Intelligent safety solutions proven in use. RPC Radiy: FPGA-Paved Road to Business Success


Intelligent safety solutions proven in use
RPC Radiy: FPGA-Paved Road to Business Success
September 2015


Contents

Chapter 1: Introduction
  1.1 Background
  1.2 Objectives of the Report
  1.3 Scope of the Report
  1.4 Structure of the Report ... 8
Chapter 2: Organizational Structure of RPC Radiy
  2.1 Radiy Design Bureaus
  2.2 Research and Development
  2.3 Manufacturing Support
  2.4 Procurement
  2.5 Manufacturing
  2.6 Verification and Validation
  2.7 Qualification Test Laboratory
  2.8 Storage and Shipping
  2.9 Installation, Mounting and Commissioning
  2.10 Operation Support
  2.11 Training
  2.12 Quality Management System
  2.13 RPC Radiy's Interfaces with Customers
Chapter 3: RPC Radiy Products and Applications
  3.1 FPGA Technology Features
  3.2 Benefits of FPGA Technology
  3.3 Challenges Affecting FPGA Technology
  3.4 Cyber Security Assurance Considerations
  3.5 Evolution of RPC Radiy's Products
  3.6 RadICS Platform
  3.7 RadICS-Based NPP I&C Systems
  3.8 Switchgear and Controlgear Assemblies
Chapter 4: RPC Radiy's Nuclear and Thermal Industry Experience
Chapter 5: RPC Radiy's Approach to the Modernization of NPP I&C Systems
  5.1 Modernization Goals
  5.2 Approaches to Modernization
  5.3 Modernization Activities
  5.4 Reverse Engineering
  5.5 Cooperation with Subcontractors ... 45
Chapter 6: Safety Evaluation of RadICS Platform and Its Applications
  6.1 Overview of Safety Standards for the Applications of FPGAs in NPP I&C Systems
  6.2 Implementation of Safety Standard Requirements in the Life Cycle of the RadICS Platform and its Applications
  6.3 Requirements for the RadICS Platform and its Applications
Chapter 7: Case Study 1: Functional Safety Approach to the Certification of FPGA-based Platforms and its Applications
Chapter 8: Case Study 2: IAEA IERICS Mission at Radiy's Facilities
Chapter 9: Case Study 3: FPGA-Based I&C Systems Licensing Process Followed in Ukraine and Bulgaria
Chapter 10: Case Study 4: RadICS Digital I&C Platform Licensing Under the U.S. NRC Regulations
Chapter 11: Case Study 5: Modernization of Engineered Safety Features Actuation Systems (ESFAS) at the Kozloduy NPP in Bulgaria
Chapter 12: Case Study 6: FPGA-Based Diversity Features in Radiy's I&C Platforms
Chapter 13: Case Study 7: Embalse Refurbishment Project
Chapter 14: Case Study 8: I&C System of IEA-R1 Research Reactor Control Console and Nuclear Channels Modernization
Chapter 15: Case Study 9: Project with Électricité de France
Chapter 16: Case Study 10: Printed Circuit Board Assemblies of Rod Ready Indicator for Pickering NPP
Conclusion
Bibliography
References
Glossary
Abbreviations
Contributors to Report
Appendix A: International Experience with FPGA Applications in NPPs
Appendix B: Information on RPC Radiy's Board of Directors and Officers ... 95

Chapter 1: Introduction

1.1 Background

The continued safe and economical operation of nuclear power plants (NPPs) requires the modernization of their control and safety systems to cope with obsolescence and age-related degradation. Changes and upgrades made in these systems also affect their digital instrumentation and control (I&C) systems, the human-machine interface (HMI) systems in the control rooms, and the full-scope simulators. Nuclear utilities may choose to perform a large-scale modernization project of their I&C systems in a single maintenance outage, or they may take several modernization steps spread over a number of outages. The design, manufacturing and installation tasks to replace existing I&C systems are usually done by external companies and contractors, with project supervision by the NPPs' technical departments.

Research and Production Corporation (RPC) Radiy has a long history of working with operating NPPs and installing new I&C systems in turn-key projects. The company uses Field-Programmable Gate Array (FPGA) technology in our digital platform to implement customized solutions for NPP I&C systems. With over 90 systems installed to date and upcoming Safety Integrity Level (SIL) 3 certification for the new RadICS platform, Radiy's demonstrated technological expertise is a significant contributing factor to increased safety in the nuclear field. We provide a wide variety of I&C solutions, ranging from full-scope turn-key modernization projects to reverse engineering and PC board-level, like-for-like replacement, as well as solutions to ageing and obsolescence problems, both for safety and non-safety applications.

RPC Radiy has successfully completed the final independent Functional Safety Assessment performed by exida. The certification company confirmed that Radiy's processes complied with SIL3 requirements and that our FPGA-based platform (RadICS) met SIL3 requirements.

[Photo: RPC Radiy is committed to supporting the city's scientific heritage. The statue of Academician and Nobel laureate I.E. Tamm, the developer of the Tokamak, was unveiled at the company headquarters.]

Radiy's I&C systems have been installed in safety-related systems at all operating NPP sites in Ukraine and Bulgaria. The installed systems include the Reactor Trip System (RTS), Reactor Power Control and Limitation System (RPCLS), Engineered Safety Features Actuation System (ESFAS), Rod Control System (RCS), Switchgear and Electrical Distribution Systems, Nuclear Island Control System, and Turbine Island Control System. In addition, we supported Candu Energy Inc. (Canada) in joint projects to improve and modernize safety systems at Embalse NPP (Argentina), OPG at Pickering NPP (Canada), EdF with an I&C Test Platform (France) and IPEN with the I&C system of the IEA-R1 Research Reactor Control Console and Nuclear Channels Modernization (Brazil).

FPGA-PAVED ROAD TO BUSINESS SUCCESS 5

Radiy applies its best practices to other areas of the energy sector, such as the development and supply of I&C systems for the Trypilska Thermal Power Plant (TPP) in Ukraine.

In addition, as part of Radiy's mission to promote the use of reliable, diverse, and cost-effective FPGA-based I&C solutions for safety and control systems in NPPs, Radiy is hosting for the second time the International Workshop on the Application of Field Programmable Gate Arrays in Nuclear Power Plants, in cooperation with the International Atomic Energy Agency (IAEA) and SunPort SA. The series of international workshops was established in 2007 by a group of industry participants interested in FPGA applications in NPPs. As interest in the workshop grew, a committee named the Topical Group on FPGA Applications in NPPs (TG-FAN) was established with the mandate of managing and organizing the international workshops. TG-FAN-organized workshops have been held annually for the past eight years. The International Workshop on the Application of Field Programmable Gate Arrays in Nuclear Power Plants is held on a regular basis and is usually attended by key members of research, design, manufacturing, and supply organizations, as well as nuclear utilities and licensing authorities from several countries.

[Photo: 7th FPGA workshop, 2014, Charlotte, North Carolina, USA]

The workshop builds on the success of previous ones, held and hosted as follows:
- 2008: Chatou, France, hosted by EdF;
- 2009: Kirovograd, Ukraine, hosted by Radiy;
- 2010: Hamilton, Ontario, Canada, hosted by AECL/McMaster University;
- 2011: Chatou, France, hosted by EdF;
- 2012: Beijing, China, hosted by CNNC/CNCS;
- 2013: Kirovograd, Ukraine, hosted by Radiy;
- 2014: Charlotte, North Carolina, USA, hosted by EPRI;
- 2015: Shanghai, China, hosted by SNPAS.

The FPGA workshops attract significant interest and have had a broad representation of utilities, vendors, regulators, and research organizations.

6 RPC Radiy September 2015

Examples of technical areas covered are:
- Benefits and challenges encountered in FPGA applications;
- Methods and tools for application development;
- Methods and tools for verification and validation;
- Productivity and reliability improvement applications;
- Types of applications that can benefit from FPGA implementations;
- Lifecycle of FPGA-based platforms, systems, and applications;
- Regulations, licensing, and standards of FPGA applications;
- Specific standards for FPGAs;
- Qualification and certification;
- Guidance and good practices for FPGA-based system and component applications;
- Diversity provided by FPGA-based systems;
- FPGAs as prototyping tools;
- Cyber security;
- Operating experience;
- FPGA-based modernization of I&C systems and components;
- FPGA-based systems installed in operating NPPs;
- V&V and testing in the FPGA development process;
- Potential future applications in operating NPPs and in new NPP I&C designs.

The updated version of this report was also produced for distribution at the workshop.

1.2 Objectives of the Report

The objectives of this report are:
- To provide a general overview of Radiy's activities, capabilities, products, and their applications in operating and new NPPs;
- To describe the FPGA technology on which Radiy's digital I&C applications are based;
- To present the advantages of FPGA-based I&C systems;
- To present specific case studies on successful applications;
- To discuss issues related to licensing, certification, safety evaluation, and project implementation.

This report summarizes the Company's achievements in the NPP I&C field and presents issues that emerge with the application of FPGA-based I&C solutions in NPPs. The report reflects the current status and practices, experience gained to date, progress made and challenges being faced. Our intention is to update this report on a regular basis to include the latest developments in the application of FPGA-based I&C systems in NPPs.

1.3 Scope of the Report

This report has been prepared for a technical audience with an engineering or managerial background who are interested in learning more about FPGA technology, Radiy's activities and the products and services the company can offer in the field of NPP I&C modernization. Those directly involved in the design, manufacture, testing, qualification, licensing, operation, and maintenance of NPP I&C systems can also benefit from this report, even if they are not familiar with FPGA technology. Potential readers of this report include staff members at managerial and engineering levels of nuclear utilities, regulatory authorities, their technical support organizations (TSOs), R&D organizations, and vendor/manufacturing companies. In general, the information presented in the report can be useful in supporting both the replacement and upgrade of I&C systems and components in existing operating NPPs, as well as the development of I&C systems in new NPP designs. The report can be viewed or downloaded using the following link:

1.4 Structure of the Report

The report has been divided into 16 chapters as follows:
Chapter 1: This introduction.
Chapter 2: Overview of RPC Radiy's organizational structure, its main business units and activities.
Chapter 3: Description of the Company's products, their applications in NPPs and the main features and advantages of FPGA technology. The rest of Chapter 3 describes the evolution of the Company's products, giving a more detailed description of the Company's latest FPGA platform (RadICS) and its applications.
Chapter 4: Reference table of Radiy's FPGA-based I&C systems installed in operating NPPs since
Chapter 5: A description of Radiy's general approach to project implementation in NPP I&C modernization projects.
Chapter 6: A discussion on the safety evaluation of the FPGA-based RadICS Platform and its applications in NPP I&C systems. This chapter also includes an overview of the applicable safety standards for I&C systems in NPPs and a discussion on how they are used in the life cycle of the RadICS Platform and its applications.
Chapter 7: An IEC-based case study on SIL certification and its application to the certification process of the RadICS Platform.
Chapter 8: A description of the results of the 2010 IAEA review mission, referred to as Independent Engineering Review of I&C Systems (IERICS) in Nuclear Power Plants, conducted at Radiy's facilities in Ukraine.
Chapter 9: A discussion on the licensing process followed in NPP I&C modernization projects in Ukraine and Bulgaria.
Chapter 10: A description of the RadICS digital I&C platform licensing process under the U.S. NRC Regulations.

Chapter 11: A description of Radiy's modernization project at the Kozloduy NPP in Bulgaria, in which the Engineered Safety Features Actuation Systems for Units 5 and 6 were replaced by modern FPGA-based systems. This chapter also includes a description of Radiy's replacement of Kozloduy's obsolete switchgear systems (RTZO) with Radiy's new switchgear and controlgear assemblies.
Chapter 12: A description of the diversity that can be introduced in the design of FPGA-based I&C systems in order to prevent common cause failures (CCFs).
Chapter 13: A description of RPC Radiy's modernization projects for Embalse NPP.
Chapter 14: A description of the I&C system of the IEA-R1 research reactor control console and nuclear channels modernization.
Chapter 15: A description of a project with Électricité de France on the development of an FPGA-based I&C testbed on the basis of the RadICS platform.
Chapter 16: A description of a reverse engineering project for the Pickering Nuclear Power Plant in Canada.

Finally, the report includes sections providing Conclusions, Bibliography, References, Glossary and Abbreviations. Appendix A covers international experience with FPGA applications for NPP I&C systems. Appendix B provides information on RPC Radiy's Board of Directors and Officers.

Chapter 2: Organizational Structure of RPC Radiy

RPC Radiy is a leading Ukrainian designer and supplier of advanced I&C systems for NPPs and TPPs. RPC Radiy offers a full development cycle including design, manufacturing, testing, and equipment installation. The Company has over 900 employees, including more than 200 highly qualified design engineers. The figure below shows RPC Radiy's product life cycle and support organizations.

[Figure: Radiy's product life cycle and support organizations. Product life cycle stages and services: R&D, Design, Manufacturing Support, Procurement, Manufacturing, V&V, Qualification, FAT, Shipping, Installation (assembly), Commissioning, SAT, LTO. Capacities supporting the life cycle: R&D (Center for Safety-Oriented Research and Analysis); Design (Design Bureau of I&C Systems, Design Bureau of Fire Safety Automatic Control, Design Bureau of Electrotechnical Equipment, Design Bureau of Physical Processes Analysis, Design Bureau of Software and Hardware Systems); Manufacturing Support (Design Department of Manufacturing Support); Procurement and Shipping (Procurement and Sales Department); Manufacturing (shops with modern equipment); V&V (STC, Technical Department); Qualification (Test Lab); Installation and Commissioning (Installation and Maintenance Department); LTO support (Warranty and Maintenance Department); Training (Training Center). Oversight: certified ISO 9001:2008 QMS (Quality Assurance Department) and Administration (top management). Support infrastructures: Financial and Economic Group, Legal Group, HR, IT Support Group, International Projects Division. External parties: suppliers, subcontractors, customers.]

2.1 Radiy Design Bureaus

RPC Radiy provides a full range of design activities. In addition to the equipment associated with our main FPGA-based platform, RadICS (see Section 3.6), we design other hardware components, such as electrical distribution and switchgear cabinets and non-FPGA-based I&C systems. RPC Radiy's engineering capacities include the following units:
- Design Bureau of I&C Systems: performs design of instrumentation and control and electrical systems for NPPs and other industrial facilities;
- Design Bureau of Fire Safety Automatic Control: performs design of fire detection and video surveillance systems for NPPs and other industrial facilities;
- Design Bureau of Electrotechnical Equipment: designs reactor power control and limitation systems (RPCLS) and electrical distribution control systems;
- Design Bureau of Physical Processes Analysis: develops industrial seismic sensors and seismic detection systems;
- Design Bureau of Software and Hardware Systems: develops new platforms and systems, performs reverse engineering and supports Radiy activities during international projects;
- Design Department of Manufacturing Support.

[Photo: Company designers, always looking for the best technical solutions]

The effective and safe utilization of human resources and the application of processes and qualified tools are the main priorities and responsibilities of the Company's top management, as well as of every employee in the organization. RPC Radiy has adopted design processes and Quality Management System (QMS) practices that comply with the industry-wide safety requirements for I&C systems described in ISO 9001, IEC 61508 and IAEA GS-R-3, as well as with the specific requirements for nuclear I&C systems described in the IAEA and IEC standards for nuclear facilities. Since 1995 RPC Radiy designers have been involved in the development of instrumentation and control systems for the nuclear industry (see the reference list in Chapter 4). RPC Radiy's methods are based on the company's experience, continuous improvement processes and the best international FPGA design practices. RPC Radiy shares its FPGA-related experience with the international NPP community to make FPGA technology and its potential known to the nuclear industry. Using only qualified tools from well-known vendors helps avoid errors during software and hardware development. The Company's technical departments and top management support the designers' professional development. Training of designers is performed on a regular basis to achieve the appropriate staff qualification levels. All training activities are performed according to the Company's QMS standards. Company designers have solid technical skills and sufficient working-level English language skills to allow them to participate in technical discussions and meetings with customers from most countries in the world.

2.2 Research and Development

RPC Radiy is one of the leading companies in the world providing FPGA-based I&C solutions to the nuclear industry and seeking new applications where the advantages of FPGA technology can be utilized. Continuous investment in research and development (R&D) activities leads to continuous improvement of our products and an increased ability to support our customers. Radiy's R&D activities are focused on supporting the company's business strategy and on solutions to problems encountered in the industry. The main R&D mission statements are:
- Create new competitive advantage and value to pave the way for the Company's business success and improve its position as a leading FPGA-based I&C system vendor;
- Conduct R&D that can transfer FPGA technology advantages into company products, services, and technology improvement;
- Improve R&D effectiveness through new knowledge acquisition and innovation.

The Scientific and Technical Center for Safety Infrastructure-Oriented Research and Analysis (STC) is the R&D Department of RPC Radiy, which together with the Company's design bureaus and technical department is committed to maintaining the leading position of RPC Radiy in the design, development, manufacturing and supply of FPGA-based I&C systems to the nuclear industry. Finding the optimal balance between innovation and existing proven-in-use solutions is one of the key elements of the Company's R&D policy.

[Photo: RPC Radiy R&D team]

STC's main activities are as follows:
- Reliability, safety and cybersecurity assessment of FPGA-based I&C systems;
- Supporting the development and other lifecycle processes for I&C systems, software, and FPGA applications;
- Assessment and support of the implementation of the diversity principle in software and I&C systems;
- Development of techniques and tools for verification and validation of software and FPGA-based I&C systems;
- Development of green computing technologies and industrial mobile applications;
- Development of standards and normative documents in the area of critical I&C systems, software and FPGAs;
- Support of the quality management system processes;
- Certification and licensing support for I&C systems, software, and FPGA applications;
- Supporting the training of designers and auditors in I&C systems safety;
- Holding scientific and technical conferences and workshops focused on reliability and safety problems as applicable to FPGA-based I&C platforms in nuclear and other critical applications (for example, the annual international conference Dependable Systems, Services & Technologies, and the Critical Infrastructure Safety & Security (CrISS) Workshop);
- Preparation of research reports for domestic and international workshops and conferences;
- Publication of scientific papers and monographs in reputable domestic and international journals (see the Bibliography section);
- Support of Company participation in international educational and R&D projects;
- Support and education of professionals from independent institutions of higher education, including university (undergraduate and graduate) students and lecturers;
- Support of RPC Radiy patent-related activities;
- Leading university-industry cooperation (UIC);
- Supervision of PhD and post-doctoral research work and dissertations;
- Involving students and young researchers in R&D projects.

2.3 Manufacturing Support

The Design Department of Manufacturing Support provides guidance and support for managing and delivering the design phase of RPC Radiy projects. These activities include issue and configuration management of all documentation relevant to the assembling and manufacturing processes that take place at RPC Radiy (see Section 2.5). This department also issues and keeps up to date the as-built documentation for all I&C systems produced by RPC Radiy. The main features of RPC Radiy's manufacturing support processes are the following:
- Use of modern document control and management tools;
- Assistance for all design departments during the manufacturing phase;
- Interaction with customers in the context of as-built documentation and acceptance tests.

2.4 Procurement

RPC Radiy performs all manufacturing activities in its own production facilities. Certain components, such as printed circuit boards (PCBs) and electronic components, as well as materials, such as metal plates, mounting hardware, and chemicals, are purchased parts. The selection of these components is performed by RPC Radiy technologists, procurement department personnel and QA staff (quality inspectors and auditors), using Test Laboratory capabilities if needed, in accordance with the requirements of the standards and specifications mentioned above and with strong regard to the Company Standards.
According to the requirements of ISO 9001, NQA, NQA-1a-2009 (ASME) and other related standards, it is necessary to establish a supplier evaluation process that provides reasonable assurance that a commercial grade item will successfully perform its intended safety function. The information required for the evaluation of the Company's suppliers is obtained via the following methods:
- Testing (Special Tests and Inspections);
- Supplier assessment (Commercial Grade Survey);
- Supplier inspection (Source Verification);
- Statistical estimation (Acceptable Supplier/Item Performance Record).

The following criteria are used for supplier selection:
1. Quality of delivered items:
   - reliability data of the supplier's items;
   - quantity of unaccepted materials due to noncompliance with requirements;
   - acceptable deviations from requirements across the entire scope of delivery;
   - quality and completeness of the documentation;
   - parts traceability;
   - availability of a certified quality management system.
2. Observance of delivery terms:
   - timely delivery of ordered items;
   - compliance with the commercial and legal conditions of the contract;
   - in case of justified delays, the supplier's ability and willingness to implement a successful schedule recovery plan.
3. Price policy and terms of payment:
   - compatibility of the terms of payment with Radiy's financial strategy;
   - competitive pricing;
   - production capability;
   - financial health of the company;
   - ability and willingness to support their clients during challenging times.
4. Other requirements:
   - ability of the supplier's staff to communicate in a clear and open fashion.

All the above-mentioned activities are performed by the Company's procurement and sales department on a regular basis, allowing us to maintain an up-to-date list of qualified suppliers. As an example, RPC Radiy performs such activities for Altera Corporation and its distributors every three years.

2.5 Manufacturing

RPC Radiy has the following manufacturing capabilities and facilities:
- Metal working shop equipped with automated sheet shearing machines, sheet bending presses, turret punch presses, table spot welding machines and automated welding machines for assembling components and complete cabinets;
- FIPFG/FIPG line for polyurethane foam or silicone sealing contour gaskets on the doors and various panels of the chassis/racks/cabinets, equipped with CNC mixing and dispensing machines;
- Galvanic coating lines;
- Polymeric powder and seal coating lines;
- Automated line for PCB surface mounting (including soldering), equipped with an automatic solder paste screen printer, inspection conveyor, automatic Surface-Mount Device (SMD) pick & place machine, inspection conveyor, automatic convection soldering system and automated X-ray tomography system for soldering quality control;
- Facilities for manual mounting of heavy components, as well as production lines for surface mounting of connectors on the PCBs, with quality inspection workstations;
- PCB washing and protective coating facilities (including protection against tropical conditions) using Silicone Conformal Coating (Electrolube DCA SSC 3 type);
- Fiber-optic patch cable manufacturing facility equipped with a video fiber microscope, polishing machine, fiber optic curing oven and universal optical fiber test platform/reflectometer;
- Facilities equipped with special measurement, monitoring and simulation equipment for calibration of electronic and electrical assemblies and systems;
- Facilities for the repair of PCBs, modules, assemblies and other parts associated with I&C systems, equipped with disassembling, demounting, coating, soldering, measurement, monitoring and simulation equipment;
- Facilities for the inspection of soldering in PCBs, electronic and electrical assemblies.

Processes are in place to ensure that all the above manufacturing facilities are kept in good working condition. The above facilities are also updated in order to incorporate the latest electronic manufacturing improvements. RPC Radiy counts on highly trained professionals and equipment operators. Our manufacturing and inspection facilities comply with Company Standards, Guides, Working Instructions and Procedures, as reflected in our QMS. These are in turn based on ISO, IEC, IPC, Interstate Council for Standardization, Metrology and Certification of the CIS countries (GOST) and Ukraine National Standardization Body (DSTU) standards and recommendations.

[Photos: Automated production line for PCB surface mounting; Automated sheet shearing machine AMADA]

2.6 Verification and Validation

Given the criticality of many of the applications in which RPC Radiy uses our I&C platforms, the implementation of a rigorous approach to V&V in compliance with widely recognized standards is considered by management and the company's technical community an important measure to ensure compliance with the requirements specified by utilities and regulators. RPC Radiy's approach was to establish a V&V program in full compliance with the processes defined in international standards, starting from the Safety Integrity Level (SIL) down to the processes and procedures necessary to provide supporting evidence that our equipment and systems comply with requirements at each stage of the development process. The following V&V methods are in use:
- Document review;
- Failure mode and effects analysis (FMEA);
- Static code analysis and code review;
- HDL code functional testing;
- Logic level simulation, timing simulation and static timing analysis (for FPGA electronic design);
- Review of synthesis, place and route, and bitstream generation reports (for FPGA electronic design);
- Fault insertion testing (FIT);
- Integration testing and validation testing.

Whenever possible, RPC Radiy prefers the use of proven V&V tools over manual methods to eliminate human error. These tools are purchased only from well-established vendors, such as Mentor Graphics, Aldec Inc. and National Instruments Corporation, with track records in Configuration Management (CM), V&V, problem notification and resolution, and support and training materials. The company QMS prescribes that all commercial software tools used for V&V be tested and evaluated, with the issuance of relevant evaluation reports. In addition to commercial software tools, Radiy uses our own custom software and hardware tools for V&V activities.

[Photos: Patience and high professionalism, the main features of a V&V team member; Test bed for fault insertion testing]

RPC Radiy's V&V capabilities are supported by the STC (see Section 2.2 above), a department that is technically, administratively and financially independent from the Design departments. Personnel performing V&V activities have a strong theoretical background and practical experience in the design and testing of software and FPGA Electronic Design (ED). Our practices are in line with those followed by other organizations involved in the design of FPGA-based safety and non-safety I&C solutions for NPPs, and they enable us to achieve full compliance with domestic and international standards. STC took an active part in the SIL3 certification of the RadICS platform.

2.7 Qualification Test Laboratory

Equipment qualification testing for RPC Radiy I&C systems is performed in the Company's laboratories. Our testing laboratory (TestLab) is certified by the National Accreditation Agency of Ukraine (an affiliated member of the International Laboratory Accreditation Cooperation, ILAC) for technical competence in conformance with ISO/IEC 17025:2005. The TestLab is equipped with all the necessary certified test equipment. This test equipment is calibrated in compliance with ISO 10012.

17 The TestLab is operated by trained and experienced staff. The facilities include: Test benches for seismic qualification; environmental qualification (EQ); equipment aging chambers and I&C systems simulation/modeling facilities. Qualification test capabilities include: radiation exposure resistance, dust resistance, pressure, temperature and humidity resistance; seismic qualification, vibration and other mechanical shock resistance, electrical insulation, electrical safety, and electromagnetic compatibility. Where required, we outsource our test activities to certified laboratories and monitor their performance throughout the execution period. As an example, electromagnetic compatibility (EMC) tests of all our I&C systems and platforms were performed in accordance with IEC series standards and EPRI TR (including MIL-STD-461E) requirements (adopted by the U.S. NRC) in the Testing Laboratory of the Research and Design Institute MOLNIYA (Kharkov, Ukraine) and in the Testing Laboratory of the MEEI Kft. (Budapest, Hungary, member of TÜV Rheinland Group), both certified to ISO/IEC 17025:2005. Also, in 2014, radiation exposure resistance tests of our I&C Platforms were performed in accordance with EPRI TR requirements (adopted by the U.S. NRC) in the Independent Testing Laboratory of the Research and Production Enterprise ATOMKOMPLEKSPRYLAD (Kyiv, Ukraine) certified by the National Accreditation Agency of Ukraine (NAAU) in accordance with ISO/IEC 17025:2005. RPC Radiy practices a two-step approach to acceptance testing, both at our premises as follows: pre-factory acceptance testing (pre-fat) held as part of final validation tests of our I&C systems, followed by a FAT with the participation of representatives of Regulatory Authorities (as required) customers and/or final users. RPC Radiy equipment qualification processes comply with IEC based requirements of the IEEE and EPRI based requirements of the U.S. NRC. 
[Photos: Electrodynamic Vibration Table V HBT Combo, LVD; Climatic thermal pressure chamber KTBV]

2.8 Storage and Shipping

Where required by the terms of our contract, we take full responsibility for storage, preservation against corrosion, damage and degradation, and shipping and delivery of I&C equipment and associated documentation to our customers' location of choice.

Our storage, packing and shipment procedures, as applied to our products and components, ensure the following:
- protection against physical and functional damage to the equipment resulting from mechanical or environmental causes;
- labelling of parts in compliance with customer requirements;
- packing of the equipment in containers in compliance with customer requirements; where needed, we support the customer by recommending adequate packaging according to the type of equipment and the transportation mode;
- provision of a complete and detailed packing list;
- where products that do not meet requirements have to be stored or shipped, they are properly identified and controlled to avoid unintended use.

[Photo: RPC Radiy: reliable and careful shipping]

Our procedures prescribe methods and assign responsibilities for the handling of defective products.

2.9 Installation, Mounting and Commissioning

Where required by the terms of the contract, RPC Radiy has all the resources required to either supervise or undertake installation activities effectively and in compliance with the highest quality requirements. Where necessary, in order to achieve our goals and commitments to our customers, RPC Radiy partners with local subcontractors in the installation and commissioning of our systems. Site Acceptance Tests (SATs) are carried out after system installation. The SAT's scope is decided in agreement with our customers. Where required, RPC Radiy provides training to the customer's operation and maintenance staff either at Radiy's or at the customer's facilities.
The following are measures that Radiy has successfully employed in the past and is willing to undertake in order to reduce installation and, as a result, outage times (see Table in Chapter 4):
- the preparation of a detailed project implementation plan (PIP);
- detailed monitoring of all project activities in the PIP and, where needed, the adoption of carefully evaluated remedial actions to ensure proper control of schedule, budget and resources;
- implementation of an effective quality plan in order to ensure compliance with technical and safety requirements and avoid repeat work with a negative impact on the project schedule;
- the employment of highly qualified staff at all levels and for all key activities;
- optimized design resulting in the shortest possible duration of installation and commissioning activities;
- effective communications between our staff and their customer counterparts through the use of experienced Single Points of Contact (SPOC);
- pre-qualification of our subcontractors;
- Radiy's experience with the NPP turn-key contract model.

[Photo: SAT discussion with customer participation]

2.10 Operation Support

At RPC Radiy, we take all measures to ensure that our equipment and services meet customer requirements. Depending on our customers' needs, we offer the following support services:
- Warranty plans can be set up for different periods; they include new parts and labour to cover design, fabrication and installation defects, whether due to materials or workmanship. Our warranty plans include software updates and maintenance at no additional charge during the entire warranty period. The typical guaranteed service lifetime of all systems is 36 months from the day of commissioning, but not more than 48 months from shipping the system to the customer. The guaranteed storage lifetime is 36 months. The actual terms are subject to negotiation under each contract.
- During the warranty service lifetime, RPC Radiy replenishes spare parts at no additional charge, replacing the components used to restore failed equipment. The customer returns failed parts to RPC Radiy for failure cause analysis, repair or disposal. RPC Radiy can renew or repair spare parts to the level corresponding to the original shipment, in accordance with the contract. In order to cater for obsolescence, we offer spare parts and technical support for 30 years after equipment delivery.
- Via our Operating Experience (OPEX) program we keep our customers informed of defects reported by other users. Solutions are addressed by our Warranty and Maintenance Department.
The above department, together with the Installation and Support group, performs analysis of user reports and informs customers of the root causes of failures. The various types of support services are as follows:
- telephone hotline in Russian, Ukrainian and English;
- resident support during the operation of our equipment;
- development of installation and troubleshooting procedures.

Operation support is simplified as a result of the relatively easy approach to code upgrades and the reduced obsolescence risks of FPGA-based I&C systems. Our average response time to customer calls requesting support on our I&C systems is below 8 hours. Our average equipment repair time is below 72 hours from the customer's call time.

2.11 Training

RPC Radiy has facilities in Kirovograd, Ukraine, to train our customers and employees. The training center is equipped with full-scale samples of all I&C systems designed and manufactured by RPC Radiy. Training is provided by qualified instructors using proven methods and tools. Our training infrastructure, methods and tools were successfully utilized in the I&C modernization projects in Bulgaria, where we were able to achieve a high degree of efficiency with the resulting benefits to all stakeholders.

[Photo: Equipment in the RPC Radiy training center]

2.12 Quality Management System

RPC Radiy's QMS covers all company activities during all phases of our products' lifecycle and is designed to ensure that our equipment complies with our customers' and our own quality requirements. Between 1994 and 2003 the Company developed, implemented and put into action a quality management system conforming to the requirements of the ISO 9000 series standards. In February 2004, Radiy passed the certification audit by the Ukrainian State Agency State Regulatory Center of Delivery and Service Quality of the quality certification system SERTATOM. This certified our compliance with the requirements of the national standard DSTU ISO. As a result of the performed activities, a QMS was implemented in Radiy and was certified by UkrSEPRO. In January 2005, our QMS was also certified in the International Certification System by TÜV Rheinland InterCert for compliance with the requirements of the international standard ISO 9001:2000; in October 2013 certification was done according to ISO 9001:2008. As a result of the successful audit, TÜV Rheinland InterCert issued a certificate confirming the required quality of the controlled conditions for production at the Company.
In 2008, after analyzing a set of documents, including the QMS, the State Committee of the Nuclear Regulations in Ukraine granted the Activity License that enables RPC Radiy to perform design and manufacturing activities for certain nuclear products. To assess the production and management capabilities of RPC Radiy for designing, manufacturing and supplying I&C systems for nuclear power plants, corporate customers conducted their own independent assessments as well. In 2010, based on its assessment, the state enterprise National Nuclear Energy Generating Company ENERGOATOM approved RPC Radiy as a corporate supplier and granted the right to manufacture and supply equipment for the Ukrainian NPPs. Inputs from other design and manufacturing companies performing audits to assess Radiy as a potential supplier also helped improve Radiy's quality management system. In 2010 RPC Radiy's QMS was assessed by the former Atomic Energy of Canada Limited (AECL) (now CANDU Energy) Procurement Department to confirm the implementation and effectiveness of the QMS. AECL's Supplier Quality Management System Audit was conducted to evaluate the ability of RPC Radiy to supply products which meet the AECL requirements. A series of Company standards were modified and implemented in order to successfully pass the AECL audit. Based on the audit's results, AECL concluded that Radiy's QMS complies with the Canadian Standards CSA CAN3-Z299 series, and subsequently RPC Radiy was included in the official AECL suppliers list. As a result of an additional audit performed in October 2011 by the International Certification Agency TÜV Rheinland InterCert, RPC Radiy obtained a new certificate for compliance with the requirements of ISO 9001:2008. The certificate's scope included design, manufacturing, installation and maintenance of instrumentation and control systems and fire alarm systems, including systems and equipment important to safety for nuclear power plants. In order to renew the approved vendor qualification status, CANDU Energy audited RPC Radiy at our facilities in April 2013 against Canadian Standard CSA N Z299.1 and ISO 9001:2008. The audit scope included, among other items, Resource Management, Human Resources, Infrastructure, Work Environment, Product Realization, Customer Related Processes, Purchasing, Management Responsibility, and Planning. The audit's conclusion is that the RPC Radiy quality program is compliant with CSA Z299.1, ISO 9001:2008 and supplementary CANDU Energy requirements. The audit also concluded that RPC Radiy has demonstrated quality program effectiveness in order to satisfy the contractual and technical requirements defined in the contracts with CANDU Energy.

[Photo: RPC Radiy senior management in conversation with a CANDU Energy representative during the customer audit in April 2013]

In 2014 RPC Radiy's QMS was assessed by the Hungarian nuclear utility, MVM Paks Nuclear Power Plant.
The audit resulted in the conclusion that Radiy is in full compliance with the requirements to perform work such as design, manufacturing, repair, maintenance, expert activities, main contractor activities and contributions to installation activities related to the operation, maintenance, modification and repair of I&C systems and components classified into safety categories (ABOS) 2 and 3. In April 2015 Radiy's QMS was audited by OS UKRNIIMET-CERT against the requirements of the national standard DSTU ISO 9001:2009. The scope of the audit consisted of the following services and equipment: design, development, manufacturing, supply and maintenance of equipment for automatic data processing, measurement and testing, as well as navigation equipment, switchgear and controlgear equipment, electrical audible or visual signaling equipment, hydraulic and pneumatic equipment, and energy-efficient LED luminaires. OS UKRNIIMET-CERT confirmed that Radiy's Quality Management System met the DSTU ISO 9001:2009 requirements and is capable of producing equipment that meets regulatory requirements.

[Photo: Final stage of audit: joint meeting of Paks NPP's auditors and Radiy's top managers]

We have also made use of the operational experience gained during engineering and installation work at NPP sites and our working knowledge of IAEA standards and guidelines such as GS-R-3, NS-G-1.3, and NS-G-1.1 in developing our QMS. RPC Radiy's QMS is constantly improved and developed. In recent years, we have introduced additional improvements in order to comply with the quality management system standards of various international and national organizations, such as ISO, CSA, the U.S. NRC, IEC, and ASME.

2.13 RPC Radiy's Interfaces with Customers

Global nuclear business development and our Company's sphere of business activities require foreign language competence, a broad range of communication skills, and continuous research and analysis to ensure that we respond to our customers' needs in the most effective way. In striving to meet these requirements, Radiy's International Projects Department draws on core expertise in all areas of the company to liaise with our customers outside Ukraine, providing the required technical assistance, and with international organizations, to identify and pursue opportunities to introduce our products and services. The International Projects Department was created with the goal of strengthening ties between RPC Radiy and its international partners in order to promote our products in the global nuclear industry and utilize the competitive advantages of the reliable state-of-the-art FPGA technology we have developed over the years. The International Projects Department is the main point of contact for all our existing and potential international customers.
Staffed with international project managers and support staff, the team works closely with all divisions of the Company to ensure efficiency in the execution of all activities, from proposal preparation to the timely delivery of all project deliverables. Members of the International Projects Department and the Technical Department jointly take part in customer-specific activities, such as technical meetings, negotiations, responding to requests for proposals and clarification of technical and commercial documentation. In addition, staff members promote Radiy's products and services at international conferences, user group meetings, trade shows, and exhibits.

[Photo: Determined to understand and support the customer's needs]

Services offered by the International Projects Department include:
- assisting in establishing strong scientific and technical cooperation with international companies and organizations;
- data gathering, establishment of connections with international business organizations, business planning, and working with foreign specialists;
- technical and commercial negotiations with representatives of foreign companies;
- development and monitoring of activities associated with the execution of agreements and contracts with foreign companies;
- gathering of data on international experience in the solution of technical and organizational issues;
- development of technical and commercial documentation in English, and translation of such documents from Russian to English and from English to Russian;
- making arrangements for the participation of our staff in international conferences, meetings, exhibitions and workshops;
- development of the company's corporate web-site, promotion of the corporate style, and other marketing-related activities;
- enhancing the Company's corporate style by utilizing the feedback obtained at internal company workshops and seminars;
- provision of translation and interpretation services to the company's specialists and foreign delegations during negotiations and meetings, supporting the coordination of international projects;
- development of a trustworthy relationship with our international consulting companies;
- arranging training courses oriented towards the successful execution of projects and the development of the skills required for working effectively in a foreign language environment.

The International Projects Department supports Radiy's senior management in their effort to increase our Company's knowledge, experience and good practices through effective cooperation with our customers and within our internal organization. Our overall goal is to grow in our professional achievements and business success.

Chapter 3: RPC Radiy Products and Applications

3.1 FPGA Technology Features

FPGA-based I&C systems have been developed and applied in the aerospace and process industries since the early 1990s. Although the use of FPGAs in NPPs has lagged behind other industries in the past, due to quite conservative approaches, there is an increasing number of FPGA installations in operating NPPs worldwide, most of them provided by RPC Radiy. FPGA technology is an alternative to microprocessor-based technologies and other types of programmable devices. FPGAs are semiconductor-based programmable devices which can be configured to perform custom-designed functions. An FPGA-based design comprises two entities: the FPGA chip, a hardware component that can be tested against hardware qualification requirements, and the electronic design, represented by a set of instructions in a hardware description language (HDL) to be configured into the FPGA hardware, which can be verified against functional requirements.

There are two main FPGA chip architectures: fine-grained and coarse-grained. Coarse-grained FPGAs have very large logic blocks (macrocells), sometimes with two or more sequential logic elements, while fine-grained ones have very simple logic blocks. Another architectural difference is the technology used to manufacture the FPGA chips. The most common technologies are:
- EPROM/EEPROM/Flash-based chips, which are re-writable (they allow reprogramming of the FPGA) and non-volatile (no data or logic is lost in case of power loss);
- SRAM-based chips, which are re-writable but volatile;
- anti-fuse-based chips, which are non-rewritable and non-volatile (one-time programmable).

The development process of FPGA applications typically consists of requirements specification, design, implementation and integration, along with the associated verification and validation activities.
The objective of the requirements specification phase is to define precisely all the requirements that apply to the FPGA platform and associated application. These requirements are usually derived by following a top-down approach whereby each system component is allocated functional and safety requirements and the interfaces among them are defined.

The most critical phase of the overall FPGA development process is the design phase. Errors made in this phase will dramatically affect all subsequent stages. The design process includes architectural and detailed design activities. The architectural design defines all functional blocks and their interfaces, as well as other information required for the detailed design process. Reliability, traceability and design verifiability requirements are defined at this stage. The output of the architectural design requirements definition process is the textual or graphical description of the partitioning of the above requirements among the system components. Upon completion of this design activity, a design review is performed, which may result in a modified design partitioning or a correction of the initial requirements.

The detailed design phase refines the architectural design and translates it into an FPGA electronic design description. The detailed design should implement the functions of the FPGA electronic design. The forms of design input typically used to implement the detailed design are HDL coding (such as VHDL or Verilog) and schematic representation. The detailed design phase is finished by producing the FPGA electronic design components (a collection of files that comprise the design and perform certain checks) and by creating the Register Transfer Level (RTL) model for synthesis into logic gates. In the RTL model, the circuit's behaviour is defined by the flow of data between hardware registers and the logical operations performed on that data flow. This phase ends with RTL elaboration and optimization, which identifies and/or infers datapath operations, such as additions, multiplications, register files and/or memory blocks, and control logic.

The next important phase is implementation, which comprises logic synthesis, physical design and bitstream generation. During logic synthesis, the synthesizer converts the RTL model of the FPGA electronic design into gate- or cell-level schemes (the netlist). Most synthesizers generate both the FPGA-independent and the FPGA-specific schematic representation of the RTL model. The result of logic synthesis is a text or graphics file. The synthesizer allows different kinds of optimizations with respect to the given design constraints, affecting one or more of the following attributes of the FPGA electronic design:
- logic synthesis;
- timing characteristics;
- chip pin assignment and adjustment;
- topology of the FPGA electronic design in the FPGA chip.

Typically, two optimization types are carried out: architecture-independent optimization, which includes datapath optimization and control logic optimization, and architecture-specific optimization, which includes mapping of the datapath to on-chip dedicated circuit structures and of the control logic and datapath to basic programmable logic elements.
[Figure: Typical FPGA design flow. RTL Synthesis: RTL Design → RTL elaboration and optimization. Logic Synthesis: Architecture-independent optimization → Technology mapping & Architecture-specific optimization. Physical Design: Clustering and placement → Placement-driven optimization & incremental placement → Routing → Bitstream generation. Intermediate artifacts: datapath, netlist.]

Physical design starts with clustering and placement, which can be carried out separately or simultaneously. After that, placement-driven optimization is carried out, and incremental placement deals with interconnect bottlenecks. Physical design is finished by routing, which includes global routing and detailed routing. The last step of the implementation phase is bitstream generation. The output of this phase is the configuration file to be downloaded into the FPGA chip. The configuration file contains all the data required to configure the FPGA chip, and it will be verified after the electronic design is integrated into the FPGA chip. The verification process corresponding to the bitstream generation step consists of gate-level simulation, which is technology-dependent, in contrast with functional simulation, which is technology-neutral. During gate-level simulation, the timing characteristics of the FPGA electronic design are verified based on assumed gate and routing time delays.

The FPGA electronic design placement and routing is carried out after logic synthesis. This is a tool-driven process that determines where the registers and gates described in the netlist will be placed within the FPGA chip. This process also determines the connection paths between the design's logic blocks in the FPGA. The resulting design connectivity is shown in the floor plan. The place and route tool also generates a timing file that is more accurate than the one produced during logic synthesis, since it also includes the timing resulting from the placement and routing process. Design constraints should be taken into consideration during both the placement and routing and the logic synthesis processes.

During the FPGA electronic design integration phase, the configuration files derived in the previous step are downloaded to the FPGA chip. Special hardware, such as configuration interfaces (e.g., JTAG), is required to download the configuration file into the FPGA chip. Some FPGA chip-associated tools provide automatic checking of integration correctness. Integration testing is intended to demonstrate that the electronic design implemented in the FPGA chip performs according to its specification and system architecture.

One of the reasons why FPGA technology is gaining acceptance for nuclear applications is that some I&C functions requiring short response times (for example, some safety functions within boiling water reactor systems and reactor overpower protection in CANDU reactors) could not be easily implemented using microprocessor-based platforms. FPGAs make it possible to implement functions requiring faster response times than those provided by microprocessor-based systems.
Other attractive features of FPGAs are:
- simpler and, therefore, more reliable technology, partly because it doesn't include an operating system or any kind of embedded, potentially vulnerable software;
- parallel processing inside the FPGA chip and its integrated circuit, which contributes to the shorter response time described above.

The common approach to the development of an FPGA-based I&C system is to use a pre-developed and verified FPGA-based platform, whose modules can be used to implement specific applications just by configuring them. RPC Radiy has used its FPGA-based platforms in I&C modernization projects at various NPPs for a wide range of safety and control applications; examples are the implementation of RTS, RPCLSs, ESFAS, RCS, and the non-safety Nuclear Island Control System and Turbine Island Control System. In addition to the above-mentioned large-scale modernization projects (the list of projects is given in Chapter 4), the technology is suited to implementing solutions for a variety of applications, such as:
- pin-to-pin and like-for-like or Form, Fit and Function (FFF) replacement of obsolete electronic components by new FPGA-based components;
- reverse engineering of existing components;
- computer emulation;
- straight replacement of components and/or control systems as a whole;
- design of I&C systems for new NPPs;
- providing diverse systems in order to reduce the possibility of common cause failures (CCFs) in safety-critical systems.

FPGAs can be used to implement any of the safety and control functions presently found in any NPP design, be it PWR, PHWR or BWR reactors. In that respect, FPGAs are technology-neutral.

3.2 Benefits of FPGA Technology

The application of FPGA technology has significant advantages that can be utilized both in I&C modernization projects of existing NPPs and in I&C designs for new NPPs. These advantages are the following:
- design, development, implementation and operation simplicity and transparency;
- easy portability of algorithms and the possibility of re-programming if algorithms or technology change in the future while the hardware stays the same;
- reduced vulnerability of the digital I&C system to cyber attacks or malicious acts due to the absence of any system software or operating system;
- faster and more deterministic performance due to the capability of executing logic functions and control algorithms in parallel; thanks to native hardware parallelism, FPGAs are able to process more data, provide faster input and output response times and execute more instructions per clock cycle than digital signal processors;
- the possibility of segregating safety functions and non-safety functions on the same integrated circuit;
- diversability, i.e. the potential to comply with strict diversity requirements that include, but are not limited to, design, equipment, functional and software diversity;
- a more reliable, testable and error-free end product due to the reduced complexity of the verification and validation (V&V) and implementation processes;
- a relatively easy qualification process for FPGA-based safety systems due to the simplicity and transparency of the system architecture and its design process, and the possibility of providing evidence of meeting qualification requirements, such as independence, separation, redundancy and diversity, in an easier and more convincing way;
- resilience to obsolescence due to the portability of the HDL code between different versions of FPGA chips produced by the same or different manufacturers: even if the FPGA migrates to the next generation, the HDL code remains unchanged;
- the possibility of implementing the results of reverse engineering via emulation in the FPGA of obsolete central processing units (CPUs) without modification of the existing proven-in-use software code;
- specific beneficial properties regarding cyber security compared to microprocessors (no viruses for FPGAs);
- reduced development effort due to the adoption of ready-to-use components called IP cores (intellectual property cores), such as network interfaces and memory controllers;
- the possibility of operation in harsh industrial environments (for example, the Cyclone FPGAs from Altera are qualified for an operating temperature of -40 to +85 °C);
- availability of SIL3-certified hardware and tools (for example, the Altera Safety Data Package).

Therefore, FPGAs have much in their favour. From the preceding it may be deduced that they have adequate capabilities for most of the typical safety and control I&C applications in the nuclear power industry. It is an increasingly accepted opinion that FPGAs have potential advantages over the currently more commonly applied microprocessor-based digital I&C systems.

3.3 Challenges Affecting FPGA Technology

The challenges that FPGA technology faces are:
- even though the technology doesn't differ significantly from the well-established Programmable Logic Device (PLD) technology, and the HDLs used for configuring FPGAs are very well established languages, FPGAs are still considered a relatively new technology and are not widely known in the nuclear power industry;
- with the exception of IEC 62566:2012, which provides requirements for HDL-Programmed Devices for use in Category A I&C systems, there is a lack of normative documents for the utilization of FPGAs in nuclear I&C applications; the lack of regulatory experience in licensing FPGA-based I&C safety systems is also a challenge;
- limited accessibility of signals in FPGA-based systems: special effort may be required at the design stage to provide access to important internal signals for monitoring, testing and troubleshooting activities;
- a limited number of FPGA-based I&C platforms and products available for NPPs on the market, compared to PLCs.

The above disadvantages are not intrinsic to the technology; rather, they are the result of there not yet being a large number of applications. These disadvantages will diminish as FPGA-based systems gain acceptance in larger numbers of nuclear applications.

3.4 Cyber Security Assurance Considerations

In order to meet the safety and high reliability requirements associated with nuclear safety and power production applications, FPGA-based I&C systems must be protected from cyber attacks and malicious acts. RPC Radiy dedicates significant effort and resources to ensuring a high degree of cyber security assurance for FPGA technology and our I&C systems in general, through the implementation of effective solutions.
These measures are applied to prevent vulnerabilities and potential cyber attacks that could result in undesirable events such as copying and modification of the design, introduction of malicious code, and service interruptions. The FPGA-based RadICS platform (described in detail in Section 3.6) comprises a chassis containing several hardware modules, including input/output and communication modules used to extend the system to multiple chassis. The system includes various interfaces and protocols, including fiber optic interfaces and low-voltage differential signaling (LVDS) for inter-module and inter-chassis connectivity. In striving to reduce cyber security concerns, RPC Radiy considers all possible vulnerabilities that could affect the final product, including those affecting both the development and the operational environments, and assesses vulnerabilities according to their criticality. We categorize cyber vulnerabilities as follows:
- policy and procedure vulnerabilities;
- configuration vulnerabilities of the platform;
- hardware vulnerabilities of the platform;
- software vulnerabilities of the platform;
- network vulnerabilities;
- potential vulnerabilities of the platform's components.

The next step is to implement effective countermeasures either to eliminate the identified vulnerabilities or to reduce them to a level acceptable in the given I&C application. Given that the criticality of a cyber attack depends on the application, the security strategy should include all the parties involved in the whole life cycle of the I&C system application, namely the vendor of the components, the I&C system developer, and the user of the FPGA-based I&C system. A comprehensive analysis of cyber security considers both the development process and the operation of the integrated I&C system. Cyber security vulnerabilities can be identified by:
- the FPGA chip vendor, during the design, manufacture, packaging and testing of FPGA chips;
- the I&C system developer, during the development and integration or during the implementation and testing of the FPGA electronic design;
- the system operator, while making changes to the installed I&C system during operation or maintenance activities.

The following factors can lead to the introduction of vulnerabilities in FPGA-based I&C systems:
- malicious use of software tools during the design of the FPGA chip or during the development of the electronic design;
- use of third-party vendors' cores as part of the development of the electronic design, either in the form of HDL modules or in the form of compiled netlists;
- use of compromised devices during the integration and implementation of the electronic design into the FPGA chip.
FPGA chip vendors can reduce vulnerabilities by:

- Protecting their FPGA chip design against reverse engineering, copying or modification, since some types of attack are launched on the basis of these activities;
- Providing customers with FPGA electronic security measures against cyber attacks that can be applied during the development, operation and maintenance of FPGA-based I&C systems.

An additional problem arises because FPGA chip vendors may not have their own manufacturing capacity. After designing and developing the FPGA chip, the actual chip manufacturing may be outsourced to foundries. These foundries can introduce additional vulnerabilities into FPGA chips by altering the FPGA design during the manufacturing process. Hence, traceable and audited manufacturing processes at the foundries play an important role in assuring cyber security and preventing vulnerabilities.

Most life cycle stages of FPGA chips and of FPGA-based I&C systems rely heavily on software tools, for example for the design of the printed circuit boards carrying the FPGA chips, the development of the FPGA electronic design, and performance simulations. Hence, the developers of automated design software tools play a key role in reducing and removing cyber security vulnerabilities.

Some of the potential cyber attack modes are listed below.

- Black box attack. An attacker feeds all possible input combinations to the FPGA chip and records the corresponding output states. This approach can in principle be used to reverse-engineer the FPGA electronic design configured in the chip. In practice, it is unlikely to succeed against systems with highly complex logic, because the number of input combinations grows exponentially with the number of inputs.
- Read-back attack. The attack relies on the ability to read the FPGA chip configuration, usually via the JTAG interface that most FPGAs provide for debugging and maintenance. FPGA vendors have recently improved the protection measures against unauthorized access to the chip configuration.
- Cloning attack. In static RAM (SRAM)-based FPGA chips, the configuration file is stored in a non-volatile memory external to the FPGA chip. This may allow an attacker to capture the bitstream while the configuration is being loaded into the FPGA and later to clone the stolen FPGA electronic design. The protection against this threat is to encrypt the bitstream during its transfer from the non-volatile memory to the FPGA chip. Most modern FPGAs already implement measures to prevent this kind of attack. Note that encryption protects the confidentiality of the design; detecting a substituted or modified bitstream additionally requires that the bitstream be authenticated before it is accepted.
- Physical attack against SRAM-based FPGAs. The objective of such an attack is to obtain information about the physical structure of the FPGA chip by examining specific areas of the chip, usually parts of the FPGA that are not accessible through the input/output channels. Special instruments based on focused ion beams, capable of scanning and reading the FPGA structure, can be used for such an attack. It is, however, rather difficult to carry out because of the complexity of the required instruments.
- Side-channel attack. Such an attack obtains information on the FPGA chip's performance and physical parameters, such as power consumption, execution time and electromagnetic emissions. By analyzing these signatures, information about the underlying implementation may be exposed. Collecting and processing such information is non-trivial; however, sophisticated techniques are known that require only a few measurements to learn about and attack a system.

All the above forms of attack require rather difficult and sophisticated analysis of the indirect information obtained. The fact that an adversary has obtained such indirect data therefore does not guarantee that the original FPGA electronic design can be recovered.

Over and above the described vulnerabilities and the defenses against them, FPGA technology has intrinsic and engineered strengths against cyber attacks. Examples are:

- FPGA-based system operation does not rely on an operating system that could be the target of cyber attacks;
- There are no known viruses or malware designed to attack HDL-coded configurations;
- FPGA-based platforms have a simple and structured design, so the corresponding V&V processes are more likely to detect potential threats and malicious design;
- Physical access to the FPGA chip is strictly controlled by design. For example, the configuration derived from the HDL code is located in a flash memory on a separate chip, with no physical access for modification while the system is in on-line operating mode;
- FPGA programming and reprogramming can be done only through a dedicated interface. It is impossible to connect common storage media or communication devices that could infect the control logic, as happened in the Stuxnet attack. Stuxnet is a computer worm discovered in June 2010 that is believed to have been created to attack Iran's nuclear facilities. It initially spread via Microsoft Windows and targeted Siemens industrial control systems. It was the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit;
- RPC Radiy's I&C systems are intended for use in a wide range of nuclear safety and process control applications. In most cases, a system is composed of multiple modules and chassis, each including one or more FPGA chips as its computational engine. Internal interfaces are implemented via dedicated and isolated connections between chassis modules, while interfaces external to the system chassis provide secured and reliable connections that prevent unauthorized access;
- FPGA reconfiguration is performed through interfaces that are protected physically and by passwords. The software used in the configuration and verification processes is also password protected;
- Appropriate V&V activities are performed at each stage of design development.

All users of the I&C systems are provided with clear recommendations and guides from RPC Radiy to help them implement technical, operational and management countermeasures, such as:

- Access control to the equipment;
- Ensuring that there is no means to connect or use a setting/tuning PC, or any other non-permanently connected device, during system operation;
- Configuring the tuning PC so that it can be used for its intended purpose only;
- Implementing the procedures needed to ensure and verify that the tuning parameters are assigned the correct values, so that a single human error cannot result in an improper tuning parameter setting.

In recent years the Center for Safety Infrastructure-Oriented Research and Analysis of RPC Radiy has been investigating and developing techniques and company regulations for the cyber security of FPGA-based NPP I&C systems. In particular, the following issues are considered:

- Modern standards concerning NPP I&C systems, FPGA technologies and computer security. This allows the cyber security requirements for safety-important FPGA-based I&C systems to be profiled;
- The relationship between I&C security and functional safety. This analysis led to the development of a security-informed safety approach and a security-case-based technique for assessing the cyber security level and conformity to standard requirements;
- Security risk analysis. This established the basis for the development of a technique and tool, based on IMECA (Intrusion Modes and Effects Criticality Analysis) and Markov models, to support the assessment process.

3.5 Evolution of RPC Radiy's Products

The first generation of RPC Radiy's products, called Unified Hardware System equipment (UKTS in Russian), was introduced to replace obsolete NPP equipment that was no longer available on the market. Within the next six years, UKTS modules housed in approximately 700 UKTS cabinets were manufactured, supplied and installed at Ukrainian nuclear power plants. In 1998 RPC Radiy developed a new generation of UKTS-DPI modules and cabinets with digital signal processing, noise elimination and built-in diagnostic functions. In these modules, FPGA technology was used for the first time to implement the control logic. In the subsequent years, a large number of such modules were installed in NPPs.

Figure: Evolution of RPC Radiy products (timeline: start of development and supply of equipment for NPP I&C systems; first, second and third generations of equipment for NPP I&C systems; replacement of obsolete NPP I&C modules; FPGA-based I&C systems for NPPs; FPGA-based I&C platform for NPPs; SIL3-certified FPGA-based I&C platform for NPPs)

Concurrently with the manufacturing and installation of the UKTS-DPI modules, the development of a new concept of an FPGA-based I&C platform was initiated. This new platform, called the RADIY Platform, eventually replaced the UKTS-DPI platform, whose main disadvantage was that it was designed for single-purpose applications. The RADIY Platform is modular and includes logic modules, diagnostic modules, digital and analogue I/O modules and special-purpose modules, such as the ultra-low current I/O modules used for processing neutron flux signals. We have installed over 70 RADIY Platform based safety and control systems in operating nuclear power plants; examples are RTSs, ESFASs and RPCLSs.

Our latest development is the FPGA-based Digital Instrumentation and Control Platform RadICS. This is a new-generation product, designed in 2011 on the basis of the earlier RADIY platform. The RadICS platform consists of an IEC 61508:2010 SIL 3 chassis-level certifiable architecture with a typical response time of less than 5 ms and a comprehensive set of constituent modules. Assessments performed by exida, as well as its final independent Functional Safety Assessment, confirmed that the RadICS platform meets SIL 3 requirements.

3.6 RadICS Platform

The RadICS platform consists mostly of a set of general-purpose building blocks that can be configured and used to implement application-specific functions and systems. It is composed of standardized modules, each based on FPGA chips as computational engines.

The basic architecture of the RadICS platform consists of an instrument chassis containing two redundant logic modules and up to 14 other I/O and fiber-optic communication modules. The logic modules gather input data from the input modules, execute the user-specified logic, and update the values driving the output modules. They are also responsible for gathering diagnostic and general health information from all I/O modules. The I/O modules provide the interfaces with field devices (for example sensors, transmitters and actuators). The functionality of each module is defined by the logic implemented in the FPGA(s) on that module.

In addition to the general-purpose I/O modules described above, there are special-purpose I/O modules designed to interface with specific sensors and devices, such as resistance temperature detectors (RTDs), thermocouples, ultra-low voltage analog input boards used for neutronic instrumentation, actuator controller modules, and fiber-optic communication modules that can be used to expand the I&C system to multiple chassis. Inter-channel communication can also be provided via fiber-optic connections between logic modules.

Figure: RadICS Platform

The backplane of the RadICS platform provides interfaces to the power supplies, process I/Os and communication links, as well as to inputs and indicators. The internal backplane provides interfaces to the various modules installed within each chassis by means of a dedicated, isolated, point-to-point low-voltage differential signaling (LVDS) interface.

For application development, Radiy provides a tool called the Radiy Product Configuration Toolset (RPCT). This tool is used to configure the logic for various applications from the functional block library (FBL).
In addition, the RadICS platform includes extensive on-line self-surveillance and diagnostics at various levels, including monitoring of the FPGA power supply, a watchdog timer, cyclic redundancy check (CRC) calculations, and monitoring of the performance of the FPGA support circuits, I/O modules, communication units and power supplies.

The RadICS platform can also be represented as a hierarchy with several levels, which can be arranged into two main groups: software and hardware blocks. This high-level representation is shown in the figure below.

Figure: RadICS platform high level representation. Hardware: non-safety workstations, cabinets, chassis, functional modules. Software: platform logic (FPGA electronic design), application logic (FPGA electronic design), HSI software, RPCT engineering tools. Human-system interfaces form the high level and the control logic the low level.

The diagnostic functions are separated from the logic functions, and both are executed concurrently. When a fault is detected, the system is placed in the safe state predefined for each application during configuration.

3.7 RadICS-Based NPP I&C Systems

FPGA-based platforms produced by RPC Radiy are used in the most critical, high-reliability NPP applications, such as Reactor Trip, Power Control and Limitation, Engineered Safety Features Actuation, and Rod Control systems. Other examples include nuclear and turbine island control systems, and Automatic Regulation, Control, Operation and Protection (ARCOP) of research reactors. The following sub-sections describe these systems.

Reactor Trip System (RTS)

The RTS developed by Radiy continuously monitors the actual values of neutron flux and other process variables, and generates reactor shutdown signals when these variables reach their setpoints. The system transmits all the information necessary for surveillance and monitoring of the plant (e.g., the status of command execution, plant and diagnostic data) to the control room and, on the customer's request, to other safety and non-safety systems. Radiy's RTS can have 3 or 4 redundant channels and can be implemented with two-out-of-three (2oo3) or two-out-of-four (2oo4) voting logic. An example of a 2oo3 voting logic configuration is shown in the figure below.

Figure: Reactor Trip System Configuration (2oo3 voting logic version)

Radiy's RTS can correct its voting logic when faults are detected, so that system availability is optimized without compromising safety. The RTS self-diagnostic subsystem includes troubleshooting assistance functions for easy localization of faults. When a failure is detected (i.e., a failure in one of the modules of Radiy's RTS), the RTS puts itself in the safe state by generating a reactor shutdown signal and the corresponding annunciation signals. Radiy's RTS design includes manual actuation of the shutdown logic from the Main Control Room (MCR) or the Emergency Control Room (ECR). Radiy's implementation of the RTS described above can be adapted to perform equivalent functions in most reactor types (e.g., PWR, BWR, PHWR). To date there are 30 Radiy designed RTSs in operation at Zaporizhzhia NPP, Rivne NPP, Khmelnitsky NPP and South Ukraine NPP.

Figure: Radiy's Reactor Trip System

Reactor Power Control and Limitation Systems (RPCLS)

Radiy's RPCLSs (figure below) can perform the following generic main functions in VVER or other types of reactor:

- Automatic and continuous regulation of reactor power and/or main steam line pressure;
- Reactor power control from start-up to full-power operation;
- Fast-responding reactor protection (e.g. runback at 10% of full power per second).

The system's required reliability is achieved via a 2oo3 or 2oo4 voting logic configuration. During the design phase of the different RPCLSs, Radiy adhered to a strict separation philosophy in compliance with the clients' licensing commitments. One of the measures our engineers took to achieve this was to separate and allocate the protection functions to galvanically isolated subunits. From 2004 to 2015, eleven Reactor Power Control and Limitation Systems were put in operation in Ukrainian NPPs.

Figure: Radiy's Reactor Power Control and Limitation System cabinets

Rod Control System (RCS)

A generic RCS (figure below) consists of Rod Position Indication (RPIS) and Rod Drive Control (RDCS) sub-systems, electronic equipment power supplies and a Rod Drives Electric Power Supply Subsystem (RDEPSS), each either designed and manufactured by RPC Radiy or provided by other suppliers. The function of the RPIS subsystem is to indicate all operating parameters of the reactor control and safety rods. The RDCS subsystem performs all rod drive control and trip functions. The RDEPSS provides the following functions:

- Uninterruptible electric power supply of the rod drives in normal operation mode;
- Switching off the rod drive electric power on receipt of Emergency Protection (EP) signals.

Figure: Radiy designed and manufactured Rod Control System cabinets

The RCS can have either 2 or 3 redundant channels, depending on the design basis of the nuclear reactor, and can be implemented with 1oo2 or 2oo3 voting logic. A typical RCS architecture in a 1oo2 voting logic configuration for a PWR unit is shown in the figure below.

Figure: Typical RCS architecture in a 1oo2 voting logic configuration for a PWR unit

The first Radiy-supplied RCS was successfully put in operation in Unit 1 of the South-Ukraine NPP (VVER-1000 PWR-type reactor).

Engineered Safety Features Actuation System (ESFAS)

The ESFAS designed and manufactured by RPC Radiy (see figure below) provides the following main functions:

- Protection, interlocking and monitoring of actuators;
- Manual remote control of actuators;
- Acquisition of signal data and other related information;
- Signal conditioning and monitoring of safety signals, detectors and sensors;
- Full-scope system self-diagnostics.

Figure: RPC Radiy designed and manufactured Engineered Safety Features Actuation System cabinets

The following design principles are applied in the ESFAS:

- Diversity of input signals (e.g., current, voltage, resistance, dry contact);
- System expandability to accommodate an increased number of inputs and outputs;
- A simple and controlled process for the modification of system logic and control algorithms;
- Interfacing capability with other plant control and monitoring systems.

The ESFAS can be supplied in one- to four-channel configurations. It meets safety class 2 requirements, as well as national, EU and USA standards. Eighteen ESFASs are presently in operation at the Rivne, South Ukraine and Kozloduy (Bulgaria) NPPs.

Nuclear and Conventional (Turbine) Island Systems

Nuclear and conventional (turbine) island systems (see figure below) provide the following main functions:

- Conditioning and initiation of protection, interlock and alarm signals;
- Conditioning and initiation of automatic regulation signals when process values deviate from setpoints;
- Generation of operator-initiated remote control signals;
- Indication of actuator operation and status in the control rooms.

Figure: RPC Radiy designed and manufactured Nuclear Island System cabinets

Presently, there are 8 nuclear and conventional island systems supplied by Radiy in operation at Ukrainian NPPs.

Automatic Regulation, Control, Operation and Protection for Research Reactors (ARCOP)

Radiy's ARCOP systems are designed to ensure the safe operation of research reactors. They perform the following functions:

- Measurement and monitoring of neutronic parameters;
- Measurement and monitoring of thermal parameters;
- Generation of emergency protection and preventive signaling;
- Automatic reactor power regulation;
- Automatic control of actuators;
- Diagnostics and information display support.

Figure: RPC Radiy designed and manufactured Automatic Regulation, Control, Operation and Protection system for Research Reactors

In 2006, an ARCOP system was installed at the WWR-M type research reactor of the Institute of Nuclear Research of the National Academy of Sciences of Ukraine, Kiev.
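The RTS (2oo3 or 2oo4, with the voting corrected when a channel fault is detected and a safe state on failure), the RPCLS (2oo3 or 2oo4) and the RCS (1oo2 or 2oo3) described in this section all rest on the same building block: an M-out-of-N voter fed by per-channel setpoint comparisons and by the channels' self-diagnostics. The following Python is an added illustration of such a voter, not RadICS or RTS logic from Radiy: the two degradation policies, the trip setpoint and the sample readings are assumptions made for the example, and the page does not say which rule Radiy's RTS applies once a channel has been declared faulty.

```python
"""M-out-of-N trip voting with diagnostics-driven degradation and a fail-safe
fallback.

Added illustration, not RadICS platform logic. The degradation policies, the
sample setpoint and the sample readings are assumptions made for this example;
the page does not state which rule Radiy's RTS applies once a channel is
declared faulty.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Channel:
    name: str
    trip: bool      # this channel's own setpoint comparison demands a trip
    healthy: bool   # verdict of the channel's self-diagnostics (watchdog, CRC, I/O checks)


@dataclass(frozen=True)
class Decision:
    trip: bool
    effective_logic: str   # voting rule actually applied, e.g. "2oo3" or "1oo2"
    reason: str


def channel_trip(measured: float, setpoint: float, high_trip: bool = True) -> bool:
    """Per-channel setpoint comparison (e.g. neutron flux high, coolant pressure low)."""
    return measured >= setpoint if high_trip else measured <= setpoint


def vote(channels: Sequence[Channel], m: int, policy: str = "fail_safe") -> Decision:
    """Decide a trip for an MooN configuration with f channels flagged faulty.

    policy="fail_safe": a faulty channel is treated as voting 'trip', so MooN
        degrades to (M-f)oo(N-f); once f >= M the voter goes straight to the
        safe state.
    policy="available": faulty channels are excluded, so MooN becomes Moo(N-f);
        if fewer than M healthy channels remain the rule can never be satisfied,
        so the voter falls back to the safe state rather than silently never tripping.
    """
    n = len(channels)
    if not 1 <= m <= n:
        raise ValueError(f"{m}oo{n} is not a valid voting configuration")
    healthy = [c for c in channels if c.healthy]
    faulty = n - len(healthy)
    trip_votes = sum(1 for c in healthy if c.trip)

    if policy == "fail_safe":
        needed = m - faulty
        if needed <= 0:
            return Decision(True, f"0oo{len(healthy)}",
                            f"{faulty} faulty channel(s) already satisfy {m}oo{n}: safe state")
        return Decision(trip_votes >= needed, f"{needed}oo{len(healthy)}",
                        f"{trip_votes} trip vote(s) of {needed} needed among {len(healthy)} healthy channels")

    if policy == "available":
        if len(healthy) < m:
            return Decision(True, f"{m}oo{len(healthy)}",
                            f"only {len(healthy)} healthy channel(s) for {m}oo{n}: safe state")
        return Decision(trip_votes >= m, f"{m}oo{len(healthy)}",
                        f"{trip_votes} trip vote(s) of {m} needed among {len(healthy)} healthy channels")

    raise ValueError(f"unknown degradation policy {policy!r}")


def _summary(d: Decision) -> tuple:
    return (d.trip, d.effective_logic)


def demo() -> dict:
    """Constructed scenario: neutron flux in % of full power against a 110 % high trip setpoint."""
    setpoint = 110.0
    readings = {"A": 112.5, "B": 111.0, "C": 95.0}
    all_healthy = [Channel(k, channel_trip(v, setpoint), True) for k, v in readings.items()]

    # Diagnostics now flag channel C (say, a CRC mismatch on its configuration); only B demands a trip.
    c_faulty = [Channel("A", False, True), Channel("B", True, True), Channel("C", False, False)]

    # Two channels of a 2oo4 system lost at once, no channel demanding a trip.
    two_lost = [Channel("A", False, True), Channel("B", False, True),
                Channel("C", False, False), Channel("D", False, False)]

    return {
        "2oo3_two_channels_above_setpoint": _summary(vote(all_healthy, 2)),
        "2oo3_one_faulty_fail_safe": _summary(vote(c_faulty, 2, "fail_safe")),
        "2oo3_one_faulty_available": _summary(vote(c_faulty, 2, "available")),
        "2oo4_two_faulty_fail_safe": _summary(vote(two_lost, 2, "fail_safe")),
        "2oo4_two_faulty_available": _summary(vote(two_lost, 2, "available")),
        "1oo2_rcs": _summary(vote([Channel("A", False, True), Channel("B", True, True)], 1)),
    }


if __name__ == "__main__":
    for case, (trip, logic) in demo().items():
        print(f"{case:34s} {logic:5s} {'TRIP' if trip else 'no trip'}")
```

With one channel of a 2oo3 system declared faulty, the fail-safe policy degrades the vote to 1oo2 and trips on the single remaining demand, whereas the availability-first policy degrades it to 2oo2 and does not; with two of four channels lost, the fail-safe policy trips outright while the availability-first policy still waits for two demands. Which rule is acceptable is a licensing question for the specific plant, which is why the policy is an explicit parameter here rather than a hidden default.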

3.8 Switchgear and Controlgear Assemblies

Radiy has developed Switchgear and Controlgear Assemblies (SHERs) to replace the obsolete low-voltage switchgear (RTZO types used in VVER NPPs). The main functions of the assemblies are:

- Actuator control;
- Monitoring of actuator parameters, such as limit switches, position, operating time and duty cycle;
- Low-voltage electrical protection of actuators;
- Providing power supply and managing power consumption;
- Fault indication.

Secondary or auxiliary functions of the assemblies include:

- Self-diagnostics;
- Monitoring of load parameters;
- Sequence-of-events monitoring of control commands;
- Data collection and transmission to an external monitoring system for event visualization and archiving.

Switchgear and Controlgear Assemblies have the following features:

- Architecture flexibility and scalability, to tailor the general system design to the customer's needs in terms of the number of actuators to be controlled;
- Quick configuration change of an assembly to accommodate various types of customer-defined actuators;
- Expandability: new features and units can be added;
- Standardization: identical slots for all actuator control modules;
- Reliability: use of industrial-series components;
- Maintenance: easy and user friendly;
- Repairability: use of unified actuator control modules.

Figure: RPC Radiy designed and manufactured Switchgear and Controlgear Assembly cabinets

A total of 1,635 Switchgear and Controlgear Assemblies have been supplied by RPC Radiy to the Rivne and Kozloduy NPPs in Ukraine and Bulgaria, respectively, as well as to the Nuclear Research Institute in Kiev.

Chapter 4: RPC Radiy's Nuclear and Thermal Industry Experience

RPC Radiy's reference list summarizes the I&C systems supplied for nuclear and thermal applications. The table below gives the reference list as of September; the newest up-to-date version is available on RPC Radiy's website.

Table: RPC Radiy designed and manufactured equipment and systems installed in nuclear and thermal applications. The original table has the columns Equipment Supplied, Installed in, Number of Installed Systems, Delivery/Installation Year, Installation Time (in days) and Anticipated Installation Time in Future Projects (in days); only the first two columns survived extraction legibly.

- Reactor Trip System: Zaporizhzhia, South-Ukraine, Rivne and Khmelnitsky NPPs
- Reactor Power Control and Limitation System: Zaporizhzhia, South-Ukraine, Rivne and Khmelnitsky NPPs
- Engineered Safety Feature Actuation System: South-Ukraine and Rivne NPPs; Kozloduy NPP, Bulgaria
- Rod Control System: South-Ukraine NPP (in progress)
- Fire Alarm System, Power Supply for Rod Control System, Switchgear and Controlgear Cabinets, Nuclear and Conventional Island Control System: Zaporizhzhia, South-Ukraine and Rivne NPPs; Kozloduy NPP, Bulgaria
- I&C system of Research Reactor: Nuclear Research Institute

- Seismic Sensors; UKTS-based Reactor and Turbine Control System: Khmelnitsky, Zaporizhzhia and Rivne NPPs
- I&C System of Research Reactor (ARCOP): Nuclear Research Institute
- PHT Pump Motor Speed Measuring Devices; MCR and SCA Window Annunciators: Embalse NPP, Argentina (delivered to Candu Energy, April 2014)
- PCBs for Rod Ready Indicator Chassis: Pickering NPP, OPG, Canada
- Vibration-Measuring System for Seismic Sensor Calibration: South-Ukraine NPP (1 system, in progress)
- DC Distribution System for Transformer Plant: Khmelnitsky NPP (1 system, in progress)
- Neutron Flux Monitoring System: South-Ukraine NPP
- I&C System: Trypilska TPP

Chapter 5: RPC Radiy's Approach to the Modernization of NPP I&C Systems

5.1 Modernization Goals

NPP modernization goals and objectives are defined by the utilities on the basis of their operating experience, equipment obsolescence and commitments to their regulators, within the constraints imposed by their long- and short-term business plans. Examples of such goals and objectives are to minimize production costs by reducing the number of unplanned outages and shortening planned outages. Examples of external commitments are those made to licensing authorities, local governments and international organizations, as well as to the public and other stakeholders.

In general, I&C modernization goals fall under one or more of the following types:

- Increasing the reliability of NPP I&C systems;
- Improving safety in the operation of NPP units;
- Life extension of operating units;
- Environmentally safe and efficient production of electricity at minimum cost;
- Compliance with new, more stringent safety standards and design requirements than those to which the plant was originally designed, e.g., more demanding seismic, environmental, fire protection, reliability and human factors requirements;
- Catering for equipment obsolescence.

The following are examples of factors typically considered when supporting utilities in the implementation of their I&C modernization within planned or dedicated refurbishment outages:

- Time required for equipment replacement (demolition and installation times) and commissioning;
- Suitability of the new equipment to work with other related (unchanged) systems in the existing environment;
- Compliance of the replacement equipment with new requirements.

5.2 Approaches to Modernization

Entire System Modernization

This approach involves a complete replacement of the existing I&C system. All components, from the sensors to the I/O and logic processing equipment, are replaced with modern equipment. During the design of the new system, the operating experience of the existing system is taken into account in order to ensure that its strengths are kept and its weaknesses are eliminated, thus improving the reliability and safety of the refurbished system.

FPGA-based platforms lend themselves very well to complete system modernization strategies for the following reasons:

- No costs for the design or redesign of complex computer operating systems;
- Straightforward conformance to modern requirements (e.g., cyber security, diversity);
- Easier implementation of functions that require a fast response time.

Partial Modernization

This involves the replacement of only the most critical or obsolete components by a Form, Fit and Function (FFF) equivalent. The new component may include additional useful functionality, such as self-diagnostics and more comprehensive displays. It must meet the physical and functional constraints of the old component, such as size, power consumption and pin-out. When properly implemented, an FFF solution allows the user simply to replace the old component with the new one without changing operating procedures or the interfaces with the rest of the equipment. Maintainers will, however, have to be trained to troubleshoot the new equipment.

Factors to be considered when pursuing partial modernization are:

- Portability of the old software into the new component;
- Impact of the eventual obsolescence of the new equipment;
- Reliability of the new equipment and its impact on the safety analysis.

Adoption of FPGA technology can help resolve or mitigate the potential problems associated with the above factors, because of its capability to replicate the functionality of electronic components. In general, FPGA technology is very effective for module-to-module replacements, an approach that is much more cost-effective than entire system modernization. As an example of such modernization, RPC Radiy produced UKTS-type modules to replace obsolete control modules in Ukrainian NPPs (see Section 3.5). These UKTS modules were pin-to-pin compatible with the existing obsolete modules, but were designed using modern electronic components. Another example is an FPGA emulation of a PDP-8 minicomputer.

5.3 Modernization Activities

RPC Radiy develops detailed work plans for all phases of our projects, i.e. design, procurement, manufacturing, certification, testing, installation and commissioning as required. These plans are discussed and agreed with the customer, contractors and suppliers during contract negotiations, and they are then used during the project execution phase. Deviations from the original schedule, and the reasons for them, are documented and archived in a readily retrievable manner.

RPC Radiy's project execution activities include, but are not limited to, the following:

- Establishment of quality procedures, organization and work processes commensurate with project requirements;
- Control, administration and support of design work;
- Coordination, updating and monitoring of work execution to ensure compliance with project deadlines and requirements;
- Establishment of effective interfaces, work processes and means of communication (through meetings and correspondence) between project participants, in order to ensure the needed degree of involvement of all necessary parties and organizations;
- Controlled transfer of documentation to the customer;
- Issue of documentation in the language required by the customer;
- Implementation of a lessons-learned process in order to avoid repeating mistakes in future projects;
- Periodic reporting to the customer on project progress, quality, cost (where applicable), schedule and safety issues;
- Provision of technical and other support in accordance with the warranty terms stated in the contract.

5.4 Reverse Engineering

Whether introducing new equipment or systems as part of NPP refurbishment or life extension activities, in most cases there is a need to ensure that the new components are compatible and interface correctly with the existing plant components. However, it is frequently the case that the documentation of the existing equipment is either non-existent or lacks necessary details. In order to avoid additional replacement costs and the associated licensing effort, utilities and other clients resort to reverse engineering the existing equipment.

Reverse engineering activities include a detailed analysis of the existing system's behavior in order to reproduce its functionality. FPGA-based I&C platforms are very well suited to activities of this nature because they can be programmed to emulate and implement most of the functionality exhibited by existing equipment. Reverse engineering may also be necessary to preserve the look and feel of existing human-machine interfaces while replacing the rest of the system with a new one, with either the same functionality as the old one or additional functionality. Another benefit of reverse engineering is the possibility of determining why the performance and/or behaviour characteristics of the old module are the way they are. Sometimes reverse engineering confirms that they are merely consequences of the initial design and implementation, and not of functional requirements.

One of our successful projects was the replacement of obsolete I&C systems with our pin-to-pin and functionally identical UKTS modules. This success was repeated during the design of the upgraded UKTS-DPI (see Section 3.5). In the case of the UKTS-DPI design, the use of FPGAs made it significantly easier to implement the existing functional requirements. A case study of one of Radiy's reverse engineering projects is given in a later chapter of this report.

5.5 Cooperation with Subcontractors

At times, RPC Radiy must subcontract some of our design, installation and commissioning activities to specialized companies. Each potential subcontractor is carefully selected in compliance with the process prescribed in company guides. The following are the main criteria for selecting our subcontractors:
- Experience of the subcontractor in similar projects and its observance of the laws and regulations associated with the nuclear energy field;
- The subcontractor's quality management system is certified (for example, according to ISO 9001, as a minimum);
- The subcontractor has developed and implemented a normative framework (company standards, procedures, etc.) to ensure the required quality level of its products and services;
- The subcontractor has the relevant certificates and licenses from the required licensing authorities for conducting nuclear-related activities;
- The subcontractor's staff is qualified and regularly passes audits of their training and knowledge in the field of nuclear energy by qualified authorities;
- Evidence of good faith as a trustworthy business partner of RPC Radiy and other involved organizations.

Chapter 6: Safety Evaluation of RadICS Platform and Its Applications

6.1 Overview of Safety Standards for the Applications of FPGAs in NPP I&C Systems

There are three main international organizations whose standards must be considered for NPP I&C development: the International Atomic Energy Agency (IAEA), the IEC subcommittee 45A for Instrumentation and control for nuclear facilities, and the IEEE's Nuclear Power Engineering Committee (NPEC).

The IAEA Safety Standards reflect international consensus on what constitutes a high level of safety, and form the basis for the IAEA safety review services and assistance. They are intended for use by all organizations involved in the nuclear industry, including operating organizations, regulatory bodies, designers, and suppliers. Safety Guide IAEA NS-G-1.3, "Instrumentation and Control systems important to safety in nuclear power plants", provides guidance on the design of I&C systems important to safety in nuclear power plants, including all I&C components, from sensors to actuators and final elements, operator interfaces and auxiliary equipment. This guide supplements Specific Safety Requirements No. SSR-2/1, "Safety of Nuclear Power Plants: Design", which establishes the design requirements for ensuring the safety of nuclear power plants.

The IEC uses IAEA safety guides (mainly SSR-2/1, NS-G-1.3 and NS-G-1.1) as guidelines for the development of I&C systems important to safety. IEC standards provide guidance for the implementation of basic safety principles in the design. IEC "Functional safety of electrical/electronic/programmable electronic safety-related systems" outlines the industry's best practices to be followed during the entire lifecycle of programmable electronic systems in order to reduce the risk of systematic failures to an acceptable level.
IEC 61508:2010 addresses all aspects of the lifecycle of electrical/electronic/programmable devices in safety-related applications, regardless of the technology (FPGA or other) on which those devices are based. IEC 61513:2011, "Nuclear power plants - Instrumentation and control systems important to safety - General requirements for systems", establishes the relationship between NPP safety objectives, requirements for the overall architecture of I&C systems and requirements for the individual systems important to safety. This standard uses the main principles of IEC 61508:2010 to introduce requirements applicable to computer-based I&C systems and equipment that are used to perform functions important to NPP safety.

Where software is part of an I&C system, it is a critical part of that system. There are two main international regulatory documents that deal with computer-based I&C software: IEC 60880:2006, "Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions", and IAEA NS-G-1.1, "Software for computer-based systems important to safety in NPPs". IEC 60880:2006 addresses the following topics:

- Introduces the concept of the software lifecycle, and clarifies and details the concept of the system safety lifecycle of digital systems given in IEC as applied to the software portion of the I&C system;
- Recommends good practices related to activities such as the development of safety application software, software verification processes, software modification, qualification and configuration control procedures, and tool application requirements;
- Prescribes the adoption of I&C software development principles, such as top-down design methods, the V model for software development, modularity, verification of each phase, and clear and unambiguous documentation contents;
- Details the I&C validation stage of IEC 61513:2011 as applied to the software portion of the system and introduces software-specific issues to the validation process.

IEC 60987:2007, "Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems", sets out the general requirements for the hardware development life cycle of computer-based systems. IEC 60987:2007 addresses the following topics:
- Establishes requirements for I&C system hardware, and aims at ensuring consistency between system and hardware requirements;
- Hardware development, including V&V.

In summary, taken together, IEC 60880:2006, IEC 60987:2007 and IEC 61513:2011 include requirements for the whole lifecycle of digital I&C systems and products. Given that the above-mentioned standards are not I&C technology specific, they are only suitable for identifying requirements applicable to FPGA-based I&C systems at a general level. Considering the growing use of programmable devices in the nuclear industry, in 2006 IEC subcommittee 45A, dealing with instrumentation and control for nuclear facilities, decided to create a new standard to establish requirements for the development processes to be applied to FPGA-based I&C systems performing Category A functions.
The first edition of IEC 62566, "Nuclear power plants - Instrumentation and control important to safety - Development of HDL-programmed integrated circuits for systems performing category A functions", was issued in . IEC 62566:2012 addresses the following topics:
- Establishes requirements for each stage of the HPD lifecycle (requirements specification, design, implementation, verification, integration and validation) to develop highly reliable HDL-Programmed Devices (HPDs) for use in NPP I&C systems performing safety category A functions;
- Describes activities and guidelines to be followed, in addition to the requirements of IEC 61513:2011, for the system integration and validation of HPDs;
- Adapts the basic safety principles of IEC 61508:2010 to the development of HDL-Programmed Devices;
- Clarifies IEC 60880:2006 requirements taking into account FPGA-specific features.

Before IEC 62566:2012 was published, RPC Radiy had already applied many of the above requirements in the development of the RadICS platform. Radiy designers have analyzed and used many good practices that have been successfully applied in other safety-critical domains, for example in aerospace. These good practices are described in RTCA/DO-254, "Design Assurance Guidance for Airborne Electronic Hardware", an aerospace standard that highlights the processes and other (non-technical) aspects specific to FPGA-based systems. Adherence to the above standards and the adoption of industry best practices allow us to develop modern, safe and reliable digital I&C systems. All RPC Radiy Quality Management plans and procedures are in line with the requirements and recommendations found in international and domestic regulatory documents, and all our staff are fully trained to follow them throughout the product life cycle.

6.2 Implementation of Safety Standard Requirements in the Life Cycle of the RadICS Platform and its Applications

All requirements and recommendations of regulatory documents can be divided into two categories:
- Process-oriented requirements: these describe the processes, organizations, documentation and concepts to be followed in order to achieve the desired safety levels, and provide recommendations on how to avoid common mistakes and meet all established requirements;
- Mandatory safety and functional requirements: these are the main I&C safety and functional requirements that define the way the I&C system will operate and describe the mandatory features of NPP I&C systems.

RPC Radiy develops I&C systems based on our pre-qualified RadICS platform. The development cycle complies with the requirements of IEC 62566:2011. IEC uses the term HDL-Programmed Device (HPD) for an integrated circuit configured via Hardware Description Languages. RPC Radiy develops, maintains and uses a Function Block Library (FBL) which allows us to significantly reduce the design time and cost of our FPGA-based I&C systems and improve their quality. The FBL consists of pre-developed functional blocks used in the implementation of functions of a wide range of complexity. Most Functional Blocks are written in VHDL.
The FBL consists of two parts:
- The platform FBL (PFBL), which includes functional blocks used for the Electronic Design (ED) of the RadICS modules (transceivers, diagnostic elements, etc.);
- The application FBL (AFBL), which includes functional blocks used in the ED of the application (logical and mathematical functions, time functions, etc.).

The simplified RadICS lifecycle model is based on IEC 61508:2010 and is illustrated in the figure below.

[Figure: RadICS Platform lifecycle simplified model. Stages shown: Product Concept; Product Safety Requirements; Product Safety Requirements Review; Product Architecture; FMEA; ED Architecture Design; ED AD Review; ED Detailed Design; ED DD Review; ED Code; SCA&RR; ED FT; ED FIT; FIT HW; Integration Testing; Product Validation. Legend: ED - Electronic Design; AD - Architecture Design; DD - Detailed Design; FIT - Fault Insertion Tests; FMEA - Failure Mode and Effect Analysis; SCA - Static Code Analysis; FT - Functional Tests.]

RadICS-based application development consists of the configuration of the platform's modules, chassis and cabinets to perform the required functions. The hardware design is reduced to choosing the required number and type of cabinets, chassis and modules in accordance with the system requirements specification. The main development activities are aimed at generating the system application, including the Human System Interface. While carrying out these activities, we follow the V-cycle model (see figure below) as referred to in, among other standards, IEC 62566:2011, IEC 61508:2010, IEC 61513, IEC 60880:2006 and IAEA NS-G-1.3.

[Figure: Development lifecycle for HPD-based I&C system. Phases shown: System requirements specification; HSI software requirements specification and Requirements review; HPD requirements specification and Requirements review; HSI software design and Design review; HPD design, VHDL SCA and Functional Testing; HSI software implementation and Functional testing; HPD implementation and HPD Functional testing; System integration and Integration testing; System validation.]

The table below provides a description of all the phases of the HPD-based I&C system development lifecycle.

Table - Phases description

HPD Lifecycle Stage: HPD requirements specification
Phase Description: Based on the system requirements, a set of requirements for the HPD Electronic Design is defined, including: functions to be provided by the HPD; modes (such as POWERED-OFF, STARTUP, RUN (SAFE) mode, etc.) and transitions between these modes; I/O and external interface requirements; parameters which can be modified during operation; performance requirements and restrictions; assumptions regarding the HPD's environment; fault detection and diagnostics requirements.
Phase Results: HPD Requirements Specification Document
Standards Requirements: IEC (6.1.4), IEC (6.1.9), IEC (5.3 and 5.4), IEC (class 8)

HPD Lifecycle Stage: Requirements review
Phase Description: Completeness of the HPD requirements and their compliance with the system requirements are verified after the HPD requirements specification phase.
Phase Results: HPD Requirements Specification Review Report
Standards Requirements: IEC (software aspects), IEC (hardware aspects), IEC (both)

HPD Lifecycle Stage: HPD ED design
Phase Description: Based on the HPD Requirements Specification Document, the required system functions (specific system behaviour) are defined using pre-developed blocks (application-related functional blocks) which are provided as the Functional Blocks Library (FBL). Integration of application-related functional blocks is done in accordance with the HPD Requirements Specification.
Phase Results: Formalized description of the HPD and associated HPD design documentation
Standards Requirements: IEC ( ), IEC (8.2, 8.3.4), IEC (class 7), IEC (8.7, 9.4.2), IEC (8.4)

HPD Lifecycle Stage: HPD ED Static Code Analysis (SCA) and Functional Testing
Phase Description: Correctness of the HPD design (Static Code Analysis) and its compliance with the HPD requirements (Functional Testing) are verified after the HPD design phase.
Phase Results: HPD Design Static Code Analysis Report; HPD Design Functional Test Plan and Report
Standards Requirements: IEC (9.8)

HPD Lifecycle Stage: HPD implementation
Phase Description: Logic synthesis produces the gate-level description (netlist) of the HPD; place and route (floor planning) is then performed, resulting in the physical description needed to produce the HPD, such as the HPD programming file or bitstream file. The bitstream file is then loaded into the HPD.
Phase Results: Programming files with associated documentation; HPD with implemented application
Standards Requirements: IEC (8.4.8, 8.7), IEC (9.1.1)

HPD Lifecycle Stage: Functional testing
Phase Description: Compliance of the HPD with the required functionality is verified via a testbed which simulates inputs and allows monitoring of the outputs as well as the overall performance of the HPD.
Phase Results: Functional Test Plan and Report
Standards Requirements: IEC (9.5)

HPD Lifecycle Stage: System integration
Phase Description: System integration involves all the activities necessary for programmable and non-programmable components to work together as a system.
Phase Results: Completed system
Standards Requirements: IEC (class 10), IEC (7.5)

HPD Lifecycle Stage: Integration testing
Phase Description: Integration testing is performed to check internal and external system interfaces, as well as system functions.
Phase Results: Integration Test Plan and Report
Standards Requirements: IEC (10.2, 10.3), IEC (7.5)

HPD Lifecycle Stage: System validation
Phase Description: Validation is performed to check compliance of the whole system with the initial system requirements specification. This is mainly a black-box type of test.
Phase Results: Validation Test Plan and Report
Standards Requirements: IEC (class 11)

If a digital I&C system requires a human-system interface (HSI), an appropriate sub-system is developed in a separate branch of the system development lifecycle. RPC Radiy's approach is to implement the HSI as software executed on workstations connected to the HPDs. Such HSI software is application software written in a general-purpose language and based on pre-developed software components. As the figure below shows, the HSI and HPD development branches are joined within the system lifecycle at the system integration phase. RPC Radiy designs the HSI according to the requirements of IAEA NS-G-1.3 (4.61, 6.5, 6.6, 6.8, 6.43, 6.57, 6.62) and IEC (5.1.1, , ).

[Figure: Development lifecycle for digital I&C system with HSI and HPD. Phases shown: System requirements specification; HSI software requirements specification and Requirements review; HPD requirements specification and Requirements review; HSI software design and Design review; HPD design, VHDL SCA and Functional Testing; HSI software implementation and Functional testing; HPD implementation and HPD Functional testing; System integration and Integration testing; System validation.]

Configuration Management (CM) Process

The CM process at RPC Radiy applies throughout the lifecycle of the RadICS platform and its applications. According to IEC 61513, a configuration management process must be established to document and control the functional and physical attributes of all components, to record and report all changes, and to verify their compliance with requirements. Configuration management of the RadICS platform and its applications is performed according to the requirements outlined in IEC 60880:2006 (5.6) and IEC (5.5).
According to RPC Radiy practices and the requirements of IEC and IEC (6.2.10, 7.16), all project activities shall be subject to a configuration management plan, which defines the tools and procedures to be used, the activities to be performed, their sequence and timing within the product lifecycle, and the responsibilities for their execution.

Software Tools Evaluation

Software tools play a very important role in the implementation of development activities. The use of software tools in a safety-critical project is not possible without a prior evaluation of those tools. General requirements for support tools, including programming languages, are provided in IEC :2012 (7.4.4). Tool evaluation should include the detection of possible errors and the analysis of defects and their potential effect on the safety of the final product, in order to prove that the tool cannot affect the safety of the product. Such information is gathered from the tool suppliers. According to RPC Radiy's practice, the use of proven tools is preferred over manual methods. RPC Radiy purchases tools only from long-established vendors with a good track record of CM and V&V processes, problem notification and resolution, effective user support and training services. Final selection of a tool is based on a detailed evaluation of its suitability to support all applicable life cycle processes for the specific project. Tool evaluation results are documented in a dedicated report, which is always project-specific and includes the evaluation of all tools required for the implementation of development activities.
The following is an example of acceptance criteria which can be used during the evaluation of tools:
- Evidence that the tool performs according to its specification;
- Availability of a clear, unique and up-to-date tool version identification, and proof that the supplier has used a proper version control process during the entire tool life cycle;
- Functional rationale for the selection of the tool: the explanation of why this tool is required for I&C system development;
- Detailed, clear and complete user documentation;
- Extent to which the tool has been used in the nuclear or other industries with equivalent software-critical applications, similarity of the users' experience to that envisaged for RPC Radiy's applications, and users' feedback;
- Manufacturer quality assurance plan commensurate with the criticality of the tool application;
- Documentation of known faults and of the possibilities to circumvent these faults;
- Availability of the maintenance history for the version of the tool to be used by RPC Radiy, with detailed, clear and complete release notes.

6.3 Requirements for the RadICS Platform and its Applications

Platform requirements are divided into the following groups (see the figure below for a list of requirements under each group):
- Functional requirements;
- Qualification requirements;
- Performance requirements;
- Safety requirements.

[Figure: RadICS platform and its applications requirements. Requirements to the RadICS platform and platform-based applications are grouped into Safety, Performance and Qualification requirements, covering: independence, single failure criterion, redundancy, accuracy, seismic qualification, diversity, diagnostics, timing, power fluctuation tolerance, fire protection, defense against Common Cause Failures, access control, HSI and electromagnetic compatibility.]

All these requirements are included in the RadICS-based Applications Requirements Specifications for all RPC Radiy projects.

Safety Requirements

Requirements to Single Failure Criterion

Our I&C platforms comply with the single failure criterion requirements described in IAEA SSR-2/1 (5.39, 5.40), IAEA SSG-2 (5.38), IAEA NS-G-1.3 (4.14, 4.15), IEC (4.2), and IEC (3.55, 3.56, , ). The criterion establishes that no single failure will result in the loss of any of the safety functions.

Redundancy Requirements

Redundancy requirements are described in IAEA NS-G-1.3 (4.14, 4.22), IEC (5.2), and IEC (3.48, , ). The degree and architecture of our systems' redundancy is dictated by the reliability requirements imposed on the application. Our systems can be configured as single channels with single or redundant power supplies, or in voting logic configurations such as 2oo3, 3oo4 or variations of the above. Redundancy is also achieved by allocating the same functionality to main and standby processing units at the PC board level.

Diversity Requirements

Diversity requirements are described in IAEA NS-G-1.3 ( ), IEC ( , ), IEC (3.1, 5.1), and NUREG . Adherence to diversity requirements means the application of different technical solutions for the execution of the same function (different components, algorithms, programs, languages, instrumentation, design team, etc.).
Chapter 12 describes the ways in which the RadICS platform and its applications meet diversity requirements.

Requirements for Defense Against Common Cause Failures

Requirements for defense against common cause failures (CCFs), either hardware or software, are described in IAEA SSR-2/1 (requirement 24), IAEA NS-G-1.3 (4.18, 4.63), IAEA NS-G-2.3 (4.26), and IEC (3.1, 5.1.1, 9.1.1). The following are measures taken by RPC Radiy as a line of defence against software CCFs:
- Reduction of program code volume due to the application of FPGAs as programmable components;
- Application of distributed software and separation of safety category A functions from those of categories B and C (see IEC for the classification of function categories);
- Application of development methods and tools aimed at preventing the introduction of faults into software;
- Implementation of software self-control and self-diagnostics functions.

The steps of defense against hardware CCFs realized for both the RadICS platform and RadICS-based applications include adherence to the independence principle. Generally, adherence to the independence principle means that the I&C system should preserve its capacity to execute the prescribed functions necessary to ensure NPP safety under failure or deliberate inactivation of one redundant channel. Radiy's best practices for implementing this principle are the following:
- Screening and galvanic separation of the input, output and power circuits in each channel using electro-optical components;
- Radial ("point-to-point") structure of the connections between channels, to preserve the possibility and accuracy of data exchange among the remaining channels in case one of them fails;
- Physical separation of redundant I&C system channels, which are housed in separate cabinets and powered from different sources.
Additional supporting features implemented to prevent hardware CCFs are:
- Realization of technical diagnostic means (see the subsection below);
- Application of technical solutions and components proven in NPP operating experience;
- Full-scale execution of qualification tests and validation of I&C system functions.

Diagnostics Requirements

Diagnostics requirements are described in IAEA NS-G-1.3 (4.84, 4.88), and IEC ( , , , ). Each module of the RadICS platform has built-in self-diagnostics capabilities. Automated tests are executed continuously during system operation. These tests include data integrity checking performed on each of the following general processes: data transmission; data reading/writing; data processing. As mentioned in Section 3.6, the RadICS platform has a diagnostic module. This module obtains data on environmental conditions from cabinet sensors, gathers diagnostic data from the modules through LVDS lines, and sends diagnostic information to the Human System Interface of the Engineering Workstations through one-directional transmission lines.
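To illustrate how the 2oo3 voting, the independence principle (continued operation under failure or deliberate inactivation of one redundant channel) and the module self-diagnostics described above fit together in one functional block of the kind held in the FBL, here is an added VHDL example; it is illustration code, not RPC Radiy's PFBL or AFBL code. The entity and port names (voter_2oo3, ch_valid, mismatch, gen_fault) and the degradation policy (1oo2 over the remaining healthy pair when one channel is out, a de-energized '0' safe state when fewer than two channels are healthy) are assumptions.

```vhdl
-- Added example, not an RPC Radiy FBL block: a 2oo3 voter functional block
-- with self-diagnostics inputs, per-channel disagreement flags and a
-- generalized fault output. Entity/port names and the degradation policy
-- are assumptions made for this illustration.
library ieee;
use ieee.std_logic_1164.all;

entity voter_2oo3 is
  generic (
    WIDTH : positive := 8      -- number of discrete signals voted bit by bit
  );
  port (
    clk       : in  std_logic;
    rst_n     : in  std_logic;                        -- synchronous, active low
    ch_a      : in  std_logic_vector(WIDTH-1 downto 0);
    ch_b      : in  std_logic_vector(WIDTH-1 downto 0);
    ch_c      : in  std_logic_vector(WIDTH-1 downto 0);
    ch_valid  : in  std_logic_vector(2 downto 0);     -- '1': channel passed its self-diagnostics
    voted     : out std_logic_vector(WIDTH-1 downto 0);
    mismatch  : out std_logic_vector(2 downto 0);     -- healthy channel disagrees with voted value
    gen_fault : out std_logic                         -- generalized fault signal for the HSI
  );
end entity voter_2oo3;

architecture rtl of voter_2oo3 is
  type ch_array_t is array (0 to 2) of std_logic_vector(WIDTH-1 downto 0);
begin
  vote_proc : process (clk)
    variable chs     : ch_array_t;
    variable healthy : natural range 0 to 3;
    variable v_out   : std_logic_vector(WIDTH-1 downto 0);
    variable v_mism  : std_logic_vector(2 downto 0);
  begin
    if rising_edge(clk) then
      if rst_n = '0' then
        voted     <= (others => '0');   -- assumed de-energized safe state
        mismatch  <= (others => '0');
        gen_fault <= '1';               -- no valid vote yet
      else
        chs := (0 => ch_a, 1 => ch_b, 2 => ch_c);

        -- Count the channels that their own self-diagnostics report as healthy.
        healthy := 0;
        for i in 0 to 2 loop
          if ch_valid(i) = '1' then
            healthy := healthy + 1;
          end if;
        end loop;

        for j in v_out'range loop
          if healthy = 3 then
            -- Full redundancy: majority vote, a single wrong channel is masked.
            v_out(j) := (ch_a(j) and ch_b(j)) or (ch_b(j) and ch_c(j)) or (ch_a(j) and ch_c(j));
          elsif healthy = 2 then
            -- One channel failed or deliberately inactivated: vote 1oo2 over
            -- the healthy pair so a demand is still actuated (assumed policy).
            v_out(j) := '0';
            for i in 0 to 2 loop
              if ch_valid(i) = '1' and chs(i)(j) = '1' then
                v_out(j) := '1';
              end if;
            end loop;
          else
            -- Fewer than two healthy channels: no credible vote, hold safe state.
            v_out(j) := '0';
          end if;
        end loop;

        -- Diagnostics: a healthy channel whose data differs from the voted
        -- result is flagged so the HSI can localize a drifting or stuck channel.
        for i in 0 to 2 loop
          if ch_valid(i) = '1' and chs(i) /= v_out then
            v_mism(i) := '1';
          else
            v_mism(i) := '0';
          end if;
        end loop;

        voted    <= v_out;
        mismatch <= v_mism;
        -- Generalized fault: any unhealthy channel or any disagreement.
        gen_fault <= v_mism(0) or v_mism(1) or v_mism(2)
                     or not (ch_valid(0) and ch_valid(1) and ch_valid(2));
      end if;
    end if;
  end process vote_proc;
end architecture rtl;
```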

When a failure is detected, a generalized fault signal is sent to the Human System Interface and a corresponding alarm to the workstation monitor; the form and contents of the alarm allow us to quickly determine the place, time, character and hazard degree of the failure. Continuous automatic monitoring, as well as failures of the diagnostic system itself, do not affect the operation of the rest of the I&C system and do not degrade its performance. This is attained due to the diagnostic system's full independence from the systems executing control functions. In addition, periodic testing of modules allows us to perform detailed diagnostics by checking the responses of the modules to test sequences. RPC Radiy provides guidelines on the required test intervals for the given systems, as well as test plans and test specifications.

Access Control Requirements

Access control requirements are described in IAEA NS-G-1.3 (4.51, 4.52, 4.53, 6.21). The RadICS platform has the following features to fulfill the access control requirements:
- Installation of platform modules in chassis and cabinets with access control keys and alarm features;
- Use of unique identifiers for platform modules to prevent substitution, whether by malicious intention or by mistake.

To enable the user (or system integrator) to configure the RadICS platform (that is, to define the application logic to be implemented in the system's FPGAs), there is an additional interface on the Logic Module PCB. This interface is inaccessible when the module is installed in a chassis, and it provides the possibility to configure application logic only in off-line mode. In addition, the software used in the platform configuration process contains password protection features, as well as functions to check the successful completion of the configuration process.

Performance Requirements

Accuracy Requirements

Accuracy requirements are part of the performance requirements.
They vary from application to application; guidelines on how to define them are given in IAEA NS-G-1.3 (5.14, 5.15, 7.55). For NPP I&C systems, the metrological or calibration characteristics of measurement channels and the accuracy characteristics of control channels and signalling channels are standardized. Conformity of metrological and accuracy characteristics to the SRS requirements has to be confirmed by the results of plant tests and metrological certification. Metrological certification of measurement channels is performed in the course of I&C system operation at NPPs.

Timing Requirements

The list of performance requirements described in IAEA NS-G-1.3 (7.55) and IEC (4.1) also includes the timing characteristics. Timing characteristics are specified in the SRS as the duration of input cycles for continuous and discrete signals and the acceptable limit values of:
- time resolution during data input;
- delay in the execution of discrete functions;
- continuous function execution speed;
- speed of digital message transmission over optical fiber communication lines, etc.

According to the Company's best practices, all performance requirements are agreed with the Customer. Some typical timing characteristics of Radiy I&C applications, platform and modules are given on the company website.

Human-System Interface (HSI) Requirements

Requirements for the human-system interface are described in IAEA NS-G-1.3 (4.61, 6.5, 6.6, 6.8, 6.43, 6.57, 6.62), and IEC (5.1.1, , ). The RadICS platform HSI comprises an information display of process parameters and equipment conditions, using multi-window graphics and a branched menu system. The system includes mechanisms to aid operators in accessing the necessary information within the time required for them to take the necessary actions; an example of this is protection against the overlapping of displayed information windows resulting from operator changes to their size or position. Design solutions are also adopted to prevent probable human errors during I&C maintenance. Some of the features of the RadICS HSI are:
- Refresh of dynamically displayed data within a maximum time of 2 seconds;
- Trending of process parameters and their deviations from control or protection setpoints (margin to trip);
- Daily, short-term and long-term diagnostic message displays.

Qualification Requirements

Requirements to Seismic Qualification

Requirements for resistance to mechanical and seismic impact are described in IEC ( , 5.3.2), and IEC (4.1). RPC Radiy has qualified, and is prepared to design, our equipment to the most stringent seismic requirements imposed by utilities and system designers. Since we have panel design and manufacturing capabilities at our facilities, we are able to prototype most structures and modify them to meet the seismicity requirements of most sites.

Power Fluctuation Tolerance Requirements

Requirements for tolerance to power fluctuations are described in IEC (5.5).
Our equipment will perform its specified functions within the following power fluctuation and interruption limits:
- Indefinite supply voltage deviations of up to minus 15% to plus 10% of the nominal value;
- Voltage deviations of maximum 2 seconds duration from minus 30% to plus 25% of the nominal value, at maximum 10 s intervals;
- Indefinite supply frequency deviations from plus 2% to minus 2%, and frequency deviations of maximum 10 s duration down to minus 6% of the nominal value;
- A difference of up to 5 degrees between supply phases;
- Maximum 10% Total Harmonic Distortion;
- Power interruptions of up to 20 ms during switching from one source to another.

Each cabinet can be fed from two power supplies in main and standby modes. Each cabinet in turn supplies its loads via direct current (DC) from two independent stabilized power sources configured in hot standby mode. Workstations are fed via a single-phase 220 VAC, 50 Hz power supply. All cabinet power supply inputs are continuously monitored for power availability. Loss of power at both inputs (or either one of them) in any of the cabinets results in the generation of a fault signal. The output voltage of the stabilized DC power supplies is continuously measured. All power supply data is transmitted to the workstations for visualization and archiving.

Electromagnetic Compatibility Requirements

Requirements for electromagnetic compatibility are described in IAEA NS-G-1.3 (4.77, 4.78, 5.40). These requirements ensure that all I&C system components function as expected when subjected to electromagnetic interference generated by power supplies, grounding, communication lines and other sources. Our standard I&C systems are designed for operation in a medium-hardness electromagnetic environment (typical for I&C rooms and Control Rooms). RPC Radiy digital I&C systems can effectively execute their functions under the following types of interference, up to medium-hardness levels: electrostatic discharge, radiation, electromagnetic fields resulting from devices operating in the radio frequency range, electrical noise, and power frequency magnetic fields. We design our systems to avoid the generation of switching interference during start-up, operation and disconnection that might cause faults in the operation of other systems connected to the same power supply.
Compliance with the requirements for electromagnetic compatibility is confirmed by the corresponding certificates.

Independence Requirements

Independence requirements are described in IAEA SSR-2/1 (5.33), IAEA NS-G-1.3 (4.36, 4.39, 4.40, 4.42, 4.45, 5.54, 6.14), IEC (5.2), and IEC (3.29, , ). The RadICS platform and its applications meet the independence requirements by incorporating features that ensure physical and functional separation between redundant devices performing safety functions. By implementing these design features, our systems maintain their required safety functions in the presence of a single fault in any of their components. Our design incorporates the following features: galvanic isolation and shielding of input, output and power supply circuits in each channel using electrical or optical isolation devices; physical separation (using distance, barriers, or both) between redundant channels; independent redundant power supplies; and physical and functional separation of devices performing safety and non-safety functions.

Physical and functional independence of communication channels is achieved by selecting appropriate system architectures and data communication protocols. The implementation of a radial (point-to-point) architecture in our inter-channel communication links provides the capability to maintain failure-free data exchange between I&C components even when one of the channels has failed. Additional measures designed to achieve the desired physical and functional independence are the application of fiber-optic communication lines for data exchange between I&C components and the separation of safety and control functions from information and diagnostic functions.

Fire Protection Requirements

Fire protection requirements are described in IAEA SSR-2/1 ( ). We address fire protection requirements by incorporating the following features in the design of the RadICS platform:
Where required, the use of non-flammable or poorly flammable materials, coatings and fire-retardant cable insulation;
Monitoring and alarm systems for smoke and increased temperature in cabinets;
Means to automatically de-energize all devices in case of fire hazards;
The use of items that will not constitute fire hazards when subjected to conditions such as overvoltage, overloads, and short circuits.

RPC Radiy follows national and international standards associated with the entire lifecycle of I&C systems for nuclear safety and non-safety applications, and our RadICS platform complies with requirements derived from all the above standards.

Chapter 7: Case Study 1 Functional Safety Approach to the Certification of FPGA-based Platforms and its Applications

The IEC standard provides means of certifying systems on the basis of four predefined Safety Integrity Levels (SIL), where SIL4 is the most demanding level. The SIL certification process requires that products developed under a Functional Safety Management Plan (FSMP) be audited in stages by an independent certification agency (more details below). The FSMP takes all IEC requirements into consideration and mandates that they be applied throughout the product life cycle. The SIL certification process outlined in IEC requires the preparation of a set of documents specific to each phase of the product life cycle. These documents must be subject to an independent auditing process and assessment by a Certification Body. The Project Safety Management documentation structure is presented in the figure below.

Project Safety Management Documentation

A typical SIL certification process includes the following items:
Product reliability;
Process execution;
Human factor;
Functional safety assessment.

For each of these items, after comprehensive analysis, a set of inherent features was specified in detail (some of them are represented in the figure below).

Functional safety certification (IEC 61508, Safety Integrity Level SIL 3) at a glance

One of the most critical features required for successful SIL3 certification is the requirements tracing process. The main idea behind it is to achieve complete traceability at all project stages, so that all initial requirements are implemented and the functions are restricted to the required ones only.

Requirements tracing principle
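The following added example (not part of the RadICS toolset or this report) mechanizes the two halves of that principle over a small trace matrix: forward traceability (every requirement has an implementing design element and a verifying test) and backward traceability (every design element and test is justified by a requirement, so no unrequired functions slip in). The record format, identifiers and the matrix contents are constructed for the illustration.

```python
"""Trace-matrix audit for requirements tracing: complete forward trace plus
the "no unrequired functions" backward trace. Example code, not RadICS tooling."""

# Constructed trace matrix, one record per line: kind,id,traces
# REQ records carry no trace field; DES (design element) and TST (test case)
# records list the requirement ids they implement or verify, ';'-separated.
SAMPLE_MATRIX = """\
REQ,REQ-001,
REQ,REQ-002,
REQ,REQ-003,
REQ,REQ-004,
DES,DES-010,REQ-001;REQ-002
DES,DES-011,REQ-003
DES,DES-012,
DES,DES-013,REQ-009
TST,TST-100,REQ-001
TST,TST-101,REQ-003
TST,TST-102,REQ-004
TST,TST-103,
"""


def parse_matrix(text):
    """Return (requirements, design, tests): a set of requirement ids and two
    dicts mapping an element id to the set of requirement ids it traces to."""
    requirements, design, tests = set(), {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'kind,id,traces'")
        kind, ident, traces = (p.strip() for p in parts)
        refs = {r.strip() for r in traces.split(";") if r.strip()}
        if kind == "REQ":
            requirements.add(ident)
        elif kind == "DES":
            design[ident] = refs
        elif kind == "TST":
            tests[ident] = refs
        else:
            raise ValueError(f"line {lineno}: unknown record kind {kind!r}")
    return requirements, design, tests


def audit_trace(requirements, design, tests):
    """Audit both trace directions. Findings are sorted lists so a baseline
    audit report is reproducible from one run to the next."""
    implemented, verified = set(), set()
    dangling, orphan_design, orphan_tests = [], [], []
    for ident, refs in sorted(design.items()):
        valid = refs & requirements
        # A reference to a requirement that does not exist is itself a defect.
        dangling.extend((ident, r) for r in sorted(refs - requirements))
        if not valid:
            # A design element behind which no requirement stands: an
            # unrequired function that the tracing process is meant to exclude.
            orphan_design.append(ident)
        implemented |= valid
    for ident, refs in sorted(tests.items()):
        valid = refs & requirements
        dangling.extend((ident, r) for r in sorted(refs - requirements))
        if not valid:
            orphan_tests.append(ident)
        verified |= valid
    return {
        "unimplemented": sorted(requirements - implemented),  # no design element
        "unverified": sorted(requirements - verified),        # no test case
        "orphan_design": orphan_design,
        "orphan_tests": orphan_tests,
        "dangling": dangling,
    }


def is_baseline_clean(findings):
    """True only when every trace direction closes with no findings."""
    return not any(findings.values())


if __name__ == "__main__":
    findings = audit_trace(*parse_matrix(SAMPLE_MATRIX))
    for category, items in findings.items():
        print(f"{category:14s} {items}")
    print("release baseline clean:", is_baseline_clean(findings))
```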

As a result of the successful completion of the RadICS platform SIL3 certification project, the main metrics are the following:
737 requirements of IEC (items of the Safety Case);
About 200 documents in the Documentation Plan (tens of thousands of pages in total);
One year ( ) for preparation and 3 years ( ) for performance;
Up to 70 people involved;
The project core: 7 people in the Design Team, 10 in the V&V Team, 5 in the PM and Safety Assessment Team, 2 in the Infrastructure Development Team;
More than 50 man-years.

The auditing process starts early in the product development process with an independent Functional Safety Assessment to estimate the readiness of the processes and product(s). Internal Functional Safety Audits (FSAs) are conducted after successful completion of the development process, at certain milestones as described below. Typical objectives of an internal FSA are to verify that:
The required documents have been approved for use and are under proper configuration control;
The project Quality Assurance (QA) manual is in place and in line with corporate and project objectives and quality requirements;
The QA programs of suppliers of materials and services are in line with the project quality requirements as defined in the project QA manual;
All verification activities associated with this phase of the development process were correctly executed;
An effective action tracking process was instituted and followed by all members of the team;
An effective requirements tracing process was instituted and followed by all members of the team;
The Safety Concept for the product is clearly defined;
The required competences and accountabilities for the project are clearly identified and the organization is staffed accordingly;
An effective Change Management process was instituted and followed by all members of the verification team;
All of the above is consistent with the activities described in the project FSMP;
Only qualified tools are used in the development process;
Conditions are met for the commencement of the independent Functional Safety Assessment by the corresponding Certification Body;
Compliance with the FSMP is ensured at each audited project phase;
The product release baseline audit has been successfully performed;
Fault injection tests cover the appropriate measures.

The independent Functional Safety Assessment is performed by an external certification agency. The person in the agency responsible for the independent assessment prepares the FSMP and various procedures. The following information is required as input to the independent Functional Safety Assessment:
IEC 61508;
The final product functional, safety and performance requirements;
The final product safety integrity requirements (requirements for probability rates and reliability indexes).

On completion of the independent Functional Safety Assessment, the certification agency issues the following documents: the Functional Safety Assessment Plan, the Functional Safety Assessment Report and the certificate of the product's compliance. The assessments performed by exida, as well as the final independent Functional Safety Assessment, confirmed that Radiy's processes comply with SIL3 requirements and that the RadICS platform meets SIL3 requirements. The certificate is available at the following link:

Chapter 8: Case Study 2 IAEA IERICS Mission at Radiy's Facilities

The IAEA review mission titled Independent Engineering Review of I&C Systems in Nuclear Power Plants was established by the Nuclear Power Engineering Section of the IAEA to conduct peer reviews of NPP I&C design documents, prototype systems and systems in actual operation in NPPs. The IERICS review team consists of a group of invited subject matter experts from various IAEA Member States. The IERICS Mission is based on appropriate IAEA documents, such as Safety Guides and Nuclear Energy Series Reports.

The IERICS Mission took place at RPC Radiy's facilities in Kirovograd, Ukraine, in December 2010 and was closed out in March 2011 at the IAEA's offices in Vienna, Austria. The subject matter of the review mission was Radiy's FPGA-based safety I&C RadICS platform. The review was based on the IAEA Safety Guide NS-G-1.3 Instrumentation and Control Systems Important to Safety in Nuclear Power Plants (IAEA Safety Standards Series No. NS-G-1.3) and the following IAEA Nuclear Energy Series Reports:
Implementing Digital I&C Systems in Modernization of Nuclear Power Plants (IAEA Nuclear Energy Series Report No. NP-T-1.4);
Protecting Against Common-Cause Failures in Digital I&C Systems (IAEA Nuclear Energy Series Report No. NP-T-1.5);
Core Knowledge on Instrumentation and Control Systems in Nuclear Power Plants (IAEA Nuclear Energy Series Report No. NP-T-3.12).

The findings of the IERICS Mission were given in the Mission Report IERICS-UKR-2010, titled Independent engineering review of instrumentation and control systems (IERICS) in nuclear power plants. An IAEA review of the Radiy FPGA-based safety I&C platform and systems for NPPs.

IAEA IERICS mission at Radiy site

The conclusions of the IERICS Mission included recommendations, suggestions, and an acknowledgement of good practices at Radiy. In particular, the following items were identified as good practices:
The use of FPGA technology and advanced approaches to the development of an FPGA-based platform and systems;
The design includes extensive on-line self-diagnostics at different system levels;
Full implementation of the IAEA QMS requirements in the RPC Radiy Quality Management System;
A defect reporting program from which other organizations may benefit.

The IAEA review team confirmed that extensive, high-quality engineering work, in compliance with the relevant sections of the IAEA Safety Guide NS-G-1.3, had been performed by Radiy in the development of FPGA-based I&C systems.

Chapter 9: Case Study 3 FPGA-Based I&C Systems Licensing Process Followed in Ukraine and Bulgaria

Activities associated with the design of I&C systems for NPPs in Ukraine are subject to licensing by the Regulatory Authority (State Nuclear Regulatory Inspectorate of Ukraine). In accordance with Ukrainian regulations, in order to obtain a license for the design of nuclear installations, a company shall prepare a set of documents and go through all the stages of the licensing process (see figure below).

Workflow of the licensing process of designing I&C systems for nuclear installations: Begin; System Concept Evaluation; Development Planning Evaluation; System Requirements Evaluation; System Design Evaluation; Hardware & Software Requirements, Detailed Design, Fabrication, Test & Integration Evaluation; System Validation Evaluation; Installation, Operation & Maintenance Evaluation; Safety Evaluation Report Analysis; End

The following is a breakdown of the 8 phases in the figure above leading to the licensing of the NPP:
1. System Concept Evaluation. It involves a formal review of the Technical Concept envisaged for the new or modernized I&C system.
2. Evaluation of the development plan. It involves a formal review of:
a. The licensing plan;
b. The modernization project management plan;
c. The QA plan and associated procedures.
3. System Requirements Evaluation. It involves the formal internal and independent review of the System Requirements Specification (SRS) document.
4. System Design Evaluation. It involves the formal review of all system design documents and processes.
5. Evaluation of hardware & software requirements, detailed design, fabrication, test & system integration processes. It involves the formal review of the following:
a. Hardware requirements specifications;
b. Hardware design;
c. Manufacturing documents;
d. FMEA report;
e. Reliability and Availability Analysis report;
f. Software Requirements Specification;
g. Software design;
h. Software code;
i. Software Planning Documents.
6. Evaluation of the V&V and qualification processes. It involves the formal review of:
a. V&V Plan;
b. V&V reports;
c. The equipment qualification test plan;
d. Equipment qualification test reports;
e. Metrology parameters test plan;
f. Metrology parameters test report;
g. Factory Acceptance Test plan;
h. Factory Acceptance Test report.
7. Evaluation of installation, operation & maintenance work processes. It involves the formal review of:
a. The installation plan and procedures;
b. Site Project Management Framework;
c. Site Acceptance Test plan;
d. Site Acceptance Test report;
e. User documents;
f. Operation and Maintenance Procedures;
g. Training documents and procedures;
h. Change Control procedures and Modification Documents;
i. Trial Operation Plan;
j. Trial Operation Report.
8. Safety Evaluation Report Analysis. This involves:
a. A review of the Safety Evaluation Report;
b. The granting of a license by the regulator.

A typical regulatory review is based on the results of the previous phases. After the System Validation Evaluation, the Certificate of conformance to national regulatory requirements is issued for the licensed I&C system.

Chapter 10: Case Study 4 RadICS digital I&C platform Licensing Under the U.S. NRC Regulations

RPC Radiy is always looking for new opportunities for its business and products. One of its most ambitious business goals is to bring all the benefits of the RadICS digital I&C platform, as a safe and reliable product, to the U.S. nuclear market. As a result of these ongoing efforts, RPC Radiy has established a spin-off company, RadICS LLC. RadICS LLC was established in
The Company has 18 qualified employees, including design engineers.

LLC RadICS goals

According to its policy statement, RadICS shall design and procure safe and reliable I&C applications to assure the safe and reliable operation of the nuclear plant and the health and safety of the public and workers.

In 2015, Radiy started work with Global Quality Assurance to assist LLC RadICS in fully aligning its QMS with 10 CFR Part 50, Appendix B, ASME NQA , NQA-1a-2009 and 10 CFR 21. These activities include the following:
QA Program document development;
Development of quality procedures for the 18 criteria of Appendix B;
Training program for RadICS personnel on the QA Program document and implementing procedures;
Lead auditor and inspector qualification and training, etc.

The Global Quality Assurance third-party certification audit is planned by the end of
This work is the basis for the preparation of the RadICS Topical Report submittal to the U.S. NRC for review and approval of the RadICS digital I&C platform design for use in nuclear safety I&C systems in any U.S. NPP. Compliance is to be demonstrated via the following licensing approach:
Dedicate the generic RadICS digital I&C platform, which was not originally developed under a 10 CFR Part 50 Appendix B QA program, in accordance with the basic requirements for commercial dedication as defined in 10 CFR Part 21. Radiy is employing the commercial dedication processes described in Electric Power Research Institute (EPRI) TR and TR and approved by the NRC;
Qualify RadICS hardware to meet U.S. standards. The RadICS hardware will be qualified and maintained under the RadICS 10 CFR Part 50 Appendix B quality program. If new boards are developed or existing boards are modified for obsolescence or other reasons, the new or modified hardware will be appropriately tested and/or analyzed to maintain equipment qualification to U.S. standards;
Develop plant-specific programmable logic in accordance with software life cycle plans that are compliant with NRC Branch Technical Position (BTP) 7-14;
The RadICS toolset, which is used as a design aid and not as a replacement for V&V, is not dedicated but continues to be subject to a CM program.

On July 14, 2015, RPC Radiy representatives met with the Nuclear Regulatory Commission of the United States (U.S. NRC) in Rockville, United States, as part of the certification process of the RadICS FPGA-based platform. The purpose of the meeting was (1) to present technical information about the RadICS platform and planning information about the RadICS Topical Report submittal, and (2) to receive the NRC's feedback on the RadICS platform features and the overall licensing plan and schedule. The detailed discussions included the following areas:
Features of the RadICS digital I&C platform and its development process;
RadICS quality management system and licensing program;
Commercial grade dedication plan and qualification plan.

The next meeting is scheduled for November 2015 to discuss project status and specific certification questions. With Radiy's accomplished experience in the development of FPGA-based Instrumentation & Control systems and continued success in local and international nuclear markets, Radiy is pursuing further advancement and a higher level of reliability and security of its products and services.

Meeting of RPC Radiy with the Nuclear Regulatory Commission of the United States (US NRC) in Rockville, United States

Chapter 11: Case Study 5 Modernization of Engineered Safety Features Actuation Systems (ESFAS) at the Kozloduy NPP in Bulgaria

In March 2008, RPC Radiy won the international tender for the design, manufacture and installation of 6 ESFAS for the modernization of Units 5 and 6 of the Kozloduy NPP (VVER-1000) in Bulgaria. RPC Radiy began its scope of the work in April
The above systems were developed by our experts in close cooperation with the Kozloduy engineering and operation staff. This was a significant factor in our being able to finish the project in record time. The entire process, from design to installation, took 8 months, including the 4 months spent performing integration testing at our facilities. Installation tasks were carried out in the power units of the NPP in less than 29 days (see figure below).

Timeline of main activities associated with the Kozloduy ESFAS refurbishment project (C - Contract with NPP; F - Factory Acceptance Testing; I - On-Site Installation; O - Operation)

ESFAS is a distributed FPGA-based control system comprising reactor regulation, reactor protection, interlocks, and alarm functions. For qualification and functional testing at the RPC Radiy site, our designers used mathematical models to reproduce plant conditions during testing of the ESFAS. The ESFAS configuration, equipment location, and electrical and optical communication lines were also consistent with the topology of the NPP units. Customer representatives were directly involved in all phases of the factory tests. Comprehensive evaluation of the ESFAS at our facilities with the participation of the client allowed us to significantly reduce the time required for the execution of site tests.

The successful execution of the project was due to detailed planning of all activities and the high managerial and technical proficiency of the Kozloduy NPP and the INTERPRIBOR SERVICE Company during all phases of the project. The effective teamwork of the client and subcontractors in the modernization project, as well as of the companies Risk Engineering Ltd and Enemona AD, made it possible to implement the complete project ahead of schedule.

Snapshots of the Kozloduy ESFAS refurbishment project (1st ESFAS, Unit 6, Kozloduy NPP): Day 1, Day 7, Day 10, Day 15

The ESFAS modernization was the first instance of an FPGA-based I&C safety system being licensed for a nuclear application in Bulgaria. At the beginning of 2012, RPC Radiy and the Kozloduy NPP signed another contract to supply Switchgear and Controlgear Assemblies (SHER) to replace the obsolete RTZO-type Switchgear and Controlgear assemblies used in Units 5 and 6 of the Kozloduy NPP. Currently, RPC Radiy is in the process of supplying the SHER systems to the NPP. Both Radiy and the Ukrainian National Nuclear Energy Generating Company ENERGOATOM were able to pass on the benefits of our experience and lessons learned during the installation and licensing of FPGA-based systems in Ukrainian NPPs to the Kozloduy NPP.

Chapter 12: Case Study 6 FPGA-Based Diversity Features in Radiy's I&C Platforms

As a design organization with experience in the supply of safety-related systems for nuclear applications, we are sensitive to the need to meet diversity requirements in redundant systems in order to reduce the risk of common cause failures to the minimum practical level. The RadICS platform's architectural and technological features provide RadICS-based integrated I&C systems with a large degree of diversity. As an example, the table below summarizes all the diversity features that we incorporated in the Reactor Trip Systems (RTS) that we supplied to Ukrainian NPPs. The RTS consists of a Primary System and a Diverse System: two different, but equally capable, parallel safety systems. The diversity features of the RadICS platform make the platform ideal for building I&C systems that provide diverse solutions to analogue systems or digital microprocessor-based I&C systems.

Table - Summary of diversity features incorporated by Radiy in the design of RTS for Ukrainian plants. Usage (nature of diversity): (e) engineered diversity, (i) inherent diversity, (-) not applicable or no information.

Design
- Different approach, same technology (e): Two reactor trip systems (primary and diverse) based on different combinations of two digital technologies: the primary system uses FPGA and microprocessor, while the diverse system is FPGA-based only.
- Different architectures (i): Inherent difference in system architectures due to technology diversity.

Equipment Manufacturer
- Same manufacturer, different design (e): Primary and diverse systems are based on equipment of different manufacturers for which the control logic algorithms are implemented from the same specification.

Logic Processing Equipment
- Different logic processing architecture (i): The primary system incorporates Texas Instruments MSP430 microcontrollers and Altera Cyclone FPGAs; the safety-related control logic is implemented in FPGA, while the microcontrollers are used for communication, diagnostic and auxiliary functions. For the diverse system, Altera Cyclone FPGA devices are used to perform all functions.
- Different component integration architecture (i): Inherent difference at the board level; different circuit board designs for the primary and diverse systems.
- Different data-flow architecture (i): Different data exchange organization, i.e. FPGA to FPGA in the diverse system and FPGA to microcontroller in the primary system.

Functional
- Different underlying mechanisms: The same underlying mechanisms are used for both the primary and diverse reactor trip systems.
- Different function, control logic, or actuation means (e): The same actuators with the same control logic are used, but there are differences in the implementation of inputs and outputs, i.e. electromechanical relays in the primary system vs. solid-state devices in the diverse system, and in the implementation of the diagnostic functions.

Life-cycle
- Different management within the same company (e): Separate design organizations develop the primary and diverse systems.
- Different design and development teams (designers, engineers, programmers) (e): Separate design teams for the primary and diverse systems.
- Different implementation and validation teams (testers, installers, or certification personnel) (e): Separate V&V teams for the primary and diverse systems.

Logic
- Different algorithms, logic, and program architecture (e): Different approaches to digital signal processing, i.e. linearization of data from temperature sensors with a tabular procedure vs. polynomial approximation; difference in program architecture for the Texas Instruments MSP430 and Altera Cyclone.
- Different timing or order of execution (i): Inherent difference in the order of function execution due to technology and design diversity, i.e. sequential execution in the microcontroller vs. parallel execution in the FPGA.
- Different runtime environment (i): Inherent difference in logic / function execution due to technology and design organization diversity.
- Different functional representation (i): Inherent difference in function instantiation due to technology and design organization diversity; VHDL is used in the development of the FPGA-based application, whereas C and Assembler are used for the microcontroller-based application.

Signal
- Different parameters sensed by different physical effects in the primary and diverse systems (e): Sensors based on different physical phenomena are used in each of the primary and redundant systems.
- Different parameters sensed by the same physical effects (e): Diverse measurements are used in both the primary and diverse systems.
- Same parameter sensed by a different set of redundant sensors (e): Separate sensors are used by the primary and diverse systems.

Other Diversity Considerations
- Diversity at the level of other safety systems, which perform different functions and use different equipment for different echelons of protection; hardwired manual actuation is also provided to protect against digital CCF: The reactor trip systems operate together with other reactor control and protection systems (i.e. Reactor Power Control and Limitation System, Engineered Safety Feature Actuation System) that have different architecture and coincidence logic, implement different control logic and safety functions, use diverse actuation initiation criteria and diverse underlying mechanisms, and were produced by different manufacturers.

The RadICS Platform can be used to implement signal diversity strategies. Signal diversity is defined as the use of different sensed parameters to initiate a protective action. Signal diversity is a plant-specific design decision that can be effectively implemented with the range of input module capabilities in the RadICS Platform. The RadICS Platform can also be used to employ functional diversity strategies. Two signal channels are functionally diverse if they perform different physical functions or employ different algorithms. Functional diversity is a plant-specific design decision that can be readily implemented by allocating functionally diverse channels to separate LMs in a RadICS system. The RadICS Platform supports system architectures that employ signal diversity to defend against common cause failures. The RadICS Platform can also be deployed as a diverse system as part of a plant-level diversity and defense-in-depth strategy. RadICS-based solutions support the development and implementation of safety-important I&C systems with the required level of diversity according to NUREG/CR-7007.
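As an added illustration of the "different algorithms" row of the table above (example code written for this page, not Radiy's RTS implementation), the two diverse linearization methods it names, a tabular procedure with linear interpolation and a polynomial approximation, are run on the same resistance reading and cross-compared, so that a faulted channel shows up as a disagreement rather than being silently trusted. The assumed sensor is a Pt100 following the IEC 60751 Callendar-Van Dusen relation for T ≥ 0 °C; the breakpoint table, the tolerance and the injected table fault are constructed for the example.

```python
"""Two diverse temperature linearization channels plus a cross-channel
comparator. Example code; not Radiy's reactor trip system implementation."""
import bisect
import math

# Assumed sensor characteristic: Pt100 per IEC 60751 for T >= 0 C,
# R(T) = R0 * (1 + A*T + B*T^2).
R0 = 100.0
A = 3.9083e-3
B = -5.775e-7


def pt100_resistance(t_c):
    """Forward model R(T); used here to build the table and sample inputs."""
    return R0 * (1.0 + A * t_c + B * t_c * t_c)


# Channel 1: polynomial approximation, the closed-form inversion of R(T).
def poly_temperature(r_ohm):
    disc = A * A - 4.0 * B * (1.0 - r_ohm / R0)
    if disc < 0.0:
        raise ValueError("resistance outside polynomial model range")
    return (-A + math.sqrt(disc)) / (2.0 * B)


# Channel 2: tabular procedure over (R, T) breakpoints with linear interpolation.
def build_table(t_min=0.0, t_max=200.0, step=10.0):
    """Constructed calibration table at 10 C spacing (R strictly increasing)."""
    n = int(round((t_max - t_min) / step))
    return [(pt100_resistance(t_min + i * step), t_min + i * step)
            for i in range(n + 1)]


def table_temperature(r_ohm, table):
    rs = [r for r, _ in table]
    if r_ohm < rs[0] or r_ohm > rs[-1]:
        raise ValueError("resistance outside table range")
    i = bisect.bisect_right(rs, r_ohm) - 1
    if i >= len(table) - 1:          # exactly at the last breakpoint
        return table[-1][1]
    (r_lo, t_lo), (r_hi, t_hi) = table[i], table[i + 1]
    return t_lo + (t_hi - t_lo) * (r_ohm - r_lo) / (r_hi - r_lo)


def compare_channels(r_ohm, table, tolerance_c=0.1):
    """Evaluate both channels and flag disagreement beyond tolerance.
    In a diverse protection design a mismatch is treated as a detected
    channel fault, not averaged away; the caller decides the safe response."""
    t_poly = poly_temperature(r_ohm)
    t_table = table_temperature(r_ohm, table)
    return {"poly": t_poly, "table": t_table,
            "agree": abs(t_poly - t_table) <= tolerance_c}


def corrupt_table(table, index, delta_c):
    """Constructed fault: one breakpoint's temperature shifted by delta_c,
    standing in for a corrupted lookup entry in the tabular channel."""
    bad = list(table)
    r, t = bad[index]
    bad[index] = (r, t + delta_c)
    return bad


if __name__ == "__main__":
    good = build_table()
    # Healthy channels: interpolation error between breakpoints stays well
    # under the tolerance, so both channels agree.
    print(compare_channels(pt100_resistance(95.0), good))
    # Faulted table entry at the 100 C breakpoint: channels disagree.
    print(compare_channels(pt100_resistance(100.0), corrupt_table(good, 10, 5.0)))
```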

Chapter 13: Case Study 7 Embalse refurbishment project

In 2014 RPC Radiy accomplished two modernization projects for the Embalse NPP in Argentina, in cooperation with the Canadian-based company CANDU Energy. The nuclear applications in the scope of the two projects were completely based on Radiy's FPGA-based I&C platform, RadICS.

The first project involved the development of Window Alarm Annunciator (WAA) systems (see figure below) for use in the Main Control Room (MCR), the Secondary Control Area (SCA), and field panels for the Shutdown Systems, Emergency Coolant Injection systems, Primary Heat Transport system and auxiliary electrical equipment in the Embalse NPP Life Extension Project for Unit. The following equipment was supplied:
Disable Switch Panel;
Relay Modules;
Power Supply Units;
Logic Card Assemblies;
Window Box Assemblies.

The WAAs were designed for use in the MCR and SCA to present alarms associated with the plant's Shutdown System One (SDS1), Shutdown System Two (SDS2) and Emergency Core Cooling (ECC) system to the operators.

RPC Radiy developed and manufactured the Window Alarm Annunciators

Three main components were developed as part of the WAA system: two associated with the MCR, housed in the same Logic Card Assembly and using two separate Alarm Logic Controllers (ALC) in the same chassis, and a third associated with the SCA. The MCR portions of the equipment are galvanically isolated from each other. The three components feed alarm signals to the annunciators in accordance with field binary input signals. Each of these components comprises functional modules, and all Logic Card Assemblies are equipped with redundant power supplies. The window box assemblies, controlled by the ALCs, consist of LED-illuminated windows with messages engraved in Spanish. As the hardware platform for the WAA equipment, Radiy used modules and chassis of the standard RadICS FPGA-based Safety Platform. These modules are certified as SIL 3 under IEC
The manufactured equipment passed the specified set of qualification tests according to IEEE and IEC standards, which proved its stability under different operational conditions.

The second modernization project at the Embalse NPP involved developing the Signal Processing Unit (SPU) of the pump motor speed measuring device (see figure below), designed to replace the obsolete unit providing the pump low-speed trip signal in Shutdown System No. 2 (SDS2). The SPU may be viewed as having two main components:
Signal acquisition and analog output components, controlled by logic configured in an FPGA chip with self-diagnostics capabilities;
A separate power supply and monitoring system implemented in a Complex Programmable Logic Device (CPLD) to constantly monitor the FPGA.

PHT Pump Motor Speed Measuring Devices

The monitoring and diagnostics drive the SPU to a safe state on detection of critical failures. The SPU was qualified to IEC Class 1 and supports Category A safety functions. On March 11-21, 2014, after Radiy had conducted all qualification tests, Radiy carried out, and Candu Energy witnessed, the Factory Acceptance Tests (FATs) of the MCR and SCA Window Alarm equipment. The results of the FAT and qualification tests showed that the equipment is in full compliance with the client specification and applicable standards. The application of the FPGA-based RadICS platform, in close cooperation with Candu Energy Inc., as well as our well-established development practices were the essential ingredients for completing the projects successfully.

Chapter 14: Case Study 8 I&C system of IEA-R1 Research Reactor Control Console and Nuclear Channels Modernization

The IEA-R1 open-pool reactor, built by Babcock & Wilcox and commissioned in 1957 with a power of 2-5 MW, currently operates at 3.5 MW. The I&C systems modernization project of the IEA-R1 Research Reactor at the IPEN Institute (São Paulo, Brazil) was started in 2015 and is planned to be finished in
The scope includes turnkey modernization of the Control Console, I&C for Nuclear Measurements, Reactor Trip and ESFAS systems, and HMI Panels. The equipment list includes two Signal Processing Cabinets, a Computer Cabinet and an Operator Console. The I&C system will be realized on the basis of the RadICS platform. The qualification of the system includes seismic and environmental testing. The Factory Acceptance Test is planned for February 2016 and will be executed with the participation of customer representatives. The commissioning is planned for the end of

IEA-R1 Research Reactor Control Room

Chapter 15: Case Study 9 Project with Électricité de France

In October 2014 RPC Radiy was awarded a contract by Électricité de France (EdF) to provide an FPGA-based I&C testbed on the basis of the RadICS platform. The testbed serves research purposes for possible future implementation in NPPs operated by EdF. The six-month development project resulted in the delivery of the testbed along with its documentation, engineering tools for designing applications, and an EdF-specified control application. The service also included a training course on start-up and operation of the testbed, followed by a three-year R&D period with an optional extension for an additional three years. In the scope of the project, RPC Radiy's specialists delivered a training course on the use of the RadICS I&C platform and its operational capabilities to the EdF researchers in Chatou, France. This project enabled EdF to become familiar with designing FPGA-based I&C applications for both NPP modernization and new-build projects.

Training Course on the RadICS I&C platform

Chapter 16: Case Study 10 Printed Circuit Board Assemblies of the Rod Ready Indicator for Pickering NPP

Radiy completed a reverse engineering project for the Pickering Nuclear Power Plant in Ontario, Canada. Printed circuit board assemblies (PCBs) were designed, manufactured, tested and supplied for the Shutdown System 1 Rod Ready Indicator Chassis of the CANDU-type reactors. The redesigned components will improve plant safety and enhance operating efficiency, resulting in extended lifetime operation.

Radiy designed, programmed and produced custom software, a Test Bench Control Unit and a Test Chassis to meet the testing requirements. The custom test bench configuration made it possible to simulate real normal and extreme operational conditions for all of the PCBs in different Equipment under Test (EUT) configurations, each of which could include up to seven PCBs. One or two different EUT configurations could be installed in one Test Chassis, simulating operational conditions for up to 14 PCBs installed in one Rod Ready Indicator Chassis during a single test stage, for the purpose of performance/functional (integration) testing and burn-in (qualification) testing.

Manufacturing and delivery of the PCBs was preceded by qualification of a PCB prototype, including functional tests and a burn-in test, in compliance with IEC Environmental Testing Part 2-78 (Tests, Test Cab: Damp heat, steady state) and the Rod Ready Indicator Chassis Technical Specification requirements, and by Canadian Standards Association / Electrical Safety Authority approval, supported by Candu Energy Inc. engineers.


More information

CMI Guidance Document

CMI Guidance Document CMI Guidance Document for Product Quality Plan Requirements Reference CMI-GD-PQP This document has been produced by the Administration Department of CertMark International (CMI). For technical information

More information

SECURE COMMUNICATION SYSTEMS INC. (Secure) QUALITY CLAUSES

SECURE COMMUNICATION SYSTEMS INC. (Secure) QUALITY CLAUSES SECURE COMMUNICATION SYSTEMS INC. (Secure) QUALITY CLAUSES These quality clauses, when referenced on a Secure s Purchase Order, are considered contractual requirements, in addition to any Purchase Order

More information

Quality Manual. This manual has been written to the ISO 9001:2000 International Quality Standard

Quality Manual. This manual has been written to the ISO 9001:2000 International Quality Standard Sceptre CNC Machining Inc. Quality Manual This manual has been written to the ISO 9001:2000 International Quality Standard Sceptre CNC Machining Inc. Unit 401 1485 Coast Meridian Road Port Coquitlam, B.C.

More information

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard.

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard. Quality Manual This manual complies with the requirements of the ISO 9001:2015 International Standard. Northeast Power Systems, Inc. 66 Carey Road Queensbury, New York 12804 Quality Manual Rev 0 Printed

More information

Supplier Quality Manual

Supplier Quality Manual ALLIANCE ELECTRONICS DISTRIBUTOR Supplier Quality Manual 22412 Gilberto Rd. Rancho Santa Margarita, CA 92688 INTRODUCTION Welcome to Alliance Electronics Distributor (AED) Alliance Electronics Distributor

More information

COMPLEMENT. Switches for Electrical Fixed Installations for household and similar purposes

COMPLEMENT. Switches for Electrical Fixed Installations for household and similar purposes COMPLEMENT Doc: 702-CRC-003-E Revision: 07 Page: 1/8 Elaborated by: Nelson Coelho/ Douglas Ferreira Checked by: Vanessa Hernandes Approved by: Nelson Coelho Approval date: 21/07/2016 1 OBJECTIVE This document

More information

QUALITY MANUAL. Origination Date: XXXX. Latest Revision Date. Revision Orig

QUALITY MANUAL. Origination Date: XXXX. Latest Revision Date. Revision Orig QUALITY MANUAL Origination Date: XXXX Document Identifier: Date: Document Status: Latest Revision Date Revision Orig Abstract: This document describes the tailored quality management system for the build

More information

Focus on Cardiac Devices. with

Focus on Cardiac Devices. with Focus on Cardiac Devices with We are focused FDA Class II and III therapeutic and diagnostic device product development and manufacturing A mature, well-developed ISO-13485 quality system Efficient and

More information

Supplier Requirements Manual

Supplier Requirements Manual ABACO-EQP-001 REV A Supplier Requirements Manual (European Edition) : Approved By Department Signatory Martin Edwards Quality A 13 TH Sep 2017 Martin Edwards Peter Rhodes Purchasing A 13 TH Sep 2017 Peter

More information

Quality Flow-Down Requirements to Suppliers

Quality Flow-Down Requirements to Suppliers 1.0 Calibration System Seller s (herein referred to as Supplier) calibration system shall meet the requirements or standards of; ISO 9001, ISO 10012-1, or AS9100, and ANSI-Z540-1, or MIL-STD-45662. 2.0

More information