Digital Instrumentation & Control Training E-114


UNITED STATES NUCLEAR REGULATORY COMMISSION
TECHNICAL TRAINING DIVISION
DIGITAL INSTRUMENTATION & CONTROL TRAINING
E-114

Preface

UNITED STATES NUCLEAR REGULATORY COMMISSION
TECHNICAL TRAINING DIVISION
COURSE MANUAL
DIGITAL I&C TRAINING (E-114)

This manual is a text and reference document for the Digital Instrumentation & Control course. It should be used by students as a study guide during attendance at this course. This manual was compiled by Altran Solutions under USNRC Technical Training Center contract NRC-38-07-390.

The information in this manual was developed or compiled for NRC personnel in support of internal training and qualification programs. No assumptions should be made as to its applicability for any other purpose. Information or statements contained in this manual should not be interpreted as setting official NRC policy. The data provided are not necessarily specific to any particular nuclear power plant, but can be considered to be representative of the vendor design.

USNRC Technical Training Center, Rev. 20070905


Module 1.0

TABLE OF CONTENTS

1.0 COURSE INTRODUCTION
    1.1 Introduction and Overview
    1.2 Lessons Learned
    1.3 Digital I&C Upgrade Process
        1.3.1 Digital I&C Upgrade Process
        1.3.2 Digital Modification Process
        1.3.3 Digital Delta
    1.4 Applications
        1.4.1 Reactor Protection & Engineered Safeguards
        1.4.2 Main Turbine Control
        1.4.3 Protective Relays
        1.4.4 Energy Conversion – Static Inverters
        1.4.5 Variable Speed Drives
    1.5 New Plant Licensing Delta

LIST OF FIGURES

Figure 1-1 Introduction
Figure 1-2 Outline
Figure 1-3 Importance of Instrumentation Issues to Safety Analysis
Figure 1-4 Defense in Depth Design Philosophy
Figure 1-5 Initial Licensing
Figure 1-6 Comparison of the Criteria of the Standard Review Plan Chapter 7
Figure 1-7 Basic Framework for Life Cycle Processes
Figure 1-8 Oconee Digital RPS LAR Document Request (1 of 9)
Figure 1-9 Oconee Digital RPS LAR Document Request (2 of 9)
Figure 1-10 Oconee Digital RPS LAR Document Request (3 of 9)
Figure 1-11 Oconee Digital RPS LAR Document Request (4 of 9)
Figure 1-12 Oconee Digital RPS LAR Document Request (5 of 9)
Figure 1-13 Oconee Digital RPS LAR Document Request (6 of 9)
Figure 1-14 Oconee Digital RPS LAR Document Request (7 of 9)
Figure 1-15 Oconee Digital RPS LAR Document Request (8 of 9)
Figure 1-16 Oconee Digital RPS LAR Document Request (9 of 9)
Figure 1-17 LERs from 1990-1993 Show Digital I&C System Failures
Figure 1-18 LERs from 1990-1993 Show Digital I&C System Failures (cont)
Figure 1-19 Amir Shahkarami Quotation
Figure 1-20 Palo Verde Core Protection Calculator Event (1 of 2)
Figure 1-21 Palo Verde Core Protection Calculator Event (2 of 2)
Figure 1-22 Browns Ferry Data Storm (1 of 3)
Figure 1-23 Browns Ferry Data Storm (2 of 3)
Figure 1-24 Browns Ferry Data Storm (3 of 3)
Figure 1-25 Digital Upgrade Process
Figure 1-26 Influences on Digital I&C Upgrade Process
Figure 1-27 IEEE 1012 Software Life Cycle Process
Figure 1-28 TR-102348 Upgrade Process
Figure 1-29 Application of CRDITS
Figure 1-30 Application of CRDITS (continued)
Figure 1-31 Development, Evaluation and Control
Figure 1-32 NRC-Industry TRG’s
Figure 1-33 TWG Structure
Figure 1-34 Project Plan Structure
Figure 1-35 Platform versus Application
Figure 1-36 Plant System
Figure 1-37 Teleperm XS Cabinets
Figure 1-38 Overall Teleperm Architecture
Figure 1-39 Teleperm XS Hierarchy
Figure 1-40 Teleperm XS Safety System Overview
Figure 1-41 Teleperm XS Safety System Architecture
Figure 1-42 Teleperm XS Reactor Trip System Architecture
Figure 1-43 Teleperm XS Engineered Safeguards Voters
Figure 1-44 Teleperm XS ESFAS Voter Configuration
Figure 1-45 Teleperm XS Monitoring & Service Interface
Figure 1-46 Teleperm XS Priority Logic Module
Figure 1-47 Old P2000 Equipment
Figure 1-48 New Speed Pickup Gear
Figure 1-49 New Speed Pickup Probes
Figure 1-50 New Dual LVDT Sensors on Governor Valves
Figure 1-51 Dual Servo Positioners for Each Governor Valve
Figure 1-52 Main Turbine Control System Network Architecture
Figure 1-53 New Equipment Mounted in Cabinets
Figure 1-54 Main Processor Chassis
Figure 1-55 Redundant Network
Figure 1-56 Human Machine Interface (HMI)
Figure 1-57 Main Screen
Figure 1-58 Main Turbine Overview Screen
Figure 1-59 Feedwater Pumps Overview
Figure 1-60 Tricon Diagnostics
Figure 1-61 Comparison of Protective Relaying Equipment from 1925 and 1994
Figure 1-62 Gas-Insulated Substation Bay with Integrated Control Cubicle
Figure 1-63 Single Unit Float UPS Configuration
Figure 1-64 New Reactor Licensing Applications
Figure 1-65 AP-1000 Passive Containment Cooling
Figure 1-66 Advanced Control Room Concepts
Figure 1-67 ESBWR Control Room Layout
Figure 1-68 US APWR I&C System computerized Main Control Room
Figure 1-69 Slide 8
Figure 1-70 Reg. Guide 1.206 Section C.III.5 Design Acceptance Criteria (1 of 4)
Figure 1-71 Reg. Guide 1.206 Section C.III.5 Design Acceptance Criteria (2 of 4)
Figure 1-72 Reg. Guide 1.206 Section C.III.5 Design Acceptance Criteria (3 of 4)
Figure 1-73 Reg. Guide 1.206 Section C.III.5 Design Acceptance Criteria (4 of 4)
Figure 1-74 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 1
Figure 1-75 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 2
Figure 1-76 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 3
Figure 1-77 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 4
Figure 1-78 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 5
Figure 1-79 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 6
Figure 1-80 EXAMPLE - Proposed DAC and Status Report – I&C and HMI – Sheet 7
Figure 1-81 How a GT Works
Figure 1-82 How a GT Works
Figure 1-83

