ML20148D768

Summary of 970318 Meeting W/Listed Attendees to Discuss Status of ASIC-based Reactor Control & Protection Sys Replacement Modules for W Designs

Issue date: 05/20/1997
From: Craig C, NRC (Affiliation Not Assigned)
To: Matthews D, NRC (Affiliation Not Assigned)
References: PROJECT-694 NUDOCS 9706020100


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

May 20, 1997

MEMORANDUM TO: David B. Matthews, Chief, Generic Issues and Environmental Projects Branch, Division of Reactor Program Management, Office of Nuclear Reactor Regulation

FROM: Claudia M. Craig, Senior Project Manager, Generic Issues and Environmental Projects Branch, Division of Reactor Program Management, Office of Nuclear Reactor Regulation

SUBJECT: SUMMARY OF MEETING WITH WESTINGHOUSE AND THE WESTINGHOUSE OWNERS GROUP (WOG) TO DISCUSS THE APPLICATION-SPECIFIC INTEGRATED CIRCUIT (ASIC)-BASED REACTOR CONTROL AND PROTECTION SYSTEM REPLACEMENT MODULES FOR WESTINGHOUSE DESIGNED NUCLEAR UNITS

On March 18, 1997, members of the NRC staff met with representatives of Westinghouse, the Westinghouse Owners Group (WOG), EPRI, Oak Ridge National Laboratory (ORNL), and Northrop Grumman Advanced Technology Center (ATC) to discuss the status of the ASIC-based reactor control and protection system replacement modules for Westinghouse designs. Attachment 1 is a list of meeting attendees.

By letter dated April 17, 1997, the WOG submitted proprietary and non-proprietary versions of the presentation material discussed at the meeting. Attachment 2 is a copy of the non-proprietary version of the presentation material.

Westinghouse provided the staff with an overview of the ASIC design. This included discussions of the block diagram, the ASICs card diagram, and the operator interface. Westinghouse also discussed the design, verification, and validation plan for the ASIC program. This plan outlines the responsibilities of the different organizations for the various program activities.

Westinghouse discussed how independence was maintained between the design process and the verification and validation review process. The verification process was developed to independently confirm that the final design functioned as documented. This process consisted of design reviews and simulation testing. The validation process was developed to demonstrate that the system design met the system functional requirements. This process consisted of functional requirements testing, qualification testing, and abnormal condition and event testing. ORNL provided a discussion of the test and simulation process.

ATC provided a discussion of the ASIC test and fabrication process. Westinghouse concludes that the ASIC chip will operate reliably because the test and qualification process provided an independent review by ATC, maintained diversity of the review, ensured devices were tested prior to delivery, and included a commercial grade item dedication process.


D. Matthews                              -2-                              May 20, 1997

The schedule for submittal of the topical report was also discussed. The first of four submittals is scheduled for April 1997, while the last is scheduled for January 1998. The staff plans on conducting audits, possibly at the various locations that were involved in the development of the ASIC program.

The staff provided a summary of a report conducted by a staff contractor entitled "Safety Critical Application for ASICs". This report will be put in the Public Document Room. The staff also provided the status of the Standard Review Plan update, the development of two inspection modules, and development of the branch technical position. The staff informed the attendees that ACRS may be interested in receiving a briefing by the WOG and/or the staff on the ASIC program.

Project No. 694

Attachments: As stated

cc w/atts: See next page


DISTRIBUTION w/ attachments: Summary of March 18, 1997, Meeting with Westinghouse and the WOG dated May 20, 1997

Hard Copy: Central File, PUBLIC, PGEB, RArchitzel, CCraig
E-Mail: SCollins/FMiraglia, AThadani, BBoger, TMartin, DMatthews, JWermiel, JMauck, JStewart, PLoeser, DSpaulding, JCalvert (RES)

WESTINGHOUSE/WOG/NRC MEETING
ASIC BASED REACTOR CONTROL AND PROTECTION SYSTEM REPLACEMENT MODULES
MARCH 18, 1997 AT ROCKVILLE, MD

MEETING ATTENDEES

NAME                   ORGANIZATION
Claudia Craig          NRC/NRR/DRPM/PGEB
Jim Stewart            NRC/NRR/DRCH/HICB
Darrell Cooksey        Union Electric Co.
Robert Sterdis         Westinghouse
Carl Vitalbo           Westinghouse
Joseph Naser           EPRI
Andre Petrenko         NY Power Authority
Michael Marino         VA Power / North Anna
John R. Guider         Rochester Gas & Electric
Pravin Shah            TU Electric
Paul Loeser            NRC/NRR/DRCH/HICB
Jerry Mauck            NRC/NRR/DRCH/HICB
Deidre Spaulding       NRC/NRR/DRCH/HICB
Mike Garton            VA Power
Paul Travis            Houston Lighting & Power / STP
John E. Kennerly       SCE&G / V.C. Summer Nuclear
Hamilton Fish          New York Power Authority - R&D
Bob Queenan            Duke Power / Catawba
Dick Miller            Westinghouse
Ron Battle             ORNL
Steve DiTommaso        WOG Project Office
John A. Calvert        NRC/RES/CIHFB
John Ruether           NSP - Prairie Island
Jared Wermiel          NRC/NRR/DRCH/HICB
Michael R. Natale      Northrop Grumman Corp.

ATTACHMENT 1

Westinghouse Owners Group - EPRI Meeting with the US NRC
on ASIC Based Reactor Control & Protection System Replacement Modules for Westinghouse Designed Nuclear Units
March 18, 1997, NRC White Flint Offices

AGENDA

WOG-NRC ASICs Meeting Agenda

DATE: March 18, 1997
TIME: 8:30 - 12:00
PLACE: NRC White Flint Offices
Proprietary Information to be Discussed

PARTICIPANTS:
NRC: Jim Stewart, Jerry Mauck, Diedra Spaulding, Claudia Craig
Utilities: Mike Marino (VP), Darrell Cooksey (UE), Paul Travis (HL&P), Dennis Deardorf (SCE&G), Bob Queenan (Duke), Joe Ruether (NSP), John Guider (RGE), Pravin Shah (TUE), Karl Jacobs (NYPA)
EPRI: Joe Naser
Westinghouse: Carl Vitalbo, Bob Sterdis, Dick Miller
ORNL: Ron Battle
ATC: Mike Natale

AGENDA:
I. Design Update
II. Design, Verification, & Validation Plan
III. Test & Qualification Process
  A. ASIC Chip Test Program
    1. Test Vectors
    2. Fault Coverage
    3. Simulation Results
    4. Test Result Summary
  B. Validation Test Plan
  C. Qualification Test Plan
IV. Topical Report Submittal Schedule
V. NRC Summary of "Safety Critical Application for ASICs" Report
VI. Wrap-up

Westinghouse Owners Group - EPRI Meeting with the US NRC

DESIGN UPDATE

Westinghouse Owners Group - EPRI Meeting with the US NRC

Design, Verification, & Validation Plan

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

Westinghouse is responsible for the following program activities:

1. Project definition
2. Conceptual design
3. Project specific methods and activities
4. Functional requirement definition (process functions, algorithms, etc.)
5. Hardware requirement definition
6. Analysis
7. Technical integration of all design areas (main board, personality modules, ASIC, Controller)
8. Main board design, layout and assembly
9. Operator Interface design
10. Personality module design, layout and assembly
11. Configuration Management Control
12. Documentation (specifications, design drawings, manufacturing drawings, etc.)
13. Second party review of all ORNL design activities (e.g., controller algorithm verification)
14. Reliability Assessment and Failure Modes and Effects Analysis
15. Design Reviews (Preliminary, Intermediate and Final)
16. Validation Testing of integrated product
17. Abnormal Conditions and Events Testing (ACES)
18. Qualification Testing of integrated product
19. Licensing, including regulatory compliance analysis
20. Prototype and production unit fabrication
21. Commercial Dedication of ASIC
22. Technical Manual

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

PURPOSE
- Provide guidance for the design, verification and validation of the ASIC Based RPS Replacement Module Development Program.
- Provide a disciplined development process across multiple design organizations.
- Provide references to applicable codes and standards.

ORGANIZATIONAL OVERVIEW

Westinghouse Electric Company
- Program Technical Lead
- Primary design, verification, validation and licensing organization
- 10CFR50 Appendix B supplier
- Procedures in place for design, verification and validation activities
- Responsible for independent review of design activities performed by others
- Conduct validation tests to confirm adherence to requirements

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

Northrop Grumman Advanced Technology Center (ATC)
- Responsible for simulation testing of ORNL ASIC design
- Fabrication of ASIC devices for qualification & production
- Comprehensive testing of devices prior to delivery
- Not an Appendix B supplier
- Treated as a commercial vendor

Northrop Grumman ATC is responsible for the following program activities:

1. Independent simulation testing of ORNL ASIC design
2. ASIC prototype testing (ORBIT devices)
3. ASIC fabrication for qualification and production
4. ASIC component testing

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

Oak Ridge National Laboratory (ORNL)
- Design of ASIC chip and Controller
- Not an Appendix B supplier
- Treated as a commercial vendor

ORNL is responsible for the following program activities:

1. ASIC design and layout
2. ASIC prototype fabrication (ORBIT devices)
3. Controller design
4. Controller code development
5. Implementation of process functions and algorithms in Controller

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

SYSTEM LIFE CYCLE DEVELOPMENT PROCESS

Eight phases:
- Conceptual / Planning Phase
- Requirements Phase
- Design Phase
- Implementation Phase
- Integration and Test Phase
- Installation and Checkout Phase
- Operation and Maintenance Phase
- Retirement Phase

DESIGN PROCESS
- Design organization (WEC) is responsible for assuring that design, verification and validation activities are performed in a manner which maintains the review process independent from the design process.
- Independence means an objective second-party review by competent individual(s) of material which they did not design.
- Internal second-party review of all design documentation
- Auditing vendors to assure adherence to the design and review process

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

VERIFICATION PROCESS
- Objective: independently confirm, by means other than those used by the designer, that the final design functions as documented.
- Bottom-Up Review process. Divides the overall system design into smaller "subsystems" for evaluation (for example, an analog input circuit or a digital output circuit). After all "subsystems" are verified, the complete system is evaluated. This design verification philosophy ensures that all subsystems and interfaces between subsystems are reviewed and/or tested.
- Conducting formal design reviews:
  - Preliminary Design Review during Design Phase
  - Intermediate Design Review during Implementation Phase
  - Final Design Review during Integration and Test Phase

[Figure: ASICs Card Diagram]

[Figure 2-1: ASIC Block Diagram]

[Figure: 7300A Operator Interface (Sheet 1 of 2)]

[Figure: 7300A Operator Interface (Sheet 2 of 2)]

SEISMIC TESTING
- Modules mounted in card cage, configured as typical process channel
- Attached to rigid test fixture
- Identical mounting and test parameters as 7300 analog card test

FAULT TESTS
- Faults applied to all non-1E connections
- Short Circuit: Line to Ground, Line to Line
- Fault Voltages: 125 VAC, 60 Hz; 580 VAC, 60 Hz; 125 VDC; 250 VDC

EMC TESTING
- Immunity and Emissions requirements provided by EPRI 102323 Rev. 1 (DRAFT)
- No Exceptions to Frequency Ranges
- Emissions Effect on Adjacent 7300 Analog Card Addressed in Validation Test Plan
- Modules in Card Cage, in Cabinet, Configured as Typical Process Channels
- Conducted Emissions: 30 Hz to 400 MHz
- Radiated Emissions: 30 Hz to 1 GHz
- Radiated Immunity - Continuous Wave: 30 Hz to 1 GHz, 10 V/m
- Conducted Immunity - Continuous Wave: 30 Hz to 50 kHz, 6.3 VRMS; 50 kHz to 400 MHz, 7 VRMS

FEATURES OF THE DESIGN THAT SUPPORT LICENSING UNDER 10CFR50.59

7. CONSEQUENCES OF FAILURE OF THE RAMLogic FPGA

A. FAILURE TO CONFIGURE: SAME AS THE OI FPGA

B. FAILURE OF THE CLOCK DIVIDER CIRCUIT
- Divides 4 MHz oscillator frequency down to 1 MHz operational frequency
- Failure could cause operational frequency to go high, low or to zero
- If high or low, the process functions that are time dependent (lag, derivative, lead / lag) will not function correctly because the actual cycle time would be different from the SP & TC which were based on a one millisecond cycle time. This will be detectable during periodic ACOT testing.
- If zero, the dead man timer circuit will time-out, causing the GA to activate
- Failures would be similar to component (capacitor, resistor, op-amp) failure in analog system
- ASIC component tested at 4 MHz during post manufacturing testing

C. FAILURE OF THE PARALLEL-TO-SERIAL CONVERTER
- Converts parallel data bus from ASIC into serial data bus to DAC
- Failure would corrupt data to DAC, resulting in wrong output values
- Failure would be detectable during periodic ACOT testing (accuracy, incorrect indication)
- Failures would be similar to component (capacitor, resistor, op-amp) failure in analog system
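An added illustration of the clock-divider failure mode in item 7.B, not code from the presentation or from Westinghouse: a first-order lag is computed once per scan with a coefficient fixed from the tuning constant (TC) and the assumed 1 ms cycle, so a divider fault that changes the real scan period shifts the measured time constant even though the card's arithmetic is unchanged, which is the deviation a periodic functional test such as ACOT would see. The lag form, the 5 % tolerance and the function names are assumptions of this example.

```python
"""Effect of a wrong cycle time on a time-dependent process function.

Example constructed for this page (not Westinghouse/ORNL/ATC code). The lag
coefficient is derived at configuration time from TC and the design cycle of
1 ms (1 MHz clock). If the clock divider delivers a different frequency, each
scan represents a different amount of real time, so the response to a step
is stretched or compressed relative to the configured TC.
"""
import math

ASSUMED_CYCLE_S = 0.001          # design scan period: 1 ms (assumption)
THRESHOLD_63 = 1.0 - math.exp(-1.0)   # 63.2 % point of a first-order lag


def lag_step_response(tc_s, actual_cycle_s, duration_s=1.0):
    """Unit-step response of a first-order lag computed scan by scan.

    tc_s            configured tuning constant (seconds)
    actual_cycle_s  real time between scans (1 ms if the divider is healthy)
    Returns a list of (real_time_s, output) samples.
    """
    alpha = ASSUMED_CYCLE_S / tc_s   # fixed when SP & TC were entered
    y = 0.0
    samples = []
    scans = int(duration_s / actual_cycle_s)
    for k in range(1, scans + 1):
        y += alpha * (1.0 - y)       # y[k] = y[k-1] + alpha*(x - y[k-1]), x = 1
        samples.append((k * actual_cycle_s, y))
    return samples


def measured_time_constant(samples):
    """Real time at which the output first reaches 63.2 % of its final value."""
    for t, y in samples:
        if y >= THRESHOLD_63:
            return t
    return None


def acot_check(tc_s, actual_cycle_s, tolerance=0.05):
    """Periodic functional test (assumed form): measured TC within 5 % of configured TC."""
    measured = measured_time_constant(lag_step_response(tc_s, actual_cycle_s))
    if measured is None:
        return False
    return abs(measured - tc_s) / tc_s <= tolerance


if __name__ == "__main__":
    tc = 0.1   # 100 ms lag, constructed value
    for cycle in (0.001, 0.002, 0.0005):   # healthy, divider low, divider high
        t63 = measured_time_constant(lag_step_response(tc, cycle))
        print(f"cycle {cycle*1e3:.1f} ms: measured TC {t63:.3f} s, "
              f"ACOT {'pass' if acot_check(tc, cycle) else 'FAIL'}")
```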

FEATURES OF DESIGN THAT SUPPORT LICENSING UNDER 10CFR50.59

1. DESIGN PROCESS
- Controlled & orderly process according to Design, Verification & Validation Plan
- Using established tools that have wide commercial usage

2. CONFIDENCE LEVEL OF THE CONFIGURATION PROCESS
- Serial configuration scheme has proven reliable in 1000's of designs & millions of devices
- CRC codes provide excellent protection against errors
- 100% protection against erroneous configuration files, defective configuration data sources (PROM), synchronization errors between PROM & FPGA, PCB defects (open/shorted tracks)

3. DATA INTEGRITY (CONFIGURATION, SETPOINTS & TUNING CONSTANTS)
- Stored values cannot change inadvertently

4. TESTABILITY OF THE CONFIGURED DEVICE
- Tested as part of integrated assembly during Validation, Qualification and ACES testing
- Device functions are simple & can be thoroughly tested
- Setpoints & Tuning Constants can be tested after card is installed in rack

5. RELIABILITY OF THE FPGA
- Hardware: Protection provided against abnormal conditions & environment provides assurance of high data integrity in noisy environments
- Using high quality devices with wide commercial usage, from reputable manufacturer

ASIC TEST & QUALIFICATION PROCESS (cont)

ASIC Test and Fabrication Summary
- Simulation Testing and Evaluation Complete
- High Fault Coverage Test Established with ORNL
- Prototype Parts Pass This Test
- Northrop Grumman Parts Pass Function Test at Wafer
- Production Parts Are In Assembly and Quality Screening

Test Vector Evaluation
- Functional Vectors Individually Exercise All ASIC Functions
- Test of Outputs of All ASIC Functions Aided By Access To Internal Nodes by Monitor Bus
- Extended Vector Set (Fault Vectors) Provides Additional Tests, Combinations of Inputs in Addition to Expected Operational Signals
- Monitor Bus Design and Fault Vectors Provide Extremely High Degree of Fault Coverage

Summary
+ Hierarchical design and bottom-to-top testing make design reliable
+ Functional tests were done at each level prior to designing the next level
+ Logic- and analog-based simulations were done to test the design and the layout
+ Enhanced test vectors were developed to test the fabricated ASIC

Enhanced Test Vectors Test the Fabricated ASIC
+ 40-bit vectors were divided into 10 hexadecimal components
+ These tests include normal and boundary value vectors designed to detect stuck-at faults
+ Hex components test many of the circuits simultaneously by operating them in parallel
+ Typical vectors selected included alternating 0s and 1s; 1s and 0s; all 1s; all 0s; sequentially increasing numbers; and other combinations
+ A monitor-bus is available to observe inside some of the functions

Low-Level Circuits for the ADD Block

[Figure: one bit-slice of the ADD block showing the ABus and BBus inputs, sign and subtract XOR gates, full adders, Sum 0 / Sum 1 outputs and carry out (CO)]

These circuits are repeated 40 times plus a block for overflow

Functional Tests Used Hierarchical Architecture
+ At the lowest level, detailed functional tests were conducted
+ Higher levels consisted of replicated circuits that were tested at lower level
+ Normal and boundary value numbers were tested. All combinations of signed numbers were tested
+ All interfaces between functions were tested
+ Hierarchical circuits connect to outside circuits at top level only
+ Access to functional blocks by external data bus reduces the number of tests

ASIC Consists of Functional Blocks for RPS
+ Blocks input data, manipulate data, store data, and output data
+ High level blocks were selected to implement RPS card functions
+ Data bus connects blocks and provides input and output
+ Functions are selected by a control PROM that is stepped by an ASIC counter

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

GUIDELINES FOR COMMERCIAL GRADE ITEM DEDICATION

When applying the guideline to the commercial grade item dedication of the ASIC chip, the following process results:

[Figure: commercial grade item dedication process]

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM (2)

Qualification Testing
- Insures that the design operates within predefined acceptance criteria when subjected to anticipated extremes of the environment, seismic disturbances and electrical interference.
  1. Environmental (temperature and humidity)
  2. Seismic
  3. Electro-Magnetic Interference (EMI) and Radio Frequency Interference (RFI)
  4. Electrical Noise
  5. Electrical Fault
  6. Electrical Surge

[Figure: Decomposed Functional Requirements -> Qualification Test Plan -> Qualification Test Procedures -> Qualification Test]

CONTROLLER DESIGN, VERIFICATION & VALIDATION PROCESS

[Figure: controller design, verification & validation process]

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

Simulation Testing
- Determines performance of design as separate entity, without actual system hardware.
- Verifies that the functionality of the design meets the applicable design specifications.
- Comprehensively exercises (via computer emulation) the design.
- Used to verify the transformation from a "paper design" to actual hardware.
- Test inputs (or test vectors) are developed to exercise all the possible signal paths through a system or component, and operation is compared to expected results. For components or system operation not directly observable, a qualitative analysis should be performed to assess the significance of the components not exercised.
- Used to evaluate the system response to potential unintended functions (i.e., transients, noise, etc.). The simulation process can also be used to evaluate interactions between subsystems (i.e., loading, opens, shorts, etc.) and to ascertain postulated failure modes and effects.
- After completion of simulation testing, design is released for fabrication and subsequent system validation testing.

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM

VALIDATION PROCESS
- Demonstrates that the system design meets the system functional requirements on the target hardware.
- System Validation Plan defines a methodology that must be followed to perform a series of functional requirement based tests which complement the reviews and simulations conducted during the design verification phase.

(1) Functional Requirements Testing
- Insures that the design meets the functional requirements and that good design practice was utilized

[Figure: Decomposed Functional Requirements -> Validation Test Plan -> Validation Test Procedures -> Validation Test]

- Good engineering practice
  a. Interfaces between other systems, subsystems or components.
  b. Maintenance and calibration features.
  c. Diagnostics and alarms.
  d. Component placement for manufacturability.
  e. Location of operator interface controls.

ASIC PROGRAM DESIGN, VERIFICATION & VALIDATION PROGRAM (3)

Abnormal Conditions and Events (ACES) Testing
- Insures that the design operates in a known and predictable manner under abnormal mode conditions.

[Figure: Decomposed Functional Requirements -> ACES Test Plan -> ACES Test Procedures -> ACES Test]

PROBLEM REPORTING & RESOLUTION

DESIGN, VERIFICATION & VALIDATION REPORTS
- Validation Test Report
- Qualification Test Report
- ACES Test Report

Westinghouse Owners Group - EPRI Meeting with the US NRC

Test & Qualification Process

ASIC-Based Replacement Modules
R. E. Battle
ORNL
March 18, 1997

[Figure: ASIC boundary and data bus block diagram. Blocks labelled: Memory, Operator Interface, Multiplier, Square Root, Discrete, Add / Subtract / Shift / 2's Complement, Comparator, ADC, ADC Interface, DACs, DAC Interface, Monitor Bus, Control Bus, Controller, Counter, Sequential Count. DAC: Digital-to-Analog Converter. ADC: Analog-to-Digital Converter.]

Design and Functional Tests Started at Lowest Level
+ Top level functions for RPS were selected
+ Lowest level circuits were designed and tested by the designer prior to moving to next higher level
+ The low-level circuits were combined and then tested at the next level
+ Finally, top level ASIC functions and the core were tested
+ All possible controller instructions were input for each function, which operated each device and moved data between them

Top-Level Block for Adder

[Figure: adder block showing DBus loading AReg and BReg (Load A / Load B controller signals), ABus and BBus into the ADD block with 2's complement and shift-left / shift-right (SL & SR) stages, Enable and Read Output controller signals, and output back to DBus]

Functional Testing Used Two Simulators
+ Logic simulations done at each level ensured they function properly
+ Analog simulations of layout ensured there were no timing problems
+ Timing simulations were done at 4 MHz for circuits intended to operate at 1 MHz
+ All the functional tests were run on the analog simulation
+ Single, low-speed clock and synchronous circuits essentially eliminate timing problems

Operating Features of the ASIC Increase Reliability
+ There are no undefined states. Only a hardware failure can cause continued misoperation
+ The controller is designed without loops, interrupts, or branches. Only the data vary between scans
+ The ASIC circuits are deterministic in that they respond to enable commands and complete their operation regardless of other external signals
+ A single low-speed clock connected to synchronous circuits ensures timing problems will not occur

Northrop Grumman RPS ASIC Test and Fabrication
M. R. Natale
18 March 1997

ASIC Simulation Testing
- Functional Simulation Files Transferred and Re-Run at ATC
- Performed Independent Review to Confirm Fault Coverage of Simulation Vectors
- Recommended and Received Additional Fault Coverage Simulations From ORNL to Supplement Functional Simulations
  - 9,046 Functional Vectors
  - 149,571 Fault Vectors
  - 65,536 Command Address Vectors
- Reformatted and Added Initiation Sequence To Functional and Fault Simulations to Create Test Vectors

ASIC Tests Are Comprehensive
- Functions Tests - All Individual Functions: Add, Subtract, Shift, 2's Complement, Multiply, Divide, Comparator, ADC & DAC Interfaces
- Combinations of Functions - As Applied in Operation: Square Root-Multiply-Divide, for Example
- System Simulation - Calculates Y = [-X^2 + 2(10X - 3.5)] / 3.5
- Fault Vectors Apply Exhaustive Data Patterns
  - All Possible Bit Patterns in Four Bit Sections
  - Walking One Patterns Applied to Test Sections Interaction
- All ADC & DAC Channels Tested Simultaneously
  - Differing Patterns in Each ADC & DAC Channel
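The vector families named on the ORNL slide "Enhanced Test Vectors Test the Fabricated ASIC" and on the ATC slide above ("Fault Vectors Apply Exhaustive Data Patterns") can be scored against a single stuck-at fault model. The following is an added example, not code from ORNL, ATC or Westinghouse: it models the ADD block as a 40-bit ripple-carry adder (the slides give only the 40-bit width and the 40x repeated bit-slice, so the ripple structure and the sum/carry node set are assumptions), injects every single stuck-at-0/1 fault on those nodes, and reports how many faults each family detects.

```python
"""Fault-coverage estimate for a 40-bit ADD block using structured test vectors.

Constructed example for this page (not Westinghouse/ORNL/ATC code). A bit-level
ripple-carry adder stands in for the ASIC ADD block; single stuck-at faults are
injected on its sum and carry nodes; the vector families from the slides are
scored by how many of those faults they expose. Coverage = detected / total.
"""

WIDTH = 40                      # 40-bit vectors per the ORNL slide
MASK = (1 << WIDTH) - 1


def ripple_add(a, b, fault=None):
    """Add two WIDTH-bit values bit by bit (assumed ripple-carry structure).

    fault: None or (node, bit, stuck_value) with node in {"sum", "carry"};
    that node of that bit position is forced to stuck_value.
    Returns (sum mod 2**WIDTH, carry_out).
    """
    carry = 0
    total = 0
    for i in range(WIDTH):
        ai = (a >> i) & 1
        bi = (b >> i) & 1
        s = ai ^ bi ^ carry
        c = (ai & bi) | (carry & (ai ^ bi))
        if fault is not None and fault[1] == i:
            if fault[0] == "sum":
                s = fault[2]
            else:
                c = fault[2]
        total |= s << i
        carry = c
    return total, carry


def all_single_faults():
    """Every single stuck-at-0 / stuck-at-1 fault on a sum or carry node."""
    return [(node, bit, val)
            for node in ("sum", "carry")
            for bit in range(WIDTH)
            for val in (0, 1)]


def to_hex_components(vec):
    """Split a 40-bit vector into the 10 hexadecimal components the slide
    describes, most significant nibble first."""
    return [(vec >> (4 * k)) & 0xF for k in reversed(range(WIDTH // 4))]


def vector_families():
    """Constructed operand pairs (a, b) for each family named on the slides."""
    alt = int("01" * (WIDTH // 2), 2)                 # 0101...01
    return {
        "all_zeros": [(0, 0)],
        "all_ones": [(MASK, MASK)],
        "alternating": [(alt, alt), (alt, MASK ^ alt), (MASK ^ alt, MASK ^ alt)],
        "sequential": [(n, n + 1) for n in range(16)],
        "walking_one": [(1 << i, 1 << i) for i in range(WIDTH)],
        # all 16 patterns in each 4-bit section, other sections held at zero
        "nibble_exhaustive": [(p << (4 * k), p << (4 * k))
                              for k in range(WIDTH // 4) for p in range(16)],
    }


def detected(vectors, fault):
    """True if any vector makes the faulty adder differ from the good one."""
    return any(ripple_add(a, b) != ripple_add(a, b, fault) for a, b in vectors)


def fault_coverage(vectors):
    """Return (faults detected, total faults) for a vector set."""
    faults = all_single_faults()
    hits = sum(1 for f in faults if detected(vectors, f))
    return hits, len(faults)


def coverage_report():
    """Coverage per family and for the union of all families."""
    fams = vector_families()
    report = {name: fault_coverage(vecs) for name, vecs in fams.items()}
    union = [v for vecs in fams.values() for v in vecs]
    report["all_families"] = fault_coverage(union)
    return report


if __name__ == "__main__":
    for name, (hit, total) in coverage_report().items():
        print(f"{name:18s} {hit:3d}/{total} single stuck-at faults detected")
```

The report shows that all 0s and all 1s each expose exactly half of the 160 faults and are complementary except for one fault (sum bit 0 stuck at 0), which the sequential and alternating vectors catch, so the union reaches full coverage of this model.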

ASIC TEST & QUALIFICATION PROCESS

ASIC TEST & QUALIFICATION PROCESS (cont)

SUMMARY

1. INDEPENDENT REVIEW OF ORNL DESIGN WAS CONDUCTED BY ATC
  • Simulation testing of design was conducted by ATC
  • Enhanced test vectors developed to thoroughly test the device

2. DIVERSITY OF REVIEW PROCESS
  • Different People
  • Different Process
  • Different Procedures
  • Different Tools

3. ALL DEVICES TESTED PRIOR TO DELIVERY

4. COMMERCIAL GRADE ITEM DEDICATION PROCESS

5. CONCLUSION: ASIC CHIP WILL OPERATE RELIABLY

FPGAs USED IN REPLACEMENT CARD DESIGN

OPERATOR INTERFACE FPGA
- USED TO ENTER / CHANGE / STORE SETPOINTS AND TUNING CONSTANTS
- USED TO PERFORM ANALOG INPUT AND ANALOG OUTPUT CALIBRATION

RAMLogic FPGA
- USED TO DIVIDE 4 MHz CLOCK FREQUENCY DOWN TO 1 MHz
- PERFORMS PARALLEL TO SERIAL CONVERSION FOR DATA FROM ASIC TO DAC
- PERFORMS COMBINATORIAL LOGIC FOR GENERAL AND TROUBLE ALARMS
- CONTAINS EXTERNAL (SCRATCH PAD) MEMORY FOR INTERMEDIATE CALCULATIONS

FPGAs ARE USED IN CONJUNCTION WITH A PROM THAT CONTAINS THE CONFIGURATION INFORMATION

FEATURES OF DESIGN THAT SUPPORT LICENSING UNDER 10CFR50.59

6. CONSEQUENCES OF FAILURE OF THE OPERATOR INTERFACE FPGA

A. FAILURE TO CONFIGURE
- When card is inserted into slot, FPGA configures from PROM
- During this time, the GA indicator is OFF & the TA indicator is ON
- Upon completion of successful configuration, the GA indicator turns ON (indicating NORMAL operation) & the TA indicator turns OFF
- After this point, any failure is considered a hardware failure (such as a gate)

B. FAILURE DURING SETTING SETPOINTS & TUNING CONSTANTS
- Circuit is only active during entering / changing / storing of setpoints & tuning constants
- A failure would result in the wrong value being entered / stored
- Failure would be detectable during the functional test conducted after the change

C. FAILURE DURING CALIBRATION OPERATION
- Only active when enabled by operator (not automatic or "on-line")
- Failure results in inability to calibrate analog inputs or analog outputs
- Failure would be detectable during the functional test conducted after the change (accuracy)

FEATURES OF THE DESIGN THAT SUPPORT LICENSING UNDER 10CFR50.59

D. FAILURE OF THE COMBINATORIAL LOGIC
- Monitors internal diagnostic signals & generates GA and TA
- Failure results in either a spurious GA, spurious TA, no GA or no TA
- Circuit is not part of process signal path. If false alarm, output of card will still be correct. If a GA or TA failed to activate, the output of the card will be incorrect because the condition causing the alarm also causes an error in the signal processing (ex. clock failure)
- The ASIC design enhances the GA feature of the 7300 System. In current analog system, the GA activates only when power, or the card fuse, fails.

E. FAILURE OF THE EXTERNAL MEMORY (SCRATCH-PAD)
- Stores intermediate values during string calculations being performed by the ASIC math function
- Failure results in data corruption during READ or WRITE operations, or a stuck bit (gate failure)
- If error is in LSB area, the card output may still be within specified accuracy. If error is in MSB area, results of calculation will be wrong and card output will not be within specified accuracy.
- ASIC chip design cannot lock-up. If error was intermittent, a "glitch" may appear at the end of the current cycle, but will be correct next cycle if error disappears. If error is permanent, then output will be wrong and detectable during periodic ACOT testing.

TEST PLAN for Electromagnetic Compatibility (EMC), Abnormal Environments, Seismic & Fault Testing

Equipment Identification: 7300 (NXX) ASIC-based Reactor Protection System Replacement Modules, Associated Personality Modules

March 17, 1997

- Electrostatic Discharge: 8 kV Contact
- Fast Transient / Impulse: 3 kV into 50 ohm load
- Surge Tests: 3 kV peak

ABNORMAL ENVIRONMENT

Environmental Conditions

Cycle   Duration (hrs)   Temperature (F)   RH (%)   DC Voltage (Volts)
1       12               158               20       22
2       12               83                95       22
3       12               158               20       27
4       12               82                95       27

Modules mounted in card cage, configured as typical process channel

ACCEPTANCE CRITERIA

EMC
- Emissions per EPRI 102323
- Immunity: Maintain ability to perform safety function; No change of state

Abnormal Environment Test
- Maintain accuracy deviation to a maximum of 0.1% of span per 50 F change

Seismic Testing
- Maintain ability to perform safety function during and after SSE, zero residual effects
- Contact outputs shall not chatter 2 msec or greater
- No change of state

Fault Tests
- Maintain ability to perform safety function

Westinghouse Owners Group - EPRI Meeting with the US NRC

Topical Report Submittal Schedule

Westinghouse Owners Group - EPRI Meeting with the US NRC

NRC Summary of "Safety Critical Application for ASICs" Report

cc:

Mr. Nicholas Liparulo
Westinghouse Electric Corporation
Mail Stop ECE 4-15
P.O. Box 355
Pittsburgh, PA 15230-0355

Mr. Andrew Drake, Project Manager
Westinghouse Owners Group
Westinghouse Electric Corporation
Mail Stop ECE 5-16
P.O. Box 355
Pittsburgh, PA 15230-0355