SUMMARY OF THE WESTINGHOUSE INTEGRATED PROTECTION SYSTEM VERIFICATION AND VALIDATION PROGRAM B. M. Cook D. V. Gennaro W. J. Smith, Jr. M. S. Wojcik September, 1980 Approved: T. M. Anderson, Manager Nuclear Safety Division Westinghouse Electric Corporation P. O. Box 355 Pittsburgh, PA 15230 The Integrated Protection System (IPS) Prototype Verification and Validation Program was a coordinated program that demonstrated that the design objectives of the IPS as described in RESAR 414 were met. Definition of the design objectives and verification program were provided in WCAP-9153, "414 Integrated Protection System Prototype Verification Program," August 1977. WCAP-9153 was organized into two major parts: design principles and the verification program. These two major parts were further subdivided to cover design and verification of the hardware, software and the integrated system. This document presents a summary of what the verification and validation program covered in terms of hardware, software and the integrated system. It also is representative of what the NRC/ORNL reviewed by the technical audit process. #### ACKNOWLEDGEMENTS Westinghouse Nuclear Technology Division and Industry Systems Division joined in meeting the Westinghouse commitments to the Integrated Protection System Design Verification Program. Successful completion of this verification and validation process resulted directly from the close cooperation and fire efforts extended by the engineers, technicians, and support personnel of both divisions. # TABLE OF CONTENTS | | | | | Page | |-----|--------------|--------------------------------------------------|---------------------------------------------|------| | | ABSTR | ACT | | | | 1.0 | INTRODUCTION | | | 1-1 | | | 1.1 | Program | Management | | | | 1.2 | Sof twar | e Design and Verification | | | | 1.3 | Hardwar | e Design and Verification | | | | 1.4 | System | Integration and Validation | | | | 1.5 | NRC Rev | iew by Audits | | | | 1.6 | Ongoing | Effort | | | 2.0 | INTE | GRATED SY | STEM VERIFICATION SUMMARY | 2-1 | | | 2.1 | Methodo | ology of Integrated System Verification | | | | | 2.1.1 | Test Methodology | | | | | 2.1.2 | Test Cases | | | | | 2.1.3 | Input Signals | | | | | 2.1.4 | Conclusion | | | | 2.2 | Prerequ | uisite Integrated System Verification Tests | | | | | 2.2.1 | Preliminary Tests | | | | | 2.2.2 | Stage 1 Testing | | | | | 2.2.3 | Stage 2 Testing | | | | | 2.2.4 | System Verification Error Report Summary | | | | 2.3 | Integrated Protection System Simulated Transient | | | | | | Test | | | | | | 2.3.1 | Introduction | | | | | 2.3.2 | Test Case Generation | | | | | 2.3.3 | Acceptance Criteria | | | | | 2.3.4 | Transient Test Execution | | | | | 2.3.5 | Test Results | | | | | | | | | | | | Page | | |-----|------|-----------------------------------------------|------|--| | 3.0 | SYST | EM DESIGN SPECIFICATIONS SUMMARY | 3-1 | | | | 3.1 | Equipment Specification (E-Spec) | | | | | 3.2 | | | | | | | Composite Block Diagrams | | | | | | 3.3.1 Integrated Protection Cabinets (IPC) | | | | | | 3.3.2 Integrated Logic Cabinets (ILC) | | | | | | 3.3.3 ILC Interposing Logic & Power Interface | | | | | 3.4 | IPS Module List & Spec Sheets | | | | | 3.5 | IPS Software Standard | | | | | 3.6 | IPS Automatic Testing Requirements | | | | | 3.7 | IPS System Test Guidelines | | | | | 3.8 | References | | | | 4.0 | HARD | WARE VERIFICATION SUMMARY | | | | | 4.1 | Hardware Verified | | | | | 4.2 | Hardware Test Results/Error Incident Reports | | | | | 4.3 | QAC Analog Conditioning Card | | | | | | 4.3.1 QAC Equipment Performance Specification | | | | | | DS1177 (EPS) Summary Description | | | | | | 4.3.2 QAC Product Verification Test Procedure | | | | | | 6821A68 (PVTP) Summary Description | | | | | 4.4 | QAO Analog Output Card | | | | | | 4.1.1 QAO EPS DS1165 Summary Description | | | | | | 4.4.2 QAO PVTP 6821A62 Summary Description | | | | | 4.5 | QA1 Analog Input Point Card | | | | | | 4.5.1 QAI EPS DS1122 Summary Description | | | | | | 4.5.2 QAI PVTP 6821A60 Summary Description | | | | | 4.6 | QBI Digital Input Card | | | | | | 4.6.1 QBI EPS DS1175 Summary Description | | | | | | 4.6.2 QBI PVTP 6821A60 Summary Description | | | - 4.7 QBO -- Digital Output Card - 4.7.1 QBO EPS DS1174 Summary Description - 4.7.2 QBO PVTP 6821A64 Summary Description - 4.8 QCI -- Contact Input Card - 4.8.1 OCI EPS DS1189 Summary Description - 4.8.2 QCI PVTP 6921A69 Summary Description - 4.9 QDI -- Digital Input Card - 4.9.1 QDI EPS DS1141 Summary Description - 4.9.2 QDI PVTP 6821A70 Summary Description - 4.10 OMC -- Microcomputer Card - 4.10.1 QMC EPS DS1139 Summary Description - 4.10.2 QMC PVTP 6822A39 Summary Description - 4.11 QMD -- Data Link Controller Card - 4.11.1 QMD EPS DS1173 Summary Description - 4.11.2 QMD PVTP 6822A41 Summary Description - 4.12 QME -- Memory Extender Card - 4.12.1 QME EPS DS1166 Summary Description - 4.12.2 OME PVTP 6822A40 Summary Description - 4.13 QMS -- Two Port Shared Memory Card - 4.13.1 QMS EPS DS1179 Summary Description - 4.13.2 QMS PVTP 6822A42 Summary Description - 4.14 QPD, QPP -- Q-Line Crate Paddle Card - 4.14.1 QPD, QPP EPS DS1218 Summary Description - 4.14.2 QPD, QPP PVTP 7601A73 Summary Description - 4.15 QTB -- Time Base Card - 4.15.1 QTB EPS DS1248 Summary Description - 4.15.2 QTB PVTP 6821A61 Summary Description - 4.16 NAI -- Annunciator Interface Card - 4.16.1 NAI EPS DS1073 Summary Description - 4.16.2 NAI PVTP Summary Description - 4.17 NAC -- Analog Comparator Card - 4.17.1 NAC EPS DS1102 Summary Description - 4.17.2 NAC PVTP VR-76 Summary Description 4.18 NCI -- Input Card 4.18.1 NCI EPS DS1071 Summary Description 4.18.2 NCI PVTP VR-71 Summary Description 4.19 NCP -- Reactor Coolant Pump Speed Card 4.19.1 NCP EPS DS1188 Summary Description 4.19.2 NCP PVTP 6822A37 Summary Description 4.20 NDC -- Contact Input Card 4.20.1 NDC EPS DS1196 Summary Description 4.20.2 NDC PVTP 6821A79 Summary Description 4.21 NIL -- Integrated Logic Card 4.21.1 NIL EPS DS1128 Summary Description 4.21.2 NIL PVTP 6822A38 Summary Description 4.22 NMA -- Analog Mixing Amplifier Card 4.22.1 NMA EPS DS1104 Summary Description 4.22.2 NMA PVTP VR-67 Summary Description 4.23 NMO -- Momentary Output Card 4.23.1 NMO EPS DS1194 Summary Description 4.23.2 NMO PVTP 6821A77 Summary Description 4.24 NQO -- Quad Output Card 4.24.1 NOO EPS DS1187 Summary Description 4.24.2 NOO PVTP Summary Description 4.25 NQP -- Quad Loop Power Supply Card NOP EPS DS11005 Summary Description 4.25.1 4.25.2 NOP PVTP VR-50 Summary Description 4.26 NQT -- Quad Output Card 4.26.1 NOT EPS DS1184 Summary Description 4.26.2 NQT PVTP 6821A78 Summary Description 4.27 NRA -- Resistance Temperature Detector (RTD) Amplifier Card 4.27.1 NRA EPS DS1017 Summary Description 4.27.2 NRA PVTP VR-60 Summary Description 4.28 NTB -- Breaker Trip Bypass Card 4.28.1 NTB EPS DS1207 Summary Description 4.28.2 NTB PVTP 6821A75 Summary Description - 4.29 NTL -- Breaker Trip Logic Card - 4.29.1 NTL EPS DS1202 Summary Description - 4.29.2 NTL PVTP 6821A76 Summary Description - 4.30 M-BUS - 4.30.1 M-BUS EPS DS1243 Summary Description - 4.30.2 M-BUS PVTP Summary Description - 4.31 UIOB -- Universal Input/Output Bus - 4.31.1 UIOB EPS DS1144 Summary Description - 4.31.2 UIOB PVTP Summary Description - 4.32 Q-Line/7300 Series Power Supply - 4.32.1 EPS DS1203 Summary Description - 4.32.2 PVTP Summary Description - 4.33 Source Range Module (SRM) - 4.33.1 SRM SKRMP80177 Equipment Summary Description - 4.33.2 SRM T-925870 Test Summary Description - 4.34 Intermediate Range Module (IRM) - 4.34.1 IRM SKRMP80177 Equipment Summary Description - 4.34.2 IRM 2383A66 Test Summary Description - 4.35 Power Range Module (PRM) - 4.35.1 PRM SKRMP80177 Equipment Summary Description - 4.35.2 PRM 2383A67 Test Summary Description - 4.36 N-16 Power Monitor Module - 4.36.1 N-16 SKRMP80177 Equipment Summary Description - 4.36.2 N-16 T-925871 Test Summary Description - 4.37 Source Range Preamplifier (SRP) - 4.37.1 SRP SKRMP80177 Equipment Summary Description - 4.37.2 SRP T-925870 Test Summary Description - 4.38 High Voltage Power Supply Module (HVPSM) - 4.38.1 HVPSM SKRMP80177 Equipment Summary Description - 4.38.2 HVPSM 2383A47 Test Summary Description - 4.39 Safety Grade Digital Rod Position Indicator (SGRPI) - 4.39.1 SGRPI ES-953230 Equipment Summary Description - 4.39.2 SGRPI T-925873 Test Summary Description Page | .0 | SOFT | WARE VER | IFICATION SUMMARY | | | | | | |----|-------------------------------------------------------------------------|------------------------------------------------------------------------------|----------------------------------------|-----|--|--|--|--| | | 5.1 | Software | e Verified | 5-1 | | | | | | | | 100000 | Test Results/Error Incident Reports | | | | | | | | | | Support Modules | | | | | | | | | 5.3.1 | Software Performance Specifications | | | | | | | | | | (SPS)-0001-0063 Summary Description | | | | | | | | | 5.3.2 | 이 사이를 하게 하시네요 생각하게 되었습니다. | | | | | | | | | | (STS)-0001-0063 Summary Description | | | | | | | | 5.4 | Nuclear | Instrumentation Partrial Trips Process | | | | | | | | | | SPS-0100 Summary Description | | | | | | | | | 5.4.2 | | | | | | | | | 5.5 | Departure From Nucleate Boiling (DNB) and<br>Kilowatt Per Foot (KW/FT) Trips | | | | | | | | | | 5.5.1 | SPS-0200 Summary Description | | | | | | | | | 5.5.2 | STS-0200 Summary Description | | | | | | | | 5.6 | 5.6 Engineered Safety Features (ESF) Partial Trips | | | | | | | | | | 5.6.1 | SPS-0300 Summary Description | | | | | | | | | | STS-0300 Summary Description | | | | | | | | 5.7 Trip Logic Computer, Global Trip and Trip Enable Process | | | | | | | | | | | 5.7.1 | SPS-0400-0402 Summary Description | | | | | | | | | 5.7.2 | STS-0401, 0402 Summary Description | | | | | | | | 5.8 | Data Li | Data Link Controller Process | | | | | | | | | 5.8.1 | SPS-0500 Summary Description | | | | | | | | | 5.8.2 | STS-0500 Summary Description | | | | | | | | 5.9 Integrated Protection Cabinet Communications Bus Controller Process | | | | | | | | | | | 5.9.1 | SPS-0600 Summary Description | | | | | | | | | 502 | STS_0600 Summary Description | | | | | | | | | | | | | Pag | |------|-------------------------------------------------------|-------------|---------------|----------------|-----|-----| | 5.10 | Integrati | | ion Cabinet | Automatic | | | | | | | Summary Desc | ription | | | | | | | Summary Desc | | | | | E 11 | | | | | | | | 2.11 | 11 Integrated Logic Cabinet 2/4 Bypass Voting Process | | | | | | | | | SPS-0800 S | Summary Desc | ription | | | | | 5.11.2 | STS-0800 S | Summary Desc | ription | | | | 5.12 | Integrat | ed Logic Ca | abinet Autom | atic Tester | | | | | Process | | | | | | | | 5.12.1 | SPS-0900 S | Summary Desc | ription | | | | | 5.12.2 | STS-0900 S | Summary Desc | ription | | | | 5.13 | Main Con | trol Board | /Integrated | Logic Cabinet | | | | | Multiple | | | | | | | | | | | Description | | | | | | | | Description | | | | 5.14 | | | nal Selection | | | | | | 5.15.1 | SPS-1100- | 1102 Summary | Description | | | | | 5.14.2 | STS-1100- | 1102 Summary | y Description | | | | 4005 | NDIV | | | | | 6- | | | NDIX | | | (NDC) (Oak D4) | dan | | | | | | | (NRC)/Oak Ric | | | | | onal Laboratories (ORNL) Technical audit reports | | | | | | | | | | line Design | | | | | 6.3 | Definiti | on of Acro | onyms and Abb | breviations | | | | | | | | | | | 6.0 #### 1.0 INTRODUCTION Westinghouse has designed an Integrated Protection System (IPS) which is based on distributed digital processing technology. This design effort was conducted in compliance with accepted industry and regulatory standards and practices. The design bases for the IPS have been presented to the NRC in RESAR-414, which received a Preliminary Design Approval (PDA) in November of 1978. As a condition of the PDA, the NRC required that Westinghouse prove the design of the IPS by submitting it to a verification and validation program. Westinghouse's response to this condition is contained in report WCAP-9513, "414 Integrated Protection System Prototype Verification Program". This report, issued in August of 1977, was organized into two major parts which established the design principles and the verification program that was used during the development, test and operation phases of the prototype model. Design principles sections were included for the prototype system, as well as its software and hardware. Items such as program administration, documentation, design and development, and verification principles were addressed in these sections. The discussions of the verification program were also similarly arranged for the prototype system, and its software and hardware. Items included within these sections were the program administration, verification methods, documentation, and acceptance criteria. In order to conduct this verification and validation program, Westinghouse built a prototype of the IPS which consists of one complete channel set of equipment. All inputs from the field, control board and other channel sets are simulated as are the output loads of the system. The verification and validation program consisted of a series of inspections and tests, performed first on the individual hardware and software modules, then on subsystems. Finally, system level tests were performed on the entire IPS prototype, to verify the correctness of its design. This report describes the results of that verification and validation program. An audit program, by which the NRC reviewed this verification and validation program is also described. ### 1.1 PROGRAM MANAGEMENT The verification of the IPS prototype was conducted in such a manner to assure independence of the design and verification processes. The management organization of the program is shown in Figure 1-1 which shows that two Westinghouse divisions were involved, Nuclear Steam Supply System supplier (NS) and the Actual Equipment Supplier (AES). The NS provided the System Design Specification to the AES who produced the detailed system design documentation. These detailed documents, which consisted of schematic diagrams, Equipment Performance Specifications and Software Performance Specifications, were developed from the System Design Specifications and were reviewed and approved by the NS to verify consistent of the system design. At the AES facility, the design and verification effort was divided among distinct teams -- hardware and software design teams and hardware and software verification teams. After the hardware and software were designed and verified, they were integrated into the system where the overall system design was validated by testing. This testing was performed according to procedures written by the AES and approved by the NS, the responsibility for final approval of the system test results being the NS division. # 1.2 SOFTWARE DESIGN & VERIFICATION The documentation produced during the design and verification of the IPS software is shown on the left half of Figure 1-2. The software design team led by the chief programmer, produced the Software Performance Specifications based on the System Design Specification. These documents were reviewed and approved by the NS division. The software design team then produced the actual software and documented it by the Software Maintenance Manual, which contains the source code listings, relocatable object code and link loader output listings. The Software Performance Specifications and the Software Maintenance Manual were submitted to the verification team for design verification. Upon receipt of the Software Performance Specifications the software verification team, under the leadership of the chief verifier, produced the Software Test Specification for each software subsystem and each software module. This dor nent defined the inspections and tests that would be used to verify the software subsystems and modules. The inspections performed for the purpose of verification were generally done at the source code level, which was usually a high level, structured syntax language (some assembly language was used where close interface to the hardware or strict timing concerns required it). Testing of the software was done in a micorprocessor development system (MDS). For this verification, the software module under test was loaded together with a code which simulated the module inputs and recorded the module outputs. In thest tests the inputs were exercised over their entire ranges and all paths in the software module were executed. Software verification was performed on a "bottom-up" approach where the lowest modules were verified by themselves before being assembled into a larger software subsystem for further verification. At the subsystem level, module interfaces and the flow of data through the modules were verified. Any errors in the software which were discovered by the verification team were reported to the design team, along formalized channels, where they were resolved. Other communications between the teams, such as for clarification of the Software Performance Specifications, were also conducted procedurally using prepared question and response types of forms. A record of all of these error reports and communications is maintained by the chief programmer. A final record of the verification of each software module is provided in the Software Test Results Manual which is prepared by the verification team. This manual contains, in addition to the error reports discussed above, a complete detail of the test results. # 1.3 HARDWARE DESIGN & VERIFICATION The hardware was designed and verified by independent teams in a manner analagous to the software development. As indicated in the right half of Figure 1-2, the hardware design is documented by Equipment Performance Specifications, which contain the specific functional requirements for each printed card design, and the Equipment Maintenance Manual which includes detailed printed card schematics as well as the overall system schematic wiring diagrams. These documents are reviewed against the System Design Specification by the NS division to verify adequacy of the design. When the hardware design team was satisfied that the design of each printed circuit card design was correct, they submitted samples of the card, along with the design documentation, to the hardware verification team. This verification team prepared test procedures as documented in the Equipment Test Specification, and then executed those tests on various sample cards to verify that the design met the requirements of the Equipment Performance Specification. The results of these tests were documented in the Equipment Test Results Manual, which was transmitted to the NS division for approval. Again any design errors discovered by the verification team were reported and resolved through formal, traceable channels. # 1.4 SYSTEM INTEGRATION AND VALIDATION Upon the completion of the software verification and hardware verification, the two design branches were merged to form the overall system in the design verification process called system integration. This task was accomplished by the combined hardware and software design teams. Checkouts were performed to determine that the system was functioning prior to subjecting the system to validation testing. While these checkouts were not conducted using predefined test procedures, any errors found, either in software or hardware, were reported through the formal channels set up for the verification of the individual modules. When the design team was satisfied that the prototype was completely integrated and debugged, the formal system design validation testing was performed by a team which consisted of personnel from both the AES and NS divisions. The test procedures for the integrated system were written by the AES from a test specification which was prepared by the NS division. Responsibility for the approval of the test procedures and acceptance of the test results was held by the NS division. The documentation of the final system validation test is shown in Figure 1-2 as the System Verification Manual. The integrated system testing included the functional verification of the individual subsystems and the overall system response. This latter testing was performed by injecting computer generated, multivariate transients into the system inputs and recording its response. # 1.5 NRC REVIEW BY AUDITS At the completion of their review of RESAR-414, members of the NRC Instrumentation and Control Branch came to realization that a complete detailed review of a complex safety system, such as the IPS, would require too much effort to be handled by their normal review process. The NRC, therefore, proposed an audit process whereby Westinghouse was required to perform a complete formal design verification of the IPS while the NRC conducted audits of the results of the design verification. By the nature of this type of audit process, the auditors may probe as deeply as they wish into any area of the design verification, as a result the supplier must perform the entire verification with absolute rigor. The NRC applied the audit technique to the IPS verification in order to test this new approach to the regulatory review of the safety systems. The NRC contracted personnel from Oak Ridge National Laboratories for the audit reviews, and after the second audit the NRC staff did not participate directly in the process. Reports were transmitted by ORNL to the NRC after each audit to keep the staff abreast of the verification program. Copies of these reports are included in the Appendix of this document. The results of this trial audit review process were favorable. From the standpoint of the NRC, an indepth review of the IPS, part by direct inspection the remainder by induction, was obtained with only a small expenditure of resources, a total of eight audits being held each lasting approximately two days. From the viewpoint of a vendor the audit process is successful because it removes a large amount of the uncertainty involved with the regulatory review process. Westinghouse hopes to see continued use of this review technique in the future. In another trial review process, the NRC requested that a representative software sample be subjected to Software Sneak Analysis by the Boeing Company. This was done on the Data Link Controller software with the result that no errors were found in the executable code and only a few documentation discrepancies were noted. A more detailed evaluation of this analysis was sent to the NRC. # 1.6 ONGOING EFFORT The experience gained by Westinghouse in the IPS design verification program has been valuable. It has reaffirmed the principle that adequate design verification can be performed, with sufficient independence, within the design or anization. In fact, internal verification is superior to that which could be performed by an outside organization due to the intimate knowledge of the system provided by the verification team. During the course of the IPS verification program, an interaction problem between microcomputer busses was noted. This problem only occurred at elevated temperatures, therefore, it did not interfere with the system verification testing, which was conducted at room temperature. However, it did necessitate a redesign of the system hardware. The design changes will be reverified in a program that will be adapted from the principles learned by Westinghouse in the IPS design verification program. #### LEGEND: EIC - ENGINEER IN CHARGE AES - ACTUAL EQUIPMENT SUPPLIER NS - NSSS SUPPLIER (1) - CHIEF PROGRAMMER (2) - CHIEF VERIFIER Figure 1-1. Interdivisional 414 IPS Organization Figure 1-2. System Documentation Structure ### 2.0 INTEGRATED SYSTEM VERIFICATION SUMMARY # 2.1 METHODOLOGY OF INTEGRATED SYSTEM VERIFICATION #### 2.1.1 TEST METHODOLOGY It is the Westinghouse Nuclear Technology Division (NTD) practice that new equipment designs be verified to ensure that the equipment meets the requirements of the System Design Specification. In order to minimize the number of test cases required for a total integrated system test, it is necessary that a sufficient number and type of prerequisite tests be conducted. These discrete tests are just as important as the integrated tests since, it is then possible to justify the scope and depth of the integrated test. The system is designed from the top down, the system verification testing proceeds from the bottom up. This permits the proper operation of each sub unit of the system to be established prior to introducing into more complex interconnections within the system thus localizing problems to the lowest rung on the hierarchial ladder of the system. Additionally, the bottom up verification approach allows for the concentration of the interfaces within the system rather than the content of each sub unit at the later stages of the system verification testing. For the series of tests described by the test outline referenced in the System Design Specification, it is assumed that the following activities have taken place and thus credit has been taken for them when designing the tests. - All hardware modules have been verified to operate in accordance with their Equipment Performance Specifications (EPS). - All software modules and processes have been verified to operate in accordance with their Software Performance Specifications (SPS). The system has been functionally checked to ensure that signal paths are in accordance with design documentation. The test methodology defined by the referenced test outline begins with a series of overlapping tests in which each successive test pick, up new portions of the system, while including portions previously tested to ensure that both the new portion and the interfaces function correctly. In general, at each step in the test process, the test cases will be defined in such a way as to exercise the new portion to be tested and to ensure that interfaces between the new portion of the system under test and the preceeding portions are adequately verified. No attempt is made to retest portions previously tested. The scope of the hardware to be included in the system verification test is defined in WCAP-9153 and includes one Channel Set, a Digital Rod Position Indicating Cabinet, an Integrated Protection Cabinet, three Integrated Logic Cabinets and the Signal Selector. The remaining portions of the system will be simulated using appropriate equipment. The final set of tests is called the integrated system test and is conducted with all prototype system elements connected together. These tests are designed to verify two aspects of the total system. That the correct outputs change state as required in response to particular test cases, and secondly, that other outputs do not change state when they should not. This will be accomplished by monitoring key system ouputs for the appropriate status. #### 2.1.2 TEST CASES It is the Westinghouse NTD practice that test cases be defined for each step of the system verification testing which will ensure that the equipment being tested is exercised over its normal and abnormal range of inputs in a way that assures its proper operation in an actual plant situations. The test cases specified are appropriate to the intent of the test and may be selected with the knowledge of prior test runs. In particular, it is intended that where a series of overlapping tests is defined, that the test cases selected for the latter test make use of the knowledge gained from the earlier tests. Test cases are defined with cognizance being given to the internal and external architectural features of the system. For instance, if a circuit board or software module is used in several applications, a rigorous test of only one board or module is required while for the others, only a limited test, primarily to check interfaces, is made. This approach will also be used where multivariable inputs to a portion of the system occur. In general, the test cases are chosen so that one variable is exercised while others are held at a nominal value related to normal operating conditions. For complex circuits, specifically the DNBR and KW/FT, and the Trip Logic Modules, additional test cases are selected to ensure that the complex interactions within the circuits function properly. The test cases for the final integrated system verification test are selected to demonstrate that the system performs properly when subjected to inputs reflecting the plant conditions associated with selected accidents studied in Chapter 15 of the RESAR 414. The driving variables involved in each accident are manipulated while the others are held constant. #### 2.1.3 INPUT SIGNALS The input signals used for the system verification test are simulated. The simulations are such as to reproduce the type of signal produced by the actual sensor in a plant. Process noise or any other noise is not be simulated as this