ACRS Subcommittee on Plant Systems Meeting - October 31, 2000

                                                                 1
 1                            UNITED STATES
 2                    NUCLEAR REGULATORY COMMISSION
 3                                 ***
 4              ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
 5                                 ***
 6                    SUBCOMMITTEE ON PLANT SYSTEMS
 7
 8                      Tuesday, October 31, 2000
 9
10              The subcommittee met, pursuant to notice at 8:30
11    a.m.
12
13    BEFORE:
14              AMARJIT SINGH
15
16
17
18
19
20
21
22
23
24
25
.                                                                 2
 1                        P R O C E E D I N G S
 2                                                     [8:30 a.m.]
 3              CHAIRMAN UHRIG:  Good morning.  The meeting will
 4    now come to order.  This is a meeting of the ACRS
 5    Subcommittee on Plant Systems.  I am Robert Uhrig, Chairman
 6    of this subcommittee.
 7              Other ACRS members in attendance are Dr. Dana
 8    Powers, Graham Leitch, and Jack Sieber.
 9              The purpose of this meeting is to discuss the
10    safety evaluation reports for the Westinghouse/ABB/CE and
11    Siemens digital I&C applications.
12              Mr. Amarjit Singh is the cognizant ACRS staff
13    engineer and designated Federal official for this meeting.
14              The rules for participation in today's meeting
15    have been announced as part of the notice of this meeting
16    previously published in the Federal Register on October 18,
17    year 2000.
18              A transcript of the meeting is being kept and will
19    be made available as stated in the Federal Register notice. 
20    It is requested that speakers first identify themselves and
21    speak with sufficient clarity and volume so that they can be
22    readily heard.
23              We have received no written comments or requests
24    to make oral statements from members of the public.
25              We will now proceed with the meeting and I call
.                                                                 3
 1    upon Mr. Larry Erin, of Siemens, to begin.
 2              MR. ERIN:  My name is Larry Erin, work for Siemens
 3    Power Corporation.  I'll be giving an overview of the
 4    Teleperm access safety system that's been designed by
 5    Siemens and used for nuclear power plants applications.
 6              The first slide that you see here is just a
 7    picture of our overall I&C solutions.  It's a combined
 8    architecture of the Teleperm XS, which is used for safety
 9    applications, and the Teleperm XP, which is used for
10    non-safety applications.
11              The platforms, again, with an interface with
12    filled components, both 1E safety applications and non-1E,
13    which are non-safety and control systems.
14              The Teleperm XS is used for the safety
15    applications.  The Teleperm XP platform, an automation
16    system, is used for the non-safety applications.  Typical
17    safety applications are for reactor protection, safeguards
18    actuation, safety controls, nuclear instrumentation system.
19              Also, we have a Teleperm XP operation and
20    monitoring system that is used for the plant computer type
21    applications.  And the Teleperm XP also has a capability to
22    interface with other plant types of buses that are used
23    throughout the plant.
24              I'm going to give an overview of the Teleperm XS,
25    which is the safety system.  Some of the basic design goals. 
.                                                                 4
 1    When the Teleperm XS system was developed, for the safety
 2    applications, were to have short response times.  Typically,
 3    the I&C portion of the channel needs to respond at something
 4    less than about 200 milliseconds.  Proof of required
 5    reliability, this needs to be highly reliable systems
 6    because of the applications.  And the ability to control all
 7    of the postulated events.
 8              Some of the important criteria for digital-based
 9    safety systems would no event-driven interrupts, no code
10    optimization, and simple software structures.
11              CHAIRMAN UHRIG:  Could you elaborate on that no
12    code optimization?
13              MR. ERIN:  Some of the compilers that can be used
14    have methods of, I'd say, optimizing the code, minimizing
15    the usage, and some of the criteria that's been given back
16    to us from industry is that they operate more reliably if
17    you don't use the optimization features of the compilers.
18              CHAIRMAN UHRIG:  Thank you.
19              MR. ERIN:  Some of the elements that go into the
20    make-up of the system, standard hardware components.  Some
21    of these in the I/O area have been used elsewhere in
22    industrial applications in Siemens products.
23              We have specific systems software that was
24    developed specific for the safety system applications.  And
25    we have an engineering system that provides the interface
.                                                                 5
 1    between the engineer and designing the application.
 2              The engineering system gives us one common tool
 3    that's used for both the specification of the hardware and
 4    the software design, provides automatic code generation, and
 5    our code generators were independently verified and
 6    validated.
 7              The specific systems software is based on a
 8    deterministic operating system, no event-driven interrupts. 
 9    I've put together software libraries that have been verified
10    and used specifically for the safety system applications.
11              DR. POWERS:  Could we come back to this statement
12    you made, event-driven interrupts?  You said there are none?
13              MR. ERIN:  That's correct.
14              DR. POWERS:  I guess I don't understand what that
15    means.
16              MR. ERIN:  It means once we get into our execution
17    cycle for an application, there is nothing external to the
18    system that can cause that execution cycle to be interrupt
19    and not proceed to completion of the cycle.
20              For example, if there was some other event in the
21    plant or in another channel of equipment, it is not
22    permitted to interfere.  You're familiar with the
23    multi-tasking capabilities of your PC that you have at home. 
24    The systems that are used for safety-related applications
25    are designed to preclude any sort of multi-tasking.
.                                                                 6
 1              Once you begin to execute the safety function, you
 2    have to complete that execution cycle to completion without
 3    being interrupted.
 4              DR. POWERS:  I would just comment that, I think I
 5    understand what you're saying here on this particular issue,
 6    but in the documentation, there's a lot of discussion of
 7    system generated interrupts and the question that came to my
 8    mind throughout was the question of how interrupts are
 9    handled between system generated interrupts and external
10    interrupts when they're coincident and how coincident do
11    they have to be to be coincident.
12              MR. ERIN:  There are -- I think what you refer to
13    when you talk about the system generated interrupts, these
14    can be something that results from an internal diagnostic or
15    some failure fault is detected internal to the system.  And
16    because of the recognition of that fault, the system fails
17    to some predetermined state.
18              Those are going to be part of the system design. 
19    I guess the comment about them being coincident is there is
20    not a way or a design path for an external type of event or
21    interrupt to influence our system the way that it's
22    designed.
23              DR. POWERS:  I'm sure you don't mean what you say. 
24    If there's no way for the outside to influence your system,
25    then the system is not very useful.
.                                                                 7
 1              MR. ERIN:  Other than the, of course, the
 2    naturally designed interface between the external sensors
 3    and the input to the system.
 4              DR. POWERS:  And that's what I'm talking about. 
 5    If you get a system signal in or even an internally
 6    generated, the one that comes immediately to mind is a
 7    divide by zero error coming in because of the input to the
 8    system, at the same time you get a system generated input.
 9              At what points do they have to be coincident and
10    how does the system handle it?
11              MR. ERIN:  I'm not sure how to respond to that
12    scenario.
13              DR. POWERS:  Just bear it in mind as you go
14    through the presentation.
15              MR. ERIN:  Okay.
16              DR. POWERS:  I'm sure it will come up again.
17              MR. ERIN:  Okay.  Due to the capabilities of the
18    digital equipment and the design of existing analog systems
19    that we're upgrading, we get into situations where we're
20    able to combine many of the existing systems onto one
21    digital platform.
22              For example, typically, you have separate systems
23    currently in the plants for process protection, your ESFAS,
24    relay protection, sequencer.  These functions, because they
25    share many of the same inputs, can be combined into single
.                                                                 8
 1    platforms using just a few subsystems of the digital
 2    platform and because of this, you end up eliminating many of
 3    the hardware interfaces that exist between the current
 4    systems, because you accept the input signals, do all the
 5    processing in a more centralized location and then have your
 6    interface with the outputs.
 7              This picture is a hierarchical view of the
 8    Teleperm XS system, starting with the field sensors, coming
 9    in through the signal conditioning.  We show that we have
10    typically have four redundant protection channel sets, a
11    monitoring and service interface, an isolation device and
12    gateway to the TXP, which is non-safety applications, and a
13    service unit that is used for the monitoring and service
14    interface.
15              Over here, also, there's a capability for inputs
16    for monitoring and manual controls.
17              This picture may be a little more clear in your
18    handout.  It represents the capabilities of the space
19    engineering system, which is part of the service interface. 
20    This is the engineering system that I mentioned earlier
21    that's used for hardware design, determines module location,
22    cabinet location, the network diagrams, the interfaces
23    between the communication links, the functional diagrams for
24    the system, and provides diagnostics and monitoring.
25              You can actually use this service unit to
.                                                                 9
 1    interrogate the inner workings of the system, follow a
 2    signal through all of its function blocks, look at its
 3    signal values anywhere within the internal functional
 4    diagram.
 5              This whole system is based on a graphical user
 6    interface to build the functional design on the screen.  The
 7    other functions are completed automatically by the design of
 8    the system.
 9              CHAIRMAN UHRIG:  Is there a navigational problem
10    of going from one to the other?  How do you -- what I'm
11    getting at here is, is this a hierarchical system and each
12    one that you have to sort of go down through it?  Can you
13    jump from somewhere low in, say, network diagrams over to
14    somewhere in the lower part of diagnostics and monitoring,
15    or do you have to go to the top of diagnostics and
16    monitoring and go down?
17              MR. ERIN:  I need to defer to someone who knows
18    the answer, and he just nodded yes.  The internal links
19    allow you to go automatically from one screen to the other.
20              MR. WINKLER:  My name is Martin Winkler, with
21    Siemens.  The systems supports, both horizontal and vertical
22    navigation features to go through those diagrams, so the
23    different types of diagrams are connected by those
24    navigation features.
25              CHAIRMAN UHRIG:  Okay.  So you should have no
.                                                                10
 1    problem of going wherever you want to go directly without
 2    having to go through a whole sequence.
 3              MR. ERIN:  Correct.
 4              CHAIRMAN UHRIG:  Like you typically do on a
 5    computer.
 6              MR. ERIN:  This is just a single line
 7    representation of the signal flow through the system.  At
 8    the top, for protection channel set one, you have your data
 9    acquisition block.  It comes into the processing portion of
10    the TXS and down below we have an actuation voting, where
11    two out of four function is completed.
12              Now, the lines that you see toward the redundant
13    channel sets, these represent communications between
14    channels.  It's not a mandatory configuration, but in our
15    typical recommended configuration for the reactor protection
16    system, we'll take the information that's in protection
17    channel set one and share it with protection channel sets
18    two, three and four and it gives you the capability to do
19    the two out of four voting for any parameter four times.
20              It can be done in each of the four redundant
21    channel sets and then it can be done by this voting logic
22    one more time down below just to vote whether or not two of
23    the four channel sets had voted two out of four for a
24    particular function.
25              So it's an extra layer of two out of four voting
.                                                                11
 1    is provided as a capability beyond what you would get in the
 2    analog system.
 3              DR. POWERS:  Is it clear that having an extra
 4    layer of two out of four voting is a good thing?
 5              MR. ERIN:  I think there is an opinion that it's a
 6    good thing.  It gives you some advantages in terms of
 7    operability when you're performing surveillance tasks and
 8    doing maintenance.
 9    One of the protection channel sets can be defeated or shut
10    down for maintenance and you still have the capability of
11    two out of three in the remaining channel sets, where if you
12    wanted to design the application to default the one out of
13    three, you can do that, also.  It's up to the user and there
14    is going to be an interface with the plant-specific tech
15    specs on which way they decide to go.
16              But in my opinion, there's operability advantages
17    from having the extra voting and being able to effectively
18    be in a bypass condition when you perform surveillance tests
19    and when you're doing maintenance.
20              CHAIRMAN UHRIG:  So you can take any one of those
21    sets out of service for maintenance, signals coming from
22    that particular channel.
23              MR. ERIN:  Yes.
24              CHAIRMAN UHRIG:  Could you take two out
25    simultaneously?
.                                                                12
 1              MR. ERIN:  Two redundant channel sets?
 2              CHAIRMAN UHRIG:  Yes.  Or if you had a glitch --
 3    say you had one out for maintenance and you had a glitch, a
 4    transient of some sort in one system, this could handle that
 5    then.
 6              MR. ERIN:  That's the idea of going into bypass. 
 7    If you take one out for maintenance and you stay two out of
 8    three on the remaining three as opposed to going one out of
 9    three, that transient on one of the three remaining systems
10    doesn't trip the plant.
11              CHAIRMAN UHRIG:  Yes.  I thought it was, but I
12    wanted to make sure.
13              MR. ERIN:  Yes.  That's the operability advantage.
14              CHAIRMAN UHRIG:  Okay.  This feeds into then two
15    trains that are virtually independent.
16              MR. ERIN:  Train A, train B, completely
17    independent trains.
18              CHAIRMAN UHRIG:  Even though they're feeding from
19    the common set of signals coming from sets one, two, three
20    and four.
21              MR. ERIN:  These are isolated data links.  So that
22    no fault on one side of the data link can go back and
23    degrade a function on the input side of the data link.
24              What you end up with here, take steam generator
25    level, for example, you have four channels of steam
.                                                                13
 1    generator level.  Say you're looking at your low level
 2    protection.  Instead of having channel one, two, three and
 3    four for a particular steam generator, just spread over the
 4    four redundant sets.
 5              Each one of these redundant channel sets votes two
 6    out of four on the steam generator level.  So you're two out
 7    of four on steam generator level here, here, here and here
 8    and what we're doing with this voter is simply saying did
 9    two of the four redundant channel sets vote at least two out
10    of four low level for steam generator level.
11              In the analog system, no voting would be done
12    until you got down here to the voting portion, to the relay
13    portion of the system, because these protection channel sets
14    would not communicate with each other in the analog system.
15              CHAIRMAN UHRIG:  Is there a way of propagating a
16    problem with one of the four channels there from one to the
17    other?  You're showing the cross links there.  Suppose you
18    had a short in a signal coming into set one or within the
19    protection logic, for instance.
20              MR. ERIN:  The isolation would protect you from
21    any electrical types of faults.  Now, the other thing that
22    we can do and we typically designed it into the application
23    is that we will compare each input versus the other three
24    and if one of the inputs deviates from the other three by
25    some predetermined amount, then it is rejected from being
.                                                                14
 1    processed further through, because it's considered to be a
 2    failed signal.
 3              CHAIRMAN UHRIG:  And this is all sample systems,
 4    so that you -- each sampled set goes through that test.
