system and the actuated devices are different..."

> The proposed DPPS installation will satisfy all of the preceding requirements. Measurement channels are unaffected by the DPPS upgrade, as existing inputs will be used. The use of bistables feeding two-out-of-four coincidence logic remains, though existing hardware performing these functions will be replaced with digital bistable processors and local coincidence logic processors performing the same functions described above. The existing subgroup relays providing contact inputs to the various ESF component

CENPD 396 Appendix 3 Page 15 of34


control circuits will most likely be replaced with new equivalent relays, though

this is not a necessary requirement of the DPPS upgrade. [ ]

The ESFAS Provides trips for the following conditions:

1. Safety Injection Actuation Signal (SIAS). This ESFAS function is typically initiated by two-out-of-four low pressurizer pressure or two-out-of-four high containment pressure signals. In the PPS plants the pressurizer pressure trip signal may be manually reset by the operator to permit an orderly plant shutdown. A manual bypass may be initiated below a predetermined pressurizer pressure trip function includes audible and visual pretrip indication.

Parameters providing a SIAS differ somewhat from plant to plant. However, pressurizer pressure is common to all. In the RPS-generation plants there is no low pressurizer pressure reset capability. However, a manual SIAS block (bypass) is provided below a permissive pressurizer pressure setpoint to enable depressurization without initiating the SIAS function.

The proposed DPPS installation shall satisfy the above requirements for a SIAS actuation, including bypass or reset feature, modified as necessary to meet plant-specific requirements.

[ ]

2. Recirculation Actuation Signal (RAS). This ESFAS function is typically initiated by two-out-of-four low refueling water tank level signals. Unlike other ESFAS functions, some PPS plants do not include provisions for manual actuation of the RAS on the main control board, due to concern about premature actuation of this function.

The proposed DPPS installation shall satisfy the above requirements for a RAS actuation, modified as necessary to meet plant-specific requirements. Implementation considerations for different plant generations are as described under the SIAS discussion.

3. Containment Isolation Actuation Signal (CIAS). This ESFAS function is typically initiated by two-out-of-four high containment pressure signals.

In some plants, low pressurizer pressure or high containment radiation is also a CIAS initiator.

The proposed DPPS installation shall satisfy the above requirements for a CIAS actuation, modified as necessary to meet plant-specific requirements.



Implementation considerations for different plant generations are as described under the SIAS discussion.

4. Containment Cooling Actuation System (CCAS). Some PPS-generation plants employ a CCAS function. For other plants, containment cooling actuation is a subsidiary SIAS function. This function has the same inputs as the automatic SIAS (two out of four low pressurizer pressure or two-outof-four high containment pressure), though it is provided with a separate manual trip capability from that provided for SIAS. For plants equipped with a CCAS function, pressurizer pressure bypass and setpoint reset use the same pushbuttons and switches provided for SIAS.

The proposed DPPS installation shall satisfy the above requirements for a CCAS actuation for those plants with this feature.

5. Containment Spray Actuation System (CSAS). This function is initiated on a two out-of-four high-high containment pressure AND a simultaneous twoout-of-four SIAS.

Inputs to CSAS differ somewhat between plants. Because of the potential cleanup problem which would result from an inadvertent CSAS, most plants employ some interlocking feature requiring some aspects of an initiating signal, such as SIAS, in addition to High-High containment pressure. In RPS-generation plants, this interlocking may not be an explicit requirement for SIAS, but a functional mechanical interlock, such as having the SIAS start the containment spray pump, but requiring a CSAS on High-High containment pressure to open the spray header isolation valve.

The proposed DPPS installation shall satisfy the above requirements for a CSAS actuation, modified as necessary to meet plant-specific requirements.

6. Main Steam Isolation Signal (MSIS). The MSIS is actuated by two-out-offour low steam generator pressure signals from each steam generator. The steam generator pressure signal may be manually reset by the operator to permit an orderly plant shutdown.

Some plants employ additional inputs, such as high containment pressure or high containment radiation for this function. The ability to manually reset this setpoint downwards is restricted to the PPS generation of plants. In the RPS-generation, a manual block (bypass) is permitted when steam generator pressure is below a permissive setpoint.

The proposed DPPS installation shall satisfy the above requirements for a MSIS actuation, modified as necessary to meet plant-specific requirements.



7. Emergency Feedwater Actuation Signal (EFAS). The EFAS initiates auxiliary feedwater on low water level to the intact steam generator (s) following a steam line break or loss of feedwater accident. It is initiated on a two out of four logic basis to a steam generator if that steam generator meets the conditions for either of the following:

A. The steam generator's water level trip exists without the low steam generator pressure trip present.

B. The steam generator's water level trip exists and this steam generator's pressure is greater than the pressure in the other by a predetermined differential pressure.

EFAS-1 Logic pertains to SG 1, and EFAS 2 logic pertains to SG 2.