will obscure the information that is being collected, more specifically that the overall transfer function is in accordance with the system design specification. The two types of inputs used to exercise the system are steady state, and dynamic. Both types will be used depending on the nature of the information to be collected. For instance, channels with not time dependent elements are adequately checked using slowly varying or incremented signals to establish gain and bistable accuracies whereas channels containing lead lag units, etc. are verified through the use of time varying signals whose dynamic characteristics are precisely known. Dynamic input signals consists of ramps and steps (the latter being a special case of the former). The rate of change and magnitude of these signals is chosen to be consistent with the response of the channels being tested. Steps are typically used to establish the time response of a channel and its transient response generally while ramps are used to demonstrate the correct system operation and signal polarity. Tests are run that demonstrate the proper operation of the system in response to out of range conditions. These tests are designed to drive the channels into saturation to ensure that the system responds in an orderly and timely manner when the out of range condition is removed. #### 2.1.4 CONCLUSION The overall approach to the system verification testing is based on a systematic series of overlapping tests which progress from detailed checks of small elements of the system to more limited checks of the total system. Test cases are selected to deal with the particular aspects of the system under consideration and test inputs are chosen to establish proper system operation for static and dynamic, normal an out-of-range signals. # 2.2 PREREQUISITE INTEGRATED SYSTEM VERIFICATION TESTS This section defines the objectives of each of the system tests and indicates the order required to perform each test to insure proper overlap testing. To show this overlap testing, it is necessary to define the various stages in which the tests were categorized. Preliminary testing is a series of tests on the Integrated Protection and Logic Cabinets, that tests the system on a component and subsystem basis. In Stage 1, the verification of the interelation of the components and subsystems is performed by testing the non-logic portion of the IPS consisting of the process transmitter inputs, transmitter power supplies, analog signal conditioning circuits, speed pickup input, Nuclear Instrumentation System (NIS) input, A/D converters, Safety Grade Digital Rod Position Indicator (SDRPI) data link input, time dependent functions, bistables and calculations. In Stage 2 all of the devices tested in Stage 1 are activated again and continues through the interposing logic of the system up to and including partial trips and ESF actuations. The Integrated System Tests Cases operate in the integrated system by simulating a series of plant accident conditions and comparing system results against precalculated results for such conditions. A more detailed description of Integrated System testing is described in Section 2.4, a list of prerequisite and other various tests with a brief description follows: #### 2.2.1 PRELIMINARY TESTS # 2.2.1.1 IPC Preliminary Tests #### 1. General Tests The objective of this section is to perform tests on cables and cabinet wiring, calibrate cards and burn-in the system prior to starting the subsystem tests. These tests are: a. Cables (1) a,c,e (5) a,c,e d. Burn-In (1) 7 a,c,e # 2. IPC Subsystem Tests The objective of this section is to verify each identifiable subsystem made up of verified software loaded into verified hardware prior to starting system verification tests. The subsystem tests consists of the following: a,c,e The subsystems involved are: (a) (b) (c) (d) (e) (f) (g) (h) (i) # 2.2.1.2 ILC Preliminary Tests #### 1. General Tests The objective of this section is to test cables and cabinet wiring, calibrate cards and burn-in the system prior to starting the subsystem tests. These objectives are similar to IPC General Test and are outlined below. a,c,e a,c,e (1) (2) 2-8 b. Cabinet Wiring Cards (3) (4) (5) Burn-In (6) a,c,e a,c,e 2. ILC Subsystem Tests The objective of this section is to verify each identifiable subsystem made up of verified software loaded into verified hardware prior to starting system verification tests. The subsystem tests consists of the following: The specific subsystems involved are as follows: a. Communications dus Controller # Objective The purpose of the Communications Bus Controller subsystem test is: a,c,e a,c,e 2-10 ]a,c,e b. ESF 2/4 Voting Logic Objective The purpose of the ESF 2/4 Voting Logic subsystem test is: a,c,e 7 a,c,e (3) (4) c. ESF System Level Logic Objective The purpose of the ESF System Level Logic subsystem test is: a,c,e (1) (2) (3) (4) (5) 5356A 2-12 d. ILC Demux/Mux Objective The purpose of the ILC Demux/Mux subsystem test is: (1) (2) (3) (4) (5) (6) e. Interposing Logic Objective The purpose of the Interposing Logic subsystem test is: a,c,e a,c,e (1) (2) (3) (4) f. Power Interface Objective The purpose of the "Power Interface" subsystem test is: (1) (2) 5356A 2-14 g. Maintenance Arming Objective The purpose of the "Maintenance Arming" subsystem test is: a,c,e (1) (2) h. Auto Tester Arming Objective The purpose of the "Auto Tester Arming" subsystem test is: (1) (2) (3) \[ \] (4) i. Auto l'ester # Objective The purpose of the Auto Tester subsystem test is: #### 2.2.2 STAGE 1 TESTING The objective of this section is to verify the operation of the nonlogic portion of the IPS consisting of the process transmitter inputs, transmitter power supplies, analog signal conditioning circuits, speed pickup input, NIS input, A/D converters, SDRPI data link input, time dependent functions, bistables and calculations. Operation of the Control Signal Selector is also verified during this stage. All outputs are monitored continuously. Stage 1 tests overlap with pre-requisite tests. 1. Static Test ### Objective The purpose of the Static Test is: - a. To verify that process input accuracies under static conditions meet the established requirements. - b. To verify that system scaling can be accomplished. - c. To verify system wiring up to A/D converter input, lead lag input, rate lag input or bistable input; termination assignments; A/D converter address assignments and signal polarities. This establishes that the input/output relationship confirms with the system drawings and that the software is functioning correctly. - d. To determine the output loading effects (both internal and external). - e. To ensure that there are no excessive hysteresis effects between 0 and 100% full range. - f. To verify all input and output data links are functioning properly. 2. Dynamic Tests for Analog Channels ## Objective The purpose of the Dynamic Tests for the Analog Channels is: - a. To verify the operation of all lead/lag functions and bistables implemented in hardware. - b. To verify that lead/lag and bistable outputs are input correctly to other sub-systems. - c. To verify that the IPC Automatic Tester is receiving the feedback signals correctly. - d. To verify that the Control Signal Selector, Plant Computer, ILC A and ILC B are receiving the status and trip signals correctly over data links. - 3. Dynamic Tests For ESF Channels # Objective The purpose of the Dynamic Tests for ESF Channels is: - a. To verify the <u>trip</u> and <u>reset</u> accuracy of all bistables implemented in software. - b. To verify that lead/lag, rate/lag, and bistable outputs are input correctly to other sub-systems. - c. To verify that the IPC Automatic Tester is receiving the feedback signals correctly. - d. To verify that the Control Signal Selector, Plant Computer, ILC A and ILC B are receiving the status and trip signals correctly over data links. 4. Dynamic Tests For NIS Channels #### Objective The purpose of the Dynamic Tests for NIS Channels is: - a. To verify that the software summators are calibrated properly. - b. To verify that software track/store is operating correctly. - c. To verify the <u>trip</u> and <u>reset</u> accuracy of all bistables implemented in software. - d. To verify that summator, track/store, rate/lag, and bistable outputs are input correctly to other subsystems. - e. To verify that the IPC Automatic Tester is receiving the feedback signals correctly. - f. To verify that the Control Signal Selector, Plant Computer, ILC A and ILC B are receiving the status and trip signals correctly over data links. - 5. DNBR and KW/FT Subsystem Test Cases # Objective The purpose of the DNB-KW/FT partial trips subsystem test is: - a. To verify that the DNB-KW/FT subsystem is calibrated correctly. - b. To verify that the DNB and KW/FT partial trip calculations perform correctly given numerous static and dynamic test cases. - c. To verify the data flow from the DNB-KW/FT subsystem to the 1) IPC Automatic Tester, 2) Signal Selector, and 3) Plant Computer. POOR ORIGINAL 6. Signal Selector Subsystem Test Cases #### Objective The purpose of the Signal Selector subsystem test is: - To verify that the Signal Selector subsystem is calibrated correctly. - t. To verify that the Signal Selector performs correctly given numerous test cases. ### 2.2.3 STAGE 2 TESTING The objective of this section is to verify the operation of the logic portion of the IPS. The verification is conducted by exercising the sensor inputs and monitoring the logic outputs for Reactor Trip and Engineered Safeguards Features. System and component manual actuations are also verified. Operation of Automatic testers in IPC, ILC and ICC is verified during this stage. Stage 2 tests overlap with Stage 1 tests. 1. Logic Tests for Analog Channels # Objectives The purpose of the Logic Tests for Analog Channels is: a. To verify that the logic from bistable outputs and from manual pushbuttons up to the inputs of 2/4 Reactor Trip Logic or 2/4 ESF Voting Logic is functioning properly. - b. To verify that the IPC Automatic Tester is receiving the feedback signals correctly. - c. To verify that Plant Computer, IPC II, IPC III, IPC IV, ILC A and ILC B are receiving the status and trip signals correctly over the data links. - 2. Logic Tests for ESF Channels The purpose of the Logic Tests for ESF Channels is: - a. To verify that the logic from bistable outputs, reactor breaker status contacts and manual pushbuttons up to the inputs of 2/4 Reactor Trip Logic or 2/4 ESF Voting Logic is functioning properly. - b. To verify that the IPC Automatic Tester is receiving the feedback signals correctly. - c. To verify that Plant Computer, IPC II, IPC III, IPC IV, ILC A and ILC B are receiving the status and trip signals correctly over the data links. - 3. Logic Tests for NIS Channels ### Objective The purpose of the Logic Tests for NIS Channels is: a. To verify that the logic from bistable outputs, turbine status contacts and manual pushbuttons up to the inputs of NIS High Voltage Power Supply Cutoff Logic, 2/c Reactor Trip Logic or 2/4 ESF Voting Logic is functioning properly. - b. To verify that the IPC Automatic Tester is receiving the feedback signals correctly. - c. To verify that Plant Computer, IPC II, IPC III, IPC IV, ILC A and ILC B are receiving the status and trip signals correctly over the data links. - D. Logic Tests for DNBR and KW/FT Trips The partial reactor trips have been tested during the DNBR and KW/FT subsystem static and dynamic tests. The purpose of the "Logic Tests for DNBR and KW/FT" partial trips is to verify that the automatic bypasses of the DNBR and KW/FT partial trips operate under the following circumstances: - a. Low reactor coolant flow in the loop associated with the channel set. - b. Failure of analog inputs to the DNB-KW/FT subsystem. - c. Failure of serial digital inputs to the DNB-KW/FT subsystem. - 4. Reactor Trip 2/4 Bypass Logic ### Objective The purpose of the Reactor Trip 2/4 Bypass Logic is: - a. To verify the logic of the NTL and NTB cards directly. - b. To verify the operation of one 2/4 BYPASS gate within the Trip Logic Computer with an exhaustive test (all 256 input combinations). - c. To verify the operation of all 2/4 BYPASS gates for four test cases. And in conjunction verify the proper transmission of partial trips and bypasses to Channel Sets II, III, and IV. - 5. IPC Automatic Tester The purpose of the IPC Automatic Tester verification is: - a. To check that the local and MCB located IPC Automatic Tester Panels are functioning correctly. - b. To check that the IPC Automatic Tester results are being printed correctly on the local terminal and at the plant computer. - c. To check that the IPC Automatic Tester is testing the IPC under normal conditions with no errors. - d. To check that the IPC Automatic Tester can detect properly the following types of errors: Channel Inaccuracy Dynamic unit Time Constant Inaccuracy Bistable Setpoint Inaccuracy Logic Fault Reactor Trip Fault Reactor Trip Response Time Abnormal Operation 6. ILC Train A Automatic Tester #### Objective The purpose of the ILC Automatic Tester Test is: - a. To verify that with the ILC System set up for normal operation, the tester functions properly transmitting the appropriate (idle-mode) information to the plant computer and for local displays. - b. To verify that the ILC Automatic Tester and the ILC System are functional in the auto test mode and the appropriate test results and other pertinent information are transmitted to the plant computer and local displays. - c. To verify that the ILC Automatic Tester detects errors pertinent to idle mode and test mode operations. - 7. Control Signal Selector Automatic Tester The purpose of the Control Signal Selector Automatic Tester subsystem test is: - a. To verify that the Control Signal Selector Automatic Tester is functional in the self test mode. - b. To verify that the Control Signal Selector Automatic Tester and the Signal Selector(s) are functional in the auto test mode. - c. To verify that the Control Signal Selector Automatic Tester detects errors. 2.2.4 SYSTEM VERIFICATION ERROR REPORT SUMMARY - a,c,e It will not be attempted to detail every problem and solution in this section, however, a list describing the problems is provided in this document and several random problems are listed in detail as examples of problem resolution. Ta,c,e The following section contains more detailed descriptions of several randomly chosen problems from each of the categories discussed, as well as the solution to these problems: \_a,c,e ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO.: PROBLEM: ACTION TAKEN: ERROR REPORT NO.: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO.: PROBLEM: ACTION TAKEN: -a,c,e ERROR REPORT NO .: PROBLEM: ACTION TAKEN FRROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO.: PROBLEM: ACTION TAKEN: ERROR REPORT NO.: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN: ERROR REPORT NO .: PROBLEM: ACTION TAKEN ERROR REPORT NO .: PROBLEM: ACTION TAKEN: 2-32 a,c,e # 2.3 INTEGRATED PROTECTION SYSTEM SIMULATED TRANSIENT TEST RESULTS #### 2.3.1 TEST OBJECTIVE The final phase of the integrated system testing was the Simulated Transient Testing. The objective of these tests was to demonstrate that the system is capable of responding to multivariate transients such as those the system would experience while performing its mission in the plant. This was accomplished by simulating plant transients on a digital computer, using safety analysis codes, recording those transients on an analog tape recorder and injecting them into the system prototype through its normal inputs. In order to coordinate this validation of the system to its design bases, the transients that were simulated were selected from the RESAR-414 Chapter 15 accident analysis. In general, the conservative assumptions and analysis, typical of reactor safety analyses, were not adhered to for these simulated transients, rather, "best estimate" analysis was used in that a single set of nominal plant parameters was used for all of the transients and the initial conditions were nominal plant values. This is consistent with the objective of this testing, ie, to show that the system responds to realistic transients. However, because the assumptions for the generation of these transients are different than those of the safety analyses, the results are not directly comparable. The results of these transient tests will be correlated to the system design bases by comparison to the Limiting Safety System Settings and accuracy requirements specified for the system. It should be noted that due to the broad scope of this type of testing, it is not practical to test all functions of the Integrated Protection System. The completeness required for total system validation is provided by the individual channel function tests which were performed in the remainder of the integrated systems tests. 5356A #### 2.3.3 DESCRIPTION OF TRANSIENTS The following paragraphs briefly describe the transient test cases performed including assumptions made and initial conditions. In each case, the last digits of the paragraph number is the test case number. #### 2.3.3.1 Uncontrolled Rod Withdrawal From Low Power . This transient is an uncontrolled power excursion caused by the continuous withdrawal of the control rods. Although it is usually analyzed with a subcritical initial condition, LOFTRAN is not capable of modelling a subcritical reactor core so the initial condition is taken as 1.0% nominal power. The transient is generated by ramping the reactivity insertion at 144 pcm/second. The expected actuations are the startup NIS reactor trips. ### 2.3.3.2 Uncontrolled Rod Withdrawal From Full Power This transient is similar to the previous one except that the initial plant condition is full power and the reactivity insertion rate is 60 pcm/second. The primary protective functions are reactor trips on high nuclear flux or a low DNB ratio. # 2.3.3.3 Uncontrolled Rod Withdrawal, N-1 Loop Operation This transient is like the previous except for the speed at which it progresses and the fact that a reactor coolant is taken out-of-service (pump shut off) as an initial condition, thus causing the DNB-KW/Ft. module to be automatically bypassed. The initial power is 70% and the reactivity insertion rate is 3.3 pcm/second. # 2.3.3.4 Dropped Rod Group This transient is initiated by the dropping of a control rod group into the core (negative reactivity step of 1000 pcm) causing an immediate decrease in reactor power after which the control system attempts to recover to the initial conditions. Due to the primary/secondary system power mismatch, the primary system temperature and pressure drop initially. The primary protective action is the dropped rod reactor trip which is armed by a sudden decrease in power and trips the reactor if the power rises above the minimum value following the event by more than 7%. ### 2.3.3.5 Partial Loss of Forced Reactor Coolant Flow This transient is generated by tripping one of the reactor coolant pumps and allowing it to coast down. The initial power level of the plant is 100%. The protective action is the low reactor coolant flow reactor trip. ### 2.3.3.6 Inadvertent Startup of a Reactor Coolant Loop This transient is the startup of a reactor coolant loop from the N-1 loop initial condition (70% power). The consequent surge of cold water leads to a power excursion in the reactor. ### 2.3.3.7 Loss of External Electrical Load This transient is simulated by stepping the steam flow out of the steam generators from its initial nominal value to zero as would be the case with rapidly closing turbine throttle valves. The steam dump system is assumed to be inoperative, thus, the primary and secondary system pressure rise rapidly. The principal protective action is the high pressurizer pressure trip. ### 2.3.3.8 Loss of Normal Feedwater This transient is simulated by stepping the feedwater flow to all four steam generators to zero. The immediate effect is a falling steam generator water level and an increase in the reactor coolant temperature due to the loss of heat sink. #### 2.3.3.9 Excessive Feedwater at Full Power Excessive feedwater, three times nominal to one steam generator, could possibly be caused by a failed control system or valve. It in turn causes a rising steam generator water level, which leads to a reactor trip, and a cooling of the primary system, which causes an increase i reactor power level due to the negative moderator coefficient of reactivity. #### 2.3.3.10 Excessive Load Increase An excessive load increase, simulated by a 10% increase in steam flow, causes the cooling of the primary system and, hence, the increase of the reactor power. Protection is provided by the overpower reactor trip functions. #### 2.3.3.11 Accidental Depressurization of the Primary System Although LOFTRAN is not specifically designed to handle this type of transient, it can be approximated by reducing the actuation setpoint for the pressurizer relief valves so that they effectively stick open. The principal protective actions are the low pressurizer pressure reactor trip and safety injection, and the low DNB ratio reactor trip. # 2.3.3.12 Accidental Depressurization of the Secondary System Although it was in the original plans to perform this transient, it was realized that it is, from the viewpoint of the integrated protection system response, identical to either Test Case #10 or Test Case #15, depending on the initial condition. It was therefore judged to be redundant and was deleted from the test plan. # 2.3.3.13 Complete Loss of Forced Reactor Coolant Flow This transient is generated in an identical manner to Test Case #5 except that all four of the reactor coolant pumps are tripped and allowed to coast down. For the injection of this transient into the prototype, the flow signals from the independent coolant loops will all be simulated by a single recorded channel. The primary protective functions are the low coolant flow and low pump speed reactor trips. #### 2.3.3.14 Small Primary System Break (LOCA) The small LOCA is simulated or the purpose of these tests as a steam generator tube rupture. The combination of this transient, the stuck pressurizer relief valve (Case #11) and the steam break (Case #15) span the gamut of fluid loss accidents and exercise the safety injection actuation functions as well as related functions. #### 2.3.3.15 Small Secondary System Break This transient is simulated as an eight inch diameter hole in the steam piping which discharges to the containment atmosphere. The initial condition of the plant is low power level (1.0% nominal) to maximize the effects of the cooldown. Again, safety injection actuation and its related functions provide the principal protection. ### 2.3.3.16 Rod Ejection The scenario of the rod ejection accident is that the housing of the control rod drive mechanism on a high worth rod ruptures and the consequent hydraulic forces thrust the rod out of the core. For this simulation, the rod ejection is simulated by a 200 pcm reactivity step, however, LOFTRAN is not capable of modeling the concurrent loss of coolant through the ruptured mechanism. This shortcoming was not considered to be significant, though, because of the other coverage of LOCA type transients. The principal protective actions for this transient are the reactor trips on high neutron flux and high rate of change of flux. #### 2.3.4 ACCEPTANCE CRITERIA As the simulated transients are injected into the integrated protection system prototype, the response of the system is measured by recording various actuation logic signals on strip chart recorders. These signals include system level actuation output, such as the reactor trip breaker actuation signal and the system level safety injection actuation, and certain internal signals, such as the individual partial trip signals that are the inputs to the Trip Logic Module. The acceptance of the test results is based on a comparison of the actual measured first occurance of the logic signal transitions to the predicted response of the system. It was determined in the development of the simulated transient test plan that, due to the limited availability of test equipment, it would not be practical to record the entire set of actuation signals identified for every transient case. Therefore, the subset of signals to be recorded for each test case was selected based on Table 031.31-1 of RESAR 414. This table indicates which of the protective functions of the integrated protection system may be expected to occur in the course of a given transient. This basis for the limitation of the recorded responses is justified by the concept that the purpose of this portion of the system validation testing is to demonstrate that the performance of the system is consistent with its design bases. The acceptance review of the transient test results is a two step process with the preliminary evaluation being based on the time of the first transition of the recorded logic actuations relative to the start of the transient. The observed elapsed times will be compared to expected values which are derived from the simulated transient data. These expected values are expressed as minimum and maximum evaluation times, whose derivation is discussed below. a,c,e 2-41 5356A The resulting acceptance criteria are listed for the recorded signals for each test case in Table 2.3.1 along with the observed values of the event times. As was noted in the Test Objective section, the measured responses of the integrated system during the transient tests are not directly comparable to the design basis transients analyzed in Chapter 15 of RESAR-414. However, the purpose of system validation testing is to demonstrate that the system design meets its functional requirements. Therefore, the final acceptance criteria for the integrated system transient tests are based on the design bases documents for the Integrated Protection System. The fundamental requirement of the system is that it initiate certain actions when its inputs exceed prescribed limits. This requirement forms the basis for the transient test acceptance criteria. The ACCEPT code, which calculated the preliminary evaluation range, was run again after the transient test results were known and the bistables input values were printed at the actual trip times noted during the tests. These inputs are then compared to limits derived from the system design basis documents to validate the system's functions. These acceptance limits are derived in the following manner. The Allowable Setpoint for each of the bistables is taken from the Limiting Safety System Settings section of the Technical Specifications (RESAR-414, Chapter 16). Then the specified channel accuracy is added to (subtracted from) each of the Allowable Setpoints yielding the "Safety Limit." These channel accuracies, which are taken from the 414 Standard Functional Requirements, contain allowance for sensor error as well as the inaccuracies of the cabinet located electronics. Since the sensors are not a part of the integrated system prototype, no additional error allowance is taken for the test setup. This acceptance analysis is conservative in that it does not take credit for the response time allowed for each function. By the time the actuations of the system are recorded, the inputs to the system have moved closer to the safety limit. The actual response time of the system is not verified as a part of these tests, rather it is measured by the IPC Automatic Test Subsystem and verified during the verification of that subsystem. The acceptance criteria generated in this way are listed in Table 2.3-1 for each transient and bistable. a,c,e 2.3.5 TEST RESULTS ANALYSIS Notes &,c,e Acceptance Value at Trip Acting Signal lime. Measured Evaluation Range (secs) Imin Imax lest Case Monitored Signals TABLE 2.3-1 TRANSIENI TEST RESULTS SUMMARY POOR ORIGINAL #### TABLE 2.3-1 (cont.) #### Notes: - Measured trip or actuation occurred outside of calculated evaluation range. - 2. No trip or actuation was predicted for this variable. - Lack of maximum evaluation criterion indicates that trip or actuation may not occur. TABLE 2.3-2 # KEY TO ACTING SIGNAL CODES | current | |---------| | | | | | | | | | | | minal | | minal | | minal | | power | | | | | | | | ond | | | | | | minal | | | TABLE 2.3-2 # KEY TO ACTING SIGNAL CODES | Mnemonic | Signal | Units | |----------|-------------------------------------------|-----------------------| | CONTP | Containment Pressure | psig | | IRNIS | Intermediate Range Neutron Flux | amps detector current | | PPLL | Pressurizer Pressure, Lead/Lag | psig | | | Compensated | | | PRZRL | Pressurizer Water Level | % of span | | PRZRP | Pressurizer Pressure | psig | | OKWFT | Maximum Kilowatts per Foot | kw/ft | | QN16 | N-16 Reactor Power | Fraction of nominal | | RCFLOW | Reactor Coolant Flow | Fraction of nominal | | RCPSPD | Reactor Coolant Pump Speed | Fraction of nominal | | RLNIS | Neutron Flux, Rate/Lag Compensa-<br>tion | Frac. of nom. power | | RX Trip | Reactor Trip | | | SGLVL | Steam Generator Water Level | % of span | | SRNIS | Source Range Neutron Flux | Counts per second | | TCLD | Cold Leg Temperature | °F | | TCLC | Cold Leg Temp., Lead/Lag Compen-<br>sated | °F | | TOTNIS | Total Neutron Flux, Power Range | Fraction of nominal | | | | | # 3.0 SYSTEM DESIGN SPECIFICATION SUMMARY In order to provide an overall definition of the System Design Specification (SDS), Westinghouse Nuclear Technology Division (NTD) provides a top level "Master Reference Document," to the Actual Equipment Supplier (AES) and other interested groups. This "Master Reference Document," together with its listed documentation references, is the Westinghouse NTD System Design Specification for the IPS Prototype. It includes specifications, system drawings, standards and procedure guidelines for manufacture and testing for both the hardware and software aspects of the system. The SDS is under revision control and the drawings and documents for the base line design are listed in the Appendix of this document. The AES receives the SDS when the purchase order is placed and any changes to the SDS are documented by the purchase order documentation. The drawings and documents submitted by the Supplier (AES) are controlled at Westinghouse NTD by the purchase order policies and procedures and all records are kept in an auditable file. The SDS (as referenced by the "System Specification Master Reference Document," SD-IPLS-593, Revision 2) for the IPS Prototype, consists of the following documents and drawings: # 3.1 EQUIPMENT SPECIFICATION (E-SPEC): Westinghouse E-Spec 953230: This E-Spec together with its listed references in Section 3.0 establishes technical and administrative requirements covering system related hardware phases of design, manufacture and testing of the IPS. The E-Spec contains specific requirements for: a,c,e 3.2 SYSTEM BLOCK DIAGRAM: Westinghouse Drawing 1218E17: This drawing represents the overall IPS architecture and its inter-connections. Specifically shown on this drawing are: a,c,e # 3.3 COMPOSITE BLOCK DIAGRAMS 3.3.1 INTEGRATED PROTECTION CABINETS (IPC) Westinghouse Drawing 8761096: These drawings represent the implementation of the system functional requirements, functional diagrams, flow diagrams, channel lists and other key documents for the IPC in both hardware and software. The protection functions contained in the Integrated Protection Cabinets and defined by these drawings are: la,c,e #### 3.3.2 INTEGRATED LOGIC CABINETS (ILC) Westinghouse Drawing 8761D98: These drawings represent the hardware and software implementation of the functional requirements, functional diagrams and key document for the ILC. The Train A Engineered Safeguard Features contained in the Integrated Logic Cabinets and defined by these drawings are: #### 3.3.3 ILC INTERPOSING LOGIC AND POWER INTERFACE Westinghouse Drawing 8763D47 These drawings represent the implementation of functional requirements, diagrams, system interlocks and electrical loads that the ILC control. Complete definition of all Train A load controls and position indication are defined. # 3.4 IPS MODULE LIST AND SPECIFICATION SHEETS Westinghouse SD-IPLS-462 The Module Equipment List is a reference document. It provides listings of all IPS hardware and software modules by process function and physical location. All entries have unique tag numbers that match the Composite Block Diagrams. From this unique tag number, the following additional reference information is provided in the Module Equipment List: Process Protection Function Module Description Module Spec Sheet No. Module Location Purchase Order No. Supplier Drawing References The Module Specification Sheets define the IPS nardware and software modules. Specifications for the various type modules typically contain the following: Module range Engineering Units Module Accuracy Temperature/resistance conversion tables Transfer functions Timing Alarm setpoints Algorithms Definitions of variables Applicable Standards Documentation references # 3.5 IPS SOFTWARE STANDARD: Westinghouse SD-IPLS-590: This Standard defines the Westinghouse NTD requirements for the IPS Software. The areas defined by this Standard area: Standard Scope Administration Requirements Design and Implementation Verification Documentation Installation and Maintenance #### 3.6 IPS AUTOMATIC TESTING REQUIREMENTS Westinghouse SD-IPLS-553: This document provides the design basis for the automatic testing of the IPS. The Protection System testing is divided into four classifications; automatic periodic test, continuous error checks, manual tests and special tests. The contents of this document are: Purpose Design Criteria Automatic Periodic Tests Continuous Error Checks Manual Testing Time Response Testing Special Tests # 3.7 IPS SYSTEM TEST GUIDELINES Westinghouse SD-IPL3-582: This document describes the integrated system verification test guidelines which are used as a basis for the System Test Procedure. It provides guidelines to verify that the IPS meets the Westinghouse NTD requirements of the System Design Specification. The contents of this document are: Purpose & Objective References Prerequisites Test Methods & Practices Test Procedures Acceptance Criteria Functional Test Guidelines Setup Data for Verification Tests #### 3.8 REFERENCES - WCAP-9153; "414 Integrated Protection System Prototype Verification Program." - WCAP-8899; "Westinghouse Model 414 Control System Signal Selector Device." - WCAP-8897; "Bypass Logic for the Westinghouse Integrated Protection System" -- Addendum 1. - 4. Sketch -- Trip Logic System for 414 IPS SKJS-092977-I. - WCAP-8587; "Methodology for Qualifying Westinghouse WRD Supplied NSSS Safety Related Electrical Equipment." #### 4.0 HARDWART VERIFICATION SUMMARY The purpose of the hardware verification program is to ensure that the equipment meets the performance requirements specified in the Equipment Performance Specifications (EPS). The Actual Equipment Supplier's (AES) hardware development group composes the EPS given design inputs from the AES's System Engineering group and Westinghouse NTD. The Westinghouse NTD inputs are provided in, and taken from, the System Design Specification (SDS) and participation by Westinghouse NTD in the AES product definition meetings. A standard format has been established for all EPS's and the performance requirements for the hardware are contained in Sections 7 and 12 of each EPS. In this report, sections of each EPS have been provided to give definition of why the piece of hardware was developed and how it operates. To obtain test results, Product Verification Test Procedures (PVTP) have been established by the AES to test the performance requirements for each piece of equipment covered in the EPS's, Sections 7 and 12. The test results from the PVTP are then compared to the EPS. Any errors found, discrepancies between the EPS performance requirements and actual test results, are recorded by a Request for Engineering Action (REA). Standard formats have been established for the PVTP's and the REA's. An identification of what hardware was verified, a summary of the test results and error incident reports and an EPS summary and a PVTP summary are contained in this section of the report. #### 4.1 HARDWARE VERIFIED Table 4.1 is a list, of what equipment was verified with reference to EPS numbers, PVTP numbers and the verification status. The verification status column entry is marked "passed" if testing has been completed and test discrepancies, if any, have been corrected. The error incident report summaries are in section 4.2 of this report indicating what discrepancies occurred and the actions taken to correct these discrepancies. # 4.2 HARDWARE TEST RESULTS/ERROR INCIDENT REPORTS As shown in Table 4.1, all hardware has been tested, verified and passed. For some equipment, during verification testing, errors were found. These errors were documented in error incident reports (Requests for Engineering Action, REA) as well as the action taken to fix the problem. In most cases, once the error was corrected, the verification tests were run again and the test results recorded. a,c,e This section of the report provides summaries of the errors found and the action taken to correct a problem. The errors are listed below in the order of the cards listed in Table 4.1. EQUIPMENT: EPS NO: PROBLEM: ACTION TAKEN: EQUIPMENT: EPS NO: PROBLEM: ACTION TAKEN: EQUIPMENT: EPS NO: PROBLEM: ACTION TAKEN: EQUIPMENT: EPS NO: PROBLEM: ACTION TAKEN: EQUIPMENT: EPS NO: PROBLEM: ACTION TAKEN: Pages 4-3 to 4-16 would appear blocked out in this format, therefore, are not being printed to conserve paper. - 1 - 4.3 QAC -- ANALOG CONDITIONING CARD - 4.3.1 QAC EQUIPMENT PERFORMANCE SPECIFICATION (EPS) DS1177 SUMMARY DESCRIPTION a,c,e a,c,e 4.3.1.1 Equipment Purpose: 4.3.1.2 Equipment Description: # 4.3.1.3 Salient Features 1. a,c,e 3. 2. 4. 5. 6. 4.3.1.4 Groups Provided a,c,e 4-18 #### 4.3.2 QAC PVTP 6821A68 SUMMARY DESCRIPTION #### 4.3.2.1 Purpose of Test The purpose of these tests is to verify that the QAC card performs as specified by the equipment performance specification DS1177, Revision 3. # 4.3.2.1 Equipment Tested #### 4.3.2.2.1 Identification - Westinghouse Industry Systems Division (ISD) series "Q" Analog Conditioning card — 2840A86. - Serial number assignment: | ASSEMBLY | STYLE | REV | | NAME | SN | |----------|-------|-----|---|-------|--------| | 2840A86 | G01 | В | 1 | QAC5 | 825279 | | 2840A86 | G01 | В | 1 | QAC5 | 825280 | | 2840A86 | G03 | C | 1 | QAC11 | 822921 | | 2840A86 | G04 | C | 1 | QAC12 | 817215 | # 4.3.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1177 for the analog conditioning card. #### 4.3.2.2.3 Test Details a,c,e - 4.4 QAO -- ANALOG OUTPUT CARD - 4.4.1 QAO EPS DS1165 SUMMARY DESCRIPTION - 4.4.1.1 Equipment Purpose: a,c,e 4.4.1.2 Equipment Description: a,c,e 4.4.1.3 Salient Features a,c,e 1. 2. 3. 4. 5. 6. 7. 8. # 4.4.1.4 System Configuration a,c,e 4.4.2 QAO PVTP 6821A62 SUMMARY DESCRIPTION #### 4.4.2.1 Purpose of Test: The purpose of these tests is to verify that the QAO card performs as specified by the equipment performance specification DS1165 Revision 3. #### 4.4.2.2 Equipment Tested: #### 4.4.2.1.1 Identification - Westinghouse ISD series "Q" ANALOG OUTPUT CARD; 2840A21 - 2. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|---------|--------| | 2840A21 | G01 | F | 3 QA08 | 825896 | | 2840A21 | G02 | I | 4 QA08 | 826659 | | 2840A21 | G03 | J | 4 QA013 | 826662 | | 2840A21 | G04 | J | 4 QA013 | 826666 | | 2840A21 | G07 | F | 3 QA014 | 318183 | | | | | | | #### 4.4.2.1.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1165 for the analog output card. 4.4.2.1.3 Test Details General Approach a,c,e 4.5 QAI - ANALOG INPUT POINT CARD 4.5.1 QAI EPS DS1122 SUMMARY DESCRIPTION 4.5.1.1 Equipment Purpose | | Γ | | | | 7 a,c,e | |---|---------|----------------|---------|--|---------| | • | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | L | | | | J | | | 4.5.1.4 | System Configu | uration | | | | | Г | | | | a,c,e | | | | | | | | | | | | | | | | • | | | | | | | | | | | | | | | 4.5.1.5 | Operational S | ummarv | | | | | _ | oper acronar | | | 7 a,c,e | | | | | | | 1.010 | | | | | | | | | • | | | | | | | | | | | | | | _ | | | | | | | | | | | | | | | | | | | | | • | | | | | | | • | L | | | | 7 | \* \* # POOR ORIGINAL #### 4.5.2 DAI PUTP 6821A60 SUMMARY DESCRIPTION #### 4.5.2.1 Purpose of Test The purpose of these tests is to verify that the QAI card performs as specified by the equipment performance specification DS1122 Revision 2. #### 4.5.2.2. Equipment Tested #### 4.5.2.2.1 Identification westinghouse ISD series "Q" Analog input point card. Analog input point card -- 2840A19. #### 2. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|---------|--------| | 2340A19 | G01 | K | 3 QAI8 | 821971 | | 2840A19 | G05 | G | 2 QAI19 | 86115 | | 2340A19 | G06 | J | 2 QAI27 | 809641 | | 2340A19 | G07 | J | 2 QAI28 | 818913 | # 4.5.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1122 for the analog input point card. 4.5.2.2.3 Test Details General Approach # 4.6 QBI -- DIGITAL INPUT CARD 4.6.1 QB: EPS DS1175 SUMMARY DESCRIPTION 4.6.1.1 Equipment Purpose a,c,e 4.6.1.2 Equipment Description a,c,e #### 4.6.1.3 Salient Features 4.6.2 QBI PVTP 6821A63 SUMMARY DESCRIPTION #### 4.6.2.1. Purpose of Test The purpose these of tests is to verify that the QBI card performs as specified by the equipment performance specification DS1175 Revision 2 a,c,e # 4.6.2.2 Equipment Tested #### 4.5.2.2.1 Identification - 1. Westinghouse ISD series "Q" Digital input card -- 2840A80 - 2. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|---------|--------| | 2840A80 | G01 | А | 1 QBI1 | 811065 | | 2840A80 | G04 | А | 1 QBI10 | 807191 | | 2840A80 | G07 | А | 1 QBI13 | 812581 | | 2840A80 | G08 | А | 1 QBI14 | 804838 | | | | | | | 4.6.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1175 for the digital input card. a,c,e 4.6.2.2.3 Test Details General Approach 4-30 - 4.7 QBO -- DIGITAL OUTPUT CARD - 4.7.1 QBO EPS DS1174 SUMMARY DESCRIPTION - 4.7.1.1 Equipment Purpose a,c,e 4.7.1.2 Equipment Description #### 4.7.1.3 Salient Features 1. 2. 3. 4. 5. 6. #### 4.7.2 QBO PYTP 6821A64 SUMMARY DESCRIPTION ## 4.7.2.2 Purpose of Test The purpose of these tests is to verify that the QBO card performs as specified by the equipment performance specification DS1174 Revision 2. # 4.7.2.2 Equipment Tested #### 4.7.2.2.1 Identification - 1. Westinghouse ISD series "Q" Digital output card -- 2840A79 - 2. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|--------|--------| | 2840A79 | G01 | 0 | 1 QB01 | 806468 | | 2840A79 | G01 | 0 | 1 QB01 | 807322 | | 2840A79 | G03 | 0 | 1 QB03 | 815273 | 4.7.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1174 for the digital output card. 4.7.2.2.3 Test Details General Approach # 4.8 QCI -- CONTACT INPUT CARD 4.8.1 QCI EPS DS1189 SUMMARY DESCRIPTION a,c,e a,c,e 4.8.1.1 Equipment Purpose 4.8.1.2 Equipment Description 4-34 #### 4.8.1.3 Salient Features 1) 2) 3) 4) 5) 6) 7) 8) 4.8.2 QCI PVTP 6821A69 SUMMARY DESCRIPTION #### 4.8.2.1 Purpose of Test 9) The purpose of these tests is to verify that the QCI card performs as specified by the equipment performance specification DS1189 Revision 2. a,c,e #### 4.8.2.2 Equipment Tested #### 4.8.2.2.1 Identification - A. Westinghouse ISD series "Q" Contact input card --- 7379A06 - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|--------| | 7379A06 | G01 | С | 20015 | 818482 | | 7379A06 | G01 | С | 20015 | 818503 | | 7379A06 | G02 | C | 20016 | 824459 | | 7379A06 | G02 | C | 20016 | 824459 | #### 4.8.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1189 for the contact input card. 4.8.2.2.3 Test Details General Approach # 4.9 ODI -- DIGITAL INPUT CARD 4.9.1 QDI EPS DS1141 SUMMARY DESCRIPTION 4.9.1.1 Equipment Purpose a,c,e a,c,e # 4.9.1.3 Salient Features 1) 2) 3) 4) 5) 6) 7) 4.9.2 QDI PVTP 6821A70 SUMMARY DESCRIPTION #### 4.9.2.1 Purpose of Test The purpose of these tests is to verify that the QDI card performs as specified by the equipment performance specification DS1141 Revision 5. ## 4.9.2.2 Equipment Tested #### 4.9.2.2.1 Identification A. Westinghouse ISD series "Q" Digital input card -- 2840Al3 #### b. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|--------|--------| | 2840A13 | G02 | В | 30012 | 80660 | | 2840A13 | G04 | В | 3QDI4 | 80661 | | 2840A13 | G06 | F | 300111 | 809725 | #### 4.9.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1141 for the digital input card. #### 4.9.2.2.3 Test Details General Approach a,c,e a,c,e 5123A #### 4.10.2 QMC PVTP 6822A39 SUMMARY DESCRIPTION #### 4.10.2.1 Purpose of Test The purpose of these tests is to verify that the QMC card performs as specified by the equipment performance specifications DS1139 Revision 2. #### 4.10.2.2 Equipment Tested #### 4.10.2.2.1 Identification - A. Westinghouse ISD series "Q" MICROCOMPUTER CARD -- 2840A10 - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|--------|--------| | 2840A10 | G02 | K | 2QMC10 | 917809 | | 2840A10 | G02 | K | 20MC10 | 915186 | | 2840A10 | G02 | K | 2QMC10 | 830445 | | | | | | | # 4.10.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of OS1139 for the microcomputer card. 4.10.2.2.3 Test Details General Approach # 4.11 QMD -- DATA LINK CONTROLLER CARD QMD EPS DS1173 SUMMARY DESCRIPTION #### Equipment Purpose a,c,e 4.11.1.2 Equipment Description 4.11.2 QMD PVTP 6822A41 SUMMARY DESCRIPTION # 4.11.2.1 Purpose of Test The purpose of these tests is to verify that the QMD card performs as specified by the equipment performance specifications DS1173 Revision 3. # 4.11.2.2 Equipment Tested 4.11.2.2.1 Identification - A. Westinghouse ISD series "Q" DATA LINK CONTROLLER CARD -- 2840A83 - B. Serial number assignment: | ASSEMBLY | STYLE | KEV | NAME | SN | |----------|-------|-----|--------|--------| | 2840A83 | G01 | | 1QMD25 | 901054 | | 2840A83 | G02 | | 1QMD26 | 831776 | | 2840A83 | G03 | Κ | 1QMD23 | 901080 | 5123A 4-44 4.11.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1173 for the data link controller card. 4.11.2.2.3 Test Details General Approach 4.12 QME -- MEMORY EXTENDER CARD 4.12.1 QME EPS DS1166 SUMMARY DESCRIPTION 4.12.1.1 Equipment Purpose a,c,e 4.12.1.2 Equipment Description a,c,e 4-47 ## 4.12.2 QME PVTP 6822A40 SUMMARY DESCRIPTION ### 4.12.2.1 Purpose of Test The purpose of these tests is to verify that the QME card performs as specified by the equipment performance specification DS1166 Revision 2. # 4.12.2.2 Equipment Tested ### 4.12.2.2.1 Identification - A. Westinghouse ISD series "Q" MEMORY EXTENDER CARD -- 2840A15 - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|--------|--------| | 2840A15 | G01 | ξ. | 2QME8 | 815224 | | 2840A15 | G02 | F | 2QME12 | 830350 | | 2840A15 | G04 | F | 2QME11 | 819996 | 4.12.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1166 for the memory extender card. 4.12.2.2.3 Test Details General Approach 4.13 OMS -- TWO PORT SHARED MEMORY CARD 4.13.1 QMS EPS DS1179 SUMMARY DESCRIPTION 4.13.1.1 Equipment Purpose 7 a,c,e 4.13.1.2 Equipment Description 4.13.2 QMS PVTP 6822A42 SUMMARY DESCRIPTION # 4.13.2.1 Purpose of Test The purpose of these tests is to verify that the QMS card performs as specified by the equipment performance specification DS1179 Revision 2. # 4.13.2.2 Equipment Tested # 4.13.2.2.1 Identification - A. Westinghouse ISD series "Q" TWO PORT SHARED MEMORY CARD -- 2840A80 - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|--------|--------| | 2840A80 | G01 | М | 3QMS11 | 901464 | | 2840A80 | G01 | М | 3QMS11 | 901465 | | 2840A80 | G02 | М | 1QMS11 | 822169 | 4.13.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1179 for the two port shared memory card. a,c,e 4.13.2.2.3 Test Details General Approach - 4.14 QPD, OPP -- Q-LINE CRATE PADDLE CARD 4.14.1 QPD, QPP EPS DS1218 SUMMARY DESCRIPTION 4.14.1.1 Equipment Purpose - 4.14.1.2 Equipment Description 4.14.2 QPD, QPP PVTP 7601A73 SUMMARY DESCRIPTION ## 4.14.2.1 Purpose of Test The purpose of these tests is to verify that the QPD, QPP card performs as specified by the equipment performance specification DS 1218 Revision 2. # 4.14.2.2 Equipment Tested 4.14.2.2.1 Identification A. Westinghouse ISD series 'Q' Q-Line Wrapper cards 2840A77 and 2840A40. # B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | |----------|-------|-----|------| | | | | | | 2840A77 | G01 | Ε | QPP | | 2840A77 | G02 | Ε | QPP | | 2840A77 | G02 | Ē | QPP | | 2840A40 | G01 | В | QPD | | 2840A40 | G02 | 3 | QPD | | | | | | 4-56 4.14.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS 1218 for the Q-line crate paddle cards. 4.14.2.2.3 Test Details General Approach 4.15.2 QTB PVTP 6821A61 SUMMARY DESCRIPTION ### 4.15.2.1 Purpose of Test The purpose of these tests is to verify that the QTB card performs as specified by the equipment performance specification DS1148 Revision 2. # 4.15.2.2 Equipment Tested #### 4.15.2.2.1 Identification - A. Westinghouse ISD series "Q" ANALOG TIME BASE GENERATOR CARD; 2840A19 - B. Serial number assignment: | STYLE | REV | NAME | SN | |-------|------------|----------------|----------------------------| | G01 | Ε | 20181 | 817366 | | G02 | Ε | 2QTB2 | 805624 | | G03 | F | 2QTB5 | 824036 | | | G01<br>G02 | G01 E<br>G02 E | G01 E 2QTB1<br>G02 E 2QTB2 | 4.15.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1148 for the Analog Time Base Generator Card. 4.15.2.2.3 Test Details General Approach # 4.16 NAI - ANNUNCIATOR INTERFACE CARD 4.16.1 NAI EPS DS1973 SUMMARY DESCRIPTION ### 4.16.1.1 Equipment Purpose 4.16.1.2 Equipment Description 4.16.2 NAI PVTP SUMMARY DESCRIPTION #### 4.16.2.1 Purpose of Test The purpose of these tests is to verify that the NAI card performs as specified by the equipment performance specification DS1073. a,c,e Ta,c,e #### 4.16.2.2 Equipment Tested #### 4.16.2.2.1 Identification A. Westinghouse ISD series "N" Annunciator Interfaced card -- 2838A88 B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | |----------|-------|-----|------| | 2838A88 | G06 | 9 | NAI | 4.16.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1073 for the annunciator interface card. 4.16.2.2.3 Test Details General Approach - 4.17 NAC -- ANALOG COMPARATOR CARD - 4.17.1 NAC EPS DS1102 SUMMARY DESCRIPTION a,c,e 4.17.1.1 Equipment Purpose 4.17.1.2 Equipment Description 4-65 # 4.17.2 NAC PVTP VR-76 SUMMARY DESCRIPTION ### 4.17.2.1 Purpose of Test The purpose of these tests is to verify that the NAC card performs as specified by the equipment performance specification DS1102 Revision 3. # 4.17.2.2 Equipment Tested #### 4.17.2.2.1 Identification A. Westinghouse ISD series "N" analog comparator card -- 2838A32 ### B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|------| | 2838A32 | G01 | 4 | 3NAC1 | 3906 | | 2838A32 | G01 | 4 | 3NAC1 | 3907 | | 2838A32 | G01 | 4 | 3NAC1 | 3908 | | 2838A32 | G01 | 4 | 3NAC1 | 3909 | # 4.17.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1102 for the analog comparator card. #### 4.17.2.2.3 Test Details General Approach 4-67 # 4.18 NCI - INPUT CARD 4.18.1 NCI EPS DS1071 SUMMARY DESCRIPTION a,c,e a,c,e 4.18.1.1 Equipment Purpose 4.18.1.2 Equipment Description 4.18.2 NCI, PVTP VR-71 SUMMARY DESCRIPTION # 4.18.2.1 Purpose of Test The purpose of these tests is to verify that the NCI card performs as specified by the eq.ipment performance specification DS1071 Revision 2. - 4.18.2.2 Equipment Tested - 4.18.2.2.1 Identification - A. Westinghouse ISD series "N" Input card - B. STYLE 2837A86G01 Revision 5 Assembly Drawing 2837A86 Name 1NCI2 - 4.18.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1071 for the momentary output card. 4.18.2.2.3 Test Details General Approach # IMAGE EVALUATION TEST TARGET (MT-3) # MICROCOPY RESOLUTION TEST CHART # IMAGE EVALUATION TEST TARGET (MT-3) # MICROCOPY RESOLUTION TEST CHART OI WILL SZIMING 4.19 NCP -- REACTOR COOLANT PUMP SPEED CARD 4.19.1 NCP EPS DS1188 SUMMARY DESCRIPTION 4.19.1.1 Equipment Purpose a,c,e 4.19.1.2 Equipment Description a,c,e #### 4.19.2 NCP PVTP 6822A37 SUMMARY DESCRIPTION #### 4.19.2.1 Purpose of Test The purpose of these tests is to verify that the NCP card performs as specified by the equipment performance specification DS1188 Revision 3. ### 4.19.2.2 Equipment Tested #### 4.19.2.2.1 Identification A. Westinghouse JSD series "N" REACTOR COOLANT PUMP SPEED CARD 7379A05 ### B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|--------| | 7379A05 | G01 | С | 3NCP3 | 906745 | | 7379A05 | G01 | C | 3NCP3 | 906746 | | 7379A05 | G02 | | NCP | 906749 | #### 4.19.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1188 for the reactor coolant pump speed card. #### 4.19.2.2.3 Test Devails General Approach | 4.20 NDC - CONTACT INPUT CARD | | |-------------------------------------------|-----------| | 4.20.1 NDC EPS DS1196 SUMMARY DESCRIPTION | | | 4.20.1.1 Equipment Purpose | ¬ a,c,e ● | | | 4,0,0 | | | | | | | | | | | | | | | | | 4.20.1.2 Equipment Description | | | 4.20.1.2 Equipment Description | 7 a,c,e a,c,e | 4.20.2 NDC PVTP 6821A79 SUMMARY DESCRIPTION ### 4.20.2.1 Purpose of Test The purpose of these tests is to verify that the NDC card performs as specified by the equipment performance specification DS1196 Revison 3. ### 4.20.2.2 Equipment Tested - 4.20.2.2.1 Identification - A. Westinghouse ISD series "N" Contact Input Card -- 7379A04 - 3. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | <u>SN</u> | |----------|-------|-----|-------|-----------| | 7379A04 | 601 | D | INDC1 | 317086 | | 7379A04 | G01 | 0 | INDC1 | 817084 | | 7379A04 | G01 | 0 | INDC1 | 817805 | | | | | | | 4.20.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1196 for the contact input card. 4.20.2.2.3 Test Details General Approach a,c,e 4.21 NIL - INTEGRATED LOGIC CARD 4.21.1 NIL EFS JS1128 SUMMARY DESCRIPTION 4.21.1.1 Equipment Purpose 4-76 ### 4.21.2 NIL PVTP 6822A38 SUMMARY DESCRIPTION ### 4.21.2.1 Purpose of Test The purpose of these tests is to verify that the NIL card performs as specified by the equipment performance specification DS1128 Revision 4. ### 4.21.2.2 Equipment Tested #### 4.21.2.2.1 Identification - A. westingnouse ISD series "N" INTEGRATED LOGIC CARD 2840A05. - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|---------|--------| | 2840A05 | G01 | £ | 3 NIL 3 | 806623 | | 2840A05 | 302 | Ε | 3 NIL 2 | 810462 | | 2840A05 | G03 | Ε | 3 NIL 1 | 820395 | ### 4.21.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1128 for the i tegrated logic card. #### 4.21.2.2.3 Test Details General Approach a,c,e 4.22 NMA - ANALOG MIXING AMPLIFIER CARD 4.22.1 NMA EPS DS1104 SUMMARY DESCRIPTION 4.21.1.1 Equipment Purpose POOR ORIGINAL ~7 a,c,e 4.22.2 NMA PYTP VR-67 SUMMARY DESCRIPTION # 4.22.2.1 Purpose of Test The purpose of these tests is to verify that the NMA card performs as specified by the equipment performance specification DS1104 Revision 2. 4.22.2.2 Equipment Tested 4.22.2.2.1 Identification - A. Hagan Series 7300 Mixing Amplifiers Card (NMA) ----- Style 2838A34 - B. Serial Number Assignments ----- S/N 1524, 1525, 1526, 1527 4.22.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1104 for the analog mixing amplifier card. 4.22.2.2.3 Test Details General Approach a,c,e 4.23 NMO MOMENTARY OUTPUT CARD 4.23.1 NMO EPS DS1194 SUMMARY DESCRIPTION 4.23.1.1 Equipment Purpose a,c,e 2.23.1.2 Equipment Description a,c,e 4.23.2 VMD PVTP 5821A77 SUMMARY DESCRIPTION #### 4.23.2.1 Purpose of Test The purpose of these tests is to verify that the NMO card performs as specified by the equipment performance specification DS1194 Revision 1. # 4.23.2.2 Equipment Tested - 4.23.2.2.1 Identification - A. Westinghouse ISD series "N" Momentary Output card -- 7379A02. - 8. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | <u>SN</u> | |----------|-------|-----|-------|-----------| | 7379402 | G01 | 0 | 1NM01 | 826099 | | 7379A02 | G01 | 0 | 1NM01 | 826109 | | 7379A02 | G01 | 0 | 1NM01 | 826120 | 4.23.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1194 for the momentary output card. 4.23.2.2.3 Test Details General Approach # 4.24 NQO QUAD OUTPUT CARD 4.24.1 NQO EPS DS1187 SUMMARY DESCRIPTION a.c.e 4.24.1.2 Equipment Description a.c.e A fuse is provided for each circuit. 4.24.2 NQO PVTP 6821A73 SUMMARY DESCRIPTION # 4.24.2.1 Purpose of Test The purpose of these tests is to verify that the NQO card performs as specified by the equiment performance specification DS1137 Revision 2. # 4.24.2.2 Equipment Tested 4.24.2.2.1 Identification - A. Westinghouse ISD series "N" QUAD OUTPUT CARD, 2840A57. - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|--------| | 2840A57 | G01 | 0 | 2NQ03 | 818108 | | 2840A57 | G01 | D | 2NQ03 | 818121 | | 2840A57 | G01 | D | 2NQ03 | 818117 | 4.24.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1187 for the QUAD OUTPUT CARD. a.c.e 4.24.2.2.3 Test Details General Approach a,c,e 4.25 NOP QUAD LOOPS POWER SUPPLY 4.25.1 NQP EPS DS1005 SUMMARY DESCRIPTION 4.25.1.1 Equipment Purpose a,c,e 4.25.1.2 Equipment Description a,c,e 4-87 # 4.25.2 NOP PVTP VR-50 SUMMARY DESCRIPTION # 4.25.2.1 Purpose of Test The purpose of these tests is to verify that the NQP card performs as specified by the equipment performance specification DS1005 Revision 1. # 4.24.2.2 Equipment Tested #### 4.25.2.2.1 Identification - A. Quad Loop Power Supply (NQP) Card - B. 7300 Series, Style 2822A97G01 Assembly Drawing 2822A97 Serial Numbers DENO5-08, 09,10 4.25.