1.0 COURSE INTRODUCTION

Welcome to the Digital and Microprocessor Control Systems Course!

This course addresses the latest developments on the use of software based equipment on nuclear plant applications. This has become increasingly important as plants move into license renewal, and in consideration of obsolete equipment replacement upgrades. This course will provide a perspective on the guidelines and requirements of the Nuclear Regulatory Commission, Electric Power Research Institute as well as industry, consensus standards organizations and plant specific experience.

Upon completion of this lesson the student will have acquired the knowledge level necessary to understand the technical and regulatory fundamentals of digital system design, installation, licensing and operations and the key differences between digital and analog equipment/systems in terms of their complexity, failure modes, assessment methods, and licensing issues and how they apply to nuclear power plant operation.

The course is divided into five modules or course sections that encompass approximately one day each, although some are longer or shorter based on the amount of information that needs to be addressed. The five modules are:

• MODULE 1 – Introduction and Overview
• MODULE 2 – Architecture Overview
• MODULE 3 – Regulatory Concerns
• MODULE 4 – Qualification
• MODULE 5 – Software/Firmware Lifecycle Concepts

Each of these modules will be covered with a detailed review of the major elements in both slides and review of text references, where applicable. A full outline of these is included in Figure 1-1, Figure 1-2, Figure 1-3, Figure 1-4 and Figure 1-5.

At the end of each day, a review of the day and Q&A session will be conducted to address concerns and additional information needed by the students. If the instructors don’t have the information handy, an assignment to follow up and provide the students with the information will be taken and provided sometime during the week.

Module 1 Introduction & Overview:

Module 1 is the first of five modules in the Digital Instrumentation & Control Training Course. The purpose of this module is to assist the trainee in understanding the subjects to be covered this week in each of the five modules, to address the reasons why digital systems are being introduced in nuclear power plants, and to see some examples of actual upgrades.