EFAS logic differs somewhat between plants. The above described "feed only good generator" (FOGG) logic is used only at the 3410 Mwt group of plants (ANO-2, SONGS 2 and 3, WSES 3). PVNGS uses a variation without the Low Pressurizer Pressure input. RPS-generation plants are more variable in EFAS design. In many cases, there is no FOGG logic, and low SG level is the only input. In these RPS plants, low SG level in either SG may feed both SGs.

The proposed DPPS installation shall satisfy the above requirements for a MSIS actuation, modified as necessary to meet plant-specific requirements.

8. Manual Actuation.

Each of the ESFAS signals may be initiated from the control room by switches with the exception of RAS.

There are plant-specific cases where RAS may be initiated from the control board.

The proposed DPPS implementation shall retain the existing manual actuation capability.

A3.1.1.4 Remote Control Module Functions

Each DPPS channel shall communicate with a DPPS Remote Control Module (RCM) mounted in the Control Room. Plants have the option of retaining their existing RCM, implemented in hardware, or replacing this device with a standard



Common-Q flat panel display-based RCM. For the purposes of this appendix, the flat panel-based RCM replacement is considered the standard design. The following discussion therefore applies to the flat-panel implementation. Each of the four RCMs is fiber optically isolated from its associated DPPS channel. The RCM shall be used for DPPS channel monitoring, to provide the capability to manually alter addressable constants (selected calibration values, including ex-core power range neutron flux; as well as pretrip and trip setpoints) subject to key switch control, to initiate channel operating bypass subject to permissive requirements, and to initiate periodic surveillance testing.

In RPS-generation plants, the RCM may be implemented in the RPS cabinet, using the MTP, since there is no RCM feature in the present design. In PPSgeneration plants, the RCMs shall also monitor the status of the ESFAS trains.

The DPPS system shall include fully automatic or manually initiated automatic test capability for determining system operability. It shall also perform automatic hardware diagnostic testing. It shall be possible to initiate surveillance testing from the Remote Control Module, or from a locally mounted maintenance and test panel (MTP).

The RCM shall be the primary means by which the operator communicates with the DPPS during normal operation. The RCM shall have enhanced display capability as compared to the present analog RCM implementation, and shall be able to perform some additional functions.

The Remote Control Module shall have a flat panel display from which the following can be performed:

"* Provide overall RPS/ESFAS status monitoring, including trip, pretrip, bypass, LCL status

" Monitor operator-selectable DPPS-related point IDs. These include status bits, setpoints, and intermediate calculated variables.

" Change Addressable Constants (Setpoints) under key switch control. These include pretrip, trip, bypass permissive, and ex-core power calibration values.

" Perform an Operating Bypass of various trip functions, via key switch, subject to permissive constraints.

" Perform setpoint resets for bistable functions requiring manual reset (Low Pressurizer Pressure, Low SG Pressurizer)

" Monitor channel alarm conditions, including the ability to perform limited diagnostics



"* Perform periodic surveillance testing

"• Place any bistable trip parameter in trip.

"• Declare one of the two bistable processors in a channel failed.

A3.1.1.5 Maintenance and Test Panel (MTP) Functions: A locally mounted MTP in each DPPS channel shall interface with its associated channel. The DPPS MTP shall also be capable of monitoring the status of both DESFAS ARCs using status information transmitted to the DPPS from the DESFAS Interface and Test Processors (ITPs) over dedicated high speed links. The MTP shall have the same displays and functions as the Remote Control Module, including the ability to initiate periodic testing. In addition, the MTP shall perform the following:

"• Serve as the primary display link to the channel Interface and Test Processor

"* Service a data link to the Plant Monitoring System (PMS) via Ethernet

connection

" Provide for Periodic Response Time testing

" Perform on-line monitoring of its associated DPPS channel processors.

" Provide Maintenance functions, including the means for downloading revised DPPS channel software, subject to a hardware interlock, and interrogating the DPPS channel error buffers to access detailed diagnostic information on module failures.

"* Provide the ability to trip channel bypass any PPS trip parameter, subject to a hardware interlock and software constraints (a trip function may be bypassed in only one channel at a time).

The DESFAS cabinet MTP shall be of similar construction and capabilities as the DPPS MTP. There shall be one DESFAS MTP in each ARC. The DESFAS MTP shall perform the following:

"* Serve as the primary display link to the channel Interface and Test Processor

"* Provide for Periodic manually initiated component relay testing



" Perform on-line monitoring of its associated DPPS channel processors.

" Provide Maintenance functions, including the means for downloading revised DESFAS LCL channel software, subject to a memory protection interlock, and interrogating the DPPS channel error buffers to access detailed diagnostic information on module failures..

" Perform LCL automatic, manually initiated automatic, or manual LCL testing.

" Perform Trip Channel Bypassing of any input channel, subject to normal trip channel bypassing constraints (only one channel at a time may be bypassed). This feature is necessary if the HSL data link from a DPPS channel to an ARC is lost. Any discrepancy in bypass status between ARCs and DPPS will be indicated and annunciated via the DESFAS ITP HSL connection to the DPPS channels.

