ML18107A240


Enclosure 2 to 042018/10 - Research and Production Corporation Radics Response to NRC Staff Request for Additional Information, Topical Report
ML18107A240
Person / Time
Site: PROJ0816
Issue date: 04/13/2018
From:
radICS
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18107A173 List:
References
042018/10, CAC MF841 1, EPID: L-2016-TOP-0010


Text

{{#Wiki_filter:NON-PROPRIETARY
Enclosure 2

RadICS
29 Geroyev Stalingrada Street
25009 Kirovograd, Ukraine

RESEARCH AND PRODUCTION CORPORATION RADICS RESPONSE TO THE U.S. NUCLEAR REGULATORY COMMISSION STAFF REQUEST FOR ADDITIONAL INFORMATION, RadICS TOPICAL REPORT

General Questions / System Overview

The following request for additional information (RAI) questions address Sections D.2.2 and D.3.2, "Information to be provided," of Digital Instrumentation and Controls Interim Staff Guidance (DI&C-ISG-06) (Agencywide Documents Access and Management System (ADAMS) Accession No. ML110140103). DI&C-ISG-06 provides guidance that a submittal should provide sufficient information to allow the U.S. Nuclear Regulatory Commission (NRC) staff to understand and document the adequacy of the system's hardware and software development lifecycles, how the various components are connected, and how these components are being used. This general RAI section will address the guidance of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (SRP) (ADAMS Accession No. ML052340534), Appendix 7.1-C, "Guidance for Evaluation of Conformance to Institute of Electrical and Electronics Engineers Std. 603 Review Responsibilities," Section 4, "Safety System Designation," which states that:

  • The design basis should address all system functions necessary to fulfill the system's safety intent.
  • The information provided for the design basis items should be technically accurate.
  • The information provided for the design basis items, taken alone and in combination, should have one and only one interpretation.

RAI-P1-01:

The NRC staff review was not able to determine and identify the complete purpose, safety function, or sufficient design descriptions of the "Protection Module(s)." Specifically:

  • Provide additional RadICS Topical Report (TR) descriptions to explain and describe the purpose, safety function(s) and operation of each of the protection modules.
  • The NRC staff is also not clear if there will be only one type of protection module used or several (i.e., a "special protection module" (refer to Section 6.2.4.1, "RadICS Chassis External Interfaces"), an electromagnetic protection module, a surge protection module) types. Provide a table list of the various protection modules, their functions, applicability, and if all listed protection modules are a part of the TR generic approval application.
  • Section 6.2.2, "RadICS Chassis Configuration," of the RadICS TR, states that there are "16 physical slots for special electromagnetic protection modules for external interfaces." It is not clear to NRC staff whether these are 16 additional rear chassis slots or if these refer to the same chassis front 16 slots that accept the logic module and input/output (I/O) modules.
  • Provide adequate design descriptions of how the protection modules are used to extend protection functions, as stated in Section 6.2.4.1 of the RadICS TR.

RAI-P1-01 Radiy Response:

The RadICS protection modules are used to provide protection for RadICS Modules from the electromagnetic interference and other electrical hazards defined in RadICS Topical Report Sections 9.1.2.5 through 9.1.2.9. The Interface Protection Modules use discrete circuit components (e.g., diodes, capacitors, varistors, fuses, etc.) to provide the electromagnetic interference and surge protection. The mechanical design of the RadICS Chassis is a metal box consisting of 16 physical slots accessible from the front for Modules, as shown in RadICS Topical Report Figure 6-1. There are 14 physical slots for the Interface Protection Modules associated with the RadICS input/output (I/O) Modules and Optical Communication Modules (OCM) that are accessible from the rear, as shown in RadICS Topical Report Figure 6-7. There are no slots for a separate Logic Module (LM) Interface Protection Module because the LMs have few I/O channels in their design and the associated protection circuitry is placed on the LM board. There are five types of protection modules that are shown in Figure 6-7 and identified in RadICS Topical Report Table 6-1.

  • Interface Protection Module for Analog Inputs Module (AIM), Analog Outputs Module (AOM), and Discrete Inputs Module (DIM):
    o Two styles: top and bottom external connections. The protection features are the same for these two styles.
    o The protection features are the same for the AIM, AOM, and DIM.
    o [[ ]]a,c,e
  • Interface Protection Module for Discrete Outputs Module (DOM) also has:
    o Two styles: top and bottom external connections. The protection features are the same for these two styles.
    o [[ ]]a,c,e
    o The Interface Protection Module for the DOM has higher ratings consistent with the duty requirements of the digital output circuits.
  • Interface Protection Module for OCM comes in one style. The Interface Protection Module for OCM does not contain any additional protection feature for the OCM and only extends the OCM connections to the back of the chassis and provides connectors for external links.

Topical Report Changes

RadICS Topical Report Section 6.2.2 will be revised to clarify the Chassis description for the front and back accessible slots. RadICS Topical Report Section 6.2.4.1 will be revised to clarify the protective functions provided by the Interface Protection Modules.

RAI-P1-02:

The NRC staff was not able to determine which RadICS TR, Table 6-4, "Summary of Communications Links," set of communication links the RadICS TR requires to be used to implement (1) chassis communications between different chassis within the same safety division (intra-divisional channel communications) and (2) chassis communications between different chassis that reside in separate safety divisions (inter-channel communications). The NRC staff requests additional information to identify the communication links that address items (1) and (2) of this RAI question.

RAI-P1-02 Radiy Response:

The RadICS platform uses several types of communication links that are utilized as an external interface from the board, as well as several communication links that are utilized internally on the board. External communication links can be used for inter-divisional and intra-divisional communications depending on the system configuration and architecture, as indicated in the table below.

Communication Link | Protocol | Usage
LM ↔ I/O Modules and OCMs via backplane LVDS | RPP | Communication between LM and other Modules within the same Chassis
OCM ↔ OCM via fiber optic cable | RPP | Communication between LMs in different racks via the OCM. Can be used for inter- and intra-divisional communications
LM ↔ LM via fiber optic cable | RPP | Extends the RadICS Platform capabilities by adding I/O or processing expansion in another chassis and can be used for inter- and intra-divisional communication
LM ↔ OCM via fiber optic cable (to extend the RadICS capabilities) | RPP | Extends the RadICS Platform capabilities by adding I/O or processing expansion in another chassis and can be used for inter- and intra-divisional communication
PSWD ↔ FPGA | RSWP | Inter-unit interface within a module between the Power Supply and Watchdog (PSWD) Complex Programmable Logic Device (CPLD) and Field Programmable Gate Array (FPGA) for self-diagnostics and watchdog functions
LM → MATS via fiber optic cable (broadcast) | RUP | One-way data broadcast to the Monitoring and Tuning System (MATS) for monitoring purposes
MATS Tuning Personal Computer (PC) ↔ LM via fiber optic cable (temporary connection) | RUP | Temporary connection for the purpose of modifying the Application Electronic Design (ED) operational (tuning) parameters
Universal Asynchronous Receiver/Transmitter (UART) interface | RPU | Temporary connection used to download and upload configuration data to and from Electrically Erasable Programmable Read-Only Memory (EEPROM) via FPGA internal Random-Access Memory (RAM) while in CONFIGURATION mode (only accessible with Module inserted into Download Station (DLS) chassis)
Serial Peripheral Interface (SPI) interface | RSPE | Inter-unit interface for data exchange between FPGA and EEPROMs (Configuration and Tuning)

Topical Report Changes

RadICS Topical Report Table 6-4 will be updated to add the description of how each communication link is used within the RadICS Platform.

RAI-P1-03:

Section 6.2.5.2.13, "Real Time Unit," contains design descriptions that state "The Real Time Unit transmits real time data received from an information technology system or the same data from timekeeping chip if original signal is lost to FPGA [field programmable gate array] Unit." The NRC staff was not able to identify a definition or design description of the RadICS TR terms "information technology system" or "timekeeping chip" as used in the quoted design description. The NRC staff requests additional information to describe and define the listed terms of "information technology system" and "timekeeping chip" as used in the listed design description.

RAI-P1-03 Radiy Response:

The Real Time Unit is used for receiving real-time data from an externally supplied time input not a part of the RadICS platform. The Real Time Unit has the capability to duplicate and store the externally supplied time. In case the externally supplied time input is lost, the Real Time Unit will continue to supply a time input to the FPGA Unit. The Real Time Unit does not affect any safety function performed by the LM. The time signal is not used by any safety function. The Real Time Unit uses a dedicated data format that is distinct from formats used by safety critical logic and data so that safety logic would detect corruption of safety data by the time signal. The time signal is only used for the purpose of placing time stamps on the one-way data communications to the MATS. The Real Time Unit is galvanically isolated.

Topical Report Changes

RadICS Topical Report Section 6.2.5.2.13 will be revised to replace the current discussion with the discussion above.

RAI-P1-04:

Section 6.3.2.2, "LVDS [Low-Voltage Differential Signaling] Transceiver Unit," states that the LVDS unit provides "... full-duplex operation that may be supported with other similar units, located in other modules of the same Chassis." The NRC staff requests that RadICS provide design descriptions and examples that would provide clarity when stating that the LVDS unit "may be supported with other similar units."

RAI-P1-04 Radiy Response:

The LVDS Unit is used for point-to-point communication between the LM (in slot 1) and any I/O or communication Module (in slots 2 through 15) in the same Chassis. LVDS provides galvanic isolation and converts the unidirectional discrete electric signal into a differential signal using two symmetrical links. LVDS consists of a receiver and transmitter, providing full-duplex operation supported by an LVDS Transceiver Unit located on other Modules in the same Chassis. All communication links of LVDS are implemented on a point-to-point principle between two different Modules (e.g., LM to AIM). The RPP communication protocol is used for data exchange between the LM and I/O Modules and Optical Communication Modules within the Chassis, as described in the response to RAI-P1-02.

Topical Report Changes

RadICS Topical Report Section 6.3.2.2 will be revised to reflect this clarification.

RAI-P1-05:

Section A.2.1, "RadICS Chassis Configuration," states that "The qualified RadICS Chassis supports the use of EMI/RFI [electromagnetic interference/radio-frequency interference] protection filters" and that these "filters" are mounted within the chassis at the rear directly behind their respective I/O modules. The NRC staff was not able to identify a definition for these filters or a complete design and functional description of these "protection filters." The NRC staff requests that RadICS provide a definition and adequate design descriptions of the "protection filters." In addition, the RadICS TR lists several types of "protection modules" (i.e., special electromagnetic protection modules, interface protection modules, electromagnetic interference/surge-protection modules). The NRC staff also requests that RadICS provide definitions and additional design descriptions of the "protection modules," and identify which protection modules are to be included with the RadICS TR application request for generic approval.

RAI-P1-05 Radiy Response:

The various terminology in the RadICS Topical Report (i.e., EMI/RFI protection filters, protection modules, special electromagnetic protection modules, interface protection modules, and EMI/surge-protection modules) all refer to the Interface Protection Modules discussed in the response to RAI-P1-01.

Topical Report Changes

RadICS Topical Report Sections 1.6, 6.2.2, 6.2.4.1, A.2.1, and A.3.2 will be revised to use consistent descriptors in all locations.

RAI-P1-06:

Section 6.3.2.1, "Optical Transceiver Unit," of the RadICS TR, states that "The OPTO [Optical] Unit uses standard optical transceiving interface with associated optical isolation." The NRC staff requests that RadICS submit the definition and design specification of a "standard optical transceiving interface."

RAI-P1-06 Radiy Response:

The OPTO Unit is used for optical transceiving with another OPTO Unit in another Module for fiber optic inter-Chassis communication (i.e., not within the same Chassis). The OPTO Unit uses a standard optical transceiving interface (i.e., AFCT-5971ALZ or equivalent optical transceiver and LC connectors) and the RPP protocol. The OPTO Unit converts electric signals to optical signals and vice versa, and provides galvanic isolation for resistance to external influences on optical signals and for signal transmission outside the Chassis. OPTO Units consist of two parts (i.e., optical transceiver and converters for receiving and transmitting) that provide full duplex communication mode. All communication links using OPTO Units are executed according to a point-to-point principle between two different modules. Every communication link has its own identification (i.e., OPTO port unique address and OPTO port data unique identification) to exclude incompatible connection between two devices. The OPTO Units are hardware devices that can be seen in the lower left of the pictures of the Logic Module and Optical Communication Modules in RadICS Topical Report Sections 6.2.6.1 and 6.2.6.6, respectively.

Topical Report Changes

RadICS Topical Report Section 6.3.2.1 will be revised to reflect the clarifying discussion regarding the OPTO Unit.
RAI-P1-07:

RadICS TR Section 6.5, "Redundancy," states that "Redundancy is also achieved by allocating the same functionality to main and standby processing units at the PCB [printed circuit board] level." The NRC staff was not able to identify TR design descriptions that would define what RadICS TR components are considered main and standby processing units or explain how to configure these processing unit components to achieve the listed redundancy at the PCB level. The NRC staff requests that RadICS provide definitions and design descriptions that would describe the main and standby processing units.

RAI-P1-07 Radiy Response:

The RadICS Topical Report will be revised to clarify the discussion on redundancy. The first bullet of Section 6.5 will read:

  • Architecture-based active redundancy management: Safety I&C systems typically are comprised of several separate, independent divisions (typically three or four). Output signals from each division are issued through output boards into the hardware voting logic or via communications links to divisional voting divisions (e.g., ESFAS voters) depending on system architecture. The degree and architecture of redundancy is dictated by reliability requirements imposed on the application. The RadICS Modules can be configured as single channels, voting logic configurations, such as 2-out-of-3, 2-out-of-4, or variations of these configurations. The general design principle of the redundant architecture is to comply with the single failure criterion provided in IEEE Std 379-2000.

The third bullet of Section 6.5 will be deleted in its entirety.

RAI-P1-08:

RadICS TR Appendix B, "DI&C-ISG-04 Compliance Matrix," Items #8, #12, and #16, list a term called "Safety Operation." The NRC staff was not able to identify a definition or design descriptions that would describe this term. The NRC staff requests that RadICS provide definitions and design descriptions that would describe the term "safety operations."

RAI-P1-08 Radiy Response:

The RadICS platform can be utilized in many different types of applications, including a Nuclear Safety Class 1E application. The term "Safety Operation" is meant to refer to a RadICS system being utilized in a Nuclear Safety Class 1E application. The term "Safety Operation" will be removed in Appendix B of the RadICS Topical Report, as it is superfluous and adds no additional information for the purpose of the discussion. An additional correction is made to Appendix B of the RadICS Topical Report to clarify communications between a safety division and non-1E equipment. The corrected RadICS Topical Report text will read:

  • Communication between a safety division and non-Class 1E equipment is not allowed, except the following:
    - Tuning Interface (see Section 6.9)
    - MATS (see Sections 6.3 and 6.6)
    - OCM RS-232/485 interface (see Section 6.2.5.2.12)
  • The interface to the OCM RS-232/485 is one-way broadcast (i.e., non-interfering). [[ ]]a,c,e Thus, the OCM RS-232/485 is also non-interfering.

Topical Report Changes

RadICS Topical Report Appendix B will be revised in all locations containing the discussion of communication between a safety division and non-Class 1E equipment.
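The 2-out-of-3 and 2-out-of-4 voting configurations and the single failure criterion cited in the RAI-P1-07 response above, worked through as an added example. This is illustrative Python written for this page, not RadICS platform logic (the platform's voting is implemented in FPGA electronic design); the channel votes and the stuck-channel failure modes it injects are constructed for the illustration, and the "mooN" labels are this example's own shorthand.

```python
"""m-out-of-n voting with single-failure injection (added illustration, not
RadICS platform code). A channel's vote is True when it demands a trip."""


def vote(demands, m):
    """m-out-of-n voter: trip when at least m of the channel demands are True."""
    n = len(demands)
    if not 1 <= m <= n:
        raise ValueError(f"m={m} must satisfy 1 <= m <= n={n}")
    return sum(1 for d in demands if d) >= m


def single_failure_analysis(m, n):
    """Inject every single-channel failure into an m-out-of-n voter.

    Returns (protects, no_spurious):
      protects    - for every channel stuck at 'no trip', a genuine demand
                    (all remaining channels tripping) still trips the voter.
      no_spurious - for every channel stuck at 'trip', the absence of a demand
                    (all remaining channels quiet) leaves the voter untripped.
    """
    protects = no_spurious = True
    for failed in range(n):
        stuck_low = [i != failed for i in range(n)]   # failed channel never trips
        stuck_high = [i == failed for i in range(n)]  # failed channel always trips
        protects = protects and vote(stuck_low, m)
        no_spurious = no_spurious and not vote(stuck_high, m)
    return protects, no_spurious


def survey(configs=((1, 2), (2, 2), (2, 3), (2, 4), (3, 4))):
    """Single-failure behaviour of several common configurations, keyed 'mooN'."""
    return {f"{m}oo{n}": single_failure_analysis(m, n) for m, n in configs}


if __name__ == "__main__":
    # Constructed channel readings: two of three sensors above setpoint.
    print("2oo3 vote:", vote([True, True, False], 2))
    for name, (protects, quiet) in survey().items():
        print(f"{name}: trips on demand with one stuck-low channel={protects}, "
              f"no spurious trip with one stuck-high channel={quiet}")
```

The survey makes the trade-off behind the configurations named in the response visible: 1oo2 always protects but trips spuriously on one stuck-high channel, 2oo2 never trips spuriously but a single stuck-low channel defeats the protective action, while 2oo3, 2oo4 and 3oo4 tolerate either failure direction. Which of these satisfies a given reliability requirement is, as the response says, an application decision; the analysis only shows what a single channel failure does to the vote.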

RAI-P1-09:

The RadICS TR, Appendix B, "DI&C-ISG-04 Compliance Matrix," states that:

  • Communication between safety divisions and non-Class 1E equipment is not allowed while in safety operation ....
  • Communications ports are monitored and blocked.

The NRC staff requests additional information to describe and explain:

1) What RadICS platform system operation criteria determine "safety operation," and
2) How communication between safety divisions and non-Class 1E equipment is prevented while in safety operation.

RAI-P1-09 Radiy Response:

1) The RadICS platform can be utilized in many different types of applications, including a Nuclear Safety Class 1E application. The term "Safety Operation" is meant to refer to a RadICS system being utilized in a Nuclear Safety Class 1E application. The term "Safety Operation" will be removed in Appendix B of the RadICS Topical Report, as it is superfluous and adds no additional information for the purpose of the discussion.

2) Connections to a non-Class 1E communication link are not allowed for a RadICS based system in a Class 1E application. These design and architecture connection limitations provide a non-interfering communication interface. The Interfaces and Data Transmission Diagnostics described in RadICS Topical Report Section 6.4.3 provide additional in-depth protection against an unwanted connection that was made inadvertently. [[ ]]a,c,e As described in the response to RAI-P1-08 above, three cases are allowed for the connection of non-Class 1E equipment to a safety division. Connections to the LM are as follows: [[

  • Tuning Interface (described in RadICS Topical Report Section 6.9)
  • MATS (described in RadICS Topical Report Sections 6.3 and 6.6)
  • OCM RS-232/485 Transmitter Unit (described in RadICS Topical Report Section 6.2.5.2.12) ]]a,c,e

as shown in RadICS Topical Report Figure 6-12. [[ ]]a,c,e For the TUNING interface, the LAN Transceiver Unit receiving port is connected for the TUNING interface; however, the [[ ]]a,c,e is controlled by a keyswitch. The LAN Transceiver Unit is [[ ]]a,c,e unless the keyswitch is turned on. When the TUNING and ARMING keyswitches are turned on, the RadICS Platform transitions to the TUNING Mode. It is possible to tune predefined signals. The outputs associated with the LM being tuned are isolated from the field (and placed in a safe state via external circuits designed per end user's requirements) for tuning and tuning change validation. A fiber-optic cable is used to galvanically isolate the LM from the MATS Tuning PC. [[ with no receiving input connected. ]]a,c,e As a result, a hardwired one-way communication interface is implemented.

The OCM one-way interface is implemented using the RS-232/485 Transmitter Unit, as described in RadICS Topical Report Section 6.2.5.2.12. The RS-232/485 Transmitter Unit controller is implemented in the OCM FPGA, as shown in RadICS Topical Report Figure 6-22. [[ ]]a,c,e Thereby, a hardwired one-way communication interface is implemented. Digital isolators are used to galvanically isolate the RS-232/485 connections.

Topical Report Changes

RadICS Topical Report Appendix B will be revised in all locations containing the discussion of communication between a safety division and non-Class 1E equipment. RadICS Topical Report Section 6.3.2.3 will be revised to reflect the clarifying discussion regarding the LAN Transceiver Unit. RadICS Topical Report Section 6.3.2.4 will be revised to reflect the clarifying discussion regarding the RS-232/485 Transmitter Unit.

Enclosure 2, Attachment 1: Topical Report Mark Up Showing Changes

Attachment 1 to Enclosure 2 contains the non-proprietary version of the RadICS Topical Report pages affected by the responses to the NRC request for additional information. The pages show the planned changes in a line-in/line-out format.
Page 1 of 1 Term l&C 1/0 IAEA ID IDR IEC IEEE IERICS IF SD 10PM IP IPC ISA ISO IT JTAG kA kHz kV kO LAN LED LLC LLS&TS LM LSB LVDS m ma MATS Document ID: ~ad lCS Definition Instrumentation and Control Input/Output Internationa l Atomic Energy Agency Identification Input Data Receive International Electrotechnical Commission Institute of Electrical and Electronic Engineers Independe nt Engineering Review of l&C Systems in Nuclear Power Plants Interface and Data Transmission Self-Diagnostics Interface Protection Module Internet Protocol Institute for Print ed Circuits Instrument Society of Automation International Organization for Standardization Integration Test Joint Test Action Group Kiloampere Kilohertz Kilovolt Kiloohm Loca l Area Network Light Emitting Diode Limited Liability Company Logic Level Simulation and Timing Simulation Logic Module Least Significant Bit Low-Voltage Differential Signaling Meter Milliampere Monitoring and Tuning System 2016-RPC003 -TR-001 Revision: Page 22 of 382 ~ad ICS The RadlCS Platform human-machine interface features satisfy the identification requirements of IEEE Std 603-1991 Section 5.11. 6.2.2 Radics Chassis Configurat i on The RadlCS Chassis has 2 slots for LMs 7 and 14 slots for other 1/0 Modules. The mechanical design of the Radics Chassis (hereinafter referred to as Ch.assis) is a metal box consists of 16 physical slots accessible from the front for Modules, backplane for providing connections between M odules and power supply for the Modules, and two fans (with associated control board). Each of t he slots for Modules is equipped with rails for proper and safe installation. There are -le-llJ>hyslcal slots for special eleetFefflagRetie Interface &f rotection Modules (IOPMI associated with the 1/0 Modules and OCMs that are accessible from the rea ri gr eictei=Aal iAtfir=fu1K (see Rgure 6-S fiewre ij 5). Each Module and 10PM locks into place with a lever at top and bottom. 
Electrical connection of each ekffe.Modul es and 10PM ls accomplished by Insertion of the Uailwla board Into the Chassis socket. There are no slots for a separate LM Interface Protection Module because the LMs haye few 1/0 channels In their design and the associated protection circuitry Is placed on the LM board. If , ___ _ 2----, ___ _ , __ _ F i c u re 6: Si-i: Rild l CS Chu sls De sl cn The Chassis is configured by installation of the *,*aFieYS tyf!es distlnct types of Modules in accordance with the following configuration constraints: The mechanical aRd ele~A&al des i gn allows for two LM, but only one lM Is used at present. Document ID: 2016-RPC003-TR -001 Revision: Page 104 of 382 ~ad ICS [[ Figure 6:~: RadlCS Chassis Diagram with Internal and External Interfaces 6.2.4.1 Rad/CS Chassis External Interfaces All e x ternal iriterfaces of the sing le channel Chassis are galvanically-i solated interfaces to components outside this Chassis. The Chassis external interfaces are:

  • 24 VDC Power Supply Interface is used to provide [[ J]'*c.* to the Chassis. This power interface is safety related.
  • 1/0 Int erfaces are provided via connectors on the backplane for the field 1/0 connections to the 1/0 Modules and LM. [[ ))'*'** Document ID: 2016-RPC003-TR

-001 Revis io n: Page 110 of 382 ,l(ad ICS optical transceiving with the same Unit in another Module of the same type. The LVDS Unit is used for poi n t-to-point communication between two Modules within one Chassis. The RS-232/485 Unit is used for one-way communication with peripheral device s. The use of the communication units is described in Section 6.3.2. 6.2.5.2.13 Real Time Unit The Real Time Unit is used for receiving real-time data from an externally supplied time input not a part of the Rad I CS platform. The Real Time Unit has the capability t o duplica t e and store the externally supplied time. I n case the externally supplied time input is lost the Real Time Unit can continue to supply a time input to the iAfanflatiaA teelrnalagy system a As s1i11lieatiAg it with timel1ee11iAg ellill iA a ease af iAJllit sigAal al3seAee. Tile Real Time UR it traAsmits real time sata reeeives fram aA iAfarmatiaA teellAalagy system er tile same sata fram timel1eeJliAg elliJl if arigiAal sigAal is last ta FPGA Unit. The Real Time Unit do es not affect any safety function perform ed by the LM. Th e time signal is not u se d by a ny sa fety function. The Real Time Unit uses ef-a dedicated data format that is di s tinct from format s used by safety critical logic and data so that sa fety logic would detect corruption of sa fety data by the time signal. The time signal is only used for the purpose of placing time stamps on the one-way data communications to the MATS. The Real Time Unit is galvanically iso lated. 6.2.5.3 Ventilation Module The RadlCS Platform has a Ventilation Module (VM) that is u sed for driving chassis fans. The VM performs only one function (i.e., driving fans) and do es not e xchange data with other RadlCS Modules. The VM is controlled by a CPLD that processes data received from the fans (e.g., indicatio n of voltage and speed) and external devices (e.g., control switches and alarm indications). 
The VM can det ec t fan fail u res; however , this capability is not critical, since une x pected st oppage of fan s will cause chassis internal temperatures to increase, which are dete cte d by oth er monitoring features , as de scri bed in Section s 6.2.5.2.7 and 6.8. 6.2.6 Hardware Module Specifications The R a dlCS Hardwar e Modules are describ e d in th e following sections, which de scri b e the technical specifications , operation , and failure detection and prevention for each Module. 6.2.6.1 Logic Module The LM is u se d for dat a exc hange with Modules in Chassis and Units within Modul e and execution of App l ic a tion Logic specified by th e end user's funct iona l requirements. Document ID: 2016-RPC003-TR-001 Revision: Page 121 of 382 ~ad ICS only two Modules have access to those signal paths. The participants in these communications are therefore uniquely identified without the possibility of cross interference, except by multiple physical short circuits between physical lines, which are nearly impossible to occur and would be detected if it occurred. Additional within-Chassis communications communication checking measures are Imp l emented In the Platform ED. For example, inserted messages are detected by I nvalid sequence numbers and potentially protocol or media access violati o ns. Corruptions and collisions would be detected by the packet level CRC. The communication error checking techniques are described in Section 6.4.3. The FPGA Unit acquires Input data, executes Module logic functions (e.g., data processing. Application Logi c, etc.), performs diagnostics, and conditions output data. ([ In general , all communications interfaces are treated as safety critical using the measures summarized below (the broadcast link to the MATS Is not safety critical but uses all the measures below except acknowledgement). Table 6-4 summarizes all the links, the protocol used, and the safety criticality according to IEC 61508. 
The RadICS Platform uses several types of communication links that are utilized as an external interface from the board, as well as several communication links that are utilized internally on the board. External communication links can be used for inter-divisional and intra-divisional communications depending on the system configuration and architecture, as indicated in the table below.

Table 6-4: Summary of Communications Links (safety criticality entries are proprietary in this version and are shown as [[ ]])

Communication link | Protocol | Usage | Safety criticality
LM <-> I/O Modules and OCMs via backplane LVDS | RPP | Communication between the LM and other Modules within the same Chassis | [[ ]]
OCM <-> OCM via fiber optic cable | RPP | Communication between LMs in different racks via the OCM. Can be used for inter- and intra-divisional communications | [[ ]]
LM <-> LM via fiber optic cable | RPP | Extends the RadICS Platform capabilities by adding I/O or processing expansion in another chassis, and can be used for inter- and intra-divisional communication | [[ ]]
LM <-> OCM via fiber optic cable | RPP | Extends the RadICS Platform capabilities by adding I/O or processing expansion in another chassis, and can be used for inter- and intra-divisional communication | [[ ]]
PSWD <-> FPGA | RSWP | Inter-unit interface within a Module between the PSWD Unit and the FPGA for self-diagnostics and watchdog functions | [[ ]]
LM -> MATS via fiber optic cable (broadcast) | RUP | One-way data broadcast to the MATS for monitoring purposes | [[ ]]
MATS Tuning PC <-> LM via fiber optic cable (temporary connection) | RUP | Temporary bi-directional connection for the purpose of modifying the Application ED operational (tuning) parameters | [[ ]]
UART interface | RPU | Temporary connection used to download and upload configuration data to and from EEPROM via FPGA internal RAM while in CONFIGURATION mode (only accessible with the Module removed from the Chassis) | [[ ]]
SPI interface | RSPE | Inter-unit interface for EEPROM data exchange between the FPGA and the EEPROMs (Configuration and Tuning) | [[ ]]

Several additional measures are utilized for communications to support the RadICS fundamental safety approach:

  • CRCs are used on all communications and safety-critical data. External communication links are all treated as 'black channel'.
  • Communication ports are monitored and blocked except when specifically required (e.g., tuning).
  • The interface to the MATS is one-way broadcast (i.e., non-interfering), rated at SIL 2. Thus, the MATS is also non-interfering. (Note: The MATS is supplied to the end user to meet project-specific Human Factors requirements.)
  • The RadICS Platform blocks all inward communications, with the only exception being tuning inputs when the Platform is put into TUNING mode by the keyswitch.
  • Implementation of the lower levels of the transmission path between two OCMs is not relevant to the analysis of safety communications, based upon the black channel concept, since all necessary integrity measures are included as a part of the safety application level of the protocol.
  • All communication links between OCMs are configured as point-to-point data exchanges with only one data source and one data sink.

6.3.2 RadICS Communication Hardware Components

The basic RadICS communication interfaces and dedicated hardware Modules are described in Sections 6.2.4.2, 6.2.6.6, and 6.3. This section describes how the board-level communication components work. There are four board-level communication components:

  • OPTO Unit
  • LVDS Unit
  • LAN Unit
  • RS-232/485 Unit

The primary purpose of these components is to enable data exchange within and between the RadICS Chassis as well as with external devices. Several different communication protocols are utilized, as described in Section 6.3.3:

  • Radiy Proprietary Protocol (RPP)
  • Radiy UDP-based Protocol (RUP)
  • RS-232 based Protocol (RS-232)
  • Radiy Protocol for UART Interface (RPU)
  • Radiy SPI-based Protocol for EEPROM (RSPE)
  • Radiy Watchdog Interface Channel Level Protocol (RSWP)

Diagnostics of the components are performed through the RadICS Platform ED by analyzing the data and the transmission protocols which are transmitted through each component. The fiber optic RUP interface is de-energized if the TUNING key is not in the Tuning position and the RadICS Platform is not in TUNING mode. All external communication links are optically isolated, and the output to the monitoring station is non-interfering (one-way broadcast).

6.3.2.1 Optical Transceiver Unit

The OPTO Unit is used for optical transceiving with another OPTO Unit in another Module for fiber optic inter-Chassis communication (i.e., not within the same Chassis). The OPTO Unit uses a standard optical transceiving interface (i.e., AFCT-5971ALZ or equivalent optical transceiver and LC connectors) and the RPP protocol. The OPTO Unit converts electrical signals to optical signals and vice versa, and provides galvanic isolation for resistance to external influences on optical signals and for signal transmission outside the Chassis. The OPTO Unit consists of two parts (i.e., an optical transceiver and converters for receiving and transmitting) that provide full-duplex communication. All communication links of the OPTO Unit are executed according to the point-to-point principle between two different Modules. Every communication link has its own identification (i.e., OPTO port unique address and OPTO port data unique identification) to allow for detection of an incorrect connection between two devices. Each communication link identifier is unique within the complete system (i.e., not just one chassis). The OPTO Unit is safety related.
The OPTO Units are hardware devices that can be seen in the lower left of the pictures of the Logic Module and Optical Communication Modules in RadICS Topical Report Sections 6.2.6.1 and 6.2.6.6, respectively. The OPTO Unit is considered a black-channel device, so all data sent via this Unit is subject to the communications protocol for the link in question, which includes complete data validation by the ED. The error detection methods are described in Section 6.4.

6.3.2.2 LVDS Transceiver Unit

The LVDS Unit is used for point-to-point communication between the LM (in slot 1) and any I/O or communication Module (in slots 2 through 15) in the same Chassis. LVDS provides galvanic isolation and converts the unidirectional discrete electrical signal into a differential signal using two symmetrical links. LVDS consists of a receiver and a transmitter, providing full-duplex operation with other LVDS Transceiver Units located in other Modules of the same Chassis. All communication links of LVDS are implemented on the point-to-point principle between two different Modules (e.g., LM to AIM). The RPP communication protocol is used for data exchange between the LM and the I/O Modules and OCMs within the Chassis, as described in Table 6-4. The LVDS Unit is safety related. The LVDS Unit is considered a black-channel device, so all data sent via this Unit is subject to the communications protocol for the link in question, which includes complete data validation by the RadICS Platform ED. The error detection methods are described in Section 6.4.

6.3.2.3 LAN Transceiver Unit

The LAN Unit is used for communication with a peripheral device (e.g., MATS or MATS Tuning PC). It uses RUP to transmit data to the MATS. When the LAN Unit is designated for use with a MATS Tuning PC, the Unit is in the de-energized state except in TUNING mode. Dedicated protocols are used for specific purposes: RUP for the Tuning interface and RUP for the one-way broadcast to the MATS. A fiber-optic cable is used to galvanically isolate the LM from the external Unit. The LAN Unit is safety related.

For a RadICS based system in a Class 1E application, by design and architecture, connections to a non-Class 1E communication link are not allowed. These connections are verified during the design and V&V processes. This design approach provides a non-interfering communication interface. The Interfaces and Data Transmission Self-Diagnostics described in RadICS Topical Report Section 6.4.3 provide additional defense-in-depth against an unwanted connection that was made inadvertently. [[ The following cases are allowed for the connection of non-1E class equipment to a safety division. Connections to the LM are as follows:

  • Tuning Interface (described in Section 6.9)
  • MATS (described in Sections 6.3 and 6.6)
  • OCM RS-232/485 Transmitter Unit (described in Section 6.2.5.2.12) ]]

as shown in RadICS Topical Report Figure 6-12.

For the TUNING interface, the LAN Transceiver Unit receiving port is connected; however, the LAN Transceiver Unit is [[ ]] unless the keyswitch is turned on. When the TUNING keyswitch is turned on, the RadICS Platform outputs associated with the LM being tuned are isolated from the field (i.e., placed in the safe state) for tuning. A fiber-optic cable is used to galvanically isolate the LM from the MATS Tuning PC. [[ ]] As a result, a hardwired one-way communication interface is implemented. The LAN Unit is considered a black-channel device, so all data sent via this Unit is subject to the communications protocol for the link in question, including rejection of incoming transmissions where not allowed. The error detection methods are described in Section 6.4.

6.3.2.4 RS-232/485 Transmitter Unit

The RS-232/485 Unit is used for one-way communication with a peripheral device (e.g., a data acquisition system). The RS-232/485 Unit uses the RS-232/485 interface to transmit data. Dedicated protocols are used for specific purposes: RS-232/485 interface (RPP). The OCM one-way interface is implemented using the RS-232/485 Transmitter Unit. The RS-232/485 Transmitter Unit Controller is implemented in the OCM FPGA as shown in Figure 6-22. [[ ]] The RS-232/485 Unit is safety related. Digital isolators are used to galvanically isolate the RS-232/485 connections. The RS-232/485 Unit is considered a black-channel device, so all data sent via this Unit is subject to the communications protocol for the link in question, including rejection of incoming transmissions where not allowed. The error detection methods are described in Section 6.4.

6.3.3 Communication Protocols

RadICS uses several types of data communication:

  • Client-server (safety-related point-to-point, as in the I/O Module response to interrogation by the LM)
  • Broadcast (non-safety related, as in the on-line reporting of plant data and RadICS Platform status to the MATS)
  • Transformational (as in a transceiver used for communication between LMs in the same division (safety-related) or between an LM and the MATS Tuning PC (non-safety related))

In all cases, two things are specified for the communications link to meet IEC 61508 requirements:

  • Sequence of operations
  • Data packet construction, including validation data and demonstration that it is of adequate capability to detect errors for the SIL target
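
The packet construction and sequence-of-operations checks described above, together with the credible communication faults listed against DI&C-ISG-04 in the compliance table later on this page (corrupted, repeated, out-of-sequence, lost, and delayed messages), can be illustrated with a small receive-side validator. The following is an added example written for this page; it is not RadICS code and does not reproduce the RPP wire format. The frame layout (link identifier, sequence number, sender timestamp, payload, CRC-32), the field widths, the arrival-window and silence-timeout parameters, and the names build_frame and SafetyReceiver are assumptions made for illustration, and the frames fed to it are constructed inline.

```python
"""Receive-side checks for a point-to-point safety link (illustrative).

Added example for this page; not RadICS RPP. The frame layout is assumed:
    link_id (2 bytes) | seq (2 bytes) | ts_ms (4 bytes) | payload | crc32 (4 bytes)
"""
import struct
import zlib
from typing import Optional, Tuple

HEADER = struct.Struct(">HHI")   # link_id, seq, ts_ms (big-endian)
TRAILER = struct.Struct(">I")    # CRC-32 over header + payload
MIN_FRAME = HEADER.size + TRAILER.size
SEQ_MOD = 1 << 16                # sequence numbers wrap at 16 bits


def build_frame(link_id: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sender side: header, payload, then CRC-32 over everything before it."""
    body = HEADER.pack(link_id, seq % SEQ_MOD, ts_ms & 0xFFFFFFFF) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """Validates frames on one link and names the fault class of each rejection.

    Outcomes: "ok", "truncated", "corrupted", "wrong_link", "delayed",
    "repeated", "out_of_sequence", "lost".  Only "ok" delivers a payload;
    every other outcome is a communication failure for the caller to act on.
    """

    def __init__(self, link_id: int, max_age_ms: int, timeout_ms: int) -> None:
        self.link_id = link_id          # identifier this port expects on every frame
        self.max_age_ms = max_age_ms    # permitted arrival window (assumes aligned clocks)
        self.timeout_ms = timeout_ms    # silence longer than this means the link is dead
        self.expected_seq: Optional[int] = None
        self.last_good_ms: Optional[int] = None

    def check(self, frame: bytes, now_ms: int) -> Tuple[str, Optional[bytes]]:
        if len(frame) < MIN_FRAME:
            return "truncated", None
        body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
        if (zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return "corrupted", None            # bit errors, noise, collisions
        link_id, seq, ts_ms = HEADER.unpack_from(body)
        if link_id != self.link_id:
            return "wrong_link", None           # mis-cabled link or inserted message
        if now_ms - ts_ms > self.max_age_ms:
            return "delayed", None              # outside the arrival time window
        if self.expected_seq is not None:
            delta = (seq - self.expected_seq) % SEQ_MOD
            if delta == SEQ_MOD - 1:
                return "repeated", None         # the previous message delivered again
            if delta >= SEQ_MOD // 2:
                return "out_of_sequence", None  # an older message arriving late
            if delta != 0:
                self.expected_seq = (seq + 1) % SEQ_MOD  # resynchronise after the gap
                return "lost", None             # 'delta' frames never arrived
        self.expected_seq = (seq + 1) % SEQ_MOD
        self.last_good_ms = now_ms
        return "ok", body[HEADER.size:]

    def alive(self, now_ms: int) -> bool:
        """Loss-of-message check for links that carry no acknowledgement."""
        return self.last_good_ms is not None and now_ms - self.last_good_ms <= self.timeout_ms
```

The checks run in the order a black-channel safety layer applies them: integrity first (a frame that fails the CRC is never parsed), then addressing (the link identifier, which also catches a miswired point-to-point link, as the OPTO port identifiers are meant to), then timeliness and sequence. The caller drives the safe state on any outcome other than "ok"; alive() gives it the timeout check that covers lost messages on links, such as the broadcast to the MATS, where no acknowledgement is returned.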

A unique ID (i.e., a 64-bit hash code) is stored in the Tuning, Application Netlist, and Configuration EEPROMs. These unique IDs are read during STARTUP mode and compared to ensure that they match for the chassis, as a safety critical function. They continue to be compared during other modes, but these comparisons are not treated as safety critical.

6.5 Redundancy

The RadICS Platform modular architecture is convenient for building redundant systems. The RadICS Platform provides for two kinds of redundancy management:

  • Architecture-based active redundancy management: Safety I&C systems typically are comprised of several separate, independent divisions (typically three or four). Output signals from each division are issued through output boards into the hardware voting logics, or via communication links to inter-divisional voting divisions (e.g., ESFAS voters), depending on the system architecture. The degree and architecture of redundancy is dictated by the reliability requirements imposed on the application. The RadICS Modules can be configured as single channels or in voting logic configurations, such as 2-out-of-3, 2-out-of-4, or variations of these configurations. The general design principle of the redundant architecture is to comply with the single failure criterion provided in IEEE Std 379-2000 (Reference 6-6).

  • Hardware-based active redundancy management: Redundancy is built into the hardware for inputs, outputs, and power supplies.
    o For inputs, the ADC Unit provides redundancy of the input analog signal results after analog-to-digital conversion, and the analog signal is also transmitted to the redundant Unit for scaling, filtration, and analog-to-digital conversion.
    o For outputs, the safety concept is based on 1-out-of-2-taken-twice redundancy for de-energize-to-trip, plus testing of individual switches. To open the discrete output, all four switches are opened; however, at least one in each pair must open. Once a safety condition is detected by the application or the platform, all four outputs are de-energized.
    o For power supplies, the PSWD Unit receives the redundant 24 VDC power supply and converts it into the voltage levels (for example, +1.2 V, +3.3 V, etc.) necessary for all RadICS Module operation.

LM 4-character display codes by Platform mode (table fragment recovered from page 206):

Mode | Display
STARTUP | STUP
RUN (SAFE) | RUNS
RUN | RUN
CONFIGURATION | CFG

If a failure occurs, the 4-character display shows an error code, and maintenance will generally be required. If the Application Logic has put the RadICS Platform into the safe state, then the 4-character display on the LM will display #1DB (if SOR is set from the Application Logic) or #1DC (if the Application Logic puts the system into Faulted Mode). The RadICS Product Safety Manual contains a listing of all the fault codes.

A.2 System Design Guidance

A.2.1 RadICS Chassis Configuration

The qualified RadICS Chassis configuration consists of one LM, located in slot F1 (left end from the front side). Slot F2 (right end from the front side) is not used. The 14 central module slots may be empty or used for any combination of I/O Modules. The backplane provides separate and dedicated communication lines between slot F1 and every optional module slot (i.e., 14 separate dedicated communication lines). The qualified RadICS Chassis supports the use of IOPMs for EMI/RFI protection. The IOPMs are mounted within the chassis at the rear, directly behind their respective I/O Modules. The IOPMs are specific to the type of I/O Module they protect. This means that changing the use of a slot from one type of Module to another requires relocating the IOPMs.
A.2.2 Power Supplies

The entire RadICS Chassis is supplied with one or two +24 VDC power supplies, which are mounted externally to the RadICS Chassis. The two power sources are independently supplied to every module slot, and every module has its own galvanically isolated power supply sub-module which uses both supply lines. The power supply requirements are two separate feeds, each meeting the following requirements:

  Nominal: 24 VDC
  Operating limits: [[ ]] VDC to [[ ]] VDC
  Capacity: calculated based on rack configuration

The nominal maximum load for the RadICS Chassis depends on the number of modules of each type, and should be calculated by the end user. The end user should then allow a suitable margin in power supply capacity. The nominal maximum loads for each Module type are: [...]

A.2.9.7 Monitoring Module Temperature

The Application Logic should monitor the operating temperature of the RadICS Modules and specify whether the condition is alarmed or the Module is put into the safe state, as specified in the system functional requirements specification.

A.3 Installation

A.3.1 Physical Security

RadICS recommends that the RadICS Platform and other associated safety-related I&C equipment be installed in a secure location to which access is controlled.

A.3.2 Mounting

The minimum space required around the chassis is as follows:

  • Vertical space above the fan assembly portion of the chassis: ≥ 3 cm
  • Vertical space below the chassis: ≥ 3 cm
  • Horizontal depth behind the chassis (to accommodate the I/O cables): ≥ 15 cm

The RadICS chassis is supported by its front panel and should be installed with the required number of bolts and the supplied locking brackets. The bolts should be torqued to the specified values. RadICS Modules must be fully inserted and the hold-down latches secured by screws. The screws should be torqued to the specified values. The RadICS IOPMs must be fully inserted and the hold-down latches secured by screws. The screws should be torqued to the specified values. Cables connected to the RadICS Chassis must be fully inserted and the locking bars in the locked position. Unused connectors should be covered with a dust cap.

A.4 Routine Maintenance Activities

This section provides the recommended periodic inspection and testing procedures for the RadICS Platform. These requirements are intended to identify important considerations for maintaining the environmental qualification of the RadICS Platform.

A.4.1 Periodic Inspection

A visual inspection and then a physical inspection should be conducted periodically to confirm that the equipment is physically in the environment and condition that are expected. It is recommended to inspect the RadICS Platform whenever scheduled preventative maintenance is performed on equipment in the same cabinet.

DI&C-ISG-04 Requirements and Compliance of the RadICS Generic Platform (table excerpt; proprietary text withheld from this version is shown as [[ ]])

Item (continued from the previous page)
Requirement: [...] Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior.
Compliance: All data is transmitted during each Work Cycle. Each message is [[ ]].

Item 8
Requirement: Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions.
Compliance: FPGA technology allows for [[ ]]. Communication between a safety division and non-Class 1E equipment is not allowed, except the following: Tuning Interface (see Section 6.9); MATS (see Sections 6.3 and 6.6); OCM RS-232/485 Interface (see Section 6.2.5.2.12). Communication ports are monitored and blocked except when specifically required (e.g., tuning interface). The safety division is placed in a safe state while the tuning interface is active. The interface to the MATS is one-way broadcast (i.e., non-interfering), rated at SIL 2. [[ ]] Thus, the MATS is also non-interfering. The interface to the OCM RS-232/485 is one-way broadcast (i.e., non-interfering). [[ ]] Thus, the OCM RS-232/485 is also non-interfering. In the sending safety division, failure to send to the non-Class 1E equipment due to communication does not impair the safety function of the division.

Item 9
Requirement: Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor. These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device.
Compliance: The RadICS Module FPGA utilizes [[ ]], which is entirely controlled by the RadICS Module FPGA with no chance of interference from external interfaces. This feature ensures that the LM can always have access without delay to the communication data for transmission or reception of data. The areas of [[ ]].

Item 10
Requirement: Safety division software should be protected from alteration while the safety division is in operation. On-line changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g., engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor/shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of a keylock switch that either physically opens the data transmission circuit or [...]
Compliance: [[ ]] In TUNING mode, parameters which are provided for in the Application Electronic Design can be adjusted by connecting a laptop computer with special software to the RadICS LM. TUNING mode requires the use of a TUNING key and a contact that comes from the end user's downstream safety logic that indicates that this downstream logic is locked into the safe state (controlled by what is called the ARMING key). This permits the end user to fully test his tuning changes under safe conditions. Placing [...]

Item (continued from the previous page)
Requirement: [...] constitute "single failures" as described in the single failure criterion of 10 CFR Part 50, Appendix A. Examples of credible communication faults include, but are not limited to, the following:
  1. Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise.
  2. Messages may be repeated at an incorrect point in time.
  3. Messages may be sent in the incorrect sequence.
  4. Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message.
  5. Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, [...]
Compliance: Communication between a safety division and non-Class 1E equipment is not allowed, except the following: Tuning Interface (see Section 6.9); MATS (see Sections 6.3 and 6.6); OCM RS-232/485 Interface (see Section 6.2.5.2.12). Communication ports are monitored and blocked except when specifically required (e.g., tuning interface). The safety division is placed in a safe state while the tuning interface is active. The interface to the MATS is one-way broadcast (i.e., non-interfering), rated at SIL 2. Receiving ports are not used at the ED level. Thus, the MATS is also non-interfering. The interface to the OCM RS-232/485 is one-way broadcast (i.e., non-interfering). [[ ]] Thus, the OCM RS-232/485 is also non-interfering. Communication failures are detected, and appropriate safety actions are taken (see Section 6.4):
  1. [[ ]]
  4. Loss of messages is detected. [[ ]] Failure to transmit or receive a message cannot interfere with the safety function.
  5. [[ ]] If the [[ ]] is not received [[ ]], this situation is detected.
  6. [[ ]]

Item (continued from the previous page)
Requirement: [...] codes, but once demonstrated is not subject to periodic testing. Error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable. None of this activity should affect the operation of the safety-function processor.
Compliance: [...]

Item 14
Requirement: Vital communications should be point-to-point by means of a dedicated medium (copper or optical cable). In this context, "point-to-point" means that the message is passed directly from the sending node to the receiving node without the involvement of equipment outside the division of the sending or receiving node. Implementation of other communication strategies should provide the same reliability and should be justified.
Compliance: [[ ]] Communications are always passed directly from the sending node to the receiving node with no chance for outside interference.

Item 15
Requirement: Communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set has changed or not.
Compliance: [[ ]] regardless of whether the data has changed or not.

Item 16
Requirement: Network connectivity, liveness, and real-time properties essential to the safety application should be verified in the protocol. Liveness, in particular, is taken to mean that no connection to any network outside the division can cause an RPS/ESFAS communication protocol to stall, either deadlock or livelock. (Note: This is also required by the independence criteria of: (1) 10 CFR Part 50, Appendix A, General Design Criteria ("GDC") 24, which states, "Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."; and (2) IEEE 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.) (Source: NUREG/CR-6082, 3.4.3)
Compliance: [[ ]] Communication between a safety division and non-Class 1E equipment is not allowed, except the following: Tuning Interface (see Section 6.9); MATS (see Sections 6.3 and 6.6); OCM RS-232/485 Interface (see Section 6.2.5.2.12). Communication ports are monitored and blocked except when specifically required (e.g., tuning interface). The safety division is placed in a safe state while the tuning interface is active. The interface to the MATS is one-way broadcast (i.e., non-interfering), rated at SIL 2. [[ ]] Thus, the MATS is also non-interfering. The interface to the OCM RS-232/485 is one-way broadcast (i.e., non-interfering). [[ ]] Thus, the OCM RS-232/485 is also non-interfering. In the sending safety division, failure to send to the non-Class 1E equipment due to communication does not impair the safety function of the division.

Item 17
Requirement: Pursuant to 10 CFR 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified.
Compliance: The RadICS Platform includes selected media and equipment used for communications (including optical fibers, twisted-shielded pair cables, etc.) that are qualified for mild environment usage (see Chapter 9). See above.

Item 18
Requirement: Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication.
Compliance: Each transmitted message contains the data necessary to accomplish the needed safety functions and the elements needed for diagnostics to allow the Modules to detect communication failure. [[ ]]

Item 19
Requirement: If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.
Compliance: [[ ]]

Item 20
Requirement: The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing.
Compliance: The RadICS Platform has deterministic behavior. The Work Cycle for each Module is fixed, and the maximum response time for the system architecture is established using the maximum response time of each LM and communication link. This deterministic behavior guarantees that safety outputs will always be delivered within the computed maximum response time limit. Errors in communications do not impact or increase the system maximum response time. See Section 6.10 for further details on Work Cycles and response times.

Section 2, Command Prioritization
Compliance: The generic RadICS Platform does not include a priority logic Module. Therefore, this section of DI&C-ISG-04 does not apply.

Section 3, Multidivisional Control and Display Stations

3.1 Independence and Isolation
Requirement: The following provisions are applicable to multidivisional control and display stations. These guidance provisions do not apply to conventional hardwired control and indicating devices (hand switches, indicating lamps, analog indicators, etc.).
Compliance: The generic RadICS Platform does not include multidivisional control and display stations. Therefore, the requirements for multi-division controls in this section of DI&C-ISG-04 do not apply.

3.1, Item 1
Requirement: Nonsafety stations receiving information from one or more safety divisions: All communications with safety-related equipment should conform to the guidelines for interdivisional communications.
Compliance: Communication between a safety division and non-Class 1E equipment is not allowed, except the following: Tuning Interface (see Section 6.9); MATS (see Sections 6.3 and 6.6); OCM RS-232/485 Interface (see Section 6.2.5.2.12). Communication ports are monitored and blocked except when specifically required (e.g., tuning interface). The safety division is placed in a safe state while the tuning interface is active. The interface to the MATS is one-way broadcast (i.e., non-interfering), rated at SIL 2. [[ ]] Thus, the MATS is also non-interfering. The interface to the OCM RS-232/485 is one-way broadcast (i.e., non-interfering). [[ ]] Thus, the OCM RS-232/485 is also non-interfering. In the sending safety division, failure to send to the non-Class 1E equipment due to communication does not impair the safety function of the division.

3.1, Item 2
Requirement: Safety-related stations receiving information from other divisions (safety or nonsafety): All communications with equipment outside the station's own safety division, whether that equipment is safety-related or not, should conform to the guidelines for interdivisional communications. Note that the guidelines for interdivisional communications refer to provisions relating to the nature and limitations concerning such communications, as well as guidelines relating to the communications process itself.
Compliance: RadICS systems require interdivisional communications to support voting logics. In addition, one-way (broadcast only) communications are used from safety divisions to non-safety display systems that can aggregate data, perform functions, display data, and make interdivisional comparisons. The interface to the MATS is one-way broadcast (i.e., non-interfering), rated at SIL 2. [[ ]] Thus, the MATS is also non-interfering. The interface to the OCM RS-232/485 is one-way broadcast (i.e., non-interfering). [[ ]] Thus, the OCM RS-232/485 is also non-interfering.

3.1, Item 3
Requirement: Nonsafety stations controlling the operation of safety-related equipment.
Compliance: The generic RadICS Platform does not provide this control capability.

3.1, Item 4
Requirement: Safety-related stations controlling the operation of equipment in other safety-related divisions.
Compliance: The generic RadICS Platform does not provide this control capability.

3.1, Item 5
Requirement: Malfunctions and Spurious Actuations. The result of malfunctions of control system resources (e.g., workstations, application servers, protection/control processors) shared between systems must be consistent with the assumptions made in the safety analysis of the plant.
Compliance: The generic RadICS Platform does not provide this control capability; therefore, these requirements do not apply.

3.2 Human Factors Considerations
Compliance: This will be determined on a project-specific basis.}}