Learning Objectives

After completing this module, you should be able to:

1. Explain the importance of instrumentation issues to safety analysis.
2. State the major issues in digital safety system analysis and approval by NRC.
3. Explain, in general terms, the general format for NRC review of digital systems using the SRP and all associated guidelines and standards from NRC and industry.
4. Provide an overview of digital system failures that have occurred and the root cause of their failure.

5. Explain the process for digital I&C upgrade following the roadmap developed by NRC and industry.
6. Provide an overview of the various stages of the modification process followed for both hardware and software in completing the upgrades to new digital systems.
7. Provide an overview of the regulatory delta between existing and new reactor licensing and the details of requirements to be reviewed in any new reactor licensing for instrumentation and controls.

1.1 Introduction and Overview

The purpose of this module is to provide an overview of the course and to describe why instrumentation issues are important to safety analysis for nuclear power plants. The objectives of this module are to address the main issues of:

• Importance of Instrumentation Issues to Safety Analysis
• Digital Safety System Issues
• NRC SRP Update Process
• EPRI I&C Programs
• References

The basis of the defense in depth design philosophy is addressed from 10 CFR 50, including explicit definition of the three barriers. Figure 1-4 shows the impact of the safety analyses on plant operations and documented in the Technical Specifications.

10 CFR 50 defines the technical basis for instrumentation and control acceptance criteria in the following sections:

• General Design Criteria (GDC) in Appendix A of the Code of Federal Regulations (CFR), Title 10, Part 50
  o establish high level minimum requirements and principal design criteria which
  o address design, implementation, construction, testing, and performance requirements
  o apply to structures, systems, and components important to safety
• 10 CFR 50.55a(h)
  o addresses the design of I&C systems performing safety functions
  o incorporates IEEE 603/IEEE 279
  o involves design bases, redundancy, independence, single failures, qualification, bypasses, status indication, and testing
• Appendix B of 10 CFR 50 establishes Quality Assurance (QA) requirements

Plants are converting from analog to digital for a variety of reasons including the following:

• Analog systems are experiencing excessive drift because of aging
• Vendors are discontinuing analog product lines
• Difficulty in obtaining product support for existing systems
• Some plants want to take advantage of digital system flexibility

We show examples of older and newer designs of plant control rooms, which present different challenges to the reviewer in that much more emphasis on digital platforms is required.

We have learned by example from other safety critical industries such as:

• Federal Railroad Administration

• Federal Aviation Administration
• Power grids
• Foreign nuclear power agencies
• Chemical industry
• NASA

The major I&C systems subject to review by the NRC are listed below, based on sections in the NRC Standard Review Plan:

• Protection Systems
• Engineered Safety Features Actuation Systems (ESFAS)
• Safe Shutdown Systems
• Information Systems Important To Safety
• Interlock Systems Important To Safety
• Control Systems
• Diverse I&C Systems (e.g., Anticipated Transient Without Scram [ATWS] mitigation system)
• Data Communications Systems
• Essential Auxiliary Supporting Systems (e.g., heating, ventilation, and air conditioning [HVAC] systems)

A number of plants have attempted digital modifications under 10 CFR 59 over the past number of years. These include:

• Haddam Neck – Full RPS/ESFAS changeout
• D.C. Cook – Signal conditioning portion of RPS/ESF
• Zion – Signal conditioning/process sense portion of RPS/ESF

Also, a number of plants have requested prior staff review as follows – just as examples:

• Watts Bar – RTD bypass
• Sequoyah – RPS/ESF signal conditioning/process sense
• Diablo Canyon Power Plant – RPS/ESF signal conditioning/process sense
• Turkey Point – EDG sequencer
• Haddam Neck – AFW control
• South Texas – QSPDS
• ANO2 – Core Protection Calculator

The key issues in the early plant upgrades include:

• Licensing was seen as problematic
• Concern about new characteristics and failure modes
• Utilities and Regulators were adjusting processes to accommodate digital issues
• Work was needed to establish a consensus approach

In 1995, based on ACRS recommendations, the NRC staff undertook a task to update NUREG 0800 Standard Review Plan (SRP) Chapter 7 (completed in 1997) to address lessons learned in digital upgrades to date. The SRP was updated again in 2007. The objectives of this update included:

• Maintain Regulatory Basis
• Incorporate lessons learned – ALWR reviews
• Incorporate lessons learned – Retrofits
• Incorporate operating experience
• Describe criteria for Retrofits and ALWRs
• Update for latest standards referenced

This set of changes basically involved no fundamental changes to the SRP but format changes to support additional guidance as follows:

• General Requirements and Guidance in Section 7.1
• Adds References to new Regulatory Guides and BTPs on Digital Issues
• Highlight Review Areas, Acceptance Criteria, and Review Process for Digital Systems
• Add discussion of Standard Plant Reviews
• Add References to digital systems guidance

Three new SRP Sections were added and three appendices were revised in 1997 as follows:

• 7.0 – Introduction
• 7.8 – Diverse Actuation (ATWS and Diverse Backup)
• 7.9 – Data Communication
• 7.0-A – Describes process for Digital Reviews
• 7.1-C – Describes IEEE 603 review
• 7.1-A – Addresses Part 52, Revision to Part 50 and new Regulatory Guides

A number of new Branch Technical Positions on specific areas of focus were developed and included in the SRP, as follows:

• Software Reviews – BTP-14
• Defense in Depth and Diversity – BTP-19
• Real Time Performance – BTP-21
• On-Line and Periodic Testing – BTP-17
• Design Certification – BTP-16
• PLCs – BTP-18
• Non-Digital Topics – BTP 10, 11, 12 & 13

Figure 1-6 provides a comparison of the criteria that the SRP Chapter 7 provides on the major focus areas in digital upgrades.

Also, six new NRC Regulatory Guides were established as follows:

• R.G. 1.168 – Verification, Validation Reviews and Audits (IEEE 1012 & 1028)
• R.G. 1.169 – Software Config. Mgmt (IEEE 828 & 1042)
• R.G. 1.170 – Software Test Documentation (IEEE 829)
• R.G. 1.171 – Software Unit Test (IEEE 1008)
• R.G. 1.172 – Software Requirements Spec. (IEEE 830)
• R.G. 1.173 – Software Life Cycle (IEEE 1074)

Figure 1-7 provides an overview of an example of the new Regulatory Guide 1.173 and the associated IEEE 1074, and how they address the basic framework for life cycle processes.

The SRP was again updated in 2007 with the following changes:

• Added Section 7.1-D – IEEE 7-4.3.2-2003
• Updated to conform with latest standards referenced (IEEE 7-4.3.2,
• Used new terminology for “auxiliary supporting features” per IEEE 603-1991
• Deleted reference to Reg Guide 1.153 - now covered by 1999 version 10 CFR 50.55a(h)
• Updated for EMI/RFI – Reg. Guide 1.180
• Added reference to Reg. Guide 1.204
• Added ITAAC/DAC criteria and Reg Guide 1.206

The revised SRP provides significant benefit to both the industry and the NRC as follows:

• No impact on existing systems
• SRP and Regulatory Guides are Guidance Only

• Developers will benefit from known acceptance approaches to designing digital systems

For license amendment applications, the following guidance is provided in the SRP update:

• Selected portions will be used
• Depth of review depends on safety significance and complexity
• Only review differences from previously approved designs
• Defense in Depth and Diversity applicable to RPS and ESFAS only

An example is provided in Figure 1-8 through Figure 1-16 to address the NRC document requests for Oconee License Application Request (LAR) vs. normal document availability (all submitted at one time). These figures cover all of the life cycle phases from project definition to operations and maintenance.

There are significant areas of interest in NRC Research to address the major focus areas that are needed to address all aspects of licensing digital upgrades.

An example listing of the main focus areas receiving attention in NRC Research today is included in the following:

• EMI/RFI Qual.
• Environmental Qual.
• Lightning Protection Guidelines
• Requirements Assessment
• Diagnostic and Fault Tolerance
• Operating Systems

A complete review of the ongoing work in NRC Research will be covered in Module 3 – Regulatory Concerns.