A3.1.1.6 Interface and Test Processor (ITP) functions:

Each DPPS channel and DESFAS train has an ITP. The ITP performs continuous passive monitoring and either fully automatic, manually initiated automatic, or manually initiated testing of the associated channel. The man-machine interface for the ITP is the MTP. All four DPPS ITPs receive DESFAS status information from both DESFAS trains, via one way (broadcast mode) dedicated HSLs from the DESFAS ITP in each train. DPPS channel ITPs communicate with each other for cross channel and test status monitoring through a subordinate interchannel AF 100 network. This network shall be separate from the intrachannel AF1 00 network in each DPPS channel, and shall not perform any class 1 E function. Connection of this AF1 00 ITP network between channels shall be via fiber-optically isolated devices, such that no electrical fault within a DPPS channel may propagate to the processors or other circuitry in the other channels. This ITP data link is described in the mair6 body of the topical report, CENPD-396-P.

Analog Input Module comparison monitoring

The channel ITP shall compare the outputs of the two redundant analog input modules in each channel, and indicate any discrepancies. The interchannel ITP data link is not required for this comparison.

Cross Channel Monitoring

Cross channel monitoring is considered an important feature of the DPPS design, providing the ability to detect individual channel failures by cross channel comparison, and ensuring proper DPPS channel response to test signals



generated by DPPS ITPs during automatic bistable testing. DPPS cross-channel communication of this status information, which is not required to perform any 1 E function, is accomplished by four-channel monitoring of DPPS parameters through the isolated ITP interchannel data-link.

A3.1.1.7 DPPS Channel Inputs: The DPPS system uses four redundant sets of inputs, one set per channel, for all input parameters. The inputs to be monitored are the same as those used in the present plant-specific PPS/DPPS implementation. Within each channel, redundant pairs of analog input modules are used, with each analog input module pair servicing one of the two bistable processor modules. Redundant analog input module outputs are compared for agreement by the channel ITP.

For reference purposes, inputs include:

A3.1.1.7.1 Analog Inputs The following are the analog channel trip inputs:

* Linear (Power Range) Power Level from the Excore Neutron Flux Monitoring System, typically 0 to 200%, 0 to 10 Vdc analog voltage, one per DPPS channel.

* Logarithmic (Wide Range) Power Level from the Excore Neutron Flux Monitoring System, typically 1 x 10 -- % to 200%, 0 to 10 Vdc analog voltage, one per DPPS channel.

"* Narrow Range Pressurizer Pressure, typically 1500 psia to 2500 psia, 1 to 5 or 0 to 10 Vdc analog voltage, one per channel.

"* Wide Range Pressurizer Pressure, typically 0 to 3000 psia, 1 to 5 or 0 to 10 Vdc analog voltage, one per channel.

" Steam Generator Level, Narrow Range (some implementations also have a separate wide range input for EFAS actuation), 0 to 100%, typically corresponding to approximately a 15 foot span, 1 to 5 or 0 to 10 Vdc analog voltage, one per steam generator per channel.

"* Steam Generator Pressure, typically 0 to 1200 psia, I to 5 or 0 to 10 Vdc analog voltage, one per steam generator per channel.

" Containment Pressure, Narrow Range, typically -4 psig to +20 psig, 1 to 5 or 0 to 10 Vdc analog voltage, one per channel (some installations use a contact input from a pressure switch for this function).

"* Containment Pressure, Wide Range, typically 0 to 70 psig, I to 5 or 0 to 10 Vdc analog voltage, one per channel.



"* Steam Generator primary side differential pressure, I to 5 or 0 to 10 Vdc analog voltage, one per RCS loop per channel (some installations use a contact input from the process protective cabinet for this low flow trip function).

"* Refueling Water Storage Tank Level, typically 1 to 5 or 0 to 10 Vdc analog voltage, one per channel.

A3.1.1.7.2 Contact Pretrip/Trip inputs The following are the typical contact (digital) channel trip inputs. Wetting voltage to contacts to be supplied by DPPS channel:

"* Low DNBR Trip, from Core Protection Calculator (PPS-generation plants only)

"* High Local Power Density Trip from Core Protection Calculator (PPSgeneration plants only)

"* Low DNBR Pretrip, from Core Protection Calculator (PPS-generation plants only)

"* High Local Power Density Pretrip from Core Protection Calculator (PPSgeneration plants only)

"* CPC CEA Withdrawal Prohibit (CWP) from CPC (PPS-generation plants only)

"* Loss of Turbine (Loss of Load) trip from Turbine Pressure Switch

A3.1.1.7.3 ENFMS Inputs The following are Ex-core Neutron Flux Monitoring System (ENFMS) safety channel bistable (digital) inputs to each DPPS channel.

" Power Trip test Interlock:

"Trouble" bistable contact input. This input will cause channel trips in Low DNBR and LPD High if the Nuclear Instrumentation channel is placed in test or fails.