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1005 for the Quad Loop Taken Supply Card. 4.25.2.2.3 Test Details General Approach a,c,e 4.26 NQT — QUAD OUTPUT CARD 4.26.1 NQT EPS DS1184 SUMMARY DESCRIPTION 4.26.1.1 Equipment Purpose a,c,e 4.26.1.2 Equipment Description a,c,e 4.26.1.3 Salient Features a,c,e 4.26.2 NQT PVTP 6821A78 SUMMARY DESCRIPTION # 4.26.2.1 Purpose of Test The purpose of these tests is to verify that the NQT card performs as specified by the equipment performance specification DS1184 Revision 1. # 4.26.2.2 Equipment Tested #### 4.26.2.2.1 Identification - A. Westinghouse ISD series "N" Quad 3 Amp 120 VAC output card --7379A03. - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|--------| | 7379A03 | G01 | D | 2NQT2 | 828216 | | 7379A03 | G01 | D | 2NQT2 | 828224 | | 7379A03 | G01 | D | 2NQT2 | 828226 | 4.26.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1184 for the Quad 3 Amp 120 VAC Output Card. 4.26.2.2.3 Test Details General Approach a,c,e 4-92 | 4.27 NRA RESISTANCE TEMPERATURE DETECTOR (RTD) AMPLIFIER CARD | | |---------------------------------------------------------------|---| | 4.27.1 NRA EPS DS1017 SUMMARY DESCRIPTIONS | | | 4.27.1.1 Equipment Purpose | ٦ | | | | | 4.27.1.2 Equipment Description | _ | | | 1 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 4.27.2 NRA PYTP VR-60 SUMMARY DESCRIPTION # 4.27.2.1 Purpose of Test The purpose of these tests is to verify that the NRA card performs as specified by the equipment performance specification DS 1017 Revision 2. # 4.27.2.2 Equipment Tested #### 4.27.2.2.1 Identification - A. Hagan Series 7300 RTD Amplifiers - (1) RTD Amplifier Card ----- Style 2837A15G02 For platinum and nickel probes -- with output signal characterizer. - B. Serial Number Assignments: GO2 RTD Amplifier Cards ----- S/N 177, 178 and 179 4.27.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS 1017 for the RTD Amplifier card. for the memory extender card. 4.27.2.2.3 Test Details General Approach a,c,e 4-96 4.28 NTB BREAKER TRIP BYPASS CARD 4.28.1 NTB EPS DS1207 SUMMARY DESCRIPTION 4.28.1.1 Equipment Purpose a,c,e 4.28.1.2 Equipment Description The NTB is a special purpose card which is part of the Westinghouse 414 IPS. #### 4.28.2 NTB PVTP 6821A75 SUMMARY DESCRIPTION # 4.28.2.1 Purpose of Test The purpose of these tests is to verify that the NTB card performs as specified by the equipment performance specification DS1207 Revision 2. # 4.28.2.2 Equipment Tested 4.28.2.2.1 Identification - A. Westinghouse ISD series "N" Breaker Trip Bypass card 2840A98 - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|--------| | 2840A98 | G01 | 8 | 2NTB1 | 826086 | | 2840A98 | G01 | В | 2NTB1 | 826069 | | 2840A98 | G01 | В | 2NTB1 | 826072 | # 4.28.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1207 for the breaker trip bypass card. #### 4.28.2.2.3 Test Details Genera' Approach -, a,c,e 4.29 NTL -- BREAKER TRIP LOGIC CARD 4.29.1 NTL EPS DS1202 SUMMARY DESCRIPTION 4.29.1.1 Equipment Purpose 4.29.1.2 Equipment Description a,c,e # 4.29.2 NTL PVTP 6821A76 SUMMARY DESCRIPTION # 4.29.2.1 Purpose of Test The purpose of these tests is to verify \*. at the NTL card performs as specified by the equipment performance specification DS1202, Revision 2. # 4.29.2.2 Equipment Tested 4.29.2.2.1 Identification - A. W ISD series "N" Breaker Trip Logic Card 2840A99 Revision C - B. Serial number assignment: | ASSEMBLY | STYLE | REV | NAME | SN | |----------|-------|-----|-------|--------| | 2840A99 | G01 | C | 2NTL2 | 826575 | | 2840A99 | G01 | C | 2NTL2 | 826576 | |---------|-----|---|-------|--------| | 2840A99 | G01 | С | 2NTL2 | 826577 | 4.29.2.2.2 Description and Specification Performance and environmental specifications are taken from Sections 7 and 12 of DS1202 for the breaker trip logic card. 4.29.2.2.3 Test Details General Approach -a,c,e . 10 # 4.30 M-8US 4.30.1 M-BUS EPS DS1178 SUMMARY DESCRIPTION 4.30.1.1 Equipment Purpose a,c,e 4.30.1.2 Equipment Description a,c,e #### 4.30.2 M-BUS PVTP SUMMARY DESCRIPTION This information will be provided in a future revision of this document as part of the reverification process. - 4.31 UNIVERSAL INPUT/OUTPUT BUS (UIOB) - 4.31.1 UIOB EPS DS1144 SUMMARY DECRIPTION 4.31.1.1 Equipment Purpose a,c,e 4.31.1.2 Equipment Description 4.31.2 UIOB PVTP SUMMARY DESCRIPTION This information will be provided in a future revision of this doc ment as part of the reverification process. - 4.32 Q-LINE/7300 SERIES POWER SUPPLY - 4.32.1 POWER SUPPLY EPS DS1203 SUMMARY DESCRIPTION - 4.32.1.1 Equipment Purpose # 4.32.2 POWER SUPPLY PVTP SUMMARY DESCRIPTION This information will be provided in a future revision of this document as part of the reverification program. 4.33 SOURCE RANGE MODULE (SRM) 4.33.1 SRM EPS SKRMP80177 EQUIPMENT SUMMARY DESCRIPTION 4.33.1.1 Equipment Purpose 4.33.2 SRM PVTP T-925870 TEST SUMMARY DESCRIPTION # 4.33.2.1 Purpose of Test The purpose of these tests is to verify that the Source Range Module performs to the functional requirements of System Specification SKRMP80177 Revision 1. # 4.33.2.1 Equipment Tested The IPS Nuclear Instrumentation System Source Range Module - DWG. 1061E19 GO1 Serial No. 0001 #### Reference Documents: | Source Range Preamp Assy | 6079074 | |--------------------------------|------------| | Source Range Preamp Card Assy | 1061E21 | | NIS Module Assy | 1061E19414 | | Module Power Card Assy | 1061E06 | | Log Pulse Integrator Card Assy | 1061E11 | | Post Amp/Disc. Card Assy | 1061E20 | | Wiring List | 2383A22 | # 4.33.2.3 Test Details General Approach \_, a,c,e # 4.34.1.3 Salient Features a,c,e 4.34.2 IRM 2383A66 TEST SUMMARY DESCRIPTION # 4.34.2.1 Purpose of Test The purpose of these tests is to verify that Intermediate Range Module performs to the functional requirements of System Specification SKRMP80177 Revision 1. # 4.34.2.2 Equipment Tested The IPS Nuclear Instrumentation Intermediate Range Module, - DWG 1061E19 GO2 Serial No. 01 #### Reference Documents: IR Module Assembly 1061E19G02 Module Power Assy 1061E06 Wire List 2383A54 Log Level Amplifier Assy 1061E15G01 Westinghouse PWRSD Spec. Sheet No. NIS-5 Tag NY35Al Westinghouse NICD Level II Specification SK 92277.01 Log Level Amp Design Justification SK JS-10-14-77 # 4.34.2.3 Test Details General Approach: - a,c,e # 4.35 POWER RANGE MODULE (PRM) 4.35.1 PRM SKRMP 80177 EQUIPMENT SUMMARY DESCRIPTION 4.35.1.1 Equipment Purpose a,c,e 4.35.1.2 Equipment Description a,c,e 4.35.1.3 Salient Features a,c,e # 4.35.2 PRM PVTP 2383A67 TEST SUMMARY DESCRIPTION # 4.35.2.1 Purpose of Test The purpose of these tests is to verify that the Power Range Module performs the functional equirements of SKRMP80177, Revision 1. # 4.35.2.2 Equipment Tested The IPS Nuclear Instrumentation System Power Range Module - DWG. 1061E19 GO3 Serial No. 001. #### Reference Documents: | Power Range | Module Assembly | 1061E19 | |--------------|-----------------------|------------| | Power Range | Module Wire Data List | 2383A25 | | Power Range | Amplifier Assembly | 1061E26 | | | r Supply Assembly | 1061E06 | | Shorting Pla | | 3377C40G01 | # 4.35.2.3 Test Details General Approach: a,c,e 4.36 N-16 POWER MONITOR MODULE 4.36.1 N-16 POWER MONITOR EPS SKRMP80177 EQUIPMENT SUMMARY DESCRIPTION 4.36.1.1 Equipment Purpose The purpose of these tests is to verify that the N-16 Power Monitor Module performs the functional requirements of SKRMP80177, Revision 1. # 4.36.2.2 Equipment Tested The IPS N-16 Power Monitor Module - DWG. 1061E19 G04 Serial No. 001 a,c,e # Reference Documents: | Module Assembly | 1061E19 | |-------------------------|---------| | Printed Wiring Assembly | 1061E42 | | Wire List | 2383A24 | # 4.36.2.3 Test Details General Approach: 4.37.2 SRP PVTP T-925870 TEST SUMMARY DESCRIPTION # 4.37.2.1 Purpose of Test The purpose of these tests is to verify that the Source Range Preamplifier performs to the functional requirements of System Specification SKRMP80177, Revision 1. # 4.37.2.2 Equipment Tested The IPS Nuclear Instrumentation System Source Range Preamplifier - DWG. 6079DT1 GO1 Serial No. 0001 ### Reference Documents: | Source Range Preamp Assy. | 6079074 | |---------------------------------|---------| | Source Range Preamp Card Assy. | 1061E21 | | 414 NIS Module Assy. | 1061E19 | | Module Power Card Assy. | 1061E06 | | Log Pulse Integrator Card Assy. | 1061811 | | Post Amp/Disc. Card Assy. | 1061E20 | | Wiring List | 2383A22 | # 4.37.2.3 Test Details General Approach a,c,e - 4.38 HIGH VOLTAGE POWER SUPPLY MODULE (HVPSM) - 4.38.1 HVPSM EPS SKRMP80177 EQUIPMENT SUMMARY DESCRIPTION - 4.38.1.1 Equipment Purpose ### 4.38.1.2 Equipment Description a,c,e 4.38.1.3 Salient Features a.c.e ### 4.38.2 HVPSM PVTP 2383A74 TEST SUMMARY DESCRIPTION The purpose of these tests is to verify that the High Voltage Power Supply Module performs the functional requirements of SKRMP80177. ### 4.38.2.1 Equipment Tested The IPS Nuclear Instrumentation Subsystem, High Voltage Power Supply Module - DWG. 1061E34 GO1 Serial No. 0001 ### Reference Documents: Source Range Preamplifier Source Range Module Intermediate Range Module 6079074G01 1061E19G01 1061E19G02 Power Range nodule Power Monitor Module High Voltage Power Supply 1061E19G03 1061E19G04 1061E34G01 4.38.2.2 Test Details General Approach: | | a,c,e | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| | | | | [경기 경기 기계 기계 경기 기계 | | | ##################################### | | | | | | # 50kg (1) 10kg | | | | _ | | 4.39 SAFETY GRADE DIGITAL ROD POSITION INDICATOR (SGRPI) | | | The state of s | | | 4.39.1 SGDRPI EPS ES-9553230 EQUIPMENT SUMMARY DESCRIPTION | | | | | | 4.39.1.1 Equipment Purpose | _ a,c,e | | | | | | | | | | | | | | | | | | | | | 9 | | | | | | | | | | | | | | 4.39.1.2 Equipment Description | _ a,c,e | | [F.K. 조심하다] 전 2018년 1일 | | | | | | 부딪쳤다. 하는 그리고 맛있는데 그는 그 그 그는 | | | | | | | | | 그리트 그 아이들은 얼마나 사람이 되었다면 하는데 | | | | - 0 | | | | 4.39.2 SGDRPI PVTP T-925873 TEST SUMMARY DESCRIPTION # 4.39.2.1 Purpose of Test The purpose of these tests is to verify that the Power Range Module performs the functional requirements of Engineering Specification 953230 Revision O. # 4.39.2.2 Equipment Tested The Safety Grade Digital Rod Position Indication System - DWG. 1061E35 Serial No. 0001 Reference Documents: Temperature Sensor Assembly 6080067 Data Cabinet Schematic 1061E35 a,c,e 4.39.2.3 Test Details General Approach: TABLE 4.1 HARDWARE VERIFIED | Mnemonic | Equipment Name | EPS Number | PVTP Number | Verification States | | |------------------|---------------------------------|---------------|----------------------------|---------------------|-------| | | | | | | a,c,e | | QAC | Analog Conditioning Card | DS1177 | 6821A68 | | | | QAO | Analog Output Card | DS1165 | 6821A62 | | | | QAI | Analog Input Point Card | DS1122 | 6821A60 | | | | QB1 | Digital Input Card | DS1175 | 6821A63 | | 1 | | QBO | Digital Output Card | DS1174 | 6821A64 | | | | QCI | Contact Input Card | DS1189 | 6921A69 | | | | 100 | Digital Inpot Card | DS1141 | 6821A70 | | | | QMC <sup>2</sup> | Microcomputer Card | DS1139 | 6822A39 | | | | QMD <sup>2</sup> | Data Link Controller Card | DS1173 | 6822A41 | | | | QMB | Micro Bus Buffer Card | Not Available | Not Available 1 | | | | QME <sup>2</sup> | Memory Extender Card | DS1166 | 6822A40 | | | | QMS <sup>2</sup> | 2 Port Shared Memory Card | 0S1179 | 6822A42 | | | | QPD,QPP | Q-Line Crate Paddle Card | DS1218 | 7601A73 | | | | QTB | Time Base Card | DS1148 | 6321A61 | | | | NAI | Annunciator Interface Card | DS1073 | Not Available <sup>1</sup> | | | | NAC | Analog Computer Card | DS1102 | VR-76 | | | | NCI | Input Card | DS1071 | VR-71 | | | | NCP | Reactor Coolant Pump Speed Card | DS1188 | 6822A37 | | | | NDC | Contact Input Card | DS1196 | 6821A79 | | | | NIL | Integrated Logic Card | DS1128 | 6822A38 | | 3 L | | NMA | Analog Mixing Amplitude Card | DS1104 | VR-67 | | | | Min | Analog Mixing Amplitude Card | 031104 | | | | TABLE 4.1 HARDWARE VERIFIED (cont) | Mnemonic | Equipment Name | EPS Number | PVIP Number | Verification Status | _a,c,e | |---------------------|---------------------------------|------------|---------------|---------------------|--------| | NMO | Momentary Output Card | DS1194 | 6821A77 | | | | NQO | Quad Output Card | DS1187 | 6821A73 | | | | NQP | Quad Loop Power Supply Card | DS1005 | VR-50 | | | | NQT | Quad Output Card | DS1184 | 6821A78 | | | | NRA | RTD Amplifier Card | DS1017 | VR-60 | | | | NTB | Breaker Trip Bypass Card | 0\$1207 | 6821A75 | | | | NTL | Breaker Trip Logic Card | 051202 | 6821A76 | | | | MBus | micro-bus | DS1243 | Not Available | | | | Mx-Bus <sup>2</sup> | Micro-bus | DS1244 | Not Available | 1 | | | UIOB | Universal I/O Bus | DS1144 | Not Available | 1 | | | N/A | Q-line/7300 Series Power Supply | 051203 | Not Available | 1 | | | N/A | Source Range Module | SKRMP80177 | T-925870 | | | | N/A | Intermediate Range Module | SKRMP80177 | 2383A66 | | | | N/A | Power Range Module | SKRMP80177 | 2383A67 | | | | | | | | | | HARDWARE VERIFIED (cont) | Mnemonic | Equipment Name | EPS Number | PVTP Number | Verificati | ion Status | |----------|----------------------------|------------|-------------|------------|------------| | | | | | - | -da,c,e | | N/A | N-16 Power Range Module | SKRMP80177 | T-925871 | | | | N/A | Source Range Pre-amplifier | SKRMP80177 | 7-925870 | | | | N/A | High Voltage Power Supply | SKRMP80177 | 2383A47 | | - | | N/A | Safety Grade Digital RPI | ES-953230 | T-925873 | | | | | | | | | | N/A = not applicable ### NOTES: - 1. This information was not available at the time of printing and will be supplied in a future revision of this document as part of the reverification process. - 2. These cards are tested at room temperature only. All are undergoing modifications that will correct problems resulting from operation at higher temperatures. A future revision of this document which will cover the reverification process will include all testing done on the modified boards and will include information on the new Mx-Bus and QMB card which are part of these modifications. # 5.0 SOFTWARE VERIFICATION SUMMARY The purpose of the software verification program was to demonstrate that the IPS software performed the function defined by the Software Performance Specification (SPS), to review protection system software with respect to its testabilty, and to generate documentation sufficient to accommodate independent second party review. The Actual Equipment Supplier (AES) writes the SPS given design inputs from their software development group and Westinghouse NTD. The Westinghouse NTD inputs are provided in, and taken from the System Design Specification (SDS) and participation by Westinghouse NTD in the AES software development meetings. A standard format has been established for all SPS's and the performance requirements for the software processes are contained in two areas. The first area is the top level process SPS which defines the overall subsystem performance; the second area is the lower level process SPS which defines a specific process through sub-system decomposition. In this report, sections of each top level SPS have been provided to give definition of the purpose and the services performed by the process. To obtain test results, Software Test Specifications (STS) have been established by the Supplier (AES) to test the performance requirements of each Software Performance Specification (SPS). The test results from the STS are then compared to the SPS. Any errors found, discrepancies between the SPS, its code and the actual test results, are recorded via a Verification Error Report Form. The error report form states what the error or discrepancy was and what was done to correct the problem. A standard format was established for the STS's and the format of the error report is consistent because it is a standard form. This section contains a summary of what software was verified; summary of the test results and error incident reports; an SPS summary and a STS summary. # 5.1 SOFTWARE VERIFIED Table 5.1 is a table of major sub-system software that was verified. For each major software sub-system, the table references mnemonics, process names, SPS numbers (see note), STS numbers (see note), and the verification status. The software error incident report summaries are in section 5.2 of this report, detailing all software test discrepancies found and actions taken to correct them. NOTE: The SPS and STS numbers given in table 5.1 represent blocks of numbers assigned to each major sub-system. Not all consecutive numbers are used in these block assignments. See sections 5.3-5.14 of this report for complete listings of all SPS's and STS's. # 5.2 SOFTWARE TEST RESULTS/ERROR INCIDENT REPORTS As shown in table 5.1, the IPS all software has been tested and verified as meeting specifications. For some software processes, during verification testing, errors were found. These errors were documented in error incident reports (Verification Error Report (VER)) as well as the action taken to correct the problem. This section of the report summarizes the errors found and the action taken. The errors are listed in the order of the major sub-system listed in table 5.1. SOFTWARE SUB-SYSTEM: System Support Modules VER NO: 007 SPS NO: SPS0009 PROBLEM: | | | | | a,c,e | |---|---------------|----------------------------------|-----------|--------| | | ACTION TAKEN: | | | | | _ | | | | | | | REFERENCE: | L | | | | | SOFTWARE | | | | | _ | SUB-SYSTEM: | System Support Modules | VER NO: 0 | 22 | | | SPS NO: | SPS0013 | | a,c,e | | | PROBLEM: | | | | | | ACTION TAKE: | | | | | | REFERENCE: | L | | | | | SOFTWARE | | | | | | SUB-SYSTEM: | System Support Modules | VER NO: 0 | 26 | | | SPS NO: | SPS0037 | | a,c,e | | | PROBLEM: | | | | | | | | | | | | ACTION TAKEN: | | | | | _ | REFERENCE: | L | | ل | | • | SOFTWARE | | | | | | SUB-SYSTEM: | DNBR-KW/FT Partial Trips Process | VER NO: 0 | 03 | | | SPS NO: | SPS0228 | | _a,c,e | | • | PROBLEM: | | | | | | ACTION TAKEN: | | | | | • | | | | | | | REFERENCE: | | | | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: ACTION TAKEN: | DNBR-KW/FT Partial Trips Process SPS0230 | VER NO: 004 | a,c., | |-----------------------------------------------------|---------------------------------------------------|-------------|-------| | REFERENCE: | | | _ ( | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | DNBR-KW/FT Partial Trips Process SPS0222 | VER NO: 008 | a,c,e | | ACTION TAKEN:<br>REFERENCE: | | | | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | DNBR-KW/FT Partial Trips Process SPS0215 | VER NO: 009 | a,c,e | | ACTION TAKEN:<br>REFERENCE: | | | | | SOFTWARE SUB-SYSTEM: | Engineering Safety Features Partial Trips Process | VER NO: 011 | | a,c,e PROBLEM: ACTION TAKEN: REFERENCE: Engineering Safety Features SOFTWARE Partial Trips Process VER NO: 012 SUB-SYSTEM: SPS NO: SPS0335 a,c,e PROBLEM: ACTION TAKEN: REFERENCE: Engineering Safety Features SOFTWARE VER NO: 023 Partial Trips Process SUB-SYSTEM: SPS0300 SPS NO: a,c,e PROBLEM: 1 a,c,e ACTION TAKEN: REFERENCE: SOFTWARE SUB-SYSTEM: Trip Logic Computer Process VER NO: 001 a,c,e SPS0424, SPS0425 SPS NO: PROBLEM: ACTION TAKEN: REFERENCE: SOFTWARE Trip Logic Computer Process VER NO: 020 SUB-SYSTEM: SPS0410 SPS NO: a,c,e PROBLEM: ACTION TAKEN: REFERENCE: SOFTWARE IPC & ILC Communications VER NO: 013 SUB-SYSTEM: Bus Control Process SPS NO: SPS0611 a,c,e PROBLEM: | • | ACTION TAKEN: | | | 7,c,e | |---|-----------------------------|----------------------------------------------|-------------|-----------------------| | | REFERENCE: | | | | | | SOFTWARE<br>SUB-SYSTEM: | IPC & ILC Communications Bus Control Process | VER NO: 014 | 1 | | | SPS NO:<br>PROBLEM: | SPS0613 | | ☐ a,c,e | | | ACTIO ' TAKEN: | | | | | | REFERENCE: | | | 7 | | | SOFTWARE | IPC & ILC Communications | | | | | SUB-SYSTEM:<br>SPS NO: | Bus Control Process SPS0613 | VER NO: 01 | ء مرور و<br>ما مرور و | | • | PROBLEM: | | | | | | ACTION TAKEN:<br>REFERENCE: | | | ] | | | SOFTWARE | IPS & ILC Communications | | | | | SUB-SYSTEM: | Bus Control Process | VER NO: 01 | | | | SPS NO:<br>PROBLEM: | SPS0612 | | _a,c,e | | | ACTION TAKEN: | | | | | | | | | | REFERENCE: SOFTWARE IPC & ILC Communications VER NO: 017 Bus Control Process SUB-SYSTEM: SPS0612 SPS NO: -a,c,e PROBLEM: ACTION TAKEN: REFERENCE: SOFTWARE IPC & ILC Communications VER NO: 018 Bus Control Process SUB-SYSTEM: a,c,e SPS0612 SPS NO: PROBLEM: ACTION TAKEN: REFERENCE: SOFTWARE IPC & ILC Communications VER NO: 019 Bus Control Process SUB-SYSTEM: a,c,e SPS0612 SPS NO: PROBLEM: ACTION TAKEN: REFERENCE: 5-8 ARORA | • | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | IPC & ILC Communications Bus Control Process SPS0615 | VER NO: 021 | a,c,e | |---|---------------------------------------|------------------------------------------------------|-------------|---------| | • | ACTION TAKEN: | | | | | | REFERENCE: | | | | | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | IPC Automatic Tester Process SPS0721 | VER NO: 025 | ] a,c,e | | • | ACTION TAKEN: | | | | | | REFERENCE: | | | | | • | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | IPC Automatic Tester Process SPS0722 | VER NO: 035 | a,c,e | | • | ACTION TAKEN: | | | | | • | REFERENCE: | | | | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | IPC Automatic Tester Process SPS0752 | VER NO: 036 | a,c,e | |---------------------------------------|--------------------------------------|-------------|-------| | ACTION TAKEN: | | | | | REFERENCE: | | | 1 | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | IPC Automatic Tester Process SPS0753 | VER NO: 033 | a,c,e | | ACTION TAKEN: | | | | | REFERENCE: | | | 1 | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | IPC Automatic Tester Process SPS0754 | VER NO: 030 | a,c,e | | ACTION TAKEN: | | | | | SOFTWARE | | | _ | | | IPC Automatic Tester Process SPS0755 | VER NO: 028 | a,c,e | | ACTION TAKEN: | | | | REFERENCE: | | SOFTWARE<br>SUB-SYSTEM: | ILC Automatic Tester Process | VER NO: 029 | | |---|-------------------------|------------------------------|-------------|--------| | | SPS NO: | SPS0755 | | a,c,e | | | PROBLEM: | | | | | | | | | | | • | ACTION TAKEN: | | | | | | | | | | | | REFERENCE: | | | ] | | | SOFTWARE | | | | | | | ILC Automatic Tester Process | VER NO: 032 | | | • | SPS NO:<br>PROBLEM: | SPS0755 | | 7 | | | | | | | | | ACTION TAKEN: | | | | | | REFERENCE: | | | 7 | | | SOFTWARE | | | | | | SUB-SYSTEM: | IPC Automatic Tester Process | VER NO: 034 | | | | SPS NO: | _SPS0755 | | a,c,e | | • | PROBLEM: | | | | | | ACTION TAKEN: | | | | | | REFERENCE: | | | TO THE | | SPS NO:<br>PROBLEM:<br>ACTION TAKEN: | IPC Automatic Tester Process SPS0757 | VER NO: 031 | a,c,e | |-----------------------------------------|--------------------------------------------|-------------|---------| | REFERENCE: | | | 1 | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | ILC Automatic Tester SPS0922 | VER NO: 024 | a,c,e | | ACTION TAKEN:<br>REFERENCE:<br>SOFTWARE | | | | | SUB-SYSTEM:<br>SPS NO:<br>PROBLEM: | ILC Automatic Tester SPS0932 | VER NO: 027 | a,c,e | | ACTION TAKEN: | | | | | REFERENCE: | | | | | SOFTWARE SUB-SYSTEM: SPS NO: PROBLEM: | Control System Signal Selection<br>SPS1122 | VER NO: 005 | _ a,c,e | | ACTION TAKEN: | | | | | | a,c,e | |------------------------------------|--------------------|--------------|-------------|---------|-----|-------| | REFERENCE: | | | | | | | | SOFTWARE | | | | VED NO | 006 | | | | SPS1115 | System Signa | 1 Selection | VER NO: | 006 | a,c,e | | ACTION TAKEN: | | | | | | | | REFERENCE: | | | | | | J | | SOFTWARE | | | | | | | | SUB-SYSTEM:<br>SPS NO:<br>PROBLEM: | Control<br>SPS1165 | System Signa | 1 Selection | VER NO: | 010 | a,c,e | | ACTION TAKEN: | | | | | | | | REFERENCE: | | | | | | | # 5.3 SYSTEM SUPPORT MODULES The System Support Modules are used throughout the major sub-system processes. In most instances, the purpose or description of each module is in its title. Because there are numerous System Support Modules, not all modules will be described in this summary. The modules that have been selected are the ones that perform in a functional manner. The selected modules are summarized in Section 5.3.1. A complete listing of all Software Performance Specifications for the System Support Modules is as follows: SYSTEM SUPPORT MODULES a,c,e ### 5.3.1 SPS0001 - 0063 SUMMARY DESCRIPTION The following modules have been selected from the system support modules to be discussed: # 5.3.1.1 SPS0023 - Process Raw Analog Input Data (PRWAID) ### A. ABSTRACT This procedure processes raw analog input data. 3. SERVICES PERFORMED a,c,e 3.3.1.2 SPS0025 - Leading Controller Output Configuration Procedure (Leadlag) A. ABSTRACT This procedure computes the output of a leading controller or lag controller. B. SERVICES PERFORMED a,c,e # 5.3.1.3 SPS0026 - High Setpoint Comparators Output Caluclation (COMPHI) ### A. ABSTRACT This procedure determines the output of a comparator-like high setpoint for a given input, considering the deadband. ### B. SERVICES PERFORMED # 5.3.1.4 SPS0030 - Two Out of Four Partial Trip/Bypass ### A. ABSTRACT This procedure returns logical values of a partial trip command and an alarm command to the caller based on a 2 out of 4 vote of the four partial trip and four bypass inputs. B. SERVICES PERFORMED a,c,e a,c,e \_\_ a,c,e 5.3.1.5 SPS0032 - Ratelag Controller Output Computation Procedure (RAGELG) ### A. ABSTRACT This procedure computes the output of a ratelag controller B. SERVICES PERFORMED # 5.3.2 STS0001 - 0063 SUMMARY DESCRIPTION The following STS's correspond to the system support modules above. ### 5.3.2.1 STS0023 ### A. NAME Test specification for "PROCESS RAW ANALOG INPUT DATA" (PRWAID) # B. ABSTRACT This module calculates the integer representation of a raw analog input. This module also determines the hardware status (Normal, problem) and the sensor status (Normal, overrange). C. TEST ENVIRONMENT D. METHODOLOGY OF TEST INPUT GENERATION a,c,e ### E. REFERENCE: Date and Revision Level of STS March 19, 1979 Rev. 01 Date and Revision Level of SPS December 15, 1978 Rev. 01 # 5.3.2.2 STS0025 ### A. NAME Test Specifications for Leadlag Controller Output Computation Procedure LEADLG ### B. ABSTRACT This module computes the output of a LEADLAG controller or LAG controller C. TEST ENVIRONMENT \_ a,c,e D. METHODOLOGY OF TEST INPUT GENERATION \_ a,c,e E. REFERENCE: Date and Revision Level of STS March 19, 1979 Rev. 01 Date and Revision Level of SPS December 15, 1978, Rev. 01 5.3.2.3 STS0026 A. NAME Test Specifications for COMPHI - High Setpoint Comparator Module B. ABSTRACT This procedure determines the output of a comparator with high setpoint, considering deadband. C. TEST ENVIRONMENT a,c,e None a,c,e D. METHODOLOGY OF TEST INPUT GENERATION a,c,e ### E. REFERENCES: Date and Revision Level of STS March 12, 1979, Rev. 01 Date and Revision Level of SPS March 10, 1979, Rev. 01 ## 5.3.2.4 STS0030 ### A. NAME Test Specification for two out of four partial trip/bypass logic (BY20F4) ### B. ABSTRACT The procedure being tested returns logic values of a breaker trip command and an alarm command to the caller based on a 2 out of 4 vote of the partial trip and bypass inputs. It accomplishes this by use of a look-up table, and consequently, can be verified using BOOLEAN (logic) expressions. C. TEST ENVIRONMENT D. METHODGLOGY OF TEST GENERATION a,c,e ### E. REFERENCE Date and Revision Level of T December 20, 1978 Rev. 01 Date and Revision Level of SPS December 15, 1978 Rev. 01 ### 5.3.2.5 STS0032 ### A. NAME Test specification for RATELAG controller output computation procedure (RATELG) ### B. ABSTRACT This procedure computes the output of a RATELAG controller C. TEST ENVIRONMENT a,c,e 5-30 4696A D. METHODOLOGY OF TEST INPUT GENERATION 5-32 #### E. REFERENCE Date and Revision Level of STS, March 14, 1979 Rev. 01 Date and Revision Level of SPS, December 15, 1978 Rev. 01 ## 5.4 NUCLEAR INSTRUMENTATION (NIS) PARTIAL TRIPS PROCESS (NISTPL) ### 5.4.1 SPS0100 SUMMARY DESCRIPTION #### A. ABSTRACT Process Description - This process evaluates the nuclear inscrumentation subsystem partial trip outputs. It provides the plant signals data and other intermediate calculated results to the communications bus shared memory for access by the automatic tester and the plant computer. Nuclear Instrumentation Subsystem Description - The primary function of the nuclear instrumentation subsystem (NIS) is the protection of the reactor core by monitoring of the neutron flux and generation of appropriate trips and alarms for various phases of reactor operating and shutdown conditions. It also provides a secondary control function by indicating reactor status during startup and power operation. The subsystem's logic is contained in the integrated protection cabinets. The nuclear instrumentation subsystem monitors the reactor power from the source range through the intermediate range and power range up to 200 percent of full power output. This is accomplished by means of thermal neutron flux detectors located in instrument wells in the primary shield adjacent to the reactor vessel. The system provides indication, control, and alarm