ACRS Subcommittee on Plant Systems Meeting - October 31, 2000
UNITED STATES
NUCLEAR REGULATORY COMMISSION
***
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
***
SUBCOMMITTEE ON PLANT SYSTEMS

Tuesday, October 31, 2000

The subcommittee met, pursuant to notice at 8:30 a.m.

BEFORE:
AMARJIT SINGH
P R O C E E D I N G S
[8:30 a.m.]

CHAIRMAN UHRIG: Good morning. The meeting will now come to order. This is a meeting of the ACRS Subcommittee on Plant Systems. I am Robert Uhrig, Chairman of this subcommittee.

Other ACRS members in attendance are Dr. Dana Powers, Graham Leitch, and Jack Sieber.

The purpose of this meeting is to discuss the safety evaluation reports for the Westinghouse/ABB/CE and Siemens digital I&C applications.

Mr. Amarjit Singh is the cognizant ACRS staff engineer and designated Federal official for this meeting.

The rules for participation in today's meeting have been announced as part of the notice of this meeting previously published in the Federal Register on October 18, year 2000.

A transcript of the meeting is being kept and will be made available as stated in the Federal Register notice. It is requested that speakers first identify themselves and speak with sufficient clarity and volume so that they can be readily heard.

We have received no written comments or requests to make oral statements from members of the public.

We will now proceed with the meeting and I call upon Mr. Larry Erin, of Siemens, to begin.
MR. ERIN: My name is Larry Erin; I work for Siemens Power Corporation. I'll be giving an overview of the Teleperm XS safety system that's been designed by Siemens and used for nuclear power plant applications.

The first slide that you see here is just a picture of our overall I&C solutions. It's a combined architecture of the Teleperm XS, which is used for safety applications, and the Teleperm XP, which is used for non-safety applications.

The platforms, again, interface with field components, both 1E safety applications and non-1E, which are non-safety and control systems.

The Teleperm XS is used for the safety applications. The Teleperm XP platform, an automation system, is used for the non-safety applications. Typical safety applications are for reactor protection, safeguards actuation, safety controls, nuclear instrumentation system.

Also, we have a Teleperm XP operation and monitoring system that is used for the plant computer type applications. And the Teleperm XP also has a capability to interface with other plant types of buses that are used throughout the plant.

I'm going to give an overview of the Teleperm XS, which is the safety system. Some of the basic design goals, when the Teleperm XS system was developed for the safety applications, were to have short response times. Typically, the I&C portion of the channel needs to respond at something less than about 200 milliseconds. Proof of required reliability; this needs to be a highly reliable system because of the applications. And the ability to control all of the postulated events.

Some of the important criteria for digital-based safety systems would be no event-driven interrupts, no code optimization, and simple software structures.

CHAIRMAN UHRIG: Could you elaborate on that, no code optimization?

MR. ERIN: Some of the compilers that can be used have methods of, I'd say, optimizing the code, minimizing the usage, and some of the criteria that's been given back to us from industry is that they operate more reliably if you don't use the optimization features of the compilers.

CHAIRMAN UHRIG: Thank you.
MR. ERIN: Some of the elements that go into the make-up of the system: standard hardware components. Some of these in the I/O area have been used elsewhere in industrial applications in Siemens products.

We have specific system software that was developed specifically for the safety system applications. And we have an engineering system that provides the interface between the engineer and designing the application.

The engineering system gives us one common tool that's used for both the specification of the hardware and the software design, provides automatic code generation, and our code generators were independently verified and validated.

The specific system software is based on a deterministic operating system, no event-driven interrupts. I've put together software libraries that have been verified and used specifically for the safety system applications.

DR. POWERS: Could we come back to this statement you made, event-driven interrupts? You said there are none?

MR. ERIN: That's correct.

DR. POWERS: I guess I don't understand what that means.

MR. ERIN: It means once we get into our execution cycle for an application, there is nothing external to the system that can cause that execution cycle to be interrupted and not proceed to completion of the cycle.

For example, if there was some other event in the plant or in another channel of equipment, it is not permitted to interfere. You're familiar with the multi-tasking capabilities of your PC that you have at home. The systems that are used for safety-related applications are designed to preclude any sort of multi-tasking.

Once you begin to execute the safety function, you have to complete that execution cycle to completion without being interrupted.
DR. POWERS: I would just comment that, I think I understand what you're saying here on this particular issue, but in the documentation, there's a lot of discussion of system generated interrupts and the question that came to my mind throughout was the question of how interrupts are handled between system generated interrupts and external interrupts when they're coincident and how coincident do they have to be to be coincident.

MR. ERIN: There are -- I think what you refer to when you talk about the system generated interrupts, these can be something that results from an internal diagnostic or some failure fault is detected internal to the system. And because of the recognition of that fault, the system fails to some predetermined state.

Those are going to be part of the system design. I guess the comment about them being coincident is there is not a way or a design path for an external type of event or interrupt to influence our system the way that it's designed.

DR. POWERS: I'm sure you don't mean what you say. If there's no way for the outside to influence your system, then the system is not very useful.
MR. ERIN: Other than, of course, the naturally designed interface between the external sensors and the input to the system.

DR. POWERS: And that's what I'm talking about. If you get a system signal in or even an internally generated one, the one that comes immediately to mind is a divide-by-zero error coming in because of the input to the system, at the same time you get a system generated input. At what points do they have to be coincident and how does the system handle it?

MR. ERIN: I'm not sure how to respond to that scenario.

DR. POWERS: Just bear it in mind as you go through the presentation.

MR. ERIN: Okay.

DR. POWERS: I'm sure it will come up again.

MR. ERIN: Okay. Due to the capabilities of the digital equipment and the design of existing analog systems that we're upgrading, we get into situations where we're able to combine many of the existing systems onto one digital platform.

For example, typically, you have separate systems currently in the plants for process protection, your ESFAS, relay protection, sequencer. These functions, because they share many of the same inputs, can be combined into single platforms using just a few subsystems of the digital platform, and because of this you end up eliminating many of the hardware interfaces that exist between the current systems, because you accept the input signals, do all the processing in a more centralized location, and then have your interface with the outputs.
This picture is a hierarchical view of the Teleperm XS system, starting with the field sensors, coming in through the signal conditioning. We show that we typically have four redundant protection channel sets, a monitoring and service interface, an isolation device and gateway to the TXP, which is non-safety applications, and a service unit that is used for the monitoring and service interface.

Over here, also, there's a capability for inputs for monitoring and manual controls.

This picture may be a little more clear in your handout. It represents the capabilities of the space engineering system, which is part of the service interface. This is the engineering system that I mentioned earlier that's used for hardware design, determines module location, cabinet location, the network diagrams, the interfaces between the communication links, the functional diagrams for the system, and provides diagnostics and monitoring.

You can actually use this service unit to interrogate the inner workings of the system, follow a signal through all of its function blocks, look at its signal values anywhere within the internal functional diagram.

This whole system is based on a graphical user interface to build the functional design on the screen. The other functions are completed automatically by the design of the system.
CHAIRMAN UHRIG: Is there a navigational problem of going from one to the other? How do you -- what I'm getting at here is, is this a hierarchical system and each one that you have to sort of go down through it? Can you jump from somewhere low in, say, network diagrams over to somewhere in the lower part of diagnostics and monitoring, or do you have to go to the top of diagnostics and monitoring and go down?

MR. ERIN: I need to defer to someone who knows the answer, and he just nodded yes. The internal links allow you to go automatically from one screen to the other.

MR. WINKLER: My name is Martin Winkler, with Siemens. The system supports both horizontal and vertical navigation features to go through those diagrams, so the different types of diagrams are connected by those navigation features.

CHAIRMAN UHRIG: Okay. So you should have no problem of going wherever you want to go directly without having to go through a whole sequence.

MR. ERIN: Correct.

CHAIRMAN UHRIG: Like you typically do on a computer.
MR. ERIN: This is just a single line representation of the signal flow through the system. At the top, for protection channel set one, you have your data acquisition block. It comes into the processing portion of the TXS, and down below we have an actuation voting, where a two out of four function is completed.

Now, the lines that you see toward the redundant channel sets, these represent communications between channels. It's not a mandatory configuration, but in our typical recommended configuration for the reactor protection system, we'll take the information that's in protection channel set one and share it with protection channel sets two, three and four, and it gives you the capability to do the two out of four voting for any parameter four times.

It can be done in each of the four redundant channel sets and then it can be done by this voting logic one more time down below, just to vote whether or not two of the four channel sets had voted two out of four for a particular function.

So an extra layer of two out of four voting is provided as a capability beyond what you would get in the analog system.
DR. POWERS: Is it clear that having an extra layer of two out of four voting is a good thing?

MR. ERIN: I think there is an opinion that it's a good thing. It gives you some advantages in terms of operability when you're performing surveillance tasks and doing maintenance.

One of the protection channel sets can be defeated or shut down for maintenance and you still have the capability of two out of three in the remaining channel sets, where if you wanted to design the application to default to one out of three, you can do that, also. It's up to the user and there is going to be an interface with the plant-specific tech specs on which way they decide to go.

But in my opinion, there's operability advantages from having the extra voting and being able to effectively be in a bypass condition when you perform surveillance tests and when you're doing maintenance.

CHAIRMAN UHRIG: So you can take any one of those sets out of service for maintenance, signals coming from that particular channel.

MR. ERIN: Yes.

CHAIRMAN UHRIG: Could you take two out simultaneously?

MR. ERIN: Two redundant channel sets?

CHAIRMAN UHRIG: Yes. Or if you had a glitch -- say you had one out for maintenance and you had a glitch, a transient of some sort in one system, this could handle that then.

MR. ERIN: That's the idea of going into bypass. If you take one out for maintenance and you stay two out of three on the remaining three, as opposed to going one out of three, that transient on one of the three remaining systems doesn't trip the plant.

CHAIRMAN UHRIG: Yes. I thought it was, but I wanted to make sure.

MR. ERIN: Yes. That's the operability advantage.
CHAIRMAN UHRIG: Okay. This feeds into then two trains that are virtually independent.

MR. ERIN: Train A, train B, completely independent trains.

CHAIRMAN UHRIG: Even though they're feeding from the common set of signals coming from sets one, two, three and four.

MR. ERIN: These are isolated data links. So that no fault on one side of the data link can go back and degrade a function on the input side of the data link.

What you end up with here, take steam generator level, for example, you have four channels of steam generator level. Say you're looking at your low level protection. Instead of having channel one, two, three and four for a particular steam generator, just spread over the four redundant sets.

Each one of these redundant channel sets votes two out of four on the steam generator level. So you're two out of four on steam generator level here, here, here and here, and what we're doing with this voter is simply saying did two of the four redundant channel sets vote at least two out of four low level for steam generator level.

In the analog system, no voting would be done until you got down here to the voting portion, to the relay portion of the system, because these protection channel sets would not communicate with each other in the analog system.
CHAIRMAN UHRIG: Is there a way of propagating a problem with one of the four channels there from one to the other? You're showing the cross links there. Suppose you had a short in a signal coming into set one or within the protection logic, for instance.

MR. ERIN: The isolation would protect you from any electrical types of faults. Now, the other thing that we can do, and we typically design it into the application, is that we will compare each input versus the other three, and if one of the inputs deviates from the other three by some predetermined amount, then it is rejected from being processed further through, because it's considered to be a failed signal.

CHAIRMAN UHRIG: And this is all sampled systems, so that you -- each sampled set goes through that test.

MR. ERIN: Correct.

CHAIRMAN UHRIG: This set might have one signal thrown out, the next one might be all four would be satisfactory.

MR. ERIN: If you were right on the edge, that's a possibility.

MR. LEITCH: Could this system be utilized in an application where there were four trains?

MR. ERIN: It could be. The system is just basic building blocks and the user can configure and interconnect those building blocks in accordance with whatever his specification or functional design is.
Just a little more detail here from the previous figure. You can see the four redundant channel sets, one, two, three and four. The independent voters, train A and train B, that we talked about.

An interface with the main control board annunciator system and the interface with our monitoring and service interface equipment, which connects with the service unit, which is used for the monitoring and the engineering functions associated with the system.

These are the gateways which allow the conversion of the digital information in the safety system to be passed on to the plant bus, the XP plant bus and the TXP operation and monitoring system.

This picture is a representation of surveillance tests and combined automatic and user initiated testing that's provided with the TXS system.

Over on the left-hand side you can see the on-line monitoring. This on-line monitoring is done automatically, executed every cycle. The periodic testing is tests that are not done automatically, but they are initiated by the user.
CHAIRMAN UHRIG: Once they're initiated, are they then automatically carried out?

MR. ERIN: There's a degree of automation in each of these. For example, the startup self-test when you reboot the system. There's a sequence of tests that are performed every time on a reboot and, of course, that's automatic.

We have the cyclic self-monitoring that's done every cycle, monitoring on the bus communication system. There are tests that are done, these engineered input checks are called engineered checks because these are designed by the user. They're part of the application.

If you decide to do that check of one redundant sensor versus the other three and compare it versus some delta, that's something that the user can set up. So we call it an engineered check.

There's a capability to check the relay output signals. We have check-backs built in that's automated into the design.

