enclosure 3 to uap-hf-13235 - supplemental response to


Page 1: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Docket No. 52-021
MHI Ref: UAP-HF-13235

Enclosure 3

UAP-HF-13235
Docket No. 52-021

Supplemental Response to Request for Additional Information No. 992-6999 (SRP 07.09)

November 2013 (Non-Proprietary)

Page 2: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION

11/01/2013

US-APWR Design Certification

Mitsubishi Heavy Industries

Docket No. 52-021

RAI NO.: No. 992-6999

SRP SECTION: 07.09 - Data Communication Systems

APPLICATION SECTION: 07.09 - Data Communication Systems

DATE OF RAI ISSUE: 2/15/2013

QUESTION NO.: 07.09-26

GDC 24 states, "The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."

IEEE Std. 603-1991 (incorporated by reference via 10 CFR 50.55a(h)) requires demonstration of interdivisional independence and high reliability as well for safety system design. DI&C-ISG-04, Staff Position 1.3 states, in part, that functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. ISG-04, Staff Position 1.3, further states, in part, that "A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system."

Appendix E (1.3) of the technical report MUAP-07004-P, Rev. 7, states, in part, "The control from the operational VDU reduces the task burden of accessing controls through separate train safety-related HSIS. Reducing task burden frees mental resources to improve situation awareness and reduce human performance errors. In addition, due to the advanced graphical user interface, the operational VDU is less prone to human performance error, than the safety VDU, therefore it is the preferred interface for all control actions. Multi divisional control from the operational VDU is expected to result in an overall improvement in plant safety-rerated [sic], as demonstrated through HFE full scope simulator testing."

Since the justification provided for conformance with ISG-04 Staff Position 1.3 in MUAP-07004-P is largely based on human factors engineering, the NRC staff coordinated review of the interface between the operational VDU and safety systems with Chapter 18 reviewers at NRC. Even though the safety evaluation of HFE (DCD Chapter 18) agrees that having centralized controls at the operational VDU does offer reduction in operator task burden, there is no evidence that the control of safety equipment from operational VDU enhances the performance of safety function. One-way communications from safety to non-safety systems makes all of the safety system information available at operational VDU that could be used by the operator to assess the need for any manual action. With availability of the multi-divisional safety display, manual operator actions can be performed from the safety VDU with reduced burden.

07.09-1

Page 3: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

The staff requests the applicant to provide the following:

1. Sufficient evidence associated with the HFE full scope simulator testing or a quantitative analysis to demonstrate that the use of operational VDU to operate safety equipment enhances the performance of the safety function.

2. An ITAAC that adequately verifies testing for normal and abnormal data transmission conditions for all non-safety to safety interfaces.

ANSWER:

1. The answer to Question 1 was formally submitted by letter UAP-HF-13209 dated 8/26/2013.

2. Regarding manual controls of safety-related components from O-VDUs, the following functions will be verified by ITAAC to ensure normal and abnormal data transmission for manual operations from O-VDUs:

(1) Manual operations of the safety-related components from O-VDUs

(2) Priority logic between S-VDUs and O-VDUs (i.e., overrides of O-VDU by S-VDU)

(3) Priority logic between safety signals and O-VDUs (i.e., overrides by safety signal)

(4) Disable manual operations of safety-related components from O-VDUs by safety-related disable switch on S-VDUs

Per item (1), MCR/RSC Control ITAAC in each system (e.g., Table 2.4.4-5 ITAAC #8, #10.a and #12) verifies safety-related component control from O-VDUs. In addition, MHI revises Table 2.5.1-6 ITAAC 4 and Table 2.5.2-3 ITAAC 7, and adds Table 2.5.2-3 ITAAC 8 to verify manual safety system actuation from O-VDUs. Refer to the amended response to RAI 936-6466 Revision 3, Question 14.03.05-45 under UAP-HF-13097 dated 4/18/2013.

Per item (2), ITAAC Table 2.5.1-6 #25.a verifies item (2) above. Refer to the amended response to RAI 945-6452 Revision 3, Question 14.03.11 under UAP-HF-13085 dated 4/3/2013.

Per item (3), ITAAC Table 2.5.1-6 #25.b verifies item (3) above. Refer to the amended response to RAI 945-6452 Revision 3, Question 14.03.11 under UAP-HF-13085 dated 4/3/2013.

Per item (4), ITAAC Table 2.5.1-6 #25.a verifies item (4) above. Refer to the amended response to RAI 945-6452 Revision 3, Question 14.03.11 under UAP-HF-13085 dated 4/3/2013.

07.09-2

Page 4: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

In addition, ITAAC to verify displays on O-VDUs is added to existing MCR/RSC Display ITAAC in each system (e.g., Table 2.4.4-5 ITAAC #11). Refer to the amended response to RAI 945-6452 Revision 3, Questions 14.03-6, 14.03-7, and 14.03-8 under UAP-HF-13085 dated 4/3/2013.

Compliance with the ISG-04 regarding communication faults is achieved through the MELTAC platform (hardware and basic software) which has been adequately analyzed, and the results are described in MUAP-13018 (JEXU-1015-1009 will be resubmitted as MHI document MUAP-13018), ISG-04 Conformance Analysis Technical Report. Tests of the MELTAC platform will be conducted to demonstrate that the data communication system (DCS) can mitigate all the design-basis communication faults resulting in the abnormal data transmission conditions listed in Attachment 2-2, which covers all communication faults described as examples in ISG-04 Staff Position 1.12. The tests of the as-built PSMS as described in ITAAC #4 of Table 2.5.1-6 will be conducted to demonstrate all normal data transmission conditions. These test results will adequately demonstrate that the DCS can mitigate the design-basis communication faults resulting in abnormal data transmission conditions, and can perform all required normal data transmission conditions from all non-safety systems to safety systems (PSMS).

Further, MHI adds a new ITAAC #6.iii to Table 2.5.6-1, as shown in Attachment-1, to demonstrate that the communication processors used for the DCS can mitigate all the design basis communication faults as identified in the design basis document shown in Attachments 2-1 and 2-2. Type tests will be conducted at the factory using prototype systems of the same design as the as-built systems which will be applied to the US-APWR. In the tests, all the simulated design basis communication faults will be generated for the verification. These tests are categorized as type tests, which are addressed by NEI 08-01 (Rev 4) Section 8.5.3. In addition, inspection of the as-built DCS communication processors will be conducted under existing ITAAC #6.i in the same table, which is slightly revised for clarification.

Impact on DCD

DCD Tier 1 Table 2.5.6-1 ITAAC #6 is revised as shown in Attachment-1.

Impact on R-COLA

There is no impact on the R-COLA.

Impact on PRA

There is no impact on the PRA.

Impact on Technical / Topical Report

Subsection 4.3.2.5.2 will be revised in, and Appendix H will be added to, MUAP-07005 at the next version, as shown in Attachments 2-1 and 2-2, respectively. Subsection 3.2.1 will be revised in MUAP-13018 (JEXU-1015-1009 will be resubmitted as MHI document MUAP-13018) as shown in Attachment 2-3.

07.09-3

Page 5: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment-1 to Response to RAI 992-6999 Subquestion 2 (1/2)

2.5 INSTRUMENTATION AND CONTROLS US-APWR Design Control Document

2.5.6 Data Communication Systems

2.5.6.1 Design Description

The data communication systems (DCS) consist of:

• Plant-wide unit bus

• Safety bus (for each PSMS division)

• Data links for point-to-point communication

• Input/Output (I/O) bus

• Maintenance network for each PSMS division and the PCMS

The DCS is a distributed and highly interconnected system as shown in Figure 2.5.6-1, which has communication independence to prevent electrical and communication processing faults in one safety division (or the non-safety PCMS) from adversely affecting the performance of safety functions in other divisions. Qualified fiber-optic isolators are used to prevent electrical faults from transferring between divisions, and between safety and non-safety systems. Communication faults are prevented through data integrity verification.

A non-redundant non-safety multi-drop maintenance network is provided separately within each PSMS division and within the PCMS. The maintenance network is used to transmit signals between the engineering tools and the PSMS or PCMS system management module of each controller.

1. Deleted.

2. Deleted.

3. The DCS provides external networks with a communications link via the unit management computer (UMC) which is connected to the unit bus. The UMC provides a firewalled interface, which allows only outbound communication from the unit bus to external networks. There are no other connections from external sources to the DCS.

4. The safety-related portions of the DCS are located in a facility area that provides protection from accident related hazards such as missiles, pipe breaks and flooding.

5. The PSMS application setpoints, constants and application software are changeable only by removing the CPU module that contains the memory devices from the controller and placing it in a dedicated re-programming chassis.

6. Digital communication independence is achieved by communication processors that are independent of RT and ESF actuation processing functions of the redundant divisions of the PSMS, and also between non-safety systems and the PSMS. [Markup, DCD_07.09-26 S01: insert "the DCS" between "by" and "communication".]

Tier 1 2.5-57 Revision 4

Page 6: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment-1 to Response to RAI 992-6999 Subquestion 2 (2/2)

2.5 INSTRUMENTATION AND CONTROLS US-APWR Design Control Document

Table 2.5.6-1 Data Communication Systems Inspections, Tests, Analyses, and Acceptance Criteria (Sheet 2 of 2)

Columns: Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria

Item 5

Design Commitment: The PSMS application setpoints, constants and application software are changeable only by removing the CPU module that contains the memory devices from the controller and placing it in a dedicated re-programming chassis.

Inspections, Tests, Analyses: Type tests of the PSMS changeability will be performed.

Acceptance Criteria: The PSMS application setpoints, constants and application software are changeable only by removing the CPU module that contains the memory devices from the controller and placing it in a dedicated re-programming chassis.

Item 6

Design Commitment: Digital communication independence is achieved by communication processors that are independent of RT and ESF actuation processing functions of the redundant divisions of the PSMS, and also between non-safety systems and the PSMS. [Markup, DCD_07.09-26 S01: insert "the DCS" between "by" and "communication".]

Inspections, Tests, Analyses 6.i: An inspection of the as-built PSMS will be performed to verify communication processors are installed.

Acceptance Criteria 6.i: Communication processors exist in the as-built PSMS for digital communication between redundant divisions of the PSMS and between non-safety systems and the PSMS. [Markup, DCD_07.09-26 S01: change "Communication" to "The DCS communication".]

Inspections, Tests, Analyses 6.ii: Type tests or analyses, or a combination of type tests and analyses of the digital communication independence will be performed.

Acceptance Criteria 6.ii: A report exists and concludes that digital communication independence is achieved by communication processors that are independent of trip and actuation processing functions. [Markup, DCD_07.09-26 S01: insert "the DCS" between "by" and "communication".]

Acceptance Criteria 6.iii (new, DCD_07.09-26 S01): A report exists and concludes that the communication processors for the DCS can mitigate the design-basis communication faults of the DCS. [The Inspections, Tests, Analyses entry for 6.iii is not legible in this scan; a further markup note on the sheet reads "Delete the line."]

Tier 1 2.5-60 Revision 4

Page 7: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment 2-1 to Response to RAI 992-6999 Subquestion 2 (1/1)

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

(5) Abnormal data transmission conditions for all non-safety to safety interfaces

Abnormal data transmission conditions for all non-safety to safety interfaces in the MELTAC platform are detected and mitigated, covering all communication faults described in ISG-04 Staff Position 1.12. The detail is described in Appendix H of this report.

DCD_07.09-26 S01

MITSUBISHI ELECTRIC CORPORATION 122

Page 8: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment 2-2 to Response to RAI 992-6999 Subquestion 2 (1/17)

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

APPENDIX H DESIGN-BASIS COMMUNICATION FAULTS

DCD_07.09-26 S01

This appendix describes that the MELTAC platform can be tested to demonstrate that the data communication system can mitigate all the design-basis communication faults in non-safety system to safety-related system communication. The design basis communication faults listed in this appendix cover all the communication faults described in the ISG-04 Staff Position 1.12. The term "abnormal conditions" in this appendix indicates the condition which is caused by the design basis communication faults.

Figure H.1 identifies typical abnormal conditions, focusing on the communication from the non-safety system to the safety-related system.

In this figure, MELTAC is defined as the operation target controller, the O-VDU is defined as the equipment that should send an operational command to MELTAC, and the Other Controller is defined as the equipment that should not send an operational command to MELTAC. The "X" marks in the figure indicate the points where abnormal conditions are generated; dotted-line balloons indicate the content of abnormal conditions.

Figure H.1 Configuration on Control Network

[The figure itself is not reproduced in this transcript; the only legible balloon text is "Network error (network cable -1)".]

Figure H.2 below shows a comprehensive chart for the contents of abnormal conditions identified in Figure H.1 ("communication message error" and "network error"). Figure H.2 shows possible abnormal condition patterns in the communication from non-safety system to safety-related system in a hierarchical way based on the configuration of Figure H.1. This figure thus exhaustively identifies abnormal conditions.

MITSUBISHI ELECTRIC CORPORATION 340
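As an added illustration that is not part of MHI's response and not MELTAC platform code, the following Python sketch shows the receive-side checks a safety-side controller can apply to commands arriving from a non-safety sender in the configuration Figure H.1 describes: the O-VDU is the only authorized command source, the "Other Controller" must not be able to command the target, and each rejected frame is classified as a message error or a network error while the receiver holds its last validated command instead of acting. The wire layout, source identifiers, command codes, timing limits and fault names are constructed assumptions for the example; the fault classes are modelled on the categories ISG-04 Staff Position 1.12 lists (corrupted, repeated, out-of-sequence, lost, delayed, unexpected-source, overlong and out-of-range messages), not on Table H.1, which is not legible in this transcript.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed wire layout for this example (an assumption, not the MELTAC format):
#   src_id:2 | seq:2 | timestamp_ms:4 | cmd:2 | payload_len:2 | payload | crc32:4
HEADER = struct.Struct(">HHIHH")
CRC = struct.Struct(">I")
MAX_PAYLOAD = 16                 # receive buffer size (constructed)
AUTHORIZED_SOURCES = {0x0001}    # 0x0001 = O-VDU, the only permitted command source (constructed id)
OTHER_CONTROLLER = 0x0002        # a sender that must never command the target (constructed id)
VALID_COMMANDS = range(0, 4)     # constructed set of legal command codes
MAX_AGE_MS = 500                 # permitted arrival window for a command (constructed)
LINK_TIMEOUT_MS = 2000           # silence after which the link is declared lost (constructed)


def build_message(src_id: int, seq: int, ts_ms: int, cmd: int, payload: bytes = b"") -> bytes:
    """Frame a command as the sender would, appending a CRC-32 over header and payload."""
    body = HEADER.pack(src_id, seq, ts_ms, cmd, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class ReceiverState:
    """State kept by the safety-side receiver; updated only when a frame is accepted."""
    last_seq: Optional[int] = None
    last_rx_ms: Optional[int] = None
    accepted_cmd: Optional[int] = None   # last validated command; held unchanged on any fault


def validate(state: ReceiverState, raw: bytes, now_ms: int) -> Tuple[str, str]:
    """Classify one received frame: ("accepted", "ok") or ("rejected", <fault class>).

    Each check maps to one abnormal-condition class. A rejected frame never changes
    state, so the safety side keeps its last validated command rather than acting on it.
    """
    if len(raw) < HEADER.size + CRC.size:
        return "rejected", "truncated"            # message error: too short to carry a CRC
    body, crc = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])[0]
    if (zlib.crc32(body) & 0xFFFFFFFF) != crc:
        return "rejected", "crc"                  # message error: corrupted in transit
    src, seq, ts, cmd, plen = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if len(payload) != plen or plen > MAX_PAYLOAD:
        return "rejected", "length"               # message error: longer than the receive buffer
    if src not in AUTHORIZED_SOURCES:
        return "rejected", "unauthorized_source"  # e.g. the Other Controller trying to command
    if ts > now_ms or now_ms - ts > MAX_AGE_MS:
        return "rejected", "stale"                # network error: delayed beyond its window
    if state.last_seq is not None:
        delta = (seq - state.last_seq) & 0xFFFF
        if delta == 0:
            return "rejected", "repeated"         # same frame delivered again
        if delta != 1:
            return "rejected", "sequence"         # a frame was lost or arrived out of order
    if cmd not in VALID_COMMANDS:
        return "rejected", "out_of_range"         # data outside the expected range
    state.last_seq, state.last_rx_ms, state.accepted_cmd = seq, now_ms, cmd
    return "accepted", "ok"


def link_lost(state: ReceiverState, now_ms: int) -> bool:
    """Network error: no valid frame within the timeout, independent of any frame content."""
    return state.last_rx_ms is not None and now_ms - state.last_rx_ms > LINK_TIMEOUT_MS


def run_scenario() -> tuple:
    """Feed constructed frames, one per fault class, and return the classifications."""
    st = ReceiverState()
    results = [validate(st, build_message(0x0001, 1, 1000, 2), 1100)]   # good first frame
    corrupted = bytearray(build_message(0x0001, 2, 1200, 1))
    corrupted[5] ^= 0x01                                   # flip one bit inside the timestamp
    frames = [
        (bytes(corrupted), 1300),
        (build_message(OTHER_CONTROLLER, 2, 1200, 1), 1300),
        (build_message(0x0001, 1, 1200, 1), 1300),         # seq 1 again: repeated
        (build_message(0x0001, 3, 1200, 1), 1300),         # seq 3: seq 2 was lost
        (build_message(0x0001, 2, 100, 1), 1300),          # sent long ago: delayed
        (build_message(0x0001, 2, 1200, 9), 1300),         # illegal command code
        (build_message(0x0001, 2, 1200, 1, b"x" * 17), 1300),  # overlong payload
        (build_message(0x0001, 2, 1200, 1), 1300),         # finally a good frame
    ]
    results += [validate(st, f, t) for f, t in frames]
    return results, st.accepted_cmd, link_lost(st, 1300 + LINK_TIMEOUT_MS + 1)


if __name__ == "__main__":
    for status, reason in run_scenario()[0]:
        print(status, reason)
```

The ordering of the checks matters for a receiver like this: integrity (CRC) and length are verified before any field is interpreted, so a corrupted or overlong frame can never reach the source or sequence logic; the source check precedes the timing and sequence checks so that an unexpected sender cannot disturb the sequence state; and because state changes only on acceptance, any single fault leaves the receiver holding its last validated command until a valid frame or the link timeout arrives.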

Page 9: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment 2-2 to Response to RAI 992-6999 Subquestion 2 (2/17)

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

DCD_07.09-26 S01

Figure H.2 Abnormal Data Transmission Condition Patterns

[The figure itself is not reproduced in this transcript.]

MITSUBISHI ELECTRIC CORPORATION 341

Page 10: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment 2-2 to Response to RAI 992-6999 Subquestion 2 (3/17)

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

DCD_07.09-26 S01

[This sheet continues Figure H.2; its content is not reproduced in this transcript.]

MITSUBISHI ELECTRIC CORPORATION 342

Page 11: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (1/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 343

Page 12: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (2/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 344

Page 13: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (3/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 345

Page 14: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (4/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 346

Page 15: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (5/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 347

Page 16: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (6/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 348

Page 17: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (7/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 349

Page 18: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (8/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 350

Page 19: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (9/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 351

Page 20: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (10/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 352

Page 21: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (11/13)

[Table content is not recoverable from this scan; the sheet carries change tag DCD_07.09-26 S01.]

MITSUBISHI ELECTRIC CORPORATION 353

Page 22: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (12/13)

[Table content is not recoverable from this scan.]

MITSUBISHI ELECTRIC CORPORATION 354

Page 23: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.1 Communication Error Patterns Identified (13/13)

[Table content is not recoverable from this scan.]

MITSUBISHI ELECTRIC CORPORATION 355

Page 24: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment 2-2 to Response to RAI 992-6999 Subquestion 2 (17/17)

SAFETY SYSTEM DIGITAL PLATFORM - MELTAC - JEXU-1012-1002-NP(R9)

Table H.2 ISG-04 Staff Position 1.12

DCD_07.09-26 S01

[Table content is not recoverable from this scan.]

MITSUBISHI ELECTRIC CORPORATION 356

Page 25: Enclosure 3 to UAP-HF-13235 - Supplemental Response to

Attachment 2-3 to Response to RAI 992-6999 Subquestion 2 (1/1)

MELTAC Platform ISG-04 Conformance Analysis JEXU-1015-1009-NP(R5)

DCD_07.09-26 S01

[The revised Subsection 3.2.1 text of this attachment is not recoverable from this scan; the sheet carries several DCD_07.09-26 S01 change tags.]

MITSUBISHI ELECTRIC CORPORATION 24