" High Log Power Bypass Permissive

"Log 1" bistable permits manual bypass of the high log power trip when above setpoint. Since the DPPS also receives the analog log power input directly, an alternate (preferred) implementation of this bypass permissive is to provide a software based permissive. In the RPS-generation plants, this input is used to enable the Zero Power Mode Bypass.

"* CPC Bypass permissive



Some PPS plants employ a separate "Log 2" bypass permissive to enable bypass of the low DNBR and High Local power Density trips when below setpoint. Other plants use the high log power trip bypass bistable for this additional function. Though this is retained as an input for reference purposes, the preferred implementation would be to generate this bypass permissive in software. In RPS-generation plants, an analogous bistable is used to bypass the high rate of change of power trip.

* Linear Power (Linear 1)

In PPS plants with a loss of load trip, this bistable, sensed from ENFMS linear power circuitry is used to automatically bypass the loss of load trip. In RPSgeneration plants, this input is used to bypass the rate of change of power trip above setpoint, and to bypass the loss of load and Hi APD trips below setpoint. This input is retained for reference purposes, though the preferred implementation in the DPPS will be to provide a software bistable function separately for each of these trips.

A3.1.1.7.4 Remote Shutdown Panel Contact Inputs:

" Low Pressurizer Pressure Setpoint Reset This input from the Remote shutdown Panel (required by GDC 19) allows low Pressurizer Pressure trip manual setpoint reset during depressurizations/cooldowns to avoid SIAS initiation.

" Low Steam Generator Pressure Setpoint Reset This input is similar to that for the low pressurizer pressure trip, but affects the Low SG Pressure trip, preventing MSIS actuation on a depressurization/cooldown from outside the control room.

" Low Pressurizer Pressure Bypass This bypass from the remote shutdown panel defeats the low pressurizer pressure trip when RCS pressure is below the permissive setpoint (typically 400 psia), preventing inadvertent SIAS actuation during a cooldown/depressurization from outside the control room.

A3.1.1.8 DPPS Channel Outputs: The DPPS channels process the channel inputs so as to provide the required RPS trips and ESFAS actuations. Other than three outputs for low pressurizer pressure and low steam generator trip setpoint indicators, all outputs are digital.

A3.1.1.8.1 RPS Initiation Contact Outputs In the case of the RPS, relay (contact) outputs are provided to each RTCB for undervoltage and shunt trip actuation. DPPS convention is to deenergize channel



output relays on a trip. The undervoltage relay contact output is normally open

(NO) on a trip, and the shunt trip relay contact is normally closed (NC) on a trip.

[ I

A3.1.1.8.3 Other DPPS Contact Outputs: Each DPPS channel and DESFAS train provides several contact outputs for a variety of purposes. These include:

1. Annunciation:

* Trip/Pretrip Annunciation: Each trip or pretrip will have a DPPS-cabinet mounted annunciator output contact

* Trip Channel Bypass: Trip Channel Bypass of any parameter in a given channel will be annunciated.

* Operating Bypass Each Operating Bypass (i. e. Low Pressurizer Pressure) will be annunciated. In the case of the High Log Power Bypass, annunciation will exist if the bypass permissive is available but the channel has not yet been bypassed. This latter feature prevents annunciation during normal (at power) plant operation, and is consistent with the present design.

Trouble: The PPS trouble annunciator shall be expanded in scope from its present implementation to include a number of additional diagnosticrelated conditions. The initiator for this annunciation will be indicated on the RCM and MTP. Detailed diagnostics on system failures are available on the MTP. The DESFAS shall be equipped with similar annunciation. Specific DESFAS failures may be diagnosed on the DESFAS MTP, as in the DPPS.

Power Supply Trouble: Separate DPPS and DESFAS annunciation shall be retained for power supply trouble conditions.

* [ ]

2. CEA Withdrawal Prohibit



There is one CWP contact output to the CEDMCS in the DPPS cabinet. The CWP contact is opened if there is a pretrip condition indicated in at least two of the four DPPS channels in High Pressurizer Pressure, or if the CPC-CWP input is received from two out of four channels. This is a non-safety related output not credited in the accident analysis. RPS plants have similar though slightly different initiators for this function.

3. CPC Trip Channel Bypass

A contact output to the Core Protection Calculator is provided in each DPPS channel. This output is a permissive to enable CPC testing only if both the DNBR-Low and LPD-High trips are bypassed in that channel.

The trip channel bypasses shall allow for channel maintenance and surveillance testing at power per the requirements of IEEE Std. 338 and IEEE Std. 603, as augmented by USNRC Reg. Guide 1.22.

The interlock requiring trip channel bypassing of the DNBR-Low and LPDHigh trips prior to initiation of CPC testing is functionally identical to the present design. However, in the present PPS/CPC design, a CPC Test panel in the PPS performs the trip channel bypass interlock function and enables CPC or CEAC testing via a CPC/CEAC select switch if both the DNBR and LPD trips are trip channel bypassed. This Test Enable signal is transmitted from the PPS to the CPC or CEAC as a binary (contact) input.