 5              MR. ERIN:  Correct.
 6              CHAIRMAN UHRIG:  This set might have one signal
 7    thrown out, the next one might be all four would be
 8    satisfactory.
 9              MR. ERIN:  If you were right on the edge, that's a
10    possibility.
11              MR. LEITCH:  Could this system be utilized in an
12    application where there were four trains?
13              MR. ERIN:  It could be.  The system is just basic
14    building blocks and the user can configure and interconnect
15    those building blocks in accordance with whatever his
16    specification or functional design is.
17              Just a little more detail here from the previous
18    figure.  You can see the four redundant channel sets, one,
19    two, three and four.  The independent voters, train A and
20    train B that we talked about.
21              An interface with the main control board
22    enunciator system and the interface with our monitoring and
23    service interface equipment, which connects with the service
24    unit, which is used for the monitoring and the engineering
25    functions associated with the system.
.                                                                15
 1              These are the gateways which allow the conversion
 2    of the digital information in the safety system to be passed
 3    on to the plant bus, the XP plant bus and the TXP operation
 4    and monitoring system.
 5              This picture is a representation of surveillance
 6    tests and combined automatic and user initiated testing
 7    that's provided with the TXS system.
 8              Over on the left-hand side you can see the on-line
 9    monitoring.  This on-line monitoring is done automatically,
10    executed every cycle.  The periodic testing is tests that
11    are not done automatically, but they are initiated by the
12    user.
13              CHAIRMAN UHRIG:  Once they're initiated, are they
14    then automatically carried out?
15              MR. ERIN:  There's a degree of automation in each
16    of these.  For example, the startup self-test when you
17    reboot the system.  There's a sequence of tests that are
18    performed every time on a reboot and, of course, that's
19    automatic.
20              We have the cyclic self-monitoring that's done
21    every cycle, monitoring on the bus communication system. 
22    There are tests that are done, these engineered input checks
23    are called engineered checks because these are designed by
24    the user.  They're part of the application.
25              If you decide to do that check of one redundant
.                                                                16
 1    sensor versus the other three and compare it versus some
 2    delta, that's something that the user can set up.  So we
 3    call it an engineered check.
 4              There's a capability to check the relay output
 5    signals.  We have check-backs built in that's automated into
 6    the design.
 7              And there's automatic cabinet and sub-rack
 8    monitoring, things like power available to the sub-racks,
 9    cabinet door open alarms, all these types of things are part
10    of the on-line monitoring.
11              Over on the periodic testing, there is a startup
12    self-test that would be done periodically when you reboot
13    the processor subsystems.  There is an input test that could
14    be initiated by the user.  It's like a traditional test you
15    would do on an analog system, disconnect the sensor, inject
16    the signal, follow the signal, check the calibration
17    accuracy of your equipment.
18              Output tests are available both go and non-go,
19    where you can actuate the interface or choose not to actuate
20    it if it's one that you would not want to actuate in the
21    plant, and we have the capability for response time test.
22              MR. LEITCH:  When you say disconnect the signal, I
23    assume the system is built in such a way that that does not
24    involve any actual lifting of leads or --
25              MR. ERIN:  Correct.
.                                                                17
 1              MR. LEITCH:  That the system is built to
 2    facilitate this.  There's no jumpers, no lifted leads.
 3              MR. ERIN:  No jumpers, no lifted leads.  We have a
 4    portable test machine that facilitates the test and we're
 5    able to automatically disengage the sensor from the system
 6    and inject our test signal.
 7              CHAIRMAN UHRIG:  Is your test signal digital or
 8    analog?  Does it go through the A-to-D converter?
 9              MR. ERIN:  Yes, it does.  It's an analog input.
10              CHAIRMAN UHRIG:  It checks the converter then.
11              MR. ERIN:  We need to do that to check the
12    calibration accuracy of the front-end portion of the
13    equipment.
14              This is a picture of a typical Teleperm XS rack
15    and subsystem.  These are the ones that have been used in
16    applications in Europe.
17              Up at the top of the cabinet here, you see the
18    microprocessor subsystem, our processing boards,
19    communication processors.
20              Some of the I/O devices are shown down here at the
21    bottom.  The interfaces for communication data links are
22    over on the left-hand side.  This is just a little larger
23    picture of the subsystem over here on the left-hand side. 
24    Just to give you an idea physically of what the equipment
25    looks like.
.                                                                18
 1              CHAIRMAN UHRIG:  What are the dimensions, standard
 2    rack width?
 3              MR. ERIN:  Nineteen inch racks.
 4              CHAIRMAN UHRIG:  Does this whole system fit in one
 5    rack, several racks?
 6              MR. ERIN:  It depends on the amount of I/O in the
 7    application, but what we have seen in typical applications
 8    is that we're able to reduce the amount of cabinet space
 9    that was required for the analog system.  There's a space
10    efficiency that's gained by going to the digital equipment.
11              CHAIRMAN UHRIG:  On a backfit, you would have
12    plenty of room.
13              MR. ERIN:  Yes.  We end up having some of the
14    cabinets that previously had analog equipment in them become
15    spares on the backfits.
16              And these are just some pictures of the various
17    boards, TXS processing module, communication, digital output
18    module, and the analog input module, where the A-to-D
19    conversion is done.
20              CHAIRMAN UHRIG:  What accuracy on the A-to-D
21    conversion, 16-bit or 12-bit?
22              MR. ERIN:  It's 12-bit.
23              CHAIRMAN UHRIG:  A tenth of a percent.  No.  It's
24    better than that.
25              MR. ERIN:  A little higher.  This was just a
.                                                                19
 1    summary of some of the features we had just talked about. 
 2    They're in the handout.  I don't think I'll read them to
 3    you.
 4              The next portion of the presentation was a
 5    discussion --
 6              MR. LEITCH:  I have a couple of general questions. 
 7    Maybe this is going to be covered later, but what are the
 8    typical customers for this type of a system now?  In other
 9    words, is this an existing nuclear plant that wants to
10    retrofit with this kind of equipment or is this being
11    proposed for brand new plants or how does that work?
12              MR. ERIN:  Depending on the region of the world
13    where we're working.  In China, for example, we're
14    installing this equipment in two completely new Russian
15    designed plants, where we're providing the I&C with the
16    Siemens Teleperm platforms.
17              In the United States, the current market is
18    completely retrofit.  We have a lot of customers that have
19    equipment that's 15-20 years old, many of them are currently
20    going for life extension, and they're looking to modernize
21    the I&C systems for a variety of reasons, spare parts and
22    maintenance being one of the big ones.
23              And we're taking this equipment and retrofitting
24    it into the existing cabinets and removing the analog
25    equipment.
.                                                                20
 1              MR. LEITCH:  Is that retrofit then an all or
 2    nothing situation or can one have this platform, if that's
 3    the right term, and partially retrofit?
 4              MR. ERIN:  It's always going to be done piecemeal,
 5    just because of the shear logistics of the amount of time
 6    that it takes to remove an existing system and install a new
 7    one compared to the typical outage time that's available.
 8              So we look for ways where it makes sense to
 9    combine certain systems to replace at particular outages and
10    then the next outage you move to the next group of systems
11    that make sense.  So it's always done in a piecemeal type of
12    way.
13              MR. LEITCH:  But the basic Teleperm system, as I
14    understand it, would be installed once and then at
15    subsequent outages you could retrofit certain portions or
16    certain systems.
17              MR. ERIN:  On the safety side, typically, it's
18    done a couple systems at a time and these can be interfacing
19    types of systems.  For example, you would almost always want
20    to take your process protection where you acquire your
21    temperatures, pressures, flows and levels, the process side,
22    and interface with the loading.  You take those signals, you
23    read them, you go through by stables where you compare them
24    to their set points and then you do the two out of four
25    voting.
.                                                                21
 1              In the current plants, the process portion and the
 2    voting portion are almost always different equipment types,
 3    but you would want to combine those and replace them during
 4    the same outage if you're going to a digital system because
 5    it makes sense due to the information that's already
 6    available as inputs to the system.
 7              But you might have a stand-alone system, like a
 8    diesel generator load sequencer, that's independent of the
 9    process protection and that could be done on a stand-alone
10    basis or at a different outage, if someone chooses to
11    upgrade that system.
12              MR. LEITCH:  And would the main motivation be
13    obsolescence of existing equipment or is there a reliability
14    improvement perceived with this system?
15              MR. ERIN:  I believe there's always reliability
16    improvements with the digital platforms that are available
17    today.  But it doesn't seem to be the motivation.  The
18    utility motivation seems to be obsolescence issues,
19    maintenance issues, cost of spare parts and in addressing
20    those problems, if they're able to improve reliability and
21    operability, then those are benefits that also come along
22    with the upgrade.
23              Occasionally you might have a troublesome system
24    that you want to upgrade because it's causing you so many
25    maintenance problems or maybe even occasionally causes a
.                                                                22
 1    plant to trip and that would be a good reason for targeting
 2    that system at the very front part of your upgrade schedule.
 3              MR. SIEBER:  How sensitive is your system to
 4    disturbances in input power?  For example, both A/C and D/C
 5    buses in a power plant are very noisy, with circuit breakers
 6    closing and loads starting up and inductive devices doing
 7    their thing.
 8              MR. ERIN:  There's requirements that are very
 9    specific for EMI/RFI and surge protection and as I go
10    through the NRC review, I will make reference to some of the
11    standards that were used regarding acceptance criteria in
12    that area.
13              MR. SIEBER:  Does your equipment do the power
14    conditioning or is that something that the owner has to
15    apply when he installs your equipment?
16              MR. ERIN:  We accept 118 volts A/C that has gone
17    somewhat through the owner's power system.  It's coming from
18    a Class 1E inverter.  The input signal that we see.
19              MR. SIEBER:  I ask that question because I've had
20    a couple of ugly experiences with digital systems on D/C
21    buses where the opening and closing of contactors put surges
22    in the line and would reset the CPUs, and it was bad news.
23              MR. ERIN:  This figure represents some of the
24    criteria that were looked at as part of our generic
25    qualification of the system and also provides some
.                                                                23
 1    separation between elements that were looked at generically
 2    and things that still remained to be looked at on a
 3    plant-specific application basis.
 4              As part of the generic qualification, we just
 5    mentioned EMI/RFI and surge withstand qualification to
 6    environmental conditions and environment, seismic
 7    conditions, depending on the plant and the floor responses
 8    and rack responses.  We need to satisfy a seismic
 9    qualification criteria.
10              There is a generic verification/validation of our
11    system software design, no engineering tools that are used
12    by the user for the system.  Diversity and defense-in-depth
13    methodology is one of the items that was looked at on a
14    generic basis.
15              As you get into the particular application with
16    any specific utility, they're going to have specific design
17    requirements, functional requirements, that have got to be
18    implemented and verified for that application.  There is
19    going to be a plant-specific diversity and defense-in-depth
20    assessment that's going to be specific to their particular
21    I&C configuration.  It's going to be specific to their
22    particular Chapter 15 accident analysis.
23              And there are going to be validation tests that
24    have to be performed on a plant-specific basis in order to
25    validate that the equipment has been designed properly and
.                                                                24
 1    the application has been installed properly on the digital
 2    equipment.
 3              As part of our review process with the NRC staff,
 4    I guess I will mention that this was one of the first major
 5    applications that's been reviewed since the new standard
 6    review plan, and I believe the ACRS had some input to.
 7              There were a variety of documents that we
 8    submitted to the staff in order to support our system. 
 9    There was a topical report that was done.  It was a general
10    topical report which described the system, described the
11    system hardware, the software design, compliance with key
12    criteria.
13              In addition to that, there were a number of other
14    reports that were submitted along the way.
15              We had a specific report to discuss all the
16    periodic surveillance test capabilities of the TXS system. 
17    There was a report for the shielding and grounding
18    guidelines for application of the Teleperm XS.
19              CHAIRMAN UHRIG:  Now, these three reports have
20    been submitted and have been approved by the NRC, correct?
21              MR. ERIN:  They were all reviewed and discussed in
22    the safety evaluation.
23              CHAIRMAN UHRIG:  So that a vendor -- I mean, a
24    utility now could come in with an application to install
25    this equipment and make reference to these reports.
.                                                                25
 1              MR. ERIN:  Sure.  That was the idea of submitting
 2    reports up front, having a generic review, and then for a
 3    plant specific application, the utility makes reference to
 4    the generic reports and addresses the plant specific open
 5    items that were discussed in the staff safety evaluation.
 6              CHAIRMAN UHRIG:  These are the three main ones. 
 7    Are there any others?
 8              MR. ERIN:  We've got a few more here.
 9              CHAIRMAN UHRIG:  Okay.
10              MR. ERIN:  We had a couple on diversity and
11    defense-in-depth.  One was a methodology to show how we
12    would recommend going about being consistent with Branch
13    Technical Position 19 and NUREG-6303, which was discussed in
14    BTP-19.
15    And we also did a typical application of our methodology to
16    show how, for a typical plant, using our methodology and our
17    recommended architecture, we would end up addressing
18    diversity and defense-in-depth and how we would segregate
19    our various systems.
20              This is just a summary of the systems that can be
21    upgraded using the TXS, your typical plant safety systems,
22    process protection, logic voters, ESFAS, diesel generator
23    load sequencers, safety-related BLP functions and Class 1E
24    controls would be the target systems.
25              CHAIRMAN UHRIG:  Typical installation by a utility
.                                                                26
 1    would involve all of these or would it be one or two or what
 2    has been your experience so far?  What do you anticipate?
 3              MR. ERIN:  We've seen customer interest and
 4    proposals ranging from any one of these systems to utilities
 5    that have a vision that they want to replace all of these
 6    systems in some sort of phased approach.
 7              It's really been a combination of all of the
 8    above.
 9              CHAIRMAN UHRIG:  So that you could install just
10    one of these, make reference to the appropriate documents
11    that you just listed.
12              MR. ERIN:  Sure.
13              CHAIRMAN UHRIG:  And submit it to the NRC and
14    address the open items.
15              MR. ERIN:  Yes.  And further generic aspects of
16    the equipment qualification, the system software design, the
17    verification and validation that was done on the platform. 
18    It doesn't matter what the application is.  So those generic
19    things, I think the NRC safety evaluation addresses very
20    well and the items that would be plant-specific open items
21    were also identified in the safety evaluation by the staff.