And there's automatic cabinet and sub-rack monitoring, things like power available to the sub-racks, cabinet door open alarms, all these types of things are part of the on-line monitoring.

Over on the periodic testing, there is a startup self-test that would be done periodically when you reboot the processor subsystems. There is an input test that could be initiated by the user. It's like a traditional test you would do on an analog system: disconnect the sensor, inject the signal, follow the signal, check the calibration accuracy of your equipment.

Output tests are available both go and no-go, where you can actuate the interface or choose not to actuate it if it's one that you would not want to actuate in the plant, and we have the capability for response time test.

MR. LEITCH: When you say disconnect the signal, I assume the system is built in such a way that that does not involve any actual lifting of leads or --

MR. ERIN: Correct.
MR. LEITCH: That the system is built to facilitate this. There's no jumpers, no lifted leads.

MR. ERIN: No jumpers, no lifted leads. We have a portable test machine that facilitates the test and we're able to automatically disengage the sensor from the system and inject our test signal.

CHAIRMAN UHRIG: Is your test signal digital or analog? Does it go through the A-to-D converter?

MR. ERIN: Yes, it does. It's an analog input.

CHAIRMAN UHRIG: It checks the converter then.

MR. ERIN: We need to do that to check the calibration accuracy of the front-end portion of the equipment.

This is a picture of a typical Teleperm XS rack and subsystem. These are the ones that have been used in applications in Europe.

Up at the top of the cabinet here, you see the microprocessor subsystem, our processing boards, communication processors.

Some of the I/O devices are shown down here at the bottom. The interfaces for communication data links are over on the left-hand side. This is just a little larger picture of the subsystem over here on the left-hand side, just to give you an idea physically of what the equipment looks like.
CHAIRMAN UHRIG: What are the dimensions, standard rack width?

MR. ERIN: Nineteen-inch racks.

CHAIRMAN UHRIG: Does this whole system fit in one rack, several racks?

MR. ERIN: It depends on the amount of I/O in the application, but what we have seen in typical applications is that we're able to reduce the amount of cabinet space that was required for the analog system. There's a space efficiency that's gained by going to the digital equipment.

CHAIRMAN UHRIG: On a backfit, you would have plenty of room.

MR. ERIN: Yes. We end up having some of the cabinets that previously had analog equipment in them become spares on the backfits.

And these are just some pictures of the various boards: TXS processing module, communication, digital output module, and the analog input module, where the A-to-D conversion is done.

CHAIRMAN UHRIG: What accuracy on the A-to-D conversion, 16-bit or 12-bit?

MR. ERIN: It's 12-bit.

CHAIRMAN UHRIG: A tenth of a percent. No. It's better than that.

MR. ERIN: A little higher. This was just a summary of some of the features we had just talked about. They're in the handout. I don't think I'll read them to you.

The next portion of the presentation was a discussion --
MR. LEITCH: I have a couple of general questions. Maybe this is going to be covered later, but what are the typical customers for this type of a system now? In other words, is this an existing nuclear plant that wants to retrofit with this kind of equipment or is this being proposed for brand new plants or how does that work?

MR. ERIN: Depending on the region of the world where we're working. In China, for example, we're installing this equipment in two completely new Russian designed plants, where we're providing the I&C with the Siemens Teleperm platforms.

In the United States, the current market is completely retrofit. We have a lot of customers that have equipment that's 15-20 years old, many of them are currently going for life extension, and they're looking to modernize the I&C systems for a variety of reasons, spare parts and maintenance being one of the big ones.

And we're taking this equipment and retrofitting it into the existing cabinets and removing the analog equipment.
MR. LEITCH: Is that retrofit then an all or nothing situation or can one have this platform, if that's the right term, and partially retrofit?

MR. ERIN: It's always going to be done piecemeal, just because of the sheer logistics of the amount of time that it takes to remove an existing system and install a new one compared to the typical outage time that's available.

So we look for ways where it makes sense to combine certain systems to replace at particular outages, and then the next outage you move to the next group of systems that make sense. So it's always done in a piecemeal type of way.

MR. LEITCH: But the basic Teleperm system, as I understand it, would be installed once and then at subsequent outages you could retrofit certain portions or certain systems.

MR. ERIN: On the safety side, typically, it's done a couple systems at a time and these can be interfacing types of systems. For example, you would almost always want to take your process protection, where you acquire your temperatures, pressures, flows and levels, the process side, and interface with the loading. You take those signals, you read them, you go through bistables where you compare them to their set points, and then you do the two out of four voting.

In the current plants, the process portion and the voting portion are almost always different equipment types, but you would want to combine those and replace them during the same outage if you're going to a digital system, because it makes sense due to the information that's already available as inputs to the system.

But you might have a stand-alone system, like a diesel generator load sequencer, that's independent of the process protection, and that could be done on a stand-alone basis or at a different outage, if someone chooses to upgrade that system.
MR. LEITCH: And would the main motivation be obsolescence of existing equipment or is there a reliability improvement perceived with this system?

MR. ERIN: I believe there's always reliability improvements with the digital platforms that are available today. But it doesn't seem to be the motivation. The utility motivation seems to be obsolescence issues, maintenance issues, cost of spare parts, and in addressing those problems, if they're able to improve reliability and operability, then those are benefits that also come along with the upgrade.

Occasionally you might have a troublesome system that you want to upgrade because it's causing you so many maintenance problems or maybe even occasionally causes a plant to trip, and that would be a good reason for targeting that system at the very front part of your upgrade schedule.
MR. SIEBER: How sensitive is your system to disturbances in input power? For example, both A/C and D/C buses in a power plant are very noisy, with circuit breakers closing and loads starting up and inductive devices doing their thing.

MR. ERIN: There's requirements that are very specific for EMI/RFI and surge protection, and as I go through the NRC review, I will make reference to some of the standards that were used regarding acceptance criteria in that area.

MR. SIEBER: Does your equipment do the power conditioning or is that something that the owner has to apply when he installs your equipment?

MR. ERIN: We accept 118 volts A/C that has gone somewhat through the owner's power system. It's coming from a Class 1E inverter. The input signal that we see.

MR. SIEBER: I ask that question because I've had a couple of ugly experiences with digital systems on D/C buses where the opening and closing of contactors put surges in the line and would reset the CPUs, and it was bad news.
MR. ERIN: This figure represents some of the criteria that were looked at as part of our generic qualification of the system and also provides some separation between elements that were looked at generically and things that still remained to be looked at on a plant-specific application basis.

As part of the generic qualification, we just mentioned EMI/RFI and surge withstand, qualification to environmental conditions and environment, seismic conditions, depending on the plant and the floor responses and rack responses. We need to satisfy a seismic qualification criteria.

There is a generic verification/validation of our system software design and engineering tools that are used by the user for the system. Diversity and defense-in-depth methodology is one of the items that was looked at on a generic basis.

As you get into the particular application with any specific utility, they're going to have specific design requirements, functional requirements, that have got to be implemented and verified for that application. There is going to be a plant-specific diversity and defense-in-depth assessment that's going to be specific to their particular I&C configuration. It's going to be specific to their particular Chapter 15 accident analysis.

And there are going to be validation tests that have to be performed on a plant-specific basis in order to validate that the equipment has been designed properly and the application has been installed properly on the digital equipment.
As part of our review process with the NRC staff, I guess I will mention that this was one of the first major applications that's been reviewed since the new standard review plan, which I believe the ACRS had some input to.

There were a variety of documents that we submitted to the staff in order to support our system. There was a topical report that was done. It was a general topical report which described the system, described the system hardware, the software design, compliance with key criteria.

In addition to that, there were a number of other reports that were submitted along the way.

We had a specific report to discuss all the periodic surveillance test capabilities of the TXS system. There was a report for the shielding and grounding guidelines for application of the Teleperm XS.

CHAIRMAN UHRIG: Now, these three reports have been submitted and have been approved by the NRC, correct?

MR. ERIN: They were all reviewed and discussed in the safety evaluation.

CHAIRMAN UHRIG: So that a vendor -- I mean, a utility now could come in with an application to install this equipment and make reference to these reports.
MR. ERIN: Sure. That was the idea of submitting reports up front, having a generic review, and then for a plant specific application, the utility makes reference to the generic reports and addresses the plant specific open items that were discussed in the staff safety evaluation.

CHAIRMAN UHRIG: These are the three main ones. Are there any others?

MR. ERIN: We've got a few more here.

CHAIRMAN UHRIG: Okay.

MR. ERIN: We had a couple on diversity and defense-in-depth. One was a methodology to show how we would recommend going about being consistent with Branch Technical Position 19 and NUREG-6303, which was discussed in BTP-19.

And we also did a typical application of our methodology to show how, for a typical plant, using our methodology and our recommended architecture, we would end up addressing diversity and defense-in-depth and how we would segregate our various systems.

This is just a summary of the systems that can be upgraded using the TXS: your typical plant safety systems, process protection, logic voters, ESFAS, diesel generator load sequencers, safety-related BLP functions and Class 1E controls would be the target systems.
CHAIRMAN UHRIG: Typical installation by a utility would involve all of these or would it be one or two or what has been your experience so far? What do you anticipate?

MR. ERIN: We've seen customer interest and proposals ranging from any one of these systems to utilities that have a vision that they want to replace all of these systems in some sort of phased approach.

It's really been a combination of all of the above.

CHAIRMAN UHRIG: So that you could install just one of these, make reference to the appropriate documents that you just listed.

MR. ERIN: Sure.

CHAIRMAN UHRIG: And submit it to the NRC and address the open items.

MR. ERIN: Yes. And further generic aspects of the equipment qualification, the system software design, the verification and validation that was done on the platform. It doesn't matter what the application is. So those generic things, I think the NRC safety evaluation addresses very well, and the items that would be plant-specific open items were also identified in the safety evaluation by the staff.
CHAIRMAN UHRIG: Now, each one of these modules here has its own microprocessor system and its own programming, so that you don't in any way tie those together.

MR. ERIN: Typically, that's correct. The ESFAS and the process protection sometimes are intermingled, because some of the functions that are in process protection are also in the front-end for ESFAS. So you get some intermingling in that area.

And that is one of the things that is looked at when you do the diversity and defense-in-depth evaluation. You break your system into like blocks, you postulate potential common cause failures of those like blocks, and you make sure that you have adequate protection remaining for the plant.

CHAIRMAN UHRIG: Do you use your own microprocessors or do you use --

MR. ERIN: Siemens, we use our own.

CHAIRMAN UHRIG: You use your own.

MR. ERIN: Yes. The design of our microprocessor boards, we go back to Intel for some of our chips. But the microprocessor boards are Siemens' design.

CHAIRMAN UHRIG: Like the Intel is something like Pentium?

MR. ERIN: 486s, Pentiums, we've used various Intel processors.