signals for reactor operation and, protection, as follows: ### Source Range The four source range channels use proportional counters. Neutron flux, as measured in the primary shield area, produces current pulses in the detectors. These pulses are applied to solid-state preamplifiers and are then transmitted to solid state amplifiers and discriminators located in the integrated protection cabinets. These channels provide source range flux level information, reactor trip protection, and alarm signals to the reactor control and protection system. They are also used at shutdown to provide a reactor containment alarm for any inadvertent increase in reactivity. ### Intermediate Range Four intermediate range channels utilize four compensated ionization chambers. Direct current from the ion chamber is transmitted to solid state logarithmic amplifiers in the integrated protection cabinets. These channels indicate the intermediate flux level and also provide high neutron flux alarm signals and trip signals. The channels also provide a permissive signal to allow manual initiation of a source range level trip bypass (BLOCK), and removal of the high voltage from the source range detectors when the flux level is in the intermediate range. The permissive signal automatically reactivates the source range channels on decreasing flux level. ## Power Range Four sets of power range measurements are provided, one for each protection channel set. Each utilizes four individual uncompensated ionization chamber currents. The high neutron flux rate reactor trips, included with the power range protection system, provide core protection in the event of a dropped rod bank or in the event of a rod ejection. \_\_a,c,e C. NUCLEAR INSTRUMENTATION (NIS) PARTIAL TRIPS MODULES \_\_a,c,e 5.4.2 STS0100 SUMMARY DESCRIPTION A. NAME Test Specification for NIS Partial Trips Process - NISTPL B. ABSTRACT This process evaluates the nuclear instrumentation partial trips outputs by monitoring neutron flux level from source range through intermediate range and power range up to 200 percent of full output power. It also provides indication, control, and alarm signals to the Communications Bus Shared Memory for use by the Automatic Tester and the Plant Computer. C. TEST ENVIRONMENT \_ a,c,e a,c,e D. METHODOLOGY OF TEST INPUT GENERATION a,c,e #### E. REFERENCE Date and Revision level of STS March 6, 1979 Rev. 01 Date and Revision Level of SPS, January 9, 1979 Rev. 01 ## 5.5 DEPARTURE FROM NUCLEATE BOILING (DNB) AND KILOWATT PER FOOT (KW/FT) PARTIAL TRIPS PROCESS (DNBRKW) ### 5.5.1 SPS0200 SUMMARY DESCRIPTION #### A. ABSTRACT This subsystem calculates the DN3R and KW/FT partial trips. It also provides calculated information, passed-on information and status information to the communications bus. ### B. SERVICES PERFORMED C. DEPARTURE FROM NUCLEATE BOILING (DNB) AND KILOWATT PER FOOT (KW/FT) PARTIAL TRIPS MODULES 5.5.2 STSO200 SUMMARY DESCRIPTION A. NAME Test Specifications for DNBR KW/FT Partial Trips Process (DNKWFT) B. ABSTRACT This process consists of nineteen calls to external procedures. Six of the calls are performed during restart time, and the remaining thirteen calls comprise the execution loop. C. TEST ENVIRONMENT a,c,e 5-52 ### E. REFERENCE Date and Revision Level March 16, 1979, Rev. 1 Date and Revision Level of SPS January 9, 1979, Rev. 1 # 5.6 ENGINEERED SAFETY FEATURES (ESF) PARTIAL TRIPS 5.6.1 SPS-0300 SUMMARY DESCRIPTION #### A. ABSTRACT The ESF process monitors the plant signals and provides initiation of protective functions upon approach to abnormal plant conditions in a nuclear power plant. The plant signals represent measured temperature, pressure, fluid flow, fluid level in tanks or vessels, or pipes associated with primary and secondary plant and related systems. This process calls on several external procedures which are developed to specifically monitor and generate the status of the above plant signals. The calculated ESF partial trip status data is provided to the ESF logic computer of the Integrated Logic System via data link. This process provides the plant signals data and other intermediate calculated results to the communications ous shared memory for access by the automatic tester and the plant computer. a,c.e #### B. SERVICES PERFORMED 5-61 This Page was Inadvertently Left Blank. ## 5.6.2 STS0300 SUMMARY DESCRIPTION ## A. NAME Test Specification for 'ESF' Engineered Safety Features Process. ## B. ABSTRACT The ESF Processor is part of the IPS. It monitors and processes primary plant data (e.g. temperature, pressure, flow, level, etc.), and transmits partial trip and bypass signals to the integrated logic cabinets based on these and other plant signals. #### C. TEST ENVIRONMENT 1. Overall Environment | TABLE I INPUT a,c,e | 2. | Other modules required: | | _a,c,e | |----------------------|----|-------------------------|---------------|--------| | TABLE I INPUT a,c.e | 3. | Input | | • | | | Γ | | TABLE I INPUT | a,c,e | | | | | | | | | | | | | | | | | | | | | | | | • | | | | | | | | | | | | | | | | | | • | | | | | | | | | | | | | TABLE I INPUT 5-65 a,c,e TABLE I INPUT TABLE I INPUT TABLE I INPUT 4. Output TABLE II INPUT a,c,e TABLE II INPUT 5-70 TABLE II INPUT a,c,e TABLE II INPUT TABLE II INPUT a,c,e TABLE II INPUT TABLE II INPUT TABLE III OUTPUT a,c,e TABLE IV OUTPUT D. METHODOLOGY OF TEST INPUT GENERATION a,c,e a,c,e 1. Type of Input Expected 2. Type of Test Input 3. Reasoning Behind The Choice a,c,e # E. REFERENCE: Data and Revision Level of STS April 22, 1979, Rev. 01 Date and Revision Level of SPS January 8, 1979, Rev. 01 # 5.7 TRIP LOGIC COMPUTER, GLOBAL TRIP AND TRIP ENABLE PROCESS ### 5.7.1 SPS0400-0402 SUMMARY DESCRIPTION #### A. ABSTRACT The main function of the trip logic module subsystem is to operate the pair of reactor trip breakers associated with the channel set in which it resides. The logic used to trip the breakers is two out of four partial trips with bypass. In order to do this, it receives partial trip requests from the protection modules in this and (via data links) the other three channel sets. It also receives manual bypass requests from switches and automatic bypass requests from the automatic testing subsystem, from this and the other three channel sets. It is also responsible for transmitting partial trip and bypass information, via data links, to the trip logic computers in the other three channel sets. In addition to these tripping functions, it performs in-line self testing, and provides status, error and trip sequence information to the communications bus processor for transmission to the automatic tester and the plant computer. #### B. SERVICES PERFORMED 1. Trip logic computer 2. Reactor trip system architecture Table 5 Channel Set Identification 3. Functional logic of trip logic subsystem a,c,e 5-84 4. Implementation of bypasses at the partial trip level Table 6 Truth table of the trip enable function a,c,e TABLE 7 Truth table of the global trip function (cont) a,c,e | 5. | Reactor | Trip | Breaker | Bypass | | a,c,e | |-----|----------|------|---------|--------|--|-------------------| | | Neuc co. | | | | | 7 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - 1 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - 1 | | | | | | 1 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - 1 | | | | | | | | | | | | | | | | | | | | | | | | - 1 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - 1 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 11 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The same of | | | | | | | | | | | | | | | | | | | | | | | | The second second | | 1 | | | | | | | a,c,e 6. Communications 7 a,c,e Trip sequence information consists of three first out trip indicators which are reset and recalculated when the logic initiates a trip of the channel set's trip breakers. Breaker trip first out indicates whether the trip was initiated by the partial trip logic, the global trip logic, multiple global bypass, or other (manual trip or maifunction). Partial trip first out indicates which of the trip logic units was first to become tripped. Global trip first out indicates which of the partial trip functions was first to activate the global trip. TRIP LOGIC COMPUTER MODULES 5.7.2 STS0401-402 SUMMARY DESCRIPTION A. NAME Trip Logic Computer Process B. ABSTRACT The trip-logic computer is composed of two main processes, the Global Trip process and the Trip Enable Process represented by STS0401 and STS0402 respectively. The following pages will outline both processes. 5.7.2.1 STS0401 DESCRIPTION SUMMARY A. NAME Global Trip Process (GTPROC) B. ABSTRACT This subsystem calculates the global trip and operates the global trip relay. It calculates the partial multiple bypass trip alarm. It monitors the bypass status, the tripping status and the failure status of the trip logic hardware, the data links, and the trip enable processor. It determines trip sequence first-out information. It provides status and trip sequence information, via the communications bus shared memory, to the automatic tester and to the plant computer. It provides status information, via data links, to the trip logic computers in the other three channel sets. It provides trip logic status as a digital output to the engineered safety features and nuclear instrumentation subsystems. a, c, e a,c,e a,c,e C. TEST ENVIRONMENT 1. Overall Environment 2. Other Modules Require: 3. Input Data 5-95 a,c,e 5-98 47154 a,c,e 4. Output Data a,c,e # TABLE 8 # TRIP LOGIC COMPUTER DATA LINK MESSAGE FORMAT | Message Byte | | Data Byte | |--------------|-----------------------------------|-----------| | Number | Description | Number | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pages 5-102 to 5-111 would appear | | | | blocked out in this format, | | | | therefore, are not being | | | | printed to conserve paper. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | D. METHODOLOGY OF TEST INPUT GENERATION a,c,e 1. Type of Test Input Expected 5-112 2. Reasoning Behind Test \*,c,e # 5.7.2.2 STS 0402 Description Summary #### A. NAME Test Specification for the "Trip Enable Processor" (TRIPENA). #### B. ABSTRACT The process, TRIPENA, calculates the partial enables and outputs them to the trip logic hardware. It also passes them to the global trip processor via shared memory and then to the communications bus for use by the plant computer and automatic tester. It calculates the multiple bypass trip enable based on information from the data links and from the global trip processor. This is output to the multiple bypass trip enable relay and, via shared memory, to the global trip processor. It outputs from the serial port a test character which is used by the global trip processor to monitor the continuity of the breaker trip circuits. It performs error checking on the data link messages from the other three channel sets and does in-line testing of the trip enable processor, error information is passed through the trip enable/global trip shared memory. ### C. TEST ENVIRONMENT 1. Overall Environment 2. Other modules that must be present a,c,e | _ | | |---------------|--| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 2 / 4 0-4- | | | 3. Input Data | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | a,c,e 4. Output Data - a,c,e 7 a,c,e D. METHODOLOGY OF TEST INPUT GENERATION 1. Type of Input Expected a,c,e 2. Type of Test Input Ta,c,e 3. Reason Behind Choice # E. REFERENCES: Data and Revision Level of SPS January 2, 1979, 01 5-120 This page inadvertently left blank This page inadvertently left blank # 5.8 DATA LINK CONTROLLER PROCESS 5.8.1 SPS0500 SUMMARY DESCRIPTION ### A. ABSTRACT This subsystem is for the communication of data over an asynchronous, simplex, medium speed data link. This subsystem also provides for buffer management in a shared memory environment. B. SERVICES PERFORMED a,c,e 5-124 4706A - a,c,e 5-125 a,c,e C. DATA LINK CONTROLLER PROCESS # 5.8.2 STS0500 SUMMARY DESCRIPTION A. NAME Test Specif' ation for QMD Subsystem - QMDMN B. ABSTRACT This subsystem is for the communication of data over an asynchronous, simplex, medium speed data link. This sybsystem also provides for buffer management in a shared memory environment. #### C. TEST ENVIRONMENT 1. Overall Environment a,c,e 2. Other Models That Must Be Present 7 a,c,e 3. Input Data 7a,c,e 5-129 4. Output Data AT STATE OF THE PERSON ASSESSMENT PRESENTED THE W 19878.32 AND REPORTED SANTETERS CARREST CONSISTENCE FOR SANTESCHIEF The second section is a second section of the second secon are well, respectively and interpretation and the first side of the COLD TO SERVICE AND ADDRESS OF THE A # D. METHODOLOGY LE TEST INPUT GENERATION 1. Type of Input Expected 2. Type of Test Input 3. Reasoning 3-mi Conice ### E. REFERENCES Date and Revision Level of STS February 12, 1979, Rev. 00 Date and Revision Level of SPS December 30, 1978, Rev. 01 a,c,e - a,c,e - PROCESS (CBCIPC) - 5.9.1 SPS0600 SUMMARY DESCRIPTION - A. ABSTRACT This subsystem moves data among snared memories. The snared memories are with both function microprocessors and \_ata link controllers. Trefference to the control of the self-residence of the control B. SERVICES PERFORMED 7ª,c,e C. INTEGRATED LOGIC AND PROTECTION CABINET COMMUNICATIONS BUS CONTROLLER a,c,e 5.9.2 STS0600 SUMMARY DESCRIPTION A. NAME Integrated Protection Cabinet Communications Bus Controller (IPCCBC) #### B. ABSTRACT This process performs its function by calling subordinate external procedures. The function of the communication bus controller is to move data among the shared memories. This data can be moved directly from the shared memory of one functional microprocessor to the shared memory of another, as is the case in the data moved to the Automatic Tester or it can be data moved to the shared memory of a data link controller as for PAMS, the Signal Selector and the Plant Computer. In addition to the general function of moving data among shared memories, the IPC communications bus controller processes analog inputs for the signal selector device and reports status information of the nuclear analog channels. This information is retrieved from analog and digital input cards on the UIOB. The Automatic Tester can direct the CBCIPC to send a test message instead of the IPC message whenever it outputs to the Plant Computer. Then for a specified number of times each message sent to the plant computer will be the same message from the tester. At restart all snared memories are cleared (set to zero). #### C. TEST ENVIRONMENT 1. Overall Environment [ ] \*,c,e 2. Other Modules That Must Be Present - a,c,e 3. Input Data \_, a,c,e April 6, 1979, Rev. 01 Date and Revision Level of SPS, March 1, 1979, Rev. 01 # 5.10 INTEGRATED PROTECTION CABINET AUTOMATIC TESTER PROCESS 5.10.1 SPS700 SUMMARY DESCRIPTION #### A. ABSTRACT The purpose of the IPC Automatic Tester is to perform an automatic. periodic test on that portion of the protection system contained within the Integrated Protection Cabinet. Simulated input signals are injected into the protection modules and the functions of the various IPC subsystems are tested to verify that the reactor trip request and ESF actuation requests are generated correctly. Operator interface is through tester control panels in the results center and the IPC, through plant computer print-outs, and, optionally, through a local keyboard/ printer device connected to the tester processor. The structure of the tester process includes a real-time synchronization routine, routines to handle data transfer between the tester and several data link processors, a routine to handle results data transfer, and test sequencing routines. The test sequencing routines control the execution sequence of all the individual test routines. Test feedback from the IPC modules is primarily via communications bus shared memory. Test results are reported primarily through the communications bus shared memory, thence, ultimately, to the plant computer. #### B. SERVICES PERFORMED 1. Introduction - Integrated Protection Cabinet Functions a.c.e a,c,e 2. Purpose of the Automatic Test a,c,e 5-144 4706A a,c,e 3. Operator Control of the Automatic Test a,c,e 5-148 a,c,e 4706A a,c,e 4. Automatic Tester Subsystem Architecture a,c,e a,c,e 5-150 4706A - a,c,e a,c,e 5-152 4706A a,c,e 5. Tester Process 7 a,c,e 4706A a,c,e 5-156 4706A a,c,e 5-158 a,c,e a,c,e TABLE 10 MAJOR TEST SEQUENCES 3 1 a,c,e 2 . 3 - 4 5 6 . 7 8 9 - C. INTEGRATED PROTECTION CABINET AUTOMATIC TESTER MODULES - a,c,e a,c,e delice material med flow by Provent ## 5.10.2 STS0700 SUMMARY DESCRIPTION #### A. NAME Test specification for Integrated Protection Cabinet (IPC) Automatic Tester PTPROC. #### B. ABSTRACT The purpose of the IPC Automatic Tester is to perform an automatic, periodic test on that portion of the protection system contained within the Integrated Protection Cabinet. Simulated input signals are injected into the protection modules and the functions of the various IPC subsystems are tested to verify that the reactor trip request and ESF actuation requests are generated correctly. Operator interface is through tester control panels in the results center and the IPC, through plant computer print-outs, and, optionally, through a local keypoard/ printer device connected to the tester processor. The structure of the tester process includes a real-time synchronization routine, routines to nandle data transfer between the tester and several data link processors, a routine to handle results data transfer, and test sequencing routines. The test sequencing routines control the execution sequence of all the individual test routines. Test feedback from the IPC modules is primarily via communications bus shaped memory. Test results are reported primarily through the communications bus shared memory. #### C. TEST ENVIRONMENT Overall Environment a,c,e 2. Other Modules That Must Be Present a,c,e. ALL WHEN IN THE RESIDENCE AND ADDRESS OF THE PARTY the form at innet Embelled A THE PARTY OF THE PARTY. 3. Input Data Ta,c,e | 4. Output Data D. METHODOLOGY OF TEST INPUT GENERATION a.c.e | | | ] a,c,e | |--------------------------------------------------------------------------------------------------|----|--------------------------------------|---------| | D. METHODOLOGY OF TEST INPUT GENERATION 1. Type of Input Expected 2. Type of Test Input a,c,e | | Γ | a,c,e | | 1. Type of Input Expected 2. Type of Test Input a,c,e | | | | | 2. Type of Test Input a,c,e | 0. | METHODOLOGY OF TEST INPUT GENERATION | | | | | 1. Type of Input Expected | a,c,e | | | | | | | 3. Reasoning Behind Choicea,c,e | | 2. Type of Test Input | a,c,e | | 3. Reasoning Behind Choice | | | | | | | | | | | | | | E. REFERENCES: Date and Revision Level of STS, Dec 19, 1979 Rev. 01 Date and Revision Level of SPS, May 11, 1979 Rev. 01 5.11 INTEGRATED LOGIC CABINET 2/4 BYPASS VOTING PROCESS (VP20F4) 5.11.1 SPS0800 SUMMARY DESCRIPTION A. ABSTRACT This process receives partial trip and bypass status information from the four integrated protection cabinets over four optical data links. It combines the status information in a 2/4 bypass calculation and outputs the results to the interposing logic of the integrated logic cabinet. In addition the process will output directly some unvoted trips that are associated with its own channel set and some logic resets and arms to reset interposing logic latches at the end of an automatic test and arm interposing logic during the automatic test. 8. SERVICES PERFORMED a,c,e This page inadvertently left blank C. TEST ENVIRONMENT 1. Overall Environment 2. Other Modules That Must Be Present 3. Input Data 4706A 5-172 a,c,e a,c,e a,c,e a,c,e 4. Output Data \_, a,c,e D. METHODOLOGY OF TEST INPUT GENERATION 1. Type of Input Expected a,c,e 2. Type of Test Input a,c,e 3. Reasoning Benind Choice a,c,e a,c,e # E. REFERENCES: Date and Revision Level of STS January 26, 1979, Revision 01 Date and Revision Level of SPS January 5, 1979 Revision 01 ## 5.12 INTEGRATED LOGIC CABINET AUTOMATIC TESTER PROCESS ### 5.12.1 SPS0900 SUMMARY DESCRIPTION #### A. ABSTRACT This process performs in-line tests, initialization of QMD's and QAC's, an Al/A2 comparison, and a check of the panel for test initiation. If a test is requested, the process proceeds to test a specified cabinet half or both cabinet halves in sequence. To test the interposing logic, selected datalink signals are injected and the resulting interposing logic output signal is compared to internally stored signals. To test the two-out-of-four voter logic all permutations of the trip and bypass status information for all selected bits are injected and the resulting interposing logic testpoint value is compared to an internally calculated value. All test results are reported to the communications bus shared memory after each individual test. After the completion of all interposing logic tests and all 2/4 tests, the interposing logic latches are reset and the test results are reported to the panel. If the panel reset actuation is detected during the automatic test, the signal injection/result comparison logic is bypassed, the interposing logic latches are reset, and the test is terminated. #### B. SERVICES PERFORMED 1. Introduction - Integrated Logic Cabinet Ta,c,e ¬a,c,e 2. Purpose of the Automatic Tester ¬a,c,e 5758A a,c,e 3. Operator control of the Automatic Tester Panel 7a,c,e 5-178 4. Automatic Tester Subsystem Architecture Ta,c,e ma,c,e 5. Operator control of the Automatic Test Console a,c,e 5-184 5758A 5 187 6. Tester process C. INTEGRATED LOGIC CABINET AUTOMATIC TESTER MODULES ¬a,c,e ## 5.12.2 STS0900 SUMMARY DESCRIPTION ## A. NAME Test Specification for "Integrated Logic Cabinet Automatic Tester" Process (LTPRCS). #### B. ABSTRACT This process performs 1) the standard in-line confidence tests, 2) comparisons of the outputs of the redundant ILC nalves (called the A1/A2 comparison) and, upon initiation by the operator via the integrated logic test panel, 3) automatic tests of the integrated logic and the two-out-of-four voter logic (2/4). C. TEST ENVIRONMENT 1. Overall Environmenc 2. Other Modules That Must Be Present 3. Input Data 7 a,c,e a,c,e a,c,e 4. Output Data a,c.e D. METHODOLOGY OF TEST INPUT GENERATION 1. Type of Input Expected a,c,e a,c,e 2. Type of Test Input 1 a,c,e ma,c,e 3. Reasoning Benind Choice a,c,e E. REFERENCES Date and Revision Level of STS, June 15, 1979 Rev. 01 Date and Revision Level of SPS, March 27, 1979 Rev. 01 5.13 MAIN CONTROL BCARD/INTEGRATED LOGIC CABINET MULTIPLEXING 5.13.1 SPS1000-1004 SUMMARY DESCRIPTION a,c,e A. ASTRACT The primary function of this subsystem is to carry information from (to) the MCB to (from) the ILC. B. SERVICES PERFORMED a,c,e C. MAIN CONTROL BOARD/INTEGRATED LOGIC CABINET MULTIPLEXING MODULES 5.13.2 STS1001 THRU 1004 SUMMARY DESCRIPTION A. NAME Main Control Board/Integrated Logic Cabinet Multiplexing. ## E. ABSTRACT The multiplexing process is composed of four sub-processes; Main Control Board Multiplexing Process (MCBTWO); Main Control Board Multiplexing Process (MCBONE), Integrated Logic Cabinet Processor Master Process (ILCMTR) and Integrated Logic Cabinet Processor Auxiliary Processes (ILAUX1, ILAUX2). These are represented in STS 1001 thru 1004 respectively and is outlined in the following pages. # 5.13.2.1 STS1001 SUMMARY DESCRIPTION A. NAME Test Specification for "Main Control Board Processor Two" B. ABSTRACT This subsystem inputs an image of the command status, outputs an image of the response status, transmits the input image to integrated logic cabinet master processor, ILC(M) and receives the response status from ILC(M). - C. TEST ENVIRONMENT - 1. Overall Environment [ ] a,c,e 2. Other Modules that must be present. ¬ a,c,e 3. Input Data T a,c,e 4. Output Data a,c,e 5-201 a,c,e D. METHODOLOGY OF TEST 1. Type of Input Expected a,c,e 2. Type of Test Input Ta,c,e 3. Reasoning Behind Choice 7 a,c,e #### E. REFERENCES: Data and Revision Level 15 March 1979, Rev. 01 Date and Revision Level of SPS 4 January 1979, Rev. 01 ## 5.13.2.2 STS1002 SUMMARY DESCRIPTION A. NAME Test Specification for "Main Control Board processor One" #### B. ABSTRACT This subsystem inputs an image of the command status, and transmits the input image to the integrated logic cabinet master processor, ILC(M). - C. TEST ENVIRONMENT - 1. Overall Environment a,c,e a,c,e 2. Other Modules That Must Be Present 5-203 3. Input Data ] a,c,9 4. Output Data a,c,e D. METHODOLOGY OF TEST 1. Type of Input Expected a,c,e 5-204 Γ 2. Type of Test Input 1 a,c,e a,c,e 3. Reasoning Behind Choice a,c,e #### E. REFERENCES: Date and Revision Level of STS, 7 March 1979, Rev. 01 Date and Revision Level of SPS, 8 January 1979, Rev. 01 # 5.13.2.3 STS1003 DESCRIPTION SUMMARY ### A. NAME Test Specification for "Integrated Logic Cabinet Command Processor Master". ## B. ABSTRACT This subsystem inputs command information from the data link processor, and outputs it to the auxiliary processors and to the field. This subsystem also inputs response information from the field and the auxiliary processors, and outputs this information to the communication processor and the data link processor. | C. TEST ENVIRONMENT | | |---------------------------------------|---------| | 1. Overall Environment | 7 a,c,e | | | | | 2. Other Modules That Must Be Present | a,c,e | | | | | 3. Input Data | 7 a,c,e | | | a, c, c | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 4. Output Data a,c,e | | a,c,e | |----------------------------|---------| | | | | | | | D. METHODOLOGY OF TEST | • | | 1. Type of Input Expected | | | | 7 a,c,e | | | | | 2 Type of Test Japut | | | 2. Type of Test Input | 7 a,c,e | | 2 Passanian Rehind Chaica | | | 3. Reasoning Behind Choice | | | | 7 a,c,e | | L | | | E. REFERENCES: | | | Date and Revision Level | | 5-208 8 March 79, Rev. 01 6 January 79, Rev. 01 Date and Revision Level of SPS | • | 5.13.2.4 STS1004 SUMMARY DESCRIPTION | | |---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------| | | A. NAME | | | • | Test Specification for "Integrated Logic Cabinet Processor Auxiliary". | | | | B. ABSTRACT | | | • | This subsystem inputs command information from the ILC (M) Processor and outputs it to the field. This subsystem also inputs response information from the field and outputs this information to the ILC (M) Processor. | | | | C. TEST ENVIRONMENT | | | | 1. Overall Environment | □a,c,e | | • | | | | | 2. Other Modules That Must Be Present | | | | Γ | Ta,c,e | | | L | | | | 3. Input Data | | | • | | a,c,e | | • | | | | • | | | | | A Output Data | _ | | D. METHODOLOGY OF TEST | | |------------------------------------------------------------------------|----------| | 1. Type of Input Expected | | | | 7 a,c,e | | | | | 2. Type of Test Input | | | | a,c,e | | | _ | | 3. Reasoning Behind Choice | 7 | | | a,c,e | | | | | E. REFERENCES: | | | Date and Revision Level of STS | | | 12 March 79, Rev. 01 | | | Date and Revision Level of SPS, | | | 9 January 79, Rev. 01 | | | 5.14 CONTROL SYSTEM SIGNAL SELECTION DEVICE | | | 5 14 1 CDC1100 thru 1102 SUMMARY DESCRIPTION | | | 5.14.1 SPS1100 thru 1102 SUMMARY DESCRIPTION | - a,c,e | | | 4,0,0 | | | | | | | | A. ABSTRACT | | | This subsystem initializes and starts the signal selector process. It | | | receives control signals from all four Integrated Protection Capinets. | | It then calls the proper subordinate selecting procedure, depending on the number and type of input control signals from the protection cabinets. The subordinate selecting procedures compare each group of redundant signals and screen out those which are determined to be unacceptable in comparison to the other signals. The number of valid signals, their values, and their average are passed on to the control channel. Alarm BITs are set for single and multiple signal invalidation. The next cycle of control signals is received, and the comparison and validation sequence is repeated. ### B. SERVICES PERFORMED 5.14.2 STS1100 thru 1102 SUMMARY DESCRIPTION A. NAME: Control System Signal Selection Device B. ABSTRACT: The Control System Signal Selection process is composed of two subprocesses; Control Signal Selector process and Control Signal Selector Tester Process. These two subprocesses are represented by STS1101 and STS1102, respectively and will be outlined in the following pages. ## 5.14.2.1 STS 1101 Summary Description A. NAME: Test Specification for the Control Signal Selector Process (SIGSEL). B. ABSTRACT: This subsystem initializes and starts the signal selector process. It receives control signals from all four Integrated Protection Cabinets. It then calls the proper subordinate selecting procedure, depending on the number and type of input control signals from the protection cabinets. The subordinate selecting procedures compare each group of redundant signals and screen out those which are determined to be unacceptable in comparison to the other signals. The number of valid signals, their