4. Contact outputs to remote shutdown panel

"* Low Pressurizer Pressure pretrip status to remote shutdown panel

This output provides indication that the low pressurizer pressure trip should be manually reset during depressurization from the remote shutdown panel.

"* Low SG pressure pretrip status to remote shutdown panel

This output provides indication that the low SG pressure trip should be manually reset during depressurization from the remote shutdown panel

"* Low Pressurizer pressure Bypass permissive and bypass status (bypass/no bypass)

These contact outputs provide indication to the operator that RCS pressure is below the permissive setpoint, and provide bypass status




* Sequence of Events

Each trip will have a means of indicating the trip sequence of events. In this appendix, the SOE will take the form of a dedicated contact output per trip, replicating the existing configuration.

A3.1.1.8.4 Indicator Analog Outputs

The following analog outputs (0 to 10 Vdc) are provided from the DPPS channel:

S

S

S

Low Pressurizer Pressure Trip Setpoint Low Steam Generator Pressure 1 Trip Setpoint Low Steam Generator Pressure 2 Trip setpoint.

A3.1.1.9 Failure Modes: The DPPS/DESFAS system shall be designed for fail safe operation under component failure or loss of electrical power as defined in the Failure Modes and Effects Analysis (FMEA).

A3.2 SYSTEM DESCRIPTION

The DPPS is comprised of four redundant channels (A, B, C, and D as depicted on Figure A3.2-1 "DPPS Basic Block Diagram"), that perform the necessary bistable, coincidence, initiation logic and associated maintenance/test functions. The system includes four redundant Remote Control Modules located on the Main Control Room panels, one for each channel. Four redundant channels are provided to satisfy single failure criteria and improve plant availability.

A3.2.1 Overview

The Bistable Processors in each DPPS channel receives channelized process sensor analog inputs, discrete & analog signals from the Ex-Core detector system and discrete signals from the CPC to perform the Bistable Trip functions. Process input configuration is unchanged from the existing PPS design.




[ I



A3.3 HARDWARE DESCRIPTION

The DPPS is composed of a four bay cabinet assembly which house the PLC equipment, Excore Neutron Flux Monitoring System (ENFMS) electronics chassis, maintenance and test equipment, internal power supplies, RPS and ESFAS initiation circuits, initiation relays, fiber optic isolation devices and other miscellaneous equipment.

The system includes four channelized Remote Control Modules (RCM) to be located on the plant Main Control Board.

The following sections provide an overview description of the DPPS.

A3.3.1 Mechanical

The four bay cabinet is consistent with existing PPS implementations. For new installations, there is also the option of using four single bay cabinets located either in four separate rooms or located together in one room, adjacent to each other. For the purposes of this appendix, it is assumed that a single four bay design will be utilized, consistent with existing RPS and PPS installations. See Figure A3.3-1 for typical cabinet layout.

Each cabinet bay is approximately 36 inches wide, 90 inches high and 54 inches deep. The cabinet design includes forced air cooling and is designed to be welded to floor embedments. The cabinet has front and rear access doors. A viewing window on the front door provides visibility of the controls and status information for ENFMS electronics and MTP display.



FIGURE A3.3-1:

Common Qualified Platform Digital Plant Protection System

TYPICAL DIGITAL PLANT PROTECTION SYSTEM CABINET

SHOWN WITH FROINT DrOORS REMOVED

File: F[G631.SKD FJS 01/07/98



A3.3.2 Electrical

A. Power

Each cabinet assembly receives power from a different separate and isolated 120 Vac vital instrument bus. Electrical power is not shared between channels allowing for complete electrical separation and isolation. Multiple pairs of internal AC/DC power supply outputs are auctioneered to provide enhanced fault tolerance.

B. Separation and Isolation

The DPPS Cabinet contains Class 1 E and Associated Circuits which are separated and isolated in accordance with IEEE 384, as augmented by Reg. Guide 1.75.

The cabinet door alarm switches, the internal cabinet temperature detectors, the cabinet fans and their wiring are Associated Circuits. Classification as Associated Circuits is required whenever separation from Class 1 E circuits is not possible. Similar to past protection system designs, annunciator and test circuits are treated as Associated since they are not separated from the Class 1 E circuits within the same DPPS cabinet. The testing, maintenance and indication items on the MTP/ITP are also Associated Circuits.

The quality requirements for associated circuits within the DPPS cabinet is essentially the same as for Class 1 E. The associated circuit equipment is procured and installed in the same manner as Class I E circuits. Associated circuits are not required to operate during seismic conditions.

A3.3.3 PLC Configuration

The PLC configuration for a typical single DPPS channel is illustrated on block diagram Figure A3.3-2. This configuration utilizes the ABB Advant Controller AC160 product line of PLC equipment, as described in the main body of the topical report, CENPD-396-P. Since this PLC product line will continue to evolve with improved capabilities and performance, it is anticipated that newer modules may be substituted as they are developed and qualified for nuclear safety system applications.