MR. SIEBER: The diesel generator load sequencer, that's a stand-alone device, is it not? Generally powered by D/C.
. 28
1 MR. ERIN: I'm not certain.
2 MR. SIEBER: Well, if you have a station blackout,
3 that's all that's left.
4 MR. ERIN: Okay.
5 MR. SIEBER: Getting back to my other question,
6 this is where all the spikes come from. Is that tested so
7 that a spike on a D/C bus won't reset the load sequencer and
8 prevent the diesel from loading?
9 MR. ERIN: Any of our input power signal
10 conditioning would have to undergo surge withstand testing.
11 That's a requirement for any safety-related system.
12 In the area of equipment qualification, I wanted
13 to mention briefly the approach that was used. We were
14 looking for some industry document that had the best
15 collection of requirements and acceptance criteria in this
16 area and the one that we used, and was also used by the
17 staff during the review, was EPRI Topical Report 107-330.
18 It was a generic requirement specification for
19 commercially available PLCs that was written over the last
20 couple of years.
21 It was a very good benchmark document because
22 there was a broad range of industry representation on the
23 group that wrote the requirements document, including staff
24 representation, and then through EPRI, they submitted that
25 topical report to the staff for review and safety
. 29
1 evaluation.
2 So it became what I will say is a very good
3 benchmark and very good precedence for the current
4 requirements in the area.
5 We had prepared a report and submitted it to the
6 staff, TR-114-017, which compared all of our system design
7 and qualification items versus the EPRI requirements.
8 So once we had a benchmark established, we then
9 prepared a matrix showing exactly where we stood versus all
10 the EPRI requirements and that was part of the review
11 process.
12 CHAIRMAN UHRIG: Now, this is for PLCs. But
13 you're using microchips.
14 MR. ERIN: The PLCs really are very close to a
15 distributed processing system. And the requirements for a
16 digital PLC and a distributed processing system are very
17 much the same.
18 CHAIRMAN UHRIG: Physically they are, the
19 difference being one is better logic or some hard
20 programming versus the software.
21 MR. ERIN: Typically designed maybe for more
22 stand-alone applications, smaller applications, but PLCs in
23 recent years have become very powerful and some of the more
24 state-of-the-art PLCs can do most of the things that a
25 distributed system would do.
. 30
1 Some of the criteria that were used by the staff
2 during the review, to which we responded. Of course,
3 NUREG-0800, revision of the standard review plan, Section 7
4 on I&C provided a lot of guidance, a lot of details. Branch
5 Technical Position HICB-8 is guidance for application of Reg
6 Guide 1.22, discussed some of the requirements for periodic
7 surveillance testing. HICB-14 was one of the new ones that
8 was in the rewrite of the standard review plan guidance on
9 software reviews for digital computer-based systems, was
10 used throughout the review.
11 HICB-17 provided guidance on self-test and
12 surveillance test provisions. Again, that was one of the
13 new branch technical positions that was written for digital
14 systems.
15 HICB-19, I mentioned a little earlier, provided
16 the guidance for evaluation of diversity and
17 defense-in-depth; also references NUREG-6303, which was
18 used.
19 The EPRI document I talked about a little earlier
20 provided a benchmark for qualification requirements. And
21 in the area of EMI/RFI and surge withstand, EPRI-107-330
22 refers to EPRI TR-102-323, which was the document which gave
23 the results of all the surveys that were done by the EPRI
24 group to try and come up with enveloping environments of EMI
25 and RFI for the nuclear power plants.
. 31
1 CHAIRMAN UHRIG: What about things like smoke,
2 fire resistance? Is there any testing as far as smoke is
3 concerned, any attempt to address that?
4 MR. ERIN: I don't recall a specific NRC criterion
5 for smoke resistance. We don't run any special test for
6 smoke. I think there are some guidelines for using fire
7 retardant materials as you design your system, but the
8 specific test of the equipment for smoke is not done.
9 CHAIRMAN UHRIG: The concern here is the arc-over
10 associated with ionization brought on by the smoke in this
11 type of thing. I guess that's still a research area.
12 MR. ERIN: I don't know. If you have a control
13 room fire, there may be some other actions that are
14 necessitated prior to worrying about the equipment. You
15 would probably be in some sort of administrative action to shut
16 down anyhow.
17 MR. SIEBER: Have you done any aging tests of your
18 equipment to see how long it will function properly?
19 MR. ERIN: There's a sequence of testing that is
20 done to address aging. The environmental tests, for example,
21 are done prior to seismic tests. EMI/RFI tests are done.
22 We perform what I will say are thousand hour tests as part
23 of our type testing and in addition to what I'll say are the
24 sequence of testing, aging is also addressed through
25 periodic test process. We establish periodic test intervals
. 32
1 that are effective to catch failures and make sure the
2 equipment is still reliable.
3 We don't, for example, if you're asking if we take
4 equipment and test it for five or ten years, that type of
5 long-term aging, that's not done for the equipment.
6 Some of the plant specific interfaces that remain
7 that you might be interested in. I showed before on a
8 pyramid that each plant is going to have a plant specific
9 diversity and defense-in-depth assessment. There will be a
10 safety analysis confirmation for accuracy and time response,
11 technical specification confirmation, depending on how you
12 want to use these capabilities for bypass during test and
13 maintenance that affects your plant tech specs.
14 We need to make sure that the plant specific
15 environment has been enveloped by EPRI-107-330 and 102-323.
16 I haven't seen any cases where they're not.
17 There's plant specific annunciator and status light
18 arrangements and plant specific configuration management
19 procedures once they accept the new equipment.
20 And the conclusion, which came out of our safety
21 evaluation we received from the staff, it was based on the
22 information provided and review conducted.
23 The staff concluded that the design of the TXS
24 system was acceptable for safety-related I&C applications
25 and meets the relevant regulatory requirements.
. 33
1 DR. POWERS: I think I read that you tested the
2 material for -- the system for seismic concerns.
3 MR. ERIN: Yes.
4 DR. POWERS: And in that test, you operated in a
5 system that vibrated it at right at frequencies for one
6 minute.
7 MR. ERIN: I'm not certain about the one minute,
8 but there's IEEE-344 guidelines for the OBEs and the SSEs.
9 DR. POWERS: A relatively short period of time.
10 Have you also considered how it would perform during a plant
11 blow-down and the associated and very long-term vibrations
12 of the system during blow-down?
13 MR. ERIN: We haven't done anything beyond the
14 requirements in IEEE-344.
15 DR. POWERS: Would you imagine that there might be
16 some challenges there?
17 MR. ERIN: Something I hadn't considered.
18 DR. POWERS: I guess what I'm asking is in this
19 relatively short seismic test, which presumably the system
20 passed with flying colors, was there any indication that had
21 it gone on for an hour, like a blow-down might, would the --
22 that it might not have passed?
23 MR. ERIN: I can tell you, just based on our
24 experience, we used the same test specimen for many, many
25 different seismic tests, to the point where we stressed that
. 34
1 equipment, I would say, in four or five different seismic
2 test programs without causing any failures in that equipment
3 due to fatigue.
4 I would say, just based on that experience, I
5 would feel like, from a structural mechanical standpoint,
6 we're pretty robust.
7 DR. POWERS: That's what I was looking for.
8 MR. ERIN: I have a few minutes left. The last
9 section I have just provides some information on references
10 where the Teleperm XS has actually been used.
11 These sheets provide references for both our
12 Teleperm XS and our Teleperm XP platforms. Over on the
13 right-hand side, we show columns one for TXP and one for
14 TXS.
15 The ones that are currently in operation in
16 nuclear power plants have check marks over on the right-hand
17 side. We talked a little bit right at the very beginning
18 of the presentation, some of the US applications that are
19 planned, both the Callaway and Comanche Peak plants plan to
20 use both Teleperm XS and Teleperm XP for comprehensive I&C
21 upgrades and these are just beginning. We entered into a
22 contract with Callaway in the spring and with Comanche Peak
23 just a couple of months ago.
24 Some of the applications in Europe for TXS are for
25 reactor control limitation systems. I show some other ones
. 35
1 here. Reactor protection system, neutron flux measurement
2 at the Paks power plant in Hungary. That's a four-unit
3 application.
4 Bohunice is a reactor protection and limitation
5 system. A few more on this sheet. Beznau is a reactor
6 protection system upgrade and NSSS control system upgrade in
7 Switzerland that has recently been installed and the one I
8 mentioned in China is Tianwan, there are two brand new
9 nuclear power plants, Russian designed plants, and Teleperm
10 XS and XP is being used for the complete I&C, both safety
11 and non-safety.
12 CHAIRMAN UHRIG: Are those VVER?
13 MR. ERIN: Yes, VVER-1000.
14 CHAIRMAN UHRIG: The neutron flux measurement
15 system, is this the complete system or is it just you, for
16 instance, put in the self-power detectors or is that part of
17 the system that you just attach on and take the signals from
18 there?
19 MR. ERIN: I'll defer. Do you know, Mark?
20 MR. WINKLER: We are talking about the Teleperm XS
21 application and the Teleperm XS, of course, has to receive
22 the analog signals somehow from the nuclear detectors.
23 So there are different possibilities. Either you
24 maintain the existing analog portion, which provides voltage
25 level signals, or we also have a different product line
. 36
1 capabilities to directly get the information from the
2 nuclear detectors.
3 CHAIRMAN UHRIG: But you don't provide the
4 detector, the whole system.
5 MR. WINKLER: Siemens also provides detectors.
6 CHAIRMAN UHRIG: It does. So you could, for
7 instance, put in a whole monitoring system.
8 MR. WINKLER: Siemens has the capabilities, yes,
9 to provide that.
10 CHAIRMAN UHRIG: Are you finished?
11 MR. ERIN: Yes. That's all I had prepared. Are
12 there any questions from the committee members?
13 DR. POWERS: I wonder if I could just ask some
14 questions for personal information, because I don't
15 understand, and it's on this signal on-line validation using
16 the second minimum principle, second maximum principle. I
17 guess my question is you're avoiding using the first minimum
18 and the first maximum because you think they may not be
19 correct. And why do you think the second is correct?
20 MR. ERIN: One of the reasons could be that you
21 don't think the first is correct, the -- what we're really
22 accomplishing by using that second minimum or second maximum
23 is it's another way of performing a two out of four voting.
24 If you're, say, for example, looking at steam
25 generator low level protection and if you operate your
. 37
1 comparator based on the second minimum and you have all four
2 signals represented and your function is off the second
3 minimum, it gives you the same functional effect as a two
4 out of four vote, and that's really how it is used in each
5 of the four channel sets.
6 You would use the second max, if it's a trip on
7 high function.
8 DR. POWERS: Thank you.
9 MR. LEITCH: With these European plants, where the
10 system is in operation, have you had significant startup
11 problems resulting in, say, reactor trips or other
12 misoperations before you --
13 MR. ERIN: No, we haven't, and one thing that I
14 meant to point out and didn't is in all the operating
15 experience that we have in Europe, we've never experienced a
16 software failure in the field.
17 So the experience has been very good. The
18 reliability of the hardware components in actual operation
19 has exceeded our design calculations that we expected for
20 reliability, also. So we are very pleased with the
21 experience that we've had to date.
22 MR. LEITCH: Can you say a word or is it beyond
23 the scope of what you do, that is, the training of utility
24 personnel. In other words, I'm a little -- what concerns me
25 is you put in this system and it works fine and you lock up
. 38
1 the door and leave. Is there anybody in the power plant
2 that really understands the operation of this system?
3 Do you do some training of I&C techs?
4 MR. ERIN: We do a lot of training of both
5 technician and engineering personnel on the application of
6 the system and as part of that training, they also come to
7 understand the design fairly well, also.
8 But certainly the utility people become very
9 experienced and very proficient with the capabilities and
10 the application of the equipment.
11 MR. LEITCH: Are there protections against I&C
12 personnel interfering with or somehow, say, changing the
13 software inadvertently?
14 MR. ERIN: There's certainly levels of password
15 protection that are used for various personnel that have
16 various authorization privileges. There's key lock
17 switches; of course, there's administrative controls,
18 there's door open alarms. There is a sequence of
19 protections that would have to be violated for an
20 unauthorized person to somehow access and change the
21 software.
22 MR. LEITCH: My concern is that we're very
23 concerned in licensed reactor operators. Yet, I think in
24 some cases, we're putting in the hands of I&C techs
25 capabilities or decision-making that could be as significant
. 39
1 or more significant than the licensed operator.
2 MR. ERIN: In the analog world, you have
3 technicians going in and adjusting the potentiometer with a
4 screwdriver. In the digital world, he's installing a
5 piece of software or digitally entering a data value for a
6 set point. But ultimately it comes down to training and
7 administrative controls, procedures and documentation.
8 CHAIRMAN UHRIG: I've been groping for the
9 significance of the small triangles on your chart.
10 MR. ERIN: I think the purpose was just to
11 identify some of the more significant or larger TXS
12 applications, since TXS was the topic for today's
13 discussion.
14 CHAIRMAN UHRIG: Okay. Are there any comments
15 from the staff?
16 MR. CALVO: I think Erin has done a good job. All
17 I can tell you is that some of the questions you had asked
18 we had done. We had asked those questions. I think you
19 cannot miss something he says about how can you prevent the
20 operator from -- an I&C technician. They have a lot of
21 memories in this computer and protected memory. Nobody can
22 guess in there and you've got a special way to do it.
23 Also, they've got addressable -- for fuel burn-up
24 and things like this. Those are limited. So if you make a
25 mistake, you catch it. Also, you only can mess with one
. 40
1 channel at the same time. On top of all this, you still
2 introduce the potential for common mode failure. That will
3 be the focus also in defense-in-depth. What else do you
4 have in case that potential is cascaded to all four
5 channels. So we asked all these kind of things.
6 CHAIRMAN UHRIG: Thank you. If there are no