22              CHAIRMAN UHRIG:  Now, each one of these modules
23    here has its own microprocessor system and its own
24    programming, so that you don't in any way tie those
25    together.
.                                                                27
 1              MR. ERIN:  Typically, that's correct.  The ESFAS
 2    and the process protection sometimes are intermingled,
 3    because some of the functions that are in process protection
 4    are also in the front-end for ESFAS.  So you get some
 5    intermingling in that area.
 6              And that is one of the things that is looked at
 7    when you do the diversity and defense-in-depth evaluation. 
 8    You break your system into like blocks, you postulate
 9    potential common cause failures of those like blocks, and
10    you make sure that you have adequate protection remaining
11    for the plant.
12              CHAIRMAN UHRIG:  Do you use your own
13    microprocessors or do you use --
14              MR. ERIN:  Siemens, we use our own.
15              CHAIRMAN UHRIG:  You use your own.
16              MR. ERIN:  Yes.  The design of our microprocessor
17    boards, we go back to Intel for some of our chips.  But the
18    microprocessor boards are Siemens' design.
19              CHAIRMAN UHRIG:  Like the Intel is something like
20    Pentium?
21              MR. ERIN:  486's, Pentiums, we've used various
22    Intel processors.
23              MR. SIEBER:  The diesel generator load sequencer,
24    that's a stand-alone device, is it not?  Generally powered
25    by D/C.
.                                                                28
 1              MR. ERIN:  I'm not certain.
 2              MR. SIEBER:  Well, if you have a station blackout,
 3    that's all that's left.
 4              MR. ERIN:  Okay.
 5              MR. SIEBER:  Getting back to my other question,
 6    this is where all the spikes come from.  Is that tested so
 7    that a spike on a D/C bus won't reset the load sequencer and
 8    prevent the diesel from loading?
 9              MR. ERIN:  Any of our input power signal
10    conditioning would have to undergo surge withstand testing. 
11    That's a requirement for any safety-related system.
12              In the area of equipment qualification, I wanted
13    to mention briefly the approach that was used.  We were
14    looking for some industry document that had the best
15    collection of requirements and acceptance criteria in this
16    area and the one that we used, and was also used by the
17    staff during the review, was EPRI Topical Report 107-330.
18              It was a generic requirement specification for
19    commercially available PLCs that was written over the last
20    couple of years.
21              It was a very good benchmark document because
22    there was a broad range of industry representation on the
23    group that wrote the requirements document, including staff
24    representation, and then through EPRI, they submitted that
25    topical report to the staff for review and safety
.                                                                29
 1    evaluation.
 2              So it became what I will say is a very good
 3    benchmark and very good precedence for the current
 4    requirements in the area.
 5              We had prepared a report and submitted it to the
 6    staff, TR-114-017, which compared all of our system design
 7    and qualification items versus the EPRI requirements.
 8              So once we had a benchmark established, we then
 9    prepared a matrix showing exactly where we stood versus all
10    the EPRI requirements and that was part of the review
11    process.
12              CHAIRMAN UHRIG:  Now, this is for PLCs.  But
13    you're using microchips.
14              MR. ERIN:  The PLCs really are very close to a
15    distributed processing system.  And the requirements for a
16    digital PLC and a distributed processing system are very
17    much the same.
18              CHAIRMAN UHRIG:  Physically they are, the
19    difference being one is better logic or some hard
20    programming versus the software.
21              MR. ERIN:  Typically designed maybe for more
22    stand-alone applications, smaller applications, but PLCs in
23    recent years have become very powerful and some of the more
24    state-of-the-art PLCs can do most of the things that a
25    distributed system would do.
.                                                                30
 1              Some of the criteria that was used by the staff
 2    during the review for which we responded to.  Of course,
 3    NUREG-0800, revision of the standard review plan, Section 7
 4    on I&C provided a lot of guidance, a lot of details.  Branch
 5    Technical Position HICB-8 is guidance for application of Reg
 6    Guide 1.22, discussed some of the requirements for periodic
 7    surveillance testing.  HICB-14 was one of the new ones that
 8    was in the rewrite of the standard review plan guidance on
 9    software reviews for digital computer-based systems, was
10    used throughout the review.
11              HICB-17 provided guidance on self-test and
12    surveillance test provisions.  Again, that was one of the
13    new branch technical positions that was written for digital
14    systems.
15              HICB-19, I mentioned a little earlier, provided
16    the guidance for evaluation of diversity and
17    defense-in-depth; also references NUREG-6303, which was
18    used.
19              The EPRI document I talked about a little earlier
20    provided a benchmark for qualificational requirements.  And
21    in the area of EMI/RFI and surge withstand, EPRI-107-330
22    refers to EPRI TR-102-323, which was the document which gave
23    the results of all the surveys that were done by the EPRI
24    group to try and come up with enveloping environments of EMI
25    and RFI for the nuclear power plants.
.                                                                31
 1              CHAIRMAN UHRIG:  What about things like smoke,
 2    fire resistance?  Is there any testing as far as smoke is
 3    concerned, any attempt to address that?
 4              MR. ERIN:  I don't recall a specific NRC criteria
 5    for smoke resistance.  We don't run any special test for
 6    smoke.  I think there are some guidelines for using fire
 7    retardant materials as you design your system, but the
 8    specific test of the equipment for smoke is not done.
 9              CHAIRMAN UHRIG:  The concern here is the arc-over
10    associated with ionization brought on by the smoke in this
11    type of thing.  I guess that's still a research area.
12              MR. ERIN:  I don't know.  If you have a control
13    room fire, there may be some other actions that are
14    necessitated prior to worrying about the equipment. You
15    probably be in some sort of administrative action to shut
16    down anyhow.
17              MR. SIEBER:  Have you done any aging tests of your
18    equipment to see how long it will function properly?
19              MR. ERIN:  There's a sequence of testing that is
20    done to address aging.  The environmental test, for example,
21    are done prior to seismic tests.  EMI/RFI tests are done. 
22    We perform what I will say are thousand hour tests as part
23    of our type testing and in addition to what I'll say are the
24    sequence of testing, aging is also addressed through
25    periodic test process.  We establish periodic test intervals
.                                                                32
 1    that are effective to catch failures and make sure the
 2    equipment is still reliable.
 3              We don't, for example, if you're asking if we take
 4    equipment and test it for five or ten years, that type of
 5    long-term aging, that's not done for the equipment.
 6              Some of the plant specific interfaces that remain
 7    that you might be interested in.  I showed before on a
 8    pyramid that each plant is going to have a plant specific
 9    diversity and defense-in-depth assessment.  There will be a
10    safety analysis confirmation for accuracy and time response,
11    technical specification confirmation, depending on how you
12    want to use these capabilities for bypass during test and
13    maintenance that affects your plant tech specs.
14              We need to make sure that the plant specific
15    environment has been enveloped by EPRI-107-330 and 102-323. 
16    I haven't seen any cases where they're not.
17              There's plant specific enunciator and status light
18    arrangements and plant specific configuration management
19    procedures once they accept the new equipment.
20              And the conclusion, which came out of our safety
21    evaluation we received from the staff, it was based on the
22    information provided and review conducted.
23              The staff concluded that the design of the TXS
24    system was acceptable for safety-related I&C applications
25    and meets the relevant regulatory requirements.
.                                                                33
 1              DR. POWERS:  I think I read that you tested the
 2    material for -- the system for seismic concerns.
 3              MR. ERIN:  Yes.
 4              DR. POWERS:  And in that test, you operated in a
 5    system that vibrated it at right at frequencies for one
 6    minute.
 7              MR. ERIN:  I'm not certain about the one minute,
 8    but there's IEEE-344 guidelines for the OBEs and the SSEs.
 9              DR. POWERS:  A relatively short period of time. 
10    Have you also considered how it would perform during a plant
11    blow-down and the associated and very long-term vibrations
12    of the system during blow-down?
13              MR. ERIN:  We haven't done anything beyond the
14    requirements in IEEE-344.
15              DR. POWERS:  Would you imagine that there might be
16    some challenges there?
17              MR. ERIN:  Something I hadn't considered.
18              DR. POWERS:  I guess what I'm asking is in this
19    relatively short seismic test, which presumably the system
20    passed with flying colors, was there any indication that had
21    it gone on for an hour, like a blow-down might, would the --
22    that it might not have passed?
23              MR. ERIN:  I can tell you, just based on our
24    experience, we used the same test specimen for many, many
25    different seismic tests, to the point where we stressed that
.                                                                34
 1    equipment, I would say, in four or five different seismic
 2    test programs without causing any failures in that equipment
 3    due to fatigue.
 4              I would say, just based on that experience, I
 5    would feel like, from a structural mechanical standpoint,
 6    we're pretty robust.
 7              DR. POWERS:  That's what I was looking for.
 8              MR. ERIN:  I have a few minutes left.  The last
 9    section I have just provides some information on references
10    where the Teleperm XS has actually been used.
11              These sheets provide references for both our
12    Teleperm XS and our Teleperm XP platforms.  Over on the
13    right-hand side, we show columns one for TXP and one for
14    TXS.
15              The ones that are currently in operation in
16    nuclear power plants have check marks over on the right-hand
17    side.     We talked a little bit right at the very beginning
18    of the presentation, some of the US applications that are
19    planned, both the Callaway and Comanche Peak plants plan to
20    use both Teleperm XS and Teleperm XP for comprehensive I&C
21    upgrades and these are just beginning.  We entered into a
22    contract with Callaway in the spring and with Comanche Peak
23    just a couple of months ago.
24              Some of the applications in Europe for TXS are for
25    reactor control limitation systems.  I show some other ones
.                                                                35
 1    here.  Reactor protection system, neutron flux measurement
 2    at the Paks power plant in Hungary.  That's a four-unit
 3    application.
 4              Bohunice is a reactor protection and limitation
 5    system.  A few more on this sheet.  Beznau is a reactor
 6    protection system upgrade and NSSS control system upgrade in
 7    Switzerland that has recently been installed and the one I
 8    mentioned in China is Tianwan, there are two brand new
 9    nuclear power plants, Russian designed plants, and Teleperm
10    XS and XP is being used for the complete I&C, both safety
11    and non-safety.
12              CHAIRMAN UHRIG:  Are those VVER?
13              MR. ERIN:  Yes, VVR-1000.
14              CHAIRMAN UHRIG:  The neutron flux measurement
15    system, is this the complete system or is it just you, for
16    instance, put in the self-power detectors or is that part of
17    the system that you just attach on and take the signals from
18    there?
19              MR. ERIN:  I'll defer.  Do you know, Mark?
20              MR. WINKLER:  We are talking about the Teleperm XS
21    application and the Teleperm XS, of course, has to receive
22    the analog signals somehow from the nuclear detectors.
23              So there are different possibilities.  Either you
24    maintain the existing analog portion, which provides voltage
25    level signals, or we also have a different product line
.                                                                36
 1    capabilities to directly get the information from the
 2    nuclear detectors.
 3              CHAIRMAN UHRIG:  But you don't provide the
 4    detector, the whole system.
 5              MR. WINKLER:  Siemens also provides detectors.
 6              CHAIRMAN UHRIG:  It does.  So you could, for
 7    instance, put in a whole monitoring system.
 8              MR. WINKLER:  Siemens has the capabilities, yes,
 9    to provide that.
10              CHAIRMAN UHRIG:  Are you finished?
11              MR. ERIN:  Yes.  That's all I had prepared.  Are
12    there any questions from the committee members?
13              DR. POWERS:  I wonder if I could just ask some
14    questions for personal information, because I don't
15    understand, and it's on this signal on-line validation using
16    the second minimum principal, second maximum principal.  I
17    guess my question is you're avoiding using the first minimum
18    and the first maximum because you think they may not be
19    correct.  And why do you think the second is correct?
20              MR. ERIN:  One of the reasons could be that you
21    don't think the first is correct, the -- what we're really
22    accomplishing by using that second minimum or second maximum
23    is it's another way of performing a two out of four voting.
24              If you're, say, for example, looking at steam
25    generator low level protection and if you operate your
.                                                                37
 1    comparitor based on the second minimum and you have all four
 2    signals represented and your function is off the second
 3    minimum, it gives you the same functional effect as a two
 4    out of four vote, and that's really how it is used in each
 5    of the four channel sets.
 6              You would use the second max, if it's a trip on
 7    high function.
 8              DR. POWERS:  Thank you.
 9              MR. LEITCH:  With these European plants, where the
10    system is in operation, have you had significant startup
11    problems resulting in, say, reactor trips or other
12    misoperations before you --
13              MR. ERIN:  No, we haven't, and one thing that I
14    meant to point out and didn't is in all the operating
15    experience that we have in Europe, we've never experienced a
16    software failure in the field.
17              So the experience has been very good.  The
18    reliability of the hardware components in actual operation
19    has exceeded our design calculations that we expected for
20    reliability, also.  So we are very pleased with the
21    experience that we've had to date.
22              MR. LEITCH:  Can you say a word or is it beyond
23    the scope of what you do, that is, the training of utility
24    personnel.  In other words, I'm a little -- what concerns me
25    is you put in this system and it works fine and you lock up
.                                                                38
 1    the door and leave.  Is there anybody in the power plant
 2    that really understands the operation of this system?
 3              Do you do some training of I&C techs?
 4              MR. ERIN:  We do a lot of training of both
 5    technician and engineering personnel on the application of
 6    the system and as part of that training, they also come to
 7    understand the design fairly well, also.
 8              But certainly the utility people become very
 9    experienced and very proficient with the capabilities and
10    the application of the equipment.
11              MR. LEITCH:  Are there protections against I&C
12    personnel interfering with or somehow, say, changing the
13    software inadvertently?
14              MR. ERIN:  There's certainly levels of password
15    protection that are used for various personnel that have
16    various authorization privileges.  There's key lock
17    switches; of course, there's administrative controls,
18    there's door open alarms.  There is a sequence of
19    protections that would have to be violated for an
20    unauthorized person to somehow access and change the
21    software.
22              MR. LEITCH:  My concern is that we're very
23    concerned in licensed reactor operators.  Yet, I think in
24    some cases, we're putting in the hands of I&C techs
25    capabilities or decision-making that could be as significant
.                                                                39
 1    or more significant than the licensed operator.