I I




A3.6 FAILURE MODES AND EFFECTS ANALYSIS (FMEA)

[ I

The DPPS system is designed so that any single failure in any channel will not prevent proper protective action of other DPPS channels, or inhibit operation of the DPPS at the system level. The failure modes and effects analyses for this system shows that no single failure will defeat more than one of the four redundant DPPS channels. Similarly, no single failure within the DESFAS channel will either cause an inadvertent ESFAS function actuation nor inhibit a legitimate actuation, other than failures affecting one component actuation relay.

The FMEA addresses all credible outputs from the DPPS (e.g. communications failures, stalls, etc.); not all possible causes of the failure condition. At the hardware interface level, the FMEA bounds all cases by considering the worst case effects at the computer module outputs.

[ I

A3.6.3 Conclusions

The analysis demonstrates that the design is capable of performing its protective functions for all of the single failures considered in the analysis. It is further noted that this capability exists with concurrent presence of the single failure and legitimate bypass (es) in the system.



[ ]

Common Qualified Platform Digital Plant Protection System

A3.8 REFERENCES

1. "Functional Description for Plant Protection System", 00000-ICE-3201 -Rev. 02, issued 03/02/76.

1. NUREG/CR6303-1994, "Methods for Performing Diversity and Defense in Depth Analyses of Reactor Protection Systems"

3. NRC Branch Technical Position BTSP HICB-19, "Guidance on Defense in Depth

and Diversity in Digital Computer-based I&C Systems"

4. System 80+ final Safety Evaluation Report

5. NUREG 1432, "Standard Technical Specifications Combustion Engineering Plants", Revision 1, April, 1995.

6. "Software Program Manual for Common Q Systems", CE-CES-1 95-P, Rev. 00,

7. Common Qualified Platform Topical Report, CENPD 397-P, Rev. 00




A3.9 PROPOSED TECHNICAL SPECIFICATION CHANGES

The attached Technical Specification corrections are to be located in Standard Technical Specifications for Combustion Engineering Plants, NUREG 1432, Rev. 1. [ ]

[ I

The proposed changes are considered the minimum required to reflect the migration to a DPPS-based design for both the RPS and ESFAS functions. These TS reflect such major changes as the substitution of four LCL processors for the six existing coincidence matrix channels. Additional action statements were incorporated for cabinet high temperature alarm and excessive number of processor failures in a given period (12 hours). These are analogous to existing requirements imposed on the present CPC channels, which are also of a digital (computer-based) design.

[ I


AL1It111


Common Q Topical Report Integrated Solution Appendix

AL It 11


Common Qualified Platform Integrated Solution

CENPD-396 Appendix 4

July 1999

CENPD-396 Appendix-4 Page 1 of 11


Page 1 of 11CENPD-396 Appendix-4

LEGAL NOTICE

This notice was prepared as an account of work sponsored by Combustion Engineering, Inc. Neither Combustion Engineering nor any person acting on its behalf:


b. Assumes any liabilities with respect to the use of. or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

A ll Combustion Engineering Nuclear PowerCommon Q Topical Report

Integrated Solution Appendix

TABLE OF CONTENTS

A4. 1 Introduction .................................................................................................... 3 A4.2 Functional Requirements ................................................................................ 3 A4.3 System Description ......................................................................................... 3

A4.3. 1 Safety System Description ................................................................... 3 A4.3.1.1 CPCS and PPS Level I ........................................................................ 3 A4.3.1.2 PPS Level 2 (RPS/ESFAS) ................................................................ 4 A4.3. 1.3 Diverse M anual Actuation of ESFAS ................................................... 5 A4.3.1.4 HM I Devices ....................................................................................... 5

A4.3.2 Non-Safety Control System ................................................................. 5 A4.3.2.1 General Description ........................................................................... 6 A4.3.2.2 Safety System Interfaces ..................................................................... 7 A4.3.2.3 Hardware Description ......................................................................... 7

A4.3.3 Defense-In-Depth and Diversity .......................................................... 9 A4.3.4 NRC Scope Of Review ....................................................................... 9

A4.3.4. 1 Integration of Shared Services ............................................................. 9 A4.3.4.2 ESFAS Level 3 Loop Controllers ...................................................... 10 A4.3.4.3 Defense-in-Depth and Diversity ........................................................ 10 A4.3.4.4 Interface Between Safety and Non-Safety Channels ............................... 11 A4.3.4.5 M ulti-channel Operator Station Control ................................................. 11 A4.3.4.6 Independence of Main Control Room and Remote Shutdown Panel ....... I I

CENPD-396 Appendix-4 Page 2 of 11Page 2 of 11

m • •

CENPD-396 Appendix-4

ABB Combustion Engineering Nuclear PowerCommon Q Topical Report


A4.1 Introduction

The purpose of this appendix is to describe the implementation of the Common Qualified Platform for an integrated configuration incorporating multiple safety systems. This appendix will demonstrate how the various Common Q services [

.[ ]

A4.2 Functional Requirements

The functional requirements for the integrated solution remain the same for each system incorporated. For detailed descriptions of the applicable functional requirements, refer to the Topical Appendices for the PAMS, CPCS, and PPS.