7 further questions, thank you very much, Larry.
8 MR. ERIN: Thank you.
9 CHAIRMAN UHRIG: And we will move on to the second
10 system, which is Westinghouse's ABB/CE system, and Ken.
11 MR. SCAROLA: I need a moment to set up.
12 MR. SINGH: Can we take a break for five minutes?
13 CHAIRMAN UHRIG: Why don't we take a five-minute
14 break while he sets up.
15 [Recess.]
16 CHAIRMAN UHRIG: We'll come back into session.
17 This is Ken Scarola who will give the presentation.
18 MR. SCAROLA: Good morning, gentlemen. Thank you
19 very much for letting us have this opportunity to talk about
20 Common Q, the Westinghouse Nuclear Automation Common
21 Qualified Platform.
22 As Mr. Uhrig said, my name is Ken Scarola and I am
23 from Westinghouse Nuclear Automation. Before I get into the
24 presentation, I would also like to introduce some of the
25 other key players that are here with us. Our Licensing
. 41
1 Manager, Denny Popp; our Manager of Protection Systems, Mark
2 Stofko; we have our lead engineer for hardware
3 qualification, and that's Marty Ryan; and our lead engineer
4 here for software qualification, and that's Warren
5 Odess-Gillett.
6 So these are the people that will be answering the
7 tough questions. I'll be answering the easy ones.
8 Since the last time I was here several years ago,
9 we were just, at that time, ABB, things have happened, I
10 think many of you know that Westinghouse has now acquired
11 the nuclear facilities of ABB, the nuclear assets, and now
12 we are one large I&C organization.
13 These yellow boxes represent the old ABB locations
14 and down at the bottom, the original Westinghouse locations.
15 So this is effectively now Westinghouse Nuclear Automation.
16 I thought it was important that I first really
17 give you that perspective, since there are a lot of changes
18 going on.
19 Now we will talk about the common qualified
20 platform and I first wanted to go through what our overall
21 program objective was for this.
22 We were looking to qualify an I&C platform for
23 safety for what we call safety critical Class 1E
24 applications and we were really looking at a building block
25 approach that would allow us to build very simple safety
. 42
1 systems, such severe accidents things like diesel sequencers
2 that are relatively simple; in fact, reactor protection
3 systems that are relatively simple.
4 But then, also, much more complex systems, like
5 core protection calculators for CE plants, Combustion
6 Engineering plants, and things like post-accident monitoring
7 systems that have fairly sophisticated data reduction
8 algorithms for things like core temperature monitoring.
9 So the intent was a building block approach that
10 would handle very simple systems and also fairly complex
11 safety critical applications.
12 And then we also recognized that the strategy that
13 many utilities would have would vary from system by system
14 replacements to full plant-wide upgrades and we had to
15 realize an approach that would really accommodate both ends
16 of the spectrum. So that was our goal.
17 We also discussed this with many of our own
18 customers. We listened to them and, in fact, this whole
19 program was partially funded by the CE Owners Group, and
20 these were the major messages that they gave us.
21 One is they wanted us to use industrially proven
22 products. They didn't want something new for the nuclear
23 industry. They wanted something that had a long history of
24 successful operation, and nobody wants to be first.
25 They wanted maximum standardization. It's best
. 43
1 for them if they can use the same widget everywhere, but
2 there is also a recognition that dealing with common mode
3 failure somewhat goes against this idea of standardization,
4 so there is this issue of dealing with diversity. Very
5 important recognition.
6 In any modernization effort, when you're doing
7 things that the industry has not done before, there is
8 always licensing risks, so they want a product that was
9 fully pre-licensed.
10 Also, when you look at modern digital systems, one
11 of the major expectations is that you will improve the
12 reliability with less manual effort, with less frequent
13 periodic surveillance.
14 So therefore, they wanted really to see that the
15 NRC was going to accept that, that we were, in fact, going
16 to get some relief on manual surveillance testing, and still
17 achieve very high reliable systems.
18 And then lastly, a very significant concern of
19 many utilities is they wanted to make sure that this year's
20 solution is not next year's obsolescence problem. I think
21 many of you who have desktop computers know that this
22 technology moves at the speed of light and we really have to
23 be conscious of this issue.
24 What we really are looking at here is a snapshot in time of
25 a product, and all of these products have ongoing life
. 44
1 cycles, and dealing with that life cycle management was a
2 very critical issue.
3 This chart depicts our licensing strategy,
4 essentially the basis of the Westinghouse topical report.
5 It builds on a foundation of the qualification of the
6 product building blocks, the basic elements of the design
7 and I will talk about those in a few minutes.
8 It also, in this foundation, builds on the methods
9 that are used to build the applications software. I think
10 everybody realizes what we're talking about here is a
11 product that comes with some base software, but it really
12 doesn't do reactor protection systems until you do a lot
13 more with the application level.
14 So the NRC has reviewed this fundamental piece and
15 this is a subject of the safety evaluation report. Then on
16 top of that, we talk about what we call generic applications
17 and we have submitted to the staff and the staff has
18 reviewed the application of these building blocks to systems
19 such as the reactor protection system, engineered safety
20 feature actuations, core protection calculators,
21 post-accident monitoring.
22 This, again, was all the subject of our topical
23 report, because we felt that it was important not only to
24 see the product, but how it will be used in various
25 applications.
. 45
1 CHAIRMAN UHRIG: Is this core protection
2 calculator essentially the same one that's installed in a
3 number of units or is this an upgraded system?
4 MR. SCAROLA: Functionally identical to what's
5 installed in operating units, but now on this new platform.
6 Then these really represent stand-alone system
7 applications, but we all recognize that where utilities were
8 heading is plant-wide modernization. And when you start
9 doing a plant-wide modernization, you have to look at how
10 you integrate all these together, because really the main
11 efficiency that comes through digital systems is when you
12 can start sharing functions, such as sharing maintenance
13 panels, sharing the data communication buses.
14 So instead of looking at each one of these as a
15 stand-alone application, in this appendix, for the topical,
16 we looked at the integrated solution, how they all fit
17 together and how we share these services and how that
18 sharing does not compromise the functionality or the
19 performance.
20 CHAIRMAN UHRIG: That's what I was going to ask,
21 is that a two-edged sword, so to speak, when you try to
22 combine them.
23 MR. SCAROLA: It can be. If it's not done
24 correctly, it certainly can be.
25 CHAIRMAN UHRIG: Common mode failure.
. 46
1 MR. SCAROLA: You can introduce all kinds of
2 problems when you do that and, therefore, we felt it was
3 very important that we present to the staff our method of
4 doing it and they review that we have sufficiently addressed
5 all those issues.
6 So these three tiers of this pyramid have all been
7 addressed in this topical report and it's what we call the
8 CE Owners Group/EPRI, because there was also some funding in
9 this from EPRI, phase two.
10 We are now through this, we feel we have set the
11 foundation for future licensing submittals that may address
12 new generic applications; for example, though
13 here you don't see the diesel load sequencer, as a standard
14 application, so we would expect that maybe in the future
15 that would be at this tier.
16 And then, also, we know that every utility has
17 very specific things in their plants and we feel that
18 through this, we have now established the framework of what
19 the NRC is expecting to see for a new application.
20 So we were really hoping that through this
21 program, we would not only license a product, but also
22 establish a process for the application of this product.
23 That's really where we are now.
24 Now, we are moving into what we call phase three
25 of the Common Q program. We are now in phase three and
. 47
1 what you will see is phase three has a new building block
2 that we call the flat panel display.
3 Now, this was addressed in phase two. It is in
4 the SER, but we didn't really finish all of the effort, and,
5 therefore, this is an open issue in the existing SER, and we
6 hope to close it out shortly.
7 What I wanted to do was just give you a little bit
8 of a timeline here to give you a feel for when we started
9 and when we actually finished. Our first submittal was in
10 March of 1999 on this topical, but the initial discussions
11 we had with the staff go back to May of 1998, where we first
12 came in and we said this is what we're thinking about, does
13 this make sense to everyone.
14 And then it took us a while for us to get our act
15 together and write some documentation and then our first
16 submittal was in March of '99.
17 All of these submittals address the basic building
18 blocks, as well as specific applications, such as the
19 integrated solution, the RPS, et cetera.
20 Now, we also said to the staff very early on in
21 the program this is what we want to get out of this. These
22 are our expectations, are these lining up with what you
23 think we contract get, because that's very important.
24 Sometimes we go through these things and find out that we
25 don't really line up.
. 48
1 So then in August, the staff issued their safety
2 evaluation report in August of this year. So this has been
3 a substantial effort from a number of people on both sides
4 working very hard to get to the end.
5 CHAIRMAN UHRIG: Just for point of clarification.
6 This basically -- the genesis of this system is the ABB/CE
7 system, not the Sizewell B.
8 MR. SCAROLA: Right. This is from the ABB side of
9 the business, and I will be going through the building
10 blocks, so you see that.
11 The topical report format had a main body of the
12 document where we described the basic building blocks and we
13 addressed what we felt were the key standard review plan
14 issues, things like hardware and software qualification,
15 configuration management, the application development tools,
16 and, of course, 3D, diversity and defense-in-depth.
17 And then in addition, in the topical, we had
18 appendices for each one of these significant applications.
19 I will start by going through the building blocks.
20 The heart of this Common Q system is the ABB Advant
21 controller, the AC-160. So this really gets back to your
22 question, this is really from the ABB product line.
23 Now, this is not a new product or a specific
24 product for nuclear applications. This is a product that
25 ABB has been applying in our fossil business unit since 1997
. 49
1 and this is actually a second generation product from
2 something that we called the AC-110, that was introduced in
3 1993.
4 So there's a long, very long history of industrial
5 application. The product is used today in boiler protection
6 systems and also turbine protection systems and it was
7 certified last summer by TÜV for boiler protection in
8 Germany.
9 So this was the thing that originally gave us real
10 solid confidence that we would be successful here.
11 Fundamentally, this controller will handle a
12 variety of I/O modules, up to 1,500 I/O points for a single
13 controller. And it supports six parallel processors. Now,
14 this is really the key to building very simple systems,
15 where we may use one processor and maybe very sophisticated,
16 complex systems, where we require several more, and it's
17 this flexibility that really gives this system its wide
18 range of applicability.
19 CHAIRMAN UHRIG: Now, each one of these processors
20 basically is a microprocessor such as a --
21 MR. SCAROLA: It's a micro-controller. It's a
22 Motorola --
23 CHAIRMAN UHRIG: Is this Intel chips?
24 MR. SCAROLA: We use Motorola. It's a Motorola
25 68000-based processor and each one of these processors is
. 50
1 basically a stand-alone module that slips into this rack,
2 but they all share one common back plane, so they can
3 exchange information very, very quickly, very rapidly.
4 In a typical application, we'll essentially have
5 functional segmentation between the processors. One might
6 be doing a DNBR calculation, another one might be doing a
7 local power density calculation, another one might be doing
8 some other function or maybe handling data communication.
9 But the idea is that we can take very
10 sophisticated functions and distribute them.
11 Now, what makes the system suitable for nuclear
12 applications is it's a highly deterministic system. The
13 operating system runs cyclically. All of the application is
14 executed all of the time regardless of what the logic may
15 actually indicate in the application. So we set flags and
16 execute all of the building block elements and all of the
17 network communications is fully cyclical.
18 We are sending thousands of times a second no
19 trip, no trip, no trip, no trip. Then sooner or later we
20 may send trip. So this is fully cyclical data
21 communications, not event dependent.
22 Also, the system has extensive self-diagnostics.
23 So we monitor things like RAM integrity. We do bit checks
24 continuously on the internal memory of the system to make
25 sure that there are no errors. We are doing continuous data
. 51
1 link communication checks. We do continuous verification
2 that the CPUs can actually talk to the I/O modules and that
3 there is no disconnect there where things might be freezing.
4 So these extensive diagnostics, along with highly
5 deterministic performance, make this a very suitable product
6 for these nuclear safety critical applications.
7 MR. SIEBER: What happens if you detect a RAM
8 error, for example?
9 MR. SCAROLA: Well, a RAM error is what we would
10 call a fatal failure. So in this particular case, we
11 actually shut down the processor. We actuate an output
12 relay in this case and depending upon the application, we
13 either fail actuated or we simply alarm. For example, in
14 the case of a reactor protection function, reactor trip, we
15 typically fail in the actuated mode, so we force something
16 to happen.
17 MR. SIEBER: So this fails, a RAM chip fails, that
18 trips the plant.
19 MR. SCAROLA: No, because we have a multi-channel
20 system. So what we're talking about here is an architecture
21 where you would have similar to what Siemens showed, four
22 divisions. If you have a single controller failure, you may
23 fail one of those four divisions and then we ultimately vote
24 at the final element, so that that single failure may result
25 in one of four trip legs, but it takes one more to trip the
. 52
1 plant.
2 Now, we have other functions in the plant that we
3 may designate as not fail-safe functions. For example,
4 things like containment spray. You don't necessarily want
5 to spray down containment on a failure. So we may designate
6 those as not fail safe and in those cases, we would simply
7 have an alarm on these failures and not actually send an
8 actuation.