The Electric Power Research Institute (EPRI) is also heavily involved in developing guidelines as a standard roadmap for digital upgrades. The utility goals for digital upgrades include the following:

• Maximize plant capacity/output levels
• Achieve and maintain high reliability
• Achieve and maintain high availability
• Maintain high levels of safety
• Maintain high levels of operator awareness of plant and equipment states
• Minimize the likelihood of human errors
• Integrate fault tolerance and fault recovery into systems (from both human and equipment errors/failures)
• Use commercially available products

The utility goals for digital upgrades are also based on the expanded use of digital technology capabilities, which include:

• Process large data volumes
• Data validation techniques
• Extensive diagnostic capabilities
• Integrated diagnostic and predictive algorithms
• System based early fault detection
• Intelligent displays, e.g. alarm filtering
• Operations/maintenance/engineering advisory systems
• Automated processes
• Electronic procedures with information and control
• Multi-media capabilities

The implementation using digital systems will introduce a set of secondary issues as follows:

• Radiation sensitivities
• Reliability and availability concerns

• Materials issues
• Maintenance issues
• Learning curve for people

Next, we will review a few digital failures that have occurred over the past number of years in the non-nuclear and nuclear arena. They are addressed in the slides in Section 1.1 as well as in the handouts at the back of the section.

For nuclear related implementation, the set of documented failures noted by the NRC is shown in Figure 1-17 and Figure 1-18. These provide the categories and quantities of failures documented in LERs reviewed by the NRC from licensees from 1990 to 1993, as an example.

Additional new failure data is provided in Section 1.2 of this course.

Next, we review a set of references from EPRI, NRC and industry to address all aspects of digital upgrades. Many of these references will be addressed in detail during the course.

Finally, we review the need for digital upgrades, with a quote from Amir Shahkarami, Exelon Senior Vice President, in Figure 1-19 and the organization of the NRC-Industry Technical Working Groups (TWG) and their progress to date.

1.2 Lessons Learned

The purpose of this section is to review a number of nuclear power plant digital upgrades that have been installed and have not performed as expected.

First, the failure data from various sources is reviewed. Then examples from Licensee Event Reports that addressed digital system failures are analyzed. These involved both hardware and software failures. Recent examples include the Palo Verde Core Protection Calculator (CPC) event in Figure 1-20 and Figure 1-21 and the TVA Browns Ferry Unit 3 data storm in Figure 1-22 through Figure 1-24.

The following systems are reviewed in the slides included in Section 1.2:

• Digital Radiation Monitoring Upgrade
• Digital Feedwater System Upgrade
• Digital Annunciator System Upgrade
• Digital Turbine Control System Upgrade

The moral of these stories is as follows:

• Even a Watchdog Can Bite Its Owner
• Just Because They Installed It Before You Doesn’t Mean They Looked First
• Just Because Their System Hasn’t Crashed Doesn’t Mean Your System Won’t
• If You Look Before You Leap, You Can Save Yourself a World Of Hurt

1.3 Digital I&C Upgrade Process

1.3.1 Digital I&C Upgrade Process

The purpose of this section is as follows:

• Provide background and a brief history of digital I&C upgrades and associated regulatory issues
• Explain the importance of “process” when implementing digital upgrades
• Show that any modification involves development, evaluation and control processes

The objectives for the student that we will address as part of this section are to:

• Understand why processes are important for digital upgrades
• Discuss the types of processes involved in a digital I&C modification
• Explain how computer and software related processes relate to traditional processes in nuclear plant modifications

This section provides a review of the history of digital system upgrades, from a regulatory perspective, since the late 1980’s: The digital I&C upgrade process guideline from EPRI was developed to provide a roadmap, following the issue of the NRC Standard Review Plan (SRP).

The major issues identified in the digital I&C upgrade process are:

• Use of software and potential for software common cause failure
• Effects of electromagnetic interference (EMI)
• Use and control of equipment for configuring computer-based systems
• Commercial dedication of digital equipment that includes software

Figure 1-25 provides an overview of the digital upgrade process from the proposal stage through the operations stage.

Figure 1-26 provides an overview of the influences on digital upgrade process that relate to the development of and consensus with the roadmap applied to the digital process. While the incorpo

• Prepared Regulatory Guides endorsing IEEE Standards
• Revised Standard Review Plan
• Developed Revision 4 to NUREG-0800, Standard Review Plan, Chapter 7 (I&C)
• Performed research and developed NUREG reports
  o Use of high-level languages NUREG/CR-6463
  o Adequacy of digital sampling rate and other performance concerns NUREG-1709