 2              MR. ERIN:  In the analog world, you have
 3    technicians going in and adjustment the potentiometer with a
 4    screwdriver.  In the digital world, he's in installing a
 5    piece of software or digitally entering a data value for a
 6    set point.  But ultimately it comes down to training and
 7    administrative controls, procedures and documentation.
 8              CHAIRMAN UHRIG:  I've been groping for the
 9    significance of the small triangles on your chart.
10              MR. ERIN:  I think the purpose was just to
11    identify some of the more significant or larger TXS
12    applications, since TXS was the topic for today's
13    discussion.
14              CHAIRMAN UHRIG:  Okay.  Are there any comments
15    from the staff?
16              MR. CALVO:  I think Erin has done a good job.  Al
17    I can tell you is that some of the questions you had asked
18    we had done.  We had asked those questions.  I think you
19    cannot miss something he says about how can you prevent the
20    operator from -- an I&C technician.  They have a lot of
21    memories in this computer and protected memory.  Nobody can
22    guess in there and you've got a special way to to do it.
23              Also, they've got addressable -- for fuel burn-up
24    and things like this.  Those are limited.  So if you make a
25    mistake, you catch it.  Also, you only can mess with one
.                                                                40
 1    channel at the same time.  On top of all this, you still
 2    introduce the potential for common mode failure.  That will
 3    be the focus also in defense-in-depth.  What else do you
 4    have in case that potential is cascaded to all four
 5    channels.  So we asked all these kind of things.
 6              CHAIRMAN UHRIG:  Thank you.  If there are no
 7    further questions, thank you very much, Larry.
 8              MR. ERIN:  Thank you.
 9              CHAIRMAN UHRIG:  And we will move on to the second
10    system, which is Westinghouse's ABB/CE system, and Ken.
11              MR. SCAROLA:  I need a moment to set up.
12              MR. SINGH:  Can we take a break for five minutes?
13              CHAIRMAN UHRIG:  Why don't we take a five-minute
14    break while he sets up.
15              [Recess.]
16              CHAIRMAN UHRIG:  We'll come back into session. 
17    This is Ken Scarola who will give the presentation.
18              MR. SCAROLA:  Good morning, gentlemen.  Thank you
19    very much for letting us have this opportunity to talk about
20    Common Q, the Westinghouse Nuclear Automation Common
21    Qualified Platform.
22              As Mr. Uhrig said, my name is Ken Scarola and I am
23    from Westinghouse Nuclear Automation.  Before I get into the
24    presentation, I would also like to introduce some of the
25    other key players that are here with us.  Our Licensing
.                                                                41
 1    Manager, Denny Popp; our Manager of Protection Systems, Mark
 2    Stofko; we have our lead engineer for hardware
 3    qualification, and that's Marty Ryan; and our lead engineer
 4    here for software qualification, and that's Warren
 5    Odess-Gillett.
 6              So these are the people that will be answering the
 7    tough questions.  I'll be answering the easy ones.
 8              Since the last time I was here several years ago,
 9    we were just, at that time, ABB, things have happened, I
10    think many of you know that Westinghouse has now acquired
11    the nuclear facilities of ABB, the nuclear assets, and now
12    we are long large I&C organization.
13              These yellow boxes represent the old ABB locations
14    and down at the bottom, the original Westinghouse locations. 
15    So this is effectively now Westinghouse Nuclear Automation.
16              I thought it was important that I first really
17    give you that perspective, since there are a lot of changes
18    going on.
19              Now we will talk about the common qualified
20    platform and I first wanted to go through what our overall
21    program objective was for this.
22              We were looking to qualify an I&C platform for
23    safety for what we call safety critical Class 1E
24    applications and we were really looking at a building block
25    approach that would allow us to build very simple safety
.                                                                42
 1    systems, such severe accidents things like diesel sequencers
 2    that are relatively simple; in fact, reactor protection
 3    systems that are relatively simple.
 4              But then, also, much more complex systems, like
 5    core protection calculators for CE plants, Combustion
 6    Engineering plants, and things like post-accident monitoring
 7    systems that have fairly sophisticated data reduction
 8    algorithms for things like core temperature monitoring.
 9              So the intent was a building block approach that
10    would handle very simple systems and also fairly complex
11    safety critical applications.
12              And then we also recognized that the strategy that
13    many utilities would have would vary from system by system
14    replacements to full plant-wide upgrades and we had to
15    realize an approach that would really accommodate both ends
16    of the spectrum.  So that was our goal.
17              We also discussed this with many of our own
18    customers.  We listened to them and, in fact, this whole
19    program was partially funded by the CE Owners Group, and
20    these were the major messages that they gave us.
21              One is they wanted us to use industrially proven
22    products.  They didn't want something new for the nuclear
23    industry.  They wanted something that had a long history of
24    successful operation, and nobody wants to be first.
25              They wanted maximum standardization.  It's best
.                                                                43
 1    for them if they can use the same widget everywhere, but
 2    there is also a recognition that dealing with common mode
 3    failure somewhat goes against this idea of standardization,
 4    so there is this issue of dealing with diversity.  Very
 5    important recognition.
 6              In any modernization effort, when you're doing
 7    things that the industry has not done before, there is
 8    always licensing risks, so they want a product that was
 9    fully pre-licensed.
10              Also, when you look at modern digital systems, one
11    of the major expectations is that you will improve the
12    reliability with less manual effort, with less frequent
13    periodic surveillance.
14              So therefore, they wanted really to see that the
15    NRC was going to accept that, that we were, in fact, going
16    to get some relief on manual surveillance testing, and still
17    achieve very high reliable systems.
18              And then lastly, a very significant concern of
19    many utilities is they wanted to make sure that this year's
20    solution is not next year's obsolescence problem.  I think
21    many of you who have desktop computers know that this
22    technology moves at the speed of light and we really have to
23    be conscious of this issue.
24    What we really are looking at here is a snapshot in time of
25    a product, and all of these products have ongoing life
.                                                                44
 1    cycles, and dealing with that life cycle management was a
 2    very critical issue.
 3              This chart depicts our licensing strategy,
 4    essentially the basis of the Westinghouse topical report. 
 5    It builds on a foundation of the qualification of the
 6    product building blocks, the basic elements of the design
 7    and I will talk about those in a few minutes.
 8              It also, in this foundation, builds on the methods
 9    that are used to build the applications software.  I think
10    everybody realizes what we're talking about here is a
11    product that comes with some base software, but it really
12    doesn't do reactor protection systems until you do a lot
13    more with the application level.
14              So the NRC has reviewed this fundamental piece and
15    this is a subject of the safety evaluation report.  Then on
16    top of that, we talk about what we call generic applications
17    and we have submitted to the staff and the staff has
18    reviewed the application of these building blocks to systems
19    such as the reactor protection system, engineered safety
20    feature actuations, core protection calculators,
21    post-accident monitoring.
22              This, again, was all the subject of our topical
23    report, because we felt that it was important not only to
24    see the product, but how it will be used in various
25    applications.
.                                                                45
 1              CHAIRMAN UHRIG:  Is this core protection
 2    calculator essentially the same one that's installed in a
 3    number of units or is this an upgraded system?
 4              MR. SCAROLA:  Functionally identical to what's
 5    installed in operating units, but now on this new platform.
 6              Then these really represent stand-alone system
 7    applications, but we all recognize that where utilities were
 8    heading is plant-wide modernization.  And when you start
 9    doing a plant-wide modernization, you have to look at how
10    you integrate all these together, because really the main
11    efficiency that comes through digital systems is when you
12    can start sharing functions, such as sharing maintenance
13    panels, sharing the data communication buses.
14              So instead of looking at each one of these as a
15    stand-alone application, in this appendix, for the topical,
16    we looked at the integrated solution, how they all fit
17    together and how we share these services and how that
18    sharing does not compromise the functionality or the
19    performance.
20              CHAIRMAN UHRIG:  That's what I was going to ask,
21    is that a two-edged sword, so to speak, when you try to
22    combine them.
23              MR. SCAROLA:  It can be.  If it's not done
24    correctly, it certainly can be.
25              CHAIRMAN UHRIG:  Common mode failure.
.                                                                46
 1              MR. SCAROLA:  You can introduce all kinds of
 2    problems when you do that and, therefore, we felt it was
 3    very important that we present to the staff our method of
 4    doing it and they review that we have sufficiently addressed
 5    all those issues.
 6              So these three tiers of this pyramid have all been
 7    addressed in this topical report and it's what we call the
 8    CE Owners Group/EPRI, because there was also some funding in
 9    this from EPRI, phase two.
10              We are now through this, we feel we have set the
11    foundation for future licensing submittals that may address
12    new generic new generic applications; for example, though
13    here you don't see the diesel load sequencer, as a standard
14    application, so we would expect that maybe in the future
15    that would be at this tier.
16              And then, also, we know that every utility has
17    very specific things in their plants and we feel that
18    through this, we have now established the framework of what
19    the NRC is expecting to see for a new application.
20              So we were really hoping that through this
21    program, we would not only license a product, but also
22    establish a process for the application of this product.
23              That's really where we are now.
24              Now, we are moving into what we call phase three
25    of these Common Q program.  We are now in phase three and
.                                                                47
 1    what you will see is phase three has a new building block
 2    that we call the flat panel display.
 3              Now, this was addressed in phase two.  It is in
 4    the SER, but we didn't really finish all of the effort, and,
 5    therefore, this is an open issue in the existing SER, and we
 6    hope to close it out shortly.
 7              What I wanted to do was just give you a little bit
 8    of a timeline here to give you a feel for when we started
 9    and when we actually finished.  Our first submittal was in
10    March of 1999 on this topical, but the initial discussions
11    we had with the staff go back to May of 1998, where we first
12    came in and we said this is what we're thinking about, does
13    this make sense to everyone.
14              And then it took us a while for us to get our act
15    together and write some documentation and then our first
16    submittal was in March of '99.
17              All of these submittals address the basic building
18    blocks, as well as specific applications, such as the
19    integrated solution, the RPS, et cetera.
20              Now, we also said to the staff very early on in
21    the program this is what we want to get out of this.  These
22    are our expectations, are these lining up with what you
23    think we contract get, because that's very important. 
24    Sometimes we go through these things and find out that we
25    don't really line up.
.                                                                48
 1              So then in August, the staff issued their safety
 2    evaluation report in August of this year.  So this has been
 3    a substantial effort from a number of people on both sides
 4    working very hard to get to the end.
 5              CHAIRMAN UHRIG:  Just for point of clarification. 
 6    This basically -- the genesis of this system is the ABB/CE
 7    system, not the Sizewell B.
 8              MR. SCAROLA:  Right.  This is from the ABB side of
 9    the business, and I will be going through the building
10    blocks, so you see that.
11              The topical report format had a main body of the
12    document where we described the basic building blocks and we
13    addressed what we felt were the key standard review plan
14    issues, things like hardware and software qualification,
15    configuration management, the application development tools,
16    and, of course, 3D, diversity and defense-in-depth.
17              And then in addition, in the topical, we had
18    appendices for each one of these significant applications.
19              I will start by going through the building blocks. 
20    The heart of this Common Q system is the ABB Advant
21    controller, the AC-160.  So this really gets back to your
22    question, this is really from the ABB product line.
23              Now, this is not a new product or a specific
24    product for nuclear applications.  This is a product that
25    ABB has been applying our fossil business unit since 1997
.                                                                49
 1    and this is actually a second generation product from
 2    something that we called the AC-110, that was introduced in
 3    1993.
 4              So there's a long, very long history of industrial
 5    application.  The product is used today in boiler protection
 6    systems and also turbine protection systems and it was
 7    certified last summer by Tuv for boiler protection in
 8    Germany.
 9              So this was the thing that originally gave us real
10    solid confidence that we would be successful here.
11              Fundamentally, this controller will handle a
12    variety of I/O modules, up to 1,500 I/O points for a single
13    controller.  And it supports six parallel processors.  Now,
14    this is really the key to building very simple systems,
15    where we may use one processor and maybe very sophisticated,
16    complex systems, where we require several more, and it's
17    this flexibility that really gives this system its wide
18    range of applicability.
19              CHAIRMAN UHRIG:  Now, each one of these processors
20    basically is a microprocessor such as a --
21              MR. SCAROLA:  It's a micro-controller.  It's a
22    Motorola --
23              CHAIRMAN UHRIG:  Is this Intel chips?
24              MR. SCAROLA:  We use Motorola.  It's a Motorola
25    68,000 base processor and each one of these processors is
.                                                                50
 1    basically a stand-alone module that slips into this rack,
 2    but they all share one common back plane, so they can
 3    exchange information very, very quickly, very rapidly.
 4              In a typical application, we'll essentially have
 5    functional segmentation between the processors.  One might
 6    be doing a DNBR calculation, another one might be doing a
 7    local power density calculation, another one might be doing
 8    some other function or maybe handling data communication.
 9              But the idea is that we can take very
10    sophisticated functions and distribute them.
11              Now, what makes the system suitable for nuclear
12    applications is it's a highly deterministic system.  The
13    operating system runs cyclically.  All of the application is
14    executed all of the time regardless of what the logic may
15    actually indicate in the application.  So we set flags and
16    execute all of the building block elements and all of the
17    network communications is fully cyclical.
18              We are sending thousands of times a second no
19    trip, no trip, no trip, no trip.  Then sooner or later we
20    may send trip.  So this is fully cyclical data
21    communications, not event dependent.
22              Also, the system has extensive self-diagnostics. 
23    So we monitor things like RAM integrity.  We do bit checks
24    continuously on the internal memory of the system to make
25    sure that there are no errors.  We are doing continuous data
.                                                                51
 1    link communication checks.  We do continuous verification
 2    that the CPUs can actually talk to the I/O modules and that
 3    there is no disconnect there where things might be freezing.
 4              So these extensive diagnostics, along with highly
 5    deterministic performance, make this a very suitable product
 6    for these nuclear safety critical applications.
 7              MR. SIEBER:  What happens if you detect a RAM
 8    error, for example?
 9              MR. SCAROLA:  Well, a RAM error is what we would
10    call a fatal failure.  So in this particular case, we
11    actually shut down the processor.  We actuate an output
12    relay in this case and depending upon the application, we
13    either fail actuated or we simply alarm.  For example, in
14    the case of a reactor protection function, reactor trip, we
15    typically fail in the actuated mode, so we force something
16    to happen.
17              MR. SIEBER:  So this fails, a RAM chip fails, that
18    trips the plant.