values, and their average are passed on to the control channel. Alarm bits are set for single and multiple signal invalidation. The next cycle of control signals is received, and the comparison and validation sequence is repeated. | C. TEST ENVIRONMENT | • | |---------------------------------------|---------| | 1. Overall Environment | | | | a,c,e | | | | | 2. Other Modules that must be Present | | | | a,c,e | | | | | 3. Input Data (General) | _ | | Γ | 7 a,c,e | | | | | | | | | | | | | | | | | | | | | • | | | | | | | | | | | | _ | a,c,e 4. Output Data (General) a,c,e 7 a,c,e 5-218 5-220 a,c,e D. Methodology of Test Input Generation 1. Type of Input Expected a,c,e 2. Type of Test Input a,c,e a,c,e 3. Reasoning Behind Choice a,c,e E. REFERENCES Date and Revision Level of STS February 25, 1979, Rev. 01 Date and Revision Level of SPS J wary 5, 1979, Rev. 01 5.14.2.2 STS1102 SUMMARY DESCRIPTION A. NAME: Test Specification for Control Signal Selectro Tester Process (SELTST) #### B. ABSTRACT: The process, SELTST, initializes and starts the Signal Selector Tester process. The execution loop of this process has two primary test functions. The first function is the in-line, or passive, test. This test is based on the fact that the signal selector device is actually two redundant devices, each of which is performing all of the signal selections. Since each of these devices is receiving the same inputs and operating on them with the same algorithm, they will achieve the same result. The in-line test will continuously compare the outputs of the two signal selectors. If a discrepancy is found in the outputs, then an alarm is actuated to notify the operator of a signal selector malfunction. A light on the automatic test panel is also activated. The second test function is the automatic, or operator-initiated, test. Upon initiation by the operator, via the automatic test panel, this test will inject simulated process signals by replacing the data links coming from the integrated protection cabinets. The automatic test will demonstrate that single signals can be rejected and revalidated and that pair of signals can be rejected and locked-out from revalidation per the signal selector design basis. Each redundant selector may be tested separately while the other provides data to the plant control system. The test results function also initiates a software reset of both signal selector processes. #### C. TEST ENVIRONMENT 1. Overall Environment [ ] a,c,e 2. Other modules that must be present: [ ] a,c,e 3. Input Data ] a,c,e 5-229 a,c,e 4. Output Data a,c,e 5-233 D. METHODOLOGY OF TEST INPUT GENERATION 1. Type of Input Expected a,c,e 2. Type of Test Input a,c,e 3. Reasoning Behind Choice a,c,e E. REFERENCES Date and Revision Level of STS, March 19, 1979, Rev. 01 Date and Revision Level of SPS, February 27, 1979, Rev. 01 ## TABLE OF MAJOR SUB-SYSTEM SOFTWARE VERIFIED | | Process Name | SPS Number | STS Number | Verification Status | |-----------|----------------------------|------------|------------|---------------------| | | | | | [ ] a,c,e | | MNEMONIC | System Support Modules | SPS0001 - | STS0001 - | | | | | SPS0063 - | STS0063 | | | NISTPL | Nuclear Instr. Partial | SPS0100 - | STS0100 - | | | | Trips Process | SPS0125 | STS0125 | | | DNBRKW | Departure Nucleate Boiling | SPS0200 - | STS0200 - | | | | kilowatt/ft Partial Trips | SPS0232 | STS0232 | | | ESFPTP | Eng. Safety Features | SPS0300 - | STS0300 - | | | 23 | Partial Trips Process | SPS0336 | STS0336 | | | GLOTRIP | Trip Logic Computer | SPS0400 - | STS0400 - | | | TRIPENA | Process | SPS0454 | STS0454 | | | QMDMN | Data Link Controller | SPS0500 - | STS0500 - | | | Q. D. III | Process | SPS0551 | STS0551 | | | CPCIPC | IPC a ILC Communications | SPS0600 | STS0600 - | | | CBCIPC | Bus Control Process | SPS0650 | STS0650 | | | IPCATP | IPC Automatic Tester | SPS0700 - | STS0700 - | | | | Process | SPS0758 | STS0758 | | | VP20F4 | ILC 2/4 Bypass Voting | SPS0800 - | STS0800 - | | | | Process | SPS0824 | STS0824 | | | ILCATP | ILC Automatic Tester | SPS0900 - | STS0900 - | | | | | SPS0944 | STS0944 | | | MCBILCM | MCB/ILC Multiplexing | SPS1000 - | STS1000 - | | | | 나는 내내가 먹다 막다 그렇다 | SPS1036 | STS1036 | | | SIGSEL | Control System | SPS1100 - | STS1100 - | | | SSTEST | Signal Selection | SPS1166 | STS1166 | L | 5-23/ - 6.0 APPENDIX - 6.1 NRC/ORNL Technical Audit Reports - NOTE: Portions of the information and figures originally supplied by Westinghouse NTD appears as attachments to the following NRC/ORNL reports. Some of this material has been retyped for purposes of clarity and replaces the originals. Other than retyping handwritten or poorly copied material, no other alterations to these reports were made. #### OAK RIDGE NATIONAL LABORATORY OPERATED BY UNION CARRIDE COR. ORATION POST OFFICE BOX X - Januar 29, 1979 Leo Beltracchi Instrumentation & Controls Systems Branch Division of Systems Safety Office of Muclear Reactor Regulation U. S. Nuclear Regulatory Commission Washington, DC 20555 Dear Lco: Audit of Westinghouse Verification and Validation Activities for RESAR-414 On January 23-25, 1979, I participated in the audit visit to the Westinghouse ISD Division in Pittsburgh, Pennsylvania. This letter is to serve as a formal communication of my verbal summary presented to you during our meeting of January 24. My major points are summarized as follows: - The Westinghouse personnel were very cooperative in providing information in a highly organized and efficient manner. In addition to making the job easier, this cooperation, I feel, provides for a more accurate assessment of the V&V activities on this project. - 2. The most striking deficiency in the V&V activity was the lack of formality in the independent verification of the software performance specifications. This lack of formality, in particular, resulted in nonstandard procedures by various specification reviewers. In addition, the notations and terminology for depicting inconsistencies or errors was the choice of the individual reviewer and therefore difficult to follow. The lack of documentation was evidenced by the difficulty exhibited by one reviewer in attempting to reconstruct the review process which had been conducted only four or five months ago. - 3. The above discrepancies and deficiencies appear to have been recognited in part by later proposed revisions to the procedures and the formality of the content of the software specification documents. This remains to be reviewed at a future date. However, the draft documents that have been informally submitted indicate that the majority of these problems will be handled in future revisions to the procedure. # POOR ORIGINAL Leo Poltracchi Page 2 January 29, 10/9 The above represent my summary observations. In the event more particular details are required to substantiate these assertions, I would be able to provide those on request. Sincerely, J. 8. Sullock # UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20055 8/51 8 - 8 19/9 MEMORANDUM FOR: R. M. Satterfield, Chief, Instrumentation and Control Systems Branch, DSS FROM: L. Beltracchi, Instrumentation and Control Systems Branch, DSS THRU: M. Srin vasan, Section Leader, Instrumentation and Control Systems Branch, DSS SUBJECT: AUDIT OF RESAR-414 INTEGRATED PROTECTION SYSTEM DEVELOPMENT JAMUARY 23-25, 1979 #### Summary The objective of the audit was to complete our evaluation of WCAP 9153 /Ref. 2/ and to evaluate verification activities associated with the specifications of the design. The audit plan, agenda, and the review guidelines are presented as enclosures to this report. The overview material presented by Westinghouse in support of the audit is contained in enclosure 4. Our evaluation concluded that WCAP 9153 /Ref. 2/ does not adequately represent the verification activities audited. Wastinghouse stated that the report would be revised to reflect the verification activities. Should the revised WCAP 9153 properly reflect these verification activities, we anticipate that we would approve the report. Our evaluation of the verification of the Preliminary Software Specifications to the System Design Specifications concluded that a verification was conducted. Our concerns were that informal procedures for the identification of discrepancies could be mis-interpreted and thus result in the introduction of errors in the design. However, as stated in our consultants report presented in enclosure 5, we noted that this discrepancy has been recognized in part by proposed revisions to the procedures to document the final software specifications. We will evaluate the adequacy of the corrective actions in a future audit of the Final Software Performance Specifications. Contact: L. Beltracchi X27233 -2- Our audit also evaluated the independence of the verification personnel with respect to the design personnel. We concluded that an adequate degree of independence existed as the specifications were generated by the Westinghouse Industry System Division and were verified by personnel from Westinghouse's Nuclear Division. Additional audits will be required to complete the staff's avaluation of the verification and validation activities for the RESAR-414 Integrated Protection System. Details of the current audit are presented in enclosure 1. A list of audit attendees is presented as enclosure 6. L. Beltracchi Enclosures: As stated cc: S. Hanauer R. Satterfield M. Srinivasan P. O'Rielly J. Joyce J. B. Bullock (ORIL) ## ENCLOSURE 1 # POOR ORIGINAL #### Audit Details The staff, assisted by a consultant, conducted an audit of the development activities of the RESAR-414 Integrated Protection System (IPS). The audit was conducted at the Westinghouse Industry System Division, located in O'Hara Township, the State of Pennsyvania. The audit was started on the morning of January 23, 1979 and was completed on the morning of January 25, 1979. Our consultants evaluation of the audit is presented as enclosure 5.0. The RESAR-414 IPS is a safety system whose design is based on microprocessors and digital components. The staff's preliminary evaluation of this design is presented in our Safety Evaluation Report , Ref. 1/. A description of Westinghouse's program for functional verification of the RESAR-414 IPS is presented in WCAP 9153 /Ref. 2/. The purpose of the audit was to complete the staff's evaluation of WCAP 9153 and to conduct an evaluation of specification verification activities. A plan and agenda for the audit were prepared by the staff (Enclosure 2) and were forwarded to Westinghouse on January 17, 1979. The purpose of forwarding the plan and agenda was to allow Westinghouse time to prepare and assemble the specific information and personnel required for the audit. The guidelines that the staff used to audit the <sup>1</sup> The consultant was Mr. J. B. Bullock, Oak Ridge National Laboratory verification activities are contained in Enclosure 3. These guidelines related to the design, construction, and operation of reactor protection systems, were used by the staff in conducting the audit. #### January 23, 1979 The audit began with a brief overview presentation of the IPS Design and Verification Program presented by Westinghouse. The slides used during the presentation are contained as enclosure 4.1. The staff stated its objectives for the audit as presented in enclosure 2. In a discussion of WCAP 9153, Westinghouse presented enclosure 4.2. This enclosure defines the design, development and verification activities for both the hardware and the software for the IPS. This enclosure also provides an overview of the activities discussed in WCAP 9153. In our audit of specifications and verification activities, the staff limited its efforts to the evaluation of the System Design Specifications (SDS), the Preliminary Software Performance Specifications (SPS), and the Equipment Performance Specifications (EPS). In the discussion on the System Casign Specifications, Westinghouse presented enclosure 4.3 and enclosure 4.4. In discussing enclosure 4.3, the methodology for generating and verifying the System Design Specifications was explained. Westinghouse's Nuclear Division generated functional requirements, logic diagrams, and engineering flow diagrams as components of the SDS's. Enclosure 4.4 is the System Specification Master Reference Document. The SDS's serve as the documented specifications of a purchase System Division. The Westinghouse Industry System Division is responsible for completing the design and fabricating the IPS. Westinghouse stated that the verification activities for the SDS's consisted of a review for similarity of requirements with requirements for other plants and the use of design reviews to verify specifications of new components. As a methodology, we found it acceptable and proceeded to evaluate its implementation. Mestinghouse stated that the Preliminary Software Performance Specifications were generated by the Industry System Division and were verified with respect to the SDS's by the Muclear Division. The staff selected the pressurizer pressure signal as a signal to audit and trace through the components of the IPS. Me concentrated our evaluation on the verification activities associated with the software and hardware used to process the pressure signal. At our request, Mestinghguse defined the documentation associated with the pressure signal. The documentation consisted of the E-Spec, system block drawings, the SPS's and the EPS's. In evaluating the SDS's, we learned that MCAP 8397, Addendum 1 /Ref. 3/ was in practice a part of the SDS's but was nowhere uniquely defined as part of the SDSs. Me noted this as a procedural deficiency in the SDS's. However, we did verify that time and error budgets for the pressurizer pressure signal were documented in the SDS's and appeared reasonable in value. Our audit continued by tracing the pressurizer pressure signal thru the ONBR and Kw/Ft functions within the IPS. We also audited the processing of the pressurizer pressure signal through the ESFAS. In evaluating the procedures by which the SPS's were verified with respect to the SDS's, we requested that several Mestinghouse personnel who performed the verification present how the specifications were verified, illustrate how discrepancies were identified and define the means by which these discrepancies were conveyed to the specification designer. After several presentations, we concluded that a lack of uniformity existed in the designation of discrepancies. Our concern was that a poorly designated modification could be misinterpreted and thus result in an error to the design of the IPS. Our evaluation also noted that a change procedure did exist and was being used. Mestinghouse stated that the Final Software Performance Specification would contain all identified revisions and contain more technical information than the preliminary specifications. The staff did no aluate the Final Software Performance Specifications at this time but will do so at a later date. (Also, see our consultants report, enclosers 5). Our audit also noted that MCAP 2153 did not reflect the scope and depth of the specification verification activities for the design. Although we detected procedural deficiencies, considerable evidence existed in the form of documentated discrepancies to conclude that a substantial verification effort had occured. Westinghouse recognized the deficiency # POOR ORIGINAL in WCAP 9153 and stated that the report would be revised and redocketed. Should the revised WCAP 9153 properly reflect these verification activities, we anticipate that we would approve the report. ### January 24, 1979 The staff completed the audits of the SPS's and the EPS's on January 24th. As a matter of documentation convenience, we have reported our total avaluation of the SPS's in the previous section titled January 23, 1979. Our evaluation of the varification activitied for the EPS's are discussed in the subsequent paragraphs. We conducted our evaluation of the EPS's and verification activities in the same manner as our evaluation of the SPS's. We requested that verifiers of EPS's present the specifications verified, illustrate and discuss discrepancies identified and discuss the resolution of the discrepancies Westinghouse stated that the EPS's were generated by ISD and were verified by the Nuclear Division. In evaluating the EPS's, we noted that they could not be verified to the SDS's. The decomposition of the SDS's to the EPS's contained an intermediate step which consisted of block diagrams of the major subsystems. The subsequent decomposition of the block diagrams resulted in the EPS's. Westinghouse stated that the block diagrams were verified to the SDS's and that the EPS's would be verified at a later step in the development. We also noted that this decomposition and verification were not defined by the overview presented by enclosure 4.2. Westinghouse stated that enclosure 4.2 would be modified for both hardware and software to reflect the actual decomposition and verification activities. We understand that the revised version is to be incorporated in WCAP 9153. The verification activities associated with the design of the hardware for processing of the pressurizer pressure signal and the reactor coolant pump speed signal were evaluated. The verification of the ISD system level drawings for these signals was conducted by the Nuclear Division. We had the verifier discuss the processing of the subject signal and describe how he identified and documented discrepancies. The resolution of discrepancies were presented as revised system level drawings. Based on the system level drawings, documented discrepancies, and resolution to descrepancies evaluated, we concluded that the verification activities of the system level drawings to the System Design Specifications were in conformance with the guidelines presented in enclosure 3. The staff will evaluate the verification activities associated with the EPS's at a future audit. # POOR ORIGINAL #### REFERENCES - NUREG 0491, "Safety Evaluation Report, Standard Reference System RESAR-414" Docket No. STN 50-572, November 1978. - WCAP 9153, "414 Integrated Protection System Prototype Verification Program" August 1977. (Proprietary) - 3. WCAP 8397, Addendum 1, "Bypass Logic For The Westinghouse Integrated Protection System" October 1977. (Proprietary) ### . AUDIT - . 1. EVALUATE VERIFICATION ACTIVITY FOR FUNCTIONS DESCRIBED IN SCOPE. - -- CONFORMANCE TO YAY GUIDELINES - -- DISCREPANCY IDENTIFICATION AND RESOLUTION - -- QUALIFICATION OF VERIFICATION TEAM - -- INDEPENDENCE OF VERIFICATION TEAM - 2. FOR MARGINAL PORTIONS OF VERIFICATION, AUDIT DEVELOPMENT DIVERSITY #### SCHEDULE - 1. TENTATIVE AUDIT DATES: JANUARY 23 AND 24, 1979 - 2. FORWARD AGENDA TO WESTINGHOUSE POOR ORIGINAL PRELIMINARY DEVELOPMENT SPECIFICATION VERIFICATION AUDIT SCOPE: WCAP 9153\* SYSTEM DESIGN SPECIFICATIONS \* PRELIMINARY SOFTWARE PERF. SPECIFICATION\* EQUIPMENT PERFORMANCE SPECIFICATION\* FUTURE AUDIT ACTIVITIES & SCHEDULE PLAN: #### STAFF (1) REVIEW DOCUMENTS IN SCOPE (2) REVIEW MEETING HANCOUTS OF 12/1/78, 12/15/78 #### WESTINGHOUSE - (1) DEFINE VERIFICATION ACTIVITIES IN THE (\*) DOCUMENTS DEFINED IN THE AUDIT SCOPE, HAVE THESE DOCUMENTS AND THEIR RELATED VERIFICATION ACTIVITIES AVAILABLE FOR AUDIT. ALSO, DISTINGUISH BETWEEN VERIFICATION ACTIVITIES AND DIVERSE DEVELOPMENT ACTIVITIES. IDENTIFY EACH OF THESE ACTIVITIES FOR THE SPECIFICATIONS IDENTIFIED IN THE AUDIT SCOPE. - (2) ON A PROGRAM BASIS, DEFINE VERIFICATION ACTIVITIES FOR HARDWARE DESIGN AND QUALIFICATION (COMPLETE FIGURE 2) - (3) DEFINE ACTIVITIES BY GRGANIZATIONS ON FIGURES 1 AND 2 - (4) SUPPORT VERIFICATION AUDIT # POOR ORIGINAL #### EXECUTE #### AGENDA #### DAY 1 - A.M. JANUARY 23, 1979 - INTRODUCTION . - SCOPE & OVERVIEW OF AUDIT - . OVERVIEW OF FIGURES 1 AND 2 BY WESTINGHOUSE - AUDIT SYSTEM DESIGN SPECIFICATIONS - P.M. JANUARY 23, 1979 - AUDIT PRELIMINARY SOFTMARE PERFORMANCE SPECIFICATIONS - . DEFINE VERIFICATION ACTIVITIES - · EVALUATE DISCREPANCY IDENTIFICATION A D RESOLUTION - · EVALUATE QUALIFICATION OF VERIFICATION TEAM - . EVALUATE INDEPENDENCE OF QUALIFICATION TEAM - . EVALUATE CONFORMANCE TO VERIFICATION GUIDELINES # POOR ORIGINAL #### DAY 2 A.M. - JANUARY 24, 1979 - -- AUDIT EQUIPMENT PERFORMANCE SPECIFICATIONS - · DEFINE VERIFICATION ACTIVITIES - · EVALUATE DISCREPANCY IDENTIFICATION AND RESOLUTION - · EVALUATE QUALIFICATION OF VERIFICATION TEAM - . EVALUATE INDEPENDENCE OF QUALIFICATION TEAM - · EVALUATE CONFORMANCE TO VERIFICATION GUIDELINES P.M. - JANUARY 24, 1979 - -- STAFF CAUCUS - -- SUMMARY MEETING WITH WESTINGHOUSE INITIAL RESULTS OF AUDIT - -- DISCUSS WCAP 9153, V&V EFFORTS AND SCHEDULE INDEPENDENCE PROGRAM FOR MODIFICATION AFTER INITIAL QUALIFICATION #### EVALUATION WRITE MINUTES OF AUDIT (TRIP REPORT) WRITE LETTER TO WESTINGHOUSE ON V AND V PROGRAM COMPLETE THESE TASKS BY 1 FEBRUARY 1979 FIGURE 2. HARDWARE DESIGN, VERIFICATION AND VALIDATION #### ENCLOSURE 3 #### VERIFICATION AND VALIDATION GUIDELINES The Verification and Validation (V and V) program plan will define and describe the activities presented below: - The program plan shall define the steps within the development of the digital computer based safety system. - 2. The program plan shall define the verification activities for each step of the development. - 3. The program plan shall define and describe the tools utilized for each verification activity. The verification tools shall be independent from the design, development and qualification tools used for the project. The tools may consist of analysis tools, test tools and evaluation tools. - 4. The program plan shall define the documentation required to record the results of verification activities. All discrepancies resulting from verification activities are to be documented. The resolution of the discrepancies shall be auditable by an independent party. - 5. The program plan shall define the validation activities for the project. POOR ORIGINAL - 6. The program clan shall define and describe tools utilized for each validation activity. The validation tools shall be independent from the development tools used for the project. Exceptions to this requirement must be justified by the applicant. - 7. The program plan shall define the documentation required to record the results of validation activities. All discrepancies resulting from the validation activities are to be documented. The resolution of the discrepancies shall be auditable by an independent party. - 8. The program plan shall define and describe the independent and competent organization selected to perform the verification and validation activities. The independence of the selected organization shall be justified in terms of its management, personnel, analysis tools, test tools, and financial arrangements with the safety system development organizations. The independent organization shall be further described in terms of the qualifications of personnel to perform the verification and validation activities. - 9. The program plan shall define a schedule for the verification and validation activities. The applicant's development schedule for the safety system shall also be defined. The schedule sequence between development activities and the verification and validation activities shall also be defined. POOR ORIGINAL #### ENCLOSURE 4.1 #### NRC TECHNICAL AUDIT # IPS DESIGN VERIFICATION PROGRAM # PRELIMINARY DEVELOPMENT SPECIFICATION VERIFICATION AUDIT | 8:30<br>9:15 | 1. | WESTINGHOUSE INTRODUCTION AND BRIEF OVERVIEW OF IPS DESIGN AND VERIFICATION PROGRAM - JMG | |----------------|----|-------------------------------------------------------------------------------------------| | 9:15<br>9:45 | 2. | NRC INTRODUCTION SCOPE AND OVERVIEW OF AUDIT | | 9:45<br>10:00 | | COFFEE BREAK | | 10:00<br>10:45 | 3. | PWR DESIGN INPUT TO ISD | SDS (SYSTEM DESIGN SPECIFICATION) COMMUNICATION PROCEDURES - WJS DESIGN AND REVIEW PROCESS - EJM 10:45 4. ISD DESIGN DOCUMENTS 11:30 EPS (EQUIPMENT PERFORMANCE SPECS) SPS (SOFTWARE PERFORMANCE SPECS) PURCHASE ORDER STRUCTURE 11:30 5. QA TOUR OF ISD 12:15 TUE. A.M. AGENDA # CONCEPTUAL DEVELOPMENT ORGANIZATION NO COST PURCHASE ORDER # IPS MANUFACTURING & VERIFICATION ORGANIZATION Purchase Order for Manufacturing & Verification of Prototype IPS System Level Activities Westinghouse ISD Detailed Design & Manufacturing E. Madera Westinghouse PWR System Level Verification J. B. Reid IPS HARDWARE AND SOFTWARE DESIGN & VERIFICATION Westinghouse ISD Design EPS & SPS E. Madera Westinghouse ISD Hardware Verification (Card Level) M. Kosco D. Smith Westinghouse ISD Software Verification Module & Process-Sub System Level D. Jones I. Kotovsky PWR-SD Document Flow Chart IPS 414 INTEGRATED PROTECTION SYSTEM SYSTEM SPECIFICATION MASTER REFERENCE DOCUMENT #### SD-IPLS-593 | REVISION | DATE | |----------|---------| | 0 | 4-24-78 | | 1 | 7-14-78 | | 2 | 6-1-79 | #### 1.0 PURPOSE: The purpose of this System Specification Master Reference Document is to provide definition of the System design documentation that WPWRSD uses (in conjunction with the prototype purchase order documents) to specify, manufacture and test the 414 Integrated Protection System Prototype. #### 2.0 SCOPE: This "Master Reference Document," together with its listed documentation references, is the $\underline{W}$ PWRSD System Specification for the 414 Integrated Protection System Prototype. It includes specifications, system drawings, standards and procedures for both the hardware and software aspects of the System. #### 3.0 DOCUMENTATION REFERENCES: The System Specification, for the 414 Integrated Protection System Prototype, consists of the following: A. Equipment Specification (E-Spec): W E-Spec 953230: This specification together with its listed references in Section 3.0 establishes technical and administrative requirements covering system related hardware phases of design, manufacture and testing of the 414 IPS. Specifically, this contains: a,c,e 3.0 (Continued) B. System Block Diagram: W Drawing 1218E17: This drawing represents the overall Integrated Protection System architecture and its inter-connections. Specifically shown on this drawing are: - C. Composite Block Diagrams: - 1. Integrated Protection Cabinets; W Drawing 8761D96: These drawings represent the implementation of the system functional requirements, functional diagrams, flow diagrams, channel lists and other key documents in both hardware and software. The protection functions contained in the Integrated Protection Cabinets, and defined by these drawings are: a,c,e 1 a,c,e Composite Block Diagrams: a,c,e Integrated Logic Cabinets; 2. W Drawing 8761D98: These drawings represent the hardware and software implementation of the functional requirements, functional diagrams and key documents. The Engineered Safeguard Features contained in the Integrated Logic Cabinets (Train A), and defined by these drawings are: a,c,e Integrated Logic Cabinets Interposing Logic 3. & Power Interface; > These drawings represent the implementation of functional requirements, diagrams, system interlocks and electrical loads that the Integrated Logic Cabinets control. Complete definition of all Train A load controls and position indication are defined. #### 3.0 DOCUMENTATION REFERENCES: (Continued) D. Integrated Protection System Module Equipment List Module Specification Sheets W SD-IPLS-462 The Module Equipment List is a reference document. It provides listings of all Integrated Protection System hardware and software modules by process function and physical location. All entries have unique tag numbers that match the Composite Block Diagrams. From this unique tag number, the following additional reference information is provided in the Module Equipment List: Process Protection Function Module Description Module Spec Sheet No. Module Location Purchase Order No. Supplier Drawing References The Module Specification Sheets define the Integrated Protection System hardware and software modules. Specifications for the various type modules typically contain the following: Module range Engineering Units Module Accuracy Temperature/resistance conversion tables Transfer functions Timing Alarm setpoints Algorithms Definitions of variables Applicable Standards Documentation references #### 3.0 DOCUMENTATION REFERENCES: (Continued) E. Integrated Protection System Software Standard: W SD-IPLS-590: This Standard defines the WPWRSD requirements for the IPS Software. The areas defined by this Standard are: Standard Scope Administration Requirements Design and Implementation Verification Documentation Installation and Maintenance F. Automatic Testing Requirements: W SD-IPLS-553: This document provides the design basis for the automatic testing of the Integrated Protection System. The Protection System testing is divided into four classifications; automatic periodic test, continuous error checks, manual tests