A4.3 System Description

A4.3.1 Safety System Description

Figure 1 is a functional diagram of the integration [ ] using the Common Q Platform. This diagram depicts one functional channel of a 4-channel integrated safety system.

Figure 1

[ ]

A4.3.1.1 CPCS and PPS Level 1

communications and ] ] process interface I/O modules.

For a complete description of the [ ] interchannel communications [ ] refer to the main body of the Common Q Topical Report.

The PPS [ ] is shown with its interchannel [ ] communication [ ] and [ ] process interface modules. This PPS [ ] executes the

bistable functions based on the process signals it reads in [ ]. It transmits its bistable results[ ] to the [ ] RPS and ESFAS[ ], for


[ [

. • •

Page 3 of 11

Common Q Topical Report A Combustion Engineering Nulear Power Integrated Solution Appendix

two out of four coincidence logic processing and component/system actuation.

A4.3.1.2 PPS Level 2 (RPS/ESFAS)

The PPS [ ] consists of the Reactor Protection System (RPS) and the Engineered Safety Features Actuation System (ESFAS). [ ] These [

] receive bistable status from all four channels [ ], and then perform the two-out-of-four local coincidence logic. In the case of the RPS, there is a direct interface to the Reactor Trip Switchgear [ ].

[ I


A U Combustion Engineering Nuclear PowerCommon Q Topical Report


A4.3.1.3 Diverse Manual Actuation of ESFAS

For large scale implementations of an I&C upgrade, there are some levels of diversity required for some of the safety functions. One of these safety functions is the manual actuation of Engineered Safety Features Actuation Systems. The manual actuation bypasses the complex portion of the safety system [ ] for the manual initiation.

[ I

A4.3.1.4 HMI Devices

A4.3.1.4.1 PAMI Displays and Operators Module

There is an extension to the in-channel [ ] network [ supports the integrated displays for the safety systems.

] that

The Post Accident Monitoring Instrumentationllndication (PAMI) displays are connected to this network. [ ] I/O and calculated data is then transmitted over the in-channel [ ] bus for display on the PAMI [ ]. [I ]

[ ]

Both the PAMI and Operators Module displays employ the Common Q [ ] technology described in the topical report.

A4.3.1.4.2 The Integration Of HMI Devices

The advantage of the Common Q Platform becomes most apparent in the integrated solution. Each of the stand-alone safety systems (PPS, ESFAS, PAMS, CPCS) require both an Operators Module that would be located in the Control Room, and a Maintenance and Test Panel (MTP) that would be located in the safety cabinet. These HMI devices would all employ the same Common Q Flat Panel Display System hardware and software technology.

I I

A4.3.2 Non-Safety Control System


SE eaCommon Q Topical Report Combustion Engineering Nuclear Power Integrated Solution Appendix

Figure 3 is a functional diagram of the Integrated Solution architecture for non-safety control using ABB technology. [1]

Figure 3[

A4.3.2.1 General Description

The top level functions are segmented as follows:

"* Data Processing System "* Main Control Room * Remote Shutdown Panel * Office Workstations

A4.3.2.1.1 Data Processing System

This system performs high level, computational intensive functions [ ]. The Data Processing System (DPS) uses the Plant Data Network to provide DPS calculation results to external users. This network usually uses a standard communication medium like Ethernet and a standard protocol like TCP/IP. [ I

The DPS is also connected to the [ ] Information Network. This communication path allows the DPS to communicate to the Operator Station [ I. [

A4.3.2.1.2 Main Control Room Operator Stations

The Operator Stations have two data communication paths. There is the [ ] Information Network [ ]. The other connection is to the Plant Data Network[ ]. [ ]

[ I

A4.3.2.1.3 Remote Shutdown Panel

The Remote Shutdown Panel would have the same similar functionality for non-safety control as described for the safety systems. The MCR Transfer Switch [ ] would then allow [ ] commands from the Remote


AB BCombustion Engineering Nuclear PowerCommon Q Topical Report

Inteqrated Solution ADpendixShutdown Panel [ ]. The functionality of the MCR transfer switch is

described in the Nuplex 80+ CESSAR-DC, Section 7.4.1.1.10.

A4.3.2.2 Safety System Interfaces

• [ ]

A4.3.2.2.1 Manual Control of a Safety System Component

[ I

A4.3.2.2.2 Data Acquisition of Safety System Signals

The [ ] linkage between the safety systems and non-safety control system is the process instrument signals. These process instrument signals are

] fed to the non-safety control systems [ ]. [

A4.3.2.3 Hardware Description

This section provides a description of the non-safety control system components [ ]. I ]

A4.3.2.3.1 OS500 Workstation

[ ]

The [ 1 500 Operator Station can I ] be [ ] interface board [ ] configured with one or two high-resolution monitors, an alphanumeric or function keyboard, a mouse or trackball. The workstations run appropriate combinations of ABB AdvaCommand and Advalnform software for on-line HMI display capability.