19              MR. SCAROLA:  No, because we have a multi-channel
20    system.  So what we're talking about here is an architecture
21    where you would have similar to what Siemens showed, four
22    divisions.  If you have a single controller failure, you may
23    fail one of those four divisions and then we ultimately vote
24    at the final element, so that that single failure may result
25    in one of four trip legs, but it takes one more to trip the
.                                                                52
 1    plant.
 2              Now, we have other functions in the plant that we
 3    may designate as not fail-safe functions.  For example,
 4    things like containment spray.  You don't necessarily want
 5    to spray down containment on a failure.  So we may designate
 6    those as not fail safe and in those cases, we would simply
 7    have an alarm on these failures and not actually send an
 8    actuation.
 9              So it's really application dependent.
10              The second major building block is what we call
11    the ABB Advant field bus and we designate this as the AF-100
12    bus.  This is the network communications that we use within
13    a division, so the A division will have a network, the B
14    will have an independent network, C has its own, D has its
15    own, and this network allows multiple controllers to talk
16    and exchange information.
17              It allows multiple controllers to send information
18    up to a maintenance and test panel.  It allows it to send
19    information up to the operator's module that's in the main
20    control room.
21              This is a multi-drop network up to 79 nodes, so
22    you may start an installation in a power plant with three
23    nodes, but over time, when you start to add more and more
24    systems, you're building on that same network and you may
25    get up to 60 nodes in the typical power plant installation.
.                                                                53
 1              Again, this is a highly deterministic bus.  We
 2    have what we call a bus master that actually is the internal
 3    traffic cop and we rotate that master continuously.
 4              We can establish various transmission cycles for
 5    things that have to happen very rapidly and things that can
 6    happen more slowly.  It's optical fiber media, so we
 7    maintain electrical independence between these various
 8    controllers, so we don't propagate electrical faults.
 9              Similar to the CPUs, there are self-diagnostics
10    and we have automatic reconfiguration so that if you fail or
11    have a failure of one of these 79 nodes, that's not going to
12    take down the other 78 nodes, and when you re-initialize
13    that failed node, it automatically gets back into the data
14    communication sequence.  So we don't end up taking down the
15    whole system.
16               Now, the third major building block is what we
17    call the flat panel video display.  This is, in fact, a VDU,
18    video display unit, that is intended to replace the
19    conventional analog meters, control switches that you would
20    have in a typical power plant.
21              We have these in operation today for our CPC
22    functions at various operating plants, not this exact same
23    unit, but very similar VDU based HSI, and also for the
24    post-accident monitoring systems.
25              So we felt that this was a very important part of
.                                                                54
 1    the building block set.  Now, this is a simple touch-screen
 2    VDU, where you can navigate by touch and you can select and
 3    modify set points, if this is appropriate for the
 4    application.
 5              It is an X-86 based processor, so this is the
 6    Intel side of the product line, and this is used for really
 7    two major functions.  One is the maintenance and test panel,
 8    which is where you would go to resolve these diagnostic
 9    errors or to load software into the system, and it's also
10    used for the operators' modules inside the main control room
11    for effectively the information monitoring inside the plant.
12              In a typical installation, where you have four
13    divisions of a system, A, B, C and D, you would have four of
14    these operators modules, again, to protect for single
15    failures.
16              Now, there are more building blocks in the system,
17    but in the essence of time, I focused on those three major
18    ones, which are really the core building blocks.
19    Now I would like to talk about equipment qualification, then
20    we'll talk about software qualification and a number of
21    other major issues.
22              The qualification tests encompassed, first,
23    electromagnetic interference, in accordance with the EPRI
24    guidelines, and before you had asked about surges on things
25    like power supply buses.
.                                                                55
 1              One of the tests in this is a four KV surge test
 2    on the power bus feeding the system.  And we also do a two
 3    KV test on all of the input/output signal lines.
 4              So we really believe that we have encompassed our
 5    worst case situation and based on operating experience with
 6    our CPCs, which are digital systems that have been in
 7    operation in nuclear power plants since the late `70s, we
 8    really feel we have encompassed any worst case conditions
 9    here.
10              CHAIRMAN UHRIG:  Thank you.
11              MR. SCAROLA:  We also do environmental testing in
12    accordance with IEEE-323.  Now, this is essentially elevated
13    temperatures, elevated humidity for extended periods of
14    time, and seismic qualification in accordance with IEEE-344.
15              Now, one of the things that we looked at for the
16    seismic qualification are really the target markets.  I
17    think everybody knows that the seismic boundaries for the
18    west coast of the US are far different than the east coast
19    and also we have very high levels in South Korea, fairly
20    mild applications in Europe.
21              But what we did is we established our bounding
22    seismic test criteria for all of these target markets.
23              So we think we have a large market base covered. 
24    We have completed the testing on the AC-160, which is what I
25    said was the core product.  We will be doing additional EQ
.                                                                56
 1    testing to be completed the first quarter of next year, and
 2    this will encompass the flat panel display.
 3              We will do testing on power supplies and we are
 4    also doing a new series of tests on what's called the
 5    PM-646A, which is the latest processor for this AC-160
 6    product.
 7              What we did before as part of the SER was the
 8    PM-645C.  We had some prototypes of PM-646A, but we didn't
 9    have full production units and now we're going to do the
10    full gamut of testing again.  So we have very high
11    confidence that once we get through this, we will have no
12    open issues.
13              MR. SIEBER:  Now, all of these devices, like the
14    flat panel display and power supplies, they're all mild
15    environment, right?
16              MR. SCAROLA:  Everything is mild environment. 
17    Right.  Nothing is intended for in-containment use.
18              MR. SIEBER:  So what's the test consist of, just
19    elevated temperature and running for a long time or what?
20              MR. SCAROLA:  I will ask for some help.  Marty,
21    can you help on what the actual test levels were for the
22    elevated temperatures?
23              MR. RYAN:  Marty Ryan, from Westinghouse.  The
24    environment test consisted of testing three different
25    profiles for different temperature and humidity conditions,
.                                                                57
 1    where we expected the worst case high temperature and the
 2    low temperature for periods of eight hours with mixed
 3    humidity, so as to accommodate the ventilation requirements
 4    in the mild environments that currently exist.
 5              MR. SIEBER:  And that testing then sets the
 6    environmental limits on the rooms or cubicles in which the
 7    equipment would be installed.
 8              MR. RYAN:  That's correct.  We actually did it in
 9    an open frame, so we tested the physical equipment to the
10    highest level that we would expect, as the equipment goes
11    inside an enclosure.
12              MR. SIEBER:  Thank you.
13              MR. SCAROLA:  One thing I will add is that we test
14    both what we consider the normal long-term operating range
15    with normal HVAC conditions in the room, but we also test
16    boundary conditions that would be indicative of the HVAC
17    failures in the room, as well.
18              DR. POWERS:  And the test was for eight hours?
19              MR. SCAROLA:  It's actually a series of plateaus
20    for eight hours at each plateau.  There were four plateaus,
21    three plateaus.  Okay.  Three plateaus at eight hours each.
22              And the actual details of that testing are in the
23    topical report.
24              MR. SIEBER:  Do you actually do that until you get
25    a failure someplace or that would give you the ultimate
.                                                                58
 1    envelope?
 2              MR. SCAROLA:  No.  We don't do a catastrophic test
 3    to find out the limits of the equipment.  We basically
 4    establish the boundary conditions and we ensure that the
 5    equipment functions to those boundary conditions.
 6              MR. SIEBER:  Thank you.
 7              DR. POWERS:  When you do your seismic test, what
 8    are you looking for?
 9              MR. SCAROLA:  Failures, functional failures as
10    well as physical integrity failures, but essentially the
11    real focus is for functional failures.
12              DR. POWERS:  I guess what I'm asking is a little
13    more detail.  Where do you think the system is most
14    vulnerable?
15              MR. SCAROLA:  I'll look for help.  I'm not sure I
16    fully understand the question.  We are trying to make sure
17    that all the safety-critical functions in this system will
18    not be compromised during the seismic event.
19              DR. POWERS:  I could imagine that you're looking
20    for conductors coming unlatched, modules falling out of
21    slots, pins coming out of sockets.
22              MR. SCAROLA:  We are particularly sensitive to the
23    electro-mechanical interfaces all around the system, whether
24    it's a circuit board seated into its end connector, a data
25    communication coax cable, whatever it might be.  Those are
.                                                                59
 1    the things that we are particularly designing to enhance for
 2    seismic durability.  Marty, would you add something to that?
 3              MR. RYAN:  Yes.  With regard to what we look for
 4    in seismic, we're looking for the mechanical aspects, as
 5    mentioned, but also for the functional aspects, where we
 6    have an off-line monitored set of test equipment, where
 7    we're looking at the functionality of test software and test
 8    functions being executed in the specimen.
 9              We also took the equipment up to the maximum level
10    that we could see in any particular location.  It was
11    actually the maximum level of Wylie's test table at the
12    Huntsville, Alabama facility.
13              DR. POWERS:  When you expose it to a -- you do the
14    seismic test, how long does the vibration typically go on?
15              MR. RYAN:  The requirement in 344 is to subject
16    the specimen for 30 seconds.  So each of the tests that are
17    run in the triaxial mode, whether it be the OBE, which is a
18    half strength, we run a minimum of five of those, followed
19    by an SSE.  Each of those test sequences are 30 seconds
20    duration.
21              DR. POWERS:  How do you think your system would
22    perform in a much longer duration exposure to harsh
23    vibrations?
24              MR. RYAN:  We would expect it to operate without
25    any incident.  The reality is that we have not seen, based
.                                                                60
 1    on field experience, any incidents due to low level
 2    vibration. Part of the testing is also to look at a sine
 3    sweep to see if the frequencies covered outside of the
 4    seismic would present any susceptibility and during those
 5    tests, we found no problem areas, we well.
 6              DR. POWERS:  Even if it went on for an hour?
 7              MR. RYAN:  I'd have to speculate, but one would
 8    think that based on the installed type of equipment that we
 9    have in the plant, which is subjected to the same physical
10    area of the plant, we have no indication that that is a
11    problem, so we would suspect that this would not be a
12    problem to the new equipment, as well.
13              MR. SCAROLA:  I think one of the real key issues
14    here is that we look for resonance frequencies in this
15    equipment when we do these seismic sweeps.
16              DR. POWERS:  That's the sine sweep that he was
17    speaking of.
18              MR. SCAROLA:  Right.
19              DR. POWERS:  And where do you see resonance?
20              MR. RYAN:  We see resonance typically, depending
21    upon the fixture that we mount the equipment, but we have
22    traditionally tried to put a fixture that had no resonance
23    in it, a rigid test fixture.  So whatever the table is
24    imparting, it imparts it directly to the specimen.
25              But in a cubicle, we typically see resonance
.                                                                61
 1    somewhere between 12 and probably 15 hertz.
 2              CHAIRMAN UHRIG:  For your Pacific Rim countries,
 3    what is the typical OBE and SSE?
 4              MR. SCAROLA:  I'm sorry?
 5              CHAIRMAN UHRIG:  The operating basis earthquake
 6    and your safety shutdown.
 7              MR. SCAROLA:  For which country?
 8              DR. POWERS:  For South Korea, for example.
 9              CHAIRMAN UHRIG:  South Korea.
10              DR. POWERS:  What is the ZPA for South Korea?
11              MR. RYAN:  The ZPA is typically running about OBE
12    12 hertz G with a ZPA of around one to one and a half.  And
13    the SSE for worst case profile at the location is somewhere
14    around 24 G's and we test up to about a two, two and a half
15    ZPA.
16              CHAIRMAN UHRIG:  Is that horizontal component, is
17    that --
18              MR. RYAN:  That's all three components.
19              CHAIRMAN UHRIG:  All three components.
20              MR. RYAN:  Yes.  What we've attempted to do is
21    integrate a generic qualification process, where we looked
22    at the different geographical frequencies and composed a
23    composite type test environment, and that actually envelopes
24    what the machine limitation curve is at the test facility.
25              CHAIRMAN UHRIG:  Those G limits are for the
.                                                                62
 1    instrumentation and control.  That's not the for the whole
 2    plant, I assume.
 3              MR. RYAN:  That's for the typical location where
 4    we would install this equipment in the protection rooms of a
 5    typical power plant.
 6              MR. SCAROLA:  One of the real challenges is
 7    attempting to establish your boundary conditions, because we
 8    really are doing this as a statistical sample testing.  Then
 9    what we're hoping is that we have encompassed all of these
10    potential installation locations.
11              So we really test a very high G levels, as Marty
12    said, 25 G's, with the expectation that if you look at all
13    of these accelerations from the ground through the building,
14    from the bottom of the cabinet to the very highest point
15    inside the cabinet, that we have, in fact, encompassed and
16    through all the years of experience we have with seismic
17    qualification, we believe that we have, in fact, encompassed
18    almost every location we would find.
19              Now, of course, we have to confirm that for every
20    installation, but we do believe that we're covered.
21              CHAIRMAN UHRIG:  That number 25 was considerably
22    higher than I expected.
23              MR. SCAROLA:  Let me show you what the test
24    fixture looks like, because this will give you a feel for
25    what the seismic testing is.  What you can see here is this
.                                                                63
 1    a rigid test fixture, as Marty explained, and the intent of
 2    that test fixture is to impart the vibration from the table
 3    right to the electronic equipment with no acceleration.
 4              So we know that what we got at the table is what
 5    we got there.  But the real challenge is the recognition
 6    that we are qualifying building blocks and building blocks
 7    can be configured in many different ways and in many
 8    different mounting methods.
 9              For example, here you see front panel mounting
10    where the rear of this electronic chassis is actually bolted
11    to what would be considered the frame of the cabinet.
12              On the other hand, here you see what we call rack
13    mounting, which means that the rack assembly is actually
14    bolted from the front and, therefore, is now cantilevered in
15    the back.
16              So one of the real challenges was establishing
17    what we felt were the boundary conditions for this seismic
18    test.  Similarly, we had to establish boundary conditions
19    that encompassed the building block configurations for the
20    EMC testing.  Again, a significant challenge because you can
21    have many different combinations of modules inside any
22    particular rack.
23              So establishing these boundaries as a worst case
24    test was an important part of the program.  Then we
25    addressed software qualification.  Now, an important point
.                                                                64
 1    here is that this is a product that was developed for the
 2    industrial market, not the nuclear market.