9 So it's really application dependent.
10 The second major building block is what we call
11 the ABB Advant field bus and we designate this as the AF-100
12 bus. This is the network communications that we use within
13 a division, so the A division will have a network, the B
14 will have an independent network, C has its own, D has its
15 own, and this network allows multiple controllers to talk
16 and exchange information.
17 It allows multiple controllers to send information
18 up to a maintenance and test panel. It allows it to send
19 information up to the operator's module that's in the main
20 control room.
21 This is a multi-drop network up to 79 nodes, so
22 you may start an installation in a power plant with three
23 nodes, but over time, when you start to add more and more
24 systems, you're building on that same network and you may
25 get up to 60 nodes in the typical power plant installation.
. 53
1 Again, this is a highly deterministic bus. We
2 have what we call a bus master that actually is the internal
3 traffic cop and we rotate that master continuously.
4 We can establish various transmission cycles for
5 things that have to happen very rapidly and things that can
6 happen more slowly. It's optical fiber media, so we
7 maintain electrical independence between these various
8 controllers, so we don't propagate electrical faults.
9 Similar to the CPUs, there are self-diagnostics
10 and we have automatic reconfiguration so that if you fail or
11 have a failure of one of these 79 nodes, that's not going to
12 take down the other 78 nodes, and when you re-initialize
13 that failed node, it automatically gets back into the data
14 communication sequence. So we don't end up taking down the
15 whole system.
16 Now, the third major building block is what we
17 call the flat panel video display. This is, in fact, a VDU,
18 video display unit, that is intended to replace the
19 conventional analog meters, control switches that you would
20 have in a typical power plant.
21 We have these in operation today for our CPC
22 functions at various operating plants, not this exact same
23 unit, but very similar VDU based HSI, and also for the
24 post-accident monitoring systems.
25 So we felt that this was a very important part of
. 54
1 the building block set. Now, this is a simple touch-screen
2 VDU, where you can navigate by touch and you can select and
3 modify set points, if this is appropriate for the
4 application.
5 It is an x86-based processor, so this is the
6 Intel side of the product line, and this is used for really
7 two major functions. One is the maintenance and test panel,
8 which is where you would go to resolve these diagnostic
9 errors or to load software into the system, and it's also
10 used for the operators' modules inside the main control room
11 for effectively the information monitoring inside the plant.
12 In a typical installation, where you have four
13 divisions of a system, A, B, C and D, you would have four of
14 these operators modules, again, to protect for single
15 failures.
16 Now, there are more building blocks in the system,
17 but in the essence of time, I focused on those three major
18 ones, which are really the core building blocks.
19 Now I would like to talk about equipment qualification, then
20 we'll talk about software qualification and a number of
21 other major issues.
22 The qualification tests encompassed, first,
23 electromagnetic interference, in accordance with the EPRI
24 guidelines, and before you had asked about surges on things
25 like power supply buses.
. 55
1 One of the tests in this is a four kV surge test
2 on the power bus feeding the system. And we also do a two
3 kV test on all of the input/output signal lines.
4 So we really believe that we have encompassed our
5 worst case situation and based on operating experience with
6 our CPCs, which are digital systems that have been in
7 operation in nuclear power plants since the late '70s, we
8 really feel we have encompassed any worst case conditions
9 here.
10 CHAIRMAN UHRIG: Thank you.
11 MR. SCAROLA: We also do environmental testing in
12 accordance with IEEE-323. Now, this is essentially elevated
13 temperatures, elevated humidity for extended periods of
14 time, and seismic qualification in accordance with IEEE-344.
15 Now, one of the things that we looked at for the
16 seismic qualification are really the target markets. I
17 think everybody knows that the seismic boundaries for the
18 west coast of the US are far different than the east coast
19 and also we have very high levels in South Korea, fairly
20 mild applications in Europe.
21 But what we did is we established our bounding
22 seismic test criteria for all of these target markets.
23 So we think we have a large market base covered.
24 We have completed the testing on the AC-160, which is what I
25 said was the core product. We will be doing additional EQ
. 56
1 testing to be completed the first quarter of next year, and
2 this will encompass the flat panel display.
3 We will do testing on power supplies and we are
4 also doing a new series of tests on what's called the
5 PM-646A, which is the latest processor for this AC-160
6 product.
7 What we did before as part of the SER was the
8 PM-645C. We had some prototypes of PM-646A, but we didn't
9 have full production units and now we're going to do the
10 full gamut of testing again. So we have very high
11 confidence that once we get through this, we will have no
12 open issues.
13 MR. SIEBER: Now, all of these devices, like the
14 flat panel display and power supplies, they're all mild
15 environment, right?
16 MR. SCAROLA: Everything is mild environment.
17 Right. Nothing is intended for in-containment use.
18 MR. SIEBER: So what's the test consist of, just
19 elevated temperature and running for a long time or what?
20 MR. SCAROLA: I will ask for some help. Marty,
21 can you help on what the actual test levels were for the
22 elevated temperatures?
23 MR. RYAN: Marty Ryan, from Westinghouse. The
24 environment test consisted of testing three different
25 profiles for different temperature and humidity conditions,
. 57
1 where we expected the worst case high temperature and the
2 low temperature for periods of eight hours with mixed
3 humidity, so as to accommodate the ventilation requirements
4 in the mild environments that currently exist.
5 MR. SIEBER: And that testing then sets the
6 environmental limits on the rooms or cubicles in which the
7 equipment would be installed.
8 MR. RYAN: That's correct. We actually did it in
9 an open frame, so we tested the physical equipment to the
10 highest level that we would expect, as the equipment goes
11 inside an enclosure.
12 MR. SIEBER: Thank you.
13 MR. SCAROLA: One thing I will add is that we test
14 both what we consider the normal long-term operating range
15 with normal HVAC conditions in the room, but we also test
16 boundary conditions that would be indicative of the HVAC
17 failures in the room, as well.
18 DR. POWERS: And the test was for eight hours?
19 MR. SCAROLA: It's actually a series of plateaus
20 for eight hours at each plateau. There were four plateaus,
21 three plateaus. Okay. Three plateaus at eight hours each.
22 And the actual details of that testing are in the
23 topical report.
24 MR. SIEBER: Do you actually do that until you get
25 a failure someplace or that would give you the ultimate
. 58
1 envelope?
2 MR. SCAROLA: No. We don't do a catastrophic test
3 to find out the limits of the equipment. We basically
4 establish the boundary conditions and we ensure that the
5 equipment functions to those boundary conditions.
6 MR. SIEBER: Thank you.
7 DR. POWERS: When you do your seismic test, what
8 are you looking for?
9 MR. SCAROLA: Failures, functional failures as
10 well as physical integrity failures, but essentially the
11 real focus is for functional failures.
12 DR. POWERS: I guess what I'm asking is a little
13 more detail. Where do you think the system is most
14 vulnerable?
15 MR. SCAROLA: I'll look for help. I'm not sure I
16 fully understand the question. We are trying to make sure
17 that all the safety-critical functions in this system will
18 not be compromised during the seismic event.
19 DR. POWERS: I could imagine that you're looking
20 for conductors coming unlatched, modules falling out of
21 slots, pins coming out of sockets.
22 MR. SCAROLA: We are particularly sensitive to the
23 electro-mechanical interfaces all around the system, whether
24 it's a circuit board seated into its end connector, a data
25 communication coax cable, whatever it might be. Those are
. 59
1 the things that we are particularly designing to enhance for
2 seismic durability. Marty, would you add something to that?
3 MR. RYAN: Yes. With regard to what we look for
4 in seismic, we're looking for the mechanical aspects, as
5 mentioned, but also for the functional aspects, where we
6 have an off-line monitored set of test equipment, where
7 we're looking at the functionality of test software and test
8 functions being executed in the specimen.
9 We also took the equipment up to the maximum level
10 that we could see in any particular location. It was
11 actually the maximum level of Wyle's test table at the
12 Huntsville, Alabama facility.
13 DR. POWERS: When you expose it to a -- you do the
14 seismic test, how long does the vibration typically go on?
15 MR. RYAN: The requirement in 344 is to subject
16 the specimen for 30 seconds. So each of the tests that are
17 run in the triaxial mode, whether it be the OBE, which is a
18 half strength, we run a minimum of five of those, followed
19 by an SSE. Each of those test sequences are 30 seconds
20 duration.
21 DR. POWERS: How do you think your system would
22 perform in a much longer duration exposure to harsh
23 vibrations?
24 MR. RYAN: We would expect it to operate without
25 any incident. The reality is that we have not seen, based
. 60
1 on field experience, any incidents due to low level
2 vibration. Part of the testing is also to look at a sine
3 sweep to see if the frequencies covered outside of the
4 seismic would present any susceptibility and during those
5 tests, we found no problem areas, as well.
6 DR. POWERS: Even if it went on for an hour?
7 MR. RYAN: I'd have to speculate, but one would
8 think that based on the installed type of equipment that we
9 have in the plant, which is subjected to the same physical
10 area of the plant, we have no indication that that is a
11 problem, so we would suspect that this would not be a
12 problem to the new equipment, as well.
13 MR. SCAROLA: I think one of the real key issues
14 here is that we look for resonance frequencies in this
15 equipment when we do these seismic sweeps.
16 DR. POWERS: That's the sine sweep that he was
17 speaking of.
18 MR. SCAROLA: Right.
19 DR. POWERS: And where do you see resonance?
20 MR. RYAN: We see resonance typically, depending
21 upon the fixture that we mount the equipment, but we have
22 traditionally tried to put a fixture that had no resonance
23 in it, a rigid test fixture. So whatever the table is
24 imparting, it imparts it directly to the specimen.
25 But in a cubicle, we typically see resonance
. 61
1 somewhere between 12 and probably 15 hertz.
2 CHAIRMAN UHRIG: For your Pacific Rim countries,
3 what is the typical OBE and SSE?
4 MR. SCAROLA: I'm sorry?
5 CHAIRMAN UHRIG: The operating basis earthquake
6 and your safety shutdown.
7 MR. SCAROLA: For which country?
8 DR. POWERS: For South Korea, for example.
9 CHAIRMAN UHRIG: South Korea.
10 DR. POWERS: What is the ZPA for South Korea?
11 MR. RYAN: The ZPA is typically running about OBE
12 12 hertz G with a ZPA of around one to one and a half. And
13 the SSE for worst case profile at the location is somewhere
14 around 24 G's and we test up to about a two, two and a half
15 ZPA.
16 CHAIRMAN UHRIG: Is that horizontal component, is
17 that --
18 MR. RYAN: That's all three components.
19 CHAIRMAN UHRIG: All three components.
20 MR. RYAN: Yes. What we've attempted to do is
21 integrate a generic qualification process, where we looked
22 at the different geographical frequencies and composed a
23 composite type test environment, and that actually envelopes
24 what the machine limitation curve is at the test facility.
25 CHAIRMAN UHRIG: Those G limits are for the
. 62
1 instrumentation and control. That's not for the whole
2 plant, I assume.
3 MR. RYAN: That's for the typical location where
4 we would install this equipment in the protection rooms of a
5 typical power plant.
6 MR. SCAROLA: One of the real challenges is
7 attempting to establish your boundary conditions, because we
8 really are doing this as a statistical sample testing. Then
9 what we're hoping is that we have encompassed all of these
10 potential installation locations.
11 So we really test a very high G levels, as Marty
12 said, 25 G's, with the expectation that if you look at all
13 of these accelerations from the ground through the building,
14 from the bottom of the cabinet to the very highest point
15 inside the cabinet, that we have, in fact, encompassed and
16 through all the years of experience we have with seismic
17 qualification, we believe that we have, in fact, encompassed
18 almost every location we would find.
19 Now, of course, we have to confirm that for every
20 installation, but we do believe that we're covered.
21 CHAIRMAN UHRIG: That number 25 was considerably
22 higher than I expected.
23 MR. SCAROLA: Let me show you what the test
24 fixture looks like, because this will give you a feel for
25 what the seismic testing is. What you can see here is this
. 63
1 a rigid test fixture, as Marty explained, and the intent of
2 that test fixture is to impart the vibration from the table
3 right to the electronic equipment with no acceleration.
4 So we know that what we got at the table is what
5 we got there. But the real challenge is the recognition
6 that we are qualifying building blocks and building blocks
7 can be configured in many different ways and in many
8 different mounting methods.
9 For example, here you see front panel mounting
10 where the rear of this electronic chassis is actually bolted
11 to what would be considered the frame of the cabinet.
12 On the other hand, here you see what we call rack
13 mounting, which means that the rack assembly is actually
14 bolted from the front and, therefore, is now cantilevered in
15 the back.
16 So one of the real challenges was establishing
17 what we felt were the boundary conditions for this seismic
18 test. Similarly, we had to establish boundary conditions
19 that encompassed the building block configurations for the
20 EMC testing. Again, a significant challenge because you can
21 have many different combinations of modules inside any
22 particular rack.
23 So establishing these boundaries as a worst case
24 test was an important part of the program. Then we
25 addressed software qualification. Now, an important point
. 64
1 here is that this is a product that was developed for the
2 industrial market, not the nuclear market.
3 So we are using standard ABB software for what's
4 called the Advant controller base software, this is inside
5 the AC-160, and inside the flat panel display, we're using
6 an operating system from a company in Canada, QNX Software
7 Systems Limited. Again, standard off-the-shelf software
8 with a long history of performance in industrial
9 applications.
10 Then what we had to do are really two major
11 things, a design life cycle evaluation and an operating
12 history evaluation. What we did through this life cycle
13 evaluation, we evaluated the OEM software development
14 process to confirm that it was essentially equivalent to
15 what we would expect in the nuclear industry.