and special tests. The contents of this document are: Purpose Design Criteria Automatic Periodic Tests Continuous Error Checks Manual Testing Time Response Testing Special Tests G. System Test Guidelines, (414 IPS Verification Test Outline); W SD-IPLS-582: This document describes the system verification test guidelines which are used as a basis for the System Test Procedure. It provides guidelines to verify that the IPS meets the WPWRSD requirements of the System Specification. The contents of this document are: Purpose & Objective References Prerequisites Test Methods & Practices Test Procedures Acceptance Criteria Functional Test Guidelines Setup Data for Verification Tests CHULUSUNE 3 #### OAK RIDGE NATIONAL LABORATORY OPERATED BY UNION CARBIDE CORPORATION POOR ORIGINAL POST OFFICE BOX X OAK RIDGE, TENNESSEE 37830 January 29, 1979 Leo Beltracchi Instrumentation & Controls Systems Branch. Division of Systems Safety Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission Washington, DC 20555 Dear Lec: Audit of Westinghouse Verification and Validation Activities for RESIR-414 On January 23-25, 1979, I participated in the audit visit to the Westinghouse ISD Division in Pittsburgh, Pennsylvania. This letter is to serve as a formal communication of my verbal summary presented to you during our meeting of January 24. My major points are summarized as follows: - 1. The Westinghouse personnel were very cooperative in providing information in a highly organized and efficient manner. In addition to making the job easier, this cooperation, I feel, provides for a more accurate assessment of the V&V activities on this project. - 2. The most striking deficiency in the V&V activity was the lack of formality in the independent verification of the software performance specifications. This lack of formality, in particular, resulted in nonstandard procedures by various specification reviewers. In addition, the notations and terminology for depicting inconsistencies or errors was the choice of the individual reviewer and therefore difficult to follow. The lack of documentation was evidenced by the difficulty exhibited by one reviewer in attempting to reconstruct the review process which had been conducted only four or five months ago. - 3. The above discrepancies and deficiencies appear to have been recognized in part by later proposed revisions to the procedures and the formality of the content of the software specification documents. This remains to be reviewed at a future date. However, the draft documents that have been informally submitted indicate that the majority of these problems will be handled in future revisions to the procedure. # POOR ORIGINAL Leo Beltracchi Page 2 January 29, 1979 The above represent my summary observations. In the event more particular details are required to substantiate these assertions, I would be able to provide those on request. Sincerely, J. 8. Bullock #### NRC TECHNICAL AUDIT PWR-SD D. V. Gennaro PWR-SD J. B. Reid J. M. Gallagher PWR-SD E. J. Madera ISD ISD G. Remley PWR-SD B. G. Croley ISD-Verification I. Kotovsky D. J. Jones ISD ICSB-NRC L. Beltracchi ICSB-NRC Joe Joyce J. B. Bullock W. J. Smith Jr. ORNL PWR-SD · ISD Don Smith PWR-SD Sarry Sarnett Len Stanga ISD-PRODUCT ASSURANCE ## ' NRC TECHNICAL AUDIT D. V. Gennaro T. B. Reid E. J. Madera B. G. Croley D. N. Katz J. M. Gallagher L. Beltracchi Joe Joyce J. B. Bullock B. Barnett Len Stanga G. W. Remley PWR-SD PWR-SD W ISD W PWR W PWR N PWR NRC-ICSB ICSB-NRC ORNL PWR ISD-Product Assurance W ISD #### ENCLOSURE 6.3 #### NRC TECHNICAL AUDIT | D. | V. Gennaro | |----|--------------| | J. | B. Reid | | E. | J. Madera | | G. | Remley | | 8. | G. Croley | | D. | Jones . | | J. | M. Gallagher | | J. | Joyce | | J. | B. Bullock | | L. | Beltracchi | L. Stranga B. Barnett | PHR-SD | |----------| | PWR-SD | | W ISD | | W ISD | | PWR-SD | | ISD | | PWR-SD | | NRC-ICSB | | ORNL | | NRC-ICS3 | | ISD | | PWR-SD | #### OAK RIDGE NATIONAL LABORATORY CARBIDE CORPORATION UNION CARBIDE CORPORATION POST OFFICE BOX X OAK RIDGE, TENNESSEE 37830 May 2, 1979 POOR ORIGINAL R. M. Satterfield, Chief Instrumentation and Control Systems Branch Division of Systems Safety Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 Dear Sir: #### Trip Report on Westinghouse RESAR-414 V&V Audit-2 Based on our telecon of March 7, 1979, it was understood that ORNL would assume primary responsibility for planning and conducting the second V§V audit of the Westinghouse RESAR-414 design. Consequently, a proposed date and agenda was prepared and transmitted to NRC and Westinghouse (See Attachment #1). The audit was conducted by J. B. Bullock, E. B. Johnson and W. H. Sides of ORNL with L. Beltracchi serving as a observer for the NRC staff. The complete list of attendees is given in Attachment #2. #### Recommendations - 1) We feel Westinghouse needs to provide a documented description of the V&V philosophy and its implementation for the RESAR-414 hardware modules. The description should also address the procedures for qualifying, controlling and using standard or special test software packages needed for hardware V&V. - 2) Future revisions of the procedures manual for preparing a software test specification should include more specific detail on units notation, and criteria for branch and mange testing of each software module. #### Scope The scope of the audit was to review the composition, activities, and plans of the Westinghouse independent verification and validation teams for both hardware and software. DUPLICATE DOCUMENT Entire document previously entered into system under: NO 79050804 No. of pages: #### Audit Summary The audit was conducted in the same basic format and atmosphere as the previous V&V audit performed by the NRC staff (See Memo from L. Beltracchi to R. M. Satterfield, Re: Audit of RESAR-414 dated April 8, 1979). Detailed minutes are shown in Attachment #3. The highlights are summarized as follows. During the review of the software V&V efforts and team qualifications, descriptions of the background and experience was presented by the management personnel. We concurred with their judgment that suitably qualified people had been assigned to the V&V task. No major problems were noted in the software V&V effort relating to software test specification (STS) development. However, during our discussions of the detailed procedures to be followed by each team member when preparing an STS, we noted that a few items were not formally listed in the procedure guide, such as the important criteria of 1) full range testing of all inputs, and 2) extent of testing, including testing of all branches. These criteria were being used, however, by the chief verifier when reviewing and approving each STS. It was also noted that the conventions of notation of number type or numerical base were not formalized nor closely followed by all team members. These problems, although not major, should be corrected in future revisions of the procedure manuals. (See Recommendation No. 2) The hardware review resulted in a need for better understanding of the Westinghouse position on hardware V&V. Unlike the software V&V team the hardware group has apparently based their approach to the verification task on the "black box" philosophy. The degree of independence from the design group maintained by the V&V team was also difficult to ascertain. (See Recommendation No. 1) A second concern was generated by the degree and manner in which "test" software is used for the hardware verification. Because of the digital nature of the hardware boards, it is natural to rely on software packages for many of the input data generation and output results operations. However, this software must be treated like lateratory test equipment with respect to quality control, accuracy, calibration. The were not able to assess this latter aspect during this audit however in will be covered in a future audit. The subject of independent software sneak analysis was discussed with the understanding that Westinghouse would consider the matter during the next two weeks. Sincerely, 1-00 ORIGINAI J. B. Bullock cwl Attachments #### OAK RIDGE NATIONAL LABORATORY OPERATED BY UNION CARBIDE CORPORATION NUCLEAR DIVISION POST OFFICE BOX X OAK RIDGE, TENNESSEE 37830 July 9, 1979 R. M. Satterfield, Chief Instrumentation & Controls System Branch Division of System Safety Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 Dear Sir: ### TRIP REPORT ON WESTINGHOUSE RESAR 414 V&V AUDIT - 3 On June 6-8 1979 the ORNL V&V Audit Team completed its Technical Audit #3 of the RESAR 414 protection system. Listed below are the detailed minutes of the audit including a summary and recommendations. #### Summary and Recommendations The audit was conducted in the same format procedure as previous V&V audits with no major serious problems encountered. All outstanding items from previous audits as noted below have been adequately resolved by commitments from Westinghouse to incorporate the indicated changes as additions to their procedures. A few outstanding items were generated as a result of this audit. However, they do not appear to be major issues and they are expected to resolve during the course of the next audit. Tentative plans for scheduling an audit of the integrated system test plans were made for the week of July 23, 1979. ## Minutes of Technical Audit of Westinghouse V&V, June 6-8, 1979 The V&V Audit Team, consisting of J. B. Bullock, E. B. Johnson, and W. H. Sides of ORNL, met with Westinghouse personnel. Mr. John Gallagher of W-NTD presided for Westinghouse. Meeting attendees were introduced (see Attachment I for attendance lists for each of the three days). Mr. Bullock presented the scope of the audit, which was the review of outstanding items from the second audit and the review of verification test results for both hardware and software. The agenda as modified during the meeting is shown in Attachment II Mr. G. W. Remley of M-ISD revi Westinghouse to design verifia module structure, generation o modules. DUPLICATE DOCUMENT Entire document previously entered into system under: ANC No. of pages: 301 #### OAK RIDGE NATIONAL LABORATORY UNION CARBIDE CORPORATION NUCLEAR DIVISION POOR ORIGINAL OAK RIDGE, TENNESSEE 37830 August 13, 1979 R. M. Satterfield, Chief Instrumentation and Control Systems Branch Division of Systems Safety Office of Nuclear Regulatory Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 Dear Sir: #### Trip Report on Westinghouse RESAR-414 V&V Audit #4 The fourth RESAR-414 V&V audit was conducted at W-NTD in Monroeville, Pennsylvania on July 23-24, 1979. The V&V Audit Team, consisting of J. B. Bullock, E. B. Johnson, and W. H. Sides, of ORNL, met with Westinghouse personnel. Mr. John Gallagher of W-NTD presided for Westinghouse. Meeting attendance for the two days is listed in Attachment I. Mr. Bullock presented the scope of the audit, which was the review of outstanding items from the third audit and the review of the Integrated System Test Specifications. The agenda as modified during the meeting is Attachment II. #### Open Items from the Third Audic One of the two outstanding items from the previous audit was the procedure used for generating the expected results that are a part of the Software Test Specifications (STS). Its Rotovsky of W-ISD presented an example of the calculations of the expected results for the DNBR Test Specification. The Audit Team concluded that the concerns it had expressed in this area during the revious audit had been resolved. The second outstanding item from the previous audit was the Hardware Test Procedures and Test Results for the been obtained for the QM cards. completed. Because the Test Re D to the Audit Team, this remains DUPLICATE DOCUMENT Entire document previously entered into system under: ANO 7908170 419 No. of pages: 4 August 13, 1979 #### Review of Integrated System Test Specifications The Audit Team began the review of the Integrated System Test Specifications. The specs were based on a draft Westinghouse document "414 Integrated Protection System (IPS) Verification Test Outline." This document was produced by W-NTD as a part of the System Design Specification (SDS). A discussion ensued regarding the methodology for formulating the integrated system tests. It was Mr. Bullock's view that the integrated system should be tested using input variables which simulate plant operating conditions. It was Westinghouse's view that the integrated system should be tested against the SDS. Discussion continued regarding the methodology used to formulate the tests contained in the Verification Test Outline. It is the Westinghouse view that, since the SDS are generated from the integrated system functional requirements imposed by the plant performance requirements, testing the integrated system against the SDS is sufficient, and testing by plant simulation is unnecessary. Mr. Bullock indicated, however, that multi-variable 1 out testing using simulated plant input variables may be required to verify the integrated system can perform the intended safety functions. It was re ommended that Westinghouse consider writing a document that would describe their methodology and philosophy for integrated system testing for use in future audits. Because of a lack of DNBR test case data, a supplemental audit was planned for early September to continue review of the system test cases and procedures and of the QM card test results analysis. The Audit Team requested to be present for some of the integrated system tests, which will probably occur in October. Westinghouse agreed to inform the team of the task schedule. It is estimated that the final audit will probably occur about January, 1980. We obtained copies of the following draft documents during this audit visit, however, because of the large quantity and the detailed nature of the information, we have elected not to include copies of the naterial with this report. Copies can be readily made available by writing or calling the undersigned. The documents are: - 1. 414 Integrated System Verification Test Outline Rev. 0 8/78 - 2. Product Verification Test Procedure-Microcomputer QMC 5/79 Please feel free to call us if you have any further questions on the subject trip. T B Bullook cwl cc: J. L. Anderson E. B. Johnson W. H. Sides POOR ORIGINAL #### OAK RIDGE NATIONAL LABORATORY ON BATTLE BY UNION CARBIDE CORPORATION NUCLEAR DIVISION POST OFFICE BGX X OAK RIDGE, TENNESSEE 37830 November 28, 1979 R. M. Satterfield, Chief Instrumentation & Controls System Branch Division of System Safety Office of Nuclear Regulatory Commission Washington, DC 20555 Dear Sir: #### Trip Report on Westinghouse RESAR-414 Audit - 5. On November 1, and 2, 1979 the ORNL V&V Audit Team, consisting of J. B. Bullock, E. B. Johnson, and W. H. Sides, met with Westinghouse personnel at ISD in Pittsburgh, PA. Mr. John Gallagher of W-NTD presided for Westinghouse. Meeting attendance for the two days is listed in Attachment I. Mr. Bullock presented the scope of the audit, which was the review of outstanding items from the fourth audit, review of the format of the summary document for the verification program, the selection of benchmark test cases from Chapter 15 of RESAR 414 to be used in integrated system verification, and review of the IPS simulator. The agenda as modified during the meeting is Attachment II. The Test Results and status of verification of the QM-series (microprocessor) cards were reviewed. Mr. Brian Reid described two problems which surfaced during testing. The first problem, involving crosstalk among the conductors in ribbon cables, was discovered and resolved prior to card verification testing. The second, involving crosstalk between M-buses, was discovered during verification testing at temperatures above room temperature when the M-bus cables were packed together. The system, including cards and interconnecting cabling, was observed to function as designed at room temperature but malfunctioned at elevated temperatures >90°F. Westinghouse-NTD proposes to redesign the affected part of the system and resubmit the new design for testing and verification. In addition, W-ISD procedures for tests prior to verification testing will be modified to include tests involving both cards and interconnecting (ribbon) cables. Westinghouse-NID also proposes to continue the verification of the software using the integrated hardware system but restricting the tests to room temperature conditions and separated M-bus cables. The V&V Audit Team concurs with this approach by noting that, with the room temperature and separation restrictions, the hardware proposed to be used to verify the integrated software will have been verified. Because the above problems are a type of TMI problem, Mr. Bullock pursued the general question of the vulnerability of the integrated hardware system to EMI internally generated and from external sources. It was stated by Westinghouse that, in general, EMI testing is considered part of a required series of qualification tests which are separate from (and later than) verification testing. Such required qualification testing (such as seismic, EMI, and other environmental testing) will be done on the completed cabinets. The results of the verification testing of the integrated system at room temperature will be submitted for final review at the next audit. The redesign and verification of the modified system will be completed at a later date. The Audit Team next reviewed the proposed format for a topical report which will summarize the Westinghouse Verification and Validation program. Mr. W. J. Smith presented the proposed Table of Contents for review of completeness. Mr. Bullock suggested an expansion of the proposed Introduction to include a description of V&V philosophy. In addition, a reordering of some of the major sections was suggested. The Audit Team next reviewed the selection of tests from Chapter 15 of RESAR 414 which Westinghouse proposes to use for stage 3 benchmark tests for system verification. A list of the Chapter 15 tests, including indication of those selected as benchmark tests, was provided to the Audit Team before the audit via a letter from J. M. Gallagher to J. B. Bullock, dated October 16, 1979 (ESD-JMG-261). Mr. B. M. Cook, W-NTD, discussed the selection criteria and, in addition, presented the proposed method to include the effects of process signal noise on the integrated system performance. The list of Chapter 15 tests and the criteria for benchmark test selection are shown in Attachment III. The tests are intended to verify the integrated system will properly respond to dynamic inputs simulating the design basis events. Input signals to the IPS will be generated using various design and transient analysis codes which simulate the NSSS. These codes will generate digital data files which will be used to produce analog signals by digital-to-analog conversion. Process noise will be generated from a digital white noise source, filtered to simulate the spectra of process noise typical of an operating plant and added to the signals in the data files. Tests will be conducted both with and without process noise included in the signals. The procedures and acceptance criteria for this testing are presently being written. The Audit Team concurs with this approach with the additional recommendation that the selection of benchmark tests from Chapter 15 assure that all sequences of trips which appear in Chapter 15 are included in the benchmark test cases. Mr. Bullock then discussed the subjects of software sneak analysis and defense-in-depth with Mr. Gallagher. The results of these discussions are shown in Attachment IV and Attachment V respectively. The Audit Team next reviewed the capability and structure of the IPS simulator. Mr. G. W. Remley, W-ISD, presented the system architecture and functions. The simulator is used in testing an integrated protection cabinet (IPC), an interposing logic cabinet (ILC), and a rod position indicating (RPI) cabinet. The remaining three IPCs and an ILC, the input sensors, the integrated control cabinet (ICC), plant computer interface, post accident monitoring (PAM) cabinet, and the loads on the ILC are simulated. Cards developed and verified for the IPS are used in the simulator and interface. Consoles provide system communication and documentation of tests and results. The audit Team made a brief tour to view the simulator facility and the cabinets under test. The next audit, which will cover the results of the integrated system verification tests at room temperature, was proposed for January or February, 1980. Sincerely, 5. B. Bullock JBB:1s Attachments cc: J. L. Anderson VE. B. Johnson W. H. Sides POOR ORIGINAL #### Attendance - 11/1/79 | E. J. 1 | Madera | W | - | ISD | |---------|----------------|-----------------------------|----|-----| | G. W. | Remley | W | | ISD | | M. S. | Wojcik | W | | NTD | | W. J. | Smith, Jr. | W | - | NTÔ | | J. B. | Reid | W | _ | NTD | | J. M. | Gallagher, Jr. | $\overline{\mathbb{A}}$ | - | NTD | | В. М. | Cook | $\overline{N}$ | - | NTD | | Е. В. | Johnson | OR | NL | | | W. H. | Sides | OR | NL | | | J. B. | Bullock | OR | NL | £ | | J. Mes | meringer | $\underline{\underline{W}}$ | - | | ## Attendance 11-2-79 | В, | М. | Cook | W IP | |----|-----|------------|-------| | J. | В. | Reid | W IP | | W. | J. | Smith, Jr. | W IP | | М. | s. | Wojcik | W IP | | G. | 2. | Gajdzik | W ISI | | Ε. | J. | Madera | W ISI | | s. | Ма | rcum | W ISI | | J. | C. | McCann | W ISI | | G. | W. | Remiey | W ISD | | J. | М. | Callagher | W NTD | | D. | ٧. | Gennaro | W NTD | | E. | Ste | ernheim | W R&D | | J. | В. | Bullock | ORNL | | E. | В. | Johnson | ORNL | | W. | н. | Sides, Jr. | ORNL | ### Agenda Westinghouse RESAR-414 Audit #5 ## November 1, 1979 9:00 a.m. - Scope and overview of Audit Agenda - Review of Outstanding Items from previous audits Status of QM cards - Review V&V Programs Summary documentation format for completeness - Lunch ## 1:00 p.m. - Review System verification test cases, including selection criteria, acceptance criteria, and implementation methodology - Review methodology for process-signal noise implementation, including basis for acceptance of test results # November 2, 1979 8:30 a.m. - Review IPS simulator capability - Audit team caucus #### 11:00 a.m. - Exit Summary & Discussions - Software sneak analysis - Defense-in-depth | TABLE | E 19 | AGE | 3 | PLEC ! | 27.46 | |-----------|------|-----------|----|--------|-------| | 1.6341.1- | 25.0 | Philip C. | ъ. | UE 3.1 | Sec. | | | | | | | | SENCHMARK TEST CASES | RESIR-414<br>CHEPTER IS SECTION | ACCIDENT NAME | STAGE 3 BEHCHMARK<br>TEST CASE NUMBER | INITIAL<br>CONDITION | REMARKS | |---------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------------|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| | 15.1 | All Condition ! Events -<br>Normal Operation & Operational<br>Translents. | Not Selected | | Condition I events do not lead to actuation of the IPS. | | 15.2.1 | Uncontrolled Rod Cluster<br>Control Assembly Bank Witndrawal<br>from a Subcritical Condition. | ľ | Hot Standby | | | 15.2.2 | Uncontrolled Rod Cluster Control | 2 | Full Power | N-Loop | | | Assembly Bank Withdrawal at Power | 3 | ~75% Power . | N-1 Loop. The loop out of service is not<br>the one which would cause the bypass of<br>the prototype channel. | | | | | | | | 15.2.3 | Rod Cluster Control Assembly<br>Misclignment (Grop of a single<br>full length RCCA group) | 1,500.40 | Full Power | The case of the dropped ACCA group is selected as the benchmark because it is the smallest of the rod misalignment cases which is detectable by the IPS. | | 15.2.4 | Uncontrolled Boron Dilution | Not Selected | | This transient is adequately covered by<br>Test Case 1 | | 15.2.5 | Partial Loss of Forced Reactor | 5 | Full Power | | | 15.2.6 | Startup of an Inactive Reactor<br>Coolant Loop | 6 | ~75% Power | | | 15.2.7 | Loss of External Electrical Load and/or Turbine Trip | 7 | Full Power | | | 15.2.8 | Loss of Normal Feedwater | 8 | Full Power | | | 15.2.9 | Loss of Offsite Power to the<br>Station Auxiliaries (Station<br>Blackout) | Not Selected | - | This transient is adequately covered by the combination of Test Cases 3 and 13. | | 15.2.10 | Excessive Heat Removal Due<br>to Feedwater System Malfunctions | 9 | Full Power | The full power case where a feedwater valve fails open yields the largest reactivity transient. | | RES R-414<br>CHAPTER IS SECTION | ACCIDENT NAME | STAGE 3 BENCHMARK<br>TEST CASE NUMBER | INITIAL<br>COMDITION | REM | |---------------------------------|---------------------------------------------------------------------------------------------------|---------------------------------------|----------------------|-------------------------------------------------------------------------------------------------------------------------------| | 15.2.11 | Excessive Load Increase Incident | 10 | Full Power | | | 15.2.12 | Accidental Depressurization of<br>the Reactor Coolant System | n | Full Power | | | 15.2.13 | Accidental Depressurization of<br>the Hain Steam System | 12 | No Load | | | 15.2.14 | Inadvertent Operation of ECCS<br>During Power Operation | Not Selected | | Since the shutoff head of the SI pumps is less than the normal primary mystem pressure, no transient results from this event. | | 15.3.1 | Loss of Reactor Coolent from<br>Reptured Pipes or from Cracks<br>In Large Pipes | 14 | Full Power | | | 15.3.2 | Minor Secondary System Pipe | Not Selected . | | Chapter 15 analysis covered by 14.5.2 | | 15.3.3 | Inadvertent Loading of a Fuel<br>Assembly into an Improper<br>Position | Not Selected | - | No automatic IPS action results from this event. | | 15.3.4 | Complete Loss of Forced<br>Reactor Coolant Flow | 13 | Full Power | | | 15.3.5 | Single Rnd Cluster Control<br>Assembly Withdrawal at<br>Full Power | Not Selected | | This event is adequately covered by<br>Test Case 2 | | 15.4.1 | Major Resitor Colant System Pipe Ruptures | Not Selected | | The mitigation of this event is not dominated by the automatic action of the IPS. Small LOCA's are covered in Test Case 13. | | 15.4.2 | Major Secondary System Pipe<br>Rupture | 15 | Hot Standby | | | 15.4.3 | Steam Genera or Tube Rupture | Not Selected | *** | This event is adequately covered by<br>Test Case 14. | | 15.4.4 | Single Reactor Coolant Pump<br>Locked Rotor | Not Selected | | This event is adequately covered by<br>Test Case 5. | | 15.4.5 | Fuel Handling Accident | Not Selected | | No automatic IPS action results from this event. | | 15.4.6 ORIGINAL | Rupture of a Control Rod<br>Drive Hechanism Housing (Rod<br>Cluster Control Assembly<br>Ejection) | 16 | Full Power | | | RECORDER | | NOTES | SENSOR<br>TAG NUMBER | |----------|-----------------------------|-----------|----------------------| | 1 | Excore NIS - Channel A | . + - 1 | NE-41A | | 2 | Excore, NIS - Channel B | A # 10 10 | NE-41B | | 3 | Excore NIS - Channel C | i.e. | NE-41C | | 4 | Excore NIS - Channel D | | NE-410 | | _ 5 | TN-16 Detector Signal | | JE-410A | | 6 | Cold Log Temperature | | TE-451 | | 7 | Pressurizer Pressure | | PT-455 | | 8 : | Pressurizer Water Level | | LT-465 | | 9 | - Reactor Coolant Loop Flow | (1) | FT-416 | | 10 | Reactor Coolant Pump Speed | (2) | SE-475 | | 11 | Steam Generator Water Level | | LT-571 | | 72 | Feedwater Flow | | FT-510 | | 13 | Steamline Pressure | (3) | PT-514 | | | Source Range NIS | (4) | NE-31 | | 14 | Containment Pressure | (3) | PT-937 | | | Intermediate Range NIS | . (4) | NE-35 | | 1 | | | | # NOTES: - (1) Input to four channels (416, 426, 436, 446) on Test Case 13 Only. - (2) Signal is a Pulse Train, 0 to 50 Hz. - (3) Test Cases 2 through 16. - (4) Test Case 1. \*General Note: Actual recorder channels used for each test case will be specified at a later date. POOR ORIGINAL from WRD-NTD-Electrical Systems Development WIN 249-4305 Date November 5, 1979 Subject Integrated Protection System Software Sneak Circuit Analysis REF: ESD-JMG-272 J. B. Reid D. V. Gennaro/J. Mesmeringer E. Sternheim - R&D-601 E. J. Madera - WISD G. Remley - WISD cc: K. F. Cooper . D. W. Call R. A. Wiesemann R. Colborn - WISD B. Bullock - ORNL The IPS software sneak circuit analysis to be performed by Boeing for the NRC through the technical assistance of ORNL was discussed at the recent ORNL audit of the IPS design verification program. The agreements reached with J. B. Bullock with respect to this analysis are as follows: - 1) Mr. Remley of ISD will supply to NTD the information requested in R. M. Satterfield's letter to B. Croiey on the subject matter (see referenced letter). This information will be supplied in the form of hard copy and computer cards per the agreement reached in the meeting. A list of this information is given in Attachment 1. - 2) NTD will transmit this information to R. M. Satterfield with the necessary proprietary