Part 21 Report - 1997-072
ACCESSION #: 9704080133
Victoreen, Inc.
April 1, 1997
VICTOREEN
U. S. Nuclear Regulatory Commission
Document Control Center
Washington, DC 20555
Reference: 10CFR21 Report of Noncompliance dated January 30, 1997
Model 960 RDU Fixed Display and Outputs
Subject: Corrective Action and Close-out, 10CFR21 Report of
Noncompliance
Model 960 RDU Fixed Display and Outputs
Gentlemen:
Further to our notification dated January 30, 1997, this letter has been
prepared to provide formal notification of the corrective action
performed, and to close-out the subject 10CFR21 Report of Noncompliance.
General Description:
For Safety-Related applications, the Model 960 microprocessor based
digital radiation monitoring system (DRMS) consists of a local radiation
processor (LCU or LRP) and a remote, control room located, display and
control unit (RDU or SRD). In this design, the LCU is configured as a
"master," stand alone, radiation input processor. The RDU operates as a
"slave" control and indication device, driven by the LCU. The LCU
communicates with the RDU via a dedicated serial communication link. The
design also supports interface with a supervisory computer, electrically
isolated from the Safety Related components via a fiber optic isolation
system.
The subject Report of Noncompliance identifies the potential for the
microprocessor in the RDU to "lock up." In this mode, the RDU will not
respond to status and value information transmitted from the LCU. That
is, the RDU digital display and analog outputs will stop updating, and
the RDU alarm relays will not change state to indicate a radiation alarm
or monitor fail condition. Note that this notification does not apply to
the digital display, analog output and relay contact outputs originating
directly from the LCU. Only the display, analog and relay outputs
originating from the RDU are affected.
6000 Cochran Road
Cleveland, Ohio 44139-3395
(216) 248-9300
FAX (216) 248-9301
810-421-8287
Victoreen Corrective Action:
1. The PG&E RDU hardware was simulated in our test department. The
event described has been replicated, identifying the potential for a
"lock up" to occur. Further analysis of the RDU operation has identified
that a momentary loss of AC power may result in a "lock up." This was
simulated by rapidly toggling the AC power switch on and off. By rapidly
cycling the AC power switch, a "lock up" condition was produced
approximately one (1) out of ten (10) times.
2. To correct the problem, Victoreen has implemented the following
modifications to the test RDU:
- Design Change Request No. 3CR47-97 was issued to revise the RDU
operating firmware to include a WRITE operation to the analog output
module at the end of each microprocessor cycle. The WRITE operation
is used to reset a Watchdog counter circuit.
- A Watchdog counter circuit has been added to the RDU. The
Watchdog counter has been designed to time out in three (3) seconds
and output a pulse to reset the microprocessor. Receipt of the
analog output WRITE operation will reset the counter and permit
normal operation to continue.
- An AC power sense circuit has been added to the RDU. The circuit
monitors the AC line voltage, and outputs a PWRFL pulse if the AC
line voltage drops below a nominal 90 V AC. The PWRFL pulse will
hold the microprocessor in a RESET state until the AC line voltage
returns to normal. This action prevents operation of the
microprocessor under low Vcc conditions, where the validity of the
memory addressing operations may be questionable, and the potential
for a "lock up" condition exists.
- Job Request No. 3JR7-97 was issued to implement the above
functions, resulting in the design of the Model 960WD-200 Watchdog
timer and AC voltage sense module. The design of the circuitry is
based on similar circuitry that has been shown to be effective in
preventing "lock ups" in the LCU. This module, along with the
change to the RDU operating firmware, has been shown to effectively
prevent "lock ups" on our test RDU.
- The operation of the microprocessor controlled isolator was also
evaluated. Although a Watchdog circuit and voltage monitor are not
included in the design of the isolator, a "lock up" of this
microprocessor will result in the display of a Communications Fail
message on the computer console. Because the computer system is not
considered Safety Related, and is isolated from the LCU or RDU via a
fiber optic isolation system, additional protection is not required
to ensure the integrity of the Safety Related portion of the
monitor.
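The Watchdog counter and AC power sense behaviour described in item 2, as an added illustration in C (not Victoreen's firmware or circuit): a tick-based model run with and without the 960WD-200 module. The 250 ms step, the 120 V nominal line, the function and field names, and the assumption that release from RESET clears both the lock-up and the counter are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#define TICK_MS        250   /* simulation step (constructed) */
#define WDT_TIMEOUT_MS 3000  /* Watchdog counter times out in three seconds */
#define PWRFL_VAC      90    /* PWRFL is output below a nominal 90 V AC */
typedef struct { int cycles, wdt_resets; bool locked; } rdu_result;

/* Run the model for n ticks. vac[i] is the AC line voltage; upset[i] marks a
 * tick on which a transient corrupts execution if the CPU is running. */
rdu_result rdu_run(bool module_fitted, const int *vac, const bool *upset, int n)
{
    rdu_result r = {0, 0, false};
    int wdt_ms = 0;                       /* time since the last analog output WRITE */
    for (int i = 0; i < n; i++) {
        if (module_fitted && vac[i] < PWRFL_VAC) {
            r.locked = false;             /* PWRFL holds the CPU in RESET; it */
            wdt_ms = 0;                   /* restarts clean on release (assumed) */
            continue;
        }
        if (upset[i]) r.locked = true;    /* "lock up": firmware stops cycling */
        if (!r.locked) {
            r.cycles++;                   /* RDU display, analog and relay outputs refreshed */
            wdt_ms = 0;                   /* end-of-cycle WRITE resets the counter */
        } else if (module_fitted) {
            wdt_ms += TICK_MS;            /* no WRITE arrives, counter keeps running */
            if (wdt_ms >= WDT_TIMEOUT_MS) { r.wdt_resets++; r.locked = false; wdt_ms = 0; }
        }
    }
    return r;
}

/* Constructed 10 s trace: 120 V AC except tick 4, where the line reads dip_vac
 * and a transient upsets the CPU. */
rdu_result rdu_scenario(bool module_fitted, int dip_vac)
{
    int vac[40]; bool upset[40] = {false};
    for (int i = 0; i < 40; i++) vac[i] = 120;
    vac[4] = dip_vac; upset[4] = true;
    return rdu_run(module_fitted, vac, upset, 40);
}

int main(void)
{
    rdu_result a = rdu_scenario(false, 60), b = rdu_scenario(true, 60);
    printf("original: cycles=%d locked=%d; with module: cycles=%d locked=%d\n",
           a.cycles, a.locked, b.cycles, b.locked);
    return 0;
}
```

Calling `rdu_scenario(true, 120)` exercises the Watchdog path alone: the upset occurs at normal line voltage, so PWRFL never asserts and recovery comes from the three-second timeout.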
Customer Action:
1. Attachment A lists users of the Model 960 DRMS that are known to
initiate ESFAS operations from the RDU. In the close-out letter for
these applications, an upgrade to add the 960WD-200 module to the RDU
hardware will be made available. Design upgrade packages to provide
"lock up" protection for Safety-Related monitors will be available within
90 days from the date of this letter. Installation will be based upon
the schedule established by the user.
2. Attachment B lists users of the Model 960 DRMS that DO NOT use the
RDU to generate Safety-Related ESFAS actions. These users will be
formally notified of the potential for the RDU to "lock up". For these
users, the "lock up" condition will be readily evident to the operator
via the lack of the normal statistical fluctuation of the digital
display. Verification of the current radiation value may be obtained
from the LCU or, when supplied, from the supervisory computer system.
Because the frequency of occurrence is small, Safety-Related control
functions are not affected, and a method of detecting a "lock up" exists,
the close out letter to these users states that an upgrade to the
existing design is not considered mandatory. Users will be further
advised that operation of the RDU may be verified by periodically
actuating the monitor Check Source.
Root Cause Analysis:
From our review of the original design of the Model 960 system, the
master/slave relationship between the LCU and RDU assumed ESFAS
interlocks would be obtained from relays located in the LCU, and
incorporation of a Watchdog timer or an AC power sense circuit in the RDU
was not warranted. The Nonmaskable interrupt was used to recover from a
transient by forcing the processor to restart its main loop every 0.25
seconds. This concept was substantiated by the successful operation of
the installed RDUs for over 12 years (e.g. from 1984 through 1997). In
addition, the original system design for PG&E included a serial interface
to a supervisory computer. Although the computer system has not been
installed, this interface, which was to be routed through the RDU,
included a communications fail routine that was designed to provide a
fail message on the supervisory computer console. Because of the
successful operation in the past, the need for additional microprocessor
protection was not considered when the system design, to include ESFAS
outputs actuated from the RDU, was implemented. The root cause,
therefore, was basing the design on prior operating experience, and not
requiring the performance of a test to verify operation during short term
supply voltage transients.
We thank you for your cooperation in this matter. Please advise if you
have any questions or comments on the information provided herein.
Best Regards,
Andrew W. Lasko
Technical Support Manager
Linda S. Nash, Corporate Director,
Regulatory Affairs and Quality Assurance
Attachment A
960 Monitor Installations,
Safety Related RDU ESFAS Outputs
Mandatory Upgrade Required
Customer/Plant                Type  Ship Date  Sales Order  Control Outputs
PG&E/Diablo Canyon 1, 2       IIA   91/93      35554        RDU
RDU = Control Outputs available at RDU
Attachment B
960 Monitor Installations,
No Safety Related ESFAS Outputs at RDU
Upgrade NOT Required - Notification Only
Customer/Plant                Type  Ship Date  Sales Order  Control Outputs
Bechtel/KEPCO/KORI 3, 4       I     83/85      260032       LCU
Bechtel/KEPCO/Yonggwang 1, 2  I     84/86      370001       LCU
Tractebel/Tihange 1           I     85/86      49021        N/A
Tractebel/Tihange 2           I     85         69014        N/A
Electrobel/Tihange 3          I     85         89036        N/A
PSE&G/Salem 2                 I     86         860020       LCU
PSE&G/Salem 2                 I     86         780018       LCU
Con Edison/Indian Point 2     II    86/87      830023       LCU
Con Edison/Indian Point 2     II    87/90      190004       LCU
GPU/TMI 1                     II    87         960024       LCU
KEPCO/KORI 1, 2               IIA   92         36726        LCU
Proray/Jose Cabrerra          IIA   93         55885        N/S
KEPCO/KORI 1, 2; Wolsung 1    IIA   93         58047        LCU
Electrobel/Tihange 3          IIA   96         71320        N/A
LCU = Control Outputs available at LCU
N/A = RDU configured as LCU
N/S = Not Supplied
Page Last Reviewed/Updated Wednesday, March 24, 2021