Qualification and Licensing (de.areva.com/customer/liblocal/docs/KUNDENPORTAL/...)

Instrumentation and Control TELEPERM XS Qualification and Licensing


Page 1

Instrumentation and Control

TELEPERM XS Qualification and Licensing

Page 2


Table of Contents

Introduction 3

The TELEPERM XS System Platform 4

• Platform Components 4

• Hardware Architecture 5

• Software Architecture 6

• Cyclic Operation 7

• Communication 10

Generic Platform Qualification 12

• Generic Qualification of the Platform Components 12

• Generic Integration and System Test 13

• Confirmation of Deterministic System Behavior 14

• Maintaining the Qualified Status 15

U.S. NRC Safety Evaluation 16

• Generic Assessment 16

Licensing and Operational Experience 18

• Plant-specific Assessment 18

• Approval of Critical Items 19

• Experience 19

Page 3

Introduction


Utilities expect cost-effective I&C systems – with respect to design, installation, licensing, and long-term operation. This calls for systems and strategies that optimally match their special requirements – for new plant projects as well as for modernization and upgrading.

That is why, with TELEPERM XS, AREVA offers a comprehensive system platform providing all features relevant to safety-related I&C systems for nuclear power plants and a strategy that helps minimize licensing risks for utilities.

TELEPERM XS supports distributed multiple computer systems with virtually any degree of redundancy. It permits configuring technically and economically optimized solutions for the entire spectrum of safety-related tasks. Typical applications include Reactor Protection Systems (RPS), Engineered Safety Features Actuation Systems (ESFAS) and Nuclear Instrumentation Systems. The scalability of TELEPERM XS also makes it a cost-effective solution for other safety functions, such as Diesel Controls, Post Accident Monitoring Systems, and other safety grade controls or monitoring applications.

TELEPERM XS is qualified to the highest safety category to perform all of these tasks and meets the highest deterministic and probabilistic reliability requirements. Its high functional reliability is based on a combination of fail-safe design and fault tolerance. This applies to both hardware and software. Deterministic behavior of implemented safety I&C systems is ensured by the following platform features:

• On each processing module, the application software is processed strictly cyclically in a fixed sequence. The functional tasks are completely executed in every cycle and are not affected by interrupts or service tasks.

• The communication between all processing modules inside a TELEPERM XS based system, as well as to outside systems, is performed strictly cyclically and interference-free. This results in constant bus loads. Failures of a sending processing module or a communication device cannot influence the cyclic operation on a receiving processing module.

TELEPERM XS is employed for new and upgraded safety I&C systems, utilizing its features for a powerful, scalable and flexible, yet cost-effective application.

The use of digital technology in safety I&C systems has raised licensing issues. With respect to the design, qualification and assessment of hardware, proven methodologies are available. Requirements from IEC 61226, IEC 61513 and IEC 60987 result in a system design that meets the single failure criterion, using adequate redundancy of separated channels and qualified and proven hardware components. In conjunction with sufficiently low fault rates, this ensures a tolerably low probability of system failure on demand (e.g., less than 10⁻⁵).

Adequate assessment of software reliability for safety-related I&C systems is more difficult. An accepted methodology for the qualification of software for digital safety I&C focuses on the assessment of the software design process including verification and validation. Both aspects are fully covered by the qualification and licensing approach chosen for TELEPERM XS, which is based on a two-stage strategy:

1. Generic qualification of the system platform’s hardware components, reusable software and generic system functions

2. Project-specific qualification of the architecture and functions of the engineered I&C system

In this way, the general suitability of the hardware and software components is an assessed feature of TELEPERM XS, and the plant-specific licensing procedure can focus on the functional system design. TELEPERM XS was developed in accordance with IEC 60880 as the software standard, and IEC 60780, IEEE 323 and KTA 3503 as the hardware qualification standards. This outstanding quality significantly reduces plant-specific implementation effort and licensing risks.

This brochure provides an introduction to TELEPERM XS and emphasizes the safety assessment performed by independent experts in Germany and in the US.

Maximum Quality for All Safety I&C Functions

Two-stage Qualification Strategy: Project-related Licensing Minimized

Page 4

The TELEPERM XS System Platform

Figure 1: Components of the TELEPERM XS system platform


Platform Components

This section describes essential features of TELEPERM XS that form the basis for system qualification.

The TELEPERM XS system platform is a perfectly interacting set of hardware and software components consistently orientated to the needs of safety I&C in nuclear power plants. Particular importance is attached to design measures ensuring robustness and to methods and procedures for fault prevention and failure tolerance.

The TELEPERM XS system platform comprises:

• Hardware components with proven reliability

• System software components designed with deterministic execution of I&C functions in mind

• The SPACE engineering tool set, which eases system configuration and application software creation in line with all relevant design principles

• Service and monitoring tools for optimized diagnosis and reduced test effort

In this way, TELEPERM XS meets the requirements of current and future application within a cost-effective framework.

Page 5

Hardware Architecture

Figure 2: Architectural example of a safety I&C system based on TELEPERM XS

I&C systems with TELEPERM XS are typically implemented as distributed computer systems.

Essential keys to an economical system architecture are its flexibility and modularity, which make it possible to tailor I&C systems to the specific safety and functional requirements of the plant on an individual basis. Only those components really required to fulfill the tasks are implemented and, if desired, the system can effortlessly be extended to add further functions in the future.

Figure 2 shows a sketch of an architecture example of a four-fold redundant system.

Four independent data acquisition and function computers (I-IV) read the signals from the process and exchange the redundant information on the process signals. Each function computer performs online signal validation by majority voting (typically 2-out-of-4 for binary signals and 2nd minimum / 2nd maximum selection for analog signals). Fault masking features prevent invalid signals from further processing and improve the availability of the safety I&C functions.

The function computers operate independently from each other, and are not affected by failures of communication links or of other function computers.

The output signals of the safety I&C functions are distributed to the voters (A, B). A voter consists of two separate computers (voter sub-units). Each sub-unit is equipped with two processing modules (CPUs) operating as a master/checker pair. The master CPU and the checker CPU independently validate the signals from the upstream level by 2-out-of-4 voting. Each sub-unit outputs actuation signals provided that its master CPU and checker CPU both calculated the same results (2-out-of-2). Should a discrepancy occur (single failure), actuation signal output is inhibited and the signal level is set to low. In this case the second sub-unit ensures the correct reaction of the safety I&C system.

The monitoring and service interface (MSI) ensures isolation against any interference from non-safety-classified devices like the service unit or the plant computer. MSI computers are based on the same hardware and software as the computers in the initiation trains.
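The signal validation scheme described above (2-out-of-4 majority voting for binary signals, 2nd minimum / 2nd maximum selection for analog signals, and the master/checker 2-out-of-2 comparison in a voter sub-unit), as an added example in C that is not part of the brochure or of the TELEPERM XS system software. The data types, the validity flag carried by each redundant input and all function names are assumptions made here for illustration.

```c
/* Added example, not AREVA's code: the signal validation scheme described
 * above, modelled in plain C.  Assumption: every redundant input carries a
 * validity flag set by the receiving CPU's input checks, so that fault
 * masking can exclude it from voting; names and types are mine. */
#include <stdbool.h>
#include <stddef.h>

#define TRAINS 4  /* four-fold redundant system (function computers I-IV) */

typedef struct {
    bool valid;   /* false: fault masking excludes this input from voting */
    bool value;   /* binary signal state */
} bin_signal_t;

typedef struct {
    bool  valid;
    float value;
} ana_signal_t;

/* 2-out-of-4 majority voting for a binary signal.  Invalid inputs are
 * masked out: they neither support nor block the vote.  Returns true when
 * at least two valid redundant inputs are set. */
bool vote_2oo4(const bin_signal_t in[TRAINS])
{
    int set = 0;
    for (size_t i = 0; i < TRAINS; i++) {
        if (in[i].valid && in[i].value) {
            set++;
        }
    }
    return set >= 2;
}

/* Second-minimum selection for an analog signal.  A single faulty channel
 * reading too low becomes the minimum and is skipped; one reading too high
 * becomes the maximum and never reaches the 2nd position.  Writes the
 * selected value to *out; returns false when fewer than two valid inputs
 * remain, because the result could then no longer be trusted. */
bool select_2nd_min(const ana_signal_t in[TRAINS], float *out)
{
    float  vals[TRAINS];       /* static size, no heap: bounded loops only */
    size_t n = 0;
    for (size_t i = 0; i < TRAINS; i++) {
        if (in[i].valid) {
            vals[n++] = in[i].value;
        }
    }
    if (n < 2) {
        return false;
    }
    for (size_t i = 1; i < n; i++) {      /* insertion sort, ascending */
        float  key = vals[i];
        size_t j   = i;
        while (j > 0 && vals[j - 1] > key) {
            vals[j] = vals[j - 1];
            j--;
        }
        vals[j] = key;
    }
    *out = vals[1];
    return true;
}

/* Second-maximum selection: the mirror image of select_2nd_min. */
bool select_2nd_max(const ana_signal_t in[TRAINS], float *out)
{
    ana_signal_t neg[TRAINS];
    float        tmp;
    for (size_t i = 0; i < TRAINS; i++) {
        neg[i].valid = in[i].valid;
        neg[i].value = -in[i].value;
    }
    if (!select_2nd_min(neg, &tmp)) {
        return false;
    }
    *out = -tmp;
    return true;
}

/* One voter sub-unit: master and checker CPU each vote 2-out-of-4 on the
 * upstream signals independently; the actuation signal is output only when
 * both obtained the same result (2-out-of-2).  On a discrepancy the output
 * is inhibited and the signal level set to low (fail-safe); the second
 * sub-unit of the voter then carries the actuation. */
bool voter_subunit(const bin_signal_t master_in[TRAINS],
                   const bin_signal_t checker_in[TRAINS])
{
    bool master  = vote_2oo4(master_in);
    bool checker = vote_2oo4(checker_in);
    return (master == checker) ? master : false;
}
```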

Page 6



Software Architecture

To meet the stringent reliability and quality demands for software in safety systems of nuclear power plants, the TELEPERM XS software:

• Avoids system errors through a modular system with simple, thoroughly tested components

• Avoids design errors by enforcing a clear design process with a phased structure including verification and validation steps

• Operates the application functions in a deterministic way

• Identifies and copes with system failures using self-monitoring and fault handling routines

This guarantees the high quality required for use in safety applications.

The software running on the processing modules (CPUs) is subdivided into:

• A common qualified system software

The TELEPERM XS system software consists of a set of qualified modules, which are part of all implemented systems. It makes the application software run on the distributed computer system and provides a standard function block library.

• An individual application software

The application software implements the specific I&C functions. It is engineered in a graphical manner as function diagrams by selecting and connecting pre-developed function blocks from the library.

Qualified code generators automatically generate the entire application source code (function diagram modules and generic interface) for each CPU from this specification. There are no manual modifications or additions to this code. The code is then validated and finally linked to the system software. The final result is the runtime architecture as shown in Figure 3.

The application functions are controlled by the runtime environment (RTE) and are completely separated from the operating system software and services. This independence is a key feature for configuration management and the maintenance of the system platform and allows, for example, to integrate new hardware components (processing modules, I/O modules, etc.) without affecting the application software functions.

* IEC International Electrical Commission
IEEE Institute of Electrical and Electronics Engineers
KTA Kerntechnischer Ausschuss (Nuclear Safety Standards Commission, Germany)

Page 7


Cyclic Operation

Each processing module (CPU) of a distributed I&C system operates cyclically with a fixed engineered cycle time. The time behavior of all functions on application level is a multiple of the complete processing cycle.

Figure 3: Layered software structure on a processing module

No Real Time Clock

The cycle time is controlled individually on each CPU. A hardware timer pulse occurring every millisecond is used as the time basis for all time-dependent application functions. In order to prevent any interference of the cyclic function processing with any calendar dates or clock-based events, no real-time clock is used in the system.

A typical cycle takes 50 ms, but can be specified rather flexibly between 10 and some hundred milliseconds depending on process requirements. A cycle counter is individually handled by each CPU and is incremented every processing cycle. The processing cycles of the CPUs are not synchronized (except for master and checker in a voter). This prevents any time-related common mode failures in the system.

No Process Related Interrupts

As a basic design principle of TELEPERM XS, process dependent interrupts are not possible. This feature avoids adverse effects which could be triggered by unfavorable input signal trajectories. During runtime, the application cycle task of a CPU is only interrupted by the hardware timer pulse.

Furthermore, if a failure of the CPU occurs, any possible exceptions are identified and addressed by the exception handler. The exception handler is a special system software component that reacts to faults with a reset or shutdown of the processor.

Static Memory Allocation

All memory resources of the application software are defined during code generation. Data buffers are allocated statically in the generated code and each data buffer is used for one purpose only.

The principle of a strictly static allocation is also applied for all types of resources under control of the operating system software. They are all allocated during system start-up. By this principle, deadlock situations resulting from depletion of resources are prevented.

Page 8



Processing the Application Software

At start-up each CPU executes an initialization routine. After successfully passing comprehensive self-tests, it is switched to normal status, commencing cyclic operation. Figure 4 illustrates the standard processing cycle on a CPU with one function diagram group (FDG) assigned to it. The individual I&C functions are implemented as function diagram (FD) modules, which are called by the FDG module. Each cycle comprises eight phases, which are sequentially started by the runtime environment (RTE). During normal operation, the complete set of I&C functions is executed in each cycle without being affected by system routines.

Phase 1 – Read Input Data

The input signals are sampled from the input modules assigned to the CPU. In a second step all data messages that have been received since Phase 1 of the last processing cycle are transferred to input buffers.

Phase 2 – Input Checks of Messages

The integrity of all messages transferred between CPUs is checked for individual bit errors by means of Cyclic Redundancy Check (CRC) checksums and for message losses by means of sequence increments. Incorrectly transferred messages and even old messages are marked as invalid.

Phase 3 – FDG Input Function

The FDG Input Function prepares processing on the application software level. The individual signals inside the message input buffers and data input buffers of the RTE are copied to the signal buffer memory of the FDG.

Phase 4 – FDG Computation Function

During this phase, the function diagram (FD) modules are processed. All I&C functions are implemented by a linear and unconditional sequence of function block module calls within the processing cycle of the FDG. The call sequence strictly follows the signal flow from input to output. Data hand-over between the function blocks is also implemented in the generated code and performed without copying as far as possible. In order to prevent interference due to communication failures, signals received via communication channels are first validated on FD module level before the algorithms are processed. This process is performed to handle missing or faulty information, so that the results of FD module processing are correct in spite of any kind of faulty information originating from outside the concerned CPU. During FD module processing (“A” through “E” in Figure 4), all results are stored in a dedicated signal buffer memory.

Phase 5 – FDG Output Function

This step of application software processing makes the results available to data structures of new output messages for transmission over the network or for output to output modules as appropriate.

Phase 6 – Prepare Output Messages

The RTE adds the message header and frame to the message data, including the CRC checksum and the cycle counter reading, and stores the messages in the output message buffers.

Phase 7 – Write Output Data

The last application-specific activity of the RTE within the processing cycle is to put the new signals on the output modules and to transfer the output messages from the output buffers to the dual-port RAMs of the assigned communication modules.

Phase 8 – Self-test and Service Tasks

In this phase the self-test and service tasks are executed. They are described in more detail in the following sections.
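The Phase 2 input checks and the Phase 6 message sealing, as an added example in C that is not the brochure's or AREVA's code. The frame layout, the CRC-16/CCITT-FALSE polynomial, the use of the sender's cycle counter reading as the sequence number and the MAX_AGE limit for message age monitoring are assumptions made here; the brochure does not specify them.

```c
/* Added example, not AREVA's code: Phase 2 input checks (CRC, sequence
 * increment, message age) and Phase 6 sealing of an outgoing message.
 * Assumptions of my own: CRC-16/CCITT-FALSE over header and payload, the
 * sender's cycle counter as sequence number, MAX_AGE receiver cycles. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_LEN 8      /* fixed engineered message length */
#define MAX_AGE     3      /* receiver cycles without a fresh message */
#define HDR_LEN     6      /* channel (2 bytes) + cycle counter (4 bytes) */

typedef struct {
    uint16_t channel;              /* logical communication channel */
    uint32_t cycle;                /* sender's cycle counter reading */
    uint8_t  data[PAYLOAD_LEN];
    uint16_t crc;                  /* over channel, cycle and data */
} message_t;

/* Receiver-side state for one logical channel, statically allocated:
 * one such buffer per message path, never shared. */
typedef struct {
    uint32_t last_cycle;           /* counter of the last accepted message */
    bool     have_last;
    uint32_t age;                  /* receiver cycles since last acceptance */
    bool     valid;                /* buf may be used by the FDG */
    uint8_t  buf[PAYLOAD_LEN];
} channel_t;

uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)p[i] << 8);
        for (int b = 0; b < 8; b++) {
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
        }
    }
    return crc;
}

/* Serialise header and payload big-endian into a fixed buffer so that
 * sender and receiver compute the CRC over identical bytes regardless of
 * struct padding or host byte order. */
static size_t frame_bytes(const message_t *m, uint8_t out[HDR_LEN + PAYLOAD_LEN])
{
    out[0] = (uint8_t)(m->channel >> 8); out[1] = (uint8_t)m->channel;
    out[2] = (uint8_t)(m->cycle >> 24);  out[3] = (uint8_t)(m->cycle >> 16);
    out[4] = (uint8_t)(m->cycle >> 8);   out[5] = (uint8_t)m->cycle;
    memcpy(out + HDR_LEN, m->data, PAYLOAD_LEN);
    return HDR_LEN + PAYLOAD_LEN;
}

/* Phase 6 on the sending CPU: header and cycle counter are already set,
 * the CRC is appended. */
void seal_message(message_t *m)
{
    uint8_t raw[HDR_LEN + PAYLOAD_LEN];
    size_t  n = frame_bytes(m, raw);
    m->crc = crc16_ccitt(raw, n);
}

typedef enum { MSG_OK, MSG_CRC_ERROR, MSG_STALE } msg_status_t;

/* Phase 2 on the receiving CPU: a message is taken over into the channel
 * buffer only if its CRC matches and its cycle counter has advanced beyond
 * the last accepted one.  Corrupted and old (repeated or reordered)
 * messages are rejected and leave the buffer untouched. */
msg_status_t check_message(channel_t *ch, const message_t *m)
{
    uint8_t raw[HDR_LEN + PAYLOAD_LEN];
    size_t  n = frame_bytes(m, raw);
    if (crc16_ccitt(raw, n) != m->crc) {
        return MSG_CRC_ERROR;
    }
    if (ch->have_last && m->cycle <= ch->last_cycle) {
        return MSG_STALE;
    }
    ch->last_cycle = m->cycle;
    ch->have_last  = true;
    ch->age        = 0;
    ch->valid      = true;
    memcpy(ch->buf, m->data, PAYLOAD_LEN);
    return MSG_OK;
}

/* Message age monitoring, called once per receiver cycle: if no fresh
 * valid message has arrived for more than MAX_AGE cycles, the channel data
 * are marked invalid so that downstream signal validation masks them out. */
void channel_tick(channel_t *ch)
{
    if (ch->age < UINT32_MAX) {
        ch->age++;
    }
    if (ch->age > MAX_AGE) {
        ch->valid = false;
    }
}
```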

Page 9

Figure 4: The processing cycle during normal operation


Self-tests

The self-tests are an endless loop of CPU hardware tests (processor, memory, system controller, watchdog, etc.) performed in a background process independent of the application processing cycle. The entire test sequence is generally completely executed at least once within one hour. When this is not possible, e.g. due to service activities, an error message is sent to the service unit.

In addition to these background tests, further comprehensive self-monitoring activities are implemented as part of application processing (e.g., input data validation, communication monitoring).

Service and Diagnosis

Errors detected by self-monitoring are automatically indicated at the service unit. The service unit is the user interface to the I&C system and offers the I&C technician the complete range of service and diagnostic functions. All CPUs can be reached in this way.

During execution of all standard service functions like reading and acknowledgement of system messages, signal data tracing or online modification of operation parameters, strictly cyclic processing is continuously ensured. Service commands received by a CPU are checked for data consistency, for syntactical accuracy and for the proper permission granted by the release logic before execution. An interruption of cyclic processing on the related CPU is only required for detailed diagnosis and software modification. If such service functions are requested, the operation mode of the CPU first has to be changed to a special diagnostic mode. As a consequence, all data messages sent by the CPU are marked as “Faulty” and are ignored in all receiving CPUs.

It is ensured that processing in only one of the redundant initiation trains of the safety I&C system can be influenced via the service unit at a time. This is achieved by the hardwired release logic (e.g., by use of key switches) that provides individual release signals to the CPUs of each train.

Page 10



Communication

The communication methods applied to ensure interference-free communication within the TELEPERM XS system, as well as to external systems, such as to the plant computer system (see Figure 2), are described in this section. The cyclic operation principle described in the previous section (see Figure 4) is the basis for interference-free communication.

Dual-port Memory for Computer Internal Communication

TELEPERM XS function computers consist of one or more processing modules (CPUs) in a subrack. Communication between CPUs of the same function computer is executed via the backplane bus by means of dual-port memory access. Sending a message to another CPU means writing a data frame via the backplane bus into the dual-port communication RAM located on the receiver CPU. On the receiver side, incoming messages are read locally from the communication RAM without accessing the backplane bus.

LAN Communication

Between CPUs in different subracks, to the service unit and to gateways connecting external systems, data are transmitted in messages via serial buses. Dedicated communication modules are used to control LAN access. All CPU activities for message transmission are integrated into cyclic processing and always performed in the following sequence:

• The sending CPU prepares the output message and writes it into the dual-port RAM of the communication module (phases 6 and 7 of the processing cycle).

• The message is transmitted via the network to the communication module of the destination system in accordance with the protocol used.

• The receiving communication module transmits the message to the dual-port RAM of the receiving CPU.

• The receiving CPU reads the message and checks data integrity (phases 1 and 2 of the processing cycle). It is not notified of any new messages but polls the dual-port memory in each cycle to check for new messages.

All messages are sent and received without any dependencies on plant transients, with a designed fixed message length and a constant transmission cycle. A distinct logical communication channel is allocated for each message path on the LAN. This approach assures a constant bus load.

Page 11


Interference-free Communication between Redundant Trains

Communication between the redundant initiation trains is interference-free. If one of the redundant computers or the communication link between two computers fails, the available trains will continue to operate as designed on the basis of the remaining information.

This is ensured by the following characteristics:

• Application of a fiber optic transmission medium to limit the propagation of electromagnetic interference or overvoltage

• Individual memories (dual-port RAM buffers) for each message, ensuring the separation of the data flow for sending and receiving

• Cyclic processing of all application functions (message transmission included) without any possibility of influencing the linked communication systems (independent control flow of communication modules and processing modules)

• Checks on the received messages, whether the transmission has been performed with valid message data (message header and CRC checksum checks, message age monitoring)

• Input data voting as a principle to generally provide valid input data for function diagram module processing

Protection against Interference from other Systems

Communication from the initiation trains of the safety I&C system to the plant information system is implemented via the monitoring and service interface (MSI), which serves as the qualified isolation means, and a gateway computer, which serves as a communication bridge. The communication link is typically used only unidirectionally, by data messages that are sent to the plant information system or other external systems.

Page 12

Generic Platform Qualification

The TELEPERM XS system platform has first undergone a generic qualification, based on type testing, verification and validation according to German and international nuclear standards. Subsequently, AREVA has successfully performed a generic approval process with the U.S. Nuclear Regulatory Commission (NRC).

Generic Qualification of the Platform Components

In Germany, third party product verification plays an important role in nuclear licensing. Typically, the German reactor safety association GRS* or a TUEV** organization is involved as the third party.

For each type of component of the system platform, the third party approves all safety-related properties on both a theoretical and a practical basis independently of a specific application. This includes aspects such as functional behavior, robustness against environmental conditions, failure rates, testability and maintainability as specified in the data sheet for the component. After approval, components of this type can be assumed to fulfill these properties when used in a safety system.

The qualification was partly performed as an assessment in parallel to the development of the system platform, and partly as an assessment of the TELEPERM XS platform components. The concept is illustrated in Figure 5. The qualification activities also include the evaluation of the component manufacturing process and the quality assurance (QA) system of the manufacturer.

All TELEPERM XS hardware components have been qualified according to a nuclear grade test and inspection program, in line with KTA 3503, IEC 60780, IEEE 323 and EPRI*** TR-107330 standards. The results of qualification are documented in test and inspection reports, and summarized in certificates issued by independent assessors according to German practice. They are available on request and can be used in all licensing processes.

Although generic qualification was invented for hardware components, the basic idea of component-related qualification can also be applied to reusable software components. If there is a clearly structured software architecture of well-defined modules with proper interfaces, each of these modules can be tested and verified by a third party as a reusable component independent of a specific application.

Software qualification focuses on aspects critical for ensuring software quality like defensive programming and a structured and reviewable development process including verification and validation. All safety-related software components of the system platform have been qualified in this manner.

TELEPERM XS supports the creation of application software for safety systems of virtually any structure by composing them from pre-existing function blocks provided in the form of a library without modifications. This allows the safety features of the I&C functionality to be evaluated mainly at the application software level.

With the help of the SPACE engineering tools, the application software for the safety I&C system is completely specified in graphical form. Qualified automatic code generators generate the application software including the configuration data for the system software from the graphical specification. The result is a composition of interconnected pre-existing, qualified software components with defined interfaces to each other and to the system software. This reduces the risk of errors during the software assembly phase to a minimum.

In conclusion, generic platform qualification reduces the scope of qualification activities related to particular safety applications and forms a sound basis for customer project execution and licensing with minimal risks for the project schedule.

* GRS Gesellschaft für Reaktorsicherheit, Germany
** TUEV Technical Inspection Agency, Germany
*** EPRI Electrical Power Research Institute

Page 13


Figure 5: Qualification concept for TELEPERM XS

Generic Integration and System Test

The generic qualification of the initial development of TELEPERM XS was completed by a generic integration and system test on a TELEPERM XS system with a representative architecture and functionality.

The system was designed with the help of the SPACE tools and the application software generated using the automatic code generators. The goal of this test was to verify the safety-related features of I&C systems that are based on platform features. The tested features include both the correct interaction of the individually qualified hardware and software components and typical features of safety I&C systems, such as failure detection or fail-safe behavior. The test program was agreed with the independent assessors. They also supervised the execution of the tests, performed by AREVA.

The results of the generic integration and system test are summarized in an evaluation report which confirms the following key properties of TELEPERM XS:

• The qualified hardware and software components cooperate as specified.

• The application software generated by the SPACE tools works as specified.

• There is no interaction among independent safety functions, even if they are processed on the same processing module.

• The response time of a safety function is within the limits expected from calculations during the system design phase.

• The system is testable and maintainable, and works correctly during periodic tests and start-up as well.

• The fault propagation barriers are effective.

• The fault tolerant features and the fail-safe features work correctly.

• Failures are detected corresponding to the implemented monitoring mechanisms and are signaled as specified.

With the further development of TELEPERM XS, every evolution of hardware and software components and their compliance with the overall system platform features is verified in dedicated integration and system tests which carry forward the validity of the initial test results.

Page 14



Deterministic system behavior is confi rmed by the “Generic Integration and System Test” and is summarized in the certifi cate by the independent assessors of GRS/ISTec* and TUEV** Nord. Notably it is stated:

Processing and communication cycle times are not influenced by external process states (measured signals, amount of alarms and monitored information).”

Mutually independent I&C functions are processed as specifi ed according to their chronological order and their input signals.”

The system behavior with respect to I&C functionality is entirely defi ned by the application software.”

Confi rmation of Deterministic System Behavior

In a comparable way, deterministic system behavior is confi rmed as a result of the safety evaluation performed by the U.S. NRC***:

The design principle for software of Class 1E systems is to ensure that the sequence of processing executed for each expected situation can be deter-ministically established. It discourages the use of non-deterministic data com-munications, non-deterministic compu-tations, multitasking, dynamic schedul-ing, use of nondeterministic interrupts and event driven designs.

... Based on its review, the staff determines that the design of the TELEPERM XS system satisfi es this design principle for Class 1E system software.”

* ISTec Institute for Safety Technology, Germany

** TUEV Technical Inspection Agency, Germany

*** NRC U.S. Nuclear Regulatory Commission

For I&C systems based on the TELEPERM XS system platform, deterministic system behavior is inherent in the platform architecture. This is supplemented by design measures engineered during system specification in compliance with the platform procedures, for example:

• The time constants of input transients are larger than twice the engineered cycle times of the processing modules (sampling theorem).
• Propagation of faulty data is restricted by online signal validation.
• Sufficient redundancy is designed to address the applicable fault postulates, such as single failure, maintenance, and internal hazard.
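A small model of these design measures, added here as an illustration and not TELEPERM XS code: a statically scheduled fixed-cycle processor whose work per cycle does not depend on process state, with online signal validation and the sampling-theorem design check from the list above. The sensor tags, ranges and trip limits are constructed values.

```python
"""Fixed-cycle, statically scheduled I&C processor model (added illustration,
not TELEPERM XS code): fixed processing order, no event- or interrupt-driven
work, per-cycle work independent of process state, online signal validation
and the sampling-theorem design check. All names and values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Signal:
    value: float
    valid: bool  # set by online signal validation and carried with the value


def validate(raw: float, lo: float, hi: float) -> Signal:
    """Online signal validation: a reading outside the sensor's plausible
    range is flagged invalid so a faulty value cannot propagate as good data."""
    return Signal(raw, lo <= raw <= hi)


def sampling_check(transient_time_constant_s: float, cycle_time_s: float) -> bool:
    """Design-phase check from the text: the time constant of an input transient
    must exceed twice the engineered cycle time of the processing module."""
    return transient_time_constant_s > 2.0 * cycle_time_s


def limit_trip(inputs: Dict[str, Signal], tag: str, limit: float) -> bool:
    """High-limit check. An invalid input counts as a trip demand (constructed
    conservative convention for this example, not a TELEPERM XS rule)."""
    sig = inputs[tag]
    return (not sig.valid) or sig.value > limit


class CyclicProcessor:
    """Evaluates a fixed list of I&C functions once per cycle, in the order
    fixed at engineering time. Nothing is skipped, queued or triggered by an
    event, so the number of evaluations per cycle never depends on inputs."""
    def __init__(self, functions: List[Tuple[str, Callable]]):
        self.functions = functions

    def cycle(self, inputs: Dict[str, Signal]) -> Tuple[Dict[str, bool], int]:
        results = {name: fn(inputs) for name, fn in self.functions}
        return results, len(self.functions)  # evaluations performed this cycle


# Constructed configuration: two independent trip functions on one module.
PROCESSOR = CyclicProcessor([
    ("pressure_high", lambda s: limit_trip(s, "PT001", 160.0)),
    ("temperature_high", lambda s: limit_trip(s, "TE002", 330.0)),
])


def sample_inputs(pt: float, te: float) -> Dict[str, Signal]:
    """Inputs sampled once at cycle start (constructed sensor ranges)."""
    return {"PT001": validate(pt, 0.0, 200.0), "TE002": validate(te, 0.0, 400.0)}
```

Running a quiet cycle and an all-alarms cycle through `PROCESSOR.cycle` yields the same evaluation count, which is the property the assessors' statement on cycle times expresses.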


Maintaining the Qualified Status

With innovation cycles in the computer and automation industry becoming ever shorter, maintaining an I&C system over decades has become a real challenge. AREVA faces this challenge with a forward-looking life-cycle management for the TELEPERM XS system platform.

Our goal is not only to have compatible components available as spare parts over the entire lifetime of implemented I&C systems but also to always provide our customers with innovative technology.

To achieve this, we have developed a long-term product strategy and combined it with a sound configuration management that controls further development and ensures that hardware and software components fulfill compatibility requirements. All system features important to safety which have been qualified and documented as input for the design of I&C systems are kept valid.

Independent assessors such as GRS or TUEV are involved to verify changes and new components.

In this way, qualification of the system platform is retained, and safe and reliable operation of TELEPERM XS I&C systems is ensured over their entire service life.

Details including a description of the software development process, as well as the change and release procedures, are a fixed part of AREVA’s quality assurance system.

The department that performed the initial development of TELEPERM XS is also responsible for maintaining the qualified status for the platform.

Figure 6: TELEPERM XS Hardware qualification

U.S. NRC Safety Evaluation

TELEPERM XS became the first digital safety I&C platform to receive a generic approval from the Nuclear Regulatory Commission (NRC) using the rigorous regulations and guidance that were published in 1997. Based on the generic TELEPERM XS safety evaluation report, a first plant in the U.S., Oconee, has now obtained a license to install an integrated digital reactor protection and engineered safeguard protection system. This section discusses the licensing of safety I&C systems based on TELEPERM XS by the NRC in the United States.

Generic Assessment

On May 5, 2000 the NRC issued a Safety Evaluation Report (SER) on AREVA’s (formerly Siemens Power Corporation) Topical Report EMF-2110 (NP), Revision 1, “TELEPERM XS: A Digital Reactor Protection System”. The NRC staff stated that they found this generic Topical Report to be acceptable for referencing in plant-specific license applications. The SER contains no generic open items and only a limited number of plant-specific action items. Subsequent to the SER, AREVA has performed activities to close these plant-specific action items on a generic basis to the extent possible.

The TELEPERM XS SER was the first review performed under the digital update to the Standard Review Plan (SRP), NUREG-0800. This update consists of a revision to the SRP Chapter 7, Instrumentation and Control, which incorporates six new regulatory guides endorsing IEEE standards on software quality, new Branch Technical Positions addressing review aspects of digital systems, and new sections in Chapter 7 on diverse I&C systems and data communication systems. Also included are references to NRC endorsement of key EPRI Topical Reports (TR) dealing with specific topics of concern in digital I&C systems, including EPRI TR-102348 on digital system upgrades, TR-102323-R1 on electromagnetic interference protection and TR-107330 on generic requirements for PLC safety-related applications.

This SRP framework sets out an acceptable approach to implementation of digital I&C systems such as TELEPERM XS. There are also twenty NRC technical reports that provide background and support for the NRC regulations and guidance and cover such digital I&C issues as: diversity analysis, software reliability and safety, environmental effects, programming languages, human-system interface, and software verification and validation. The NRC invested considerable resources on the revision to the SRP to ensure that safety digital platforms and systems would possess the necessary software quality, defense-in-depth, diversity and all other required attributes.

In this first review under the updated review criteria, the NRC performed a thorough assessment of all relevant licensing topics which were addressed in the TELEPERM XS Topical Report, such as:

• The software design process
• Performance requirements
• Hardware requirements
• Configuration management
• Surveillance testing
• Human/machine interface
• EMI/RFI compatibility with environment
• Seismic qualification
• Environmental qualification
• Diversity and defense-in-depth


An important element that aided in the success of the NRC review was the involvement of an independent third party during the prior qualification phase in Germany. This went beyond NRC requirements in this area and was one reason for the limited number of plant-specific action items.

The NRC has not only unequivocally accepted the operating system, but also the SPACE engineering tools used to develop the application software and the state-of-the-art automatic test and diagnostic features that allow the user to determine system health and status. Finally, the generic approval of the Diversity and Defense-in-Depth methodology provides a much-needed path to aid plants in resolving this issue.

Plant-specific Assessment

AREVA references the TELEPERM XS Topical Report and the SER in license submittals to the NRC for the US-EPR. This allows minimizing the extent of EPR-specific submittals and topical reports concerning safety I&C to plant-specific items, and ensures acceptance of the generic system properties of TELEPERM XS in the course of the NRC review.

Figure 7: Safety assessment of TELEPERM XS by U.S. NRC

Not only for new plant projects but also for I&C modernization projects, utilities can take advantage of pre-approved benefits in using TELEPERM XS systems at their plants, including:

• No requirements for periodic testing of installed application and system software
• Extended period for accuracy testing of analog input modules (i.e., can be performed during refueling outages)
• Use of AREVA’s approved Diversity and Defense-in-Depth methodology
• Pre-approved equipment qualification (e.g., seismic, environmental, electromagnetic interference, and radio frequency interference)
• Pre-approved equipment qualification with a minimum of remaining plant-specific tests


Licensing and Operational Experience

Plant-specific Assessment

Plant-specific license applications strongly depend on the national regulatory framework. In all safety I&C applications, modernization projects as well as new plant projects, a key element is the description of the phase model for the engineering, testing, installation and commissioning activities, and specifications of the systems to be implemented.

Typical documentation packages comprise:

• The design process description
• The verification and validation plan
• Suitability assessment of the I&C platform
• Diversity-and-Defence-in-Depth approach
• The overall design concept including description of the system architecture
• Detailed design concepts and specifications, such as:
  - Self-monitoring and alarm concept
  - Periodic test concept, including confirmation of test intervals
  - Specifications for power supply
  - Definition of standard circuits
• Summary reports from verification activities and validation testing

Figure 8: NRC Approval of the Oconee upgrade with TELEPERM XS

February 1, 2010

The Nuclear Regulatory Commission staff has approved a license amendment request from Duke Energy Carolinas to install an up-to-date computer upgrade of major safety-related systems at the Oconee Nuclear Station, located about 30 miles west of Greenville, South Carolina.

The amended Oconee license gives Duke permission to replace 1970s-era analog, solid-state controls for the plant’s Reactor Protection System (RPS) and Engineered Safeguard Protection System (ESPS). Duke will install TELEPERM XS (TXS) digital computer-based equipment.

This marks the first NRC approval for a nuclear power plant’s integrated digital RPS and ESPS instrumentation and control system.

NRC News No. 10-21


In preparing these licensing documents and design concepts, designers and utilities can strongly rely on the results and documentation obtained during the development and generic qualification of TELEPERM XS.

Documentation and data have been obtained during all development phases to ensure that verifiable files exist, and that quality assurance program requirements are met.

Approval of Critical Items

The critical items of software design process, system software interactions, self-diagnostics, automatic code-generation tools, and surveillance-test methodology were fully approved by the NRC without comments or restrictions, and have also been approved in many other countries.

Due to the successfully applied licensing strategy, utilities are now able to apply these beneficial features for their projects – in the most expedient and acceptable manner with a minimal licensing impact at the lowest possible cost.

Experience

Today, 39 nuclear power plants world-wide already operate with TELEPERM XS digital-based systems. From these implementations, AREVA has experience with licensing in Argentina, Bulgaria, China, Finland, Germany, Hungary, Slovakia, Sweden, Switzerland and the US (see figure 8). Licensing processes in France, Finland and China for EPR projects are in an advanced state.

Operating experience with the hardware and software components from TELEPERM XS applications is analyzed systematically and taken into consideration in the change process. For the hardware, excellent reliability figures have been gained.

Oconee, U.S.

Olkiluoto, Finland


Interested in further details or is there anything else that AREVA can do for you?

Please contact your regional sales manager or

AREVA NP SAS
I&C and Electrical Systems
Tour Areva
92084 Paris La Défense Cedex
France
email: I&[email protected]

AREVA NP GmbH
I&C and Electrical Systems
Paul-Gossen-Strasse 100
91052 Erlangen
Germany
email: I&[email protected]

AREVA NP Inc.
I&C and Electrical Systems
7207 IBM Drive
Charlotte, NC 28262
U.S.A.
email: I&[email protected]

It is forbidden to reproduce the present publication in its entirety or partially in whatever form without prior consent. Legal action may be taken against any infringer and/or any person breaching the aforementioned prohibitions. Subject to change and error without notice. Illustrations could be similar. The statements and information in this brochure are for advertising purpose only and do not constitute an offer of contract. They shall neither be construed as a guarantee of quality or durability, nor as warranties of merchantability and fitness for a particular purpose. These statements are based on information that was available to us at the date of publication. Only the content of the individual contracts shall be authoritative for type, quantity and properties of goods and services.

AREVA supplies solutions for power generation with less carbon. Its expertise and unwavering insistence on safety, security, transparency and ethics are setting the standard, and its responsible development is anchored in a process of continuous improvement.

Ranked first in the global nuclear power industry, AREVA’s unique integrated offering to utilities covers every stage of the fuel cycle, nuclear reactor design and construction, and related services. The group is also expanding its operations to renewable energies – wind, solar, bioenergies, hydrogen and storage – to be one of the leaders in this sector worldwide.

With these two major offers, AREVA’s 48,000 employees are helping to supply ever safer, cleaner and more economical energy to the greatest number of people.

www.areva.com

Published by and copyright (2012): AREVA NP GmbH – Paul-Gossen-Strasse 100 – 91052 Erlangen – Germany, www.areva.com