16 And where we found deficiencies, we would
17 accommodate those through additional review by our own
18 people, for example, code reviews. We would do supplemental
19 testing. We would ask the vendor in some cases to modify
20 his process for future software revisions or for error
21 reporting and correction.
22 In some cases, we required more documentation.
23 And in some cases, we would say this part of the software
24 may not have been developed to the level that we would
25 really expect; therefore, it's an application restriction.
. 65
1 We may not use it in safety-critical applications.
2 So this whole design life cycle evaluation was a
3 very important part of the program. We also evaluated the
4 operating history of these products. Are they, in fact,
5 good products; what is their performance record, and we
6 ensured that all of the applicable problems had been
7 resolved or the supplier has a mechanism in place that they
8 will be resolved and we have a tracking interface for that.
9 So, again, we must recognize that these are life
10 cycle products. This is a snapshot in time of a product,
11 making sure that we maintain this product for its usable
12 life in the nuclear industry is as important as what the
13 product is today.
14 Then the other part of the software qualification
15 pertains to the application software itself. That's the
16 part that will be specific for nuclear application and
17 there, with the staff, we have established coding standards,
18 testing standards, standards for documentation and
19 verification and validation.
20 All of this is encompassed in what we call our
21 software program manual, which effectively becomes the bible
22 of how you apply this product in future nuclear applications
23 and it establishes the basis for what the NRC is expecting
24 to see when a licensee applies this product.
25 Another very important area is what we call
. 66
1 configuration management. This is the issue of ensuring
2 that the nth of a kind product that you build is the same as
3 the one that you put through qualification and licensed.
4 And we have supply agreements with our key suppliers that
5 establish configuration control of both hardware and
6 software and also proactive obsolescence management
7 programs, where we don't wait and find out that something is
8 obsolete. We're actually out there all the time discussing
9 with Motorola, with Intel, with all of the key suppliers for
10 what we call the critical components what are their plans.
11 It's a very significant program.
12 Now, we have contracts in place already with ABB
13 and as we move further into the maturity of things like the
14 flat panel display, we will have other contracts in place
15 with those key suppliers, as well.
16 As a result of this, we can ensure that the nth
17 product is equivalent to the qualification specimen and we
18 can ensure 20-plus years longevity for these products. So
19 we protect the utility's investment all the way through.
20 This, though, I would say is probably one of the
21 more substantial efforts of the entire program. This is not
22 an easy thing to do in this day and age, where this
23 electronics industry is moving at the speed of light.
24 So I really cannot over-emphasize the importance
25 of this program.
. 67
1 MR. SIEBER: A question on the control of
2 obsolescence. You know, Intel or Motorola or some
3 chip-maker, they'll make a CPU chip for a year and then
4 somebody thinks of something better and they quit making
5 that and start making something else.
6 Does that mean your circuit cards that may employ
7 these OEM chips will change from time to time to incorporate
8 the so-called advances? In other words, if I own one of
9 your processors and say, uh-oh, I think I need a new card,
10 the card I get is going to be different than the one I take
11 out.
12 MR. SCAROLA: You are describing exactly the
13 problem that we are dealing with and the way we deal with
14 this problem, number one, is we know when the parts are
15 changing and I can't necessarily say that about every
16 product in the industry. Sometimes these OEMs will do
17 things and the end users have no knowledge of it.
18 So you think you're getting the same thing, when,
19 in fact, you're not. So the first step in here is
20 establishing a process with the key suppliers where we, in
21 fact, know that they have a problem with components. And
22 then at that point, we have the option, we can do one of two
23 things.
24 We can buy these components and stock them. For
25 example, say, Motorola says, look, I'm only going to build a
. 68
1 specific CPU for another year and then I know I'm going to
2 obsolete it. At that point, we can buy whatever we need for
3 our existing customers and our future customers in the
4 near-term. We also have the option at that point of
5 redesigning their next generation chip into the new board
6 and ensuring form fit function replacement.
7 So even though there is a new part in there, we
8 are supervising the application design with the supplier so
9 that we ensure that the next generation product is, in fact,
10 a form fit function replacement, and then we also would, at
11 that point, do the evaluation of any new requalification
12 needs.
13 Sometimes you can analyze the equivalency of new
14 chips, but sometimes you can't. And you actually have to go
15 back through the hardware qualification and software
16 qualification process. But the real key is knowing that you
17 have the problem and then you can do something about it.
18 MR. SIEBER: Now, the same question applies to
19 software. Some bright person can say there's a better way
20 to do this particular calculation or what have you and come
21 up with a changed software that satisfies form fit and
22 function. On the other hand, it may change the duty on the
23 CPU or RAM or what have you or change the whole timing of
24 the computer.
25 MR. SCAROLA: Absolutely, and that's why
. 69
1 configuration control of software is as equally important as
2 it is to hardware.
3 We have very strict controls over the firmware
4 that is embedded in these products at every point in the
5 product, whether it's the CPU, the firmware that may be
6 inside a simple I/O module, the firmware that may be inside
7 a network communication module, we are controlling that
8 firmware and we ensure that these suppliers have processes
9 and we audit those processes, because I agree with you. You
10 can get yourself into a lot of trouble if these things are,
11 in fact, changed and you don't know about them.
12 So we get to evaluate every change. Some changes
13 we can accept, some changes we cannot accept and, therefore,
14 we will use a previous revision of the software. We don't
15 necessarily always upgrade the software to the latest
16 revision.
17 MR. SIEBER: So you will, in fact, then, be the
18 only qualified supplier for those software, firmware and
19 hardware.
20 MR. SCAROLA: For this product.
21 MR. SIEBER: Right.
22 MR. SCAROLA: Absolutely.
23 MR. SIEBER: Thank you.
24 MR. SCAROLA: Another major issue is what we call
25 diversity and defense-in-depth, and here we have established
. 70
1 a methodology where the analysis addresses common mode
2 failures and effects for all postulated initiating events
3 and we credit diverse non-safety I&C systems for coping.
4 Some examples of the systems that we credit are
5 the non-safety control systems, the ATWS systems, but in
6 many cases, we find that even they are not sufficient and we
7 need to supplement the RPS and ESFAS functions with some
8 supplemental trips in these diverse platforms.
9 So there is an entire methodology that we have
10 established. We executed this methodology the first time on
11 the System 80+ ALWR and we are following the same
12 methodology for future upgrades.
13 One of the real challenges in this is when you
14 start dealing with modernization in phased upgrades, where
15 my first upgrade might be the post-accident monitoring
16 system and then the next one is the CPCs and you can get
17 yourself into an analysis quagmire.
18 So what we have established is a methodology where
19 we do the analysis one time and then we confirm the
20 applicability of that analysis through each phase of the
21 upgrade.
22 Now, I addressed basically the main body, which
23 you can't see here, but now I would like to talk a little
24 bit about the appendices.
25 As I said, there are four major -- there are four
. 71
1 key appendices that were submitted to the staff for these
2 functions, PAMS, CPC, RPS and ESFAS, and the integrated
3 solution.
4 The intent of the appendix is to show the system
5 configuration for each of these major applications. So we
6 defined to the staff the process or architecture in a
7 specific application like RPS, it may take eight processors.
8 In an application like PAMS, maybe only two.
9 We define both the intra-division within a
10 division of communication and the inter-division between
11 division communication methods, and we also defined expected
12 variations for the plants that we were knowledgeable of that
13 are out there.
14 So we said this is a base configuration, but we
15 envision that the architectures may change in this way, this
16 way and this way. We defined significant plant interfaces.
17 We defined features such as automatic testing, manual
18 testing and bypass features.
19 For each of these appendices, we submitted a
20 failure modes and effects analysis for that configuration
21 and we provided technical input for 50.59 evaluations and
22 also for tech spec changes that would relate to extending
23 manual surveillance intervals.
24 Now, we know that the staff cannot approve 50.59
25 evaluations in a topical report, and we know that they
. 72
1 cannot approve tech spec changes in a technical report, but
2 we did want to get the staff's reaction on our technical
3 basis for these things. We feel we had very good
4 interaction on that.
5 Now, the appendices, as I said, address
6 stand-alone system configurations, but the fourth appendix,
7 the integrated solution, shows how all these things fit
8 together, how we share the building blocks and the effects
9 of that sharing.
10 So the intent of Common Q is to address the entire
11 spectrum of what we envision as safety critical Class 1E
12 applications in any operating power plant today.
13 We have submitted applications for various or
14 submitted appendix material for various applications, but we
15 feel we have now laid the groundwork so that utilities can
16 do this in the future with our help for future applications.
17 Now, I wanted to just go through some places where
18 the system is being applied. Its first application is at
19 the Oskarshamn-1 modernization in Sweden, where the
20 applications include the full spectrum of safety-critical
21 functions, reactor protection engineered safety features,
22 the load sequencer for the emergency diesel, and component
23 control for every class 1E safety-related pump and valve in
24 the plant.
25 And this system will be in operation in September
. 73
1 of 2001. So we're not very far away from having that system
2 up.
3 CHAIRMAN UHRIG: How long was the plant down to do
4 this?
5 MR. SCAROLA: Actually, the plant is not down yet.
6 They will start their down sequence of April of next year.
7 They will actually come down.
8 CHAIRMAN UHRIG: So April to --
9 MR. SCAROLA: So the installation will be very
10 aggressive. It will be about four months for installation.
11 CHAIRMAN UHRIG: So it's essentially a complete
12 replacement.
13 MR. SCAROLA: Right. This is a full
14 modernization, and it's in one shot. It's not a phased
15 installation, as we talked about before. This is one-shot,
16 do everything at one time.
17 CHAIRMAN UHRIG: But you might be able to split it
18 up into two or three shorter sequences.
19 MR. SCAROLA: For other utilities, if that's what
20 they desire, right. But for this particular utility, they
21 wanted to do it all in one shot.
22 MR. SIEBER: How long will that take, just out of
23 curiosity?
24 CHAIRMAN UHRIG: He said about four months.
25 MR. SCAROLA: About four months for the
. 74
1 installation.
2 MR. SIEBER: Okay.
3 MR. SCAROLA: The second application is at
4 Ulchin-5 and 6 in South Korea. There we are doing a reactor
5 protection and engineered safety features, and that will be
6 operational in 2003. Ringhals Unit 2 in Sweden, again, is a
7 full modernization; again, in one step, shut down the plant,
8 rip out the old equipment, install the new equipment, and
9 the operation there is expected 2004.
10 One of the additions here over Oskarshamn is we
11 will now be using this flat panel display product, so we
12 will have video human systems interfaces, whereas at
13 Oskarshamn is still discrete HSI.
14 We are also building KEDO-1 and 2 now in North Korea.
15 This is a recent contract and that's actually several years
16 out.
17 This will actually be a duplicate of the Ulchin 5
18 and 6 plants in South Korea. And then as we speak today we
19 are in discussions with many US utilities about
20 modernization, either on a small system basis or a
21 plant-wide modernization basis. It runs a full gamut.
22 CHAIRMAN UHRIG: Ulchin is a plant under
23 construction?
24 MR. SCAROLA: It's under construction.
25 CHAIRMAN UHRIG: So this is new installation.
. 75
1 MR. SCAROLA: Yes. These are new plants -- well,
2 this is a new plant, this is a new plant, and Oskarshamn and
3 Ringhals are operating plants.
4 So that's the specific application of the
5 Common Q platform, but I also wanted to explain that this
6 ABB Advant Technology, through predecessors and related
7 products, is in operation in many nuclear power plants today
8 in Europe, at Forsmark-1 and 2, also plants in Finland,
9 TVO-1 and 2, and in the U.S. we actually have operation of
10 the AC-160 predecessor, which is the AC-110, for rod
11 position indication systems at Beaver Valley and also
12 Ringhals-2 in Sweden.
13 So this equipment has been around in a number of
14 different places. We hope we have achieved these goals.
15 MR. LEITCH: Excuse me just a second. Can you
16 help to orient me? I had -- I was at Maine Yankee for a
17 while and we had a -- I'm not sure of the terminology.
18 Before I was there, they had installed a digital platform of
19 some type that supported feedwater control. Would that be a
20 forerunner of this system or are you familiar with that
21 system at all?
22 MR. SCAROLA: I'm not specifically familiar with
23 it, but I'm sure it was not the forerunner of this system.
24 Feedwater control systems are what we would view as
25 non-safety systems and they would use the Advant non-safety
. 76
1 platform, whereas this is a safety-critical platform for
2 safety-critical applications, like reactor protection.
3 MR. LEITCH: This would have been installed maybe
4 in the 1991 or 2 timeframe, so it would likely have been
5 non-safety related.
6 MR. SCAROLA: Non-safety and not this product.
7 MR. LEITCH: Not this product.
8 MR. SCAROLA: Probably another product line.
9 MR. LEITCH: My question was going to be could
10 that product line still have been supported or is that one
11 of those -- in other words, I'm getting back to this system
12 of obsolescence. That system was put in to overcome
13 obsolescence on the order of magnitude of eight years ago
14 and I'm wondering could that still be supported.
15 MR. SCAROLA: It depends on --
16 MR. LEITCH: Perhaps it's an unfair question if
17 you're not familiar with that.
18 MR. SCAROLA: Let me ask the other people from
19 ABB. Did we install that equipment? Okay. This was not an
20 ABB installation and not a Westinghouse installation. It
21 was probably done by Maine Yankee with a third party
22 supplier.