 3              So we are using standard ABB software for what's
 4    called the Advant controller base software, this is inside
 5    the AC-160, and inside the flat panel display, we're using
 6    an operating system from a company in Canada, QNX Software
 7    Systems Limited.  Again, standard off-the-shelf software
 8    with a long history of performance in industrial
 9    applications.
10              Then what we had to do are really two major
11    things, a design life cycle evaluation and an operating
12    history evaluation.  What we did through this life cycle
13    evaluation, we evaluated the OEM software development
14    process to confirm that it was essentially equivalent to
15    what we would expect in the nuclear industry.
16              And where we found deficiencies, we would
17    accommodate those through additional review by our own
18    people, for example, code reviews.  We would do supplemental
19    testing.  We would ask the vendor in some cases to modify
20    his process for future software revisions or for error
21    reporting and correction.
22              In some cases, we required more documentation. 
23    And in some cases, we would say this part of the software
24    may not have been developed to the level that we would
25    really expect; therefore, it's an application restriction. 
.                                                                65
 1    We may not use it in safety-critical applications.
 2              So this whole design life cycle evaluation was a
 3    very important part of the program.  We also evaluated the
 4    operating history of these products.  Are they, in fact,
 5    good products; what is their performance record, and we
 6    ensured that all of the applicable problems had been
 7    resolved or the supplier has a mechanism in place that they
 8    will be resoled and we have a tracking interface for that.
 9              So, again, we must recognize that these are life
10    cycle products.  This is a snapshot in time of a product,
11    making sure that we maintain this product for its useable
12    life in the nuclear industry is as important as what the
13    product is today.
14              Then the other part of the software qualification
15    pertains to the application software itself.  That's the
16    part that will be specific for nuclear application and
17    there, with the staff, we have established coding standards,
18    testing standards, standards for documentation and
19    verification and validation.
20              All of this is encompassed in what we call our
21    software program manual, which effectively becomes the bible
22    of how you apply this product in future nuclear applications
23    and it establishes the basis for what the NRC is expecting
24    to see when a licensee applies this product.
25              Another very important area is what we call
.                                                                66
 1    configuration management.  This is the issue of ensuring
 2    that the nth of a kind product that you build is the same as
 3    the one that you put through qualification and licensed. 
 4    And we have supply agreements with our key suppliers that
 5    establish configuration control of both hardware and
 6    software and also proactive obsolescence management
 7    programs, where we don't wait and find out that something is
 8    obsolete.  We're actually out there all the time discussing
 9    with Motorola, with Intel, with all of the key suppliers for
10    what we call the critical components what are their plans. 
11    It's a very significant program.
12              Now, we have contracts in place already with ABB
13    and as we move further into the maturity of things like the
14    flat panel display, we will have other contracts in place
15    with those key suppliers, as well.
16              As a result of this, we can ensure that the nth
17    product is equivalent to the qualification specimen and we
18    can ensure 20-plus years longevity for these products.  So
19    we protect the utility's investment all the way through.
20              This, though, I would say is probably one of the
21    more substantial efforts of the entire program.  This is not
22    an easy thing to do in this day and age, where this
23    electronics industry is moving at the speed of light.
24              So I really cannot over-emphasize the importance
25    of this program.
.                                                                67
 1              MR. SIEBER:  A question on the control of
 2    obsolescence.  You know, Intel or Motorola or some
 3    chip-maker, they'll make a CPU chip for a year and then
 4    somebody thinks of something better and they quit making
 5    that and start making something else.
 6              Does that mean your circuit cards that may employ
 7    these OEM chips will change from time to time to incorporate
 8    the so-called advances?  In other words, if I own one of
 9    your processors and say, uh-oh, I think I need a new card,
10    the card I get is going to be different than the one I take
11    out.
12              MR. SCAROLA:  You are describing exactly the
13    problem that we are dealing with and the way we deal with
14    this problem, number one, is we know when the parts are
15    changing and I can't necessarily say that about every
16    product in the industry.  Sometimes these OEMs will do
17    things and the end users have no knowledge of it.
18              So you think you're getting the same thing, when,
19    in fact, you're not.  So the first step in here is
20    establishing a process with the key suppliers where we, in
21    fact, know that they have a problem with components.  And
22    then at that point, we have the option, we can do one of two
23    things.
24              We can buy these components and stock them.  For
25    example, say, Motorola says, look, I'm only going to build a
.                                                                68
 1    specific CPU for another year and then I know I'm going to
 2    obsolete it.  At that point, we can buy whatever we need for
 3    our existing customers and our future customers in the
 4    near-term.  We also have the option at that point of
 5    redesigning their next generation chip into the new board
 6    and ensuring form fit function replacement.
 7              So even though there is a new part in there, we
 8    are supervising the application design with the supplier so
 9    that we ensure that the next generation product is, in fact,
10    a form fit function replacement, and then we also would, at
11    that point, do the evaluation of any new requalification
12    needs.
13              Sometimes you can analyze the equivalency of new
14    chips, but sometimes you can't.  And you actually have to go
15    back through the hardware qualification and software
16    qualification process.  But the real key is knowing that you
17    have the problem and then you can do something about it.
18              MR. SIEBER:  Now, the same question applies to
19    software.  Some bright person can say there's a better way
20    to do this particular calculation or what have you and come
21    up with a changed software that satisfies form fit and
22    function.  On the other hand, it may change the duty on the
23    CPU or RAM or what have you or change the whole timing of
24    the computer.
25              MR. SCAROLA:  Absolutely, and that's why
.                                                                69
 1    configuration control of software is as equally important as
 2    it is to hardware.
 3              We have very strict controls over the firmware
 4    that is embedded in these products at every point in the
 5    product, whether it's the CPU, the firmware that may be
 6    inside a simple I/O module, the firmware that may be inside
 7    a network communication module, we are controlling that
 8    firmware and we ensure that these suppliers have processes
 9    and we audit those processes, because I agree with you.  You
10    can get yourself into a lot of trouble if these things are,
11    in fact, changed and you don't know about them.
12              So we get to evaluate every change.  Some changes
13    we can accept, some changes we cannot accept and, therefore,
14    we will use a previous revision of the software.  We don't
15    necessarily always upgrade the software to the latest
16    revision.
17              MR. SIEBER:  So you will, in fact, then, be the
18    only qualified supplier for those software, firmware and
19    hardware.
20              MR. SCAROLA:  For this product.
21              MR. SIEBER:  Right.
22              MR. SCAROLA:  Absolutely.
23              MR. SIEBER:  Thank you.
24              MR. SCAROLA:  Another major issue is what we call
25    diversity and defense-in-depth, and here we have established
.                                                                70
 1    a methodology where the analysis addresses common mode
 2    failures and effects for all postulated initiating events
 3    and we credit diverse non-safety I&C systems for coping.
 4              Some examples of the systems that we credit are
 5    the non-safety control systems, the ATWS systems, but in
 6    many cases, we find that even they are not sufficient and we
 7    need to supplement the RPS and ESFAS functions with some
 8    supplemental trips in these diverse platforms.
 9              So there is an entire methodology that we have
10    established.  We executed this methodology the first time on
11    the System 80+ ALWR and we are following the same
12    methodology for future upgrades.
13              One of the real challenges in this is when you
14    start dealing with modernization in phased upgrades, where
15    my first upgrade might be the post-accident monitoring
16    system and then the next one is the CPCs and you can get
17    yourself into an analysis quagmire.
18              So what we have established is a methodology where
19    we do the analysis one time and then we confirm the
20    applicability of that analysis through each phase of the
21    upgrade.
22              Now, I addressed basically the main body, which
23    you can't see here, but now I would like to talk a little
24    bit about the appendices.
25              As I said, there are four major -- there are four
.                                                                71
 1    key appendices that were submitted to the staff for these
 2    functions, PAMS, CPCR, PS and ESFAS, and the integrated
 3    solution.
 4              The intent of the appendix is to show the system
 5    configuration for each of these major applications.  So we
 6    defined to the staff the process or architecture in a
 7    specific application like RPS, it may take eight processors. 
 8    In an application like PAMS, maybe only two.
 9              We define both the intra-division within a
10    division of communication and the inter-division between
11    division communication methods, and we also defined expected
12    variations for the plants that we were knowledgeable of that
13    are out there.
14              So we said this is a base configuration, but we
15    envision that the architectures may change in this way, this
16    way and this way.  We defined significant plant interfaces. 
17    We defined features such as automatic testing, manual
18    testing and bypass features.
19              For each of these appendices, we submitted a
20    failure modes and effects analysis for that configuration
21    and we provided technical input for 50.59 evaluations and
22    also for tech spec changes that would relate to extending
23    manual surveillance intervals.
24              Now, we know that the staff cannot approve 50.59
25    evaluations in a topical report, and we know that they
.                                                                72
 1    cannot approve tech spec changes in a technical report, but
 2    we did want to get the staff's reaction on our technical
 3    basis for these things.  We feel we had very good
 4    interaction on that.
 5              Now, the appendices, as I said, address
 6    stand-alone system configurations, but the fourth appendix,
 7    the integrated solution, shows how all these things fit
 8    together, how we share the building blocks and the effects
 9    of that sharing.
10              So the intent of Common Q is to address the entire
11    spectrum of what we envision as safety critical Class 1E
12    applications in any operating power plant today.
13              We have submitted applications for various or
14    submitted appendix material for various applications, but we
15    feel we have now laid the groundwork so that utilities can
16    do this in the future with our help for future applications.
17              Now, I wanted to just go through some places where
18    the system is being applied.  Its first application is at
19    the Oskarsham-1 modernization in Sweden, where the
20    applications include the full spectrum of safety-critical
21    functions, reactor protection engineered safety features,
22    the load sequencer for the emergency diesel, and component
23    control for every class 1E safety-related pump and valve in
24    the plant.
25              And this system will be in operation in September
.                                                                73
 1    of 2001.  So we're not very far away from having that system
 2    up.
 3              CHAIRMAN UHRIG:  How long was the plant down to do
 4    this?
 5              MR. SCAROLA:  Actually, the plant is not down yet. 
 6    They will start their down sequence of April of next year. 
 7    They will actually come down.
 8              CHAIRMAN UHRIG:  So April to --
 9              MR. SCAROLA:  So the installation will be very
10    aggressive.  It will be about four months for installation.
11              CHAIRMAN UHRIG:  So it's essentially a complete
12    replacement.
13              MR. SCAROLA:  Right.  This is a full
14    modernization, and it's in one shot.  It's not a phased
15    installation, as we talked about before.  This is one-shot,
16    do everything at one time.
17              CHAIRMAN UHRIG:  But you might be able to split it
18    up into two or three shorter sequences.
19              MR. SCAROLA:  For other utilities, if that's what
20    they desire, right.  But for this particular utility, they
21    wanted to do it all in one shot.
22              MR. SIEBER:  How long will that take, just out of
23    curiosity?
24              CHAIRMAN UHRIG:  He said about four months.
25              MR. SCAROLA:  About four months for the
.                                                                74
 1    installation.
 2              MR. SIEBER:  Okay.
 3              MR. SCAROLA:  The second application is at
 4    Ulchin-5 and 6 in South Korea.  There we are doing a reactor
 5    protection and engineered safety features, and that will be
 6    operational in 2003.  Ringhals Unit 2 in Sweden, again, is a
 7    full modernization; again, in one step, shut down the plant,
 8    rip out the old equipment, install the new equipment, and
 9    the operation there is expected 2004.
10              One of the additions here over the Oskarsham is we
11    will now be using this flat panel display product, so we
12    will have video human systems interfaces, whereas at
13    Oskarsham is still discreet HIS.
14              We also building KEDO-1 and 2 now in North Korea. 
15    This is a recent contract and that's actually several years
16    out.
17              This will actually be a duplicate of the Ulchin 5
18    and 6 plants in South Korea.  And then as we speak today we
19    are in discussions with many US utilities about
20    modernization, either on a small system basis or a
21    plant-wide modernization basis.  It runs a full gamut.
22              CHAIRMAN UHRIG:  Ulchin is a plant under
23    construction?
24              MR. SCAROLA:  It's under construction.
25              CHAIRMAN UHRIG:  So this is new installation.
.                                                                75
 1              MR. SCAROLA:  Yes.  These are new plants -- well,
 2    this is a new plant, this is a new plant, and Oskarsham and
 3    Ringhals are operating plants.
 4              So that's the specifically application of the
 5    Common Q platform, but I also wanted to explain that this
 6    ABB Advant Technology, through predecessors and related
 7    products, is in operation in many nuclear power plants today
 8    in Europe, at Forsmark-1 and 2, also plants in Finland,
 9    TVO-1 and 2, and in the U.S. we actually have operation of
10    the AC-160 predecessor, which is the AC-110, for rod
11    position indication systems at Beaver Valley and also
12    Ringhals-2 in Sweden.
13              So this equipment has been around in a number of
14    different places.  We hope we have achieved this goals.
15              MR. LEITCH:  Excuse me just a second.  Can you
16    help to orient me?  I had -- I was at Maine Yankee for a
17    while and we had a -- I'm not sure of the terminology. 
18    Before I was there, they had installed a digital platform of
19    some type that supported feedwater control.  Would that be a
20    forerunner of this system or are you familiar with that
21    system at all?
22              MR. SCAROLA:  I'm not specifically familiar with
23    it, but I'm sure it was not the forerunner of this system. 
24    Feedwater control systems are what we would view as
25    non-safety systems and they would use the Advant non-safety
.                                                                76
 1    platform, whereas this is a safety-critical platform for
 2    safety-critical applications, like reactor protection.
 3              MR. LEITCH:  This would have been installed maybe
 4    in the 1991 or 2 timeframe, so it would likely have been
 5    non-safety related.
 6              MR. SCAROLA:  Non-safety and not this product.
 7              MR. LEITCH:  Not this product.
 8              MR. SCAROLA:  Probably another product line.
 9              MR. LEITCH:  My question was going to be could
10    that product line still have been supported or is that one
11    of those -- in other words, I'm getting back to this system
12    of obsolescence.  That system was put into overcome
13    obsolescence on the order of magnitude of eight years ago
14    and I'm wondering could that still be supported.
15              MR. SCAROLA:  It depends on --
16              MR. LEITCH:  Perhaps it's an unfair question if
17    you're not familiar with that.
