ML091330023
| Person / Time | |
|---|---|
| Site: | Wolf Creek |
| Issue date: | 05/13/2009 |
| From: | Wolf Creek |
| To: | Office of Nuclear Reactor Regulation |
| | Stewart Bailey, NRR/DIG I&C, 415-1321 |
| References | |
| Download: | ML091330023 (13) |
Text
Successful Licensing of the ALS FPGA Based Safety Related I&C Platform
Wolf Creek Nuclear Operating Corporation
Introduction
- Wolf Creek Nuclear Operating Corporation (WCNOC) to install first implementation of the Advanced Logic System (ALS) during fall 2009 refueling outage
- For WCNOC and CS Innovations (CSI), installation is culmination of five year development and 24 month licensing effort
Page 2 Wolf Creek Non-Proprietary
Safety Related I&C Platform Study
- ALS project was born out of immediate need to solve reliability and obsolescence issues
- WCNOC conducted study of challenges faced by all US NPPs replacing their existing safety related I&C systems.
- Found that original manufacturers of existing equipment are in most cases out of business or no longer support the product lines.
- Situation typically leads to two approaches, each with their own challenges:
  1. Reverse engineer existing system/maintain as obsolescence and failures occur
     - Short-term fix for long-term problem
     - Offers little benefit from advancements in system integrity, diagnostics, and testability
     - Updated version subject to same obsolescence problems, multiplied due to number of components required to replace or update all safety related I&C systems
     - Requires specific experts and specific training
  2. Replace the system with a Commercial-Off-The-Shelf System (COTS)
     - Complex system, designed and targeted for more complex industrial control apps
     - COTS platforms are rapidly advancing, thus shortening the obsolescence cycle. This creates a cost model the NPP is unable to justify
     - Cost and effort to upgrade physical and procedural infrastructure provides little benefit
Safety I&C Platform Goals
- Common Platform for Safety I&C Architecture
- Mitigate Impact of Future Obsolescence
- Increase Integrity
- Increase Reliability
- Minimize Cost and Effort to Retrofit
- Advanced Testing and Diagnostics
- No Additional Diverse Actuation Systems
- Approval for RPS/ESFAS Applications
Status of Project
- SER Approved!!!
- Overall Review Consisted of Multiple Reviews
  - Generic Topical
  - Applications Specific
  - Generic Application
- MSFIS Equipment Designed, Built, Tested.. Ready for Install
- Install Fall 2009
Overview of the SER
- First time an FPGA platform used for safety-related applications
- Review was similar to the review of a microprocessor platform
  - ALS platform overview
  - Development process review
  - Platform review
  - Life cycle planning review
  - Equipment qualification review
  - Diversity and Defense-in-Depth review
  - IEEE 603-1991 review
  - IEEE 7-4.3.2-2003 review
SER Conclusions
- Development process was of a high quality to ensure design correctness of the application
- ALS platform meets the requirements of:
  - IEEE 603-1991
  - IEEE 7-4.3.2-2003
- ALS platform meets or exceeds all equipment qualification requirements
- ALS platform meets the guidance provided in:
  - ISG-01, ISG-02, ISG-04
- Generic approval of ALS process documentation
- Generic approval of ALS hardware documentation
- Generic approval of ALS FPGA programming documentation
- Future use of the ALS platform will require minimal information to be submitted
Let's review the goals of the project and how they were met!
Meeting the Goals
- Common Platform for Safety I&C
  - ALS architecture is scalable, from single system replacement to full safety I&C replacement
  - ALS is architected with dedicated and redundant control modules, which are designed for reliability and integrity attributes critical to safety systems
- Mitigate Future Obsolescence
  - Fewer components and common components: one FPGA per board incorporates all digital circuits, filters, and bus communication (no chip set ICs required)
  - For the primary critical component (FPGA), obsolescence is mitigated by utilizing portable RTL design which supports targeting to a new technology if required in the future
- Increase Integrity
  - ALS is capable of detecting failures while the system is operational
  - ALS performs corrective action upon detection of a failure
  - The ALS utilizes redundancy and/or Digital BIST for all critical circuits
  - ALS incorporates dedicated integrity logic and provides run-time detection of a changed device and/or board behavior
Meeting the Goals - 2
- Increase Reliability
  - Increased reliability and robustness by implementing an appropriate level of design complexity, which results in fewer active components, and translates directly to a lower system failure rate
  - ALS utilizes only proven design practices and methodologies for implementation of the hardware
  - ALS utilizes distributed monitoring of the integrity and validity of signals, and provides the capability to take action on exceptions
- Minimize Cost of Retrofit
  - Installation is simplified due to reduced hardware and wiring; maintenance is simple, efficient, and reliable, translating to lower on-going costs to maintain
  - The ALS provides simple, efficient, and reliable maintenance with a high degree of visibility into the system, where all boards are easily replaceable, reusable, and hot-swappable
  - Training for plant personnel is reduced due to simplicity of the system and the ability to implement multiple applications with a common platform
- Advanced Testing and Diagnostics
  - Provides deterministic testing, maintaining the same behavior
  - A run-time test strategy provides exhaustive self-testing to validate system integrity
  - Advanced diagnostics are provided utilizing the ASU and Built-in Self-test (BIST)
No Additional Diverse Actuation
- ISG #2 - Diversity and defense in depth
  - The ALS architecture implements key design attributes which are sufficient to eliminate the consideration of Common Cause Failure (CCF)
  - This conclusion is based on the guidance provided in U.S. NRC document DI&C-ISG-02 Task Working Group #2: Diversity and Defense-in-Depth Issues, Revision 1, September 2007
  - DI&C-ISG-02 states in section 5: "There are two design attributes that are sufficient to eliminate consideration of CCF:"
  - Staff position 1 states that if sufficient diversity exists in the protection system such that common cause failures within channels can be considered to be fully addressed without further action, no additional diversity would be necessary in the safety system.
  - Since there is adequate diversity, no DAS or manual actions were necessary
Compliance with ISG #1 and #4
- ISG #1 - Cyber Security
  - There are no inbound communications, so there is no path for cyber attack
  - Logic configuration can only be changed by removal of board while the channel is off-line, so no changes are possible while the channel is performing the safety function
  - There is no operational software, so there can be no unintended functions within the software, and no operational software changes
  - All hardware circuits are traced to state machines used by requirements. There are no unneeded circuits
  - The design life cycle considered cyber security as required by RG 1.152
- ISG #4 - Communications
  - The only two-way communications with non-safety is with the ASU
  - Section 1. There are no interdivisional communications
  - Section 2. The command prioritization is between automatic and manual safety related signals, and the command to isolate takes priority. All inputs are safety-related. There are no non-safety inputs during operation. Since the command is processed by a finite state machine, verification is simplified.
  - Section 3. There are no multidivisional control and display stations
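The Section 2 point above, that a command-prioritization block implemented as a finite state machine is simple to verify, can be shown by enumerating every (state, input) pair and checking that an isolate request always wins. This is an added illustration, not ALS or MSFIS design material: the states OPEN/ISOLATED, the three input names, and the priority rules are hypothetical, and a deliberately inverted variant is included to show what the exhaustive check catches.

```python
from itertools import product

# Hypothetical command-priority FSM (constructed for this example, not the
# ALS/MSFIS design): two positions, three safety-related boolean inputs.
STATES = ("OPEN", "ISOLATED")
INPUTS = ("auto_isolate", "manual_isolate", "manual_open")

def next_state(state, vec):
    """Intended priority: any isolate request beats a manual open command."""
    if vec["auto_isolate"] or vec["manual_isolate"]:
        return "ISOLATED"
    if vec["manual_open"]:
        return "OPEN"
    return state  # no command asserted: hold the last commanded position

def next_state_inverted(state, vec):
    """Defective variant: evaluates manual_open first, so it can override isolate."""
    if vec["manual_open"]:
        return "OPEN"
    if vec["auto_isolate"] or vec["manual_isolate"]:
        return "ISOLATED"
    return state

def input_vectors():
    """Every combination of the boolean inputs (2**len(INPUTS) vectors)."""
    for bits in product((False, True), repeat=len(INPUTS)):
        yield dict(zip(INPUTS, bits))

def verify(transition):
    """Exhaustively check every (state, input) pair for three properties:
    completeness, isolate priority, and no spurious moves without a command.
    Returns (pairs_checked, violations); an empty violation list means pass."""
    checked, violations = 0, []
    for state in STATES:
        for vec in input_vectors():
            nxt = transition(state, vec)
            checked += 1
            wants_isolate = vec["auto_isolate"] or vec["manual_isolate"]
            if nxt not in STATES:                          # completeness
                violations.append(("undefined state", state, vec, nxt))
            elif wants_isolate and nxt != "ISOLATED":      # isolate priority
                violations.append(("isolate lost priority", state, vec, nxt))
            elif not any(vec.values()) and nxt != state:   # no spurious change
                violations.append(("spurious change", state, vec, nxt))
    return checked, violations
```

`verify(next_state)` returns `(16, [])`, while `verify(next_state_inverted)` reports the six pairs in which a manual open overrode an isolate request; the state space is small enough that the whole check is an enumeration rather than a test campaign.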
What's Next at Wolf Creek
- Wolf Creek Safety I&C Replacement Plan
  - MSFIS (RF17, Fall 2009)
  - LSELS (RF19, Fall 2012)
  - BOP ESFAS (RF19, Fall 2012)
- Wolf Creek Safety I&C Architecture (RPS/ESFAS)
  - SSPS
  - TC/CCM (On-line, 2010)
  - RVLIS
Gregg Clarkson, Project Manager, Safety I&C, Wolf Creek Nuclear Operating Corporation, (620) 364-8831 x4438, grclark@wcnoc.com
Steen Sorensen, President, CS Innovations, LLC, (480) 612-2040, steen@cs-innovation.com