23 So I have no idea what sort of arrangements they
24 had in place for obsolescence. But I can tell you that
25 enough utilities have been burned by obsolescence management
. 77
1 because they thought they were solving an obsolescence
2 problem only to find out they installed an obsolescence
3 problem.
4 MR. LEITCH: Exactly.
5 MR. SCAROLA: And I think we're much smarter
6 consumers now than we were back in the early '90s.
7 MR. LEITCH: Yes. I think you're quite correct,
8 by the way. I was thinking at first it was an ABB system,
9 but now that you've refreshed my memory, you're quite
10 correct. It was not. Thank you.
11 MR. SCAROLA: In looking at the goals we
12 established, one common solution, very important for
13 utilities, in that it reduces technical support costs and it
14 reduces unique spare parts cost. One thing we all have to
15 realize is spare parts and maintenance for utilities are a
16 major factor and right now they're maintaining in any power
17 plant probably no less than about 25 different
18 safety-related platforms of different things and getting
19 them down to one is a major economic improvement.
20 And then through this modern technology, we really
21 are seeing improved reliability, but allowing an extension
22 of manual surveillance intervals.
23 You know, one can be a tradeoff over the other.
24 You can extend manual surveillance intervals and not be as
25 reliable, but the real key is to find a way to extend them
. 78
1 and also improve reliability, and that is what we have
2 achieved.
3 This is all through low power consumption
4 electronics that have much longer MTBF ratings than the old
5 analog stuff that was heat-producing. We have internal
6 self-diagnostics that essentially pick up probably near 100
7 percent of the failures within milliseconds. Then we have
8 automated testing that really tests the function of the
9 system.
10 In closing, I would just like to say that you've
11 seen a lot of pictures and a lot of words here, but we'd
12 really like for you to come to Pittsburgh, if any of you
13 have a chance, and we'd like to demonstrate this equipment.
14 You can see it, you can touch it, you can feel it. We have
15 a very extensive customer demonstration facility there where
16 we can actually show the operation of the equipment, as well
17 as the HSI, the human-systems interface.
18 A few years ago, when we were doing the System 80+
19 licensing, we actually brought the equipment to the ACRS. I
20 don't know if any of you remember that. But it's much
21 easier to get you to come to Pittsburgh. So I extend the
22 invitation.
23 We would love to have you.
24 MR. SIEBER: What's the address?
25 MR. SCAROLA: 286 Golden Mile Highway in
. 79
1 Monroeville.
2 DR. POWERS: Let me remind the subcommittee that
3 in the discussions with Commissioner Diaz, he certainly
4 thinks that the ability to go to digital systems like this
5 is key to the future for the nuclear industry in so many
6 respects, and because of the importance that he ascribes to
7 it, I think we should give serious thought to this
8 invitation. The more exposure we get to this, the better
9 prepared we are to supply the answers to Mr. Diaz when he
10 asks questions about these digital systems.
11 MR. SCAROLA: I think seeing it, touching it,
12 interacting with it is worth much more than whatever I could
13 give you.
14 DR. POWERS: If you don't mind, the next time I
15 have a chance to talk with Commissioner Diaz, I will remind
16 him of this capability you have to demonstrate this. He may
17 be very interested himself.
18 MR. SCAROLA: We'd extend the invitation to the
19 whole staff, as well.
20 DR. POWERS: It very much is uppermost on his mind
21 right now in connection with the future.
22 MR. SCAROLA: Thank you gentlemen. Any questions?
23 MR. LEITCH: Yes, a couple questions. I notice
24 that in the safety evaluation report, there is some generic
25 open items, about ten in number. Are they -- at least as I
. 80
1 understand it, they're not plant-specific, but as the heading
2 says, generic open items.
3 Are they on their way to resolution?
4 MR. SCAROLA: Yes.
5 MR. LEITCH: What is the status of those issues?
6 MR. SCAROLA: Most of those issues relate to the
7 building blocks within the Common Q platform that we had not
8 fully completed. For example, we talked about the flat
9 panel display. We talked about the power supply system. We
10 also have a few new analog interface modules that we need
11 for some specific applications such as the CPC, core
12 protection calculator. All of these hardware qualifications
13 will be completed the first quarter of 2001.
14 So we are on the way to essentially closing out
15 all of these issues. We will be talking with the staff
16 about our submittal schedule. This is probably the first
17 time they're seeing 2001 in a date, but we have to sit down
18 and work it out and work out the details.
19 MR. LEITCH: You said one of your objectives was
20 to relax the manual surveillance test intervals. Have you
21 achieved that objective or is that still unclear?
22 MR. SCAROLA: We think we have achieved it in the
23 sense that the staff has reviewed our basis for that, the
24 technical basis, and they have accepted that basis.
25 However, tech spec changes can only occur through license
. 81
1 amendment. So there are probably still some fine points
2 that will be worked out.
3 But in essence, we think we have achieved it.
4 MR. LEITCH: And is that a significant reduction?
5 MR. SCAROLA: Significant, because we now test
6 many functions quarterly or even monthly and we will now go
7 to 18-month intervals.
8 MR. LEITCH: So it's getting to once per refueling
9 type of situation.
10 MR. SCAROLA: Well, it's once per cycle. When you
11 say once per refueling, some utilities get upset about that
12 because they don't want to do anything more during refueling
13 than they have to. So the important thing is once per cycle
14 and all of the testing that we require for manual testing
15 can be done with the plant on-line.
16 So even though it's once every 18 months, when
17 they do it is entirely up to them. We're not forcing things
18 to be done during refueling and that's an important issue
19 for many utilities.
20 MR. LEITCH: Are your cabinets locked and alarmed?
21 MR. SCAROLA: Locked and alarmed.
22 MR. LEITCH: And this testing can be done without
23 jumpers, lifting leads and so forth.
24 MR. SCAROLA: Yes. Most of the testing can be
25 done through the operator's module and the maintenance and
. 82
1 test panels. With regard to the injection of analog
2 signals, what we have proposed is that we do continuous
3 cross-channel monitoring of all redundant sensors and that
4 is the basis for extending that interval.
5 So we will detect sensor drift immediately.
6 MR. LEITCH: As it occurs.
7 MR. SCAROLA: Right, as it occurs.
8 MR. LEITCH: I apologize, I was called out of the
9 room a little bit, but is this -- do you have any operating
10 experience in Europe with this system or anyplace, do you
11 have any operating experience?
12 MR. SCAROLA: We have extensive experience with
13 the predecessor, AC-110, in nuclear applications. We have
14 extensive experience with the AC-160 in fossil applications,
15 in many fossil applications. But the actual first
16 installation of the AC-160 in a nuclear facility will be at
17 Oskarshamn-1 and that's operational in 2001.
18 MR. LEITCH: Now, with the predecessor of the
19 system, when retrofitting nuclear plants, did you experience
20 serious startup problems?
21 MR. SCAROLA: No. Actually, for example, Beaver
22 Valley, when we replaced the Westinghouse analog rod
23 position indication system with the AC-110 system, the
24 installation including all of the testing was done in 15
25 days. There were some minor hiccups, but nothing of any
. 83
1 significance.
2 MR. LEITCH: Do you train utility personnel in the
3 operation and maintenance of the system?
4 MR. SCAROLA: Yes. Not only do we train them, but
5 we encourage the utilities to be part of our design staff
6 when we do an application for them. For example, we are now
7 in discussions with many U.S. utilities about applications and
8 a major element of each one of those programs is their
9 people working in our shop side by side with our design
10 team.
11 MR. LEITCH: Okay.
12 MR. SCAROLA: So it's not only important that we
13 do the training, but there's only so much you can get from
14 training. We really want their people in our staff working
15 with our people.
16 MR. LEITCH: Thank you.
17 CHAIRMAN UHRIG: Other questions? Any comments
18 from the staff?
19 MR. CALVO: No. I think the presentation covered
20 it.
21 CHAIRMAN UHRIG: With this, we will recess and
22 come back at 11:00.
23 [Recess.]
24 CHAIRMAN UHRIG: We will come back into session.
25 Go ahead.
. 84
1 MR. MARINOS: My name is Evangelos Marinos. I am
2 the Section Chief for the Instrumentation and Control
3 Section in the Electrical Instrumentation Branch in NRR.
4 There are two sections, the electrical section and the
5 instrumentation section.
6 In the instrumentation section, of course, we do
7 all the instrumentation reviews, including the digital
8 reviews that you have heard today.
9 We have staff over here that conducted these
10 reviews and if any questions arise that are specific to the
11 review and the SER that you have copies of, they'll be ready
12 to address them.
13 There are also people here from Research who help
14 us in maintaining our status with the advanced issues as
15 they emerge and we look to them to keep us abreast of what
16 is happening.
17 And with that, I will start and give you a quick
18 overview of how we conducted the review. A lot of what I'm
19 going to present is redundant with the presentations you've
20 heard already, but this is a major thing.
21 The reason for replacing the digital equipment, as
22 you already heard, is that analog equipment is going obsolete.
23 Plant components are aging and maintenance costs are
24 increasing and vendors that support analog equipment will no
25 longer provide equipment.
. 85
1 Digital equipment and components are readily
2 available with potential for performance and reliability
3 improvements, as you also heard today from Siemens and ABB.
4 The replacements, of course, include the -- they
5 are expected to replace reactor protection systems,
6 engineered safeguards systems, management systems and
7 balance of plant equipment, which are, to a certain degree,
8 already in place, balance of plant, like feedwater systems
9 controls are replaced with digital systems.
10 Presently, the status of our reviews is
11 as you see in the slide. We have completed the Siemens
12 review and the Westinghouse ABB/CE. We have in-house right
13 now, we're reviewing the ASICS, which is application
14 specific integrated control circuit, and this is a digital
15 system that is just a specific function type of platform.
16 It doesn't have the extent of the main platforms that were
17 described today.
18 The unique features, that is that this kind of
19 circuit design, it can be fully tested and we can have
20 better confidence in its performance.
21 We are still reviewing this and we expect to have
22 it completed this year, by the end of this next month.
23 An additional review we're doing is the Triconex,
24 which just arrived for review, and that platform is
25 essentially the same magnitude as the two that you have
. 86
1 heard today.
2 A large platform and the features of that platform
3 is about the same as the ones that were described today.
4 CHAIRMAN UHRIG: Are there other systems that you
5 expect coming in in the next year or two or are these the
6 three principal --
7 MR. MARINOS: I heard, in fact, yesterday, from a
8 new employee we have, that a French company, I don't recall
9 the name of it, which provides the platforms for French
10 reactors, is considering to submit a topical report for our
11 review, which will be similar to the ones you've heard
12 today.
13 But this is just, I guess, a rumor or just an
14 information that really has no --
15 CHAIRMAN UHRIG: Is that Gillett? It makes no
16 difference.
17 MR. MARINOS: Would you tell me the company's
18 name? Schnela Electric.
19 In our review, we've used the guidelines as
20 security Siemens and ABB/CE presented. The principal
21 guidelines is, of course, the Chapter 7 of the SRP and
22 IEEE-603 and 7-4.3.2.
23 All these documents, particularly the standard
24 review plan, of course, has been fully reviewed by ACRS and
25 over the years that is relevant on a standard review plan
. 87
1 Section 7, Chapter 7, and ACRS is familiar with the contents
2 of that.
3 More specifically, in those guidelines, we have,
4 of course, the branch technical positions that deal with
5 individual areas, like the software review, the branch
6 position 14, defense-in-depth, as you heard today from both
7 vendors. We've reviewed defense-in-depth and have
8 guidelines and criteria which we follow and vendors, of
9 course, know it, to address the specifics that we're
10 interested in.
11 Real-time performance is, of course, we make sure
12 that the platforms can meet the time requirements for an
13 accident event, for a design basis event, time of functions
14 that need to be performed.
15 The on-line periodic testing, as you've heard
16 again today, we evaluate the capability for doing that
17 on-line periodically or continuously, however they prefer to
18 do it. And we look at the level of detail of design. We
19 have, of course, a branch position there. And, of course,
20 programmable logic controllers, their design, software and
21 everything.
22 We have a position that identifies the --
23 highlights the areas that we will be interested in the
24 design.
25 Verification and validation reviews and audits of
. 88
1 software and hardware and their criteria there, Regulatory
2 Guides and IEEE standards that provide guidelines that
3 tell the vendors how they should conduct the verification
4 and validations to assure that the product, the end product
5 meets the expectations of the design.
6 Of course, we also have requirements, lots of
7 them, for software configuration management, which you heard
8 again today, is important to know that the product you have
9 is the product you designed for.
10 The test documentation, software unit testing, of
11 course, more software requirement specifications and
12 software life cycle process, we, again, emphasize that in
13 our review, the planning through the operation of any
14 digital system will make sure that they have proper
15 procedures and documentation to assure that the life cycle
16 is credible.
17 Challenges in the review of the design system,
18 there are many challenges that we have as we're reviewing
19 those things. The rapidly changing software engineering
20 technology, as Ken Scarola indicated, it's changing with the
21 speed of light. I'm afraid we are operating at the speed of
22 sound, but we try and catch up with it, we do the best we
23 can to maintain that --
24 CHAIRMAN UHRIG: Isn't the rapid change occurring
25 in the hardware as opposed to the software or is it both?
. 89
1 MR. MARINOS: It's both, but the hardware, I'm
2 sure, is the one that's changing faster than the software.
3 There is, of course, changes in the languages that are being
4 used right now, but they're basically the same, small
5 variations in the software languages being used.
6 The continuous performance, which is, of course, sequential
7 performance of the analog systems are hard-wired. Its
8 parameter, its function is wired there and you constantly
9 see it in an analog form. In the digital, you rely in the
10 cycle to come back to it.
11 So there is a challenge there to make sure that