18              MR. SCAROLA:  Let me ask the other people from
19    ABB.  Did we install that equipment?  Okay.  This was not an
20    ABB installation and not a Westinghouse installation.  It
21    was probably done by Maine Yankee with a third party
22    supplier.
23              So I have no idea what sort of arrangements they
24    had in place for obsolescence.  But I can tell you that
25    enough utilities have been burned by obsolescence management
.                                                                77
 1    because they thought they were solving an obsolescence
 2    problem only to find out they installed an obsolescence
 3    problem.
 4              MR. LEITCH:  Exactly.
 5              MR. SCAROLA:  And I think we're much smarter
 6    consumers now than we were back in the early `90s.
 7              MR. LEITCH:  Yes.  I think you're quite correct,
 8    by the way.  I was thinking at first it was an ABB system,
 9    but now that you've refreshed my memory, you're quite
10    correct.  It was not.  Thank you.
11              MR. SCAROLA:  In looking at the goals we
12    established, one common solution, very important for
13    utilities, in that it reduces technical support costs and it
14    reduces unique spare parts cost.  One thing we all have to
15    realize is spare parts and maintenance for utilities of a
16    major factor and right now they're maintaining in any power
17    plant probably no less than about 25 different
18    safety-related platforms of different things and getting
19    them down to one is a major economic improvement.
20              And then through this modern technology, we really
21    are seeing improved reliability, but allowing an extension
22    of manual surveillance intervals.
23              You know, one can be a tradeoff over the other. 
24    You can extend manual surveillance intervals and not be as
25    reliable, but the real key is to find a way to extend them
.                                                                78
 1    and also improve reliability, and that is what we have
 2    achieved.
 3              This is all through low power consumption
 4    electronics that have much longer MTVF ratings than the old
 5    analog stuff that was heat-producing.  We have internal
 6    self-diagnostics that essentially pick up probably near 100
 7    percent of the failures within milliseconds.  Then we have
 8    automated testing that really tests the function of the
 9    system.
10              In closing, I would just like to say that you've
11    seen a lot of pictures and a lot of words here, but we'd
12    really like for you to come to Pittsburgh, if any of you
13    have a chance, and we'd like to demonstrate this equipment. 
14    You can see it, you can touch it, you can feel it.  We have
15    a very extensive customer demonstration facility there where
16    we can actually show the operation of the equipment, as well
17    as the HSI, the human-systems interface.
18              A few years ago, when we were doing the System 80+
19    licensing, we actually brought the equipment to the ACRS.  I
20    don't know if any of you remember that.  But it's much
21    easier to get you to come to Pittsburgh.  So I extend the
22    invitation.
23              We would love to have you.
24              MR. SIEBER:  What's the address?
25              MR. SCAROLA:  286 Golden Mile Highway in
.                                                                79
 1    Monroeville.
 2              DR. POWERS:  Let me remind the subcommittee that
 3    in the discussions with Commissioner Diaz, he certainly
 4    thinks that the ability to go to digital systems like this
 5    is key to the future for the nuclear industry in so many
 6    respects, and because of the importance that he ascribes to
 7    it, I think we should give serious thought to this
 8    invitation.  The more exposure we get to this, the better
 9    prepared we are to supply the answers to Mr. Diaz when he
10    asks questions about these digital systems.
11              MR. SCAROLA:  I think seeing it, touching it,
12    interacting with it is worth much more than whatever I could
13    give you.
14              DR. POWERS:  If you don't mind, the next time I
15    have a chance to talk with Commissioner Diaz, I will remind
16    him of this capability you have to demonstrate this.  He may
17    be very interested himself.
18              MR. SCAROLA:  We'd extend the invitation to the
19    whole staff, as well.
20              DR. POWERS:  It very much is uppermost on his mind
21    right now in connection with the future.
22              MR. SCAROLA:  Thank you gentlemen.  Any questions?
23              MR. LEITCH:  Yes, a couple questions.  I notice
24    that in the safety evaluation report, there is some generic
25    open items, about ten in number.  Are they -- at least as I
.                                                                80
 1    understand it, they're not plat-specific, but as the heading
 2    says, generic open items.
 3              Are they on their way to resolution?
 4              MR. SCAROLA:  Yes.
 5              MR. LEITCH:  What is the status of those issues?
 6              MR. SCAROLA:  Most of those issues relate to the
 7    building blocks within the Common Q platform that we had not
 8    fully completed.  For example, we talked about the flat
 9    panel display.  We talked about the power supply system.  We
10    also have a few new analog interface modules that we need
11    for some specific applications such as the CPC, core
12    protection calculator.  All of these hardware qualifications
13    will be completed the first quarter of 2001.
14              So we are on the way to essentially closing out
15    all of these issues.  We will be talking with the staff
16    about our submittal schedule.  This is probably the first
17    time they're seeing 2001 in a date, but we have to sit down
18    and work it out and work out the details.
19              MR. LEITCH:  You said one of your objectives was
20    to relax the manual surveillance test intervals.  Have you
21    achieved that objective or is that still unclear?
22              MR. SCAROLA:  We think we have achieved it in the
23    sense that the staff has reviewed our basis for that, the
24    technical basis, and they have accepted that basis. 
25    However, tech spec changes can only occur through license
.                                                                81
 1    amendment.  So there are probably still some fine points
 2    that will be worked out.
 3              But in essence, we think we have achieved it.
 4              MR. LEITCH:  And is that a significant reduction?
 5              MR. SCAROLA:  Significant, because we now test
 6    many functions quarterly or even monthly and we will now go
 7    to 18 month intervals.
 8              MR. LEITCH:  So it's getting to once per refueling
 9    type of situation.
10              MR. SCAROLA:  Well, it's once per cycle.  When you
11    say once per refueling, some utilities get upset about that
12    because they don't want to do anything more during refueling
13    than they have to.  So the important thing is once per cycle
14    and all of the testing that we require for manual testing
15    can be done with the pliant on-line.
16              So even though it's once every 18 months, when
17    they do it is entirely up to them.  We're not forcing things
18    to be done during refueling and that's an important issue
19    for many utilities.
20              MR. LEITCH:  Are your cabinets locked and alarmed?
21              MR. SCAROLA:  Locked and alarmed.
22              MR. LEITCH:  And this testing can be done without
23    jumpers, lifting leads and so forth.
24              MR. SCAROLA:  Yes.  Most of the testing can be
25    done through the operator's module and the maintenance and
.                                                                82
 1    test panels.  With regard to the injection of analog
 2    signals, what we have proposed is that we do continuous
 3    cross-channel monitoring of all redundant sensors and that
 4    is the basis for extending that interval.
 5              So we will detect sensor drift immediately.
 6              MR. LEITCH:  As it occurs.
 7              MR. SCAROLA:  Right, as it occurs.
 8              MR. LEITCH:  I apologize, I was called out of the
 9    room a little bit, but is this -- do you have any operating
10    experience in Europe with this system or anyplace, do you
11    have any operating experience?
12              MR. SCAROLA:  We have extensive experience with
13    the predecessor, AC-110, in nuclear applications.  We have
14    extensive experience with the AC-160 in fossil applications,
15    in many fossil applications.  But the actual first
16    installation of the AC-160 in a nuclear facility will be at
17    Oskarsham-1 and that's operational 2001.
18              MR. LEITCH:  Now, with the predecessor of the
19    system, when retrofitting nuclear plants, did you experience
20    serious startup problems?
21              MR. SCAROLA:  No.  Actually, for example, Beaver
22    Valley, when we replaced the Westinghouse analog rod
23    position indication system with the AC-110 system, the
24    installation including all of the testing was done in 15
25    days.  There were some minor hiccups, but nothing of any
.                                                                83
 1    significant.
 2              MR. LEITCH:  Do you train utility personnel in the
 3    operation and maintenance of the system?
 4              MR. SCAROLA:  Yes.  Not only do we train them, but
 5    we encourage the utilities to be part of our design staff
 6    when we do an application for them.  For example, we are now
 7    in discussions with many US utilities about applications and
 8    a major element of each one of those programs is their
 9    people working in our shop side by side with our design
10    team.
11              MR. LEITCH:  Okay.
12              MR. SCAROLA:  So it's not only important that we
13    do the training, but there's only so much you can get from
14    training.  We really want their people in our staff working
15    with our people.
16              MR. LEITCH:  Thank you.
17              CHAIRMAN UHRIG:  Other questions?  Any comments
18    from the staff?
19              MR. CALVO:  No.  I think the presentation covered
20    it.
21              CHAIRMAN UHRIG:  With this, we will recess and
22    come back at 11:00.
23              [Recess.]
24              CHAIRMAN UHRIG:  We will come back into session. 
25    Go ahead.
.                                                                84
 1              MR. MARINOS:  My name is Evangelos Marinos.  I am
 2    the Section Chief for the Instrumentation and Control
 3    Section in the Electrical Instrumentation Branch in NRR. 
 4    There are two sections, the electrical section and the
 5    instrumentation section.
 6              In the instrumentation section, of course, we do
 7    all the instrumentation reviews, including the digital
 8    reviews that you have heard today.
 9              We have staff over here that conducted these
10    reviews and if any questions arise that are specific to the
11    review and the SER that you have copies of, they'll be ready
12    to address them.
13              There are also people here from Research who help
14    us in maintaining our status with the advanced issues as
15    they emerge and we look to them to keep us abreast of what
16    is happening.
17              And with that, I will start and give you a quick
18    overview of how we conducted the review.  A lot of what I'm
19    going to present is redundant with the presentations you've
20    heard already, but this is a major thing.
21              The reason for replacing the digital equipment, as
22    you already heard, is analog equipment are going obsolete. 
23    Plant components are aging and maintenance costs are
24    increasing and vendors that support analog equipment will no
25    longer provide equipment.
.                                                                85
 1              Digital equipment and components are readily
 2    available with potential for performance and reliability
 3    improvements, as you also heard today from Siemens and ABB.
 4              The replacements, of course, include the -- they
 5    are expected to replace reactor protection systems,
 6    engineered safeguards systems, management systems and
 7    balance of plant equipment, which are, to a certain degree,
 8    already in place, balance of plant, like feedwater systems
 9    controls are replaced with digital systems.
10              Presently, we have the status of our reviews are
11    as you see in the slide.  We have completed the Siemens
12    review and the Westinghouse ABB/CE.  We have in-house right
13    now, we're reviewing the ASICS, which is application
14    specific integrated control circuit, and this is a digital
15    system that is just a specific function type of platform. 
16    It doesn't have the extent of the main platforms that were
17    described today.
18              The unique features, that is that this kind of
19    circuit design, it can be fully tested and we can have
20    better confidence in its performance.
21              We are still reviewing this and we expect to have
22    it completed this year, by the end of this next month.
23              An additional review we're doing is the Triconex,
24    which just arrived for review, and that platform is
25    essentially the same magnitude as the two that you have
.                                                                86
 1    heard today.
 2              A large platform and the features of that platform
 3    is about the same as the ones that were described today.
 4              CHAIRMAN UHRIG:  Are there other systems that you
 5    expect coming in in the next year or two or are these the
 6    three principal --
 7              MR. MARINOS:  I heard, in fact, yesterday, from a
 8    new employee we have, that a French company, I don't recall
 9    the name of it, which provides the platforms for French
10    reactors, is considering to submit a topical report for our
11    review, which will be similar to the ones you've heard
12    today.
13              But this is just, I guess, a rumor or just an
14    information that really has no --
15              CHAIRMAN UHRIG:  Is that Gillett?  It makes no
16    difference.
17              MR. MARINOS:  Would you tell me the company's
18    name?  Schnela Electric.
19              In our review, we've used the guidelines as
20    security Siemens and ABB/CE presented.  The principal
21    guidelines is, of course, the Chapter 7 of the SRP and
22    IEEE-603 and 7-4.3.2.
23              All these documents, particularly the standard
24    review plan, of course, has been fully reviewed by ACRS and
25    over the years that is relevant on a standard review plan
.                                                                87
 1    Section 7, Chapter 7, and ACRS is familiar with the contents
 2    of that.
 3              More specifically, in those guidelines, we have,
 4    of course, the branch technical positions that deal with
 5    individual areas, like the software review, the branch
 6    position 14, defense-in-depth, as you heard today from both
 7    vendors.  We've reviewed defense-in-depth and have
 8    guidelines and criteria which we follow and vendors, of
 9    course, know it, to address the specifics that we're
10    interested in.
11              Real-time performance is, of course, we make sure
12    that the platforms can meet the time requirements for an
13    accident event, for a design basis event, time of functions
14    that need to be performed.
15              The on-line periodic testing, as you've heard
16    again today, we evaluate the capability for doing that
17    on-line periodically or continuously, however they prefer to
18    do it.  And we look at the level of detail of design.  We
19    have, of course, a branch position there.  And, of course,
20    programmable logic controllers, their design, software and
21    everything.
22              We have a position that identifies the --
23    highlights the areas that we will be interested in the
24    design.
25              Verification and validation reviews and audits of
.                                                                88
 1    software and hardware and their criteria there, Regulatory
 2    Guides and IEEE standards that provide guideline by which
 3    tells the vendors how they should conduct the verification
 4    and validations to assure that the product, the end product
 5    meets the expectations of the design.
 6              Of course, we also have requirements, lots of
 7    them, for software configuration management, which you heard
 8    again today, is important to know that the product you have
 9    is the product you designed for.
10              The test documentation, software unit testing, of
11    course, more software requirement specifications and
12    software life cycle process, we, again, emphasize that in
13    our review, the planning through the operation of any
14    digital system will make sure that they have proper
15    procedures and documentation to assure that the life cycle
16    is credible.
17              Challenges in the review of the design system,
18    there are many challenges that we have as we're reviewing
19    those things.  The rapidly changing software engineering
20    technology, as Ken Scarola indicted, it's changing with the
21    speed of light.  I'm afraid we are operating at the speed of
22    sound, but we try and catch up with it, we do the best we
23    can to maintain that
24              CHAIRMAN UHRIG:  Isn't the rapid change occurring
25    in the hardware as opposed to the software or is it both?
.                                                                89
 1              MR. MARINOS:  It's both, but the hardware, I'm
 2    sure, is the one that's changing faster than the software. 
 3    There is, of course, changes in the languages that are being
 4    used right now, but they're basically the same, small
 5    variations in the software languages being used.
 6    The continuous performance, which is, of course, sequential
 7    performance of the analog systems are hard-wired.  Its
 8    parameter, its function is wired there and you constantly
 9    see it in an analog form.  In the digital, you rely in the
10    cycle to come back to it.