affidavit which will be prepared by R. A. Wiesemann per agreement reached with him in earlier discussions. If possible, the information should be hand carried to Bethasda by B. M. Cook the latter part of the week of Nov. 5. - 3) Mr. J. B. Bullock will submit a copy of the final work statement for Boeing to $\underline{W}$ for our information. - 4) Any communications for the purpose of clarification of the information supplied by W will be coordinated by J. B. Bullock and will be conducted by telephone conferences or meetings in Pittsburgh. Mr. Remley of ISD will represent W in any such discussions. | SPS's FOR DATA LINK CONTROLLER SUBSYSTEM | a,c,e | |---------------------------------------------------|-------| | | | | | | | | | | | | | | | | BER 19 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 | | | SPS's FOR DATA LINK CONTROLLER INTERFACE | a,c,e | | | 7 | | | | | DATA LINK CONTROLLER SUBSYSTEM PROGRAM LISTINGS | | | - DATA CTAN CONTROCLEN SOBSTSTEN PROGRAM CASTANGS | a,c,e | | | | | | | | | | | | | | | | | | | | | | | | | | DATA LINK CONTROLLER INTERFACE PROGRAM LISTINGS | a,c,e | | | | | | | | **** | | | DATA LINK CONTROLLER SOURCE CODE | a,c,e | | | | | | | | | | | | | | | | | | | # DATA LINK CONTROLLER INTERFACE SOURCE CODE a,c,e 3 3 3 DATA LINK CONTROLLER OBJECT CODE a,c,e 2 2 2 2 2 2 2 2 2 2 2 2 DATA LINK CONTROLLER INTERFACE OBJECT CODE a,c,e 2 2 2 EXAMPLE APPLICATION INTERFACE PROGRAM LISTING a,c,e # NOTES: (Form of Transmittal) 1 - Hard Copy 2 - Cards 3 - Hard Copy and Punch Cards Hom WRD-NTD-Electrical Systems Development WIN 249-4305 Dute November 5, 1979 Subject ORNL Technical Follow of W Response to Concerns Identified in NUREG-0493 to K. F. Cooper cc: T. M. Anderson R. J. Slember J. C. Mesmeringer D. C. Richardson L. A. Campbell J. B. Reid B. M. Cook E. J. Madera - WISD G. Remley - WISD LJ. B. Bullock - ORNL This subject was discussed during the meeting between ORNL and $\frac{W}{W}$ which was held at WISD on Nov. 1st and 2nd. At this meeting a general strategy for the conduct of the Defense in Depth Program was submitted by W to ORNL for their agreement. This strategy was based upon the results of the Aug. 30th meeting with the NRC to discuss W's response to concerns identified in NUREG-0433. A summary of the meeting which was issued by the NRC is attached to this letter. The general strategy discussed with ORNL on Nov. 2, 1979, contained the following points: - 1) W will submit a report on the analysis methodology to CRNL to be followed at a later date by a proposed test program. - 2) ORNL will perform evaluation of the analytical methodology in . terms of scope and depth and the test program in terms of completeness and provide results of these evaluations to $\underline{W}$ . - 3) W will present results of the analysis and the test program and an assessment of the practicality of the methodology to ORNL for their evaluation and independent assessment of practicality. - 4) Results from these activities will form the basis for continuation of the defense-in-depth program beyond Sept. 30, 1980. POOR ORIGINAL - this evaluation are needed by W by Jan. 30, 1979. - 3) At the end of the first quarter of 1980 W will also submit to ORNL, with a copy to R. Satterfield, the proposed test program and supporting analysis to demonstrate that the IPS performs as analyzed. This test program will be performed utilizing the IPS prototype system. - 4) ORNL should perform an evaluation of this test program with respect to the completeness of the program in terms of demonstrating that the IPS peforms as analyzed. The results of this evaluation are needed by W by May 30, 1980. - In early August W will present the to-date results of the analysis and the test program and their assessment of the practicality of the methodology to ORNL. - 6) Prior to Sept. 30, 1980 ORNL should formulate and recommend to the NRC the activities necessary to complete the defense-in-depth and diversity assessment of the integrated protection system. By copy of this letter I request that J. B. Bullock provide comments on the detailed plan as given herein with the intent of establishing the ORNL follow program referenced in the NRC Summary of the Aug. 30th meeting. J. M. Gallagher, Jr. Consulting Engineer Control & Electrical Systems JMG/mlm Attachment. OR ORIGINAL # NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 \* ... SEP 2 0 1979 MEMORANDUM FOR: Rod Satterfield THRU: Tom Dunning FROM: Joe Joyce SUBJECT: SUMMARY OF AUGUST 30, 1979 MEETING TO DISCUSS WESTINGHOUSE'S RESPONSE TO CONCERNS IDENTIFIED IN NUREG-0493, AND THE PROGRESS OF THE V&V PROGRAM A meeting was held with members of the staff and Westinghouse on August 30, 1979 in Bethesda, Maryland. Westinghouse requested a meeting so that they could (1) present to the staff a description of the methods and approach to be used in responding to NRC concerns identified in NUREG-0493; and (2) discuss the progress of the Verification and Validation program on RESAR-414. A list of attendees is provided in Enclosure 1. # Defense in Depth (NUREG-0493) - 1. B. Cook of Westinghouse described the defense in depth study program now underway at Westinghouse with emphasis on: - O Defense in depth view of plant I&C system vs. single failure view of plant I&C system. - O Fault tree methodology including source of information for development of I&C system model. - O Model building procedure including use of overlays to include specific types of CMFs such as calibration errors. - O Testing for defense in depth with emphasis on interactions between functions identified in block structure. The presentation is summarized in the overhead slides in Enclosure 2. - 2: The staff stated that the study program was valuable in that it appeared to offer a systematic approach to dealing with various classes of common mode failures as well as non-mechanistic common mode failures. The staff also expressed a concern with respect to the practicality of the methodology in terms of the magnitude of the analysis (number of cut sets, etc.). - 3. The NRC will make arrangements to follow the Westinghouse program through the technical assistance of ORNL. POOR ORIGINAL 1. B. Reid of Westinghouse presented an overview of the IPS design verification process with a clarification as to the activities covered in WCAP-9153 and the activities performed as part of the manufacturing and systems integration test which are outside the scope of work included in the WCAP. Mr. Reid also presented a revision to the System Verification Test Philosophy based upon discussions with J. B. Bullock (ORNL) held during the 4th audit of the IPS design verification program. These presentations are summarized in Enclosure 3. - 2. Mr. Bullock stated that the addition of test cases selected to demonstrate that the system performs properly when subjected to inputs reflecting the plant conditions associated with accidents studies in Chapter 15 of RESAR-414 resolved one of his major concerns. - The resolution of another of his Major concerns the addition of noise to represent actual plant signals will be subject at the next audit of the IPS design verification program. - 4. W. J. Smith of Westinghouse presented a discussion of material to be supplied by Westinghouse to the NRC to serve as documentation of the design covered by the NRC audic program. This presentation is summar in Enclosure 4. - 5. J. B. Bullock (ORNL) stated that the documentation described appeared to be complete enought to provide adequate summary documentation for the system that was audited. He also stated that the contents of the summary document should be the subject of a future audit in order to provide a final conclusion on its completeness. He suggested that the various items listed in the table of contents include the number of pages associated with the Westinghouse file on each item. - 6. R. Satterfield stated that the staff was not prepared to make a judgment regarding the adequacy of the design verification program. While he indicated that the ORNL audit reports will provide part of the basis that judgment, he also said that more staff work would be required before that judgment could be made. Mr. Satterfield agreed to forward copies of all "NL audits to Westinghouse. - 7. R. Satterfield acknowledged that the NRC had identified revisions to MCAP-9153 that were necessary for their approval of the report. (Contained in L. Beltracchi's letter to Satterfield on the subject Audit of RESAR 414 IPS Development, January 23-25, 1979). He further stated, however, that because of manpower limitations he was not presently in a position to commit a review of the revisions and final acceptance. Consequently, the NRC approval of MCAP-9153 remains an open item. Joe Joyce | . 1 | 13 | 1000 | MA | |-----|----|------|-------| | U. | | Joy | to be | J. M. Gallagher B. M. Cook J. B. Reid W. J. Smith, Jr. G. W. Remley B. G. Croley J. II. Bickel V. A. Moore T. G. Dunning M. Srinivasan R. M. Satterfield J. B. Bullock S. H. Hanauer\* \*Part time USNRC/ICSB N NTD W NTD W NTD M NTD W ISD W NTD . ACRS/USNRC USNRC/PS USNRC/ICSB USNRC/ICSB USNRC/ICSB ORNL USNRC/PS POOR ORIGINAL # OAK RIDGE NATIONAL LABORATORY GRERATED RY UNION CARBIDE CORPORATION POST OFFICE BOX X OAK RIDGE, TENNESSEE 37830 March 17, 1980 R. M. Satterfield, Chief Instrumentation & Controls System Branch Division of System Safety Office of Nuclear Regulatory Commission Washington, DC 20555 Dear Sir: Trip Report on Technical Audit - 6 of Westinghouse RESAR-414 V&V Program. On February 28 and 29, 1980, the ORNL V&V Audit Team, consisting of J. B. Bullock, E. B. Johnson, and W. H. Sides, met with Westinghouse personnel at ISD in Pittsburgh, PA. Mr. John Gallagher of W-NTD presided for Westinghouse. Meeting attendance for the two days is listed in Attachment I. Mr. Bullock presented the scope of the audit, which was the review of outstanding items from the fifth audit (including the status of the memory bus design), the audit of the test results of the QM series cards ambient tests, and review of the Systems Verification Test Program. The agenda as modified during the meeting is Attachment II. Mr. Gallagher gave a brief description of a reorganization within the Water Reactor Division which involved some Westinghouse personnel in the V&V program. It was stated that the reorganization will not affect the V&V program. Mr. Reid.reviewed the status of the M bus. The redesign effort has been expanded from the MX bus only, to include the M bus. The redesign will provide greater noise immunity and greater common mode protection (10V). Changes include adding termination to all M bus lines, limiting the bus to 48 cm length, and use of TTL bipolar drivers and col will be used to take advantage will affect the QME, QMS, and QMD will be added. The changes will pding or retesting of software is modifications are made to the DUPLICATE DOCUMENT Entire document previously entered into system under: ANO 8004080505 No. of pages: receivers 15 hardware (or software), affected parts of the system must be reverified. A method for handling such partial reverification should be a part of the verification and validation program. The audit team intends to audit the reverification of the hardware affected by the modifications mentioned above. Westinghouse intends to complete the verification and validation of the present system, as contained in WCAP 8150, using the old M bus design operating at room temperature, by the end of FY 1980. Completion of verification and validation of the system with the new cards is expected in early 1981. Mr. Remley described the system verification testing. The V&V testing is preceded by standard hardware tests on components (cards. cables) and with the system assembled. While not part of the V&V test program, V&V testing assumes that these tests have been completed. (See General tests in Attachment III). Errors found during testing are documented beginning with the V&V testing phase. A software integration test also precedes the V&V testing phase, analogous to initial "smoke tests" of hardware PC cards. Errors found in the software during the integration test are documented, handled, and counted as in the V&V testing phase. The Audit Team does not object to this additional testing which is not part of the V&V procedure provided (1) errors and resulting changes are documented and properly handled using V&V procedures, and (2) that errors found are examined to determine whether they would have been found during the required V&V testing in order to assure the adequacy of the V&V tests and reocedures. In addition, all errors found during the V&V process should be examined to determine whether they should have been found in previous steps of the V&V procedure, in order to assure the adequacy of V&V testing. Mr. Remley reviewed the errors found to date in the System Verification Testing. (See Attachment IV). Of the 26 errors found, 9 were wiring errors, 13 were software errors, 3 were PC card design errors, and 1 was in system specification. Of the 13 software errors, 30% were in the handling of flags and all but 1 occurred in the tester programs. This may imply a need for special verification method of the use of flags or an inadequate V&V of the tester. One of the PC card errors was a design error in the Intel 8251 chip. The Audit Team reviewed the results of the QM series PC cards at ambient temperature. Mr. McCann described the test procedure and reviewed the eight Requests for Engineering Action (REA) which resulted from errors found. Mr. Gupta described the status of the system verification testing. The configuration of the system during testing was described including #### OAK RIDGE NATIONAL LABORATORY OPERATED BY UNION CARBIDE CORPORATION NUCLEAR DIVISION POST OFFICE BOX X OAK RIDGE, TENNESSEE 37830 August 29, 1980 Mr. R. M. Satterfield, Chief Instrumentation & Controls Systems Branch Division of Systems Integration Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission Washington, DC 20555 Dear Sir: ## Trip Report on RESAR-414 V&V Audit - 7 On July 21-23, 1980, the ORNL V&W Aught Team, consisting of J. B. Bullock, E. B. Johnson, and W. H. Sides, met with Westinghouse personnel at ISD in Pittsburgh, FA. Mr. John Gallagher of W-NTD presided for Westinghouse. Dr. W. C. Lipinski, representing the Advisory Committee on Reactor Safety of the NRC, also attended the sessions. W. H. Sides and E. B. Johnson were not present for the session July 23. Meeting attendance for the three days is listed in Attachment I. Mr. Bullock presented the scope of the audit, which was a review of the M and MX bus designs, a discussion of errors detected by the V&V effort, a review of the test plan for the integrated system verification tests, and a demonstration of the completed system including ad hoc testing. The agenda for July 21-22 is Attachment II. The problem which occurred in the operation of the system at elevated temperatures (>60°C) was reviewed. As was discussed in previous audits, the problems appeared as crosstalk in long cables. The M and MX (extended) buses were redesigned as was the threshhold of the logic circuits. The new design was reviewed in April, 1980, by a team consisting of Westinghouse personnel in ISD, NTD, Westinghouse R&D and two outside academic consultants. As a result of this review, a report was written which included a number of action items. These items have resulted in the redesign of four printed circuit. boards (QME, QMD, QMS, and QMD) and one back plane. The changes have been incorporated in the hardware design specifications and the cards have been sent to the manufacturing group. The new printed circuit boards will be available by the end of October. There were no changes in the software. (The review did not include the software, and a groundrule was established for the redesign that the software not be affected). The complete new bus has been tested, fully loaded, at room temperature and at elevated temperatures up to 60-65°C with no apparent problems. Testing will continue to determine the level of noise immunity. An IEEE surge generator will be used as an external noise source. (These tests were not performed on the old M bus design). Verification of the hardware redesign is scheduled for completion in December, 1980, and revalidation of the hardware/software system in February, 1981. The audit team next reviewed the hardware and software errors detected by the V&V effort. In the V&V process (WCAP 9153), a System Design Specification (SDS) is written and proceeds to the System Performance Specification (SPS). The SPS is verified against the SDS. The hardware is designed and the software code is written and verified against the SPS. The fully assembled system is verified against the SDS in the integrated system testing. At the module and subsystem level, 36 software errors and 67 hardware errors were detected. These have been discussed in previous audits. In the integrated system tests (3), 127 errors were reported, including 6 in software and the remainder in hardware. In the hardware, 36 were in the IPC and ILC Automatic Testers (not previously possible to subject to complete testing), 63 were wiring errors, 5 were printed circuit card design errors, and 11 were random printed circuit card failures. The audit team reviewed a list of these and selected a few for further attention. One error resulted from a misinterpretation of the SPS by the programmer, apparently due to the lack of inclusion of the equation to be rogrammed. As a result, an erroneous equation was created by the programmer and not adequately questioned by the verifier. The verifier assumed the validity of the equation and proceeded to verify that the implemented software correctly . Ived the equation. The audit team expressed the concern that the incident may represent a weakness in the degree of independence expected in the V&V team. A detailed investigation of the software test specifications was recommended to insure that similar errors have not been created and left undetected by the integrated system testing. On July 22, Mr. Bruce Cook presented the Simulated Transient Test Results Report, shown in Attachment 3, which should be noted as Westinghouse Proprietary Preliminary Results. Following the presentation by Mr. Cook, discussion centered principally around the corpleteness and accuracy of the system simulations. In particular, it was questioned by Dr. Lipinski as to whether or not the results could be directly related to the Chapter 15 transients. Westinghouse reiterated the position that the Chapter 15 simulation testing was beyond the normal testing for the systems functional verification in that their original understanding of the requirement was that of the multivariable nature of the testing rather than to show direct agreement with Chapter 15 results. The matter was left for further discussion on the following day. Following discussions on the nature of the noise simulation provided by the transient simulator, Mr. Sides recommended that the general magnitude of the noise signals be reviewed by Dr. Gopal for general reasonableness. August 29, 1980 In preparation for the demonstration of the transient test case runs, it was noted that excessive noise in the system was affecting the interpretation of some of the results, and furthermore, that the tape recorder drive mechanism was experiencing some operational difficulties. In our discussions about the ad hoc test cases recommended by the audit team, it was revealed that the input testing for the various signals had not been expressly designed to bracket the worst rates or magnitudes that could be encountered during operation. This resulted in the request for ad hoc tests which would step signals from their minimum to their maximum values as opposed to the normal 25% steps used in the system verification. These tests were successfully demonstrated by Westinghouse for the audit team. In all instances, the system performed in a normal and acceptable manner. Later discussions revealed the automatic test routines typically applies signals in a step-wise manner and, although not by design, will in fact perform the bracket type testing which earlier seemed to have been overlooked. Requests for ad hoc tests involving partial power outages or total power outages to the system were declined with the explanation that the system was known to be incapable of performing an automatic restart at the present time. The system is currently being modified to respond to temporary power interruptions with automatic restarts, as will be demonstrated in the final qualification testing with the M bus design in February 1981. The question of the response of the system to the extraction and reinsertion of circuit boards received considerable discussion prior to the system demonstration. Westinghouse expressed their position that the system was not designed to tolerate or to permit such activities, and it generally felt that the design would be fail-safe. The main protection against this main activity was argued to be a locked instrument cabinet with administrative controls enforced by the operational staff. Dr. Lipinski requested ad hoc tests to demonstrate the response of the system. In summary, it was noted that only one or two cards failed to indicate to the operator by way of an annunciator or trip that they had been removed. The afternoon session consisted of the planned demonstrations of transient cases played from the tape recorder, which subsequently malfunctioned and resulted in a postponement of these tests. The ad hoc testing, as discussed above, was accomplished with the indicated results and a session was planned for the following morning to discuss the overall audit results. The draft version of the Westinghouse WCAP-9739 entitled "Summary of the Westinghouse Integrated Protection System Verification and Validation Program" was reviewed briefly. The main discussion returned to the topic of the previous day relating to the extent to which the transient tests could be related to the Chapter 15 transients, and in particular, whether or not the simulated transient data could be reanalyzed or arranged to more clearly indicate the system is capable of performing its required functions to appropriately cope with the Chapter 15 transients. Westinghouse agreed to review the arrangement of the data and the analyses and make a future presentation with the objective of more closely relating the results to the Chapter 15 transients. In addition, it was requested that some test cases be presented or evidence of verification be made available for the ACCEPT Program. In conclusion, the audit team requested a demonstration of the transient testing in which an operational tape recorder would be available. Westinghouse was also asked to take a more detailed look at the noise problem and its origins for the test arrangement and in particular, to provide better DC amplifiers in the event this is concluded to be the prime noise source. It was observed that the simulated noise efforts by the test planners were probably being rendered useless in the presence of high experimental equipment noise sources. A tentative date was set for early September for a revisit to resolve these matters. Sincerely 8. B. Bullock JBB/djg Attachments cc: (w/o attachments) J. L. Anderson E. B. Johnson W. H. Sides 6.2 IPS Prototype Baseline Design The following sheets compose the IPS Prototype Baseline Design, a list of all ISD documents defining the 'as built' Integrated Protection System and its components.\* \*Please note that the attached list is presently incomplete and will be completed and updated at a later date. a,c,e This entire section is considered proprietary and the pages would appear bracketed as shown here. There were 42 pages to the section. 6.3 Definition of Acronyms and Abbreviations A/D Analog to Digital, refers to signal conversion AES Actual Equipment Supplier AMD Advanced Micro Division APU Arithmetic Process Unit, the component of a computer that performs arithmetic operations Aux Auxiliary CAMAC A standard for high speed serial interface Communications Bus - a communicative link between system modules C-Bus CCI Contact Closure Input, input signal from a mechanical switch C & ES Control and Electrical Systems CG Cabinet Ground CMOS Complimentary Metal Oxide Semiconductor CPU Central Process Unit, the main part of a computer excluding peripherals CRT Cathode Ray Tube D/A Digital to Analog, refers to signal conversion Demultiplexing, refers to the separation of several signals that Demux were combined to send along a single path DEO Development Engineering Order, a document which specifies corrective changes to a given system component DIM Director Inter-Module, an internal logic signal Departure from Nucleate Boiling, the transition from local to bulk \*DNB boiling within a reactor DS Design Specification EMI Electromagnetic Interference EMR Electromagnetic Radiation Equipment Performance Specification, defines functional requirements of a given system component Engineered Safeguards Feature EPS ESF FET Field Effect Transistor GO abbreviation for Group, referring to design variations on drawings H abbreviation for the Hexadecimal numbering system HVPS High Voltage Power Supply HVPSM High Voltage Power Supply Module ICC Integrated Control Cabinet IEEE Institute of Electrical and Electronic Engineers ILC Integrated Logic Cabinet 1/0 Input/Output IPC Integrated Protection Cabinet IPL Integrated Protection and Logic IPLS Integrated Protection and Logic System IPS Integrated Protection System IRM Intermediate Range Module, a subsystem of the nuclear instrumentation system whose measurements span certain reactor core power levels ISD Industry Systems Division kw/ft kilowatts per foot, units of reactor core power LED'S Light Emitting Diodes LSB Least Significant Bit, the least significant digit of a binary number MCB Main Control Board MDS Microprocessor Development System MSB Most Significant Bit, the most significant digit of a binary number Mux Multiplexing, the combining of several signals in order to transmit over a single path N/A Not Applicable NIS Nuclear Instrumentation System, a system that monitors reactor power by measuring neutron flux by means of excore detectors NR Narrow Range NRC NS Nuclear Regulatory Commission NSSS Supplier NSSS Nuclear Steam Supply System Nuclear Technology Division NTD ORNL Oak Ridge National Laboratories PAMS Post Accident Monitoring System PH2 abbreviation for Phase 2 PM Power Monitor PRM Power Range Module, refers to a subsystem of the Nuclear Instrumentation System activated by certain reactor core power levels PROM Programmable Read Only Memory, a computer or microcomputer component that permanently stores linary information PVTP Product Verification Test Procedure, a document describing the tests necessary to verify that a system component meets its design specification 0-line Westinghouse ISD microprocessor - controller based product line RAM Random Access Memory, a computer or microcomputer component that stores data on a temporary basis R.C. Reactor Coolant RCP Reactor Coolant Pump REA Request for Engineering Action, a document which describes a problem with a system component encountered during testing and requests corrective action RESAR Reference Safety Analysis Report RHR Residual Heat Removal RIO Remote Input/Output RPI Rod Position Indicator, a device indicating control rod position in a reactor RTD Resistance Temperature Detector R5232 an interface standard for data links RX Receive Software Engineering Order, description of corrective action to SEO software SDS System Design Specification, a document describing the functional requirements of the entire Integrated Protection System SG -Shield Ground Safety Grade Digital Rod Position Indicator SGDRPI - SI Safety Injection Serial Number S/N SOM Start of Message SP Setpoint SPS Software Performance Specification - a document that completely describes the functions of a given piece of software SR Source Range SRM Source Range Module, a subsystem of the Nuclear Instrumentation System certain reactor core power levels SRP Source Range Preamplifier Signal Selector, a device within the IPS capable of selecting SS valid signals and rejecting signals that are in error STS Software Test Specification, a document describing the tests necessary to verify that a given piece of software meets its design specification Surge Withstand Capability, ANSI C37.90a-1974 SWC Test Result Manual, a test results summary for a given piece TRM of software Test Procedure TP Transmit TX Universal Asynchronious Receiver-Transmitter, a serial data link UART controller UIOB Universal Input/Output Data Bus UV Undervoltage Verification and Validation V and V - Workspace, a segment of computer or microcomputer memory set aside WKS for certain data WR Wide Range Water Reactors Division WRD