Figure 4

CENPD-396 Appendix-4 Page 7 of 11CENPD-396 Appendix-4 Page 7 of 11

A B Combustion Engineering Nuclear PowerCommon Q Topical Report


OS 500 Workstation

A4.3.2.3.2 AC450 Controller

The Advant Controller 450 is a controller that supports high-end functionality such as logic, sequencing, closed-loop control (including self-tuning adaptive control), positioning, and drive control. It can support up to 5400 I/O points, using local and remote interfaces.

Figure 5 AC450 Controller

CENPD-396 Appendix-4 Page 8 of 11CENPD-396 Appendix-4 Page 8 of 11

AB BCombustion Engineering Nuclear PowerCommon Q Topical Report


[ ]A4.3.2.3.3 Masterbus 300 Network

The MasterBus 300 is an [ ] communication bus used in plant and control networks to handle high data transmission rates [ ]. MasterBus 300E (extended) supports radio or satellite transmission for geographically distributed processes. [ ]

A4.3.3 Defense-In-Depth and Diversity

I I

A4.3.3.1.1 AC160 Common Mode Failure

[ I

A4.3.3.1.2 AF100 Common Mode Failure

[ I

A4.3.3.1.3 Operators Module or MTP Common Mode Failure

I I

In addition, the Position 4 manual initiation switches provide another level of diverse actuation of safety systems should the FPDS become disabled.

A4.3.3.1.4 Level 3 Controllers

[ I A4.3.4 NRC Scope Of Review

The purpose of this appendix is to obtain the NRC's approval [1. [1

A4.3.4.1 Integration of Shared Services

I I


Common Q Topical Report A BB Combustion Engineering Nuclear Power Integrated Solution Appendix

1 Bus This bus is still dedicated to one safety channel for in-channel

communications. [ ][

[ ]

Interface and Test Processor (ITP) The ITP's function, described in the PPS appendix, interfaces with the PPS [ ] and ESFAS [ ]. [ I

Maintenance and Test Panel (MTP) The MTP [ ] and its functions are described in the PAMS, CPC and PPS appendices. In those appendices, each safety system had a dedicated MTP for system diagnostics and maintenance for each channel. Each channel will still have a dedicated MTP [ ]. [ ]

Operators Module (OM) The same is true for the OM. [ ] Each safety channel will still have dedicated OMs[ ]. [ ]

A4.3.4.2 ESFAS Level 3 Loop Controllers

I ]

A4.3.4.3 Defense-in-Depth and Diversity

] This concept [ ] is supported in Nuplex 80+ CESSAR-DC:

A control signal from each switch is directed to Loop Controllers which are PLC based devices at the lowest level in the digital control hierarchy.... Under normal plant operating conditions, the Loop Controller provides output signals to the plant components in response to digitized input signals received through a communication network interface. The hardwired manual input signal from the control room switches will override input data received from the network communication interface to actuate the plant components. Diverse manual actuations status indication is provided in the main control room.

Reliability of implementing this override function at the Loop Controller PLC can be assured due to the simplicity of the device. The software in the Loop Controller PLC's resides in memory that is typically less than 6 Kbytes. The PLC responds to a limited number of digital input signals which direct the software to start or stop a pump, or open or close a valve with consideration of only a limited number of interlocking signals. Testing will be performed on loop controller PLC's for which the manual override function is implemented to assure that a common mode failure of the protective system soflware will not prevent the hardwired manual signals from actuating their associated ESF functions. This feature of the System 80+ design provides an additional level of protection against a postulated common mode failure of protective system software.1

'Nuplex 80+ CESSAR-DC, Section 7.3.1.1.6


ABB Combustion Engineering Nudear PowerCommon Q Topical Report


[ I

A4.3.4.3.1 Hardware Qualification Plan for Non-Safety Control Systems

The Common Q hardware qualification plan is targeted for components used in safety-related systems. [

[ I

This approach [ ] has been shown generically in the Nuplex 80+ CESSAR-DC to provide acceptable plant safety analysis performance [ I.

A4.3.4.4 Interface Between Safety and Non-Safety Channels

The testing and cross channel functions of the ITP are described in the PPS appendix of this topical report. [ ] The function of inter-channel test is described in the PPS appendix. [ ]

[ I

[ I

A4.3.4.5 Multi-channel Operator Station Control

I I

A4.3.4.6 Independence of Main Control Room and Remote Shutdown Panel

[ ]Main Control Room (MCR) and the Remote Shutdown Panel (RSP) [ ] are isolated [ ]to ensure that a fire in the MCR or RSP does not propagate[].

[ ]

CENPD-396 Appendix-4 Page 11 of 11Page 11 of 11

i • •


AL It It


Rev 00 to CENPD-396, 'Common Qualified Platform.'

Documents

Transcript of Rev 00 to CENPD-396, 'Common Qualified Platform.'