11              So there is a challenge there to make sure that
12    timing is correct and we have sufficient time to come back
13    to the function that we left.
14              Software reliability is one of the principal areas
15    that gives us a challenge.  In large platforms, like the
16    ones described today, testing is, to a large degree,
17    limited. You cannot test all the functions that you can have
18    in a platform like this, so you can have unintended
19    functions, you can have failures that cannot be identified.
20              So as you heard, we rely a lot on the diversity
21    and defense-in-depth to compliment the reliability that we
22    may e losing from the software, lack of full testability.
23              Of course, detecting design errors would be one of
24    those errors in the software.  With hardware, it could be
25    minimized through the periodic testing and the diagnostics
.                                                                90
 1    that are available.
 2              Complete testing refers to the software
 3    reliability.
 4              Potential for common mode failures is, as we
 5    talked about, software errors.  The complexity of operating
 6    systems.  Complexity in the operating systems are mainly the
 7    systems that are used as the ABB/CE is a commercial grade
 8    type of system that is being applied in nuclear service.  We
 9    need to look at more carefully how we qualify that, and
10    that's the commercial dedication area.
11              Equipment sensitivity environment and temperature,
12    humidity and EMI and RFI was discussed.  We have specific
13    criteria for qualification and we place a great attention to
14    that.  And vendors have addressed those issues.
15              In our reviews, this is going to be a little
16    redundant, we look at the principally the adequacy of
17    commercial grade dedication process to assure safety grade
18    quality platform.
19              This is a serious process.  There are a lot of
20    criteria that have been generated, as we indicated earlier. 
21    There's EPRI documents that have been generated that we have
22    endorsed and IEEE standards that vendors need to follow in
23    order to commercially dedicate platforms that are not
24    specifically designed and qualified for nuclear service.
25              System requirements, hardware and software
.                                                                91
 1    specifications and equipment qualification documents and
 2    test data are also being reviewed by the staff.  The formal
 3    design process, the life cycle was discussed earlier.  We
 4    look at that and make sure that what they have there will be
 5    what they intended to have in the planning, is what the
 6    operation will provide, and we look at all the planning of
 7    the design, implementation, testing and the final operation
 8    aspects of the designs of the life cycle.
 9              And adequacy of configuration management and
10    system software.  System software is what was discussed
11    earlier
12    today.  Again, we place great emphasis in our reviews, and
13    various other documentation.
14              Verification and validation.  We look carefully at
15    independence of the people that do the verification and
16    validation to make sure that the designers are not
17    influenced by their own, of course, scheduling and funding
18    requirements and constraints when they do verification and
19    validation.  So we try to make sure that the people that do
20    that work are not constrained by the same problems that the
21    designers are, so that the product comes out as more
22    reliable.
23              CHAIRMAN UHRIG:  They probably learned out of the
24    same book.
25              MR. MARINOS:  They may have learned, but they're
.                                                                92
 1    presumably different people with different manners of
 2    organization, they have different interests.
 3              CHAIRMAN UHRIG:  I understand.
 4              MR. MARINOS:  And we do conduct audits.  We go to
 5    the sites and we look at some of the documentation from the
 6    design through the implementation and testing of some of the
 7    software.
 8              Environmental qualifications, the platform, as we
 9    talked already about this.  And interfaces with other
10    equipment and human-machine interfaces.
11              CHAIRMAN UHRIG:  What are the environmental
12    requirements for the systems that we're talking about here? 
13    Are they that it has to survive a LOCA, a LOCA environment?
14              MR. MARINOS:  No, because as stated earlier, those
15    -- the equipment are either in relay rooms or control rooms,
16    usually in the relay room where the cabinets are being
17    replaced.
18              In fact, a lot of them would tend to retain the
19    cabinets that they had before and put the equipment in the
20    old cabinets that have the seismic qualification already.
21              So the environment that was required for analog
22    systems, of course, may be more sensitive for the digital,
23    but that is the kind of qualification that they will need.
24              We don't expect -- now, in smart transmitters,
25    which is something that is coming to us, the transducer
.                                                                93
 1    actually is replaced, the traditional transducer with a
 2    digital and actually the I/O is right in there and you get
 3    the digital signal right out of the transducer.
 4              So the qualification of that instrument may be a
 5    little different because of the environment that it's in.
 6              CHAIRMAN UHRIG:  More severe.
 7              MR. MARINOS:  Correct.  But we don't have them yet
 8    in safety applications.
 9              Interface with existing equipment, communications,
10    timing requirements.  Timing requirements to assure that the
11    execution of the whole cycle meets the design basis
12    requirements for actuation of a system when it's needed.
13              MR. LEITCH:  Excuse me.  I notice that in the
14    Westinghouse SER, there are ten generic issues listed, but I
15    don't see a similar listing in the Siemens.  Might I
16    conclude that there are no generic issues related to the
17    Siemens?
18              MR. MARINOS:  I'm coming to them in the
19    presentation and maybe we can discuss it then, if I may.
20              MR. LEITCH:  Okay.  Fine.  In the plant specific
21    reviews, now, which will be different than the platform, we
22    will look at the plant specific requirements as they
23    interface with the design details, how were differences in
24    existing nuclear plant equipment interfaces, how they
25    interface with the platform, application specific software
.                                                                94
 1    integration with qualified platforms.
 2              Of course, they have to generate new software for
 3    the application area, so we will apply the same sort of
 4    review criteria as we did for the platform for software and
 5    hardware and so basically we do the same thing.
 6              We will look at the control room design and see
 7    how it is amenable to this change.  Technical specification
 8    modifications, you've heard, again, today, the modification
 9    will be essentially relaxing requirements and we are
10    prepared to do that to evaluate those relaxations in
11    extending the surveillance intervals on the basis of the
12    continuous monitoring and testing of the equipment and the
13    reliability of the hardware mainly, because the hardware is
14    continuously monitored, which analog systems generally were
15    not.
16              So we expect significant relaxations for this
17    equipment.  Defense-in-depth and diversity, a determination
18    will be -- there is a methodology, as they pointed out today
19    in the platform presentations, generic methodology that the
20    vendors will provide, but then there is a plant specific
21    defense-in-depth based on the design of the systems, what
22    kind of equipment, what kind of systems they will use to
23    compliment the platform in terms of to address the
24    defense-in-depth.
25              So, therefore, we will do a specific determination
.                                                                95
 1    of the adequacy of defense-in-depth and diversity on a plant
 2    specific basis.  And the implementation of design.
 3              In the Siemens Teleperm review, we completed the
 4    SER, as you saw, 5/5/2000 and we find it acceptable, with
 5    the following items that remain open.
 6              We identified four items; power supply to be
 7    qualified according to the EPRI document, the EPRI document
 8    we have endorsed and addresses the quality of the power
 9    supply for the digital equipment.
10              The environmental qualifications are addressed
11    also in the same topical report.  The seismic qualifications
12    that you heard, it was presented, now we still have open
13    items.  I think Siemens did not indicate there was an open
14    area, I'm not sure, but there is an area we still need to
15    get information on.
16              And the EMC qualification, according to another
17    topical report, an EPRI topical report 102323.
18              So I think that Siemens is planning to address
19    that or if not, we will address it on a plant specific
20    basis.  If a platform comes in with specific application and
21    it's not addressed by, it will be addressed one way or
22    another, either by Siemens or by plant specific application.
23              MR. LEITCH:  Does EMC include RFI?
24              MR. MARINOS:  Yes.  EMI/RFI is both of them. 
25    Plant specific review for the Teleperm XS review we will
.                                                                96
 1    look for, of course, set point analyses, how they address
 2    the set points for the accident analysis and make sure that
 3    the accidents in Chapter 15 or whatever chapter it is for
 4    the particular plant are addressed in their evaluation of
 5    that, in the implementation of the platform.
 6    Again, plant specific technical specifications will be
 7    looked at before we address any relaxations in how the tech
 8    specs, the present inspection of plant apply to this.
 9              The power supply quality, again, is an area that
10    we will look at, because the plant specific area will have
11    separate power supplies.
12              Isolation devices to be qualified, and those are
13    the devices that would be used when information is taken
14    from the platform into communication areas for sharing.  We
15    want to make sure that no unwanted transients are affecting
16    redundant channels in the system.
17              The Westinghouse/CE Common Q review was completed
18    August 2000 and the area that we have open, as Ken Scarola
19    addressed them earlier, is the flat panel display system,
20    which is presently non-safety and they will address the
21    safety aspects of it at a later date.
22              Hardware, non-AC-160 hardware have not undergone
23    commercial dedication.  Now, as we said before, commercial
24    dedication of hardware and software is something that we
25    look at and that is not completed yet for that particular
.                                                                97
 1    area.
 2              And the technical specifications that NEI has a
 3    more generic review of that, so we will wait for them before
 4    address the technical specifications.
 5              Again, the plant specific areas for the
 6    Westinghouse type will be -- well, suitability of the 600
 7    I/O modules, I think Ken Scarola addressed that earlier, how
 8    it's going to be applied in plant specific applications. 
 9    Environmental data, plant specific temperatures and humidity
10    and seismic qualification requirements, as enveloped by the
11    Common Q qualification, to make sure that the plant specific
12    are enveloped.  If not, they will have to do a more special
13    qualification.
14              The life cycle, again, plant specific hardware and
15    software life cycle process, we will evaluate, that is an
16    area that needs to be addressed.
17              Timing analysis, again, we make sure that the
18    timing of the events are consistent with the application of
19    that platform.
20              And modification of plant specific technical
21    specifications.  And the capacity of shared sources, the
22    common mode, make sure that the power supplies meet all the
23    requirements.
24              In conclusion, we expect, in the near future, to
25    receive plant specific applications and license amendments
.                                                                98
 1    for the two platforms that are already out there.  We will
 2    continue to review the Triconex and the Westinghouse
 3    platforms.  And we're seeking to increase our qualified
 4    staff.  We're always short on staff and we are anticipating
 5    a large number of reviews in plant specific areas.  We will
 6    need more staff to continue this and train ourselves.
 7              CHAIRMAN UHRIG:  Given the pressure to maintain or
 8    actually reduce manpower within the Commission, is this
 9    going to be a severe problem getting people with expertise?
10              MR. MARINOS:  I don't think so.  I think our
11    management is sensitive enough and have been informed enough
12    and, as you pointed out earlier, the Commission is aware of
13    this and, no, I don't think this area is, in fact -- I'm
14    encouraged to put out a vacancy announcement to get
15    technical --
16              CHAIRMAN UHRIG:  The problem will be getting
17    somebody to respond to a vacancy notice.  Not many people
18    out there that are really qualified.
19              MR. MARINOS:  That is the problem.  So we've got
20    to maintain what we have and increase our staff and also
21    maintain, of course, the expertise as the technology is
22    moving at the speed of light, as Ken indicated.
23              So we have a great challenge there.  So as I
24    mentioned earlier, we are cooperating with Research. 
25    Research is doing a lot of searching into maintain our
.                                                                99
 1    expertise and keep us in touch with the changing technology
 2    and there are a number of issues that we usually have
 3    identified and they are having contracts with specialists in
 4    various labs or other technical areas, organizations to
 5    maintain our status.
 6              That's it.
 7              MR. LEITCH:  I notice that Westinghouse has
 8    withdrawn the E3.
 9              MR. MARINOS:  Yes.
10              MR. LEITCH:  Is there any suggestion that in light
11    of the acquisition of ABB/CE, that the ASICS may be
12    withdrawn?
13              MR. MARINOS:  I'm not sure.  I suspected this.  It
14    was not as far along as the ABB was when we were reviewing
15    it.  It was mostly in the planning stages and my guess is it
16    is, but maybe Westinghouse can address that.
17              MR. SCAROLA:  I can address it.  No, there is no
18    intention to withdraw the ASICS application.  We really view
19    these as different products for different markets.  So the
20    ASICS application will stay intact.
21              MR. LEITCH:  The E3.
22              MR. SCAROLA:  The E3 has been withdrawn and the
23    AC-160, the Common Q platform is now the Westinghouse
24    standard product for all safety system replacements.
25              MR. MARINOS:  The question was why was it
.                                                               100
 1    withdrawn.
 2              MR. SCAROLA:  I'm sorry.  It was withdrawn because
 3    they were overlapping products and when Westinghouse
 4    acquired ABB, we were much further along with the Common Q
 5    licensing than Westinghouse was with E3.  So it was just a
 6    business decision.  There was no need for two platforms.
 7              The ASICS is a different product because it's
 8    really targeted for essentially spare part type of
 9    replacements, one for one module replacements, not full
10    system replacements.  It's a different market.
11              CHAIRMAN UHRIG:  E3 was essentially the Sizewell B
12    technology?
13              MR. SCAROLA:  No.  In fact, the E3 was a
14    combination of the Sizewell software with the Ovation
15    product hardware.  It was a merging of the two platforms.
16              CHAIRMAN UHRIG:  Thank you.  Any comments from
17    committee members?
18              MR. LEITCH:  I see in the discussion of the
19    Siemens there is a lot of specific general design criteria
20    that it says it meets this, it meets this, it meets this. 
21    That seems to be absent in the Westinghouse -- is it just a
22    difference in presentation?
23              MR. MARINOS:  Style.  It's different reviewers. 
24    Though we had the peer review and most everyone in the group
25    that has this expertise participated in the review of all of
.                                                               101
 1    them, of both of those topical reports, it was a specific
 2    reviewer, however, designated, or two.  So it was a
 3    different style of review.  We didn't really pay that much
 4    attention to make it as consistent as it might have been,
 5    but that's not the case.  They all meet the same criteria.
 6              MR. LEITCH:  Thank you.
 7              MR. MARINOS:  That's exactly right.
 8              CHAIRMAN UHRIG:  Any other questions?
 9              MR. LEITCH:  No.
10              CHAIRMAN UHRIG:  Well, thank you very much.
11              MR. SIEBER:  I think we can close this session at
12    this time.  I guess I'd like to extend our appreciation to
13    all the presenters today.  I think it was well done and at
14    this time we will recess the meeting and go to lunch.
15              [Whereupon, at 11:29 a.m., the meeting was
16    concluded.]
17
18
19
20
21
22
23
24
25

 

Page Last Reviewed/Updated Tuesday, July 12, 2016