12 timing is correct and we have sufficient time to come back
13 to the function that we left.
14 Software reliability is one of the principal areas
15 that gives us a challenge. In large platforms, like the
16 ones described today, testing is, to a large degree,
17 limited. You cannot test all the functions that you can have
18 in a platform like this, so you can have unintended
19 functions, you can have failures that cannot be identified.
20 So as you heard, we rely a lot on the diversity
21 and defense-in-depth to complement the reliability that we
22 may be losing from the software, lack of full testability.
23 Of course, detecting design errors would be one of
24 those errors in the software. With hardware, it could be
25 minimized through the periodic testing and the diagnostics
. 90
1 that are available.
2 Complete testing refers to the software
3 reliability.
4 Potential for common mode failures is, as we
5 talked about, software errors. The complexity of operating
6 systems. Complexity in the operating systems is mainly the
7 systems that are used as the ABB/CE is a commercial grade
8 type of system that is being applied in nuclear service. We
9 need to look at more carefully how we qualify that, and
10 that's the commercial dedication area.
11 Equipment sensitivity environment and temperature,
12 humidity and EMI and RFI was discussed. We have specific
13 criteria for qualification and we place a great attention to
14 that. And vendors have addressed those issues.
15 In our reviews, this is going to be a little
16 redundant, we look principally at the adequacy of
17 commercial grade dedication process to assure safety grade
18 quality platform.
19 This is a serious process. There are a lot of
20 criteria that have been generated, as we indicated earlier.
21 There's EPRI documents that have been generated that we have
22 endorsed and IEEE standards that vendors need to follow in
23 order to commercially dedicate platforms that are not
24 specifically designed and qualified for nuclear service.
25 System requirements, hardware and software
. 91
1 specifications and equipment qualification documents and
2 test data are also being reviewed by the staff. The formal
3 design process, the life cycle was discussed earlier. We
4 look at that and make sure that what they have there will be
5 what they intended to have in the planning, is what the
6 operation will provide, and we look at all the planning of
7 the design, implementation, testing and the final operation
8 aspects of the designs of the life cycle.
9 And adequacy of configuration management and
10 system software. System software is what was discussed
11 earlier today. Again, we place great emphasis in our
12 reviews, and various other documentation.
14 Verification and validation. We look carefully at
15 independence of the people that do the verification and
16 validation to make sure that the designers are not
17 influenced by their own, of course, scheduling and funding
18 requirements and constraints when they do verification and
19 validation. So we try to make sure that the people that do
20 that work are not constrained by the same problems that the
21 designers are, so that the product comes out as more
22 reliable.
23 CHAIRMAN UHRIG: They probably learned out of the
24 same book.
25 MR. MARINOS: They may have learned, but they're
. 92
1 presumably different people with different manners of
2 organization, they have different interests.
3 CHAIRMAN UHRIG: I understand.
4 MR. MARINOS: And we do conduct audits. We go to
5 the sites and we look at some of the documentation from the
6 design through the implementation and testing of some of the
7 software.
8 Environmental qualifications, the platform, as we
9 talked already about this. And interfaces with other
10 equipment and human-machine interfaces.
11 CHAIRMAN UHRIG: What are the environmental
12 requirements for the systems that we're talking about here?
13 Are they that it has to survive a LOCA, a LOCA environment?
14 MR. MARINOS: No, because as stated earlier, those
15 -- the equipment are either in relay rooms or control rooms,
16 usually in the relay room where the cabinets are being
17 replaced.
18 In fact, a lot of them would tend to retain the
19 cabinets that they had before and put the equipment in the
20 old cabinets that have the seismic qualification already.
21 So the environment that was required for analog
22 systems, of course, may be more sensitive for the digital,
23 but that is the kind of qualification that they will need.
24 We don't expect -- now, in smart transmitters,
25 which is something that is coming to us, the transducer
. 93
1 actually is replaced, the traditional transducer with a
2 digital and actually the I/O is right in there and you get
3 the digital signal right out of the transducer.
4 So the qualification of that instrument may be a
5 little different because of the environment that it's in.
6 CHAIRMAN UHRIG: More severe.
7 MR. MARINOS: Correct. But we don't have them yet
8 in safety applications.
9 Interface with existing equipment, communications,
10 timing requirements. Timing requirements to assure that the
11 execution of the whole cycle meets the design basis
12 requirements for actuation of a system when it's needed.
13 MR. LEITCH: Excuse me. I notice that in the
14 Westinghouse SER, there are ten generic issues listed, but I
15 don't see a similar listing in the Siemens. Might I
16 conclude that there are no generic issues related to the
17 Siemens?
18 MR. MARINOS: I'm coming to them in the
19 presentation and maybe we can discuss it then, if I may.
20 MR. LEITCH: Okay. Fine. In the plant specific
21 reviews, now, which will be different than the platform, we
22 will look at the plant specific requirements as they
23 interface with the design details, how were differences in
24 existing nuclear plant equipment interfaces, how they
25 interface with the platform, application specific software
. 94
1 integration with qualified platforms.
2 Of course, they have to generate new software for
3 the application area, so we will apply the same sort of
4 review criteria as we did for the platform for software and
5 hardware and so basically we do the same thing.
6 We will look at the control room design and see
7 how it is amenable to this change. Technical specification
8 modifications, you've heard, again, today, the modification
9 will be essentially relaxing requirements and we are
10 prepared to do that to evaluate those relaxations in
11 extending the surveillance intervals on the basis of the
12 continuous monitoring and testing of the equipment and the
13 reliability of the hardware mainly, because the hardware is
14 continuously monitored, which analog systems generally were
15 not.
16 So we expect significant relaxations for this
17 equipment. Defense-in-depth and diversity, a determination
18 will be -- there is a methodology, as they pointed out today
19 in the platform presentations, generic methodology that the
20 vendors will provide, but then there is a plant specific
21 defense-in-depth based on the design of the systems, what
22 kind of equipment, what kind of systems they will use to
23 complement the platform in terms of to address the
24 defense-in-depth.
25 So, therefore, we will do a specific determination
. 95
1 of the adequacy of defense-in-depth and diversity on a plant
2 specific basis. And the implementation of design.
3 In the Siemens Teleperm review, we completed the
4 SER, as you saw, 5/5/2000 and we find it acceptable, with
5 the following items that remain open.
6 We identified four items; power supply to be
7 qualified according to the EPRI document, the EPRI document
8 we have endorsed and addresses the quality of the power
9 supply for the digital equipment.
10 The environmental qualifications are addressed
11 also in the same topical report. The seismic qualifications
12 that you heard, it was presented, now we still have open
13 items. I think Siemens did not indicate there was an open
14 area, I'm not sure, but there is an area we still need to
15 get information on.
16 And the EMC qualification, according to another
17 topical report, an EPRI topical report 102323.
18 So I think that Siemens is planning to address
19 that or if not, we will address it on a plant specific
20 basis. If a platform comes in with specific application and
21 it's not addressed by, it will be addressed one way or
22 another, either by Siemens or by plant specific application.
23 MR. LEITCH: Does EMC include RFI?
24 MR. MARINOS: Yes. EMI/RFI is both of them.
25 Plant specific review for the Teleperm XS review we will
. 96
1 look for, of course, set point analyses, how they address
2 the set points for the accident analysis and make sure that
3 the accidents in Chapter 15 or whatever chapter it is for
4 the particular plant are addressed in their evaluation of
5 that, in the implementation of the platform.
6 Again, plant specific technical specifications will be
7 looked at before we address any relaxations in how the tech
8 specs, the present inspection of plant apply to this.
9 The power supply quality, again, is an area that
10 we will look at, because the plant specific area will have
11 separate power supplies.
12 Isolation devices to be qualified, and those are
13 the devices that would be used when information is taken
14 from the platform into communication areas for sharing. We
15 want to make sure that no unwanted transients are affecting
16 redundant channels in the system.
17 The Westinghouse/CE Common Q review was completed
18 August 2000 and the area that we have open, as Ken Scarola
19 addressed them earlier, is the flat panel display system,
20 which is presently non-safety and they will address the
21 safety aspects of it at a later date.
22 Hardware, non-AC-160 hardware have not undergone
23 commercial dedication. Now, as we said before, commercial
24 dedication of hardware and software is something that we
25 look at and that is not completed yet for that particular
. 97
1 area.
2 And the technical specifications that NEI has a
3 more generic review of that, so we will wait for them before
4 addressing the technical specifications.
5 Again, the plant specific areas for the
6 Westinghouse type will be -- well, suitability of the 600
7 I/O modules, I think Ken Scarola addressed that earlier, how
8 it's going to be applied in plant specific applications.
9 Environmental data, plant specific temperatures and humidity
10 and seismic qualification requirements, as enveloped by the
11 Common Q qualification, to make sure that the plant specific
12 are enveloped. If not, they will have to do a more special
13 qualification.
14 The life cycle, again, plant specific hardware and
15 software life cycle process, we will evaluate, that is an
16 area that needs to be addressed.
17 Timing analysis, again, we make sure that the
18 timing of the events are consistent with the application of
19 that platform.
20 And modification of plant specific technical
21 specifications. And the capacity of shared sources, the
22 common mode, make sure that the power supplies meet all the
23 requirements.
24 In conclusion, we expect, in the near future, to
25 receive plant specific applications and license amendments
. 98
1 for the two platforms that are already out there. We will
2 continue to review the Triconex and the Westinghouse
3 platforms. And we're seeking to increase our qualified
4 staff. We're always short on staff and we are anticipating
5 a large number of reviews in plant specific areas. We will
6 need more staff to continue this and train ourselves.
7 CHAIRMAN UHRIG: Given the pressure to maintain or
8 actually reduce manpower within the Commission, is this
9 going to be a severe problem getting people with expertise?
10 MR. MARINOS: I don't think so. I think our
11 management is sensitive enough and have been informed enough
12 and, as you pointed out earlier, the Commission is aware of
13 this and, no, I don't think this area is, in fact -- I'm
14 encouraged to put out a vacancy announcement to get
15 technical --
16 CHAIRMAN UHRIG: The problem will be getting
17 somebody to respond to a vacancy notice. Not many people
18 out there that are really qualified.
19 MR. MARINOS: That is the problem. So we've got
20 to maintain what we have and increase our staff and also
21 maintain, of course, the expertise as the technology is
22 moving at the speed of light, as Ken indicated.
23 So we have a great challenge there. So as I
24 mentioned earlier, we are cooperating with Research.
25 Research is doing a lot of searching into maintaining our
. 99
1 expertise and keep us in touch with the changing technology
2 and there are a number of issues that we usually have
3 identified and they are having contracts with specialists in
4 various labs or other technical areas, organizations to
5 maintain our status.
6 That's it.
7 MR. LEITCH: I notice that Westinghouse has
8 withdrawn the E3.
9 MR. MARINOS: Yes.
10 MR. LEITCH: Is there any suggestion that in light
11 of the acquisition of ABB/CE, that the ASICS may be
12 withdrawn?
13 MR. MARINOS: I'm not sure. I suspected this. It
14 was not as far along as the ABB was when we were reviewing
15 it. It was mostly in the planning stages and my guess is it
16 is, but maybe Westinghouse can address that.
17 MR. SCAROLA: I can address it. No, there is no
18 intention to withdraw the ASICS application. We really view
19 these as different products for different markets. So the
20 ASICS application will stay intact.
21 MR. LEITCH: The E3.
22 MR. SCAROLA: The E3 has been withdrawn and the
23 AC-160, the Common Q platform is now the Westinghouse
24 standard product for all safety system replacements.
25 MR. MARINOS: The question was why was it
. 100
1 withdrawn.
2 MR. SCAROLA: I'm sorry. It was withdrawn because
3 they were overlapping products and when Westinghouse
4 acquired ABB, we were much further along with the Common Q
5 licensing than Westinghouse was with E3. So it was just a
6 business decision. There was no need for two platforms.
7 The ASICS is a different product because it's
8 really targeted for essentially spare part type of
9 replacements, one for one module replacements, not full
10 system replacements. It's a different market.
11 CHAIRMAN UHRIG: E3 was essentially the Sizewell B
12 technology?
13 MR. SCAROLA: No. In fact, the E3 was a
14 combination of the Sizewell software with the Ovation
15 product hardware. It was a merging of the two platforms.
16 CHAIRMAN UHRIG: Thank you. Any comments from
17 committee members?
18 MR. LEITCH: I see in the discussion of the
19 Siemens there is a lot of specific general design criteria
20 that it says it meets this, it meets this, it meets this.
21 That seems to be absent in the Westinghouse -- is it just a
22 difference in presentation?
23 MR. MARINOS: Style. It's different reviewers.
24 Though we had the peer review and most everyone in the group
25 that has this expertise participated in the review of all of
. 101
1 them, of both of those topical reports, it was a specific
2 reviewer, however, designated, or two. So it was a
3 different style of review. We didn't really pay that much
4 attention to make it as consistent as it might have been,
5 but that's not the case. They all meet the same criteria.
6 MR. LEITCH: Thank you.
7 MR. MARINOS: That's exactly right.
8 CHAIRMAN UHRIG: Any other questions?
9 MR. LEITCH: No.
10 CHAIRMAN UHRIG: Well, thank you very much.
11 MR. SIEBER: I think we can close this session at
12 this time. I guess I'd like to extend our appreciation to
13 all the presenters today. I think it was well done and at
14 this time we will recess the meeting and go to lunch.
15 [Whereupon, at 11:29 a.m., the meeting was
16 concluded.]