UTLR-0020NP Part IV Rev. 1
February 2015

Topical Report

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application

Part IV: Compliance to the Codes and Standards

Approved by Instrumentation & Control Systems Design and Engineering Dept.
Toshiba Corporation, Nuclear Energy Systems & Services Division

©2012 - 2015 Toshiba Corporation All Rights Reserved

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application, UTLR-0020NP Part IV Rev. 1

PART IV Compliance to the Codes and Standards

The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

TOSHIBA CORPORATION, Nuclear Energy Systems & Services Division


Table of Contents

Table of Contents ........ 1
List of Tables ........ 2
Note for Acronyms and References ........ 3
IV-1 Introduction ........ 4
  IV-1.1 Background ........ 4
  IV-1.2 Purpose ........ 6
  IV-1.3 Scope ........ 6
IV-2 Compliance with IEEE Std. 603-1991 ........ 7
IV-3 Compliance with IEEE Std. 7-4.3.2-2003 ........ 21
IV-4 Conformance with EPRI TR-107330 ........ 27
IV-5 Compliance to ISG-04 ........ 80
IV-6 Document Mapping with ISG-06 ........ 94
IV-7 Correspondence of Toshiba Process to RG 1.152 ........ 118


List of Tables

Table IV-2-1 PRM Conformance with IEEE Std. 603-1991 ........ 7
Table IV-3-1 Conformance with IEEE Std. 7-4.3.2-2003 ........ 21
Table IV-4-1 Conformance with EPRI TR-107330 ........ 27
Table IV-5-1 Conformance with ISG-04 ........ 80
Table IV-6-1 Document Mapping with ISG-06 ........ 94
Table IV-7-1 Correspondence of Toshiba Process to RG 1.152 ........ 118


Note for Acronyms and References

All acronyms and references are listed in the Acronym and Reference Part that is provided as a separate part of this Licensing Topical Report (LTR).


IV-1 Introduction

This is Part IV of the Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application (LTR). This part describes compliance to Codes and Standards.

IV-1.1 Background

Toshiba has extensive experience in supplying nuclear safety-grade Instrumentation and Control (I&C) systems in Japan. This experience ranges from supplying digital I&C systems, such as Power Range Neutron Monitors for individual plants, up to designing and manufacturing the world's first fully integrated digital CPU-based I&C system for Advanced Boiling Water Reactors (ABWRs). These systems were first installed at Kashiwazaki-Kariwa Unit 6, and are in use at Kashiwazaki-Kariwa Unit 6 and Hamaoka Unit 5.

Following the installation of the CPU-based BWR digital system, Toshiba started development of I&C technology based on Non-Rewritable (NRW) Field Programmable Gate Arrays (FPGAs) and supplied the NRW-FPGA-based I&C products to Japanese Nuclear Power Plants under Toshiba's ISO 9001 program. NRW-FPGA-based products have been installed in 11 nuclear power plants, including 254 NRW-FPGA-based units for non-safety-related systems, 91 units for safety-related process radiation monitors and 60 units for safety-related neutron monitoring systems.

Toshiba has also been working on establishing a 10 CFR 50 Appendix B (Reference (a2)) Quality Assurance (QA) process to permit the use of Toshiba FPGA-based systems in the US for safety-related applications in nuclear power plants. Toshiba implemented Appendix B QA processes in a phased approach to ensure a smooth transition of the processes at the affected organizations. Part I of this Licensing Topical Report (LTR) describes the phases used for the establishment of the Appendix B QA processes:

• Original Process: Initial establishment of the Appendix B QA process in the system engineering organization. This process was applied to the development and the qualification of the Power Range Monitor (PRM) for a BWR-5. This process is referred to as the original process hereafter.

• Current Process: The original process, improved by extending the Appendix B QA process into the design organization and closer to manufacturing, in which other Toshiba NRW-FPGA-based I&C products are to be developed. This process is referred to as the current process hereafter in this LTR.

Toshiba has used the original process to develop and qualify a NRW-FPGA-based Power Range Monitor (PRM) for a BWR-5.

After the development of the PRM, Toshiba was selected as the Engineering, Procurement, and Construction (EPC) Contractor for two new Advanced Boiling Water Reactors (ABWRs) to be constructed at the South Texas Project (STP) site. South Texas Project Nuclear Operating Company (STPNOC) selected the NRW-FPGA-based systems for the Reactor Trip and Isolation System (RTIS) and the Neutron Monitoring System (NMS).

STPNOC elected to license the NRW-FPGA platform using the Design Acceptance Criteria (DAC) inspection process. Key platform design information regarding platform independence, determinism, diversity, redundancy, and simplicity is included in the STP 3&4 COL and has been reviewed by USNRC Staff and the Advisory Committee on Reactor Safeguards (ACRS).

In April 2011, the schedule for procurement and engineering activities for the STP 3&4 project, including the post-COL DAC Inspection activities, was extended and is no longer predictable. COL related activities continue.

Toshiba desires the USNRC platform review to continue, so this LTR has been drafted for submittal. This LTR consists of the following six Parts and an Acronym and Reference Part.

Part I describes the software lifecycle and development processes.
Part II describes the design description of the platform together with the application guide.
Part III describes the qualification results of the BWR-5 PRM and the ABWR Oscillation Power Range Monitor (OPRM).
Part IV describes the compliance to the Codes and Standards.
Part V is the V&V report of the BWR-5 PRM.
Part VI is the V&V report of the ABWR OPRM.

The Acronym and Reference Part lists all the acronyms and references used in all Parts of the LTR except Parts V and VI. Parts V and VI have their own acronym and reference lists because they are existing actual V&V reports of the BWR-5 PRM and the ABWR OPRM.


IV-1.2 Purpose

This document is Part IV of the LTR. The purpose of this part is to describe the compliance of Toshiba NRW-FPGA-based Safety-Related I&C Systems to the codes and standards.

IV-1.3 Scope

This Part IV is being submitted to the USNRC for review and approval of Toshiba NRW-FPGA-based Safety-Related Systems as a platform.

Part IV of the LTR describes the compliance of the Toshiba NRW-FPGA-based Safety-Related I&C System to the following codes and standards:

• IEEE Std. 603-1991 (Reference (a36))
• IEEE Std. 7-4.3.2-2003 (Reference (a30))
• EPRI TR-107330 (Reference (a46))
• ISG-04 (Reference (a22))
• ISG-06 (Reference (a23))

This report includes the following information:

• Section IV-1 provides introductory material, such as the report purpose and scope.
• Section IV-2 provides compliance with IEEE Std. 603-1991.
• Section IV-3 provides compliance with IEEE Std. 7-4.3.2-2003.
• Section IV-4 provides compliance with EPRI TR-107330.
• Section IV-5 provides compliance with ISG-04.
• Section IV-6 provides document mapping with ISG-06.


IV-2 Compliance with IEEE Std. 603-1991

Table IV-2-1 documents conformance of a typical Toshiba safety system to IEEE Std. 603-1991 (Reference (a36)), using the PRM system as an example. All Toshiba safety systems will comply with the requirements of IEEE Std. 603-1991, as required by US regulation.

Appendix 7.1-C of the USNRC Standard Review Plan (SRP), NUREG-0800 (Reference (a4)), provides guidance for evaluation of conformance to IEEE Std. 603-1991. Table IV-2-1 is prepared considering Appendix 7.1-C of the SRP.

Figure 2 of IEEE Std. 603-1991 illustrates the scope of the standard. Some parts of this standard are out of the scope of the FPGA-based safety-related I&C systems, as the features apply to the installed system in a plant-specific context. For example, Toshiba cannot include the manual control features defined in Clause 7.2 of IEEE Std. 603-1991, "Execute Features", in the FPGA-based safety-related I&C systems. Rather, such features will be included in a plant-specific design.

In the table, the IEEE clauses are summarized. Toshiba evaluates system and plant-specific designs against the standard itself, to avoid issues with interpretation that result from changing the IEEE standard wording.

Notes:
• "Comply" means the Toshiba safety system complies with the corresponding IEEE Std. 603 requirement.
• "---" means there is no requirement in IEEE Std. 603.
• "N/A" means the IEEE Std. 603 requirement is applied at the plant level, when the systems described in this LTR are integrated with the plant, including the plant HMI.

Table IV-2-1 PRM Conformance with IEEE Std. 603-1991
(Columns: IEEE Std. 603-1991 Clause | Requirements Summary | Compliance | Comments)

Clause 1: Scope. Description of IEEE scope.
  Compliance: ---
  Comments: No requirements.

Clause 2: Definitions. List of definitions used in the IEEE.
  Compliance: ---
  Comments: No requirements.

Clause 3: Reference. List of documents referenced in the IEEE.
  Compliance: ---
  Comments: No requirements.


Clause 4: A safety system design basis shall be established.
  Compliance: Comply
  Comments: Toshiba establishes a specific design basis for each safety system design in each engineering process; the sections of this LTR cited below describe that engineering process. Section I-2 describes the QA programs used in establishing design bases. Section I-3.3.1 describes how the base requirements for the FPGA-based I&C system are established in the Project Planning and Concept Definition Phase.

Clause 4.1: The design basis events applicable to each operation mode.
  Compliance: Comply
  Comments: Section I-3.3.1.1 states that plant specific documents, regulations, and applicable industry codes and standards are inputs to the Project Planning and Concept Definition Phase. The design basis events are included in the plant specific documents and regulations.

Clause 4.2: The safety functions and corresponding protective actions of the execute features.
  Compliance: N/A
  Comments: The FPGA-based I&C systems do not include execute features, but provide signals to the execute features.

Clause 4.3: The permissive conditions for each operating bypass capability.
  Compliance: Comply
  Comments: Section I-3.3.1.3 states that the SDD and IBD are prepared for each FPGA-based system. These documents and drawings document the permissive conditions for each operating bypass capability.

Clause 4.4: The variables or combinations of variables, or both, to be monitored; the analytical limit associated with each variable; the ranges; and the rates of change of these variables.
  Compliance: Comply
  Comments: Section I-3.3.1.3 states that the SDD and IBD are prepared for each FPGA-based system. These documents and drawings document the monitored variables, as well as system response times, ranges, and the rates of change of the variables, with the value for the analytical limit taken from the plant specific document.

Clause 4.5: Minimum criteria for each possible manual action.
  Compliance: ---
  Comments: The FPGA-based Safety-Related I&C systems are automatic systems that provide the automatic initiation function for the corresponding protective actions and do not require any safety action by manual means. However, Toshiba will comply with this requirement when designing systems requiring manual means, including RPS/RTIS.

Clause 4.6: For those spatially dependent variables in 4.4, the minimum number and locations of sensors required for protective purposes.
  Compliance: Comply
  Comments: Section I-3.3.1.3 states that the SDD and IBD are prepared for each FPGA-based system. These documents and drawings document the minimum number and locations of sensors. The APRM and OPRM systems are typical systems that use spatially dependent variables.

Clause 4.7: The environmental conditions throughout which the safety system shall perform.
  Compliance: Comply
  Comments: Section II-A-4.2 describes that the FPGA-based I&C systems take into account the environmental conditions given in EPRI TR-107330 and other nuclear standards.


Clause 4.8: The conditions which may cause degradation and for which provisions are needed to retain the capability for performing the safety functions.
  Compliance: Comply
  Comments: Toshiba will qualify the FPGA-based systems using the guidance of RG 1.180, Revision 1; RG 1.209, Revision 0; EPRI TR-107330; and IEEE Std. 323-2003, as appropriate.

Clause 4.9: The methods of the reliability analysis determine that the reliability is sufficient for the safety systems.
  Compliance: Comply
  Comments: Section I-3.3 (Software Development Plan) and Section I-3.10 (Software V&V Plan) describe the methods Toshiba uses to enhance software reliability, ensuring the requirements in the top level design documents are implemented. For qualitative hardware reliability, Section III-3.2.1 describes the Availability/Reliability analysis used to establish conservative hardware reliability figures. Toshiba uses the hardware reliability numbers to ensure the hardware has sufficient reliability to meet utility and PRA requirements.

Clause 4.10: The critical points in time or the plant conditions, including: 4.10.1 when the protective actions of the safety system shall be initiated; 4.10.2 for the completion of the safety function; 4.10.3 requiring automatic control of protective actions; 4.10.4 allowing returning a safety system to normal.
  Compliance: Comply
  Comments: Section II-2.2.3.3 discusses determinism, stating that analyses are performed to satisfy the design timing requirements set forth in Clause 4.10 of IEEE Std. 603. Section I-3.3.1.3 states that the SDD and IBD are prepared for each FPGA-based system. These documents and drawings determine the critical points in time or plant conditions for the initiation, completion, and control of the protective actions, and the conditions that allow returning the safety systems to normal.

Clause 4.11: The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.
  Compliance: Comply
  Comments: For the FPGA-based I&C systems, the FMEA in the qualification and the hazard analysis report provide documented faults and failures, which Toshiba attempts to eliminate or at least mitigate in the system design (Section III-3.2.2). The system behavior then provides a basis on which plant faults and failures can be evaluated (Section III-4.1.3). For plant systems, Toshiba will perform safety analyses as necessary.

Clause 4.12: Any other special design basis.
  Compliance: Comply
  Comments: Section II-2.2.3.3 discusses determinism, Section II-2.2.3.4 discusses diversity, and Section II-2.2.3.5 discusses simplicity.


Clause 5: The safety systems shall maintain plant parameters within acceptable limits.
  Compliance: Comply
  Comments: Section I-3.3.1.1 states that plant specific documents, regulations, and applicable industry codes and standards are inputs to the Project Planning and Concept Definition Phase. Section I-3.3.1.3 states that the SDD and IBD are prepared for each FPGA-based system. These documents and drawings document how the safety systems, with precision and reliability, maintain the required specific plant parameters within the acceptable limits established for the required design basis event.

Clause 5.1: Single-failure criterion.
  Compliance: Comply
  Comments: Toshiba designs FPGA-based I&C systems, as well as safety systems, considering the Single Failure Criterion. Section II-2.2.2.2 describes the redundant NMS configuration, and how the individual divisions of APRM and OPRM can generate a trip signal leading to a scram signal generated in the RPS, under permissible bypass conditions, meeting the Single Failure Criterion. Section II-2.2.3.1.1 describes how the RTIS meets the Single Failure Criterion even when one division of sensors and logic is bypassed. Section II-2.2.3.4 discusses diversity, and Section I-3.1 discusses how Toshiba uses a high quality lifecycle process to reduce the potential for common cause failure in the programmable logic and in the hardware.

Clause 5.2: Completion of protective action. The safety systems shall be designed to complete the protective actions.
  Compliance: Comply
  Comments: Toshiba designs the RTIS logic to complete the protective action, once initiated.

Clause 5.3: Quality. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program (ANSI/ASME NQA-1-1989).
  Compliance: Comply
  Comments: Toshiba develops FPGA-based safety-related I&C systems in a high quality development process. Section I-2 describes the nuclear QA program. The section also describes how the complete software / programmable logic life cycle program (including the software quality assurance program) operates under Toshiba's NQA-1 compliant nuclear QA program used for the FPGA-based safety-related I&C systems. Section I-3 describes the Software/Hardware development process.

Clause 5.4: Equipment qualification. Safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods.
  Compliance: Comply
  Comments: Part III of this LTR describes Toshiba's Qualification Test program and Test Results. Toshiba qualifies the FPGA-based I&C system by type test, using EPRI TR-107330, IEEE Std. 323-1983 and Reg. Guide 1.209. Reg. Guide 1.180 Revision 1 is used for EMI qualification.


Clause 5.5: System integrity. The safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis.
  Compliance: Comply
  Comments: The qualification test and the V&V efforts will provide adequate confidence that system integrity is maintained under the full range of applicable conditions enumerated in the specific plant design basis. Section I-3 addresses the software/hardware development process that ensures software and hardware integrity of the FPGA-based I&C systems. The process includes software safety analysis, described in Section I-3.9. Appendix 7.1-C of the SRP states that real-time performance is a special concern of system integrity. Section II-2.2.2.2 addresses the NMS response time requirements.

Clause 5.6: Independence.
  Compliance: ---
  Comments: Clause title.

Clause 5.6.1: Redundant portions of a safety system shall be independent and physically separated.
  Compliance: Comply
  Comments: Section II-2.2.3.2.1 describes that each of the divisions of the NMS and RTIS is physically and electrically separated. Section II-2.2.3.2 describes that only votes to trip and status information are provided across divisional boundaries, providing communications independence.

Clause 5.6.2: Safety system equipment shall be independent of, and physically separated from, the effects of the design basis event. Equipment qualification in accordance with 5.4 is one method that can be used.
  Compliance: Comply
  Comments: Toshiba qualifies FPGA-based I&C systems using methods compliant to Clause 5.4 of this IEEE standard.


Clause 5.6.3: The safety system shall be designed not to suffer from credible failures in, and consequential actions by, other systems, in meeting the requirements of this standard.
  Compliance: Comply
  Comments: Section II-2.2.3 describes FPGA application principles including redundancy and independence. Section II-2.2.3.2.1 describes that qualified electrical isolation devices are provided between redundant Class 1E divisions and between non-Class 1E and Class 1E circuits. Sections II-2.1.4.3 and II-2.2.3.2.2 describe data and communication independence. Each division has a uni-directional fiber optic communication link, providing fixed data sets between divisions as well as fixed data sets from each safety-related division individually to external, nonsafety-related systems, through Class 1E to non-1E isolation. Section II-2.2.3.2.2 describes that the NMS allows nonsafety calibration data to be transferred only to one channel of the NMS, and only when that channel is out of service.

Clause 5.6.3.1: Interconnected equipment. (1) Classification: Equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Isolation devices used to effect a safety system boundary shall be classified as part of the safety system. (2) Isolation: No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements.
  Compliance: Comply (both (1) Classification and (2) Isolation)
  Comments: All equipment and programmable logic physically located with safety systems is classified as safety-related. Appropriate data, communication, and electrical isolation is provided between channels/divisions as well as from safety to nonsafety.

Clause 5.6.3.2: Equipment in proximity. (1) Separation: Other systems' equipment placed in proximity to safety system equipment shall be physically separated from the safety system equipment. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std. 384-1981. (2) Barrier: Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4 and 5.5.
  Compliance: Comply (both (1) Separation and (2) Barrier)
  Comments: Section II-2.2.3.2.1 states that each of the divisions of the safety-related NMS and RTIS is physically separated from the other redundant divisions, following the guidance of Regulatory Guide 1.75, which endorses IEEE Std. 384. Each plant-specific design will ensure that adequate separation and/or barriers are provided between systems and wiring as necessary.

Clause 5.6.3.3: Effects of a single random failure. The safety system shall perform the safety functions even if it is degraded by any separate single failure in a non-safety system.
  Compliance: Comply
  Comments: Section II-2.2.3.2 describes the physical, data, and communications independence of the RTIS and NMS, and ensures that they do not suffer from failures in any nonsafety system. Single random failures in the safety systems are dealt with through divisional redundancy. Detected failures are annunciated. For example, the RTIS and NMS do not accept any communications from nonsafety systems except the Gain Adjustment Factors, which are only permitted during maintenance. The effects of a single random failure in the transmission of Gain Adjustment Factors to the PRM have been considered and incorporated in the PRM design.


Clause 5.6.4: Detailed criteria. IEEE Std. 384-1981 provides detailed criteria for the independence of Class 1E equipment and circuits.
  Compliance: Comply
  Comments: Section II-2.2.3.2.1 addresses physical and electrical independence; Section II-2.2.3.2.2 addresses communication and data independence. Toshiba has designed the FPGA-based systems to comply with the likely independence requirements in plant-specific systems.

Clause 5.7: Capability for testing and calibration. Safety system equipment shall provide testing and calibration capability during power operation, retaining the safety functions. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std. 338-1987. Exceptions are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station.
  Compliance: Comply
  Comments: Toshiba designs FPGA-based safety-related I&C systems providing capability for testing and calibration. Section II-2.2.2 describes how the NMS configuration is redundant, and how the SRNM, APRM and OPRM generate divisional votes to trip leading to a scram signal generated in the RPS, under permissible bypass conditions. Section II-2.2.3.1.1 describes that the RTIS was designed to permit surveillance testing and maintenance, and that the RTIS meets the Single Failure Criterion even when one division of sensors and/or logic is bypassed for maintenance. Section II-2.2.3.2.2 describes how the NMS accepts nonsafety calibration data, and that the FPGA-based system includes self-diagnostic functions that continuously verify proper FPGA and communications performance. The NMS is also designed for surveillance testing and maintenance, and also meets the Single Failure Criterion even when one division is bypassed for maintenance. Section II-A-2.7 describes how the programmable logic in the LPRM module provides a diagnostic function to detect an error in the attached EEPROM, which stores the Gain Adjustment Factor, for those FPGAs which use the GAF. Toshiba notes that the sensors themselves are likely to require outages for more extensive maintenance, surveillance, or replacement activities, but that the FPGA-based equipment is designed to support on-line maintenance, to the extent practicable.

Clause 5.8: Information Displays.
  Compliance: ---
  Comments: Clause title.


Clause 5.8.1: Displays for manually controlled actions. The display instrumentation provided for safety manually controlled actions shall be part of the safety systems.
  Compliance: (not legible in the extracted text)
  Comments: The requirements for the information display are issues of plant design, and the FPGA-based I&C system alone cannot be shown to satisfy the requirements. Basically, the RTIS and NMS are designed to accomplish their safety actions without any manual action. However, the FPGA-based I&C systems have features to support information display. Toshiba does not include a video display unit or soft controls in this LTR.

Clause 5.8.2: System status indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status.
  Compliance: N/A

Clause 5.8.3: Indication of bypasses. Bypass status, except for an operating bypass, shall be provided in the control room.
  Compliance: N/A

Clause 5.8.4: Location. Information displays shall be located accessible to the operator.
  Compliance: N/A

Clause 5.9: Control of access. The access to the safety system equipment shall be administratively controlled.
  Compliance: Comply
  Comments: Provisions for controlling access through administrative means are provided in all Toshiba safety system designs. Implementation of such administrative controls is plant-specific. Toshiba FPGA-based I&C systems have some support features to meet this requirement. Section II-2.2.3.2 describes the key lock switch in each LPRM module that blocks data transfer from the nonsafety system.

Clause 5.10: Repair. The safety systems shall allow timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.
  Compliance: Comply
  Comments: Toshiba FPGA-based I&C systems have self diagnostics for early detection of a fault, and their modular design eases the replacement of failed components. Section II-A-2.7 describes how the FPGA has a diagnostic function to detect an error in the attached EEPROM, which stores the setpoint value. Section II-2.2.3.3 describes how the FPGA-based system designs use multiple FPGAs on modules, in which data is passed from the first FPGA through the remaining FPGAs, and a watchdog timer on each module alarms if all signal processing FPGAs do not finish passing data, as well as the means of annunciating the failure to the main control room.


    5.11 Identification. [Comply]
    Requirement: The following identification requirements shall be met: Safety system equipment shall be identified for each redundant portion of the safety system. Components identified as being in a single redundant portion do not require identification. Safety system identification shall be distinguishable from other identification. Identification shall not require frequent use of reference material. The associated documentation shall be identified.
    Comments: Toshiba will meet the identification requirements. Toshiba's QA program requires identification of safety-related documents, including (but not limited to) plans, procedures, instructions, design documents, drawings, VHDL code, V&V reports, safety analysis reports, and test documentation. Sections I-3.3.1.11 and I-3.12 discuss software configuration management that includes activities maintaining the identification and version of FPGA logic.

    5.12 Auxiliary features. [Comply]
    Comments: Auxiliary supporting features and other auxiliary features are provided through plant design; these are outside the scope of this TR. However, according to Figure 3 of IEEE Std. 603-1991, the bypass logic included in the RTIS and NMS is considered an auxiliary feature. All logic including the bypass in the RTIS and NMS is developed meeting IEEE Std. 603-1991. Electrical isolation devices and fiber optic cables are also auxiliary features. The power supply is also an auxiliary feature. Section II-2.2.3.2.1 describes the qualified electrical isolation devices that are provided in the design.

    5.13 Multi-unit stations. [N/A]
    Requirement: The sharing of structures, systems, and components between units at multi-unit generating stations shall be capable of simultaneous performance of the safety functions.
    Comments: The RTIS and NMS will not be shared between units at multi-unit generating stations.

    5.14 Human factors considerations. [Comply]
    Requirement: Human factors shall be considered at the initial stages and throughout the design process.
    Comments: Human factors compliance will be verified by plant-specific implementation. Toshiba considers that the human interfaces on the equipment are sufficient for use by trained operators.


    5.15 Reliability. [Comply]
    Requirement: Appropriate analysis of the design shall be performed.
    Comments: As described for Clause 5.3 of this IEEE standard, Toshiba develops FPGA-based safety-related I&C systems in a high quality development process to achieve the reliability goal. Section I-3 describes the Software/Hardware development process. Section III-3 describes qualification analysis including FMEA. System and software safety activities, including FMEA, are performed throughout the life cycle to detect and eliminate, or at least mitigate, potential unsafe conditions, and ensure that the unsafe conditions are reviewed and tested during the programmable logic, hardware, and integration life cycle processes.

    6 Sense and command features. [---]
    Requirement: The following requirements shall apply:
    Comments: Requirements are in the subclauses.

    6.1 [Comply]
    Requirement: Automatic initiation and control of all protective actions shall be provided.
    Comments: Sections II-2.2.1 and II-2.2.2 describe the RTIS and NMS that will initiate automatic protective actions. Since FPGA-based safety-related I&C systems are digital systems, functional requirements need to be appropriately allocated into hardware and software requirements. Section I-3.3.1 states that a System Design Description (SDD) is prepared, documenting functions and a comprehensive system design description. Based on the SDD, an Equipment Design Specification was prepared that defines functional requirements and hardware and software design requirements. Section I-3.10 describes that Toshiba performs requirements traceability efforts to trace the requirements throughout the life cycle.

    6.2 Manual control. [---]
    Comments: Clause title.

    6.2.1 [Comply]
    Requirement: Division level manual action means shall be provided in the control room to initiate protective actions that are initiated automatically.
    Comments: The RTIS and NMS will initiate automatic protective actions. When integrated with a plant design, appropriate manual capabilities will be supplied to meet regulatory requirements and licensing commitments. The Main Control Room HMI will provide manual means for protective actions.

    6.2.2 [Comply]
    Requirement: Manual control means shall be provided in the control room to initiate protective actions that are not initiated automatically.
    Comments: The RTIS and NMS will initiate automatic protective actions. When integrated with a plant design, appropriate manual capabilities will be supplied to meet regulatory requirements and licensing commitments. The Main Control Room HMI will provide manual means for protective actions.


    6.2.3 [Comply]
    Requirement: Manual control means to maintain safe conditions shall be provided.
    Comments: The RTIS and NMS will initiate automatic protective actions. When integrated with a plant design, appropriate manual capabilities will be supplied to meet regulatory requirements and licensing commitments. The Main Control Room HMI will provide manual means for protective actions.

    6.3 Interaction between the sense and command features and other systems. [---]
    Comments: No requirements.

    6.3.1 [Comply]
    Requirement: Where a single credible event can cause a non-safety system action that results in a condition requiring protective action and can concurrently prevent the protective action in the sense and command feature channels providing protection against the condition, one of the following requirements shall be met:
    (1) Alternate channels shall be provided to limit the consequences. Alternate channels shall be selected from the following: (a) Channels that sense a set of variables different from the principal channels. (b) Channels that use equipment different from that of the principal channels to sense the same variable. (c) Channels that sense a set of variables different from those of the principal channels using equipment different from that of the principal channels.
    (2) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases. Such equipment is considered a part of the safety system.
    Comments: Toshiba will perform safety analyses, and design and implement FPGA-based safety-related I&C systems so that isolation is ensured between:
    * safety systems in the different channels
    * safety systems and nonsafety systems
    The analyses, design and implementation will depend on the plant-specific design, which Toshiba and the utility will incorporate appropriately. Section II-2.2.2.3 describes the NMS system configuration arranged in four divisions. Section II-2.2.1.3 describes the RTIS as separated in four divisions. Section II-2.2.3.2.2 describes communication and data independence including use of uni-directional communication from a safety system to a nonsafety system. Diversity and defense-in-depth (D3) is a plant-specific design activity that will be undertaken with each plant licensing and design basis as well as between the utility, Toshiba, and NRC staff.


    6.3.2 [Comply]
    Requirement: Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass.
    Comments: The RTIS and NMS are configured to meet the single failure criterion even when one of the channels is bypassed. Section II-2.2.2.2 describes that the NMS configuration is redundant, and the APRM and OPRM generate votes to trip leading to a scram signal generated in the RPS, under permissible bypass conditions, meeting the Single Failure Criterion. Section II-2.2.3.1.1 describes that the RTIS meets the Single Failure Criterion even when one division's sensor is bypassed. This clause will be considered in the plant-specific D3 analysis and design activities.

    6.4 Derivation of system inputs. [Comply]
    Requirement: Sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.
    Comments: Toshiba will design I&C systems to use input signals derived from direct measurement of plant parameters, to the extent feasible and practical.

    6.5 Capability for testing and calibration. [---]
    Comments: Clause title.

    6.5.1 Checking the operational availability. [Comply]
    Requirement: Means shall be provided for checking the operational availability of each sense and command feature input sensor required for a safety function during reactor operation.
    Comments: The NMS and RTIS are configured in redundant channels. Each NMS channel has its own set of sensors. Cross-comparison of the sensor readings of different channels provides checking of the operational availability. These cross-checks are performed in an external nonsafety-related system. Likewise, the RTIS is configured in four divisions, each of which has a set of sensors. Cross-checks of RTIS sensor data are also performed in external, nonsafety-related systems to which each RTIS division provides the division's sensor, status, and derived data. Section II-2.2.2.3 describes the NMS configuration. Figure 2-18 provides the RTIS configuration. Toshiba requires the utility to install and operate cross-channel comparisons. The means will be in external, nonsafety equipment, to avoid complexity in the safety systems.

    6.5.2 Assuring the operational availability. [Comply]
    Comments: A part of the RTIS and the SRNM of the NMS are used as the Post Accident Management function. Provision of the means in Clause 6.5.1 of this IEEE standard depends on the plant-specific design using the qualified equipment in this LTR. The qualified condition uses the generic required condition described in EPRI TR-107330 as the mild condition.


    6.6 Operating bypasses. [Comply]
    Comments: Toshiba will design I&C systems including the RTIS and NMS so that their operating bypass becomes active if and only if the applicable permissive conditions are met. Section II-2.2.1.5.1 states that the MSIV-TLF unit performs bypassing and related interlocking based on the bypass and reactor mode signals from the manual switches by hardwired connection.

    6.7 Maintenance bypass. [Comply]
    Requirement: Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass.
    Comments: Toshiba will design I&C systems including the RTIS and NMS so that their maintenance bypasses become active if and only if the applicable permissive conditions are met, with consideration of faults and failures also not being able to bypass more than one division at a time. Section II-2.2.2.3 describes the NMS configuration that allows individual LPRM bypass and channel bypass for maintenance.

    6.8 Setpoints. [---]
    Comments: Clause title.

    6.8.1 [Comply]
    Requirement: The allowance for uncertainties between the process analytical limit and the device setpoint shall be determined using a documented methodology. Refer to ISA S67.04-1987.
    Comments: Data for entry into a utility's setpoint analysis methodology is provided by Toshiba, as described in Section III-3.2.3, Setpoint Support Analysis for PRM.

    6.8.2 [Comply]
    Requirement: Where multiple setpoints are required, the design shall provide means to use the more restrictive setpoint when required.
    Comments: Data for entry into a utility's setpoint analysis methodology is provided by Toshiba, as described in Section III-3.2.3, Setpoint Support Analysis for PRM.

    7 Execute features, functional and design requirements. [---]
    Requirement: The following requirements shall apply to the execute features.
    Comments: No requirement.

    7.1 Automatic control. [N/A]
    Requirement: Capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features.
    Comments: The FPGA-based systems including the RTIS and NMS described in this LTR do not include the execute features, but the systems provide automatic control signals to the execute features. Plant-specific designs will include manual control of the execute features, with the manual signals injected at a point beyond where common cause failure of the programming language could inhibit manual control.

    7.2 Manual control. [N/A]
    Requirement: The additional design features in the execute features for manual control shall not defeat the requirements of 5.1 and 6.2. Capability shall be provided in the execute features to receive and act upon manual control signals.
    Comments: The FPGA-based systems including the RTIS and NMS described in this LTR do not include the execute features.


    7.3 Completion of protective action. [N/A]
    Requirement: The design of the execute features shall be such that once initiated, the protective actions of the execute features shall go to completion.
    Comments: The FPGA-based systems including the RTIS and NMS described in this LTR do not include the execute features, but the RTIS system has a "seal-in" feature to force completion of the protective action.

    7.4 Operating bypass. [N/A]
    Requirement: Operating bypass shall be active if and only if applicable permissible conditions are met, and if the conditions change:
    remove the bypass,
    restore the plant conditions, or
    initiate the appropriate safety functions.
    Comments: The FPGA-based systems including the RTIS and NMS described in this LTR do not include the execute features. The systems comply with the operating bypass requirements in Clause 6.6 of this IEEE standard as sense and command features.

    7.5 Maintenance bypass. [N/A]
    Requirement: The capability of a safety system to accomplish its safety function shall be retained while execute features equipment is in maintenance bypass.
    Comments: The FPGA-based systems including the RTIS and NMS described in this LTR do not include the execute features. The systems comply with the maintenance bypass requirements in Clause 6.7 of this IEEE standard as sense and command features.

    8 Power source requirements. [---]
    Comments: Clause title.

    8.1 Electrical power sources. [N/A]
    Requirement: Those portions of the Class 1E power system required to provide the power to the safety system are a portion of the safety systems.
    Comments: This requirement is mostly addressed in plant-specific designs. The low voltage power supplies inside the equipment are safety related, Class 1E. This LTR does not address this requirement for external power, but the systems are designed to support installation in electrical systems compliant to this requirement.

    8.2 Non-electrical power sources. [N/A]
    Requirement: Non-electrical power sources, such as control-air systems, bottled-gas systems, and hydraulic systems, required to provide the power to the safety systems are a portion of the safety systems.
    Comments: This requirement is mostly addressed in plant-specific designs. The FPGA-based Safety-Related Instrumentation and Control Systems do not require any non-electrical power source.

    8.3 Maintenance bypass. [N/A]
    Requirement: The capability of the safety systems to accomplish their safety functions shall be retained while power sources are in maintenance bypass.
    Comments: This is a requirement for the electrical design. Each plant-specific design will ensure that the capability of the safety systems to accomplish their safety functions is retained while power sources are in maintenance bypass.


    IV-3 Compliance with IEEE Std. 7-4.3.2-2003

    Table IV-3-1 documents conformance of the Toshiba FPGA-based safety-related I&C system to IEEE Std. 7-4.3.2-2003 (Reference (a30)) using the PRM system as an example. All Toshiba safety systems will comply with the requirements of IEEE Std. 7-4.3.2-2003.

    Appendix 7.1-D of the SRP (Reference (a4)) provides guidance for evaluation of conformance to IEEE Std. 7-4.3.2-2003, including "Cyber Security Criteria" added in Reg. Guide 1.152 Revision 2. Table IV-3-1 is prepared considering the points of view in Appendix 7.1-D of the SRP, except that Toshiba uses Reg. Guide 1.152 Revision 3 instead of Revision 2.

    In the table, the IEEE clauses are summarized. Toshiba evaluates system and plant-specific designs against the standard itself, to avoid issues with interpretation that result from changing the IEEE standard wording.

    Notes:
    * "Comply" means the Toshiba safety system complies with the corresponding IEEE Std. 7-4.3.2 requirement.
    * "---" means there is no requirement in IEEE Std. 7-4.3.2.
    * "N/A" means the IEEE Std. 7-4.3.2 requirement is not applicable.

    Table IV-3-1 Conformance with IEEE Std. 7-4.3.2-2003

    IEEE Std. 7-4.3.2-2003: Clause, Requirements Summary, Compliance, Comments

    1 Scope. Amplifying criteria in IEEE Std. 603-1998. [---]
    Comments: No requirements.

    2 References. [---]
    Comments: No requirements.

    3 Definitions and abbreviations. [---]
    Comments: No requirements.

    4 Safety system design basis. [---]
    Requirement: No requirements beyond those defined in IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603.

    5 Safety system criteria. [---]
    Comments: Requirements are in the subclauses.

    5.1 Single-failure criterion. [---]
    Requirement: No requirements beyond those defined in IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603.

    5.2 Completion of protective action. [---]
    Requirement: No requirements beyond those defined in IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603.


    5.3 Quality. [---]
    Comments: The Toshiba life cycle processes incorporate both hardware and programmable logic, as the two are heavily interconnected, including the process for integrating programmable logic and hardware and commercial grade dedication of hardware components and assembly.

    5.3.1 Software development. [Comply]
    Comments: Section I-3 describes the Software/Hardware development process, which conforms to BTP 7-14. Section I-3.3 describes software development plans.

    5.3.1.1 Software quality metrics. [Comply]
    Comments: Toshiba uses several metrics in the process. Section I-3.2.6 describes that the PMs are responsible for metrics. Section I-3.11 describes how the V&V reports and evaluates metrics.

    5.3.2 Software tools. [Comply]
    Comments: Software tool evaluations are performed as required by the SQAP and the Software Verification and Validation Plan (VVP). Section II-2.1.5 describes use of the software tools in the FPGA design. Sections I-2.2.1 and I-2.3 describe that Toshiba surveyed tool vendors and implemented a Critical Digital Review of the software tools and vendor software processes, including acceptance of software tools from their sub-vendors. Section I-3.3.10 describes software development tool control. The Netlist Viewer and ModelSim tools are used to detect design errors in the VHDL logic. Section I-3.10 includes use of the software tools in the V&V.

    5.3.3 Verification and validation. [Comply]
    Comments: Section I-3.10 describes the V&V Plan, stating that the V&V Plans cover the requirements of IEEE Std. 1012 as endorsed in USNRC Reg. Guide 1.168.

    5.3.4 Independent V&V (IV&V) requirements. [Comply]
    Comments: Toshiba performs IV&V activities, with at least as much independence as is required in this clause. Section I-3.2.1 discusses the organization including the IV&V Team. Sections I-3.2.2 and I-3.2.3 state the independence of the IV&V Leads. Section I-3.10 describes the V&V Plan.

    5.3.5 Software configuration management. [Comply]
    Comments: Toshiba performs software configuration management in compliance with USNRC RG 1.169 and the endorsed IEEE Std. 828-1990 and ANSI/IEEE Std. 1042-1987. Section I-3.12 describes the software configuration management plan. Sections I-3.3 and I-3.10 include descriptions of baseline reviews.

    5.3.6 Software project risk management. [Comply]
    Comments: Section I-3.2.5 states that the NED PM is responsible for risk management of the entire project including schedule, budget, resources, and technical issues, and must take appropriate actions to minimize project risks.


    5.4 Equipment qualification. [---]
    Comments: Requirements are in the subclauses.

    5.4.1 Computer system testing. [Comply]
    Comments: Section I-3.13 describes the Software Test Plan, which describes FPGA testing, Module Validation Testing, and System Validation Testing. Section III-2 describes Qualification Testing.

    5.4.2 and subclauses: Qualification of existing commercial computers. [Comply]
    Requirement: Including the preliminary phase of the COTS dedication process and the detailed phase of the COTS dedication process.
    Comments: Toshiba established a CGD process to procure FPGA-based safety-related I&C systems. Section I-1.5.3 summarizes the CGD process. Section I-3.3.1.8 describes CGD Planning including identification of PDS, CGD Planning, and Preliminary Technical Evaluation. Sections I-3.3.2.4, I-3.3.2.5, and I-3.3.2.6 describe the CGD process. Section I-3.3.6.2 describes the CGD package prepared at the completion of the CGD process.

    5.5 System integrity. [---]
    Comments: The requirements are described in the subclauses.

    5.5.1 Design for computer integrity. [Comply]
    Requirement: The computer shall be designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function.
    Comments: The FPGA-based safety-related I&C systems are designed for integrity. Section I-3 addresses the software/hardware development process that ensures the software and hardware integrity of the FPGA-based I&C systems. The process includes software safety analysis described in Section I-3.9. Section I-3.9.3.3 states that potential hazards associated with the design are adequately resolved to eliminate or at least mitigate possible safety concerns.


    5.5.2 Design for test and calibration. [Comply]
    Requirement: Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. It shall be verified that the test and calibration function does not affect any computer function not included in a calibration change.
    Comments: Toshiba designs the FPGA-based safety-related I&C systems so that test and calibration functions do not adversely affect the safety functions.

    Section II-2.2.2.3 describes that the NMS configuration is redundant, and the APRM and OPRM can generate a trip signal leading to a scram signal generated in the RPS, under permissible bypass conditions.

    Section II-2.2.3.1.1 describes that the two-out-of-four voting logic across all four divisions of the RTIS becomes two-out-of-three voting logic if one division's sensors are bypassed for test or calibration. If another division fails while one division is bypassed, the remaining two divisions can still perform the safety functions.

    Section II-2.2.3.2.2 states that the NMS allows nonsafety calibration data to be transferred only to one channel of the NMS when that channel is out of service, that an operator then has to review each piece of calibration data, and accept that the printed calibration data has been transferred to the correct division and to the correct LPRM within that division, before accepting the calibration data for use. This process is then repeated in all four divisions.

    Requirement: V&V, configuration management, and QA
    * shall be required for a test and calibration computer providing sole verification of test and calibration data;
    * shall be required for the test and calibration function of the safety system;
    * are not required when the test and calibration function on a separate computer does not provide the sole verification of test and calibration data.
    [Comply]
    Comments: Toshiba does not incorporate a test and calibration computer in the NMS or RTIS systems.
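    The degraded-mode voting that the comments for Clause 5.5.2 above (and for Clause 6.3.2 of IEEE Std. 603-1991 earlier in this part) rely on can be checked exhaustively in a small reference model. The Python below is an added illustration, not Toshiba's FPGA logic and not an excerpt from the LTR; it assumes a four-division voter with a fixed trip threshold of two votes, that a bypassed division's vote is simply excluded (so 2oo4 degrades to 2oo3), and that at most one division may be in maintenance bypass at a time, as the Clause 6.7 comment states. The single-failure checks enumerate every bypass choice combined with one other division stuck at trip or at no-trip.

```python
"""Reference model of a 2-out-of-4 trip voter with one-division maintenance bypass.

Added example (not from the LTR). Assumptions: four divisions, trip threshold
fixed at two votes, and a bypassed division's vote is excluded from the count.
"""
from itertools import product

N_DIVISIONS = 4
TRIP_VOTES_REQUIRED = 2  # unchanged whether 4 or 3 divisions are in service


class BypassError(ValueError):
    """Raised when a bypass request violates the one-division-at-a-time rule."""


def trip_decision(votes, bypassed):
    """Return True if the voter issues a trip.

    votes:    list of N_DIVISIONS booleans, one trip vote per division.
    bypassed: set of division indices currently in maintenance bypass.
    """
    if len(votes) != N_DIVISIONS:
        raise ValueError("expected one vote per division")
    if len(bypassed) > 1:
        raise BypassError("at most one division may be bypassed at a time")
    in_service = [v for i, v in enumerate(votes) if i not in bypassed]
    return sum(in_service) >= TRIP_VOTES_REQUIRED


def bypass_request_rejected(bypassed):
    """Return True if the voter refuses the given set of bypassed divisions."""
    try:
        trip_decision([False] * N_DIVISIONS, set(bypassed))
    except BypassError:
        return True
    return False


def single_failure_survives_demand():
    """Single-failure check in the safe direction.

    With any one division bypassed and any other division failed (stuck at
    no-trip or stuck at trip), a real demand, in which every healthy division
    votes trip, must still produce a trip from the two remaining divisions.
    """
    for bypassed_div in range(N_DIVISIONS):
        for failed_div, stuck_value in product(range(N_DIVISIONS), (False, True)):
            if failed_div == bypassed_div:
                continue
            votes = [True] * N_DIVISIONS  # demand present
            votes[failed_div] = stuck_value  # failed division ignores the demand
            if not trip_decision(votes, {bypassed_div}):
                return False
    return True


def single_failure_no_spurious_trip():
    """Single-failure check against spurious actuation.

    With any one division bypassed and no demand, one other division stuck at
    trip contributes a single vote, which must not reach the threshold.
    """
    for bypassed_div in range(N_DIVISIONS):
        for failed_div in range(N_DIVISIONS):
            if failed_div == bypassed_div:
                continue
            votes = [False] * N_DIVISIONS  # no demand
            votes[failed_div] = True  # one spurious trip vote
            if trip_decision(votes, {bypassed_div}):
                return False
    return True


if __name__ == "__main__":
    print("2oo4, two votes, no bypass:", trip_decision([True, True, False, False], set()))
    print("2oo3, division 1 bypassed:", trip_decision([True, False, True, False], {1}))
    print("demand survives bypass + single failure:", single_failure_survives_demand())
    print("no spurious trip with bypass + single failure:", single_failure_no_spurious_trip())
    print("two simultaneous bypasses rejected:", bypass_request_rejected({0, 1}))
```

    Both enumerations pass only because the threshold stays at two while the population shrinks from four to three; a voter that re-derived the threshold as a majority of the divisions in service would still satisfy the demand check but would trip spuriously on one stuck division once a second division were bypassed, which is why the one-bypass-at-a-time rule and the fixed threshold belong together.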


    5.5.3 Fault detection and self-diagnostics. [Comply]
    Requirement: Self-diagnostics are one means that can be used to assist in detecting failures. If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function.
    Comments: Section II-2.2.3.2.2 describes how the FPGA-based system includes self-diagnostic functions that continuously verify proper FPGA and communications performance. Section II-A-2.7 describes that each FPGA that has an EEPROM to store constants for the setpoint value storage has a diagnostic function to detect an error in that EEPROM.

    5.6 Independence. [Comply]
    Comments: Toshiba complies with the guidance provided in Digital Instrumentation and Controls Interim Staff Guidance 4, Revision 1. Sections II-2.1.4.3 and II-2.2.3.2.2 describe communication and data independence. Each division has a uni-directional fiber optic communication link, providing fixed data sets from each safety-related division individually to the nonsafety-related system, providing Class 1E to non-1E isolation. The data passed between divisions is votes to trip, which are combined in the RPS voters. No engineering unit data passes between divisions.

    5.7 Capability for test and calibration. [Comply]
    Requirement: No requirements beyond those of IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603.

    5.8 Information displays. [N/A]
    Requirement: No requirements beyond those of IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603. This LTR does not contain any information display for plant operation.

    5.9 Control of access. [Comply]
    Requirement: No requirements beyond those of IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603.

    5.10 Repair. [Comply]
    Requirement: No requirements beyond those of IEEE Std. 603.
    Comments: No requirements beyond this clause in IEEE Std. 603.

    5.11 Identification. [Comply]
    Comments: The PC board fabricator installs the logic in the FPGA, and the logic cannot be changed later. The correct programmable logic is verified by the commercial grade dedication process and by module testing under Toshiba's NQA-1 compliant NQA program. Section I-3.12 explains the software configuration management used to ensure that the correct logic is installed in each FPGA. The configuration management covers the module supplier.


    5.12 Auxiliary features
    Requirement: No requirements beyond those of IEEE Std. 603.
    Compliance: Comply
    Comments: No requirements beyond this Clause in IEEE Std. 603.

    5.13 Multi-unit stations
    Requirement: No requirements beyond those of IEEE Std. 603.
    Compliance: Comply
    Comments: No requirements beyond this Clause in IEEE Std. 603.

    5.14 Human factors considerations
    Requirement: No requirements beyond those of IEEE Std. 603.
    Compliance: Comply
    Comments: No requirements beyond this Clause in IEEE Std. 603.

    5.15 Reliability
    Requirement: When reliability goals are identified, the proof of meeting the goals shall include the software.
    Compliance: Comply
    Comments: No requirements beyond this Clause in IEEE Std. 603.

    6 Sense and command features--functional and design requirements
    Requirement: No requirements beyond those of IEEE Std. 603.
    Compliance: Comply
    Comments: No requirements beyond this Clause in IEEE Std. 603.

    7 Execute features--functional and design requirements
    Requirement: No requirements beyond those of IEEE Std. 603.
    Compliance: N/A
    Comments: No requirements beyond this Clause in IEEE Std. 603. NMS and RTIS have no execute features.

    8 Power source requirements
    Requirement: No requirements beyond those of IEEE Std. 603.
    Compliance: N/A
    Comments: No requirements beyond this Clause in IEEE Std. 603. No requirement for this LTR.

    SDOE
    Requirement: Appendix 7.1-D of the SRP describes "Cyber Security Criteria" in addition to IEEE Std. 7-4.3.2 in accordance with Reg. Guide 1.152, Revision 2. Reg. Guide 1.152 was revised to Revision 3, and "Cyber Security" was changed to "SDOE."
    Compliance: Comply
    Comments: Section I-3.14 describes SDOE. Toshiba's SDOE program complies with RG 1.152, Revision 3, Regulatory Positions 2.1 through 2.5. Toshiba's implementation of SDOE provides sufficient capabilities in the system design to support a utility in evaluation of the system against USNRC Regulatory Guide (RG) 5.71, "CYBER SECURITY PROGRAMS FOR NUCLEAR FACILITIES."


    IV-4 Conformance with EPRI TR-1 07330

    Table IV-4-1 documents conformance of a typical Toshiba safety system to EPRI TR-107330 (Reference (a46)). The PRM system is used as an example. The table refers to the Reactor Trip and Isolation System (RTIS) or the Reactor Protection System (RPS) only where the EPRI TR-107330 requirement is, appropriately, not implemented in the PRM. Table IV-4-1 shows the mapping of EPRI TR-107330 requirements to the PRM or the NRW-FPGA-based Safety-Related I&C Systems.

    Notes:
    * "Comply" means the Toshiba NRW-FPGA-based Safety-Related I&C Systems comply with the corresponding EPRI TR-107330 requirement.
    * "N/A" means the EPRI TR-107330 requirement is not applicable to the Toshiba NRW-FPGA-based Safety-Related I&C Systems.
    * "Exception" means the Toshiba NRW-FPGA-based Safety-Related I&C Systems can be excepted from the corresponding EPRI TR-107330 requirement.

    Table IV-4-1 Conformance with EPRI TR-107330

    Section No / Summary of EPRI TR-107330 Requirements / Compliance with EPRI TR-107330 Requirements (or N/A)

    1 Scope. Description of TR scope.
    Compliance: No requirement

    2 Definitions, Abbreviations, Acronyms. List of definitions, abbreviations, and acronyms used in the TR.
    Compliance: No requirement

    3 Reference Documents. List of documents referenced in the TR.
    Compliance: No requirement

    4 System Requirements. (section heading)
    Compliance: No requirement

    4.1 Overview of Performance Basis. Descriptive information.
    Compliance: No requirement

    4.2 Functional Requirements. (section heading)
    Compliance: No requirement


    4.2.1 General Functional Requirements. Descriptive information.
    Compliance: No requirement

    4.2.1.A Response Time. The overall response time from an analog or discrete input exceeding its trip condition to the resulting discrete outputs being set shall be 100 milliseconds or less. Response time shall include time required for input filtering, input module signal conversion, main processor input data acquisition, two scan times of an application program containing 2000 simple logic elements, main processor output data transmission, digital output module signal conversion, and performance of self-diagnostics and redundancy implementation.
    Compliance: Comply. The generic response time requirements in the EPRI TR are inappropriate for the PRM or for a BWR Reactor Trip System. Toshiba defines system-specific response time requirements based on the Toshiba BWR design basis documents. The system-specific response time requirements are described in Section II-2.2.

    4.2.1.B Discrete I/O. The PLC shall have the capability to provide a total of at least 400 discrete I/O points.
    Compliance: N/A. The I/O configuration of the Toshiba NRW-FPGA-based PRM hardware is application specific. Therefore, the system configurations are shown in known and fixed bases.

    4.2.1.C Analog I/O. The PLC shall have the capability to provide a total of 100 analog I/O points.
    Compliance: N/A. The I/O configuration of the Toshiba NRW-FPGA-based PRM hardware is application specific. Therefore, the system configurations are shown in known and fixed bases. For the BWR-5, 172 analog inputs are provided for the Local Power Range Monitors, with additional inputs for reactor flow.

    4.2.1.D Combined I/O. The PLC shall have the capability to provide a total of 50 analog and 400 discrete I/O points.
    Compliance: N/A. The I/O configuration of the Toshiba NRW-FPGA-based PRM hardware is application specific. Therefore, the system configurations are shown in known and fixed bases.

    4.2.2 Control Function Requirements. The PLC shall provide a high-level language designed for control algorithms.
    Compliance: N/A. The Toshiba NRW-FPGA-based PRM hardware systems are application specific. The control function configuration (i.e., logic) is therefore shown in fixed bases. The VHDL code employed is appropriate for the system functionality.

    4.2.3 Availability/Reliability and FMEA. (section heading)
    Compliance: No requirement

    4.2.3.1 Availability/Reliability Overview. Descriptive information.
    Compliance: No requirement

    4.2.3.2 Availability/Reliability and Basic Requirements. The overall availability goal of the PLC is 0.99.
    Compliance: Comply. The availability of the full PRM system for a BWR-5 is more than 0.99 (see Section III-3.2.1).

    4.2.3.3 Availability/Reliability Calculation Requirements. An availability calculation shall be prepared which conforms to IEEE 352.
    Compliance: Comply. An availability calculation is prepared in a manner that conforms to IEEE 352-1987.


    4.2.3.3.1 Availability/Reliability Calculation Requirements Applicable to Redundant PLCs. For PLCs that include redundancy, the availability calculation shall address additional, redundancy-specific considerations.
    Compliance: N/A. The Toshiba NRW-FPGA-based PRM system does not include redundant components for signal processing. Redundancy is applied at the channel or division level.

    4.2.3.4 PLC Fault Tolerance Requirements. Fault tolerance capability shall be addressed in the availability calculation, and included as part of the qualification envelope definition.
    Compliance: Comply. A Failure Modes and Effects Analysis (FMEA) is performed in accordance with IEEE Std 352-1987. For each component that constitutes the modules, the analysis evaluates its failure modes and effects on the PRM unit performance. The FMEA identifies the following items:
    a. Those faults that will be detected by the run-time diagnostics.
    b. Faults that can only be detected by surveillance testing.
    c. For redundant components (e.g., LVPS modules), the analysis documents the following:
    i) States that result from one or more failures where the system remains operable as well as where it is not operable.
    ii) States where undetected failures have occurred.
    iii) States where a failure in a single component has caused the PRM System to fail.
    iv) States where failures reduce the effectiveness of self-diagnostics.

    4.2.3.5 Failure State/FMEA Requirements. An FMEA analysis shall be performed in accordance with IEEE 352. The analysis shall evaluate the effects of failures of components in the PLC modules on the PLC performance.
    Compliance: Comply. A Failure Modes and Effects Analysis (FMEA) is performed in accordance with IEEE Std 352-1987. For each component that constitutes the modules, the analysis evaluates its failure modes and effects on the PRM unit performance. The FMEA identifies the following items:
    a. Those faults that will be detected by the run-time diagnostics.
    b. Faults that can only be detected by surveillance testing.
    c. For redundant components (e.g., LVPS modules), the analysis documents the following:
    i) States that result from one or more failures where the system remains operable as well as where it is not operable.
    ii) States where undetected failures have occurred.
    iii) States where a failure in a single component has caused the PRM System to fail.
    iv) States where failures reduce the effectiveness of self-diagnostics.


    4.2.3.6 Failure Detection Requirements. The PLC shall contain features to permit generating an alarm when the on-line fault detection detects a failure. Processor-to-processor communication for fault detection shall meet the given specific performance requirements.
    Compliance: Comply. Toshiba's analysis assumes that all diagnostic and annunciation outputs provided for the MCR will be annunciated in the MCR and that appropriate Alarm Response Procedures will be provided to and used by the MCR operators. The following diagnostic functions are provided:

    (a) Monitoring of the Low Voltage Power Supply module
    The Low Voltage Power Supply (LVPS) module shall monitor its output voltage. If the voltage of either LVPS module becomes lower than the setpoint, the STATUS module front panel shall provide the indication and generate a discrete output for annunciation in the MCR.

    (b) Monitoring of the low voltage supply for each module
    The LPRM, APRM, SQ-ROOT, FLOW, TRN, RCV, and STATUS modules shall monitor the input voltage from the LVPS modules. If the input voltage becomes lower than the setpoint, the module shall be reset, which generates a discrete output for annunciation in the MCR.

    (c) Monitoring of the FPGAs with a watchdog
    A watchdog timer shall monitor each FPGA that operates periodically. A group of FPGAs on a single module which operates serially may be monitored by one watchdog timer, as long as the watchdog timer can detect the halt of any FPGA. If a signal processing FPGA halts, the module containing the FPGA shall generate an inoperable signal. The failure of the Human Machine Interface (HMI) FPGA shall not generate an inoperable signal but a Minor Failure Alarm, except for the LPRM module. The watchdog timers shall be constructed of hardware external to the FPGA, driven by a simple completion signal from the FPGA, and not built into the FPGA logic, nor shall the watchdog timer depend on the clock signal used by the FPGA. When any watchdog timer times out, a discrete output is generated for annunciation in the MCR.

    (d) Checking data transmission between units via fiber optic cables
    The module receiving data from the other unit shall verify the periodic occurrence of the data transmissions, and the validity of transmitted data between units over fiber optic cables. The validity of data shall be verified by a Cyclic Redundancy Check (CRC) in the transmitted data.

    Note: Parity check was used as the method for error checking in the PRM system for which Toshiba performed the qualification test. Toshiba will update the FPGA logic to use CRC.


    4.2.3.6 (continued)
    (e) Checking data transmission from the modules in the same unit
    The APRM module shall check the periodic transmission of the data frame from the TRN modules and the RCV modules in the same unit. If a timeout error occurs, a Minor Failure signal shall be generated. The Minor Failure generates a discrete output for annunciation in the MCR.

    (f) Checking constants stored in Rewritable ROM
    Every Rewritable ROM storing constants used for the signal processing shall protect its value with parity bits or dual storage. If an error is detected, a Minor Failure alarm shall be generated. The Minor Failure generates a discrete output for annunciation in the MCR.

    (g) Checking the voltage of the LPRM High Voltage Power Supply on each LPRM module
    The LPRM module shall monitor the voltage of the High Voltage Power Supply. If the voltage becomes lower than the setpoint, the LPRM shall be inoperable. Inoperability of a single LPRM module does not affect the Safety-Related function, but a Minor Alarm will be generated to initiate replacement of the faulted module.

    (h) Checking the input value of the SQ-ROOT module
    The SQ-ROOT module shall perform a range check for the input current value after digital conversion. If the input current value becomes lower than the setpoint, the SQ-ROOT module shall output a failure signal. The Minor Failure generates a discrete output for annunciation in the MCR.
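    The three data-integrity checks in items (d), (e) and (f) can be illustrated together: a CRC on the frame contents, a periodic-arrival check that raises a Minor Failure on timeout, and dual storage of a ROM constant that is only trusted when both copies agree. The Python below is an added example written for this page, not Toshiba's FPGA logic or VHDL; the frame layout (payload, one parity byte, CRC-16 big-endian), the CRC-16-CCITT polynomial 0x1021 with initial value 0xFFFF, the even-parity convention and all sample values are assumptions made for the illustration. It shows the weakness behind the note under item (d): an even number of flipped bits passes a single parity check unchanged, while the CRC detects it.

```python
"""Added example (not Toshiba's code): frame integrity checks of the kind
listed under 4.2.3.6 (d), (e) and (f). Frame layout, polynomial and sample
values are constructed for this illustration."""

# CRC-16-CCITT (poly 0x1021, init 0xFFFF, no reflection). The LTR does not
# name the polynomial; this choice is an assumption for the example.
CRC16_POLY = 0x1021


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise, MSB-first CRC-16 over `data`."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC16_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def parity_bit(data: bytes) -> int:
    """Even parity over every bit of `data`: 1 if the count of ones is odd."""
    return sum(bin(b).count("1") for b in data) & 1


def build_frame(payload: bytes) -> bytes:
    """payload || parity byte || CRC-16 (big-endian); constructed layout."""
    return payload + bytes([parity_bit(payload)]) + crc16(payload).to_bytes(2, "big")


def check_frame(frame: bytes) -> dict:
    """Run both checks as a receiving module would and report which passed."""
    payload = frame[:-3]
    rx_parity = frame[-3]
    rx_crc = int.from_bytes(frame[-2:], "big")
    return {
        "parity": parity_bit(payload) == rx_parity,
        "crc": crc16(payload) == rx_crc,
    }


def flip_bits(frame: bytes, positions) -> bytes:
    """Inject a transmission error by flipping the given (byte_index, bit) positions."""
    buf = bytearray(frame)
    for byte_idx, bit in positions:
        buf[byte_idx] ^= 1 << bit
    return bytes(buf)


def transmission_timeout(arrival_ms, period_ms, tolerance_ms) -> bool:
    """Item (e): True (Minor Failure) if any gap between consecutive frames
    exceeds the expected period plus tolerance."""
    gaps = (b - a for a, b in zip(arrival_ms, arrival_ms[1:]))
    return any(gap > period_ms + tolerance_ms for gap in gaps)


def read_dual_stored(primary: int, mirror: int):
    """Item (f): a constant kept in two ROM locations is trusted only when both
    copies agree. Returns (value, ok); value is None on mismatch so a caller
    cannot silently use a corrupted setpoint."""
    if primary != mirror:
        return None, False
    return primary, True


if __name__ == "__main__":
    sample = bytes([0x12, 0x34, 0x56, 0x78, 0x9A])  # constructed payload
    good = build_frame(sample)
    print("intact     ", check_frame(good))
    # Two flipped bits leave the ones-count parity unchanged, so parity passes.
    print("2-bit burst", check_frame(flip_bits(good, [(1, 3), (3, 6)])))
    print("1-bit error", check_frame(flip_bits(good, [(2, 0)])))
    print("timeout    ", transmission_timeout([0, 10, 35, 45], 10, 2))
    print("dual ROM   ", read_dual_stored(0x0FA0, 0x0FA1))
```

    The two-bit case is the one that matters for the note: the parity result is identical for the intact and corrupted frames, so a receiver relying on parity alone would pass corrupted data to the signal processing, whereas the CRC-16 check fails. The timeout and dual-storage helpers return a decision rather than printing it, so the same logic can feed a Minor Failure output.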

    4.2.3.7.A Recovery Capability Requirements. The PLC shall include a watchdog timer and power bus monitoring features.
    Compliance: (See Item 4.2.3.6 in this table.)

    4.2.3.7.B Recovery Capability Requirements. The PLC processor shall contain power bus monitoring features to assure that the processor successfully completes any memory writes and goes into a reset state when the supply voltage is outside of the range.
    Compliance: N/A. The Toshiba NRW-FPGA-based PRM hardware does not perform any memory writes during normal operation. Should the plant power supply fail or go out of range, the affected PRM Unit will reinitialize upon restoration of power.


    4.2.3.7.C Recovery Capability Requirements. Output modules shall initialize to a known state.
    Compliance: Comply. Whenever power is applied to the PRM equipment, the equipment is initialized by the power on reset function. All trip and alarm outputs remain tripped until the initialization process has completed (about 470 ms). After initialization, the trip and alarm outputs assume the states indicated by calculations and bypass settings.
    The power on reset function is also executed when a power supply low voltage is detected. The module is provided with a power supply monitoring IC, which executes a reset action of about 150 ms and the initial startup of the FPGA when the module is energized. It also executes a reset action when the power supply voltage drops; that is, if the power supply voltage remains low, the module stays in the initialization state and keeps all trip and alarm outputs tripped.
    The PRM System is capable of performing run time diagnostics.
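    The behaviour described under 4.2.3.7.C is a fail-safe default: outputs are tripped while the module is in reset or initialization, an undervoltage detected by the supply monitor restarts that sequence, and only in normal operation do the outputs follow the calculation and bypass settings. The Python below is an added model written for this page, not Toshiba's design; the 150 ms and 470 ms figures come from the text above, while the undervoltage threshold, the 100 ms sample step, the assumption that the 470 ms window is counted from the most recent reset, and the power-dip scenario are all constructed for the illustration.

```python
"""Added model (not Toshiba's code) of the power-on reset behaviour in
4.2.3.7.C: trip outputs stay tripped while the module is in reset or
initialization, and a supply undervoltage restarts the sequence."""

RESET_MS = 150   # ~150 ms reset action by the supply-monitoring IC (from the LTR)
INIT_MS = 470    # outputs remain tripped until ~470 ms after power application
                 # (assumed here to be measured from the most recent reset)


class PrmOutputStage:
    """Tracks the time since the last reset and derives the trip output."""

    def __init__(self, undervoltage_v: float):
        self.undervoltage_v = undervoltage_v  # assumed threshold for the example
        self.now_ms = 0
        self.reset_start_ms = 0   # power applied at t = 0 starts a reset

    def phase(self) -> str:
        elapsed = self.now_ms - self.reset_start_ms
        if elapsed < RESET_MS:
            return "RESET"
        if elapsed < INIT_MS:
            return "INIT"
        return "RUN"

    def step(self, dt_ms: int, supply_v: float, calc_trip: bool, bypass: bool):
        """Advance the clock by dt_ms and return (time_ms, phase, output_tripped)."""
        self.now_ms += dt_ms
        if supply_v < self.undervoltage_v:
            # Supply monitor saw low voltage: restart the reset sequence. While
            # the supply stays low this re-arms every step, so the module never
            # leaves initialization and the outputs stay tripped.
            self.reset_start_ms = self.now_ms
        if self.phase() != "RUN":
            tripped = True                      # fail-safe until initialized
        else:
            tripped = calc_trip and not bypass  # normal trip/bypass logic
        return self.now_ms, self.phase(), tripped


def simulate(samples, undervoltage_v: float = 4.5):
    """samples: iterable of (dt_ms, supply_v, calc_trip, bypass) tuples."""
    stage = PrmOutputStage(undervoltage_v)
    return [stage.step(*s) for s in samples]


def constructed_power_event():
    """Constructed scenario: clean power-up, then a 100 ms undervoltage dip
    while a trip is demanded, then a bypassed trip."""
    samples = [(100, 5.0, False, False)] * 5   # t = 100..500 ms, no trip demanded
    samples += [(100, 4.0, False, False)]      # t = 600 ms, supply dips
    samples += [(100, 5.0, True, False)] * 5   # t = 700..1100 ms, trip demanded
    samples += [(100, 5.0, True, True)]        # t = 1200 ms, trip bypassed
    return simulate(samples)


if __name__ == "__main__":
    for t, phase, tripped in constructed_power_event():
        print(f"t={t:5d} ms  {phase:5s}  tripped={tripped}")
```

    The point to check in the trace is that the output is tripped for every sample in which the module has not completed initialization since the last reset, including the whole window after the supply dip, and that a bypass only has effect once the module is in the RUN phase.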

    4.2.3.8 Requirements for Use of Operating Experience. If operating experience is used as a basis for establishing module failure rates, the PLC manufacturer must have a problem reporting and tracking program.
    Compliance: N/A. Operating experience is not used as a basis for establishing module failure rates of the Toshiba NRW-FPGA-based PRM system.

    4.2.4 Setpoint Analysis Support Requirements. An analysis shall be prepared to provide the information needed to support an application specific setpoint analysis per ISA RP 67.04.
    Compliance: Comply. The PRM trip setpoints can be adjusted by a technician during equipment maintenance or by an operator during periodic surveillance. The PRM System supports setpoint adjustments of equipment on the front panel of each module. Toshiba supplies sufficient data to support a utility's setpoints program, and a statement that the PRM setpoints have sufficient range to cope with applications in BWR plants and the ABWR, in accordance with Section 4.2.4 of EPRI TR-107330.

    4.3 Hardware Requirements. (section heading)
    Compliance: No requirement

    4.3.1 General. (section heading)
    Compliance: No requirement

    4.3.1.1 Background. Descriptive information.
    Compliance: No requirement

    4.3.1.2 Requirements Common to All Modules. All modules shall meet or support the general requirements given in Section 4.2.1, and shall meet the range of environmental conditions given in Section 4.3.6. Special requirements apply to single module assemblies that include both inputs and outputs.
    Compliance: (See Items 4.2.1 and 4.3.6 in this table.)


    4.3.1.3 External Device Requirements. External devices used to meet I/O module requirements shall meet the given specific requirements.
    Compliance: N/A. The PRM, PRNM, RTIS, and RPS do not require external devices, other than sensors and transmitters, which are not part of this LTR. The SRNM requires an external pre-amplifier, which is part of the system design and qualification testing and will be described in this LTR (or a revision to this LTR) for the SRNM.

    4.3.1.4 General Redundancy Requirements. Redundant components may be included in the generic PLC platform.
    Compliance: N/A. The Toshiba NRW-FPGA-based PRM System does not include redundant components for signal processing.

    4.3.2 Input Requirements. (section heading)
    Compliance: No requirement

    4.3.2.1 Analog Input Requirements. The PLC shall include modules that provide analog inputs.
    Compliance: Comply. The Toshiba NRW-FPGA-based PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters. The required analog input design specifications are, therefore, known and satisfied. The RTIS/RPS systems use industry standard transmitters and sensors, which also define the analog input design specifications.

    4.3.2.1.A Monotonicity. The analog inputs shall be monotonic to ±1/2 LSB.
    Compliance: Comply. Toshiba's systems have defined monotonicity, based on the design choice of analog-to-digital converter made for each specific module. See Item 4.3.2.1 in this table.

    4.3.2.1.B Number of Channels. Each analog input module shall provide a minimum of four input channels.
    Compliance: The LPRM and FLOW modules include analog inputs. Both modules are monotonic to ±1/2 LSB. See Item 4.3.2.1 in this table.

    4.3.2.1.C Over Range. The converted value of each analog input module shall remain at its maximum value for over range inputs up to twice rated.
    Compliance: (See Item 4.3.2.1 in this table.)

    4.3.2.1.D Under Range. The converted value of each analog input module shall remain at its minimum value for low range inputs up to the negative of the rated input value.
    Compliance: (See Item 4.3.2.1 in this table.)

    4.3.2.1.E Out of Range Indication. Over and under range conditions shall be indicated in a manner available to the application program.
    Compliance: (See Item 4.3.2.1 in this table.)

    4.3.2.1.1 Voltage Input Requirements.
    Compliance: N/A. There are no analog voltage inputs in the Toshiba NRW-FPGA-based PRM system.

    4.3.2.1.2 Current Input Requirements. (section heading)
    Compliance: No requirement

    4.3.2.1.2.A Analog Current Input Module Ranges. The PLC shall include analog current input modules with ranges of 4 to 20 mA and 10 to 50 mA or 0 to 50 mA.
    Compliance: Comply. The Toshiba NRW-FPGA-based PRM analog input range of 4 to 20 mA is designed to interface with industry standard Flow transmitters. The input range of 0 to 3 mA is designed to interface with the conventional standard LPRM detectors. The required analog input design specifications are, therefore, known and satisfied.


    4.3.2.1.2.B Analog Current Input Module Accuracies. Overall accuracies shall be ±0.35% of the specified range.
    Compliance: Comply. The Toshiba NRW-FPGA-based PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters. The required analog input design specifications are, therefore, known and satisfied.

    4.3.2.1.2.C Analog Current Input Module Resolution. The minimum resolution shall be 12 bits.
    Compliance: Comply. The Toshiba NRW-FPGA-based PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters. The LPRM and FLOW modules convert analog input signals to 12-bit data. The required analog input design specifications are, therefore, known and satisfied.

    4.3.2.1.2.D Analog Current Input Module Common Mode Voltage. The common mode voltage capability shall be at least 10 volts.
    Compliance: Comply. The PRM analog inputs are not general purpose. The PRM analog inputs are appropriately isolated and self-powered.

    4.3.2.1.2.E Analog Current Input Module Common Mode Rejection Ratio. The common mode rejection ratio shall be at least 90 dB.
    Compliance: N/A. For the PRM, the current inputs are not transformed to voltage by external resistors. This requirement is not applicable.

    4.3.2.1.2.F Analog Current Input Module Response Time. The overall response time of the analog current input modules must support the response time requirement given in Section 4.2.1.A.
    Compliance: (See Item 4.2.1.A Response Time in this table.)

    4.3.2.1.2.G Analog Current Input Module Group-to-Group Isolation. The group-to-group isolation shall be at least ±30 volts peak for 4 to 20 mA inputs.
    Compliance: Comply. Analog current inputs are grouped as a unit. The unit to unit isolation is assured by fiber optic cable.

    4.3.2.1.2.H Analog Current Input Module Class 1E to Non-1E Isolation. The Class 1E to Non-1E isolation capability shall meet the requirements of Section 4.6.4.
    Compliance: N/A. Since there is no system-specific requirement to accept nonsafety analog data into a safety system, the analog input modules do not perform Class 1E to Non-Class-1E isolation.

    4.3.2.1.2.I Analog Current Input Module Surge Withstand. Surge withstand shall be as given in Section 4.6.2.
    Compliance: (See Item 4.6.2 Surge in this table.)

    4.3.2.1.2.J Analog Current Input Module Input Impedance. The input impedance shall be 250 ohms maximum.
    Compliance: Comply. The Toshiba NRW-FPGA-based PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters. The RTIS/RPS input impedances are also known, and meet this requirement. The required analog input design specifications are, therefore, known and