# **TRN Module Summary Description**

### 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: TRN module
- (2) Module Number: HNS0531
- (3) Unit and application to be used

LPRM/APRM, LPRM, FLOW, SRNM Units for BWR-2, 3, 4, 5 and 6 Application

OPRM, LPRM, APRM, SRNM, DTF-RPS, DTF-MSIV, DTF-MSIV-S, TLF-RPS, TLF-MSIV, SPTM, SPTM-S Units for ABWR Application

(4) Number of FPGA on the module: Six

## 2 Functional Summary

The TRN module has two data processing trains. Each train collects data from other modules mounted in the same unit, generates a data frame in a fixed format by multiplexing the collected data, and transmits the data frame to external equipment over fiber optic links and to other modules in the same unit. When installed in the LPRM/APRM unit, the TRN module receives the data frame from the APRM module in the same unit and transmits that data frame over the fiber optic links instead of the data frame generated in the TRN module.

## 3 Module Description

### 3.1 Module Front Panel

Figure 1 shows the front panel of the TRN module.

### 3.2 Inputs and Outputs

The TRN module has the following inputs and outputs.

#### 3.2.1 Inputs

(1) Input signals via process input and output modules

N/A

(2) Input signals via communication modules

N/A

(3) Others to be noted

The TRN module has two data processing trains, A and B, that receive the same input data through point-to-point serial communication links in the backplane. The TRN module has the following two data collecting functions:

(a) Collect individual digital data from modules. Up to 16 digital data items are collected. The digital data typically come from modules equipped with an analog-to-digital converter, such as the LPRM or SQ-ROOT module.

(b) Receive data frames from a module that transmits more than one data item, such as the APRM module. The data frame has a fixed data format that multiplexes 46 data items, each 16 bits long.

#### 3.2.2 Outputs

(1) Output signals via process input and output modules

N/A

(2) Outputs via communication modules

Each data processing train transmits data frames containing collected data items through two identical optical transmitters. Note that the TRN module implements no handshaking with the receiver.

(3) Others to be noted

Each data processing train transmits data frames containing the data collected using function (a) in Section 3.2.1 described above to other modules through the backplane.



Figure 1 The front panel of the TRN module

### 3.3 FPGA functions

Figure 2 shows the functional block diagram of the TRN module. Table 1 lists the functions of each FPGA.

MEM-JHS-000105 Rev.1



### 3.4 Self Diagnosis

Watchdog timers in each data processing train monitor the operation of the FPGAs. The TRN module shows the results of the monitoring on the front panel.


Revisions

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb.13, 2013 | | First Issue | K.Wakita<br>Feb.13,2013 | T.Tarumi<br>Feb.13,2013 | H.Ito<br>Feb.13,2013 | H.Ito<br>Feb.13,2013 |
| (1) | 3 | Descriptions on communication were improved.<br>Figure number was changed from 3-1 to 1.<br>Figure number was changed from 3-2 to 2.<br>Table number was changed from 3-1 to 1. | K.Wakita<br>Feb.15,2013 | T.Tarumi<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 |

# RCV Module Summary Description

### 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: RCV module
- (2) Module Number: HNS0541
- (3) Unit and application to be used

LPRM, LPRM/APRM Unit for BWR-2, 3, 4, 5 and 6 Application

OPRM, LPRM, APRM, DTF-RPS, DTF-MSIV, TLF-RPS, TLF-MSIV, SPTM for ABWR Application

(4) Number of FPGA on the module: Eight

## 2 Functional Summary

The RCV module has four independent data processing trains that receive optical signals containing a fixed-format data frame from external equipment and transmit the data frame to other modules mounted in the same unit through point-to-point serial communication links.

## 3 Module Description

### 3.1 Module Front Panel

Figure 1 shows the front panel of the RCV module.

### 3.2 Inputs and Outputs

The RCV module has the following inputs and outputs.

#### 3.2.1 Inputs

(1) Input signals via process input and output modules

N/A

(2) Input signals via communication modules

Four optical input ports.

#### 3.2.2 Outputs

(1) Output signals via process input and output modules

N/A

(2) Outputs via communication modules

N/A

(3) Others to be noted

Each data processing train transmits the data frame to other modules mounted in the same unit through point-to-point serial communication links in the backplane.



Figure 1 The front panel of the RCV module

### 3.3 FPGA functions

Figure 2 shows the functional block diagram of the RCV module. Table 1 lists the functions of each FPGA.

MEM-JHS-000107 Rev.1


Figure 2 Functional Block Diagram of RCV module

Table 1 FPGA functions in the RCV module



Revisions

| PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|
| - | First Issue | K.Wakita<br>Feb.13,2013 | T.Tarumi<br>Feb.13,2013 | H.Ito<br>Feb.13,2013 | H.Ito<br>Feb.13,2013 |
| 1<br>2<br>3 | Descriptions on communication were improved.<br>Figure number was changed from 3-1 to 1.<br>Figure number was changed from 3-2 to 2.<br>Table number was changed from 3-1 to 1.<br>Description on self diagnosis was improved. | K.Wakita<br>Feb.15,2013 | T.Tarumi<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 |

# LVPS Module Summary Description

### 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: LVPS module
- (2) Module Number: HNS500
- (3) Unit and application to be used

LPRM/APRM, LPRM, FLOW, OPRM, SRNM Units for BWR-2, 3, 4, 5 and 6 Application

LPRM, APRM, OPRM, SRNM, DTF-RPS, DTF-MSIV, DTF-MSIV-S, TLF-RPS, TLF-MSIV, SPTM, SPTM-S Units for ABWR Application

(4) Number of FPGA on the module: None

### 2 Functional Summary

The LVPS module is a plug-in type direct current (DC) power supply that is mounted in a unit and supplies DC power to other modules in the same unit through the backplane. Each Toshiba FPGA-based unit mounts two redundant LVPS modules, and either one alone provides sufficient power to operate the unit. The LVPS module monitors the output voltage inside the power supply and generates an alarm signal in case of failure.

### 3 Module Description

#### 3.1 Module Front Panel

Figure 1 shows the front panel of the LVPS module.

#### 3.2 Inputs and Outputs

The LVPS module has the following inputs and outputs.

#### 3.2.1 Inputs

N/A

#### 3.2.2 Outputs

The LVPS module provides a discrete alarm signal, through the backplane, to the module in the same unit that has the status indicator function.



Figure 1 The front panel of the LVPS module

Revisions

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb.8, 2013 | - | First Issue | K.Wakita<br>Feb.8,2013 | T.Tarumi<br>Feb.8,2013 | H.Ito<br>Feb.8,2013 | H.Ito<br>Feb.8,2013 |
| (1)<br>Feb.15, 2013 | 1 | Improve description in Section 2 and 3.<br>Figure number was changed from 3-1 to 1 | K.Wakita<br>Feb.15,2013 | T.Tarumi<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 |

# **AO Module Summary Description**

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: AO module
- (2) Module Numbers: HNS515, HNS516, HNS517, HNS518
- (3) Unit and application to be used

LPRM/APRM, LPRM, FLOW, SRNM Units for BWR-2, 3, 4, 5 and 6 Application

LPRM, APRM, SRNM, SPTM Units for ABWR Application

(4) Number of FPGA on the module: None

## 2 Functional Summary

The AO module provides sixteen 12-bit analog outputs to external equipment. The AO module receives individual digital values from other modules in the same unit through point-to-point copper serial communication links on the backplane. The AO module converts each output's digital data into an analog output value. The model number specifies the output signal voltage range for all of the digital-to-analog converters.

## 3 Module Description

### 3.1 Module Front Panel

Figure 1 shows the front panel of the AO module.

### 3.2 Inputs and Outputs

The AO module has the following inputs and outputs.

#### 3.2.1 Inputs

Sixteen serial digital data values, over sixteen individual copper communication paths.

#### 3.2.2 Outputs

Sixteen single-ended analog voltage output ports of the following voltage ranges. An isolated DC/DC converter provides power to the output ports.

- HNS515: 1 to 5 V
- HNS516: 0 to 1 V
- HNS517: 0 to 5 V
- HNS518: 0 to 160 mV



Figure 1 The front panel of the AO module (HNS515)

Revisions

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb.8, 2013 | - | First Issue | K.Wakita<br>Feb.8,2013 | T.Tarumi<br>Feb.8,2013 | H.Ito<br>Feb.8,2013 | H.Ito<br>Feb.8,2013 |
| (1)<br>Feb.15, 2013 | 1 | Descriptions in Section 2 and 3 were improved.<br>Added information on the communication. | K.Wakita<br>Feb.15,2013 | T.Tarumi<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 |

2E

# **DIO Module Summary Description**

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: DIO module
- (2) Module Number: HNS520
- (3) Unit and application to be used: LPRM/APRM, LPRM, FLOW, SRNM Units for BWR-2, 3, 4, 5 and 6 Application; LPRM, APRM, OPRM, SRNM Units for ABWR Application
- (4) Number of FPGA on the module: None

## 2 Functional Summary

The DIO module samples four discrete inputs from external equipment and drives 16 discrete outputs to external equipment. The received input signals are sent to other modules in the same unit, and the output signals are supplied by other modules in the same unit. The inputs and outputs are provided to the DIO module through the backplane (which Toshiba refers to as a middle plane) on copper point-to-point discrete wiring.

## 3 Module Description

### 3.1 Module Front Panel

Figure 1 shows the front panel of the DIO module.

### 3.2 Inputs and Outputs

The DIO module has the following inputs and outputs.

#### 3.2.1 Inputs

Four discrete 24 VDC input points. All signals share a common ground. The external voltage source is isolated from the backplane through photo couplers.

#### 3.2.2 Outputs

Sixteen discrete contact output points. The sixteen points are grouped in four. Output points in each group share a common ground. Each output point is isolated from the backplane through a photo coupler.



Figure 1 The front panel of the DIO module

REVISIONS

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb.5, 2013 | - | First Issue | K.Wakita<br>Feb.5,2013 | T.Tarumi<br>Feb.5,2013 | H.Ito<br>Feb.5,2013 | H.Ito<br>Feb.5,2013 |
| (1)<br>Feb.15, 2013 | I | Descriptions in Section 2 and 3 were improved.<br>Figure number was changed from 3-1 to 1. | K.Wakita<br>Feb.15,2013 | T.Tarumi<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 |

# **BLANK Module Summary Description**

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: BLANK module
- (2) Module Number: HNS490
- (3) Unit and application to be used: LPRM/APRM, LPRM Units for BWR-2, 3, 4, 5 and 6 Application
- (4) Number of FPGA on the module: None

## 2 Functional Summary

The BLANK module fills a unit slot in place of an LPRM module. It bypasses the alarm signal lines that form the OR (logical disjunction) of the LPRM module alarms.

## 3 Module Description

### 3.1 Module Front Panel

Figure 1 shows the front panel of the BLANK module.

### 3.2 Inputs and Outputs

The BLANK module has the following inputs and outputs through the backplane.

#### 3.2.1 Inputs

Three types of daisy chain signals (LPRM High, LPRM Downscale, LPRM inoperable) for alarm detection from one neighboring LPRM module.

#### 3.2.2 Outputs

The BLANK module provides the three types of daisy chain signals to the other neighboring LPRM module. A DIO module accepts the signals at the end.

One dummy LPRM inoperable signal to the TRN module.



Figure 1 The front panel of the BLANK module

REVISIONS

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb.8, 2013 | - | First Issue | K.Wakita<br>Feb.8,2013 | T.Tarumi<br>Feb.8,2013 | H.Ito<br>Feb.8,2013 | H.Ito<br>Feb.8,2013 |
| (1)<br>Feb.15, 2013 | 1 | Figure number 3-1 was changed to 1. | K.Wakita<br>Feb.15,2013 | T.Tarumi<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 | H.Ito<br>Feb.15,2013 |

# CELL Module Summary Description

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: CELL module
- (2) Module Number: HNS0400
- (3) Unit and application to be used: OPRM Unit for ABWR Application
- (4) Number of FPGA on the module: Eleven

## 2 Functional Summary

The CELL module converts LPRM levels to normalized oscillation levels and provides the data to the AGRD and PBD modules for trip determinations.

## 3 Module Description

### 3.1 User Interfaces

Figure 1 shows the front panel of the CELL module.

### 3.2 Inputs and Outputs

The CELL module has the following inputs and outputs.

#### 3.2.1 Inputs

(1) Input signals via process input and output modules

N/A

(2) Input signals via communication modules

The CELL module uses the LPRM levels and status from individual LPRM modules. The TRN module in the LPRM unit (not shown in Figure 2) transmits the LPRM data to the OPRM unit. The RCV module in the OPRM unit receives the LPRM data. The CELL module is responsible for receiving the LPRM data from the RCV module.

MEM-JHS-000121 Rev.1



Figure 1 The front panel of the CELL module

#### 3.2.2 Outputs

(1) Output signals via process input and output modules

N/A

(2) Output signals via communication modules

The CELL module provides the data, including the discrete alarm signal, to the DAT/ST module, and the DAT/ST module provides the data to external equipment via the TRN module.

### 3.3 FPGA functions

Figure 2 shows Functional Block Diagram of the CELL module where each block is an FPGA. Table 1 provides functions of each FPGA.

Figure 2 Functional Block Diagram of CELL module

Table 1 FPGA functions in the CELL module



REVISIONS

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb 25,2013 | - | First Issue | K. Wakita<br>Feb 25,2013 | T. Tarumi<br>Feb 25,2013 | H. Ito<br>Feb 25,2013 | H. Ito<br>Feb 25,2013 |
| (1)<br>Mar 11, 2013 | I | Editorial error correction. | K. Wakita<br>Mar 11, 2013 | T. Tarumi<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 |

# DAT/ST Module Summary Description

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: DAT/ST module
- (2) Module Number: HNS0410
- (3) Unit and application to be used: OPRM Unit for ABWR Application
- (4) Number of FPGA on the module: Two

## 2 Functional Summary

The DAT/ST module receives data from the CELL module, AGRD module, PBD module and LVPS module, multiplexes these data, and outputs them to the TRN module.

The DAT/ST module also displays input and power status on the front panel.

## 3 Module Description

### 3.1 User Interfaces

Figure 1 shows the front panel of the DAT/ST module.

### 3.2 Inputs and Outputs

The DAT/ST module has the following inputs and outputs.

#### 3.2.1 Inputs

(1) Input signals via process input and output modules

N/A

(2) Input signals via communication modules

N/A

(3) Others to be noted

The DAT/ST module receives data from the CELL module, AGRD module, PBD module, and LVPS module on the same chassis.

MEM-JHS-000122 Rev.1



Figure 1 The front panel of the DAT/ST module

#### 3.2.2 Outputs

(1) Output signals via process input and output modules

N/A

(2) Output signals via communication modules

The DAT/ST module provides the data received from the CELL module, AGRD module, PBD module and LVPS module externally via the TRN module.

### 3.3 FPGA functions

Figure 2 shows Functional Block Diagram of the DAT/ST module where each block is an FPGA. Table 1 provides functions of each FPGA.

Figure 2 Functional Block Diagram of DAT/ST module

Table 1 FPGA functions in the DAT/ST module



REVISIONS

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb 25,2013 | | First Issue | K. Wakita<br>Feb 25,2013 | T. Tarumi<br>Feb 25,2013 | H. Ito<br>Feb 25,2013 | H. Ito<br>Feb 25,2013 |
| (1)<br>Mar 11, 2013 | 1,2 | Editorial error correction | K. Wakita<br>Mar 11, 2013 | T. Tarumi<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 |

# AGRD Module Summary Description

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: AGRD module
- (2) Module Number: HNS0420
- (3) Unit and application to be used: OPRM Unit for ABWR Application
- (4) Number of FPGA on the module: Eight

## 2 Functional Summary

The AGRD module receives OPRM cell data from the CELL module and monitors power oscillation for each cell using the Amplitude-Based Algorithm (ABA) and the Growth Rate-based detection Algorithm (GRA). When power oscillation is detected by ABA or GRA, the AGRD module generates a trip signal to the DIO module. The AGRD module transmits AGRD calculation data to the DAT/ST module.

## 3 Module Description

### 3.1 User Interfaces

Figure 1 shows the front panel of the AGRD module.

### 3.2 Inputs and Outputs

The AGRD module has the following inputs and outputs.

#### 3.2.1 Inputs

(1) Input signals via process input and output modules

N/A

(2) Input signals via communication modules

N/A

(3) Others to be noted

The AGRD module receives OPRM cell data from the CELL module.



Figure 1 The front panel of the AGRD module

#### 3.2.2 Outputs

(1) Output signals via process input and output modules

When power oscillation is detected by ABA or GRA, the AGRD module generates a trip signal to the DIO module.

(2) Output signals via communication modules

The AGRD module transmits AGRD calculation data to the DAT/ST module.


### 3.3 FPGA functions

Figure 2 shows Functional Block Diagram of the AGRD module where each block is an FPGA. Table 1 provides functions of each FPGA.

Figure 2 Functional Block Diagram of AGRD module

Table 1 FPGA functions in the AGRD module

MEM-JHS-000123 Rev.1

### 3.4 Self Diagnosis

The AGRD module generates the following self diagnosis signals.

#### 3.4.1 Minor Failure Alarm

The AGRD module generates a minor failure alarm if the EEPROM data error or the ( ) is detected. The ( ) is detected by Watchdog Timer (WDT) and determined as error if the ( ) is not detected.

#### 3.4.2 Inoperable Trip

The AGRD module generates an inoperable trip if ( ) is detected. The ( )<sup>a,c</sup> detected by WDT and determined as error if the ( ) is not detected.

REVISIONS

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 2013 | - | First Issue | K. Wakita<br>Feb 25,2013 | T. Tarumi<br>Feb 25,2013 | | H. Ito<br>Feb 25,2013 |
| )<br>2015 | 1,3 | Editorial error correction. | K. Wakita<br>Mar 11, 2013 | T. Tarumi<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 |

# PBD Module Summary Description

## 1 Introduction

This document provides the module description for the following module.

- (1) Module Name: PBD module
- (2) Module Number: HNS0430
- (3) Unit and application to be used OPRM Unit for ABWR Application
- (4) Number of FPGA on the module: Seven

## 2 Functional Summary

The PBD module receives OPRM cell data from the CELL module and monitors power oscillation for each cell using the Period-Based Detection Algorithm (PBDA). When power oscillation is detected by PBDA, the PBD module generates a trip signal to the DIO module. The PBD module transmits PBDA calculation data to the DAT/ST module.

## 3 Module Description

### 3.1 User Interfaces

Figure 1 shows the front panel of the PBD module.

### 3.2 Inputs and Outputs

The PBD module has the following inputs and outputs.

#### 3.2.1 Inputs

(1) Input signals via process input and output modules

N/A

(2) Input signals via communication modules

N/A

(3) Others to be noted

The PBD module receives OPRM cell data from the CELL module.



Figure 1 The front panel of the AGRD module

#### 3.2.2 Outputs

(1) Output signals via process input and output modules

When power oscillation is detected by PBDA, the PBD module generates a trip signal to the DIO module.

(2) Output signals via communication modules

The PBD module transmits PBD calculation data to the DAT/ST module.

### 3.3 FPGA functions

Figure 2 Functional Block Diagram of PBD module



### 3.4 Self Diagnosis

The PBD module generates the following self diagnosis signals.

#### 3.4.1 Minor Failure Alarm

The PBD module generates a minor failure alarm if the EEPROM data error or the ( ) is detected. The ( ) detected by Watchdog Timer (WDT) and determined as error if the ( ) is not detected.

#### 3.4.2 Inoperable Trip

The PBD module generates an inoperable trip if stop is detected. The ( )<sup>a,c</sup> detected by WDT and determined as error if the ( ) is not detected.

REVISIONS

| REV. MARK<br>REV. ISSUED | PAGE | CHANGED PLACE AND CONTENTS | APPROVED BY | REVIEWED BY | PREPARED BY | REGISTERED |
|---|---|---|---|---|---|---|
| 0<br>Feb 25,2013 | - | First Issue | K. Wakita<br>Feb 25,2013 | T. Tarumi<br>Feb 25,2013 | H. Ito<br>Feb 25,2013 | H. Ito<br>Feb 25,2013 |
| (1)<br>Mar 11, 2013 | 1 | Editorial error correction. | K. Wakita<br>Mar 11, 2013 | T. Tarumi<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 | H. Ito<br>Mar 11, 2013 |



UTLR-0020NP Part III Rev.2 August 2015

# **Topical Report**

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application

### Part III

Qualification Results of the BWR-5 PRM and the ABWR OPRM

Approved by Electrical System Design & Engineering Dept.

Masahiko Hamada

Toshiba Corporation Nuclear Energy Systems & Services Division

©2012 - 2015 Toshiba Corporation All Rights Reserved

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application UTLR-0020NP Part III Rev.2 Part III Qualification Results of the Power Range Monitor (PRM)

The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.


# Table of Contents

| Table of Contents                                          |    |
|------------------------------------------------------------|----|
| List of Figures                                            |    |
| List of Tables                                             |    |
| Note for Acronyms and References                           | 5  |
| III-1 Introduction                                         |    |
| III-1.1 Background                                         | 6  |
| III-1.2 Purpose                                            | 7  |
| III-1.3 Scope                                              |    |
| III-2 Qualification Test of PRM                            |    |
| III-2.1 General Description                                |    |
| III-2.1.1 Pre-Qualification Tests                          | 9  |
| III-2.1.2 Qualification Tests                              |    |
| III-2.1.3 Performance Proof Tests                          |    |
| III-2.2 Qualification Tests for PRM System                 |    |
| III-2.2.1 Environmental Test                               | 14 |
| III-2.2.2 Seismic Test                                     | 17 |
| III-2.2.3 Electromagnetic Compatibility (EMC) Test         | 20 |
| III-2.2.4 Performance Proof Test for PRM System            | 27 |
| III-2.2.5 Conclusion of Qualification Tests for PRM System | 27 |
| III-3 Qualification Analysis of PRM                        | 29 |
| III-3.1 General Description                                |    |
| III-3.2 Qualification Analysis of PRM System               |    |
| III-3.2.1 Availability/Reliability Analysis of PRM System  | 30 |
| III-3.2.2 FMEA for PRM System                              | 30 |
| III-3.2.3 Setpoint Support Analysis for PRM System         | 31 |
| III-4 Verification and Validation of PRM                   | 32 |
| III-4.1 Power Range Neutron Monitor                        |    |
| III-4.1.1 V&V Organization and Process                     | 32 |
| III-4.1.2 Design Verification                              | 33 |
| III-4.1.3 Hazard Analyses                                  | 36 |
| III-4.1.4 V&V Iteration                                    |    |
| TOSHIBA CORPORATION                                        |    |

· -

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application UTLR-0020NP Part III Rev.2 Part III Qualification Results of the Power Range Monitor (PRM)

| III-4.1.5 V&V Conclusions                                  | 37 |
|------------------------------------------------------------|----|
| III-5 Qualification Test of OPRM                           | 38 |
| III-5.1 General Description                                | 38 |
| III-5.1.1 Performance Proof Test                           | 39 |
| III-5.2 Qualification Tests for OPRM System                | 39 |
| III-5.2.1 Environmental Test                               | 44 |
| III-5.2.2 Seismic Test                                     | 45 |
| III-5.2.3 Electromagnetic Compatibility (EMC) Test         | 48 |
| III-5.3 Similarity Evaluation for New Module Design        | 53 |
| III-5.4 Conclusion of Qualification Tests for OPRM System  | 54 |
| III-6 Qualification Analysis of OPRM                       | 56 |
| III-6.1 General Description                                | 56 |
| III-6.2 Qualification Analysis of OPRM System              | 56 |
| III-6.2.1 Availability/Reliability Analysis of OPRM System | 56 |
| III-6.2.2 FMEA for OPRM System                             | 57 |
| III-6.2.3 Setpoint Support Analysis for OPRM System        | 57 |
| III-7 Verification and Validation of OPRM                  | 59 |
| III-7.1 Oscillation Power Range Neutron Monitor            | 59 |
| III-7.1.1 V&V Organization and Process                     | 59 |
| III-7.1.2 Design Verification                              | 60 |
| III-7.1.3 Safety Analyses                                  | 62 |
| III-7.1.4 V&V Iteration                                    | 63 |
| III-7.1.5 V&V Conclusions                                  | 63 |


# List of Figures

| Figure III-2-1 Test Sequence (PRM Qualification Project)                                  | 14 |
|-------------------------------------------------------------------------------------------|----|
| Figure III-3-1 Availability/Reliability Analysis Results (Test Specimen)                  | 30 |
| Figure III-3-2 Availability/Reliability Analysis Results (Full PRM System)                | 30 |
| Figure III-5-1 Environmental and Seismic Qualification Test Sequence (OPRM Qualification) | 42 |
| Figure III-5-2 EMC Qualification Test Sequence (OPRM Qualification)                       | 43 |

# List of Tables

| Table III-2-1 Qualification Test Overview (PRM Qualification Project)                      | 13 |
|--------------------------------------------------------------------------------------------|----|
| Table III-2-2 Seismic Levels                                                               | 19 |
| Table III-2-3 EMC Test Results                                                             | 21 |
| Table III-2-4 [Deleted]                                                                    | 22 |
| Table III-2-5 [Deleted]                                                                    | 22 |
| Table III-5-1 Test Specimen Configuration during Environmental, Seismic, and EMC test of C |    |
| Table III-5-2 Qualification Test Overview (OPRM Qualification)                             | 41 |
| Table III-5-3 Seismic Levels                                                               | 46 |
| Table III-5-4 EMC Test Results                                                             | 49 |
| Table III-5-5 Applicable Module Type and FPGA Code Name for TRN Modules                    | 53 |
| Table III-5-6 Applicable Module Type and FPGA Code Name for RCV Modules                    | 54 |
| Table III-6-1 Availability/Reliability Analysis Results (OPRM equipment)                   | 56 |


# Note for Acronyms and References

All acronyms and references are listed in the separate Acronym and Reference Part, which is part of this LTR.

# III-1 Introduction

This is Part III of the Licensing Topical Report (LTR) for the Toshiba Non-Rewritable Field Programmable Gate Array-based (NRW-FPGA-based) Instrumentation and Control (I&C) Systems for Safety-Related Applications. This part addresses the qualification results of the Power Range Neutron Monitor (PRM) for Boiling Water Reactor (BWR)-5 and the Oscillation Power Range Monitor (OPRM) for Advanced Boiling Water Reactor (ABWR).

## III-1.1 Background

Toshiba has extensive experience in supplying nuclear safety-grade Instrumentation and Control (I&C) systems in Japan. This experience ranges from supplying digital I&C systems, such as power range neutron monitors for individual plants, up to designing and manufacturing the world's first fully integrated digital CPU-based I&C systems for ABWRs. These systems were first installed at Kashiwazaki-Kariwa Unit 6, and are in use at Kashiwazaki-Kariwa Unit 6 and Hamaoka Unit 5.

Following the installation of the CPU-based BWR digital system, Toshiba started development of I&C technology based on Non-Rewritable (NRW) Field Programmable Gate Arrays (FPGAs) and supplied the NRW-FPGA-based I&C products to Japanese Nuclear Power Plants under Toshiba's ISO 9001 program. NRW-FPGA-based products have been installed in 11 nuclear power plants including 254 NRW-FPGA-based units for non-safety-related systems, 91 units for safety-related process radiation monitors, and 60 units for safety-related neutron monitoring systems.

Toshiba also established a 10 CFR 50 Appendix B (Reference (a2)) Quality Assurance (QA) process to permit the use of Toshiba FPGA-based systems in the US for safety-related applications in nuclear power plants. Toshiba implemented the Appendix B QA processes in a phased approach, as follows, to ensure a smooth transition of the processes at the affected organizations.

- Original Process: Initial establishment of the Appendix B QA process in the system engineering organization. This process was applied to the development and the qualification of the Power Range Monitor (PRM) for a Boiling Water Reactor (BWR)-5. This process is referred to as the "Original Process" in this topical report.
- Current Process: Toshiba improved the Original Process by extending the Appendix B QA process into the design organization and closer to the manufacturing organization where other Toshiba NRW-FPGA-based I&C products are developed. This process is referred to as the "Current Process" in this LTR. All future work will be under this process, including modifications to equipment produced under the Original Process.

Toshiba has used the Original Process to develop and qualify a NRW-FPGA-based PRM for a BWR-5. Toshiba used the Current Process to develop and qualify the OPRM for ABWR.

This LTR uses the term "PRM" to mean the PRM for BWR-5 and the term "OPRM" to mean the OPRM for ABWR.

This LTR consists of the following six parts.

Part I describes software lifecycle and development processes.

Part II provides the design descriptions for the PRM and the OPRM and includes an application guide.

Part III describes the qualification results for the PRM and the OPRM.

Part IV provides the compliance tables for Toshiba processes to important Codes and Standards.

Part V provides the BWR-5 PRM V&V report.

Part VI provides the ABWR OPRM V&V report.

The Acronym and Reference Part lists all the acronyms and references used in all Parts of the LTR except Parts V and VI. Part V and Part VI have their own acronym and reference lists because they are the existing actual V&V reports for the PRM and the OPRM.

This is Part III of the LTR.

## III-1.2 Purpose

The purpose of Part III of the LTR is to describe the qualification of Toshiba NRW-FPGA-based PRM and OPRM.

The PRM was developed by the Original Process, and the qualification activities of the PRM, including EQ and EMC testing, were completed using this process. Comparison between the Current Process and the Original Process is provided in Appendix I-A. One exception was a V&V iteration performed to resolve a problem found in the FPGA dynamic testing of the PRM. The related activities, including V&V, were performed using the Current Process.

The OPRM was developed by the Current Process, and the qualification activities of the OPRM, including EQ and EMC testing, were completed using the Current Process.

## III-1.3 Scope

This Part III of the report includes the following information:

- Section III-1 provides introductory material such as the report purpose and scope.
- Section III-2 introduces the qualification testing and describes how Toshiba implements this qualification testing for qualification of PRM.
- Section III-3 introduces the qualification analysis and describes how Toshiba implements this qualification analysis for qualification of PRM.
- Section III-4 introduces the system V&V process and results of the PRM.
- Section III-5 introduces the qualification testing and describes how Toshiba implements this qualification testing for qualification of OPRM.
- Section III-6 introduces the qualification analysis and describes how Toshiba implements this qualification analysis for qualification of OPRM.
- Section III-7 introduces the system V&V process and results of the OPRM.

The model numbers of the qualified modules for PRM are listed in Table 4-1 of the Requirements Definition Phase V&V Report for the PRM, which is included in Part V.

The model numbers of the qualified modules for OPRM are listed in Tables 9-1, 9-5, and 10-1 of the NICSD V&V Report for OPRM, which is included in Part VI.

# III-2 Qualification Test of PRM

## III-2.1 General Description

This section describes the qualification of the Toshiba FPGA-based PRM. Toshiba performed qualification test activities as required by EPRI TR-107330 (Reference (a46)), which describes the hardware qualification tests to demonstrate hardware acceptability for safety-related applications. The tests specified in EPRI TR-107330 are required in order to comply with the applicable regulatory requirements and industry standards. The qualification tests were performed using an assembled test system that is comprised of a test specimen and test equipment with validated final FPGA logic.

For equipment qualification, test plans were prepared that define the test activities and test sequence. The test plans specify the set of qualification tests to be performed on the test specimen, including defining a set of operability tests to be performed during qualification test. The tests include a pre-qualification test, qualification test, and performance proof test. The following describes the hardware testing required by EPRI TR-107330 as it relates to the FPGA-based systems. Test limits have been adjusted by more current NRC guidance, including USNRC RG 1.180, Revision 1.

### III-2.1.1 Pre-Qualification Tests

The Pre-Qualification Test was performed prior to the Qualification Test. This test was performed to demonstrate that the Test Specimen operates as intended and to provide a performance baseline for the Qualification Tests. The Pre-Qualification test includes:

- System Set-up and Check-out Test. The purpose of this test is to verify proper assembly, integration, and operation of the assembled Test System for Pre-Qualification Test. This test confirms proper connection and operation of the Test System including monitoring instruments, variable power supplies, and signal simulators.
- Burn-in Test. The purpose of this test is to perform a minimum 352 hour burn-in of the assembled Test System. The objective of the test is to detect any failures in early life that might otherwise impact the subsequent Qualification Test activities. System Set-up and Check-out Test described above is repeated after the Burn-in Test.
- Operability Test. The purpose of this test is to verify the Test System functions correctly prior to the performance of Qualification Tests. This initial performance during Pre-Qualification Testing also established the baseline performance of the Test System, which is used for comparison to performance measured during Qualification Tests.
- Prudency Test. The purpose of this test is to verify the Test System functions correctly while being exercised in various ways to simulate potential in-service stresses prior to the performance of Qualification Test. This initial performance of the prudency test also establishes baseline performance of the Test System for comparison to performance measured during Qualification Tests.

These tests were performed in accordance with Section 5 of EPRI TR-107330.

### III-2.1.2 Qualification Tests

These tests were conducted to demonstrate compliance with requirement specifications and to demonstrate suitability of equipment while subject to stress conditions. Qualification tests were performed on the assembled Test System after the system passes the pre-qualification testing acceptance criteria. The Qualification Tests include:

- Environmental Test (Radiation). Since the PRM system is designed to be installed in a mild environment, radiation exposure was not necessary. However, Toshiba decided to demonstrate that the PRM system, the first NRW-FPGA-based I&C system for the US market, would not be affected by radiation exposure.
- Environmental Test. The Environmental Test is performed to ensure that the system provides the performance required under the temperature and humidity conditions shown in Section 6.3.3 of EPRI TR-107330 (Reference (a46)). After the Environmental Test, the Operability Test and Prudency Test are performed under the same conditions as the pre-qualification testing to compare with the baseline performance measured during Pre-Qualification Test.
- Seismic Test. The Seismic Test is performed to ensure that the system continues to operate correctly during the seismic conditions shown in Section 6.3.4 of EPRI TR-107330 to the extent achievable at the test facility. After the Seismic Test, the Operability Test and Prudency Test are performed under the same conditions as the pre-qualification testing to compare with the baseline performance measured during Pre-Qualification Test.
- Electromagnetic Interference/Radio-Frequency Interference (EMI/RFI) Test. The EMI/RFI Test is performed to ensure that the system is not susceptible to and does not radiate more than the EMI/RFI levels shown in USNRC RG 1.180 Revision 1 (Reference (a19)).
- Surge Withstand Capability (SWC) Test. The SWC test is performed to ensure that the system withstands the surge limits shown in USNRC RG 1.180 Revision 1.
- Electrical Fast Transient / Burst (EFT/B) Test. The EFT/B Test is performed to ensure that the system withstands the EFT/B limits shown in USNRC RG 1.180 Revision 1.
- Electrostatic Discharge (ESD) Test. The ESD Test is performed to ensure that the system can continue to operate when exposed to the ESD levels shown in Section 4.3.8 of EPRI TR-107330. The test was performed in accordance with EPRI TR-102323 Revision 2 (Reference (a44)) Appendix B Section 3.5.
- Class 1E to Non Class 1E Isolation Test. The Class 1E to Non Class 1E Isolation Test demonstrated that the system provides suitable electrical and functional isolation. This test is necessary where the tested FPGA-based system is a safety-related device credited with isolating itself from Non Class 1E equipment. The test levels are shown in Section 4.6.4 of EPRI TR-107330 and IEEE Std 384-1992 (Reference (a34)).

### III-2.1.3 Performance Proof Tests

Performance Proof Tests were conducted to confirm satisfactory operation after being subjected to qualification test conditions. Performance Proof Tests were also performed after the test system was re-configured to evaluate the aging effect, mainly from temperature, humidity, and seismic tests. Performance Proof Tests were a repeat of selected Pre-Qualification baseline tests to identify any changes in equipment performance. Performance Proof Tests include:

- System Set-up and Check-out Test
- Operability Test
- Prudency Test

The sequence of tests is shown in Figure III-2-1 and Table III-2-1.

Note: System Set-up and Check-out Tests were performed, as necessary, when the Test System was moved or re-configured as part of qualification testing. These tests are not part of the qualification, but are performed to confirm the equipment is properly configured and operating correctly before starting subsequent testing credited for qualification.

## III-2.2 Qualification Tests for PRM System

Qualification Tests were conducted for the PRM system during the PRM Qualification Project using a test specimen that is comprised of an LPRM unit, an LPRM/APRM unit and a FLOW unit.

Qualification Test items with reference to the relevant test documents of PRM Qualification Project are shown in Table III-2-1. The test sequence that was used for PRM Qualification Project is shown in Figure III-2-1.

As shown in Table III-2-1, the test levels for EMI/RFI Test, SWC Test, and EFT/B Test are not the same as those specified in EPRI TR-107330 (Reference (a46)) requirements. Instead, the test levels used were obtained from RG 1.180, Revision 1 (Reference (a19)), which was issued in October 2003 after the EPRI report was completed. These Regulatory Guide values are considered to better reflect the current requirements of US utilities.

Results of these tests conducted for the PRM system during the PRM Qualification Project are summarized in the following subsections.


|                                    | Test                                                | Applied Standard | Toshiba Test Procedure Number*      | Section in Master Test Plan (Reference (d19))  |
|------------------------------------|-----------------------------------------------------|------------------|-------------------------------------|------------------------------------------------|
| 1. Hardware Pre-Qualification Test | 1.1 System Set-up and Check-out Test                | TR-107330        | FPG-TPRC-C51-1001 (Reference (d20)) | App. 2 Hardware Pre-Qualification Test Plan    |
| 1. Hardware Pre-Qualification Test | 1.2 Burn-in Test                                    | TR-107330        |                                     | App. 2 Hardware Pre-Qualification Test Plan    |
| 1. Hardware Pre-Qualification Test | 1.3 System Set-up and Check-out Test                | TR-107330        | FPG-TPRC-C51-1001                   | App. 2 Hardware Pre-Qualification Test Plan    |
| 1. Hardware Pre-Qualification Test | 1.4 Operability Test                                | TR-107330        | FPG-TPRC-C51-1009 (Reference (d28)) | App. 2 Hardware Pre-Qualification Test Plan    |
| 1. Hardware Pre-Qualification Test | 1.5 Prudency Test                                   | TR-107330        | FPG-TPRC-C51-1010 (Reference (d29)) | App. 2 Hardware Pre-Qualification Test Plan    |
| 2. Hardware Qualification Test     | 2.2 Environmental Test (Radiation Exposure)         | TR-107330        | FPG-TPRC-C51-1002 (Reference (d21)) | App. 3 Environmental Test Plan                 |
| 2. Hardware Qualification Test     | 2.4 Environmental Test (Temperature and Humidity)   | TR-107330        | FPG-TPRC-C51-1002                   | App. 3 Environmental Test Plan                 |
| 2. Hardware Qualification Test     | 2.6 Seismic Test                                    | TR-107330        | FPG-TPRC-C51-1003 (Reference (d22)) | App. 4 Seismic Test Plan                       |
| 2. Hardware Qualification Test     | 2.8 EMI/RFI Test                                    | RG 1.180         | FPG-TPRC-C51-1004 (Reference (d23)) | App. 5 EMI/RFI Test Plan                       |
| 2. Hardware Qualification Test     | 2.9 Surge Withstand Capability Test                 | RG 1.180         | FPG-TPRC-C51-1005 (Reference (d24)) | App. 6 Surge Withstand Capability Test Plan    |
| 2. Hardware Qualification Test     | 2.10 EFT/B Test                                     | RG 1.180         | FPG-TPRC-C51-1006 (Reference (d25)) | App. 7 EFT/B Test Plan                         |
| 2. Hardware Qualification Test     | 2.11 ESD Test                                       | TR-107330        | FPG-TPRC-C51-1007 (Reference (d26)) | App. 8 ESD Test Plan                           |
| 2. Hardware Qualification Test     | 2.12 Class 1E to Non-1E Isolation Test              | TR-107330        | FPG-TPRC-C51-1008 (Reference (d27)) | App. 9 Class 1E to Non-1E Test Plan            |
| 3. Hardware Performance-Proof Test | 3.2 Operability Test                                | TR-107330        | FPG-TPRC-C51-1009                   | App. 10 Hardware Performance-Proof Test Plan   |
| 3. Hardware Performance-Proof Test | 3.3 Prudency Test                                   | TR-107330        | FPG-TPRC-C51-1010                   | App. 10 Hardware Performance-Proof Test Plan   |

### Table III-2-1 Qualification Test Overview (PRM Qualification Project)

\* This column lists the test procedure numbers used for PRM Qualification Project.




Figure III-2-1 Test Sequence (PRM Qualification Project)

### III-2.2.1 Environmental Test

#### III-2.2.1.1 Environmental Test (Radiation)

The PRM System was exposed to radiation. Since all of the PRM equipment was installed only in a mild environment, radiation exposure was not necessary. However, Toshiba decided to demonstrate that the PRM system, the first NRW-FPGA-based I&C system for the US market, would not be affected by radiation exposure.

The gamma irradiation on the Test Specimen was performed to 11 Gy to provide 10% margin above the requirement of 10 Gy. The 10 Gy exposure requirement is stated in Section 4.3.6.1 of EPRI TR-107330 (Reference (a46)). The test was performed in accordance with the guidance provided in IEEE Std 323-1983 (Reference (a31)). Radiation exposure was performed with the system powered down, which is the most conservative in terms of damage to the silicon, in that there is no heating to anneal radiation damage. Maximal damage is accumulated prior to powering the system.

The irradiation was performed at a high level radiation effects test facility. For this irradiation, a curie (Ci) Co-60 source was used.

After the radiation exposure, a Performance Proof Test was performed. This test showed that all PRM safety functions were confirmed to be within the required tolerance, after subjecting the Test Specimen to this exposure. The evaluation concludes that exposure to these environmental stressors will not prevent the PRM System from performing its safety-related function. Details of the test results and test data of the Environmental Test are reported in the Qualification Test Summary Report (Reference (d16)). After the radiation exposure was finished, the PRM System was transported to another test facility for the environmental test.

#### III-2.2.1.2 Environmental Test Profiles for PRM System

The environmental test was performed to ensure that the Toshiba PRM system operates correctly when exposed to the environmental conditions shown in TR-107330 (Reference (a46)) Section 6.3.3. Environmental qualification testing of the Test System was performed as described in the Environmental Test Procedure (Reference (d21)).

Requirements for environmental test are specified in EPRI TR-107330, Sections 4.3.6 and 6.3.3. The acceptance criteria are given in the Master Test Plan (Reference (d19)).

For the temperature and humidity exposure, specific test patterns were applied in repetition, and the output data was monitored.

After the test, the performance of the Test Specimen was compared to the baseline performance (measured during Pre-Qualification Test) to determine if the test impacted the performance and operability of the Test Specimen Units.

Environmental Testing was performed at the test facilities from June 2006 through October 2006. In August 2006, the test was suspended due to problems with the environmental chamber. During this test, Toshiba observed that water condensation formed on the ceiling of the chamber. Water drops were observed on the top face of the Test Specimen Units. These water drops short-circuited the IC pins causing the failure of the Test Specimen. Because the test required a non-condensing environment, Toshiba concluded that the environmental condition deviated from the required conditions. Toshiba installed a condensation shield to prevent water condensate on the ceiling of the environmental chamber from falling directly onto the Test Specimen Units. In addition, Toshiba replaced the damaged modules with spare modules that had also been subjected to radiation exposure. The Environmental Testing was then re-performed satisfactorily.

The testing complied closely, but not identically, with the test curve in EPRI TR-107330, due to limitations on real world test equipment, and is considered to demonstrate satisfactory performance.

The value of relative humidity at the low temperature condition was not established due to test facility capability. Toshiba performed the low temperature test independently of the low humidity test. This is acceptable because EPRI TR-107330 states that if the specified relative humidity cannot be achieved for the specified temperature, then the test should be run for the specified time at the lowest relative humidity that can be achieved at the specified temperature, followed by running the test at the lowest temperature at which the specified relative humidity can be achieved.

The test achieved the objective of exposing the tested equipment to a wide range of humidity conditions. Also, review of the data collected during the test shows that the Test Specimen operated as intended.

Review of the post-test Operability and Prudency Test results shows that exposure to the environmental test conditions had no adverse effect on the Test Specimen.

Details of the test results and test data of the Environmental Test are reported in the Qualification Test Summary Report (Reference (d16)).

#### III-2.2.1.3 Power Quality Tolerance Test for PRM System

According to the requirement of Section 6.4.3 of TR-107330 (Reference (a46)), the Power Quality Tolerance Test was performed during acceptance test, at the end of the elevated temperature test while still at high temperature, and following the Seismic Test. The test was performed in accordance with input voltage ranges and frequency ranges of power supplies for connection to an AC (and DC) source given in Section 4.6.1 of TR-107330, and the margin given in IEEE Std 323-1983 (Reference (a31)).

#### III-2.2.1.4 Summary of Environmental Test Results of PRM System

The test results are summarized as follows:

- The Test Specimen successfully completed the radiation exposure test with no signs of physical or functional degradation.
- The Test Specimen successfully completed the temperature and humidity test.
- The Test Specimen met all applicable performance requirements during and after application of the environmental test conditions.
- The test results show that the Test Specimen will not experience failures due to abnormal service conditions of temperature and humidity.

### III-2.2.2 Seismic Test

#### III-2.2.2.1 Test Method and Process for PRM System

The Seismic Test was performed to assure that the PRM Test Specimen provides the performance and seismic withstand capability under Seismic Test conditions shown in Section 4.3.9 of TR-107330 (Reference (a46)) to the extent achievable at the test facility.

Requirements for seismic testing are specified in Sections 4.3.6 and 6.3.3 of EPRI TR-107330. These sections require that the system be seismically tested in accordance with IEEE Std 344 (Reference (a32)). The testing is required to include a resonance search followed by five simulated Operating Basis Earthquakes (OBEs) and one simulated Safe Shutdown Earthquake (SSE) at 9.75 g's and 14 g's respectively, based on 5% damping.

Due to the limitations of the Triaxial Seismic Simulator Table, the SSE tests were performed using a maximum acceleration level of 10 g's. For this reason, the PRM System testing did not fully meet EPRI TR-107330 for seismic requirements. Before using the PRM System in safety-related applications in nuclear power plants, licensees must determine that the plant-specific seismic requirements are enveloped by the existing test spectra of the PRM System.

Table III-2-2 shows seismic levels applied during this test.

Compliance of the Test Specimen seismic qualification testing with these requirements is described in the Seismic Test Procedure (Reference (d22)). The seismic test acceptance criteria are given in the Master Test Plan (Reference (d19)).

The Test Specimen was mounted to the seismic test table in accordance with mounting details provided in the Seismic Test Procedure. The Test Specimen Unit was mounted as follows.

- Two pieces of 6 inch by 3 inch by 3/8 inch steel tubing were welded to the test table with 3/16 inch fillet welds approximately 4 inches in length (two at each corner).
- The test fixture was constructed from 2 inch by 2 inch steel angle and was welded to the lower mounting tubes on each vertical 2 inch by 2 inch angle of the test fixture.
- The fixture was installed on the test facility's Triaxial Seismic Simulator Table such that its horizontal axes were collinear with the horizontal axis of the table.
- Accelerometers were provided on the test fixture to verify that actual triaxial seismic loads applied to the worst case locations on the frame.
- The Test Specimen Units were mounted in the test facility-provided test fixture using M5 mounting hardware located in the front of the chassis and M4 screws located in the rear of each unit.

Test Specimen Units were mounted on the seismic test table to comply with the following directional conditions:

- X-Direction: Parallel to the control panel of the test specimen units on the horizontal surface of the table,
- Y-Direction: Perpendicular to the control panel of the test specimen units on the horizontal surface of the table, and
- Z-Direction: Perpendicular to the surface of the table.

The units were fixed using four screws on the front side and eight screws on the back side. The specified tightening torque for the screws was 2.6 - 3.4 Nm on the front side and 1.3 - 1.7 Nm on the back side. The torque values were measured and confirmed to be within the limits during the testing.

The simulated signals were input to the Test Specimen to establish the AO and DO status described in Sections 4.4 and 4.3 of the Seismic Test Procedure.


#### Table III-2-2 Seismic Levels

| Seismic Event | Maximum Amplitude Requirement from EPRI TR-107330 Section 4.3.9                                              |
|---------------|--------------------------------------------------------------------------------------------------------------|
| OBE           | 9.8 g                                                                                                        |
| SSE           | 14 g (9.8 g was applied to type test for PRM Qualification Project due to the limitation of test facility)  |

The seismic tests were performed in accordance with the Seismic Test Procedure. The following tests were performed:

(1) Resonance Search

A low-level (approximately 0.2 g) single-axis sine sweep up to 100 Hz was performed in each of the three orthogonal axes to determine major resonance of the Test Specimen Units. There was no major resonance below 100 Hz.

(2) Random Multifrequency Tests (5 OBEs and 1 SSE)

The Test Specimen was subjected to 30 second duration triaxial multi-frequency, random motion which was amplitude-controlled in one-sixth octave bandwidth spaced one-sixth octave apart over the frequency range of 1 to 100 Hz. The test response spectrum (TRS) obtained is shown in the Qualification Test Summary Report (Reference (d16)).

Details of the test results and test data of the Seismic Test are reported in the Qualification Test Summary Report. Data collected during and after each OBE and SSE test demonstrate that the Test Specimen operated as intended throughout the testing.

The Test Specimen was visually inspected for damage or degradation following each OBE and SSE test. Results of these inspections showed no physical damage or degradation of the Test Specimen.

## III-2.2.2.2 Summary of Seismic Test Results of PRM System

The test results are summarized as follows:

- The maximum level of acceleration in SSE was limited to 10 g due to the limitation of the test facility's seismic test table.
- The Test Specimen met all applicable performance requirements during and after application of the seismic test vibration levels.
- The Test Specimen units completed seismic testing with no signs of physical or functional degradation.

## III-2.2.3 Electromagnetic Compatibility (EMC) Test

## III-2.2.3.1 Test Method and Process for PRM System

The purpose of this test was to demonstrate the electromagnetic compatibility of the PRM Test Specimen. EMI/RFI, Surge Withstand Capability (SWC), EFT/B, ESD, and Class-1E to Non Class-1E Isolation Tests were performed.

The test levels specified for EMI/RFI, SWC, and EFT/B Tests were not the same as those specified in EPRI TR-107330 (Reference (a46)). Instead, the test levels used were obtained from RG 1.180, Revision 1 (Reference (a19)), which was issued in October 2003. These Regulatory Guide values are considered to better reflect the current requirements of US utilities. EPRI TR-107330 was published in December 1996, prior to issuance of Revision 1 of RG 1.180.

Table III-2-3 shows the results of EMC tests.

The EMC test (EMI/RFI, Surge, EFT/B, ESD, and Class 1E to Non Class 1E Isolation) was performed from October 18, 2007 to December 5, 2007.

Test Specimen Units were installed in the same free-standing instrument rack used in the Environmental Test. To permit confirmation of the Test Specimen Units' capability, this rack was designed neither to shield emissions from the Test Specimen Units nor to shield the equipment from external test signals. The Test Specimen Units were installed in the test facility's anechoic chamber.

For the EMC Tests, specific test patterns were applied in repetition. The specific test patterns are described in Section 3.6 of the System Set-up and Check-out Test Procedure (Reference (d20)).

Details of the test results, required mitigations, and test data of EMC Test are reported in the Qualification Test Summary Report (Reference (d16)).

### Table III-2-3 EMC Test Results

| Test Item                                            | Test Method                    | Test Level                                      | Test Results |
|------------------------------------------------------|--------------------------------|-------------------------------------------------|--------------|
| Conducted Emissions Low Frequency                    | MIL-STD-461E/CE101             | 60 Hz to 10 kHz                                 | Comply       |
| Conducted Emissions High Frequency                   | MIL-STD-461E/CE102             | 10 kHz to 2 MHz                                 | Comply       |
| Radiated Emissions Magnetic Field                    | MIL-STD-461E/RE101             | 30 Hz to 100 kHz                                | Comply       |
| Radiated Emissions Electric Field                    | MIL-STD-461E/RE102             | 2 MHz to 1 GHz                                  | Comply       |
| Conducted Susceptibility Low Frequency               | MIL-STD-461E/CS101             | 120 Hz to 150 kHz                               | Comply       |
| Conducted Susceptibility High Frequency              | MIL-STD-461E/CS114             | 10 kHz to 30 MHz                                | Comply       |
| Conducted Susceptibility Bulk Cable Injection        | MIL-STD-461E/CS115             | 2 A                                             | Comply       |
| Conducted Susceptibility Damped Sinusoidal Transients | MIL-STD-461E/CS116            | 10 kHz to 100 MHz                               | Comply       |
| Radiated Susceptibility Magnetic Field               | MIL-STD-461E/RS101             | 30 Hz to 100 kHz                                | Comply       |
| Radiated Susceptibility Electric Field               | MIL-STD-461E/RS103             | 30 MHz to 1 GHz                                 | Comply       |
| Surge 100 kHz Ring Wave                              | IEC 61000-4-12/Ring Wave       | 2 kV                                            | Comply       |
| Surge Combination Wave                               | IEC 61000-4-5/Combination Wave | 2 kV                                            | Comply       |
| Electrical Fast Transient/Burst                      | IEC 61000-4-4/EFT/B            | 2 kV                                            | Comply       |
| Electrostatic Discharge                              | IEC 61000-4-2/ESD              | 15 kV (Air Discharge) / 8 kV (Contact Discharge) | Comply       |
| Class 1E to Non-1E Isolation                         |                                | 600 VDC / 250 VDC                               | Comply       |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

### Table III-2-4 [Deleted]

### Table III-2-5 [Deleted]

### III-2.2.3.2 EMI/RFI Test for PRM System

The purpose of this test is to demonstrate the suitability of the PRM System for qualification as a safety-related device with permissible EMI/RFI emissions and susceptibility.

The EMI/RFI Test was performed to assure that the PRM System withstands the EMI/RFI levels given in RG 1.180 (Reference (a19)). Toshiba decided to use these test levels because they were issued more recently than the requirements specified in EPRI TR-107330 (Reference (a46)). These Regulatory Guide values are considered to better reflect the current requirements of US utilities.

The EMI/RFI susceptibility and emissions withstand capability was tested using the following test methods from MIL-STD-461E (Reference (a25)).

| Test Type                                             | Test Method         |
|-------------------------------------------------------|---------------------|
| (a) Low-Frequency Conducted Susceptibility (Power):   | CS101               |
| (b) High-Frequency Conducted Susceptibility (Power):  | CS114               |
| (c) High-Frequency Conducted Susceptibility (Signal): | CS114, CS115, CS116 |
| (d) Radiated Susceptibility, Magnetic Field:          | RS101               |
| (e) Radiated Susceptibility, Electric Field:          | RS103               |
| (f) Low-Frequency Conducted Emissions:                | CE101               |
| (g) High-Frequency Conducted Emissions:               | CE102               |
| (h) Radiated Emissions, Magnetic Field:               | RE101               |
| (i) Radiated Emissions, Electric Field:               | RE102               |

Tests were not performed in the above order. Prior to the first EMI/RFI Test, a System Set-up and Check-out Test was performed.

Environmental conditions were kept at "normal environmental basic conditions" in accordance with the requirements of Section 4.3.6.1 of EPRI TR-107330.

Compliance of the Test Specimen EMI/RFI qualification testing with these requirements is described in the EMI/RFI Test Procedure (Reference (d23)).

The acceptance criteria are given in the Master Test Plan (Reference (d19)).

Details of the test results and test data of EMI/RFI testing are reported in the Qualification Test Summary Report (Reference (d16)). The results of the susceptibility testing show that the Test Specimen continued to function correctly throughout all test exposure levels. The transfer of input and output data was not interrupted. There were no interruptions or inconsistencies in the operation of the system.

For the emissions tests, the Test Specimen was found to comply with the allowable equipment emissions levels for radiated magnetic field emissions from 30 Hz to 100 kHz (RE101). A specific exceedance was found during CE101 in the power leads. From approximately 100 Hz to 700 Hz, emissions exceeded the limit shown in RG 1.180 Revision 1. This excess comes from the waveform distortion due to the AC/DC power supply (i.e., the LVPS module) in the units of the PRM system. To suppress this emission, Toshiba inserted a filter into the AC power line to the LVPS module, and confirmed that the test results met the requirement.

For the CE101 requirement, mitigation is needed for the PRM system. Toshiba confirmed that Low Frequency Conducted Emission can be mitigated by inserting filters in the power line. Toshiba will supply the system with the coils on the power supply leads to ensure that these emissions are beneath the required levels.

## III-2.2.3.3 Surge Withstand Capability Test for PRM System

The purpose of this test is to demonstrate the suitability of the PRM System for qualification as a safety-related device with Surge Withstand Capability (SWC), as stated in Section 5 of RG 1.180 (Reference (a19)), IEC 61000-4-5 (Reference (a28)), and IEC 61000-4-12 (Reference (a29)).

The SWC Test was performed to ensure that the PRM System withstands the surge limits given in Table 22 of RG 1.180. Surges were applied in accordance with IEC 61000-4-12 (for Ring Wave) and IEC 61000-4-5 (for Combination Wave). The Surge Withstand Capability Test Procedure (Reference (d24)) describes in detail the surge tests applied to the Test Specimen.

The surge withstand test acceptance criteria are defined in the Master Test Plan (Reference (d19)).

During this test, environmental conditions were kept at "normal environmental basic conditions" shown in Section 4.3.6.1 of TR-107330. The specific test patterns are described in Section 3.6 of the System Set-up and Check-out Test Procedure (Reference (d20)).

Details of the test results and test data of the SWC Test are reported in the Qualification Test Summary Report (Reference (d16)). The surges were applied to the test points, and the Test Specimen maintained normal operation during the surge application. Based on the results reported in the Qualification Test Summary Report, the Test Specimen continued to operate in accordance with the test acceptance criteria following application of the surge test voltages. However, the test results show that the repetition rate for the ring wave was not in accordance with the testing requirements, ([ ]). Since the period of the ring wave (30 $\mu$sec) is very short compared to the required 1-second repetition rate, the effect of the transient can be considered over and the longer [ ]-second rate will, therefore, not affect the conclusion of the test.

### III-2.2.3.4 EFT/B Test for PRM System

The purpose of this test is to demonstrate the suitability of the PRM System for qualification as a safety-related device with EFT/B withstand capability, as stated in Section 5 of RG 1.180 (Reference (a19)), and IEC 61000-4-4 (Reference (a27)).

The EFT/B Test was performed to assure that the PRM Test Specimen withstands the EFT/B waveforms given in Table 22 of RG 1.180. The EFT/B Test Procedure (Reference (d25)) describes in detail the tests applied to the Test Specimen. The EFT/B test acceptance criteria are defined in the Master Test Plan (Reference (d19)).

During this test, environmental conditions were kept at "normal environmental basic conditions" shown in Section 4.3.6.1 of TR-107330 (Reference (a46)). The specific test patterns are described in Section 3.6 of the System Set-up and Check-out Test Procedure (Reference (d20)).

Details of the test results and test data of EFT/B Test are reported in the Qualification Test Summary Report (Reference (d16)). The EFT/B wave forms were applied to the defined test points.

Results of the EFT/B testing show that the Test Specimen continued to operate in accordance with the test acceptance criteria.

## III-2.2.3.5 ESD Test for PRM System

The purpose of this test is to demonstrate the suitability of the PRM System for qualification as a safety-related device with regard to Electro-Static Discharge (ESD) withstand capability, as stated in IEC 61000-4-2 (Reference (a26)).

The ESD Test was performed to assure that the Test Specimen withstands the ESD levels given in Section 4.3.8 of EPRI TR-107330 (Reference (a46)). The tests were performed according to Appendix B Section 3.5 of EPRI TR-102323 (Reference (a44)). The ESD Test Procedure (Reference (d26)) describes in detail the tests applied to the Test Specimen.

The ESD test acceptance criteria are defined in the Master Test Plan (Reference (d19)). Environmental conditions were kept at "normal environmental basic conditions" shown in Section 4.3.6.1 of EPRI TR-107330. The specific test locations and voltages are described in Section 3.6 of the System Set-up and Check-out Test Procedure (Reference (d20)).

Details of the test results and test data for the ESD test are reported in the Qualification Test Summary Report (Reference (d16)).

Results of the ESD testing show that the Test Specimen did not present any temporary degradation or loss of function or performance when the ESD noises were applied to front panels, components on the front panels, and side panels, which can all be touched during normal operation.

However, testing showed temporary degradation/loss of function when ESD was applied to back panels. System functionality was recoverable. These panels are not generally exposed to ESD during normal operation. For the PRM System, ESD can be mitigated by preventing access to the back panel during plant operation, or by requiring personnel to wear anti-ESD wristbands when accessing the equipment back panel during plant operation. Therefore, administrative controls (e.g., procedures requiring use of static discharge control devices such as grounding straps) will be required to prevent or reduce exposure to electrostatic discharges. This instruction is incorporated in Appendix II-A, Application Guide.

## III-2.2.3.6 Class 1E to Non-Class 1E Isolation Test for PRM System

The purpose of this test is to demonstrate the suitability of the PRM System for qualification as a safety-related device with respect to providing electrical isolation capability of Class 1E to Non-Class 1E field connections. Section 4.6.4 of EPRI TR-107330 (Reference (a46)) requires that the isolation test demonstrate that the isolation features conform to IEEE Std 384-1992 (Reference (a34)).

The communication data link provided in each PRM System is a one-way fiber optic communication link that provides fixed data sets from each safety-related PRM division individually to the non-safety-related Rod Block Monitor (RBM). It provides 1E to non-1E isolation and offers no possibility of data transfer from the non-safety to the safety equipment. This design eliminates any potential for data from one division being supplied to another division. Based on this system design, only the devices installed in the main chassis are required to provide Class 1E to Non-1E electrical isolation capability (if these modules are used to interface to Non-1E equipment). Accordingly, the following devices that are used to provide analog output signals to the Non-1E portion were tested for Class 1E isolation capability:

- HNS518 and HNS515 AO modules installed in LPRM Units
- HNS518, HNS516, and HNS515 AO modules installed in LPRM/APRM Units
- HNS518, HNS517, and HNS516 AO modules installed in Flow Unit

The detailed functional descriptions of these AO modules are shown in Table II-A-3-1.

The test levels used comply with the level shown in Section 4.6.4 of EPRI TR-107330 and IEEE Std 384-1992. IEEE Std 384 requires the following:

- (1) The isolation device prevents shorts, grounds, and open circuits on the Non-Class 1E side from degrading the operation of the circuits on the Class 1E side.
- (2) The isolation device prevents application of the maximum credible voltage on the Non-Class 1E side from degrading the operation of the circuits on the Class 1E side.

The Class 1E to Non-1E Isolation Test Procedure (Reference (d27)) describes in detail the tests applied to the Test Specimen.

Class 1E to Non-1E test acceptance criteria are defined in the Master Test Plan (Reference (d19)).

During this test, environmental conditions were kept at "normal environmental basic conditions" shown in Section 4.3.6.1 of EPRI TR-107330.

Details of the test results and test data of the Class 1E to Non-1E test are reported in the Qualification Test Summary Report (Reference (d16)). Test level voltages were applied to the test points and the safety-related portion of the Test Specimen operated normally during and after the application.

As expected, damage occurred to the non-1E portion of the AO module, which did not propagate to the Class 1E equipment. After this test, the damaged AO modules were replaced with spare modules. Post-replacement testing (System Set-up and Checkout Test, Operability Test, and Prudency Test) showed that the system operated correctly with the replacement AO modules installed.

## III-2.2.4 Performance Proof Test for PRM System

The Performance Proof Test was conducted at the completion of all qualification testing to demonstrate the continued acceptable performance of the Test Specimen after exposure to the various qualification test conditions.

The Performance Proof Test involved performing the Operability Test and the Prudency Test (References (d28) and (d29), respectively) under the same environmental conditions as during Pre-Qualification Testing. These procedures were developed in accordance with Sections 5.3 and 5.4 of EPRI TR-107330 (Reference (a46)).

The conclusion from the performance proof testing was that the Test Specimen provided required operability and performance after completion of the series of qualification tests.

## III-2.2.5 Conclusion of Qualification Tests for PRM System

As a result of Qualification Tests, the following limitations should be considered when the PRM System is applied to the actual plant:

- (1) In the Seismic Test, due to the limitation of the test facility's seismic table, the peak amplitude of SSE was approximately 10 g. The maximum amplitude should be evaluated in actual plant installation; this is stipulated in the Application Guide, Appendix II-A-4.4.
- (2) For the CE101 requirement, mitigation is needed for the PRM System Unit. Toshiba confirmed that Low Frequency Conducted Emission can be mitigated by inserting filters in the power line. Toshiba will provide production PRM system equipment with appropriate emission protection (e.g., a coil). This issue is discussed in the Application Guide, Appendix II-A-4.5.1.
- (3) The ESD test showed that temporary degradation/loss of function occurred when ESD was applied to back panels. System functionality is recoverable. These panels are not generally exposed to ESD during normal operation. For this PRM system, ESD can be mitigated by preventing access to the back panel during plant operation or by requiring personnel to wear anti-ESD wristbands when accessing the equipment back panel during plant operation. This instruction is stated in the Application Guide, Appendix II-A-4.7.

With the above considerations, the PRM System Units achieved the required performance and are considered satisfactory for safety-related applications.

# III-3 Qualification Analysis of PRM

# III-3.1 General Description

Availability/Reliability Analysis, Failure Modes and Effects Analysis (FMEA), and Setpoint Support Analysis were performed for the PRM system. Toshiba does not perform a diversity and defense in depth analysis in this LTR, because this analysis is a plant wide evaluation based on overall considerations and general characteristics of devices rather than the specification of any device in the system. The qualification analysis of Toshiba FPGA-based I&C systems only provides assurance for a qualified device and logic.

An availability/reliability analysis was performed by NICSD to meet the requirements of Section 4.2.3 of EPRI TR-107330 (Reference (a46)). This section requires that an analysis be performed to determine the availability and reliability of a Programmable Logic Controller in safety-related applications. Section 4.2.3 of EPRI TR-107330 defines the hypothetical system configuration and conditions under which these probabilities must be determined.

A Failure Modes and Effects Analysis (FMEA) was performed by NICSD to meet the requirements of Section 4.2.3.5 of EPRI TR-107330 and IEEE Std 352-1987 (Reference (a33)). The system analyzed by the FMEA is identical to the Test Specimen configuration that is used in the Qualification Test Program. The intent of the FMEA is to identify potential failure states of modules and units. Toshiba performs the FMEA at the module level.

A Setpoint Support Analysis was performed by NED to meet the requirements of EPRI TR-107330, Section 4.2.4 and RG 1.105 Revision 3 (Reference (a10)).

Section 6.3.1 of EPRI TR-107330 requires performing aging analysis. Toshiba did not perform aging analysis, since aging analysis is not necessary when equipment is qualified for use only in mild environments.

# III-3.2 Qualification Analysis of PRM System

Qualification analysis was conducted for the PRM system during the PRM Qualification Project. Results of the analysis conducted for the PRM system are summarized in the following subsections.

## III-3.2.1 Availability/Reliability Analysis of PRM System

The PRM system was very conservatively analyzed for reliability and availability using MIL-HDBK-217F (Reference (a24)). The reliability and availability analysis for the test specimen is documented in the Availability/Reliability Analysis Report (Reference (d30)). This analysis complies with the applicable requirements of EPRI TR-107330 (Reference (a46)). The reliability values were calculated by summing failure rates of whole devices. Table III-3-1 lists the reliability values for the single division Test Specimen. Table III-3-2 lists the reliability values for a full PRM System (for a BWR-5), including redundant divisions; the system analyzed contains LPRM, LPRM/APRM, and Flow units qualified in the PRM Qualification Project.

### Figure III-3-1 Availability/Reliability Analysis Results (Test Specimen)

|               | MTBF                   | MTTR                                    | Availability                       |
|---------------|------------------------|-----------------------------------------|------------------------------------|
| Test Specimen | [ ] using MIL-STD-217F | ()hr using TR-107330 Section 4.2.3.3 C. | using TR-107330 Section 4.2.3.3 C. |

### Figure III-3-2 Availability/Reliability Analysis Results (Full PRM System)

|             | MTBF                             | MTTR                                    | Availability                       |
|-------------|----------------------------------|-----------------------------------------|------------------------------------|
| Full System | [ ]yr ([ ]hr) using MIL-STD-217F | ()hr using TR-107330 Section 4.2.3.3 C. | using TR-107330 Section 4.2.3.3 C. |

## III-3.2.2 FMEA for PRM System

The FMEA was performed in the Preliminary Hazard Analysis in the Requirements Definition Phase and documented in an appendix of the Requirements Definition Phase Preliminary Hazard Analysis Report (Reference (d11)).

Failure modes that affect the safety-related functions and methods of detection for those failure modes were identified through the FMEA. The FMEA has been performed based on the design information from the module design specifications. The analysis focused on the input and output of each FPGA, determining possible deviations from normal operation and their effects.

The detailed results of the FMEA are documented in the Requirements Definition Phase Preliminary Hazard Analysis Report. The results showed that failure modes that can prevent the PRM System from performing its function were detected by the application-specific design, the built-in system diagnostics, or by periodic testing.

The Application Guide, Appendix II-A, includes recommendations for periodic surveillance. The general surveillance techniques should be similar to those used for existing PRM systems. The surveillance interval of once per month, similarly, is based on existing technology. The surveillance is used to detect failures to lower the risk of occurrence of any problem that could adversely affect plant operation or safety. It is strongly recommended that specific nuclear plant safety-related applications incorporate Toshiba's recommended methods and frequencies to maximize system reliability and operability. This result conforms to the failure state/FMEA requirements shown in Section 4.2.3.5 of EPRI TR-107330 (Reference (a46)).

## III-3.2.3 Setpoint Support Analysis for PRM System

In accordance with the Setpoint Support Analysis, the Rack Reference Accuracy (RRA), Rack Temperature Effect (RTE), and Rack Drift (RD) are applicable allowances to the following safety-related trip signals in the PRM System:

- APRM Upscale (High-High) Trip
- Simulated Thermal Power Upscale Trip
- APRM Inoperable Trip

In the PRM Qualification Project, RRA, RTE, and RD were evaluated collectively for the above safety-related trip signals. It has been verified that the Channel Statistical Allowance (CSA) for the APRM Upscale (High-High) Trip signal and the Simulated Thermal Power Upscale Trip signal is less than 2.0% Full Scale (FS); the relationship among CSA, RRA, RTE, and RD is noted in Eq. III-3-1. CSA is not applicable to the APRM Inoperable Trip, because the APRM Inoperable Trip will be issued by self-diagnosis of the APRM.

$$CSA = \left\{(RRA)^2 + (RTE)^2 + (RD)^2\right\}^{1/2} \qquad \text{(Eq. III-3-1)}$$

The methodology and details of the results are reported in the Setpoint Support Analysis Report (Reference (d31)).

# III-4 Verification and Validation of PRM

# III-4.1 Power Range Neutron Monitor

Toshiba developed a PRM system, and conducted V&V for the PRM system throughout the development.

The Original process described in Section III-1.1 was used in the development and V&V. In the Original process, NED worked under the Appendix B QA program and, using NED's CGD process, procured the PRM from NICSD, which at that time worked under its ISO 9001 QA program. ICDD had the overall responsibility for the V&V activities.

In 2011, a problem was found in the FPGA dynamic testing performed using the Original process, and the necessary V&V activities were initiated. In these activities, the Current process was used, because the Original process was no longer applicable. Section III-4.1.4 describes the V&V iteration.

## III-4.1.1 V&V Organization and Process

ICDD organized an ICDD V&V Team independent of its design group. The ICDD V&V Team established an NED VVP defining the organizations, responsibilities, applicable standards, and the life cycle activities. The NED VVP was attached to the Job Order to NICSD.

NICSD organized their V&V Team. The NICSD V&V Team established a NICSD VVP based on the NED VVP defining the organizations, responsibilities, applicable standards, and the life cycle activities for their portions. The NICSD VVP was submitted to NED for review and approval.

The V&V activities were performed following the original process described in Section I-1.5.2, i.e., the following life cycle phases:

- Project Planning and Concept Definition Phase,
- Requirements Definition Phase,
- Design Phase,
- Implementation and Integration Phase,
- Unit/Module Validation Testing Phase, and
- System Validation Testing Phase.

Of these phases, NED performed the Project Planning and Concept Definition Phase, and the System Validation Testing Phase. The remaining phases were performed by NICSD in accordance with the Job Order, and under the oversight by the ICDD V&V Team.

## III-4.1.2 Design Verification

The ICDD and NICSD V&V Team verified the design of the PRM by reviewing the design documents, and tracing the requirements for the PRM throughout the life cycle using RTM.

## III-4.1.2.1 Document Reviews

The NED design engineers established an Equipment Requirements Specification (ERS), which specified all functional and design requirements for the PRM.

Based on the ERS, the NICSD design engineers established the following design documents:

- Unit Equipment Design Specifications for the LPRM, LPRM/APRM and FLOW units,
- Module Equipment Design Specifications for modules installed in those units, and
- FPGA Design Specifications for all FPGAs mounted on each module.

The ICDD V&V Team reviewed the ERS. The NICSD V&V Team reviewed the above NICSD design documents. The ICDD V&V Team made spot checks of the NICSD design documents. The ICDD V&V Team concluded that these design documents and the manner of the NICSD reviews were satisfactory.

In addition to the design documents, the NICSD V&V Team reviewed the following test procedures before the tests were performed:

- FPGA test procedures,
- Module test procedures, and
- Unit test procedures.

After the tests, the NICSD V&V Team reviewed the corresponding test reports.

The NICSD V&V Team concluded that these test procedures and reports were satisfactory. The ICDD V&V Team accepted the results from the NICSD V&V Team, after spot checks of these test procedures and reports.

The ICDD V&V Team reviewed the System test procedure prepared by the ICDD design engineers, and the System test report after the system validation testing. The ICDD V&V Team concluded that the documents were satisfactory.

## III-4.1.2.2 Requirements Traceability Efforts

NED prepared an RTM by collecting requirements from the ERS. The RTM was reviewed by the ICDD V&V Team, and sent to NICSD as the base requirements for the PRM.

The NICSD V&V team developed the RTM through the life cycle phases, tracing requirements or design specifications in the following documents:

- Unit Equipment Design Specifications for the LPRM, LPRM/APRM and FLOW units,
- Module Equipment Design Specifications for modules installed in those units,
- FPGA Design Specifications for all FPGAs mounted on each module,
- FPGA test procedures,
- Module test procedures, and
- Unit test procedures.

The NICSD V&V team verified that all the base requirements provided by NED were traced forward and traced back through the life cycle phases.

The ICDD V&V team made spot checks, and confirmed the NICSD V&V Team's conclusions.

The ICDD V&V team completed the RTM by filling in the test items from the System Validation Testing Procedures.

## III-4.1.2.3 FPGA Logic Implementation V&V

The NICSD design engineers established FPGA Design Specifications for all FPGAs mounted on each module. Toshiba FPGA-based systems use the FE approach, as described in Section II-2.1.6. The FPGA Design Specifications represented the FPGA design in block diagrams and broke it down to the level of FEs.

The NICSD design engineers developed the VHDL source code for each FPGA, converted the VHDL source code into a netlist, and into a fusemap using software tools. The fusemap was implemented in an FPGA for FPGA testing.

These design activities were performed in accordance with the FPGA design principles described in Section II-2.1.5.

The FPGA Logic Implementation V&V included:

- (1) VHDL Source Code Review. See Section I-3.10.2.5.
- (2) Software Tool Message Review. See Section I-3.10.2.5.
- (3) Signal Timing Analysis Review. See Section I-3.10.2.5 and Section II-2.1.5.3.
- (4) Netlist Review. See Section I-3.10.2.5.
- (5) FPGA Testing. The NICSD design engineers performed validation testing of the FPGAs in a manner that achieved the 100% toggle coverage criteria. See Section I-3.10.2.5 and Section II-2.1.7.
- (6) Software Tool Control Review. See Section I-3.10.2.5.

The NICSD V&V Team concluded that the results of the V&V activities were acceptable. The NED V&V Team concluded that the conclusion of the NICSD V&V Team was acceptable.

## III-4.1.2.4 Validation Testing

NICSD performed the module validation tests for each module, and then performed unit validation tests for each unit in which the modules were installed. Finally, NED performed the system validation testing of the assembled PRM system. As stated before, NED reviewed and accepted the work performed by NICSD, ensuring that the Validation Testing activities performed were complete, correct, thorough, adequate, controlled, and that the resulting safety system would produce accurate, timely results, with the correct functionality, acceptable reliability, appropriate cyber security, and ability to operate (and identify) single faults and failures in a redundant installation.

For the validation testing, a set of test equipment was used. The test equipment entered test signals into the LPRM modules in the LPRM units or in the LPRM/APRM unit. The LPRM converted the signals into digital data, and applied a digital filter to the data. The data was sent to the APRM module in the LPRM/APRM unit through the fiber optic links or through the middle plane of the LPRM/APRM unit. The APRM module made trip determinations, and sent the trip signal to the discrete output module, from which the trip signals were sent to the test equipment.

One or more test PCs controlled the test equipment, and recorded the input and output signals. The records were compared with the desired values.

The NICSD V&V Team reviewed the results of the module and unit validation testing, and concluded that they were acceptable. The ICDD V&V Team reviewed the NICSD VVR and the result of the system validation testing, and concluded that the validation testing was acceptable.

## III-4.1.3 Hazard Analyses

NED, as an Appendix B vendor, performed a hazard analysis for each phase of the life cycle, and completed the analysis at the System Validation Testing Phase.

In the Project Planning and Concept Definition Phase, a fault tree analysis (FTA) was performed as a top-down analysis approach. The analysis concluded that two concurrent failures are required to affect plant operation.

However, the analysis pointed out that errors in the software tools and timing errors of the FPGAs should be addressed in the life cycle. In the subsequent phases, the hazard analyses addressed the two issues, and concluded that the PRM system-level risk was less than that of the existing plant equipment.

The NED V&V Team reviewed the hazard analysis reports at each phase, and concluded that they were acceptable.

## III-4.1.4 V&V Iteration

In 2011, NICSD and the Power Platform Development Department (PPDD) of the Fuchu Complex found a problem in the FPGA testing that had been performed in the V&V for the PRM, and notified the Instrumentation & Control Systems Design & Engineering Dept. (ICDD). The problem was that the FPGA dynamic timing simulation had not been performed appropriately. Corrective Action Request (CAR)-11-176, which requested resolution of the problem, was issued.

To resolve the problem, NICSD and PPDD performed a correct dynamic timing simulation as FPGA retesting. The result of the retesting was satisfactory, ensuring the correct operation of the FPGAs without any logic change.

NICSD issued a V&V report for the retesting in accordance with the V&V Plan. The ICDD IV&V Team updated the Verification and Validation Final Report for the PRM, which is Part V of the LTR. The updated V&V Final Report concluded that the result of the V&V was acceptable.

### III-4.1.5 V&V Conclusions

The ICDD V&V Team issued the Verification and Validation Final Report for the PRM system, concluding that all requirements for the PRM system were fulfilled in the final product, and that the PRM system is suitable for nuclear plant power monitoring. This conclusion was not changed after the V&V iteration described in Section III-4.1.4, and the V&V Final Report was issued. In the V&V for the PRM, all observed issues and concerns were resolved appropriately.

## III-5 Qualification Test of OPRM

## III-5.1 General Description

This section describes the qualification of the safety-related Oscillation Power Range Monitor (OPRM). Toshiba performed qualification test activities as required by EPRI TR-107330 (Reference (a46)) in a manner similar to the qualification test for the PRM. Table III-5-1 shows the configuration of the test specimen of the OPRM for the qualification test.

| (Slot ID) Module Name | Model Number | Functional Description |
|---|---|---|
| OPRM Unit (HNU1200B00000) | | |
| (FSL01) Blank Panel | -- | Blank Panel |
| (FSL02) Blank Panel | -- | Blank Panel |
| (FSL03) Blank Panel | -- | Blank Panel |
| (FSL04) Blank Panel | -- | Blank Panel |
| (FSL05) to (FSL07) CELL Module | HNS0400B00000 | LPRM Levels are converted to Normalized Oscillation Signal. |
| (FSL08) to (FSL09) AGRD Module | HNS0420B00000 | Amplitude-Based Detection Algorithm judgment is performed. Growth Rate-Based Detection Algorithm judgment is performed. |
| (FSL10) to (FSL11) PBD Module | HNS0430B00000 | Period-Based Detection Algorithm judgment is performed. |
| (FSL12) Blank Panel | -- | Blank Panel |
| (FSL13) Blank Panel | -- | Blank Panel |
| (FSL14) DAT/ST Module | HNS0410B00000 | Power status are indicated on the front panel. Input status are indicated on the front panel. Data are multiplexed. |
| (PSSL01) LVPS Module | HNS0500B00000 | +5V and ±15V power supply to each module. |
| (BSL03) Blank Panel        Blank Panel         (BSL04) DIO Module       HNS520B00000       Digital input are received from the Relay unit. Digital output are provided to the Relay unit.         (BSL05) RCV Module       HNS0541B00000       Optical data reception of the LPRM unit data from LPRM unit.         (BSL06) RCV Module       HNS0541B00000       Optical data reception of the APRM unit data from APRM unit.         (BSL07) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to ELCS and PICS.         (BSL08) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to TDR, SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | (BSL01) Blank Panel       |               | Blank Panel                                          |  |  |
| (BSL04) DIO ModuleHNS520B00000Digital input are received from the Relay unit. Digital<br>output are provided to the Relay unit.(BSL05) RCV ModuleHNS0541B00000Optical data reception of the LPRM unit data from<br>LPRM unit.(BSL06) RCV ModuleHNS0541B00000Optical data reception of the APRM unit data from<br>APRM unit.(BSL07) TRN ModuleHNS0531B00000Optical data transmission of OPRM unit data to ELCS<br>and PICS.(BSL08) TRN ModuleHNS0531B00000Optical data transmission of OPRM unit data to TDR,<br>SOE, and PC.(PSSL02) LVPS ModuleHNS500B00000+5V and ±15V power supply to each module.Power Factor Correction module (PFC)(External) Power FactorBPC-10Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | (BSL02) Blank Panel       |               | Blank Panel                                          |  |  |
| output are provided to the Relay unit.         (BSL05) RCV Module       HNS0541B00000         Optical data reception of the LPRM unit data from<br>LPRM unit.         (BSL06) RCV Module       HNS0541B00000         Optical data reception of the APRM unit data from<br>APRM unit.         (BSL07) TRN Module       HNS0531B00000         Optical data transmission of OPRM unit data to ELCS<br>and PICS.         (BSL08) TRN Module       HNS0531B00000         Optical data transmission of OPRM unit data to TDR,<br>SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000         +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)         (External) Power Factor       BPC-10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | (BSL03) Blank Panel       |               | Blank Panel                                          |  |  |
| (BSL05) RCV Module       HNS0541B00000       Optical data reception of the LPRM unit data from LPRM unit.         (BSL06) RCV Module       HNS0541B00000       Optical data reception of the APRM unit data from APRM unit.         (BSL07) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to ELCS and PICS.         (BSL08) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to TDR, SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)         (External) Power Factor       BPC-10       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | (BSL04) DIO Module        | HNS520B00000  |                                                      |  |  |
| LPRM unit.         (BSL06) RCV Module       HNS0541B00000       Optical data reception of the APRM unit data from APRM unit.         (BSL07) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to ELCS and PICS.         (BSL08) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to TDR, SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)         (External) Power Factor       BPC-10       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | (BSL05) RCV Module        | HNS0541B00000 |                                                      |  |  |
| APRM unit.         (BSL07) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to ELCS and PICS.         (BSL08) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to TDR, SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)         (External) Power Factor       BPC-10       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                           |               | LPRM unit.                                           |  |  |
| and PICS.         (BSL08) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to TDR,<br>SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)         (External) Power Factor       BPC-10       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | (BSL06) RCV Module        | HNS0541B00000 |                                                      |  |  |
| (BSL08) TRN Module       HNS0531B00000       Optical data transmission of OPRM unit data to TDR, SOE, and PC.         (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)       Power Factor       BPC-10         Input line filter for LVPS module.       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | (BSL07) TRN Module        | HNS0531B00000 | •                                                    |  |  |
| (PSSL02) LVPS Module       HNS500B00000       +5V and ±15V power supply to each module.         Power Factor Correction module (PFC)       Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | (BSL08) TRN Module        | HNS0531B00000 | Optical data transmission of OPRM unit data to TDR,  |  |  |
| Power Factor Correction module (PFC)           (External) Power Factor         BPC-10           Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                           |               |                                                      |  |  |
| (External) Power Factor BPC-10 Input line filter for LVPS module.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | (PSSL02) LVPS Module      |               |                                                      |  |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                           |               |                                                      |  |  |
| Correction module (PFC)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                           | BPC-10        | Input line filter for LVPS module.                   |  |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Correction module (PFC)   | <u> </u>      |                                                      |  |  |

#### Table III-5-1 Test Specimen Configuration during Environmental, Seismic, and EMC test of OPRM

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application UTLR-0020NP Part III Rev.2 Part III Qualification Results of the Power Range Monitor (PRM)

### III-5.1.1 Performance Proof Test

The performance proof test was performed prior to the qualification test as a pre-qualification test, and it was also performed after the qualification test as a post-qualification test. The performance proof test includes the Set-up and Check-out Test, the Operability Test, and the Prudency Test, and these tests were conducted in the same manner as the PRM Qualification.

### Qualification Tests

Qualification tests were conducted to demonstrate compliance with requirement specifications and to demonstrate suitability of the equipment while subject to stress conditions. Qualification tests were performed on the assembled Test System after the system passed the pre-qualification testing acceptance criteria.

The qualification tests include the Wear Aging Test, the Environmental Test, the Seismic Test, the Electromagnetic Interference/Radio-Frequency Interference (EMI/RFI) Test, the Power Surge Test, the Electrical Fast Transient / Burst (EFT/B) Test, and the Electrostatic Discharge (ESD) Test. The Environmental Test, the Seismic Test, the EMI/RFI Test, the Power Surge Test, the EFT/B Test, and the ESD Test were performed in a similar manner to the BWR-5 PRM Qualification.

The Radiation Test, which was performed for PRM, was not performed for OPRM. Because the equipment is designed to be installed in a mild environment, radiation exposure was not necessary.

The Wear Aging Test, which was not performed for PRM, was performed for OPRM. By design, the attachment of connectors and the switching of a key-switch may cause wear degradation, so wear aging testing was performed for them. The result of the Wear Aging Test is applicable to the same type of connectors and key-switch applied in BWR-5 PRM. The wear aging test is performed prior to the temperature and humidity test, in order to apply severe conditions such as interface oxidation due to wear aging. The wear aging test is not required for any screw used in the test specimen, since screws are managed with a controlled torque. After the wear aging test was performed, an operability test was performed.

The Class 1E to Non-Class 1E Isolation Test was performed for PRM for reference. The test was not performed for ABWR OPRM because fuses, analog isolators, optical couplers, and optic cables, which support Class 1E to Non-Class 1E isolation, are out of the scope of OPRM qualification.

## III-5.2 Qualification Tests for OPRM System

Qualification tests were conducted for the ABWR OPRM using a test specimen that is comprised of one OPRM unit with two Power Factor Correction modules (PFCs).

Qualification test items, with references to the relevant test documents of the OPRM Qualification, are shown in Table III-5-2. The test sequence of the environmental qualification test, seismic test, and EMC qualification test used for OPRM qualification is shown in Figure III-5-1 and Figure III-5-2. The EMC qualification test was conducted prior to the seismic test.

As shown in Table III-5-2, the test levels for the EMI/RFI Test, Power Surge Test, and EFT/B Test are not the same as those specified in the EPRI TR-107330 (Reference (a46)) requirements. Instead, the test levels used were obtained from RG 1.180, Revision 1 (Reference (a19)), which was issued in October 2003 after the EPRI report was completed. These Regulatory Guide values are considered to better reflect the current requirements of US utilities.

Results of these tests conducted for the OPRM system are summarized in the following subsections.

| | Test | Applied Standard | Toshiba Test Procedure Number* | Section in EQ Test Plan (Reference (c10))/EMC Test Plan (Reference (c11)) |
|---|---|---|---|---|
| 1. Performance Proof Test | 1.1 Set-up and Check-out Test | TR-107330 | FC51-7021-1002 (Reference (c12)) | Section 7.1 of EQ Test Plan/Section 7.1 of EMC Test Plan |
| | 1.2 Operability Test | TR-107330 | FC51-7021-1003 (Reference (c13)) | Section 7.1 of EQ Test Plan/Section 7.1 of EMC Test Plan |
| | 1.3 Prudency Test | TR-107330 | FC51-7021-1004 (Reference (c14)) | Section 7.1 of EQ Test Plan/Section 7.1 of EMC Test Plan |
| 2. Qualification Test | 2.1 Environmental (Wear Aging, Temperature and Humidity) Test | TR-107330 | FC51-7021-1005 (Reference (c15)) | Section 7.2 of EQ Test Plan |
| | 2.2 Seismic Test | TR-107330 | FC51-7012-1006 (Reference (c16)) | Section 7.2.3 of EQ Test Plan |
| | 2.3 EMI/RFI Test | RG 1.180 | FC51-7012-1007 (Reference (c17)) | Section 7.2.1.1 and 7.2.1.2 of EMC Test Plan |
| | 2.4 Power Surge Test | RG 1.180 | FC51-7012-1009 (Reference (c18)) | Section 7.2.1.3 of EMC Test Plan |
| | 2.5 EFT/B Test | RG 1.180 | FC51-7012-1009 (Reference (c18)) | Section 7.2.1.3 of EMC Test Plan |
| | 2.6 ESD Test | TR-107330 | FC51-7012-1010 (Reference (c19)) | Section 7.2.1.4 of EMC Test Plan |

#### Table III-5-2 Qualification Test Overview (OPRM Qualification)

\* This column lists the test procedure numbers used for OPRM qualification.

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application UTLR-0020NP Part III Rev.2 Part III Qualification Results of the Power Range Monitor (PRM)










## III-5.2.1 Environmental Test

### III-5.2.1.1 Wear Aging Test

The wear aging test was performed at the Toshiba Fuchu Complex. The test specimen was not energized during the wear aging test. In this test, the target connectors were subjected to 200 cycles of mechanical wear and the key switches were subjected to 550 cycles of mechanical wear. The operability test after the wear aging test was successfully performed. Thus, the test results showed that the performance of the test specimen was not directly degraded by wear aging at that time, and the test results were acceptable. Details of the wear aging test results are reported in the Environmental Qualification Report (Reference (c20)).

### III-5.2.1.2 Temperature and Humidity Test Profiles for OPRM System

The temperature and humidity test was performed at the test facility in the US to ensure that the Toshiba OPRM system operates correctly when exposed to the temperature and humidity conditions shown in TR-107330 (Reference (a46)) Section 6.3.3.

Requirements and the acceptance criteria for environmental test are specified in the Equipment Qualification Test Plan (Reference (c10)).

A total of two cycles of the temperature and humidity test were performed as planned. The temperature and relative humidity in the test chamber satisfied the requirements based on the Equipment Qualification Test Plan (Reference (c10)) throughout the temperature and humidity test.

After the test, the performance of the Test Specimen was compared to the baseline performance (measured during Pre-Qualification Test) to determine if the test impacted the performance and operability of the Test Specimen.

### III-5.2.1.3 Summary of Temperature and Humidity Test Results of OPRM System

The test results demonstrated that exposure to the temperature and humidity test conditions had no adverse effect on the OPRM performance. Details of the test results of the temperature and humidity test are reported in the Environmental Qualification Report (Reference (c20)).

#### III-5.2.2 Seismic Test


#### III-5.2.2.1 Seismic Test Method and Process for OPRM System

The seismic test was performed to assure that the OPRM Test Specimen provides the performance and seismic withstand capability under seismic test conditions shown in Section 4.3.9 of TR-107330 (Reference (a46)) in accordance with IEEE Std 344 (Reference (a32)).

Requirements and the acceptance criteria for the seismic test are specified in the Equipment Qualification Test Plan (Reference (c10)).

Table III-5-3 shows the seismic level applied during this test.

The OPRM unit was mounted on a rigid seismic test fixture using mounting brackets. The direction of OPRM unit was as follows:

- X-Direction: Side-to-side of OPRM
- Y-Direction: Front-back
- Z-Direction: Vertical

The OPRM unit was fixed in the brackets with four M5-12 mm truss head screws with fiber washers, and eight M4-14 mm hexagon socket bolts with flat and lock washers for the rear side. The PFCs were mounted on a steel plate in the rigid seismic test fixture. Each PFC was fixed on the steel plate with four M4 hexagon socket bolts with a 14 mm threaded portion. The specified tightening torque for the screws was 2.6 - 3.4 Nm on the front side and 1.3 - 1.7 Nm on the back side. The torque values were measured and confirmed to be within the limits during the testing.

#### Table III-5-3 Seismic Levels

| Seismic Event | Maximum Amplitude Requirement from EPRI TR-107330 Section 4.3.9 |
|---------------|------------------------------------------------------------------|
| OBE           | 10.8 g                                                           |
| SSE           | 15.4 g                                                           |

The seismic tests were performed in accordance with the Seismic Test Procedure (Reference (c16)). The following tests were performed:

(1) Resonance Search

The resonance search was conducted in each of the three principal orthogonal directions (front-to-back (Y), side-to-side (X), and vertical (Z)) with a 0.2g input peak sinusoidal acceleration from 1 to 100 Hz at one octave/minute sweep rate. Following the 1–100 Hz sweep, a 100–1 Hz sweep was also conducted for each principal direction.

(2) Random Multifrequency Tests (5 OBEs and 1 SSE)

The seismic test was performed on the triaxial vibration table, using random, multi-frequency acceleration time-history inputs to the vibration table at the seismic test area of the test facility in the US. The vibration table drive signal was a multi-frequency, random input, 30 seconds in duration with a minimum of 20 seconds of strong motion.

#### III-5.2.2.2 Summary of Seismic Test Results of OPRM System

(1) Resonance Search

Results from all the run cases show that the natural frequencies at three locations (OPRM Rack, OPRM Chassis, and PFC Plate) were substantially the same, and that the natural frequencies for the sweep up from 1 to 100 Hz and the sweep down from 100 to 1 Hz were also substantially the same. This indicates that these natural frequencies were not caused by the OPRM and/or PFC but by the fixture itself.

The response magnification factor with respect to the input acceleration at each location was less than 3.1 at a maximum at 41 through 45 Hz, and less than 3.8 at a maximum at 65 Hz or more. This indicates that the fixture on which the test specimen was mounted was adequately rigid.

The results stated above demonstrate that the fixture was appropriately designed and fabricated for testing, the mounting of the test specimen was successful, and the test specimen had no resonance point from 1 to 100 Hz.

Details of the test results of the resonance search are reported in the Dynamic Qualification Report (Reference (c22)).

(2) Random Multifrequency Tests (5 OBEs and 1 SSE)

(a) OBE Test Result

The OPRM unit and PFCs were subjected to five acceptable OBE test runs. Each OBE test run was 30 seconds in duration, with multiple frequency independent triaxial random motion over the frequency range of 1 through 100 Hz.

The test specimen maintained structural integrity, all the OPRM safety-related functions correctly operated, and no error was detected by the test system during and after each OBE test.

(b) SSE Test Result

An acceptable SSE test run to the SSE RRS was performed at the completion of the OBE test. The SSE test run was 30 seconds in duration, with multiple frequency independent triaxial random motion over the frequency range of 1 through 100 Hz.

The Test Response Spectra (TRS) did not envelop the Test Required Response Spectra (TRRS) below 2 Hz in the Side to Side and Vertical directions. The dips are acceptable per clause 7.6.3.1 of IEEE Std. 344-1987 (Reference (a32)) because it was shown that the test specimen and test fixture had no natural frequencies below 5 Hz as described in (1) of this section.

The test specimen maintained structural integrity, all the OPRM safety-related functions correctly operated, and no error was detected by the test system during and after the SSE test.

Details of the test results of the random multifrequency tests are reported in the Dynamic Qualification Report (Reference (c22)).

### III-5.2.3 Electromagnetic Compatibility (EMC) Test

#### III-5.2.3.1 Test Method and Process for OPRM System

The purpose of this test was to demonstrate the electromagnetic compatibility of the OPRM Test Specimen. EMI/RFI, Power Surge, EFT/B, and ESD tests were performed.

The test levels specified for EMI/RFI, Power Surge, and EFT/B Tests were not the same as those specified in EPRI TR-107330 (Reference (a46)) requirements. Instead, the test levels used were obtained from RG 1.180, Revision 1 (Reference (a19)), which was issued in October 2003. These Regulatory Guide values are considered to better reflect the current requirements of US utilities. EPRI TR-107330 was published in December 1996, prior to issuance of Revision 1 of RG 1.180.

Table III-5-4 shows the results of EMC tests.

The EMC tests were performed from December 3, 2012 through January 7, 2013.

Test Specimens were installed in the free-standing instrument rack. To permit confirmation of the Test Specimens' capability, this rack was designed neither to shield emissions from the Test Specimen nor to shield the equipment from external test signals. The Test Specimen rack was placed in the test facility's EMC chamber. During the EMC qualification test, the OPRM unit was operated with a specific test pattern in the normal and abnormal modes to monitor the OPRM performance and demonstrate the soundness of the test specimen throughout the test period. The specific test patterns are described in Section 8.4.1 of the EMC Qualification Report (Reference (c21)).

Details of the test results are reported in the EMC Qualification Report (Reference (c21)).


| Test Item                                             | Test Method                    | Test Level                                      | Test Results |
|-------------------------------------------------------|--------------------------------|-------------------------------------------------|--------------|
| Conducted Emissions Low Frequency                     | MIL-STD-461E/CE101             | 60 Hz to 10 kHz                                 | Comply       |
| Conducted Emissions High Frequency                    | MIL-STD-461E/CE102             | 10 kHz to 2 MHz                                 | Comply       |
| Radiated Emissions Magnetic Field                     | MIL-STD-461E/RE101             | 30 Hz to 100 kHz                                | Comply       |
| Radiated Emissions Electric Field                     | MIL-STD-461E/RE102             | 2 MHz to 10 GHz                                 | Comply       |
| Conducted Susceptibility Low Frequency                | MIL-STD-461E/CS101             | 120 Hz to 150 kHz                               | Comply       |
| Conducted Susceptibility High Frequency               | MIL-STD-461E/CS114             | 10 kHz to 30 MHz                                | Comply       |
| Conducted Susceptibility Bulk Cable                   | MIL-STD-461E/CS115             | 2 A                                             | Comply       |
| Conducted Susceptibility Damped Sinusoidal Transients | MIL-STD-461E/CS116             | 10 kHz to 100 MHz                               | Comply       |
| Radiated Susceptibility Magnetic Field                | MIL-STD-461E/RS101             | 30 Hz to 100 kHz                                | Comply       |
| Radiated Susceptibility Electric Field                | MIL-STD-461E/RS103             | 30 MHz to 10 GHz                                | Comply       |
| Surge 100 kHz Ring Wave                               | IEC 61000-4-12/Ring Wave       | 2 kV                                            | Comply       |
| Surge Combination Wave                                | IEC 61000-4-5/Combination Wave | 2 kV                                            | Comply       |
| Electrical Fast Transient/Burst                       | IEC 61000-4-4/EFT/B            | 2 kV                                            | Comply       |
| Electrostatic Discharge                               | IEC 61000-4-2/ESD              | 15 kV (Air Discharge) / 8 kV (Contact Discharge) | Comply       |


#### Table III-5-4 EMC Test Results

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

## III-5.2.3.2 EMI/RFI Test for OPRM System

The purpose of this test is to demonstrate the suitability of the OPRM System for qualification as a safety-related device with permissible EMI/RFI emissions and susceptibility.

The EMI/RFI Test was performed to assure that the OPRM System withstands the EMI/RFI levels given in RG 1.180 (Reference (a19)). Toshiba decided to use these test levels because they were issued more recently than the requirements specified in EPRI TR-107330 (Reference (a46)). These Regulatory Guide values are considered to better reflect the current requirements of US utilities.

The EMI/RFI susceptibility and emissions withstand capability was tested using the following test methods from MIL-STD-461E (Reference (a25)).

| Test | Type                                                   | Test Method |
|------|--------------------------------------------------------|-------------|
| (a)  | Conducted Emissions, Low-frequency                     | CE101       |
| (b)  | Conducted Emissions, High-frequency                    | CE102       |
| (c)  | Radiated Emissions, Magnetic Field                     | RE101       |
| (d)  | Radiated Emissions, Electric Field                     | RE102       |
| (e)  | Conducted Susceptibility, Low-frequency                | CS101       |
| (f)  | Conducted Susceptibility, High-frequency               | CS114       |
| (g)  | Conducted Susceptibility, Bulk Cable Injection         | CS115       |
| (h)  | Conducted Susceptibility, Damped Sinusoidal Transients | CS116       |
| (i)  | Radiated Susceptibility, Magnetic Field                | RS101       |
| (j)  | Radiated Susceptibility, Electric Field                | RS103       |

Requirements and the acceptance criteria for EMI/RFI tests are specified in the EMC Qualification Test Plan (Reference (c11)).

Details of the test results are reported in the EMC Qualification Report (Reference (c21)).

The EMI/RFI emission test was performed. All the test items of the EMI/RFI emission test were successfully completed. During the EMI/RFI emission test, the OPRM unit was supplied with the test pattern and checked for normal operation. The history of test progress and the performance check results showed that the OPRM operated normally as expected, performing its intended safety functions.

The EMI/RFI susceptibility test was performed. All the test items of the EMI/RFI susceptibility test were successfully completed. During the EMI/RFI susceptibility test, the performance of the OPRM unit was continuously monitored while the test pattern was input. The performance of the test specimen was checked to confirm that the test specimen met the criteria specified in the EMC Qualification Test Plan (Reference (c11)) without showing any susceptibility to the applied test level. The history of test progress and the performance check results showed that the OPRM operated normally as expected, performing its intended safety functions.

## III-5.2.3.3 Power Surge Test for OPRM System

The purpose of this test is to demonstrate the suitability of the OPRM System for qualification as a safety-related device with regard to Power Surge, as stated in Section 5 of RG 1.180 (Reference (a19)), IEC 61000-4-5 (Reference (a28)), and IEC 61000-4-12 (Reference (a29)).

The Power Surge Test was performed to ensure that the OPRM System withstands the surge limits given in Table 22 of RG 1.180. Surges were applied in accordance with IEC 61000-4-12 (for Ring Wave) and IEC 61000-4-5 (for Combination Wave).

Requirements and the acceptance criteria for EMI/RFI tests are specified in the EMC Qualification Test Plan (Reference (c11)).

Details of the test results are reported in the EMC Qualification Report (Reference (c21)).

The power surge test was performed. All the test items of the power surge test were successfully completed. During the power surge test, the performance of the OPRM unit was continuously monitored while the test pattern was input. The performance of the test specimen was checked to confirm that the test specimen met the criteria specified in the EMC Qualification Test Plan (Reference (c11)) without showing any susceptibility to the applied test level. The history of test progress and the performance check results showed that the OPRM operated normally as expected, performing its intended safety functions.

## III-5.2.3.4 EFT/B Test for OPRM System

The purpose of this test is to demonstrate the suitability of the OPRM System for qualification as a safety-related device with EFT/B withstand capability, as stated in Section 5 of RG 1.180 (Reference (a19)), and IEC 61000-4-4 (Reference (a27)).

The EFT/B Test was performed to assure that the OPRM Test Specimen withstands the surge EFT/B waveform given in Table 22 of RG 1.180.

Requirements and the acceptance criteria for EFT/B tests are specified in the EMC Qualification Test Plan (Reference (c11)).

Details of the test results are reported in the EMC Qualification Report (Reference (c21)).

The EFT/B tests were performed by applying disturbances of ±2 kV, categorized as "Category B locations" and "Low Exposure levels" in Regulatory Position 5 and Table 22 of RG 1.180, Revision 1 (Reference (a19)). The test specimen did not exhibit susceptibility to the required interference conditions for all levels and applications. The test specimen met the criteria specified in the EMC Qualification Test Plan (Reference (c11)). Thus, the test specimen demonstrated the surge withstand capability required in Regulatory Position 5.3 of RG 1.180, Revision 1.

## III-5.2.3.5 ESD Test for OPRM System

The purpose of this test is to demonstrate the suitability of the OPRM System for qualification as a safety-related device with regard to Electro-Static Discharge (ESD) withstand capability, as stated in IEC 61000-4-2 (Reference (a26)).

The ESD Test was performed to assure that the Test Specimen withstands the ESD levels given in Section 4.3.8 of EPRI TR-107330 (Reference (a46)).

Requirements and the acceptance criteria for ESD tests are specified in the EMC Qualification Test Plan (Reference (c11)).

Details of the test results are reported in the EMC Qualification Report (Reference (c21)).

The ESD test was performed. During the ESD test, the performance of the OPRM unit was continuously monitored while the test pattern was input. The performance of the test specimen was checked to confirm that the test specimen met the criteria specified in the EMC Qualification Test Plan (Reference (c11)) without showing any susceptibility to the applied test level. The history of test progress and the performance check results showed that the OPRM operated normally as expected, performing its intended safety functions.

The ESD test in accordance with IEC 61000-4-2 (Reference (a26)) was performed by applying Level 4 shown in Table 1 of IEC 61000-4-2. The test specimen met the criteria specified in the EMC Qualification Test Plan (Reference (c11)). Thus, the test specimen demonstrated the ESD withstand capability required in Section 4.3.8 of EPRI TR-107330 (Reference (a46)).

## III-5.3 Similarity Evaluation for New Module Design

The test specimen listed in Table III-5-1 was qualified through the environmental test, seismic test, and EMC qualification test. The design changes of the TRN module, the RCV module, and the related FPGAs used in those modules were made to add a Cyclic Redundancy Check (CRC) function. Supplemental software safety analysis activities and Verification & Validation (V&V) activities were performed on the changes of module and FPGA designs in the same manner as applied to the test specimen listed in Table III-5-1.

Table III-5-5 shows the relationship between the module types of the TRN modules and the FPGA code names applied to each module type before and after the design change. The design change is implemented as an FPGA logic change made on  $\begin{pmatrix} a,c \\ b,c \end{pmatrix}$  to enhance the integrity of data transmission between the RCV module and the TRN module used within the PRNM system, and of data transmission between the PRNM system and external systems. No change is made to the printed circuit board wiring, parts, hardware structure, or manufacturing process of the modules. Thus, no hardware design change is included in this design change. The HNS0531B00001 has the same hardware configuration as that of the HNS0531B00000.

| Before design change |                   | After design change |                   |                                |
|----------------------|-------------------|---------------------|-------------------|--------------------------------|
| Module Type          | FPGA Code<br>Name | Module Type         | FPGA Code<br>Name | Modified in this design change? |
| HNS0531              | a,c               | HNS0531<br>B00001   |                   | Modified                       |
| B00000               |                   | D00001              |                   | Use as is                      |
|                      |                   |                     |                   | Use as is                      |

#### Table III-5-5 Applicable Module Type and FPGA Code Name for TRN Modules

Table III-5-6 shows the relationship between the module types of the RCV modules and the FPGA code names applied to each module type before and after the design change. The design change is implemented as an FPGA logic change made on RCVUNIT3 and RCVOPT3 to enhance the integrity of data transmission between the RCV module and the TRN module used within the PRNM system, and of data transmission between the PRNM system and external systems. No change is made to the printed circuit board wiring, parts, hardware structure, or manufacturing process of the module. Thus, no hardware design change is included in this design change. The HNS0541B00001 has the same hardware configuration as that of the HNS0541B00000.

| Before design change |                   | After design change |                   |                                 |
|----------------------|-------------------|---------------------|-------------------|---------------------------------|
| Module Type          | FPGA Code<br>Name | Module Type         | FPGA Code<br>Name | Modified in this design change? |
| HNS0541              | a,c               | HNS0541     |                   | Modified                       |
| B00000               |                   | B00001      |                   | Modified                       |

#### Table III-5-6 Applicable Module Type and FPGA Code Name for RCV Modules

As discussed above, it was evaluated that the new module designs had no effect on the results of the environmental qualification test, seismic test, and EMC qualification test reported in Section III-5.2, and the qualification test results obtained for the test specimen listed in Table III-5-1 were extended to the new module designs.

## III-5.4 Conclusion of Qualification Tests for OPRM System

From the results of the qualification tests for ABWR OPRM, Toshiba concludes:

- The EMI/RFI emission test results show that the electromagnetic emissions from the test specimen satisfied the limit level specified in Regulatory Position 3 of RG 1.180, Revision 1 (Reference (a19)).
- The EMI/RFI susceptibility test results show that the test specimen did not exhibit any malfunction, degradation of performance, or deviation from specified limits when subjected to an immunity test signal specified in Regulatory Position 4 of RG 1.180, Revision 1.
- The power surge including EFT/B test results show that the test specimen did not exhibit any malfunction, degradation of performance, or deviation from specified limits, when subjected to an immunity test signal in Regulatory Position 5 of RG 1.180, Revision 1.
- Results of the ESD testing of OPRM show that the Test Specimen did not present any temporary degradation or loss of function or performance when the ESD was applied to points that can all be touched during normal operation. Thus, the test specimen demonstrated the ESD withstand capability required in Section 4.3.8 of EPRI TR-107330 (Reference (a46)).
- As a result of the similarity evaluation described in Section III-5.3, it was determined that the Environmental, Seismic, and EMC qualification test results could be applicable to the new TRN module and RCV module, which were made to add the Cyclic Redundancy Check (CRC) function.

## III-6 Qualification Analysis of OPRM

## III-6.1 General Description

Availability/Reliability Analysis, Failure Modes and Effects Analysis (FMEA), and Setpoint Support Analysis are performed for the OPRM in a similar manner to the PRM.

## III-6.2 Qualification Analysis of OPRM System

Qualification analysis was conducted for the ABWR OPRM. Results of the analysis conducted for the OPRM are summarized in the following subsections.

## III-6.2.1 Availability/Reliability Analysis of OPRM System

The availability and reliability analysis was performed for one OPRM unit and two Power Factor Correction modules (PFCs). Analysis of the PRNM system was not performed because the scope of this project is limited to the qualification of the OPRM equipment. Module failure rates were calculated in accordance with MIL-HDBK-217F (Reference (a24)). Each of those module failure rates is the rate for the worst-case condition, which is calculated by summing the failure rates of the respective components that make up each module. The OPRM unit adopts a modular design, which supports module replacement and an MTTR of 24 hours using spare and replacement parts stored at the plant site. Failures of non-safety-related functions, which do not affect safety-related functions and plant availability, are excluded from the analysis. Table III-6-1 lists the reliability values for the OPRM equipment (OPRM unit and PFC). Details of the availability and reliability analysis of the OPRM are documented in the Availability/Reliability Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Reference (c23)).

|                | MTBF                             | MTTR                    | Availability       |
|----------------|----------------------------------|-------------------------|--------------------|
|                | $\int_{yr}^{a,c} ( )_{hi}^{a,c}$ | $f_{j}$ $[]_{hr}^{a,c}$ | ( ) <sup>a,c</sup> |
| OPRM Equipment | using MIL STD 21                 | using TR-107330         | using TR-107330    |
|                | using MIL-STD-21                 | Section 4.2.3.3 C.      | Section 4.2.3.3 C. |

#### III-6.2.2 FMEA for OPRM System

The FMEA was performed in the Software Safety Analysis in the Design Phase and documented in the NICSD Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Design Phase) (Reference (c24)).

Failure modes that affect the safety-related functions and methods of detection for those failure modes were identified through the FMEA. The FMEA has been performed based on the design information from the module design specifications.

The detailed results of the FMEA are documented in the NICSD Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Design Phase). The results showed that failure modes that can prevent the OPRM from performing its function can be detected by the application-specific design, the built-in system diagnostics, or by periodic testing.

The Application Guide, Appendix II-A in the Part II of this Topical Report, includes recommendations for periodic surveillance. The general surveillance techniques should be similar to those used for existing systems. The surveillance interval of once per month, similarly, is based on existing technology. The surveillance is used to detect failures to lower the risk of occurrence of any problem that could adversely affect plant operation or safety. It is strongly recommended that specific nuclear plant safety-related applications incorporate Toshiba's result conforms to the failure state/FMEA requirements shown in Section 4.2.3.5 of EPRI TR-107330 (Reference (a46)).

## III-6.2.3 Setpoint Support Analysis for OPRM System

The function of the OPRM setpoint is to trip the reactor during a core instability event before the critical power ratio drops below the fuel safety analysis limit anywhere in the core. To determine core instability, the OPRM is comprised of multiple cells which receive input from Local Power Range Monitors (LPRMs). Each LPRM signal is processed through a conditioning filter followed by an averaging filter in order to generate a normalized signal to the OPRM cells. Because of the filtering process and generation of the normalized signal, the LPRM sensor and process uncertainties that are used in other Neutron Monitoring functions (e.g. APRM) are indiscernible for the OPRM system. The normalized signal is then sent to three detection algorithms (the Amplitude Based Detection Algorithm (ABA), Growth Rate-Based Algorithm (GRA) and Period Based Detection Algorithm (PBDA)). Of the three detection algorithms used by the OPRM system, only the PBDA is applied in the protection of the safety limit. Since the OPRM PBDA algorithm uses the normalized signal for trip determination and a digital rack contact for the trip, the uncertainties are effectively zero for this trip function. Applying the methodology to the OPRM PBDA value will still result in the same value as a setpoint for the OPRM PBDA trip. The methodology and details of the results are reported in the Setpoint Support Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Reference (c25)).

## III-7 Verification and Validation of OPRM

## III-7.1 Oscillation Power Range Neutron Monitor

Toshiba developed an OPRM, and conducted V&V for the OPRM throughout the development.

The Current process described in Section III-1.1 was used in the development and V&V. In the Current process, NED and NICSD worked under their Appendix B QA program. ICDD of NED ordered the OPRM system from NICSD. NICSD procured the modules of OPRM from PPDD who worked under its ISO 9001 QA program, using NICSD's CGD process. ICDD had the overall responsibility for the V&V activities.

## III-7.1.1 V&V Organization and Process

Engineers from ICDD and NICSD organized IV&V Teams, the ICDD IV&V Team and the NICSD IV&V Team, independent of the design group. The two IV&V Teams communicate with each other as one IV&V Team as needed for quality of the products.

The ICDD IV&V Team established an NED VVP defining the organizations, responsibilities, applicable standards, and the life cycle activities.

The NICSD IV&V Team established an NICSD VVP based on the NED VVP defining the organizations, responsibilities, applicable standards, and the life cycle activities for their portions. The NICSD VVP was submitted to ICDD for review and approval; and ICDD approved the NICSD VVP.

The V&V activities were performed following the current process described in Section I-1.5.2 in the Part I of this Topical Report, i.e., the following life cycle phases:

- Project Planning and Concept Definition Phase,
- Requirements Definition Phase,
- Design Phase,
- Implementation and Integration Phase,
- Unit/Module Validation Testing Phase, and
- System Validation Testing Phase.

Of these phases, the ICDD IV&V Team performed V&V activities for the upstream part in the Project Planning and Concept Definition Phase; the NICSD IV&V Team performed their V&V activities for the remaining part through the life cycle. The ICDD IV&V Team reviewed the NICSD V&V activities through the life cycle and completed the V&V at the end of the System Validation Phase.

## III-7.1.2 Design Verification

The ICDD and NICSD IV&V Teams verified the design of OPRM by reviewing the design documents, and tracing the requirements for OPRM throughout the life cycle using RTM.

## III-7.1.2.1 Document Reviews

The ICDD IV&V Team reviewed the following upstream design documents prepared by the ICDD design engineers:

- System Design Description (SDD),
- Interlock Block Diagrams (IBDs), and
- Instrumentation Electrical Diagrams (IEDs).

The NICSD IV&V Team reviewed the following design documents prepared by NICSD:

- Equipment Design Specification (EDS) specifying equipment design for the Power Range Neutron Monitor (PRNM) including OPRM, and
- OPRM Unit Detailed Design Specification (Unit DDS) specifying the functional requirements for the OPRM unit and defining the configuration of the OPRM unit.

The NICSD IV&V Team reviewed the following design documents prepared by PPDD:

- Module Design Specifications for modules installed in the OPRM unit, and
- FPGA Design Specifications for all FPGAs mounted on each module.

In addition to the design documents, the NICSD IV&V Team reviewed the following test procedures before the tests were performed:

- FPGA test procedures, and
- Module test procedures.

After each test, the NICSD IV&V Team reviewed the corresponding test reports.

The NICSD IV&V Team concluded that these test procedures and reports were satisfactory.

For the System Validation Test, the NICSD IV&V Team prepared the System Validation Test Procedure and System Validation Test Report.

## III-7.1.2.2 Requirements Traceability Efforts

The ICDD design engineers prepared an upstream RTM (Requirements Traceability Matrix) by collecting base requirements from the SDD, and tracing the base requirements forward to and back from the IBDs and IEDs. The RTM was reviewed by the ICDD IV&V Team, and sent to NICSD as the base requirements for the OPRM.

NICSD developed and extended the RTM to the EDS and the OPRM Unit DDS. PPDD extended the RTM further to the Module Design Specifications and FPGA Design Specifications. The NICSD IV&V Team verified that all requirements were traced forward and traced back through these design documents from the base requirements.

In addition, NICSD and PPDD developed and extended the RTM from design documents to corresponding test procedures, e.g., from each FPGA Design Specification to the corresponding FPGA test procedure. At the System Validation Testing Phase, the NICSD IV&V Team confirmed that all the OPRM unit requirements specified in the EDS and the OPRM Unit DDS were traced to the System Test Specification and the System Validation Test Plan.

## III-7.1.2.3 FPGA Logic Implementation V&V

PPDD established FPGA Design Specifications for all FPGAs mounted on each module, developed the VHDL source code for each FPGA, and converted the VHDL source code into netlists and into fusemaps using software tools. The fusemaps were implemented into each FPGA for FPGA testing.

These design activities were performed in accordance with the FPGA design principles described in Section II-2.1.5.

The FPGA Logic Implementation V&V included:

- (1) VHDL Source Code Review. See Section I-3.10.2.5 in Part I of this Topical Report.
- (2) Software Tool Message Review. See Section I-3.10.2.5 in Part I of this Topical Report.
- (3) Signal Timing Analysis Review. See Section I-3.10.2.5 in Part I of this Topical Report and Section II-2.1.5.3 in Part II of this Topical Report.
- (4) Netlist Review. See Section I-3.10.2.5 in Part I of this Topical Report.
- (5) FPGA Testing. The NICSD design engineers performed validation testing of the FPGAs in a manner that achieved the 100% toggle coverage criteria. See Section I-3.10.2.5 in Part I of this Topical Report and Section II-2.1.7 in Part II of this Topical Report.
- (6) Software Tool Control Review. See Section I-3.10.2.5 in Part I of this Topical Report.

The NICSD IV&V Team concluded that the NICSD V&V activities were completed in an acceptable manner.

#### III-7.1.2.4 Validation Testing

PPDD performed the Module Validation Testing for each module. NICSD assembled these modules into an OPRM unit. The NICSD IV&V Team performed the System Validation Testing. Since the OPRM includes only one unit, the OPRM unit, NICSD did not perform unit validation testing.

A set of test equipment similar to that used for the PRM testing was used in the OPRM testing, except that no analog signal is entered into or received from the OPRM. In the System Validation Testing, the test equipment was connected with the OPRM unit through fiber optic links and discrete I/O cables. One or more test PCs controlled the test equipment, and recorded the input and output signals. The output signals were compared with the desired values.

For the Module Validation Testing, the NICSD IV&V Team reviewed the Module Test Reports, and concluded that the test reports were acceptable.

For the System Validation Testing, the NICSD IV&V Team performed the testing, and concluded that each test result was satisfactory.

#### III-7.1.3 Safety Analyses

ICDD performed a safety analysis for the upstream design of the OPRM in the Project Planning and Concept Definition Phase. The analysis checked whether all software safety requirements of the OPRM safety functions described in the ABWR Design Control Documents were included in the SDD, and concluded the OPRM design included all the requirements.

NICSD performed a safety analysis for each phase of the life cycle using a fault tree or FMEA. The analyses found some concerns. These concerns were resolved through the life cycle as reported in Part VI of this LTR.

ICDD reviewed all NICSD SSARs, and prepared ICDD SSARs based on the NICSD SSARs. ICDD finalized the safety analyses at the end of the System Validation Testing Phase.

## III-7.1.4 V&V Iteration

The ICDD and NICSD IV&V Teams iterated necessary V&V activities when design documents were changed. In particular, the requirements for the CRC function of the TRN and RCV modules were added to the design documents in the middle of the project. The ICDD and NICSD IV&V Teams reviewed all design documents affected by this change, and performed necessary RTM efforts. The NICSD IV&V Team performed the module validation tests for the modified TRN and RCV modules.

### III-7.1.5 V&V Conclusions

The NICSD IV&V Team documented their V&V activities in the NICSD VVR. The NICSD VVR concluded that all NICSD V&V activities for OPRM had been completed.

The ICDD IV&V Team issued the NED VVR for OPRM, which documents the ICDD portion of the V&V activities including review of the NICSD VVR.

The NED VVR concluded, confirming the conclusions of the NICSD VVR and NED SSAR, that the OPRM developed in this project is appropriate for safety-related use for ABWR plants as long as the recommendations in the NICSD VVR and the NED SSAR are implemented.

Part VI of this LTR is the NED VVR for OPRM, with the NICSD VVR for OPRM attached.



UTLR-0020NP Part IV Rev.2 August 2015

# **Topical Report**

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application

Part IV Compliance to the Codes and Standards

Approved by Electrical System Design & Engineering Dept.

Masahiko Hamada

Toshiba Corporation Nuclear Energy Systems & Services Division

©2012 - 2015 Toshiba Corporation All Rights Reserved

The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.


# Table of Contents

- Table of Contents
- List of Tables
- Note for Acronyms and References
- IV-1 Introduction
  - IV-1.1 Background
  - IV-1.2 Purpose
  - IV-1.3 Scope
- IV-2 Compliance with IEEE Std 603-1991
- IV-3 Compliance with IEEE Std 7-4.3.2-2003
- IV-4 Conformance with EPRI TR-107330
- IV-5 Compliance to DI&C ISG-04 "Highly-Integrated Control Rooms—Communications Issues (HICRc)"
- IV-6 Document Mapping with DI&C ISG-06
- IV-7 Correspondence of Toshiba Process to RG 1.152


# List of Tables

- Table IV-2-1 PRM and OPRM Conformance with IEEE Std 603-1991
- Table IV-3-1 Conformance with IEEE Std 7-4.3.2-2003
- Table IV-4-1 Conformance with EPRI TR-107330
- Table IV-5-1 Conformance with ISG-04
- Table IV-6-1 Document Mapping with DI&C ISG-06
- Table IV-7-1 Correspondence of Toshiba Process to RG 1.152

## Note for Acronyms and References

All acronyms and references are listed in the separate Acronym and Reference Part, which is part of this LTR.

## IV-1 Introduction

This is Part IV of the Licensing Topical Report (LTR) for the Toshiba Non-Rewritable Field Programmable Gate Array (NRW-FPGA)-based Instrumentation and Control (I&C) Systems for Safety-Related Applications. This part describes the compliance to Codes and Standards.

## IV-1.1 Background

Toshiba has extensive experience in supplying nuclear safety-grade Instrumentation and Control (I&C) systems in Japan. This experience ranges from supplying digital I&C systems, such as power range neutron monitors for individual plants, up to designing and manufacturing the world's first fully integrated digital CPU-based I&C system for Advanced Boiling Water Reactors (ABWRs). These systems were first installed at Kashiwazaki-Kariwa Unit 6, and are in use at Kashiwazaki-Kariwa Unit 6 and Hamaoka Unit 5.

Following the installation of the CPU-based BWR digital system, Toshiba started development of I&C technology based on Non-Rewritable (NRW) Field Programmable Gate Arrays (FPGAs) and supplied the NRW-FPGA-based I&C products to Japanese Nuclear Power Plants under Toshiba's ISO 9001 program. NRW-FPGA-based products have been installed in 11 nuclear power plants including 254 NRW-FPGA-based units for non-safety-related systems, 91 units for safety-related process radiation monitors, and 60 units for safety-related neutron monitoring systems.

Toshiba also established a 10 CFR 50 Appendix B (Reference (a2)) Quality Assurance (QA) process to permit the use of Toshiba FPGA-based system in the US for safety-related applications in nuclear power plants. Toshiba implemented Appendix B QA processes in a phased approach as follows to ensure a smooth transition of the processes at the affected organizations.

- Original Process:

  Toshiba initially established the Appendix B QA process in the system engineering organization. This process was applied to the development and the qualification of the Power Range Monitor (PRM) for a Boiling Water Reactor (BWR)-5. This process is referred to as the "Original Process" in this topical report.

- Current Process:

  Toshiba improved the Original Process by extending the Appendix B QA process into the design organization and closer to the manufacturing organizations where other Toshiba NRW-FPGA-based I&C products are developed. This process is referred to as the "Current Process" in this LTR. All future work will be under this process, including any modifications to equipment produced under the original process.

Toshiba has used the Original Process to develop and qualify a NRW-FPGA-based PRM for a BWR-5. Toshiba used the Current Process to develop and qualify the Oscillation Power Range Monitor (OPRM) for ABWR.

This LTR uses the term "PRM," to mean PRM for BWR-5 and uses the term "OPRM," to mean OPRM for ABWR.

This LTR consists of the following six parts:

Part I describes software lifecycle and development processes.

Part II provides the design descriptions for the PRM and the OPRM and includes an application guide.

Part III describes the qualification results for the PRM and the OPRM.

Part IV provides the compliance tables for Toshiba processes to important Codes and Standards.

Part V provides the BWR-5 PRM V&V report.

Part VI provides the ABWR OPRM V&V report.

The Acronym and Reference Part lists all the acronyms and references used in all Parts of the LTR except Parts V and VI. Part V and Part VI have their own acronym and reference lists because they are the existing actual V&V reports for the PRM and the OPRM.

## IV-1.2 Purpose

This document is Part IV of the LTR. This part of the LTR describes the compliance of Toshiba NRW-FPGA-based Safety-Related PRM and OPRM Systems to the codes and standards.

## IV-1.3 Scope

This LTR, including Part IV, is being submitted to the USNRC for review and approval of the Toshiba NRW-FPGA-based Safety-Related PRM and OPRM.

Part IV of the LTR describes the compliance of the Toshiba NRW-FPGA-based Safety-Related PRM and OPRM to the following codes and standards:

- IEEE Std 603-1991 (Reference (a36))
- IEEE Std 7-4.3.2-2003 (Reference (a30))
- EPRI TR-107330 (Reference (a46))
- DI&C ISG-04 (Reference (a22))
- DI&C ISG-06 (Reference (a23))

This report includes the following information:

- Section IV-1 provides introductory material, including the report purpose and scope.
- Section IV-2 describes compliance with IEEE Std 603-1991.
- Section IV-3 describes compliance with IEEE Std 7-4.3.2-2003.
- Section IV-4 describes compliance with EPRI TR-107330.
- Section IV-5 describes compliance with DI&C ISG-04.
- Section IV-6 describes how this LTR maps to DI&C ISG-06.

## IV-2 Compliance with IEEE Std 603-1991

Table IV-2-1 documents conformance of the PRM and OPRM to IEEE Std 603-1991 (Reference (a36)). All Toshiba safety systems will comply with the requirements of IEEE Std 603-1991, as required by US regulation.

Appendix 7.1-C of the USNRC Standard Review Plan (SRP), NUREG-0800 (Reference (a4)) provides guidance for evaluation of conformance to IEEE Std 603-1991. Table IV-2-1 is prepared considering Appendix 7.1-C of the SRP.

Figure 2 of the IEEE Std 603-1991 illustrates the scope of the standard. Some parts of this standard are out of the scope of the FPGA-based safety-related I&C systems in this LTR, as the features apply to the installed system with a plant-specific context. For example, Toshiba cannot include the manual control features defined in Clause 7.2 of IEEE Std 603-1991 "Execute Features" in the FPGA-based safety-related I&C systems. Rather, such features will be included in a plant-specific design. Toshiba's equipment includes design features to support plant applications, including compliance with the manual control features to the extent that a PRM or OPRM requires manual control features.

The IEEE clauses are summarized in the table below. Toshiba evaluates system and plant-specific designs against the standard itself, to avoid issues with interpretation that result from changes in the IEEE standard.

Notes:

- "Comply" means the Toshiba safety system complies with the corresponding IEEE Std 603 requirement.
- "---" means there is no requirement in the IEEE Std 603.
- "N/A" means the IEEE Std 603 requirement is applied at the plant level, when the systems described in this LTR are integrated with the plant, including the plant human-system interface.

|        | IEEE Std 603-1991                                           | Compliance | Comments         |
|--------|-------------------------------------------------------------|------------|------------------|
| Clause | Requirements Summary                                        |            |                  |
| 1      | Scope. Description of IEEE scope.                           |            | No requirements. |
| 2      | Definitions.<br>List of definitions used in the standard.   |            | No requirements. |
| 3      | Reference.<br>List of documents referenced in the standard. |            | No requirements. |

## Table IV-2-1 PRM and OPRM Conformance with IEEE Std 603-1991

|        | IEEE Std 603-1991                                                                                                                                                                             |        | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                                                                                                          |        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 4      | A safety system design basis shall be established.                                                                                                                                            | Comply | Toshiba established a specific design basis for each safety<br>system design in each engineering process. The engineering<br>processes are described in the following LTR sections.                                                                                                                                                                                                                                                                                                                                                               |
|        |                                                                                                                                                                                               |        | Section I-2 describes QA programs used in establishing design<br>bases and performing work in the current process. Section I-A-3<br>describes QA programs used in establishing design bases and<br>performing work in the original process.                                                                                                                                                                                                                                                                                                       |
|        |                                                                                                                                                                                               |        | Section I-3.3.1 describes how the base requirements for the FPGA-based I&C system are established in the Project Planning and Concept Definition Phase in the current process.                                                                                                                                                                                                                                                                                                                                                                    |
|        |                                                                                                                                                                                               |        | Section I-A-4.2.1 describes how the base requirements for the PRM were established in the Project Planning and Concept Definition Phase in the original process.                                                                                                                                                                                                                                                                                                                                                                                  |
| 4.1    | The design basis events applicable to each operation mode.                                                                                                                                    | Comply | Section I-3.3.1.1 states that plant specific documents,<br>regulations, and applicable industry codes and standards are<br>inputs to the Project Planning and Concept Definition Phase in<br>current process. Section I-A-2 states that plant specific<br>documents, regulations, and applicable industry codes and<br>standards are inputs to the Project Planning and Concept<br>Definition Phase in the original process. The design basis<br>events are included in the plant specific documents and<br>regulations.                          |
| 4.2    | The safety functions and corresponding protective actions of the execute features.                                                                                                            | N/A    | The PRM and OPRM in this LTR monitor the core and provide<br>safety functions (trips or data to block rod withdrawal or<br>insertion) to protect the core, which supports the protective<br>actions of the reactor trip system and the rod block monitor.                                                                                                                                                                                                                                                                                         |
| 4.3    | The permissive conditions for each operating bypass capability.                                                                                                                               | Comply | Section I-3.3.1.3 states that the SDD and IBD are prepared for<br>each FPGA-based system and Section I-3.3.1.7 states that an<br>EDS is prepared for each FPGA-based system in the current<br>process. Section I-A-4.2.1 states that the ERS was prepared for<br>the PRM in the original process. These documents and<br>drawings document the permissive conditions for each<br>operating bypass capability.                                                                                                                                     |
| 4.4    | The variables or combinations of<br>variables, or both, to be monitored; the<br>analytical limit associated with each<br>variable, the ranges; and the rates of<br>change of these variables. | Comply | Section I-3.3.1.3 states that the SDD and IED are prepared for<br>each FPGA-based system and Section I-3.3.1.7 states EDS is<br>prepared for each FPGA-based system in the current process.<br>Section I-A-4.2.1 describes that the ERS was prepared for the<br>PRM in the original process. These documents and drawings<br>document the monitored variables, as well as system response<br>times, ranges, and the rates of the change of the variables with<br>the value required from the plant specific document for the<br>analytical limit. |
| 4.5    | Minimum criteria for each possible manual action.                                                                                                                                             |        | The PRM and OPRM are automatic systems, providing<br>automatic initiation function corresponding to protective<br>actions, not requiring any safety action by manual means.                                                                                                                                                                                                                                                                                                                                                                       |

| IEEE Std 603-1991 |                                                                                                                                                       | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause            | Requirements Summary                                                                                                                                  |            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| 4.6               | For those spatially dependant variables<br>in 4.4, the minimum number and<br>locations of sensors required for<br>protective purposes.                | Comply     | The location and number of neutron flux detectors in the reactor<br>core is not part of this LTR. This LTR expects that appropriate<br>numbers and locations of detectors are defined, and that the<br>allocation of detectors to channels has been performed in a<br>manner that will protect the core.<br>The PRM and OPRM systems are typical systems that use<br>spatially dependent variables.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 4.7               | The environmental conditions<br>throughout which the safety system<br>shall perform.                                                                  | Comply     | Section II-A-4.2 describes how the PRM and OPRM are<br>evaluated for compliance with the environmental conditions<br>given in EPRI TR-107330, RG 1.180 Rev.1, and other nuclear<br>standards.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 4.8               | The conditions which may cause<br>degradation and for which provisions<br>are needed to retain the capability for<br>performing the safety functions. | Comply     | Toshiba qualified the PRM and OPRM using the guidance of RG 1.180, Revision 1; RG 1.209, Revision 0; EPRI TR-107330, and IEEE Std 323-2003 as appropriate. Toshiba considers that the stressors applied during equipment qualification are sufficient for installation in a mild environment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 4.9 | The methods of the reliability analysis<br>determine that the reliability is<br>sufficient for the safety systems. | Comply | Section I-3.3 Software Development Plan and Section I-3.10<br>Software V&V Plan describe methods Toshiba uses to enhance<br>the software reliability in the current process, ensuring the<br>requirements in the top level design documents are<br>implemented.<br>Section I-A-4.2 Software Development Planning and Practice<br>and Section I-A-4.8 Software V&V Planning and Practice<br>describe methods Toshiba used to enhance the software<br>reliability of the PRM, ensuring the requirements in the top<br>level design documents are implemented.<br>For qualitative hardware reliability, Section III-3.2.1 describes<br>the Availability/Reliability analysis for the PRM system and<br>Section III-6.2.1 describes the Availability/Reliability analysis<br>for the OPRM system. These analyses are used to establish<br>conservative hardware reliability figures.<br>Toshiba uses the hardware reliability numbers to ensure the<br>hardware has sufficient reliability to meet typical utility and<br>PRA requirements and expectations. |
| 4.10              | The critical points in time or the plant conditions including:                                                                                        | Comply     | Section II-2.2.3.3 discusses determinism, stating that analyses are performed to satisfy the design timing requirements set forth in Clause 4.10 of IEEE Std 603.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 4.10.1 | For which the protective actions of the safety system shall be initiated. | | Section I-3.3.1.3 states that the SDD and IBD are prepared for<br>each FPGA-based system and Section I-3.3.1.7 states EDS is<br>prepared for it in the current process. Section I-A-4.2.1<br>describes that the ERS was prepared for the PRM in the original<br>process. These documents and drawings document the critical<br>points in time and plant conditions for the initiation,<br>completion, and control of the protective actions, and the<br>conditions that allow returning the safety systems to normal. |
| 4.10.2 | For the completion of the safety function. | - | |
| 4.10.3 | Requiring automatic control of protective actions. | | |
| 4.10.4            | Allowing returning a safety system to normal.                                                                                                         |            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |

|        | IEEE Std 603-1991 | Compliance | Comments |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                                                                                                                                         |        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 4.11   | The equipment protective provisions<br>that prevent the safety systems from<br>accomplishing their safety functions.                                                                                                         | Comply | FMEA in the qualification and the hazard analysis report<br>documents potential faults and failures, which Toshiba attempts<br>to eliminate or at least mitigate in the system design (Section<br>III-3.2.2 for the PRM and Section III-6.2.2 for the OPRM).<br>The system behavior then provides a basis on which plant faults<br>and failures can be evaluated (Section III-4.1.3 for the PRM and<br>Section III-7.1.3 for the OPRM).<br>For plant systems, Toshiba will perform safety analyses as<br>necessary.                                                                                                                                                                                                        |
| 4.12   | Any other special design basis.                                                                                                                                                                                              | Comply | Section II-2.2.3.3 discusses determinism, and Section II-2.2.3.5 discusses simplicity.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 5      | The safety systems shall maintain<br>plant parameters within acceptable<br>limits | Comply | Section I-3.3.1.3 states that the SDD and IED are prepared for<br>each FPGA-based system and Section I-3.3.1.7 states EDS is<br>prepared for each FPGA-based system in the current<br>process. Section I-A-4.2.1 states that the ERS is prepared for<br>each FPGA-based system in the original process. These<br>documents and drawings document how the safety systems<br>maintain, with precision and reliability, the required specific plant<br>parameters within acceptable limits established for the required<br>design basis event. |
| 5.1    | Single-failure criterion.                                                                                                                                                                                                    | Comply | Section II-2.2.2.3 describes that the PRM and OPRM systems<br>can generate a trip signal leading to a scram signal generated by<br>the RPS, under permissible bypass conditions, meeting the<br>Single Failure Criterion.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 5.2    | Completion of protective action.<br>The safety systems shall be designed<br>to complete the protective actions. | N/A    | Neither the PRM nor the OPRM completes the protective actions by<br>itself, because they are part of the safety systems that complete<br>the protective actions. Toshiba expects that the RPS will be<br>designed to ensure that an initiated trip carries through to<br>completion, once sufficient PRM or OPRM have provided<br>votes to trip to the RPS. |
| 5.3    | Quality.<br>Safety system equipment shall be<br>designed, manufactured, inspected,<br>installed, tested, operated, and<br>maintained in accordance with a<br>prescribed quality assurance program<br>(ANSI/ASME NQA-1-1989). | Comply | Section I-2.1 describes the QA program in the current process.<br>Section I-A-3 describes the QA program in the original process.<br>These sections also describe how the complete software /<br>programmable logic life cycle program (including the software<br>quality assurance program) operates under Toshiba's NQA-1<br>compliant nuclear QA program used for the FPGA-based<br>safety-related I&C systems.<br>Section I-3 describes the software/hardware development process<br>in the current process. Section I-A-4 describes the<br>software/hardware development process in the original<br>process.<br>Section I-2.2.3 and Section I-A-3.2.3 describe the methods<br>Toshiba uses to accept commercial grade items. |

|        | IEEE Std 603-1991                                                                                                                                                                                                    | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                                                                                                                                 |            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 5.4    | Equipment qualification.<br>Safety system equipment shall be<br>qualified by type test, previous<br>operating experience, or analysis, or<br>any combination of these three<br>methods.                              | Comply     | Part III of this LTR describes Toshiba's Qualification Test<br>program and Test Results.<br>Toshiba qualifies the FPGA-based I&C system by type test,<br>using EPRI TR-107330, IEEE Std 323-1983, and Reg.<br>Guide 1.209.<br>Reg. Guide 1.180 Revision 1 is used for EMI qualification.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 5.5    | System integrity.<br>The safety systems shall be designed<br>to accomplish their safety functions<br>under the full range of applicable<br>conditions enumerated in the design<br>basis. | Comply     | The qualification test and the V&V efforts provide adequate<br>confidence that system integrity is maintained under the full<br>range of applicable conditions enumerated in the<br>specific plant design basis.<br>Section I-3 addresses the software/hardware development<br>process in the current process, and Section I-A-4 addresses the<br>software/hardware development process in the original process.<br>The software/hardware development process ensures software<br>and hardware integrity in the FPGA-based I&C systems.<br>Software safety analysis in the current process is described in<br>Section I-3.9; software safety analysis in the original process is<br>described in Section I-A-4.7.<br>Appendix 7.1-C of the SRP states that real-time performance is<br>a special concern of system integrity. Section II-2.2.2.2.1<br>addresses the response time requirements of the PRM. Section<br>II-2.2.2.2.2 addresses the response time requirements of the<br>OPRM. |
| 5.6    | Independence.                                                                                                                                                                                                        |            | Clause Title                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 5.6.1  | Redundant portions of a safety system<br>shall be independent and physically<br>separated. | Comply     | Section II-2.2.3.2.1 describes that each of the divisions of the PRM and OPRM is physically and electrically separated.<br>Section II-2.2.3.2 describes that only votes to trip and status information are provided across divisional boundaries into the RPS, providing communications independence. As described in Section II-2.1.4.5, for BWR-3, data is shared across divisions in a controlled manner to ensure that sufficient data is provided to protect the fuel integrity, in a manner approved and licensed in the US BWR fleet for existing PRM and OPRM applications. For other BWRs no data are shared across the divisions. |
| 5.6.2  | Safety system equipment shall be<br>independent of, and physically<br>separated from, the effects of the<br>design basis event. Equipment<br>qualification in accordance with 5.4 is<br>one method that can be used. | Comply     | Toshiba qualifies FPGA-based I&C systems using methods compliant with Clause 5.4 of this IEEE standard. |

|         | IEEE Std 603-1991 | Compliance | Comments |
|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause  | Requirements Summary                                                                                                                                                                                                                                                                                        |        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 5.6.3   | The safety system shall be designed<br>not to suffer from credible failures in<br>and consequential actions by other<br>systems, in meeting the requirements<br>of this standard. | Comply | Section II-2.2.3 describes FPGA application principles<br>including redundancy and independence.<br>Redundant power supplies are provided on separate circuits.<br>Section II-2.2.3.2.1 describes that qualified electrical isolation<br>devices are provided between redundant Class 1E divisions and<br>between non-Class 1E and Class 1E circuits. |
| 5.6.3.1 | Interconnected equipment.<br>(1) Classification. Equipment that is<br>used for both safety and non-safety<br>functions shall be classified as part of<br>the safety systems. Isolation devices<br>used to effect a safety system<br>boundary shall be classified as part of<br>the safety system. | Comply | Section II-2.1.4.3 describes data and communication<br>independence. Each division has uni-directional fiber optic<br>communication links, providing fixed data sets between<br>divisions as well as fixed data sets from each safety-related<br>division individually to external, nonsafety related systems,<br>through Class 1E to non-Class 1E isolation.<br>All equipment and programmable logic physically located<br>within safety systems is classified as safety-related.<br>Appropriate data, communication, and electrical isolation are<br>provided between channels/divisions as well as from safety to<br>nonsafety. |
|         | (2) Isolation. No credible failure on the<br>non-safety side of an isolation device<br>shall prevent any portion of a safety<br>system from meeting its minimum<br>performance requirements. | Comply | |
| 5.6.3.2 | Equipment in proximity.<br>(1) Separation. Other systems<br>equipment placed in proximity to safety<br>system equipment shall be physically<br>separated from the safety system<br>equipment. The separation of Class 1E<br>equipment shall be in accordance with<br>the requirements of IEEE Std<br>384-1981. | Comply | Section II-2.2.3.2.1 states that each of the divisions of the PRM<br>and OPRM is physically separated from the other redundant<br>divisions, following the guidance of Regulatory Guide 1.75<br>which endorses IEEE Std 384.<br>Each plant-specific design will ensure that adequate separation<br>and/or barriers are provided between systems and wiring as<br>necessary. |
|         | (2) Barrier. Physical barriers used to<br>effect a safety system boundary shall<br>meet the requirements of 5.3, 5.4 and<br>5.5.                                                                                                                                                                            | Comply |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 5.6.3.3 | Effects of a single random failure.<br>The safety system shall perform the<br>safety functions even if it is degraded by<br>any separate single failure in a<br>non-safety system. | Comply | Section II-2.2.3.2 describes physical, data, and communications<br>independence of the PRM and OPRM, and ensures that they do<br>not suffer from failures in any nonsafety system.<br>Single random failures in the safety systems are dealt with<br>through divisional redundancy. Detected failures are<br>annunciated. There are no identified interfaces with<br>non-safety related equipment that could degrade the operation<br>of the PRM or OPRM. |
| 5.6.4   | Detailed criteria.<br>IEEE Std 384-1981 provides detailed<br>criteria for the independence of Class<br>1E equipment and circuits.                                                                                                                                                                           | Comply | Section II-2.2.3.2.1 addresses physical and electrical<br>independence; Section II-2.2.3.2.2 addresses communication<br>and data independence.<br>Toshiba has designed the FPGA-based systems to comply with<br>the likely independence requirements in plant-specific systems.                                                                                                                                                                                                                                                                               |

| IEEE Std 603-1991 | | Compliance | Comments |
|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                                                                                                                                                                                                                                                                                                                                                                      |        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 5.7 | Capability for testing and calibration.<br>Safety system equipment shall provide<br>testing and calibration capability<br>during power operation, retaining the<br>safety functions.<br>Testing of Class 1E systems shall be in<br>accordance with the requirements of<br>IEEE Std 338-1987.<br>Exceptions are allowed where this<br>capability cannot be provided without<br>adversely affecting the safety or<br>operability of the generating station. | Comply | Section II-2.2.3.1.2 describes how the PRM and OPRM<br>configurations are redundant, and the PRM and OPRM generate<br>divisional votes to trip leading to a scram signal generated in<br>the RPS, under permissible bypass conditions.<br>Section II-2.2.3.2.2 describes the PRM and OPRM<br>self-diagnostic functions that continuously verify proper FPGA<br>and communications performance. The PRM and OPRM are<br>also designed for surveillance testing and maintenance. The<br>PRM and OPRM also meet the Single Failure Criterion even<br>when one division is bypassed for maintenance.<br>Section II-A-2.7 describes self-diagnostics capabilities.<br>Toshiba notes that the sensors themselves are likely to require<br>outages for more extensive maintenance, surveillance, or<br>replacement activities, but that the FPGA-based equipment is<br>designed to support on-line maintenance, to the extent<br>practicable. |
| 5.8    | Information Displays.                                                                                                                                                                                                                                                                                                                                                                                                                                     |        | Clause Title                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 5.8.1  | Displays for manually controlled<br>actions.<br>The display instrumentation provided<br>for safety manually controlled actions<br>shall be part of the safety systems.                                                                                                                                                                                                                                                                                    | N/A    | The requirements for the information display are issues of plant<br>design, and the PRM and OPRM alone cannot satisfy the<br>requirements.<br>Basically, the PRM and OPRM are designed to accomplish their<br>safety actions without any manual action.<br>However, the PRM and the OPRM have features to support<br>information display and indication of bypasses in the Main<br>Control Room. Toshiba does not include a video display unit or<br>soft controls in this LTR.                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 5.8.2 | System status Indication.<br>Display instrumentation shall provide<br>accurate, complete, and timely<br>information pertinent to safety system<br>status. | Comply | |
| 5.8.3  | Indication of bypasses.<br>Bypass status except an operating<br>bypass shall be provided in the control<br>room.                                                                                                                                                                                                                                                                                                                                          | Comply |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 5.8.4  | Location.<br>Information displays shall be located<br>accessible to the operator.                                                                                                                                                                                                                                                                                                                                                                         | Comply |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |

| IEEE Std 603-1991 | | Compliance | Comments |
|--------|--------|--------|--------|
| Clause | Requirements Summary | | |
| 5.9 | Control of access.<br>The access to the safety system<br>equipment shall be administratively<br>controlled. | Comply | Provisions for controlling access through administrative means<br>are provided in all Toshiba safety system designs.<br>Implementation of such administrative controls is<br>plant-specific.<br>The PRM and OPRM have some support features to meet this<br>requirement. |
| 5.10 | Repair.<br>The safety systems shall allow timely<br>recognition, location, replacement,<br>repair, and adjustment of<br>malfunctioning equipment. | Comply | The PRM and OPRM systems have self-diagnostics for early detection of a fault, and their modular design eases the replacement of failed components.<br>Section II-A-2.7 describes self-diagnostic capabilities.<br>Section II-2.2.3.3 describes how the FPGA-based system designs use multiple FPGAs on modules, in which data is passed from the first FPGA through the remaining FPGAs and a watchdog timer on each module alarms if all signal processing FPGAs do not finish passing data, as well as a means of annunciating the failure locally and remotely to the main control room operators. |
| 5.11   | Identification.<br>The following identification<br>requirements shall be met:<br>Safety system equipment shall be<br>identified for each redundant portion<br>of safety system.<br>Components identified as being in a<br>single redundant portion do not require<br>identification.<br>Safety system identification shall be<br>distinguishable from other<br>identification.<br>Identification shall not require frequent<br>use of reference material.<br>The associated documentation shall be<br>identified. | Comply | Toshiba will meet the identification requirements with some<br>elements being plant specific and not within the scope of this<br>LTR.<br>Toshiba's QA program requires identification of safety-related<br>documents, including (but not limited to) plans, procedures,<br>instructions, design documents, drawings, VHDL code, V&V<br>reports, safety analysis reports, and test documentation.<br>Section I-3.12 discusses software configuration management in<br>the current process that includes activities maintaining the<br>identification and version of FPGA logic.<br>Section I-A-4.9 discusses software configuration management<br>for PRM in the original process that includes activities<br>maintaining the identification and version of FPGA logic. |
| 5.12 | Auxiliary features. | Comply | Auxiliary supporting features and other auxiliary features are<br>provided through plant designs, and these are not in the scope<br>of this LTR.<br>The power supplies for the PRM and OPRM are also an auxiliary<br>feature.<br>Section II-2.2.3.2.1 describes the qualified electrical isolation<br>devices that are provided in the design. |
| 5.13   | Multi-unit stations.<br>The sharing of structures, systems, and<br>components between units at<br>multi-unit generating stations shall be<br>capable of simultaneous performance<br>of the safety functions.                                                                                                                                                                                                                                                                                                      | N/A    | Neither PRM nor OPRM will be shared between units at multi-unit generating stations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |

| IEEE Std 603-1991 |                                                                                                                                   | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause            | Requirements Summary                                                                                                              |            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| 5.14 | Human factors considerations.<br>Human factors shall be considered at<br>the initial stages and throughout the<br>design process. | N/A | Human factors compliance will be verified by plant-specific implementation. Toshiba considers that the human interfaces on the equipment are sufficient for use by trained operators and maintainers. |
| 5.15              | Reliability.<br>Appropriate analysis of the design<br>shall be performed.                                                         | Comply     | As described for Clause 5.3, Toshiba develops FPGA-based<br>safety-related I&C systems in a high quality development<br>process to achieve an internally set reliability goal.<br>Section I-3 describes the Software/Hardware development<br>process of the current process. Section I-A-4 describes the<br>Software/Hardware development process in the original<br>process.<br>Section III-3 describes qualification analyses including FMEA<br>for the PRM. Section III-6 describes qualification analyses<br>including FMEA for the OPRM. System and software safety<br>activities, including FMEA, are performed throughout the life<br>cycle to detect and eliminate, or at least mitigate, potential<br>unsafe conditions, and ensure that the unsafe conditions are<br>reviewed and tested during the programmable logic, hardware,<br>and integration life cycle processes.                                                                                                                                                                            |
| 6                 | Sense and Command Features<br>The following requirements shall<br>apply:                                                          |            | Requirements are in the subclauses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 6.1               | Automatic initiation and control of all<br>protective actions shall be provided.                                                  | Comply     | Section II-2.2.2 describes PRM and OPRM that will initiate<br>automatic protective actions. There are no manual protective<br>actions applicable to this system.<br>Since the PRM and OPRM are digital systems, functional<br>requirements need to be appropriately allocated into hardware<br>and software requirements. Section I-3.3.1.3 states that a<br>System Design Description (SDD) is prepared, documenting<br>functions, comprehensive system design description in the<br>current process. Based on the SDD, an Equipment Design<br>Specification was prepared that defines functional<br>requirements, hardware and software design requirements in the<br>current process.<br>Section I-A-4.2.1 states that the ERS is prepared to document<br>system design and functional requirements in the original<br>process.<br>Section I-A.4.2.10 describes how Toshiba traces requirements<br>throughout the life cycle in the current process. For the PRM,<br>Part V documents the V&V activities including the<br>requirements traceability efforts. |
| 6.2 | Manual control. | | Clause Title |
| 6.2.1             | Division level manual action means<br>shall be provided in the control room<br>to initiate protective actions that are<br>initiated automatically. | N/A        | The PRM and OPRM will initiate automatic protective actions<br>through the RPS. When integrated with a plant design,<br>appropriate manual capabilities will be supplied to meet<br>regulatory requirements and licensing commitments through the<br>RPS.<br>The Main Control Room HSI will provide manual means for<br>protective actions through the RPS. |
| 6.2.2             | Manual control means shall be<br>provided in the control room to initiate<br>protective actions that are not initiated<br>automatically.           | N/A        | The PRM and OPRM will initiate automatic protective actions<br>through the RPS. When integrated with a plant design,<br>appropriate manual capabilities will be supplied to meet<br>regulatory requirements and licensing commitments through the<br>RPS.<br>The Main Control Room HSI will provide manual means for<br>protective actions.                 |
| 6.2.3             | Manual control means to maintain safe conditions shall be provided.                                                                                | N/A        | The PRM and OPRM will initiate automatic protective actions<br>through the RPS. When integrated with a plant design,<br>appropriate manual capabilities will be supplied to meet<br>regulatory requirements and licensing commitments through the<br>RPS.<br>The Main Control Room HSI will provide manual means for<br>protective actions.                 |
| 6.3 | Interaction between the sense and command features and other systems. | | No Requirements. |
| 6.3.1 | Where a single credible event can cause a non-safety system action that results in a condition requiring protective action and can concurrently prevent the protective action and command feature channels providing protection against the condition, one of the following requirements shall be met:<br>(1) Alternate channels shall be provided to limit the consequences. Alternate channels shall be selected from the following:<br>(a) Channels that sense a set of variables different from the principal channels.<br>(b) Channels that use equipment different from that of the principal channels that sense a set of variables different from those of the principal channels.<br>(2) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases. | N/A | In plant application, Toshiba will perform safety analyses, and<br>design and implement FPGA-based safety-related I&C systems<br>so that isolation is ensured between:<br>• safety systems in the different channels<br>• safety systems and nonsafety systems<br>The analyses, design, and implementation will depend on the<br>plant-specific design, which Toshiba and the utility will<br>incorporate appropriately.<br>Section II-2.2.2.3 describes the PRM system configuration<br>arranged in multiple divisions.<br>Section II-2.2.3.2.2 describes communication and data<br>independence including use of uni-directional communication<br>from a safety system to a nonsafety system.<br>Diversity and defense-in-depth (D3) is a plant-specific design<br>activity that will be undertaken with each plant licensing and<br>design basis as well as between the utility, Toshiba, and NRC<br>staff. |
| 6.3.2             | Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Comply     | The PRM and OPRM are configured to meet the single failure<br>criterion even if one channel is bypassed.<br>Section II-2.2.2.3 describes that the PRM and OPRM<br>configuration is redundant, and the APRM and OPRM generate<br>votes to trip leading to a scram signal generated in the RPS,<br>under permissible bypass conditions, meeting the Single Failure<br>Criterion.<br>This clause will be considered in the plant-specific D3 analysis<br>and design activities.                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 6.4               | Derivation of system inputs.<br>Sense and command feature inputs<br>shall be derived from signals that are<br>direct measures of the desired<br>variables as specified in the design<br>basis.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Comply     | The PRM and OPRM use in-core detector signals that are<br>representative of neutron flux and core flow. Toshiba complies<br>with this requirement.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 6.5 | Capability for testing and calibration. | | Clause Title |
| 6.5.1 | Checking the operational availability.<br>Means shall be provided for checking<br>the operational availability of each<br>sense and command feature input<br>sensor required for a safety function<br>during reactor operation. | Comply | The PRM and OPRM are configured in redundant channels.<br>Each PRM/OPRM channel has its own set of sensors.<br>Cross-comparison of the sensor readings of different channels<br>provides checking of the operational availability. These<br>cross-checks are performed in an external nonsafety related<br>system or by the operators.<br>Section II-2.2.2.3 describes the PRM and OPRM<br>configuration.<br>Toshiba requires the utility to install and operate cross-channel<br>comparisons. A manual means would be performed by plant<br>operators. An automated means would be in external,<br>nonsafety related equipment, to avoid complexity in the safety<br>systems. |
| 6.5.2             | Assuring the operational availability.                                                                                                                                                                                           | N/A        | Toshiba has designed equipment with high availability and<br>reliability. Self-diagnostics enhance operational availability.<br>Equipment qualification ensures that the equipment is capable<br>of continued operation in a mild environment.                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 6.6               | Operating bypasses.                                                                                                                                                                                                              | Comply     | Section II-A-6.4 states that the OPRM is bypassed when the<br>APRM level is less than the setpoint, or when the Core Flow<br>Level is more than the setpoint. The OPRM is only armed<br>when within the potentially unstable region of the core<br>power-flow map.<br>The PRM is operationally bypassed by the operator when the<br>plant is operating at power levels below the equipment's design<br>capability.                                                                                                                                                                                                                                                                  |
| 6.7 | Maintenance bypass.<br>Capability of a safety system to<br>accomplish its safety function shall be<br>retained while sense and command<br>features equipment is in maintenance<br>bypass. | Comply | Toshiba will design I&C systems including the PRM and<br>OPRM so that their maintenance bypasses become active if<br>and only if the applicable permissive conditions are met, with<br>consideration of faults and failures and not being able to bypass<br>more than one division at a time.<br>Section II-2.2.2.3 describes the PRM and OPRM configuration<br>that allows individual LPRM bypass and channel bypass for<br>maintenance. |
| 6.8               | Setpoints.                                                                                                                                                                                                                       |            | Clause Title                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 6.8.1             | The allowance for uncertainties<br>between the process analytical limit<br>and the device setpoint shall be<br>determined using a documented<br>methodology. Refer to ISA<br>S67.04-1987                                         | Comply     | Data for entry into a utility's setpoint analysis methodology is<br>provided by Toshiba, as described in Section III-3.2.3 Setpoint<br>Support Analysis for the PRM and Section III-6-2.3 for the<br>OPRM.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 6.8.2 | Where multiple setpoints are required,<br>the design shall provide means to use<br>the more restrictive setpoint when<br>required. | Comply | Data for entry into a utility's setpoint analysis methodology is<br>provided by Toshiba, as described in Section III-3.2.3 Setpoint<br>Support Analysis for the PRM and Section III-6.2.3 for the<br>OPRM. |
| 7      | Execute features—functional and design requirements.                                                                                                                                                                                                                 |            | No requirement                                                                                                                                                                                                                                                                                                                                                                                      |
|        | The following requirements shall apply to the execute features.                                                                                                                                                                                                      |            |                                                                                                                                                                                                                                                                                                                                                                                                     |
| 7.1    | Automatic Control.<br>Execute features shall receive and act<br>upon automatic control signals from<br>the sense and command features.                                                                                                                               | N/A        | The PRM and OPRM described in this LTR do not include<br>execute features, but the systems provide automatic control<br>signals to the execute features. Plant-specific designs will<br>include manual control of the execute features in the RPS, with<br>the manual signals injected at a point beyond where common<br>cause failure of the programming language could inhibit manual<br>control. |
| 7.2 | Manual Control.<br>The additional design features in the<br>execute features for manual control<br>shall not defeat the requirements of 5.1<br>and 6.2. Capability shall be provided<br>in the execute features to receive and<br>act upon manual control signals. | N/A | The PRM and OPRM described in this LTR do not include<br>any manual control of execute features. Plant-specific designs<br>will include manual control of the execute features in the RPS,<br>with the manual signals injected at a point beyond where<br>common cause failure of the programming language could<br>inhibit manual control. |
| 7.3    | Completion of Protective Action.<br>The design of the execute features<br>shall be such that once initiated, the<br>protective actions of the execute<br>features shall go to completion.                                                                            | N/A        | The PRM and OPRM described in this LTR do not include the execute features. Plant-specific designs will include manual control of the execute features in the RPS, with the manual signals injected at a point beyond where common cause failure of the programming language could inhibit manual control. The RPS design shall ensure that the required plant scram goes to completion.            |
| 7.4 | Operating Bypass.<br>Operational bypass shall be active if<br>and only if applicable permissible<br>conditions are met, and if the<br>conditions change:<br>Remove the bypass,<br>Restore the plant conditions, or<br>Initiate the appropriate safety<br>functions. | N/A | The PRM and OPRM comply with the operating bypass requirements in Clause 6.6 in this IEEE standard. |
| 7.5 | Maintenance Bypass.<br>The capability of a safety system to<br>accomplish its safety function shall be<br>retained while execute features<br>equipment is in maintenance bypass. | N/A | The PRM and OPRM comply with the maintenance bypass requirements in Clause 6.7 in this IEEE standard. |
| 8      | Power source requirements.                                                                                                                                                                                                                                           |            | Clause Title                                                                                                                                                                                                                                                                                                                                                                                        |


| | IEEE Std 603-1991 | Compliance | Comments |
|--------|--------|-----|--------|
| Clause | Requirements Summary | | |
| 8.1    | Electrical Power Sources.<br>Those portions of the Class 1E power<br>system required to provide the power<br>to the safety system are a portion of<br>the safety systems.                                                                       | N/A | This requirement is mostly addressed in plant-specific designs.<br>The low voltage power supplies inside the equipment are safety<br>related, Class 1E. This LTR does not address this requirement<br>for external power, but the systems are designed to support<br>installation in electrical systems compliant to this requirement. |
| 8.2    | Non-electrical Power Sources.<br>Non-electrical power sources, such as<br>control-air systems, bottled-gas<br>systems, and hydraulic systems,<br>required to provide the power to the<br>safety systems are a portion of the<br>safety systems. | N/A | The FPGA-based Safety-Related Instrumentation and Control<br>Systems do not require any non-electrical power source.                                                                                                                                                                                                                   |
| 8.3    | Maintenance Bypass. The capability of<br>the safety systems to accomplish their<br>safety functions shall be retained while<br>power sources are in maintenance<br>bypass.                                                                      | N/A | This is a requirement for the plant electrical design.<br>Each plant-specific design will ensure that power is supplied to<br>the safety systems when normal power supplies are in<br>maintenance bypass, to allow the PRM and OPRM to<br>accomplish their safety functions.                                                           |


# IV-3 Compliance with IEEE Std 7-4.3.2-2003

Table IV-3-1 documents conformance of the PRM and OPRM to IEEE Std 7-4.3.2-2003 (Reference (a30)). All Toshiba safety systems will comply with the requirements of IEEE Std 7-4.3.2-2003.

Appendix 7.1-D of the SRP (Reference (a4)) provides guidance for evaluation of conformance to IEEE Std 7-4.3.2-2003, including "Cyber Security Criteria" added in Reg. Guide 1.152 Revision 2. Table IV-3-1 was prepared considering the viewpoints in Appendix 7.1-D of the SRP, except that Regulatory Guide 1.152 Revision 3 is used instead of Revision 2.

In the table, the IEEE clauses are summarized. Toshiba evaluates system and plant-specific designs against the standard itself, to avoid issues with interpretation that result from changing the IEEE standard wording.

Notes:

- "Comply" means the Toshiba safety system complies with the corresponding IEEE Std 7-4.3.2 requirement.
- "---" means there is no requirement in IEEE Std 7-4.3.2.
- "N/A" means the IEEE Std 7-4.3.2 requirement is not applicable.

|        | IEEE Std 7-4.3.2-2003                                                                       |            |                                                     |
|--------|---------------------------------------------------------------------------------------------|------------|-----------------------------------------------------|
| Clause | Requirements Summary                                                                        | Compliance | Comments                                            |
| 1      | Scope. Amplifying criteria in IEEE<br>Std 603-1998                                          |            | No requirements.                                    |
| 2      | Reference                                                                                   |            | No requirements.                                    |
| 3      | Definitions and abbreviations                                                               |            | No requirements.                                    |
| 4      | Safety System design basics<br>No requirements beyond those<br>defined in IEEE Std 603.     |            | No requirements beyond this Clause in IEEE Std 603. |
| 5      | Safety system criteria                                                                      |            | Requirements are in the subclauses                  |
| 5.1    | Single-failure criterion<br>No requirements beyond those<br>defined in IEEE Std 603.        |            | No requirements beyond this Clause in IEEE Std 603. |
| 5.2    | Completion of Protective Action<br>No requirements beyond those<br>defined in IEEE Std 603. |            | No requirements beyond this Clause in IEEE Std 603. |

Table IV-3-1 Conformance with IEEE Std 7-4.3.2-2003

|         | IEEE Std 7-4.3.2-2003                  | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|---------|----------------------------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause  | Requirements Summary                   |            |                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 5.3     | Quality                                |            | The Toshiba life cycle processes incorporate both hardware and<br>programmable logic, as the two are heavily interconnected,<br>including the process for integrating programmable logic and<br>hardware and commercial grade dedication of hardware<br>components and assembly.                                                                                                                                                                         |
| 5.3.1   | Software Development                   | Comply     | Section I-3 describes the Software/Hardware development<br>process in the current process, and Section I-A-4 describes<br>Software/Hardware development process in the original<br>process. Both the original and current processes conform to<br>BTP 7-14.<br>Section I-3.3 describes the software development plan in the<br>current process, and Section I-A-4.2 describes the software<br>development planning and practice in the original process. |
| 5.3.1.1 | Software quality metrics               | Comply     | Toshiba uses several metrics in the process.                                                                                                                                                                                                                                                                                                                                                                                                             |
|         |                                        |            | Section I-3.2.6 describes that the Toshiba Project Managers are responsible for metrics in the current process.                                                                                                                                                                                                                                                                                                                                          |
|         |                                        |            | Section I-3.11 describes how the V&V reports and evaluates metrics in the current process.                                                                                                                                                                                                                                                                                                                                                               |
|         |                                        |            | Section I-A-4.1.2 describes software quality metrics for the original process.                                                                                                                                                                                                                                                                                                                                                                           |
| 5.3.2   | Software tools                         | Comply     | Section I-2.2.2 and Section I-A.3.2.2 describe that Toshiba<br>surveyed tool vendors and implemented Critical Digital<br>Reviews of the software tools and vendor software processes,<br>including acceptance of software tools from their sub-vendors.                                                                                                                                                                                                  |
| | | | Sections I-3.12.2 and I-A-4.9 describe that the software tools are configuration items and are controlled under the appropriate processes. |
|         |                                        |            | The Netlist Viewer and ModelSim tools are used to detect design errors in the VHDL logic.                                                                                                                                                                                                                                                                                                                                                                |
|         |                                        |            | Part V includes use of the software tools in the V&V in the current process, and Part VI includes use of the software tools in V&V in the original process.                                                                                                                                                                                                                                                                                              |
| 5.3.3 | Verification and validation | Comply | Sections I-3.10 and I-A-4.8 describe that the V&V Plans in the current process and the original process cover the requirements of IEEE Std 1012 as endorsed in USNRC Reg. Guide 1.168. |
| 5.3.4   | Independent V&V (IV&V)<br>requirements | Comply     | Toshiba performs IV&V activities, with at least as much independence as is required in this clause.                                                                                                                                                                                                                                                                                                                                                      |
|         |                                        |            | Section I-3.2.1 discusses the organization including the IV&V<br>Team in the current process. Section I-A-1.1 discusses the<br>organization including the V&V team in the original process.                                                                                                                                                                                                                                                              |
| | | | Section I-3.2.3.4 describes the independence of the IV&V<br>Leads in the current process. Section I-A-4.1.1 describes the<br>independence of the V&V team in the original process. |
|         |                                        |            | Section I-3.10 describes the V&V Plan in the current process.<br>Section I-A-4.8 describes the V&V Plan in the original process.                                                                                                                                                                                                                                                                                                                         |

| | IEEE Std 7-4.3.2-2003 | Compliance | Comments |
|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause               | Requirements Summary                                                                                                                              | Compliance | Comments                                                                                                                                                                                                                                                      |
| 5.3.5                | Software configuration<br>Management                                                                                                              | Comply     | Toshiba performs software configuration management in compliance with USNRC RG 1.169 and the endorsed IEEE Std 828-1990 and ANSI/IEEE Std 1042-1987.                                                                                                          |
|                      |                                                                                                                                                   |            | Section I-3.12 describes the software configuration<br>management plan in the current process. Section I-A-4.9<br>describes the configuration management plan in the original<br>process.                                                                     |
| 5.3.6                | Software Project Risk<br>Management                                                                                                               | Comply     | Section I-3.2.5 states that the NED PM is responsible for risk management of the entire project including schedule, budget, resources, and technical issues, and must take appropriate actions to minimize project risks in the current process.              |
|                      |                                                                                                                                                   |            | Section I-A-4.1.2 states that NED Group Manager shall perform risk management in the original process.                                                                                                                                                        |
| 5.4                  | Equipment qualification                                                                                                                           |            | Requirements are in the subclauses.                                                                                                                                                                                                                           |
| 5.4.1 | Computer system testing | Comply | Section I-3.13 describes the Software Test Plan, which describes FPGA testing, Module Validation Testing, and System Validation Testing in the current process. |
|                      |                                                                                                                                                   |            | Section I-A-4.10 describes the Software Test Planning and Practice in the original process.                                                                                                                                                                   |
| | | | Section III-2 describes the PRM Qualification Test. Section III-5 describes the OPRM Qualification Test. |
| 5.4.2 and subclauses | Qualification of existing commercial computers<br>Including:<br>Preliminary phase of the COTS dedication process<br>Detailed phase of the COTS dedication process<br>Maintenance of commercial dedication | Comply | Toshiba established a CGD process to procure FPGA-based safety-related I&C systems.<br>Section I-2.2 describes the CGD process in the current process.<br>Section I-A-3.2 describes the CGD process in the original process. |
| 5.5                  | System integrity                                                                                                                                  |            | The requirements are described in the subclauses.                                                                                                                                                                                                             |
| 5.5.1 | Design for computer integrity<br>The computer shall be designed to<br>perform its safety function when<br>subjected to conditions, external or<br>internal, that have significant<br>potential for defeating the safety<br>function. | Comply | The FPGA-based safety-related I&C systems are designed to have integrity. |
| | | | Section I-3 addresses the software/hardware development<br>processes that ensure the software and hardware integrity of the<br>FPGA-based I&C systems in the current process. The process<br>includes software safety analysis as described in Section I-3.9. |
| | | | Section I-3.9.3.3 states that potential hazards associated with design are adequately resolved to eliminate or at least mitigate possible safety concerns in the current process. |
|                      |                                                                                                                                                   |            | Section I-A-4.2 describes software development planning and practice and Section I-A-4.7 describes software safety planning and practices including hazard analysis in the original process.                                                                  |

|        | IEEE Std 7-4.3.2-2003                                                                                                                                                                                                                                                                                                                                                                                                          | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                    |
|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                                                                                                                                                                                                                                                                                                                                           | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                    |
| 5.5.2  | Design for test and calibration<br>Test and calibration function shall<br>not adversely affect the ability of<br>the computer to perform its safety<br>function. Appropriate bypass of<br>one redundant channel is not<br>considered an adverse effect in<br>this context. It shall be verified<br>that the test and calibration<br>function does not affect any<br>computer function not included in<br>a calibration change. | Comply     | Toshiba designs the PRM and OPRM so that test and<br>calibration functions do not adversely affect the safety<br>functions.<br>Section II-2.2.2.3 describes that the PRM and OPRM<br>configuration is redundant, and the PRM and OPRM can<br>generate a trip signal leading to a scram signal generated in the<br>RPS, under permissible bypass conditions. |
|        | V&V, configuration management,<br>and QA                                                                                                                                                                                                                                                                                                                                                                                       | N/A        | Toshiba does not incorporate a test and calibration computer in the PRM or OPRM.                                                                                                                                                                                                                                                                            |
|        | • shall be required for test and calibration computer providing sole verification of test and calibration data.                                                                                                                                                                                                                                                                                                                |            |                                                                                                                                                                                                                                                                                                                                                             |
|        | • shall be required for the test<br>and calibration function of<br>the safety system.                                                                                                                                                                                                                                                                                                                                          |            |                                                                                                                                                                                                                                                                                                                                                             |
|        | • are not required when the test and calibration function on a separate computer does not provide the sole verification of test and calibration data.                                                                                                                                                                                                                                                                          |            |                                                                                                                                                                                                                                                                                                                                                             |
| 5.5.3  | Fault detection and self diagnostics.                                                                                                                                                                                                                                                                                                                                                                                          | Comply     | Section II-2.2.3.2.2 describes how the PRM and OPRM include self-diagnostic functions that continuously verify proper FPGA                                                                                                                                                                                                                                  |
|        | Self-diagnostics are one means<br>that can be used to assist in<br>detecting failures. |            | and communications performance.<br>Section II-A-2.7 describes self-diagnostic capabilities |
|        | If reliability requirements warrant<br>self-diagnostics, then computer<br>programs shall incorporate<br>functions to detect and report<br>computer system faults and<br>failures in a timely manner. |            |            |
|        | Self-diagnostic functions shall not<br>adversely affect the ability of the<br>computer system to perform its<br>safety function, or cause spurious<br>actuations of the safety function. |            |            |

|        | IEEE Std 7-4.3.2-2003                                                                                   | Compliance | Comments                                                                                                                                                                                                                                                                                                                                          |
|--------|---------------------------------------------------------------------------------------------------------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                    | Compliance | Comments                                                                                                                                                                                                                                                                                                                                          |
| 5.6    | Independence                                                                                            | Comply     | Toshiba complies with the guidance provided in Digital<br>Instrumentation and Controls Interim Staff Guidance 4,<br>Revision 1.                                                                                                                                                                                                                   |
|        |                                                                                                         |            | Section II-2.1.4.3 and II-2.2.3.2.2 describe communication and data independence. Each division has a uni-directional fiber optic communication link, providing fixed data sets from each safety-related division individually to the nonsafety-related, providing Class 1E to non-1E isolation. No engineering unit data passes between divisions. |
| 5.7    | Capability for test and calibration                                                                     | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
|        | No requirements beyond those of IEEE Std 603.                                                           |            |                                                                                                                                                                                                                                                                                                                                                   |
| 5.8    | Information displays                                                                                    | N/A        | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
|        | No requirements beyond those of IEEE Std 603.                                                           |            | This LTR does not contain any information Display for Plant<br>Operation.                                                                                                                                                                                                                                                                         |
| 5.9    | Control of access                                                                                       | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
|        | No requirements beyond those of IEEE Std 603.                                                           |            |                                                                                                                                                                                                                                                                                                                                                   |
| 5.10   | Repair                                                                                                  | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
|        | No requirements beyond those of IEEE Std 603.                                                           |            |                                                                                                                                                                                                                                                                                                                                                   |
| 5.11   | Identification                                                                                          | Comply     | The PC board fabricator installs logic in the FPGA, and the logic cannot be changed later. The correct programmable logic is verified by the commercial grade dedication process and by module testing under Toshiba's NQA-1 compliant NQA program.                                                                                               |
|        |                                                                                                         |            | Section I-3.12 explains software configuration management<br>used to ensure that correct logic is installed in each FPGA in<br>the current process. Section I-A-4.9 describes configuration<br>management in the original process. The configuration<br>management covers the module supplier.                                                    |
| 5.12   | Auxiliary features                                                                                      | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
|        | No requirements beyond those of IEEE Std 603.                                                           |            |                                                                                                                                                                                                                                                                                                                                                   |
| 5.13   | Multi-unit stations<br>No requirements beyond those of<br>IEEE Std 603.                                 | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
| 5.14   | Human factors considerations<br>No requirements beyond those of<br>IEEE Std 603.                        | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
| 5.15   | Reliability                                                                                             | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                               |
|        | When reliability goals are<br>identified, the proof of meeting the<br>goals shall include the software. |            |                                                                                                                                                                                                                                                                                                                                                   |


|        | IEEE Std 7-4.3.2-2003 | Compliance | Comments |
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clause | Requirements Summary                                                                                                                                                                                                                                                | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 6      | Sense and command<br>features—functional and design<br>requirements<br>No requirements beyond those of<br>IEEE Std 603.                                                                                                                                             | Comply     | No requirements beyond this Clause in IEEE Std 603.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 7      | Execute features—functional and<br>design requirements<br>No requirements beyond those of<br>IEEE Std 603.                                                                                                                                                          | N/A        | No requirements beyond this Clause in IEEE Std 603.<br>Neither PRM nor OPRM has any execute features.                                                                                                                                                                                                                                                                                                                                                                                            |
| 8      | Power source requirements<br>No requirements beyond those of<br>IEEE Std 603.                                                                                                                                                                                       | N/A        | No requirements beyond this Clause in IEEE Std 603.<br>No requirement for this LTR.                                                                                                                                                                                                                                                                                                                                                                                                              |
|        | SDOE<br>Appendix 7.1-D of the SRP<br>describes "Cyber Security<br>Criteria" in addition to IEEE Std<br>7-4.3.2 in accordance with Reg.<br>Guide 1.152, Revision 2.<br>Reg. Guide 1.152 was revised to<br>Revision 3, and "Cyber Security"<br>was changed to "SDOE." | Comply     | <ul> <li>Section I-3.14 describes SDOE in the current process. Toshiba's SDOE program complies with RG 1.152, Revision 3, Regulatory Positions 2.1 through 2.5.</li> <li>Toshiba's implementation of SDOE provides sufficient capabilities in the system design to support a utility in evaluation of the system against USNRC Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Facilities."</li> <li>Section I-A-5 describes Cyber Security in the original process.</li> </ul> |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division


# IV-4 Conformance with EPRI TR-107330

Table IV-4-1 documents conformance of PRM and OPRM to EPRI TR-107330 (Reference (a46)). Table IV-4-1 shows the mapping of EPRI TR-107330 requirements to the PRM and OPRM.

Notes:

- "Comply" means the Toshiba NRW-FPGA-based Safety-Related I&C Systems comply with the corresponding EPRI TR-107330 requirement.
- "N/A" means the EPRI TR-107330 requirement is not applicable to the Toshiba NRW-FPGA-based Safety-Related I&C Systems.
- "Exception" means the Toshiba NRW-FPGA-based Safety-Related I&C Systems can be excepted from the corresponding EPRI TR-107330 requirement.

| Section No | Summary of EPRI TR-107330 Requirements                                                                 | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| 1          | Scope. Description of TR scope.                                                                        | No requirement                                          |
| 2          | Definitions, Abbreviations, Acronyms. List of definitions, abbreviations, and acronyms used in the TR. | No requirement                                          |
| 3          | Reference Documents. List of documents referenced in the TR.                                           | No requirement                                          |
| 4          | System Requirements. (section heading)                                                                 | No requirement                                          |
| 4.1        | Overview of Performance Basis. Descriptive information.                                                | No requirement                                          |
| 4.2        | Functional Requirements. (section heading)                                                             | No requirement                                          |
| 4.2.1      | General Functional Requirements. Descriptive information.                                              | No requirement                                          |

# Table IV-4-1 Conformance with EPRI TR-107330


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                   |
|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.2.1.A    | Response Time. The overall response time from an<br>analog or discrete input exceeding its trip condition<br>to the resulting discrete outputs being set shall be 100<br>milliseconds or less. Response time shall include<br>time required for input filtering, input module signal<br>conversion, main processor input data acquisition,<br>two scan times of an application program containing<br>2000 simple logic elements, main processor output<br>data transmission, digital output module signal<br>conversion, and performance of self-diagnostics and<br>redundancy implementation. | Comply. The generic response time requirements in the EPRI TR are for CPU-based systems. Toshiba considers that they are inappropriate for the PRM or OPRM based on FPGA technology. Toshiba defines system-specific response time requirements based on the Toshiba BWR design basis documents. The system-specific response time requirements are documented in Section II-2.2.2.2. |
| 4.2.1.B    | Discrete I/O. The PLC shall have the capability to provide a total of at least 400 discrete I/O points.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | N/A. The I/O configuration of the Toshiba NRW-FPGA-based PRM and OPRM hardware is application specific. Therefore, the system configurations are known and fixed for each system.                                                                                                                                                                                                         |
| 4.2.1.C    | Analog I/O. The PLC shall have the capability to provide a total of 100 analog I/O points.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | N/A. The I/O configuration of the Toshiba NRW-FPGA-based PRM and OPRM hardware is application specific. Therefore the system configurations are known and fixed for each system. For the PRM, 172 analog inputs are provided for the Local Power Range Monitors, with additional inputs for reactor flow. For the OPRM, the digitized data from the LPRM and flow inputs are used.        |
| 4.2.1.D    | Combined I/O. The PLC shall have the capability to provide a total of 50 analog and 400 discrete I/O points.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | N/A. The I/O configuration of the Toshiba NRW-FPGA-based PRM and OPRM hardware is application specific. Therefore the system configurations are known and fixed for each system.                                                                                                                                                                                                          |
| 4.2.2      | Control Function Requirements. The PLC shall provide a high-level language designed for control algorithms.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | N/A. The Toshiba NRW-FPGA-based PRM and OPRM hardware systems are application specific. The control function configuration (i.e., logic) is known and fixed for each system. The VHDL code employed is appropriate for the system functionality.                                                                                                                                          |
| 4.2.3      | Availability/Reliability and FMEA. (section heading)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | No requirement                                                                                                                                                                                                                                                                                                                                                                            |
| 4.2.3.1    | Availability/Reliability Overview. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | No requirement                                                                                                                                                                                                                                                                                                                                                                            |
| 4.2.3.2    | Availability/Reliability and Basic Requirements.<br>The overall availability goal of the PLC is 0.99.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Comply. The hardware-based availability of the full PRM system for a BWR-5 is more than 0.99 (see Section III-3.2.1). The hardware-based availability of the OPRM equipment is more than 0.99 (see Section III-6.2.1).                                                                                                                                                                    |
| 4.2.3.3    | Availability/Reliability Calculation Requirements.<br>An availability calculation shall be prepared which<br>conforms to IEEE Std 352.                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Comply. An availability calculation is prepared in a manner that conforms to IEEE Std 352-1987.                                                                                                                                                                                                                                                                                           |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                         | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                     |
|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.2.3.3.1  | Availability/Reliability Calculation Requirements<br>Applicable to Redundant PLCs. For PLCs that<br>include redundancy, the availability calculation shall<br>address additional, redundancy-specific<br>considerations.       | N/A. The Toshiba PRM or OPRM system does not include redundant components for signal processing.<br>Redundancy is applied at the channel or division level. Toshiba interprets that the redundant LVPSs are not for signal processing.                                                      |
| 4.2.3.4    | PLC Fault Tolerance Requirements. Fault tolerance<br>capability shall be addressed in the availability<br>calculation, and included as part of the qualification<br>envelope definition.                                       | Comply. An Availability/Reliability Analysis for the PRM system is documented in Section III-3.2.1, and Availability/Reliability Analysis for the OPRM system is documented in Section III-6.2.1.                                                                                           |
| 4.2.3.5    | Failure State/FMEA Requirements. An FMEA<br>analysis shall be performed in accordance with IEEE<br>Std 352. The analysis shall evaluate the effects of<br>failures of components in the PLC modules on the<br>PLC performance. | Comply. A Failure Modes and Effects Analysis (FMEA) for the PRM is documented in Section III-3.2.2, and an FMEA for the OPRM is documented in Section III-6.2.2.                                                                                                                            |
| 4.2.3.6    | Failure Detection Requirements. The PLC shall contain features to permit generating an alarm when the on-line fault detection detects a failure.<br>Processor-to-processor communication for fault detection shall meet the given specific performance requirements. | Comply. The following diagnostic functions are provided: |
|            |                                                                                                                                                                                                                                | (a) Monitoring of the Low Voltage Power Supply module |
|            |                                                                                                                                                                                                                                | The Low Voltage Power Supply (LVPS) module shall monitor its output voltage. If the voltage of the LVPS becomes lower than the setpoint in either of the LVPS modules, the STATUS module front panel shall provide the indication and generate a discrete output for annunciation in the MCR. |
|            |                                                                                                                                                                                                                                | (b) Monitoring Low Voltage Supply for each module |
|            |                                                                                                                                                                                                                                | The LPRM, APRM, SQ-ROOT, FLOW, TRN, RCV, STATUS, CELL, DAT/ST, AGRD, and PBD modules shall monitor the input voltage from the LVPS modules. If the input voltage becomes lower than the setpoint, the module shall be reset, which generates a discrete output for annunciation in the MCR. |
|            |                                                                                                                                                                                                                                | (c) Monitoring of the FPGAs with a watchdog                                                                                                                                                                                                                                                 |
|            |                                                                                                                                                                                                                                | A watchdog timer shall monitor each FPGA that operates periodically as documented in Section II-2.2.3.3.                                                                                                                                                                                    |
|            |                                                                                                                                                                                                                                | (d) Checking data transmission between units through fiber optic cables                                                                                                                                                                                                                     |
|            |                                                                                                                                                                                                                                | The module receiving data from the other unit shall verify the periodic occurrence of the data transmissions, and the validity of transmitted data between units over fiber optic cables. The validity of data shall be verified by Cyclic Redundancy Check (CRC) in the transmitted data.  |
|            |                                                                                                                                                                                                                                | Note: Parity check was used as the method for error checking in the PRM system, for which Toshiba performed the qualification test. Toshiba updated the FPGA logic to use CRC.                                                                                                              |
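
Item (d) and its note describe the receiving module checking both the periodic arrival of frames and their validity by CRC, with CRC replacing the earlier parity check. The block below is an added example, not Toshiba's FPGA logic: it assumes a 46 x 16-bit payload (the frame size given in the module description), a trailing CRC-16/CCITT-FALSE word, and a 25 ms timeout, none of which the page specifies for the inter-unit link, and it shows that a frame failing the CRC does not refresh the periodic-arrival check.

```python
"""Added example: receiver-side frame checks (constructed; not the vendor's logic)."""
import struct

WORDS_PER_FRAME = 46      # from the page: 46 data items, 16 bits each
CRC_POLY = 0x1021         # assumption: CRC-16/CCITT-FALSE; the page names no polynomial
CRC_INIT = 0xFFFF         # assumption
TIMEOUT_MS = 25           # assumption: the page gives no timeout value
FRAME_LEN = 2 * WORDS_PER_FRAME + 2


def crc16(data: bytes) -> int:
    """Bitwise CRC-16/CCITT-FALSE (no reflection, no final XOR)."""
    crc = CRC_INIT
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def parity(data: bytes) -> int:
    """Single even-parity bit over the whole payload (the older style of check)."""
    p = 0
    for byte in data:
        p ^= byte
    p ^= p >> 4
    p ^= p >> 2
    p ^= p >> 1
    return p & 1


def build_frame(words) -> bytes:
    """Pack 46 big-endian 16-bit words and append the CRC word."""
    if len(words) != WORDS_PER_FRAME:
        raise ValueError("frame must carry exactly 46 words")
    payload = struct.pack(">%dH" % WORDS_PER_FRAME, *words)
    return payload + struct.pack(">H", crc16(payload))


class FrameReceiver:
    """Accepts a frame only if its CRC matches; tracks time since last valid frame."""

    def __init__(self, start_ms: int, timeout_ms: int = TIMEOUT_MS):
        self.timeout_ms = timeout_ms
        self.last_good_ms = start_ms
        self.words = None

    def on_frame(self, now_ms: int, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "LENGTH_ERROR"
        payload = frame[:-2]
        (rx_crc,) = struct.unpack(">H", frame[-2:])
        if crc16(payload) != rx_crc:
            return "CRC_ERROR"          # invalid frame: do not refresh the timer
        self.last_good_ms = now_ms
        self.words = struct.unpack(">%dH" % WORDS_PER_FRAME, payload)
        return "OK"

    def timed_out(self, now_ms: int) -> bool:
        """True when no valid frame has arrived within the timeout window."""
        return now_ms - self.last_good_ms > self.timeout_ms


def demo() -> dict:
    words = [(i * 257) & 0xFFFF for i in range(WORDS_PER_FRAME)]  # constructed data
    good = build_frame(words)

    one_flip = bytearray(good)
    one_flip[5] ^= 0x01
    two_flips = bytearray(good)
    two_flips[5] ^= 0x01
    two_flips[40] ^= 0x80              # second flipped bit cancels the parity change

    rx = FrameReceiver(start_ms=0)
    return {
        "parity_catches_one_flip": parity(good[:-2]) != parity(bytes(one_flip[:-2])),
        "parity_catches_two_flips": parity(good[:-2]) != parity(bytes(two_flips[:-2])),
        "t10_good": rx.on_frame(10, good),
        "t20_two_flips": rx.on_frame(20, bytes(two_flips)),
        "t30_timed_out": rx.timed_out(30),
        "t40_one_flip": rx.on_frame(40, bytes(one_flip)),
        "t40_timed_out": rx.timed_out(40),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two-bit corruption leaves the parity bit unchanged but fails the CRC, and because rejected frames do not reset the timer, a run of corrupted frames ends in the same timeout condition as a silent link.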


| Section No  | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                          |
|-------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.2.3.6 (continued) | (continued)                            | (e) Checking data transmission from the modules in the same unit |
|             |                                        | The LPRM module, APRM module, and CELL module shall check the periodic transmission of the data frame from the TRN modules and the RCV modules in the same unit. If a timeout error occurs, a Minor Failure signal shall be generated. The Minor Failure generates a discrete output for annunciation in the MCR. |
|             |                                        | (f) Checking constants stored in Rewritable ROM                                                                                                                                                                                                                                                                                                  |
|             |                                        | Every Rewritable ROM storing constants used for the signal processing shall protect its stored values with parity bits or dual storage of each value. If an error is detected, a Minor Failure alarm shall be generated. The Minor Failure generates a discrete output for annunciation in the MCR.                                              |
|             |                                        | (g) Checking the voltage of the LPRM High Voltage Power Supply on each LPRM module.                                                                                                                                                                                                                                                              |
|             |                                        | The LPRM module shall monitor the voltage of the High Voltage Power Supply. If the voltage becomes lower than the setpoint, the LPRM shall be inoperable. Inoperability of a single LPRM module does not affect the Safety-Related function, but a Minor Alarm will be generated to initiate replacement of the faulted module. |
|             |                                        | (h) Checking the input value of the SQ-ROOT module |
|             |                                        | The SQ-ROOT module shall perform a range check for the input current value after digital conversion. If the input current value becomes lower than the setpoint, the SQ-ROOT module shall output a failure signal. The Minor Failure generates a discrete output for annunciation in the MCR. |
|             |                                        | (i) Checking [ ] on PBD module and AGRD module |
|             |                                        | The PBD module and AGRD module shall perform check for the [ ] If [ ] is detected the PBD module and AGRD module shall output a failure signal. The failure signal generates a discrete output for inoperable trip. |
|             |                                        | (j) Checking [ ]<sup>a,c</sup> on PBD module and AGRD module |
|             |                                        | The PBD module and AGRD module shall perform check for the [ ]<sup>a,c</sup> If [ ]<sup>a,c</sup> is detected the PBD module and AGRD module shall output a failure signal. The failure signal generates a discrete output for inoperable trip. |


Nuclear Energy Systems & Services Division


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                         | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.2.3.7.A  | Recovery Capability Requirements. The PLC shall include a watchdog timer and power bus monitoring features. | (See Item 4.2.3.6 in this table) |
| 4.2.3.7.B  | Recovery Capability Requirements. The PLC<br>processor shall contain power bus monitoring<br>features to assure that the processor successfully<br>completes any memory writes and goes into a reset<br>state when the supply voltage is outside of the range. | N/A. The CELL, PBD, and AGRD modules of the OPRM use SRAMs for safety functions. The values of the SRAMs will be cleared to zero if the power supply fails. Because these modules apply a time average filter on the data, any data stored in the SRAM before the reset and re-initialization is useless and is discarded appropriately on power restoration. The PRM does not perform any memory writes during normal operation. Should the plant power supply fail or go out of range, the affected PRM Unit will reinitialize upon restoration of power. |
| 4.2.3.7.C  | Recovery Capability Requirements. Output<br>modules shall initialize to a known state. | Comply. Whenever power is applied to the PRM or OPRM equipment, the equipment is initialized by the power-on reset function.<br>All trip and alarm outputs remain tripped until the initialization process has completed (about [ ] |
| 4.2.3.8    | Requirements for Use of Operating Experience. If<br>operating experience is used as a basis for<br>establishing module failure rates, the PLC<br>manufacturer must have a problem reporting and<br>tracking program.                                           | N/A. Operating experience is not used as a basis for establishing module failure rates of the PRM or OPRM system.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 4.2.4      | Setpoint Analysis Support Requirements. An<br>analysis shall be prepared to provide the information<br>needed to support an application specific setpoint<br>analysis per ISA RP 67.04. | <ul> <li>Comply. The PRM and OPRM trip setpoints can be adjusted by a technician during equipment maintenance or by an operator during periodic surveillance service. The PRM and OPRM System support setpoint adjustments of equipment on the front panel of each module.</li> <li>Toshiba supplies sufficient data to support a utility's setpoint program.</li> <li>Section III-3.2.3 provides setpoint support analysis for the PRM and Section III-6.2.3 provides setpoint support analysis for the OPRM.</li> </ul> |
| 4.3        | Hardware Requirements. (section heading)                                                                                                                                                                                                                       | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| 4.3.1      | General. (section heading)                                                                                                                                                                                                                                     | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                             | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                  |
|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.3.1.1    | Background. Descriptive information.                                                                                                                                                                                                                                                                               | No requirement                                                                                                                                                                                                                           |
| 4.3.1.2    | Requirements Common to All Modules. All<br>modules shall meet or support the general<br>requirements given in Section 4.2.1, and shall meet<br>the range of environmental conditions given in<br>Section 4.3.6. Special requirements apply to single<br>module assemblies that include both inputs and<br>outputs. | (Compliance documented in Items 4.2.1 and 4.3.6 in this table.)                                                                                                                                                                          |
| 4.3.1.3    | External Device Requirements. External devices<br>used to meet I/O module requirements shall meet the<br>given specific requirements.                                                                                                                                                                              | N/A. The PRM and OPRM do not require external devices, other than sensors and transmitters which are not part of this LTR.                                                                                                               |
| 4.3.1.4    | General Redundancy Requirements. Redundant<br>components may be included in the generic PLC<br>platform.                                                                                                                                                                                                           | N/A. The PRM or OPRM System does not include redundant components for signal processing. Toshiba interprets that the redundant LVPSs are not for signal processing.                                                                      |
| 4.3.2      | Input Requirements. (section heading)                                                                                                                                                                                                                                                                              | No requirement                                                                                                                                                                                                                           |
| 4.3.2.1    | Analog Input Requirements. The PLC shall include modules that provide analog inputs.                                                                                                                                                                                                                               | Comply. The PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters. The required analog input design specifications are, therefore, known and satisfied. The OPRM has no analog inputs. |
| 4.3.2.1.A  | Monotonicity. The analog inputs shall be monotonic to $\pm 1/2$ LSB.                                                                                                                                                                                                                                               | Comply. The PRM analog inputs have defined monotonicity, based on the design choice of analog-to-digital converter made for each specific module. See Item 4.3.2.1 in this table. The OPRM has no analog inputs.                         |
| 4.3.2.1.B  | Number of Channels. Each analog input module shall provide a minimum of four input channels.                                                                                                                                                                                                                       | The LPRM and SQ-ROOT modules include analog inputs. Both modules are monotonic to $\pm 1/2$ LSB. See Item 4.3.2.1 in this table. The LPRM module has one analog input channel and the FLOW module has one analog input channel.          |
| 4.3.2.1.C  | Over Range. The converted value of each analog<br>input module shall remain at its maximum value for<br>over range inputs up to twice rated.                                                                                                                                                                       | The LPRM and SQ-ROOT modules take specific, appropriate actions when presented with an overrange condition.                                                                                                                              |
| 4.3.2.1.D  | Under Range. The converted value of each analog<br>input module shall remain at its minimum value for<br>low range inputs up to the negative of the rated input<br>value.                                                                                                                                          | The LPRM and SQ-ROOT modules take specific, appropriate actions when presented with an underrange condition.                                                                                                                             |


| Section No  | Summary of EPRI TR-107330 Requirements                                                                                                                                        | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                             |
|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|             |                                                                                                                                                                               | (or N/A)                                                                                                                                                                                                                                                                                                                |
| 4.3.2.1.E   | Out of Range Indication. Over and under range<br>conditions shall be indicated in a manner available to<br>the application program.                                           | The LPRM and SQ-ROOT modules take appropriate action when presented with these conditions.                                                                                                                                                                                                                              |
| 4.3.2.1.1   | Voltage Input Requirements.                                                                                                                                                   | N/A. There are no analog voltage inputs in the PRM or OPRM system.                                                                                                                                                                                                                                                      |
| 4.3.2.1.2   | Current Input Requirements. (section heading)                                                                                                                                 | No requirement                                                                                                                                                                                                                                                                                                          |
| 4.3.2.1.2.A | Analog Current Input Module Ranges. The PLC shall include analog current input modules with ranges of: 4 to 20 mA and 10 to 50 mA or 0 to 50 mA.                              | Comply. The PRM FLOW analog input range of 4 to 20 mA is designed to interface with industry standard Flow transmitters. The LPRM input range of 0 to 3 mA is designed to interface with the conventional standard LPRM detectors. The required analog input design specifications are, therefore, known and satisfied. |
| 4.3.2.1.2.B | Analog Current Input Module Accuracies. Overall accuracies shall be $\pm 0.35\%$ of the specified range.                                                                      | Comply. The PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters, with accuracies appropriate for the specific application. The required analog input design specifications are, therefore, known and satisfied.                                                     |
| 4.3.2.1.2.C | Analog Current Input Module Resolution. The minimum resolution shall be 12 bits. | Comply. The analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters. The LPRM and FLOW modules convert analog input signals to 12-bit data. The required analog input design specifications are, therefore, known and satisfied. |
| 4.3.2.1.2.D | Analog Current Input Module Common Mode<br>Voltage. The common mode voltage capability<br>shall be at least 10 volts.                                                         | Comply. The PRM analog inputs are not general purpose. The PRM analog inputs are appropriately isolated, and self-powered.                                                                                                                                                                                              |
| 4.3.2.1.2.E | Analog Current Input Module Common Mode<br>Rejection Ratio. The common mode rejection<br>ratio shall be at least 90 dB.                                                       | N/A. For the PRM, the current inputs are not transformed to voltage by external resistors. This requirement is not applicable.                                                                                                                                                                                          |
| 4.3.2.1.2.F | Analog Current Input Module Response Time. The overall response time of the analog current input modules must support the response time requirement given in Section 4.2.1.A. | (See Item 4.2.1.A Response Time in this table.)                                                                                                                                                                                                                                                                         |
| 4.3.2.1.2.G | Analog Current Input Module Group-to-Group<br>Isolation. The group-to-group isolation shall be at<br>least $\pm$ 30 volts peak for 4 to 20 mA inputs.                         | Comply. The FLOW analog current inputs are grouped by unit. The unit to unit isolation is assured by fiber optic cable.                                                                                                                                                                                                 |
| 4.3.2.1.2.H | Analog Current Input Module Class 1E to Non-1E<br>Isolation. The Class 1E to Non-1E isolation<br>capability shall meet the requirements of Section<br>4.6.4.                  | N/A. Since there is no system-specific requirement to accept nonsafety analog data into a safety system, the analog input modules do not perform Class 1E to Non-Class-1E isolation.                                                                                                                                    |
| 4.3.2.1.2.I | Analog Current Input Module Surge Withstand.<br>Surge withstand shall be as given in Section 4.6.2. | (See Item 4.6.2 Surge in this table.) |
| 4.3.2.1.2.J | Analog Current Input Module Input Impedance.<br>The input impedance shall be 250 ohms maximum.                                                                                                                                 | Comply. The PRM analog inputs are designed to interface with industry standard LPRM detectors and Flow transmitters.                                                                                  |
| 4.3.2.1.3   | RTD Input Requirements.                                                                                                                                                                                                        | N/A. There is no RTD input in the PRM or OPRM system.                                                                                                                                                 |
| 4.3.2.1.4   | Thermocouple Input Requirements. | N/A. There is no Thermocouple input in the Toshiba NRW-FPGA-based PRM or OPRM system. |
| 4.3.2.2     | Discrete Input Requirements. The PLC shall<br>include modules that provide discrete inputs. Each<br>module shall provide a minimum of 8 input channels<br>and include indicators that show the ON/OFF status<br>of each point. | Comply. The Toshiba designs provide appropriate discrete input capabilities to meet the specific system needs. The DIO module does not include input channel status ON/OFF indicators for each point. |
| 4.3.2.2.1   | Discrete AC Input Requirements.                                                                                                                                                                                                | N/A. The PRM or OPRM hardware does not include Discrete AC input.                                                                                                                                     |
| 4.3.2.2.2   | Discrete DC Input Requirements. (section heading)                                                                                                                                                                              | No requirement                                                                                                                                                                                        |
| 4.3.2.2.2.A | Discrete DC Input Module Types. The PLC shall<br>include discrete DC input modules for nominal inputs<br>of 125 VDC, 24 VDC, 15 VDC and 12 VDC.                                                                                | Comply. Qualified relays will be used to interface to plant inputs when the input voltages do not match the DIO capabilities. See Item 4.8 in this table.                                             |
| 4.3.2.2.2.B | Discrete DC Input Module ON Transition. The<br>input must transition to ON at 90 VDC max. (125<br>VDC input) or 20 VDC max. (24 VDC input).                                                                                    | Comply. Qualified relays will be used to interface to plant inputs when the input voltages do not match the DIO capabilities. See Item 4.8 in this table.                                             |
| 4.3.2.2.2.C | Discrete DC Input Module OFF Transition. The<br>input must transition to OFF between 65 to 25 VDC<br>(125 VDC input) or 15 to 6 VDC (24 VDC input).                                                                            | Comply. Qualified relays will be used to interface to plant inputs when the input voltages do not match the DIO capabilities. See Item 4.8 in this table.                                             |
| 4.3.2.2.2.D | Discrete DC Input Module Operating Range. The<br>module must operate for inputs up to at least 150<br>VDC (125 VDC input) or 40 VDC (24 VDC input).                                                                            | Comply. Qualified relays will be used to interface to plant inputs when the input voltages do not match the DIO capabilities. See Item 4.8 in this table.                                             |
| 4.3.2.2.2.E | Discrete DC Input Module Response Time. The<br>overall response time of the discrete DC input<br>modules must support the response time requirement<br>given in Section 4.2.1.A.                                               | (See Item 4.2.1.A, Response Time of this table)                                                                                                                                                       |
| 4.3.2.2.2.F | Discrete DC Input Module Group-to-Group Isolation.<br>The group-to-group isolation shall be at least 600<br>volts peak for 125 VDC inputs or 40 volts peak for<br>24 VDC inputs. | Comply. Discrete inputs are grouped by unit. The unit to unit isolation is assured by fiber optic cable. |
| 4.3.2.2.2.G | Discrete DC Input Module Class 1E to Non-1E<br>Isolation. The Class 1E to Non-1E isolation<br>capability shall meet the requirements of Section<br>4.6.4. | (See Item 4.6.4, Class 1E to Non-1E Isolation in this table.) |
| 4.3.2.2.2.H | Discrete DC Input Module Surge Withstand. Surge withstand shall be as given in Section 4.6.2.                                                                                                                                | (See Item 4.6.2, Surge in this table.)                                                                                                                                                                                                                                                                                  |
| 4.3.2.2.3   | TTL Input Requirements.                                                                                                                                                                                                      | N/A. There are no TTL inputs in the PRM or OPRM.                                                                                                                                                                                                                                                                        |
| 4.3.2.3     | Other Inputs. (section heading) | No requirement |
| 4.3.2.3.1   | Pulse Input Requirements.                                                                                                                                                                                                    | N/A. There are no pulse inputs in the PRM or OPRM.                                                                                                                                                                                                                                                                      |
| 4.3.3       | Output Requirements. (section heading)                                                                                                                                                                                       | No requirement                                                                                                                                                                                                                                                                                                          |
| 4.3.3.1     | Analog Output Requirements. The PLC shall include modules that provide analog outputs.                                                                                                                                       | Comply. The PRM System analog outputs are to the plant data recorders and computer. The analog outputs are provided through qualified 1E to non-1E isolators. The PRM system can also provide communication links with a richer data stream, eliminating the requirement for calibration of these extra analog outputs. |
| 4.3.3.1.A   | Monotonicity. The analog outputs shall be<br>monotonic to $\pm 1/2$ LSB. | Comply. The AO module outputs are monotonic to $\pm 1/2$ LSB. |
| 4.3.3.1.B   | Number of Channels. Each analog output module shall provide a minimum of four output channels.                                                                                                                               | Comply. The AO module has sixteen output ports.                                                                                                                                                                                                                                                                         |
| 4.3.3.1.1   | Analog Voltage Output Requirements. (section heading)                                                                                                                                                                        | No requirement                                                                                                                                                                                                                                                                                                          |
| 4.3.3.1.1.A | Analog Voltage Output Module Ranges. The PLC<br>shall include analog voltage output modules with<br>ranges of: 0 to 10 VDC, -10 to 10 VDC and 0 to 5<br>VDC. The PLC shall provide differential outputs<br>for these ranges. | Comply. The voltage output type AO module ranges are 0 to 5 volts, 0 to 1 volt, and 0 to 160 millivolts, as appropriate, to match the requirements of the plant interface.                                                                                                                                              |

| Section No  | Summary of EPRI TR-107330 Requirements                                                      | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|-------------|---------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.3.3.1.1.B | Analog Voltage Output Module Accuracy. Overall accuracy shall be $\pm 0.3\%$ of full range. | Comply. The Toshiba designs provide appropriate accuracy to meet the specific system needs.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 4.3.3.1.1.B | Analog Voltage Output Module Accuracy. Overall<br>accuracy shall be ± 0.3% of full range.   | Comply.       The Toshiba designs provide appropriate accuracy to meet the specific system needs.         The analog output accuracy of the PRM system are as follows:       1.         LPRM function       a. The LPRM drift over a period of two weeks does not exceed []% full scale (FS) at control room environmental conditions.         b.       The LPRM input-and-output linearity (inaccuracy) is within []% FS.         b.       The LPRM input-and-output linearity are measured from the LPRM input current to the LPRM output through the AO module.         2.       The LPRM drift and linearity are measured from the LPRM input current to the LPRM output through the AO module.         2.       APRM function         a.       The APRM drift over a period of two weeks does not exceed []% FS.         c.       The LPRM drift and linearity are measured from the LPRM input current to the LPRM output through the AO module.         2.       APRM function         a.       The APRM drift over a period of two weeks does not exceed []% FS.         b.       The APRM function is designed such that, at control room environmental conditions, trip accuracy is as follows:         Scram signal:       Scram signal:         within []% FS       % FS |
|             |                                                                                             | Rod withdrawal signals:<br>Within $\begin{pmatrix} a, c \\ b'' FS (FLOW: [ b'' b''])'''' b''''''''''''''''''''''''$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|             |                                                                                             | <ul> <li>Note: 1. FS is from 0% to 125% reactor power.</li> <li>2. The APRM drift, linearity, and trip accuracy are measured from the LPRM input current to the APRM output through the AO module.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

- - -

Nuclear Energy Systems & Services Division

. \_\_\_\_ \_\_\_

-- ---

| Section No  | Summary of EPRI TR-107330 Requirements                                                                                                                                                   | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                        |
|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|             |                                                                                                                                                                                          | (or N/A)                                                                                                                                                                                                                                                                                                                                                           |
| 4.3.3.1.1.B |                                                                                                                                                                                          | 3. FLOW function                                                                                                                                                                                                                                                                                                                                                   |
| (continued) | (continued)                                                                                                                                                                              | a. The FLOW function is designed such that, at control room environmental conditions, the drift over a period of two weeks shall not exceed $\pm 1.0$ %FS.                                                                                                                                                                                                         |
|             |                                                                                                                                                                                          | b. The FLOW function is designed such that the input-and-output linearity (inaccuracy) and the trip accuracy at control room environmental conditions are as follows.<br>Within []% FS (FLOW: []%)<br>Within []% FS (FLOW: []%)<br>Within []% FS (FLOW: []%) |
|             |                                                                                                                                                                                          | c. The trip reset point is []% FS below trip set point. |
|             |                                                                                                                                                                                          | Note:                                                                                                                                                                                                                                                                                                                                                              |
|             |                                                                                                                                                                                          | 1. FS is from 0% to 125% recirculation flow.                                                                                                                                                                                                                                                                                                                       |
|             |                                                                                                                                                                                          | 2. The FLOW drift and linearity are measured from the FLOW unit input current to the FLOW output through the AO module.                                                                                                                                                                                                                                            |
|             |                                                                                                                                                                                          | The drift is conservatively evaluated in the overall accuracy from the input to the output through the AO module.                                                                                                                                                                                                                                                  |
|             |                                                                                                                                                                                          | 4. The OPRM has no analog output.                                                                                                                                                                                                                                                                                                                                  |
| 4.3.3.1.1.C | Analog Voltage Output Module Resolution. The minimum resolution shall be 12 bits.                                                                                                        | Comply. The Toshiba NRW-FPGA-based PRM analog outputs are designed to interface with the plant data recorders and computer. The required analog output design specifications are, therefore, known and satisfied. |
| 4.3.3.1.1.D | Analog Voltage Output Module Load Impedance.<br>The outputs shall support a load impedance of<br>1 Kohm or less.                                                                         | Comply. The Toshiba NRW-FPGA-based PRM analog outputs are designed to interface with the plant data recorders and computer. The required analog output design specifications are, therefore, known and satisfied. |
| 4.3.3.1.1.E | Analog Voltage Output Module Response Time.<br>The overall response time of the analog voltage<br>output modules must support the response time<br>requirement given in Section 4.2.1.A. | (See Item 4.2.1.A, Response Time of this table.)                                                                                                                                                                                                                                                                                                                   |
| 4.3.3.1.1.F | Analog Voltage Output Module Isolation. The group-to-group, module-to-module and module to backplane isolation shall meet the requirements of Section 4.6.4.                             | Comply. Analog voltage outputs are not grouped in the modules. The AO module outputs are isolated from the unit middle plane using photo couplers and a DC/DC converter.                                                                                                                                                                                           |
| 4.3.3.1.1.G | Analog Voltage Output Module Surge Withstand.<br>Surge withstand shall be as given in Section 4.6.2.                                                                                     | (See Item 4.6.2, Surge in this table.)                                                                                                                                                                                                                                                                                                                             |
| 4.3.3.1.2   | Current Output Requirements.                                                                                                                                                             | N/A. The AO modules do not include current output.                                                                                                                                                                                                                                                                                                                 |

| Section No  | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                    | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                |
|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.3.3.2     | Discrete Output Requirements. The PLC shall include modules that provide discrete outputs.                                                                                                                                | Comply. The discrete input and output module receives discrete signals from external equipment and provides discrete outputs to external equipment. Signals are routed through the unit middle plane in the unit. |
| 4.3.3.2.A   | Number of Channels. Each module shall provide a minimum of 8 output channels.                                                                                                                                             | Comply. The discrete input and output module has 16 output ports.                                                                                                                                                      |
| 4.3.3.2.B   | Leakage Current. Leakage current in the OFF state<br>of non-supervised (no internal ring back) modules<br>shall be less than 80% of the minimum current<br>needed to turn ON any digital input module.                    | Comply. Photo couplers between the unit middle plane and the DIs of the DIO module are provided to isolate the unit and other modules. Photo MOS relays are provided for DOs of the DIO module for isolation.          |
| 4.3.3.2.C   | Output Circuit Interrupter. Outputs must include a circuit interrupter.                                                                                                                                                   | Comply. The DIO modules do not include output circuit interrupters. Toshiba will provide appropriate interrupters when installed, as required by the customer.                                                         |
| 4.3.3.2.D   | Status Indication. Modules must include indicators that show the ON/OFF status of each point.                                                                                                                             | Partially Comply. The DIO module does not include output channel status ON/OFF indicators for each point.<br>However, the module on the front panel that uses the discrete inputs does provide such visual indication. |
| 4.3.3.2.1   | Discrete AC Output Requirements.                                                                                                                                                                                          | N/A. There is no discrete AC output in the PRM or OPRM. AC outputs can be created through use of DC outputs through a qualified relay, selected to meet the specific plant application needs.                          |
| 4.3.3.2.2   | Discrete DC Output Requirements. (section heading)                                                                                                                                                                        | No requirement                                                                                                                                                                                                         |
| 4.3.3.2.2.A | Discrete DC Output Module Types. The PLC shall<br>include discrete DC output modules for nominal<br>outputs of 125 VDC, 48 VDC, 24 VDC, 15 VDC and<br>12 VDC.                                                             | Comply. The DIO modules in PRM or OPRM are used to drive a qualified relay that is selected to meet the specific plant application needs (e.g., voltage). See also Item 4.8 of this table.                             |
| 4.3.3.2.2.B | Discrete DC Output Module Output Current. The outputs must operate with an output current between 50 mA and 0.5 amps with an inrush capability of at least 2 amps.                                                        | Comply. The DIO modules in PRM or OPRM are used to drive a qualified relay that is selected to meet the specific plant application needs (e.g., current). See also Item 4.8 of this table.                             |
| 4.3.3.2.2.C | Discrete DC Output Module ON State Voltage Drop.<br>The ON state voltage drop shall not exceed 2 VDC at 0.5 amps.                                                                                                         | Comply. The DIO modules in PRM or OPRM are used to drive a qualified relay that is selected to meet the specific plant application needs (e.g., voltage). See also Item 4.8 of this table.                             |
| 4.3.3.2.2.D | Discrete DC Output Module OFF State Leakage.<br>The OFF state leakage current shall not exceed 2 mA.                                                                                                                      | Comply. The DIO modules in PRM or OPRM are used to drive a qualified relay that is selected to meet the specific plant application needs. See also Item 4.8 of this table.                                             |
| 4.3.3.2.2.E | Discrete DC Output Module Operating Range. The<br>module points must operate for source inputs of 90 to<br>140 VDC min. (125 VDC output), 35 to 60 VDC<br>min. (48 VDC output), and 20 to 28 VDC min. (24<br>VDC output). | Comply. Qualified relays will be used to interface to plant inputs. See Item 4.8 of this table.                                                                                                                        |

| Section No  | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|-------------|----------------------------------------|----------------------------------------------------------|
| 4.3.3.2.2.F | Discrete DC Output Module Response Time. The overall response time of the discrete DC output modules must support the response time requirement given in Section 4.2.1.A. | (See Item 4.2.1.A, Response Time of this table.) |
| 4.3.3.2.2.G | Discrete DC Output Module Group-to-Group Isolation. The group-to-group isolation shall be at least twice nominal output. | Comply. Each PRM or OPRM System Discrete DC output module (DIO module) is designed to be isolated from other modules. |
| 4.3.3.2.2.H | Discrete DC Output Module Class 1E to Non-1E Isolation. The Class 1E to Non-1E isolation capability shall meet the requirements of Section 4.6.4. | Comply. Qualified relays will be used to meet the isolation requirements. See Item 4.6.4, Class 1E to Non-1E Isolation of this table. |
| 4.3.3.2.2.I | Discrete DC Output Module Surge Withstand. Surge withstand shall be as given in Section 4.6.2. | (See Item 4.6.2, Surge Withstand Capability of this table.) |
| 4.3.3.2.3   | Relay Output Requirements. | N/A. Toshiba will use commercially available qualified relays in the plants. |
| 4.3.3.2.4   | TTL Output Requirements. | N/A. There is no TTL output module in the Toshiba NRW-FPGA-based PRM or OPRM system. |
| 4.3.4       | Processor/Other System Component Requirements. (section heading) | No requirement |
| 4.3.4.1     | Processor Loop Time Requirements. Processor loop time shall support the response time requirement given in Section 4.2.1.A. | (See Item 4.2.1.A, Response Time of this table.) |
|             | Also, processor loop time shall be faster than the longer of the analog input conversion time or the period associated with 2.5 times the analog filter cutoff frequency. | Comply. The FPGA signal processing time is designed to provide outputs within the required response time. |
| 4.3.4.2     | Memory Capacity and Data Retention Capability Requirements. The memory capacity of the main processor shall provide sufficient memory to execute a single application program with the number of program elements given. | Comply. PRM and OPRM are application specific systems including the necessary logic in the FPGAs, and have sufficient size of data retention capacity in the FPGAs, EPROMs, EEPROMs, and SRAMs. |
|             | The memory used to contain the program shall be capable of retaining the information for a minimum of 6 months with no power applied. | Comply. The NRW-FPGA anti-fuse programmable logic is sufficient to hold the logic required for each FPGA. |
|             | Any memory used for field modifiable constants shall be capable of at least 100,000 write cycles. | Comply. Any EEPROM used for field modifiable constants is capable of at least 100,000 write cycles. |

| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.3.4.3    | Data Acquisition Requirements. The PLC shall be<br>capable of transferring information between the main<br>processor and I/O modules mounted in the same or<br>expansion chassis. The data transfer rate shall<br>support the response time requirement given in<br>Section 4.2.1.A. | Comply. Each unit of the PRM or OPRM is capable of transferring information between modules in the same unit.                                                                                                                                                                                                                                                              |
| 4.3.4.3.A  | Main Chassis Interconnect Device Operation. Devices used to interface remote or expansion chassis to the main chassis shall meet the range of environmental conditions given in Section 4.3.6. Failures of the chassis interconnect devices shall not defeat the ability to transfer data on the main chassis. | Comply. The PRM or OPRM system operates not only within the normal environmental condition in the located area, but also within the abnormal environmental conditions of anticipated transients and accidents, in order to preserve the safety system functions.<br>The PRM or OPRM units will be located in a mild environment such as the main control room, so only mild environmental conditions are considered.<br>Failures of one or more units shall not defeat any other unit's capability to transfer data. |
| 4.3.4.3.B  | Main Chassis Interconnect Device Failure. Failures<br>of the chassis interconnect devices shall not affect<br>memory capacity or main processor data retention.                                                                                                                      | Comply. The NRW-FPGA anti-fuse programmable logic is sufficient to hold the logic required for each FPGA.<br>Any memory devices in the PRM or OPRM are not connected to the middle planes (Main Chassis Interconnect devices). Thus, the memory devices are not affected by the failures of other units. Thus, failure of other units does not affect the FPGA logic. |
| 4.3.4.3.C  | Main Chassis Interconnect Device Loss of Power.<br>Loss of power to chassis interconnect devices shall<br>not defeat the ability to transfer data on the main<br>chassis or I/O on any other chassis.                                                                                | Comply. Loss of power to one module does not defeat the capability of other modules in the same unit.<br>Loss of power to one unit does not defeat the capability of other units. |
| 4.3.4.3.D  | Main Chassis Interconnect Device Class 1E to<br>Non-1E Isolation. The Class 1E to Non-1E<br>isolation capability shall meet the requirements of<br>Section 4.6.4.                                                                                                                    | Comply. Fiber optic cable inherently provides Class 1E to Non-1E isolation. Data isolation is provided by one-way transmission from safety to nonsafety.                                                                                                                                                                                                                   |
| 4.3.4.3.E  | Main Chassis Interconnect Device Surge Withstand.<br>Surge withstand shall be as given in Section 4.6.2.                                                                                                                                                                             | Comply. Fiber optic cable inherently provides surge protection.                                                                                                                                                                                                                                                                                                            |
| 4.3.4.3.F  | Main Chassis Interconnect Device Data Acquisition<br>Time. Data acquisition time shall be deterministic<br>or manufacturer shall provide information to<br>establish timing effect.                                                                                                  | Comply. Data acquisition of the LPRM module and Flow module is cyclic and sequential; thus, the data acquisition time of the PRM or OPRM system is consistent with the overall system response time. |
| 4.3.4.3.G  | Redundant Inter-Processor Data Acquisition<br>Backplane Busses. Descriptive information.                                                                                                                                                                                             | N/A. The PRM or OPRM hardware does not need redundant backplane busses.                                                                                                                                                                                                                                                                                                    |

| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.3.4.4    | Communication Port Requirements. The main processor shall provide at least one communication port. | N/A. Special purpose communication links are provided as necessary to meet system requirements. |
| 4.3.4.5    | Coprocessor Module Requirements. Detailed<br>requirements for coprocessors that may be installed<br>in I/O slots but contain local processing capability<br>independent of the main processor.                                   | N/A. There is no Coprocessor in the Toshiba NRW-FPGA-based PRM or OPRM system.                                                                                                                                                                                                                          |
| 4.3.4.6    | Chassis Requirements. Chassis must be suitable for<br>mounting in a standard 19 inch rack, and must have<br>adequate strength and provide positive hold down of<br>modules sufficient to meet seismic withstand<br>requirements. | Comply. Chassis that are used as the enclosure of the units are suitable for mounting in a standard 19 inch rack, and must have adequate strength and provide positive hold down for the modules. The chassis were qualified to be mounted in a 19 inch rack.<br>The chassis meets seismic requirements. |
| 4.3.4.7    | Backup Devices/Redundancy Requirements.<br>Descriptive information.                                                                                                                                                              | No requirement                                                                                                                                                                                                                                                                                          |
| 4.3.4.7.A  | Redundant Device Requirements. Transfer to a redundant device shall occur within the larger of the main processor scan cycle or three data conversion cycles of the failed module.                                               | Comply. Each PRM or OPRM unit has two LVPS modules that operate in parallel. Each LVPS module has enough capacity to supply power to all modules mounted in the chassis.                                                                                                                                |
| 4.3.4.7.B  | Redundant Device Requirements. Undetected<br>failures in redundant components shall be detectable<br>during periodic surveillance. | N/A. Failure of one of the redundant LVPS modules, as well as failure of one of the redundant optical communication links between units, is indicated in the STATUS module. Such failures are annunciated to the MCR. There are no undetected failures in redundant components. |
| 4.3.4.7.C  | Redundant Device Requirements. Diagnostics shall<br>not result in indeterminate failure states and<br>repetitive switching between redundant components. | N/A. The redundant LVPS modules or the redundant optical communication links between units operate in parallel, so repetitive switching between redundant LVPS modules or between redundant optical communication links does not occur. |
| 4.3.4.7.D  | Redundant Device Requirements. Requirements for effect of transfer mechanism operation on input/output module operation. | Comply. Any failure of a redundant LVPS module or of a redundant optical communication link between units causes no change in the analog input and output signals that exceeds the 5% requirement in EPRI TR-107330. |
| 4.3.5      | Programming Terminal Requirements. Special programming terminal hardware or software shall meet the requirements of Sections 4.4.4, 7.7.2 and 7.5.2.                                                                             | N/A. The Toshiba NRW-FPGA-based systems do not require end user programming terminal hardware or software.                                                                                                                                                                                              |
| 4.3.6      | Environmental Requirements. (section heading)                                                                                                                                                                                    | No requirement                                                                                                                                                                                                                                                                                          |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                            | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.3.6.1    | Normal Environmental Basic Requirements. The normal PLC operating environment is: | Comply.<br>Normal Environmental<br>Temperature Range: 16 to 40°C<br>Humidity Range: 40 to 95% non-condensing<br>Radiation Exposure: Up to 10Gy |
| 4.3.6.2    | Abnormal Environmental Basic Requirements. The abnormal PLC operating environment is: | Comply.<br>Abnormal Environmental<br>Temperature Range: 4 to 50°C<br>Humidity Range: 10 to 95% non-condensing<br>Radiation Exposure: Up to 10Gy |
| 4.3.6.3    | Environmental Withstand Specific Requirements.<br>PLC shall operate for the temperature/humidity<br>profile given in TR Figure 4-4 with operability as<br>given in Section 5.3. Evaluations may be used to<br>establish radiation withstand capability.                                                                                           | Comply. PRM and OPRM units were qualified using the temperature/humidity profile given in the EPRI TR-107330.<br>Environmental test results of the PRM are documented in Section III-2.2.1, and environmental test results of OPRM unit are documented in Section III-5.2.1.                                                                                                                                                                                                                                                                                                          |
| 4.3.7      | EMI/RFI Withstand Requirements. The PLC shall<br>withstand EMI/RFI levels given in EPRI TR-102323.<br>When exposed to the radiated and conducted test<br>levels, the PLC processors shall continue to function,<br>I/O data transfer shall not be interrupted, discrete I/O<br>shall not change state, analog I/O shall not vary more<br>than 3%. | Comply. The PRM and OPRM units are designed to minimize susceptibility to and generation of electromagnetic interference (EMI) and radio frequency interference (RFI).<br>The PRM and OPRM units were subjected to test for EMI/RFI conditions that conform to the guidelines given in RG 1.180, Revision 1.<br>The results of the susceptibility testing showed that the PRM and OPRM units continued to function correctly throughout all test exposure levels. For the emissions tests, the PRM and OPRM units were found to comply with the allowable equipment emissions levels. |
| 4.3.8      | Electrostatic Discharge (ESD) Withstand<br>Requirements. The PLC shall withstand ESD levels<br>given in EPRI TR-102323. | Comply. The PRM and OPRM instruments were qualified to cope with electrostatic discharges at a severity of Level 4 as specified in IEC 61000-4-2 (EPRI TR-107330 Section 4.3.8 and EPRI TR-102323, Appendix B, Section 3.5). |
| 4.3.9      | Seismic Withstand Requirements. PLC shall be<br>suitable for qualification as a Category 1 Seismic<br>device. The PLC shall meet performance<br>requirements during and after exposure to OBE and<br>SSE levels shown in TR Figure 4-5. Relay contacts<br>of relay output modules shall not chatter.                                              | Exception. For the PRM Units, the seismic test table was unable to meet the required seismic levels, but testing was performed to table limits (see Section III-2.2.2). For the OPRM unit, the seismic test satisfies the required seismic levels.                                                                                                                                                                                                                                                                                                                                    |


**Nuclear Energy Systems & Services Division** 


| Section No | Summary of EPRI TR-107330 Requirements                                                                        | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|------------|---------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.4        | Software/Firmware. (section heading)                                                                          | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 4.4.1      | Executive. (section heading)                                                                                  | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 4.4.1.1    | Background. Descriptive information.                                                                          | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 4.4.1.2    | Main Processor Executive Capability Requirements.<br>The main processor executive shall: (section heading) | No requirement.<br>This requirement is made for microprocessor-based platforms that use an executive. The FPGA implementation of the PRM and OPRM meets requirements "A" through "J" without using any executive. |
| 4.4.1.2.A  | A. Acquire inputs from the modules.                                                                           | Comply. FPGA acquires inputs from the modules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 4.4.1.2.B  | B. Implement the application program in a continuous loop.                                                    | Comply. FPGA implements the signal processing in a continuous cycle.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 4.4.1.2.C  | C. Load outputs to the modules.                                                                               | Comply. FPGA provides signal outputs.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 4.4.1.2.D  | D. Perform power-up and run time diagnostics. | Comply. Whenever power is applied to the PRM or OPRM module, the equipment is initialized by the power-on reset function.<br>All trip and alarm outputs remain de-energized and thus tripped until the initialization process has completed (about [ ]<sup>a,c</sup> ms). After initialization, the trip and alarm outputs assume the states indicated by calculations and bypass settings.<br>The power-on reset function is also executed when low power supply voltage is detected.<br>Each module is provided with a power supply monitoring IC, which provides about [ ]<sup>a,c</sup> ms of reset action and initial startup of the FPGA when the module is energized. In addition, it also executes a reset action when the power supply voltage continues to be low; the module remains in the initialization state and keeps all trip and alarm outputs tripped.<br>The PRM System is capable of performing run time diagnostics. |
| 4.4.1.2.E  | E. Manage communications. | Comply. The PRM and OPRM include dedicated function communication links to provide data to external systems. |
| 4.4.1.2.F  | F. Upload application programs.                                                                               | Comply. The FPGA used in the PRM and OPRM is non-rewritable and therefore this requirement does not apply.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 4.4.1.2.G  | G. Support on-line diagnostics, maintenance, and troubleshooting. | (See Items 4.4.6 and 4.7 in this table.) |
| 4.4.1.2.H  | H. Implement the application program functions.                                                               | N/A. Application logic is implemented in FPGAs on the PRM or OPRM modules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 4.4.1.2.I  | I. Perform power-up initialize functions.                                                                     | (See Section 4.4.1.2.D in this table.)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                   | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                       |
|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.4.1.2.J  | J. Implement redundancy functions. | Comply. The Toshiba NRW-FPGA-based PRM system does not use redundant I/O. Redundant power feeds and power supplies are provided. |
| 4.4.1.3    | Program Flow Control Requirements.                                                                                                                                                                                                                                                                                                       | Comply. Each execution of the PRM or OPRM application logic is preceded by an input module data request. The FPGA logic does not use interrupts.                                                                                                                                                                                  |
| 4.4.1.4    | Unintended/Unused Function Isolation<br>Requirements. Descriptive information.                                                                                                                                                                                                                                                           | Only functions that are used and documented are incorporated in the PRM and OPRM documentation on FPGAs.<br>The Software/Hardware development process (see Section I) through software life cycle assures the integrity against Unintended/Unused Function isolation.                                                             |
| 4.4.1.5    | Coprocessor Executive Capability.                                                                                                                                                                                                                                                                                                        | N/A. The PRM and OPRM do not use any coprocessors.                                                                                                                                                                                                                                                                                |
| 4.4.2      | Media Requirements. Software media provided by<br>the manufacturer shall be high quality and new.<br>CD-ROMS or 3-1/2 inch floppy disks are acceptable.<br>Packaging shall preclude damage during shipping.<br>Media shall be clearly labeled including revision and<br>serial number. Media shall include electronic<br>identification. | N/A. Logic (or software) for the PRM and OPRM is shipped in the FPGAs on the modules and is not shipped separately from the modules. Toshiba uses the Non-Rewritable (NRW)-FPGA, so Toshiba does not provide software media to utilities. |
| 4.4.3      | Ladder Logic Requirements.                                                                                                                                                                                                                                                                                                               | N/A. The PRM and OPRM application logic is written in VHDL hardware programming language.                                                                                                                                                                                                                                         |
| 4.4.4      | Software Tools Requirements. A tool shall be<br>provided for programming, debugging, and<br>documentation.                                                                                                                                                                                                                               | N/A. The PRM and OPRM are provided with permanently installed application specific logic, which does not need any software tools for programming, debugging, documentation, or maintenance. Toshiba does not provide end utilities software tools for changing programs.                                                          |
| 4.4.5      | Configuration Identification. (section heading)                                                                                                                                                                                                                                                                                          | No requirement                                                                                                                                                                                                                                                                                                                    |
| 4.4.5.1    | Configuration Identification Background.<br>Descriptive information.                                                                                                                                                                                                                                                                     | No requirement                                                                                                                                                                                                                                                                                                                    |
| 4.4.5.2    | Configuration Management Aids Requirements.<br>Descriptive information.                                                                                                                                                                                                                                                                  | No requirement                                                                                                                                                                                                                                                                                                                    |
| 4.4.5.2.A  | Configuration Management. The PLC executive shall include a retrievable, embedded electronic revision level.                                                                                                                                                                                                                             | Comply. The PRM or OPRM modules do not have an equivalent of a PLC executive. Toshiba provides an equivalent configuration management capability since each module type number defines the programmable logic version installed in that module. Changes to the programmable logic will generate a new, unique module type number. |
| 4.4.5.2.B  | Configuration Management. Configuration<br>information of configurable modules shall be<br>retrievable in the field. | N/A. The PRM and OPRM system reconfigurations are only accomplished through mechanical devices (switches or pushbuttons) provided on the hardware chassis. The only configuration updated and provided externally is the gain adjustment factors for LPRMs. |

| Section No             | Summary of EPRI TR-107330 Requirements                                                                                                                                                             | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                         |
|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.4.5.2.C              | Configuration Management. Software tools for modifying device configurations shall provide measures to prevent unauthorized access. | N/A. The PRM and OPRM system configuration cannot be modified by any software tool. |
| 4.4.5.2.D              | Configuration Management. PLC and support tools<br>shall provide capability to extract and record<br>database information, including program constants.                                            | N/A. The PRM and OPRM systems do not need to implement data bases and modifiable program constants. The only configuration provided externally is the gain adjustment factors for LPRMs, which are set from an external core monitoring system. |
| 4.4.5.2.E              | Configuration Management. All PLC devices that<br>include firmware shall be marked with an identifier<br>that includes revision level.                                                             | Comply. All modules and units of PRM and OPRM are marked with an identifier that includes revision level.                                                                                                                                       |
| 4.4.5.2.F              | Configuration Management. For PLCs with<br>redundancy, tools shall provide capability to confirm<br>that configurations are consistent.                                                            | N/A. The PRM and OPRM do not employ internal redundancy except LVPS modules. The Master Configuration List is the tool to manage the configuration items.                                                                                       |
| 4.4.6                  | Diagnostics Requirements. (section heading)                                                                                                                                                        | No requirement                                                                                                                                                                                                                                  |
| 4.4.6.1                | General Diagnostic Requirements. PLC must have<br>sufficient diagnostics and test capability to detect all<br>failures that could prevent the PLC from performing<br>its intended safety function. | Comply. The PRM and OPRM have diagnostic functions to detect failures that could prevent the FPGA equipment from performing its intended safety function.                                                                                       |
| 4.4.6.1<br>(continued) | Items 4.4.6.1.1 through 4.4.6.1.6 must be covered by<br>on-line self test. Items 4.4.6.1.7 and 4.4.6.1.8 must<br>be covered in power-up tests.                                                     | (See Items 4.4.6.1.1 through 4.4.6.1.8 in this table.)                                                                                                                                                                                          |
|                        | Short term diagnostics changes in module outputs<br>shall be 2 msec or less for DC outputs and 1/2 cycle<br>or less for AC outputs. Capability to disable these<br>diagnostics shall be provided.  | N/A. The output modules of PRM and OPRM do not use output short changes of state for self-test or diagnosis.                                                                                                                                    |
| 4.4.6.1.1              | Processor Stall. For PLCs with redundant<br>processors, the PLC shall detect processor stall and<br>halt operation of the failed processor.                                                        | Comply. The PRM and OPRM do not include redundant processors. However, failure of any FPGA to complete its required computations is detected and annunciated in the MCR.                                                                        |
| 4.4.6.1.2              | Executive Program Error. Check of executive firmware integrity using a checksum or similar test.                                                                                                   | N/A. The PRM and OPRM do not use executive firmware.                                                                                                                                                                                            |
| 4.4.6.1.3              | Application Program Error. Check of application program integrity using a checksum or similar test.                                                                                                | N/A. A checksum is verified during FPGA fusemap implementation. After programming, no additional checksums are possible, based on the FPGA internal configuration.                                                                              |
| 4.4.6.1.4              | Variable Memory Error. Read/Write memory test<br>by writing and reading back bit patterns that test both<br>states of all bits, or similar test.                                                   | Exception. The PRM does not use read/write memory, and the application cannot be modified. The AGRD and PBD modules of OPRM have a small SRAM to retain a small amount of processed temporal data. The values in the SRAM are protected by ECC. |


| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.4.6.1.5  | Module Communication Error. Check of communication data integrity. | Comply. The TRN and RCV modules implement data transmission checks, between units, through fiber optic cables.<br>The module receiving data from the other unit shall verify the periodic occurrence of the data transmissions, and the validity of transmitted data between units over fiber optic cables. The data is protected by CRC attached to the data.<br>Checking data transmission from the modules in the same unit: The APRM module in the PRM and the CELL module in the OPRM check the periodic transmission of the data frame from the TRN and the RCV modules in the same unit. The AGRD and PBD modules of the OPRM check the periodic transmission of the data frame from the CELL module. If a timeout error occurs, a Minor Failure alarm is generated. |
| 4.4.6.1.6  | Memory Battery Low. Check of memory battery capacity.                                                     | N/A. The PRM or OPRM system does not use any memory battery.                                                                                                                                                                                                                                                                                                                                                                   |
| 4.4.6.1.7  | Module Loss of Configuration. For software configurable modules, validate configuration.                  | N/A. The PRM or OPRM system does not use software configurable modules.                                                                                                                                                                                                                                                                                                                                                        |
| 4.4.6.1.8  | Failure of Watchdog Timer. Check of operation of watchdog timer. | Comply. Each module that has one or more FPGAs has one or two watchdog timers. Each watchdog timer can be checked for correct operation by the removal of a jumper. Watchdog timer time outs are detected and annunciated in the MCR. |
| 4.4.6.1.9  | Application not Executing. Failure to complete application program scan. | Comply. If a signal processing FPGA halts, the module containing the FPGA generates an inoperable signal. Failures of the Human Machine Interface (HMI) FPGAs do not generate an inoperable signal, but a Minor Failure Alarm, except for the LPRM module. The watchdog timers are external, not built into the FPGA logic, and do not depend on the clock signal used by the FPGA. See Item 4.4.6.1.8 in this table. |
| 4.4.6.1.10 | Analog Output not Following. Failure of analog<br>output to follow commanded value.                       | Comply. Failure of an analog output can be detected by an upscale or downscale alarm in the receiving equipment. For the AO module, failure to update the output would invoke the watchdog timer, with the result defined in Item 4.4.6.1.8 in this table.                                                                                                                                                                     |
| 4.4.6.1.11 | Analog Input not Responding. Failure of analog input to respond to input signal.                          | Comply. Failure of analog input can be detected by upscale or downscale alarm in the receiving equipment.                                                                                                                                                                                                                                                                                                                      |
| 4.4.6.1.12 | Discrete Input/Output not Responding. Failure of discrete input/output to operate correctly.              | N/A. The PRM or OPRM systems do not have functions to detect the failure of discrete inputs or outputs.                                                                                                                                                                                                                                                                                                                        |
| 4.4.6.1.13 | Analog I/O out of Calibration. Analog input or output point out of calibration.                           | Comply. For PRM System, range check of analog input value is conducted. Analog output calibration would be part of periodic surveillance.                                                                                                                                                                                                                                                                                      |
| 4.4.6.1.14 | Power Supply out of Tolerance. Power supply to PLC is interrupted or a chassis power supply module fails. | Comply. The Low Voltage Power Supply (LVPS) module monitors its output voltage. If the voltage of the LVPS becomes lower than the setpoint $-10\%\pm5\%$ in either of the LVPS modules, the STATUS module (PRM) or the DAT/ST module (OPRM) front panel provides the indication. |
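
The receive-side checks described in Item 4.4.6.1.5 (CRC validation of each frame plus a periodic-arrival timeout that raises a Minor Failure alarm), shown as an added C example that is not Toshiba's FPGA logic. The 46 x 16-bit frame size is taken from the module description; the CRC-16/CCITT-FALSE polynomial, the big-endian trailing CRC, the 30 ms timeout, the alarm-clearing behaviour and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FRAME_ITEMS   46                    /* from the page: 46 items of 16 bits */
#define PAYLOAD_BYTES (FRAME_ITEMS * 2)
#define FRAME_BYTES   (PAYLOAD_BYTES + 2)   /* assumption: CRC-16 appended, big-endian */
#define TIMEOUT_MS    30u                   /* assumption: three missed 10 ms periods */

typedef enum { LINK_OK, LINK_BAD_LENGTH, LINK_CRC_ERROR, LINK_TIMEOUT } link_status;

typedef struct {
    uint16_t items[FRAME_ITEMS];  /* last validated data; a bad frame never overwrites it */
    uint32_t last_good_ms;        /* arrival time of the last validated frame */
    unsigned rejected;            /* frames dropped by the length or CRC check */
    int      minor_failure;       /* alarm flag raised on timeout */
} link_monitor;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). The page does not name its CRC. */
uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)((uint16_t)*p++ << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Transmit side: pack the items big-endian and append the CRC over the payload. */
void build_frame(const uint16_t items[FRAME_ITEMS], uint8_t out[FRAME_BYTES])
{
    for (size_t i = 0; i < FRAME_ITEMS; i++) {
        out[2 * i]     = (uint8_t)(items[i] >> 8);
        out[2 * i + 1] = (uint8_t)(items[i] & 0xFFu);
    }
    uint16_t crc = crc16_ccitt(out, PAYLOAD_BYTES);
    out[PAYLOAD_BYTES]     = (uint8_t)(crc >> 8);
    out[PAYLOAD_BYTES + 1] = (uint8_t)(crc & 0xFFu);
}

void monitor_init(link_monitor *m, uint32_t now_ms)
{
    for (size_t i = 0; i < FRAME_ITEMS; i++) m->items[i] = 0;
    m->last_good_ms = now_ms;
    m->rejected = 0;
    m->minor_failure = 0;
}

/* Receive side: only a frame of the fixed length with a matching CRC is accepted.
 * A rejected frame does not refresh last_good_ms, so sustained corruption
 * eventually shows up as a timeout in monitor_poll(). */
link_status monitor_receive(link_monitor *m, const uint8_t *buf, size_t len, uint32_t now_ms)
{
    if (len != FRAME_BYTES) { m->rejected++; return LINK_BAD_LENGTH; }
    uint16_t sent = (uint16_t)((buf[PAYLOAD_BYTES] << 8) | buf[PAYLOAD_BYTES + 1]);
    if (crc16_ccitt(buf, PAYLOAD_BYTES) != sent) { m->rejected++; return LINK_CRC_ERROR; }
    for (size_t i = 0; i < FRAME_ITEMS; i++)
        m->items[i] = (uint16_t)((buf[2 * i] << 8) | buf[2 * i + 1]);
    m->last_good_ms = now_ms;
    m->minor_failure = 0;   /* assumption: alarm clears once valid frames resume */
    return LINK_OK;
}

/* Periodic check: no validated frame within TIMEOUT_MS raises the alarm flag.
 * Unsigned subtraction keeps the comparison correct across counter wrap. */
link_status monitor_poll(link_monitor *m, uint32_t now_ms)
{
    if ((uint32_t)(now_ms - m->last_good_ms) > TIMEOUT_MS) {
        m->minor_failure = 1;
        return LINK_TIMEOUT;
    }
    return LINK_OK;
}

/* Constructed sample data, not real plant values. */
void fill_sample(uint16_t items[FRAME_ITEMS])
{
    for (size_t i = 0; i < FRAME_ITEMS; i++) items[i] = (uint16_t)(i * 257u);
}

int main(void)
{
    uint16_t items[FRAME_ITEMS];
    uint8_t frame[FRAME_BYTES];
    link_monitor m;

    fill_sample(items);
    build_frame(items, frame);
    monitor_init(&m, 0);
    printf("good frame at 10 ms    -> %d\n", monitor_receive(&m, frame, sizeof frame, 10));
    frame[7] ^= 0x01;   /* single bit error on the link */
    printf("corrupt frame at 20 ms -> %d\n", monitor_receive(&m, frame, sizeof frame, 20));
    link_status s = monitor_poll(&m, 41);
    printf("poll at 41 ms          -> %d (minor_failure=%d)\n", s, m.minor_failure);
    return 0;
}
```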


| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.4.6.2    | On-Line Self-Test Requirements. On-line self-tests shall cover at least items 4.4.6.1.1 through 4.4.6.1.6 above. Results shall be made available to the application program. | (See Items 4.4.6.1.1 through 4.4.6.1.6 in this table.) |
| 4.4.6.3    | Power Up Diagnostics Requirements. Power up diagnostics shall include all on-line self tests, configuration verification, and test of failure to complete a scan. Application program execution shall be inhibited if power up diagnostics detect a failure. | Comply. Whenever power is applied to the PRM or OPRM module, the equipment is initialized by the power on reset function.<br>All trip and alarm outputs remain de-energized and thus tripped until the initialization process has completed (about [ ]ms). After initialization, the trip and alarm outputs assume the states indicated by calculations and bypass settings.<br>Power on reset function is also executed when the power supply low voltage is detected.<br>Each module is provided with the power supply monitoring IC, which provides about [ ]ms reset action and initial startup of FPGA at the time when the module is energized. In addition, it executes a reset action also at the time when the power supply voltage lowers, i.e. if the power supply low voltage continues to be low, the module remains in initialization state, and keeps all trip and alarm outputs tripped.<br>The PRM System is capable of performing run time diagnostics. |
| 4.4.7      | Data and Data Base. (section heading)                                                                                                                                                                                                                                                               | No requirement.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| 4.4.7.1    | The data base resident in a PLC are those items<br>necessary to cause the application program to operate<br>as designed or to establish the configuration and/or<br>types of I/O modules connected to the PLC. | N/A. The Toshiba NRW-FPGA-based PRM or OPRM does not have a resident data base for the application program. |
| 4.4.7.2 A  | The PLC shall support usage of user-defined program<br>constants that are contained in non-volatile memory.<br>For redundant systems, features shall be provided to<br>confirm that the constants in redundant processors<br>are the same.                                                          | Comply. The PRM and OPRM have non-volatile memory to store constants. The PRM and OPRM do not have redundant processors.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 4.4.7.2 B  | The PLC shall provide functions to permit reading<br>and modifying the constants in the application<br>program. For redundant systems, features shall be<br>included to assure that the modification of constants<br>is consistent between the redundant processors. | Comply. The FPGA logic used in the PRM and OPRM has functions to read and modify constants, but does not have any function to modify the constants because it is unnecessary. The PRM and OPRM do not have redundant processors. |
| 4.4.7.2 C  | The PLC shall provide features to prevent<br>modifications to the local data table over peer-to-peer<br>communication paths and any other on-line<br>communication paths.                                                                                                                           | Comply. In the PRM and OPRM, constants stored in non-volatile memory cannot be modified over any kind of on-line communication path, and the communication paths do not support any messages other than the pre-defined data transfer messages, which are not programmed or designed to modify constants.                                                                                                                                                                                                                                                                                                                                                                                                       |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                   |
|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.4.7.2 D  | The PLC shall provide features to permit transmitting<br>inputs, outputs, and calculated values to other devices<br>over a serial port.                                                               | Comply. The PRM and OPRM can transmit inputs, outputs, status, and calculated values to other devices over a (serial) fiber optic communication link.                                                                                                                                                     |
| 4.4.8      | Other Non-Ladder Logic Programming Languages.                                                                                                                                                         | N/A. The PRM and OPRM application logic will be designed in VHDL, which is a specific hardware programming language.                                                                                                                                                                                      |
| 4.4.9      | Sequence of Events Processing Requirements.                                                                                                                                                           | N/A. The PRM and OPRM are provided with an application specific logic. Sequence of events logic is not provided in the PRM or OPRM, but can be created in external systems based on data sent by the PRM and OPRM.                                                                                        |
| 4.4.10     | System Integration Requirements. An appropriate level of system integration and integration testing shall be applied to the test specimen and TSAP.                                                   | (See Item 5.2.C in this table.)                                                                                                                                                                                                                                                                           |
| 4.5        | Human/Machine Interface (HMI). (section heading)                                                                                                                                                      | No requirement                                                                                                                                                                                                                                                                                            |
| 4.5.1      | Human/Machine Interface (HMI) Background.<br>Descriptive information.                                                                                                                                 | No requirement                                                                                                                                                                                                                                                                                            |
| 4.5.2      | Requirements for Human/Machine Interface<br>Functions. Descriptive information.                                                                                                                       | No requirement                                                                                                                                                                                                                                                                                            |
| 4.5.2.A    | HMI Functions. PLC shall support switching a loop<br>controller between manual and automatic via switch<br>inputs. For control loops with integral action,<br>auto/manual tracking shall be provided. | N/A. The PRM and OPRM applications do not include loop controller logic. |
| 4.5.2.B    | HMI Functions. PLC shall support setpoint<br>adjustments via switch inputs. Adjustments shall<br>include increase, decrease, and rate of change of<br>setpoint.                                       | Comply. The PRM and OPRM setpoints are adjustable by a technician during equipment maintenance or an operator during periodical surveillance service. The PRM and OPRM support setpoint adjustments of equipment on the front panel. Adjustments include increasing and decreasing the selected setpoint. |
| 4.5.2.C    | HMI Functions. PLC shall support manual<br>initiation of equipment via switch inputs. PLC shall<br>support detection of manually initiated equipment.                                                 | N/A. The PRM or OPRM does not require manual initiation of equipment.                                                                                                                                                                                                                                     |
| 4.5.2.D    | HMI Functions. PLC shall support display of status<br>of discrete and continuous value parameters via<br>connected devices. | Comply. Status of discrete and continuous value parameters is shown on the front panel indication on each module. |


| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|---------------------------------------------------------|
| 4.5.2.E    | HMI Functions. PLC shall support sending<br>information to a serial port device. Information sent<br>shall include input, output and internal variable<br>values, on-line diagnostics, sequence of events (SOE)<br>data, and results of calculations, comparisons and bit<br>manipulations. | Comply. The PRM or OPRM does not support sending information to a serial port device. Instead, the PRM and OPRM provide fiber optic communication ports, running a defined protocol, sending defined datasets to external safety or nonsafety systems. |
| 4.5.3      | Requirements for Interactive Features. The PLC<br>shall provide mechanisms to prevent unauthorized<br>access to or inadvertent use of on-line functions.                                                                                                                                    | N/A. The PRM and OPRM are provided with an application specific logic that cannot be modified. This feature is not required. A keylock switch is provided for each module to prevent inadvertent setpoint changes.                                                                                       |
| 4.5.4      | Requirements for Operator Action System Response<br>Times. For any operator action that requires PLC<br>confirmation, the PLC shall include features to<br>enable confirmation within 0.5 seconds. | Comply. Operator action that requires FPGA processing is executed sequentially with rapid response to operator action. For operator actions that require confirmation, the HMI FPGAs in each module providing the required processing ensure quick response. |
| 4.5.5      | Display Requirements. Status shall be easily visible.                                                                                                                                                                                                                                       | Comply. Status of each function is shown on the indicators on the front panel of each module.                                                                                                                                                                                                            |
| 4.5.6      | Alarm Processing Requirements. Descriptive information.                                                                                                                                                                                                                                     | No requirement                                                                                                                                                                                                                                                                                           |
| 4.5.6.A    | Alarm Processing. PLC shall have ability to compare inputs or derived parameters to setpoints.                                                                                                                                                                                              | Comply. The PRM and OPRM have ability to compare the signal input and calculated values to appropriate setpoints, and generate alarms or trip signals.                                                                                                                                                   |
| 4.5.6.B    | Alarm Processing. PLC shall have ability to latch<br>an alarm condition and reset based on alarm reset<br>condition.                                                                                                                                                                        | Comply. The PRM and OPRM have ability to latch alarm conditions and reset based on alarm reset conditions. The module front panels of the PRM and OPRM provide a manual reset button to perform this action.                                                                                             |
| 4.5.6.C    | Alarm Processing. PLC shall have ability to blink<br>an output indicator.                                                                                                                                                                                                                   | Exception. The PRM and OPRM have the ability to provide an alarm signal to the plant annunciator which has the capability to flash an annunciator. The front panel HMI LEDs on the PRM and OPRM modules do not blink.                                                                                    |
| 4.5.6.D    | Alarm Processing. PLC shall have ability to acknowledge an alarm. | Exception. The PRM and OPRM provide alarm signals that lock in until the alarm condition clears and is reset.<br>All alarm acknowledgements are performed by the external annunciator system and not by the Toshiba safety equipment. |
| 4.5.6.E    | Alarm Processing. Application program shall have ability to capture results of self-diagnostics.                                                                                                                                                                                            | Exception. The PRM or OPRM does not use an application program to capture results of self-diagnostics. When a failure is detected, inoperable signal or minor failure alarm is generated, which is latched by the detected condition, and indicated on the module detecting the self-diagnostic failure. |
| 4.5.6.F    | Alarm Processing. Application program shall have<br>ability to store results of items A through E in a<br>buffer and transmit the data via a communication<br>port.                                                                                                                         | Exception. Alarms and internal conditions are transmitted on the fiber optic output link to external safety or nonsafety systems.                                                                                                                                                                        |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                          | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                    |
|------------|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.5.7      | Hard Manual Backup. Descriptive information.                                                                                    | No requirement                                                                                                                                                                                                                             |
| 4.6        | Electrical. (section header)                                                                                                    | No requirement                                                                                                                                                                                                                             |
| 4.6.1      | Power Supply Requirements. (section heading)                                                                                    | No requirement                                                                                                                                                                                                                             |
| 4.6.1.1    | PLC Power Sources and Power Supply<br>Requirements. Descriptive information.                                                    | No requirement                                                                                                                                                                                                                             |
| 4.6.1.1.A  | Power supplies. AC sources shall operate from at least 90 VAC to 150 VAC and 57 to 63 Hz.                                       | Comply. The PRM and OPRM operate on an AC source range of 90 to 150 VAC and frequency range of 57 to 63 Hz (EPRI TR-107330 Section 4.6.1).                                                                                                 |
|            | AC sources shall operate at the temperature and humidity range given in Section 4.3.6.                                          | Each LVPS module is capable of supplying 1.2 times the bus loading in a fully loaded main chassis.<br>The LVPS modules operate under the qualified temperature and humidity of the main control room as demonstrated<br>during EQ testing. |
| 4.6.1.1.B  | Power supplies. DC sources shall operate from at least 20.4 VDC to 27.6 VDC.                                                    | N/A. The PRM or OPRM configuration was not qualified with DC power sources.                                                                                                                                                                |
|            | DC sources shall operate at the temperature and humidity range given in Section 4.3.6.                                          |                                                                                                                                                                                                                                            |
| 4.6.1.1.C  | Power supplies. DC sources shall operate for seven days from a 30VDC source.                                                    | N/A. The PRM or OPRM configuration was not qualified with DC power sources.                                                                                                                                                                |
| 4.6.1.1.D  | Power supplies. Power supplies shall be capable of supplying 1.2 times bus loading for a fully loaded main chassis. | Comply. The PRM and OPRM operate on an AC source range of 90 to 150 VAC and frequency range of 57 to 63 Hz (EPRI TR-107330 Section 4.6.1).<br>Each LVPS module is capable of supplying 1.2 times the bus loading in a fully loaded main chassis. |
| 4.6.1.1.E  | Power supplies. Power supplies shall be capable of supplying 1.2 times bus loading for a fully loaded expansion chassis. | N/A. The PRM or OPRM does not support or require an expansion chassis. |
| 4.6.1.1.F  | Power Sources. Hold up time for AC sourced power supplies shall be 40 msec.                                                     | Comply. During Hold up time for AC power sources (40 msec), discrete I/O values do not change and analog I/O values do not change, which is within the EPRI TR-107330 requirement for less than a 5% of full scale change.                 |
| 4.6.1.1.G  | Power supplies. Power supplies shall meet the EMI/RFI, surge withstand and ESD requirements of Sections 4.3.7, 4.6.2 and 4.3.8. | (See Item 4.3.7 EMI/RFI in this table.)<br>(See Item 4.6.2 Surge in this table.)<br>(See Item 4.3.8 ESD in this table.)                                                                                                                    |
|            | Sources shall meet the grounding requirements of Section 4.6.8.                                                                 | (See Section 4.6.8 in this table.)                                                                                                                                                                                                         |
| 4.6.1.1.H  | Power supplies. Requirements for fan cooled power supplies.                                                                     | N/A. The PRM and OPRM system does not require or provide forced air cooling for the power supplies.                                                                                                                                        |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                      | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.6.1.1.I  | Power supplies. Faults in redundant power sources shall not prevent operation of the alternate supply.                                                                                                                                                                                                                                                                                                      | Comply. The failure of one of the redundant power supplies for more than 2 msec does not cause the discrete I/O values to change state and the analog I/O values do not change, which is within the EPRI TR-107330 requirements for less than 5% of full scale change.                                                                                                                                                                                                                                                                                                                                                        |
| 4.6.1.2    | Loop Power Supply Requirements. Power supply<br>modules shall be provided for external devices.<br>Modules shall provide at least 500 mA at 24 VDC.<br>The modules shall meet requirements A, B, C, F, G<br>and H above. | N/A. The PRM and OPRM do not provide Loop Power Supply. The FLOW inputs are powered from external sources. |
| 4.6.2      | Surge Withstand Capability Requirements. PLC<br>platform shall withstand IEEE Std C62.41 ring wave<br>and combination wave, 3000 volt peak surges.<br>Withstand capability applies to power sources,<br>analog and discrete I/O interfaces, and<br>communication port interfaces. Per Section 6.3.5,<br>surge testing shall be conducted in accordance with IEEE<br>Std C62.45. | Exception. Power sources meet surge withstand criteria. IEEE Std C62.45 does not address surge testing of I/O and communications circuits. External communications are on fiber optic links, which do not require surge withstand testing, as they are nonconductive. These circuits were tested in accordance with RG 1.180 Revision 1, IEC 61000-4-5, and IEC 61000-4-12. All circuits met EPRI TR-107330 Section 4.6.2 acceptance criteria. Section III-2.2.3.3 describes the results of the surge withstand capability test for the PRM system, and Section III-5.2.3.3 describes the results of the power surge test for the OPRM system. |
| 4.6.3      | Separation. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                        | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 4.6.4      | Class 1E/Non-1E Isolation Requirements. The PLC<br>modules shall provide isolation of at least 600 VAC<br>and 250 VDC applied for 30 seconds. Isolation<br>features shall conform to IEEE Std 384. Isolation<br>testing shall be performed on the modules. | Comply. Isolation capability of Class 1E to Non-Class 1E was tested with 600 VAC and 250 VDC applied for 30 seconds. Test level voltages were applied to the test points and the test specimen of the PRM units and OPRM unit operated normally during and after the application. |
| 4.6.5      | Cable/Wiring Requirements. Manufacturer shall<br>supply all PLC hardware interconnecting cabling.<br>All cabling shall be suitable for UL Class 2 service.<br>Specifically, withstand rating shall be larger of 3<br>times the signal level voltage or 150 volts.<br>Temperature rating shall be 60°C or greater.<br>Vendor shall identify the quantities of PVC type wire<br>and cable used in the system. | <ol> <li>Comply.</li> <li>The PRM and OPRM include all cabling and wiring necessary to connect and operate the units (and the system).</li> <li>All cables and connectors do not contain any polyvinylchloride (PVC).</li> <li>All cables are suitable for UL Class 2 service. Specifically, withstand rating shall be more than 3 times the signal level voltage or 150 volts.</li> <li>Temperature rating shall be 60°C or greater.</li> </ol>                                                                                                                                                                              |
| 4.6.6      | Termination Requirements. Modules shall be able<br>to be removed without disconnecting field wiring.                                                                                                                                                                                                                                                                                                        | Comply. Modules can be removed without disconnecting field wiring.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

| Section No                                                                                   | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                               | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                       |
|----------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                                              |                                                                                                                                                                                                                                                                                                                                                      | (or N/A)                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                              | Features shall be provided to substitute test signals or<br>monitoring instruments for field connections.<br>Connectors to the PLC shall have positive hold down<br>mechanisms.                                                                                                                                                                      | Comply. Test signals or monitoring instruments can be connected with PRM and OPRM units by connectors for field connections.                                                                                                                                                                                                                                                      |
|                                                                                              | Connectors and terminations to the PLC shall be qualified with the generic PLC.                                                                                                                                                                                                                                                                      | Comply. Any connectors and terminations to the units are included in qualification testing.                                                                                                                                                                                                                                                                                       |
| 4.6.7                                                                                        | Backup Power. Descriptive information.                                                                                                                                                                                                                                                                                                               | No requirement                                                                                                                                                                                                                                                                                                                                                                    |
| 4.6.8                                                                                        | Grounding/Shielding Requirements. The PLC<br>equipment shall meet IEEE Std 1050 and EPRI<br>TR-102323 grounding requirements. This includes<br>supporting connection to single point, multi-point<br>and floating ground systems, and providing separate<br>ground connection points on each chassis for AC<br>ground, DC ground, and signal ground. | Comply. The PRM and OPRM meet IEEE Std 1050 and EPRI TR-102323 grounding requirements. This includes supporting connection to single point, multi-point, and floating ground systems, and providing a ground connection point on each chassis.                                                                                                                                    |
|                                                                                              | The PLC equipment shall meet IEEE Std 1050 and                                                                                                                                                                                                                                                                                                       | Comply. The PRM and OPRM meet IEEE Std 1050 and R.G. 1.180 Revision 1 shielding requirements. This includes providing shielding connection points for the I/O module field terminations.                                                                                                                                                                                          |
| 4.7                                                                                          | Maintenance. (section heading)                                                                                                                                                                                                                                                                                                                       | No requirement                                                                                                                                                                                                                                                                                                                                                                    |
| 4.7.1                                                                                        | Maintenance Background. Descriptive information.                                                                                                                                                                                                                                                                                                     | No requirement                                                                                                                                                                                                                                                                                                                                                                    |
| 4.7.2                                                                                        | Diagnosis/Built-in Testability Requirements.<br>Descriptive information.                                                                                                                                                                                                                                                                             | No requirement                                                                                                                                                                                                                                                                                                                                                                    |
| 4.7.3                                                                                        | Module Replacement Requirements. The PLC shall contain features to aid in module replacement.                                                                                                                                                                                                                                                        | Comply. Each module is designed for easy access for removal and installation as documented in Section II-2.1.3.                                                                                                                                                                                                                                                                   |
|                                                                                              | The maintenance manual shall contain a description of any hardware configuration item for each module.                                                                                                                                                                                                                                               | Comply. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) include each hardware configuration item for each unit.                                                                                                  |
|                                                                                              | The module hold downs shall be easily accessible<br>and provide ease of removal and reinstallation.                                                                                                                                                                                                                                                  | Comply. The module is designed for easy access for removal and installation as documented in Section II-2.1.3.                                                                                                                                                                                                                                                                    |
| 4.7.4                                                                                        | Preventive Maintenance Requirements. Equipment<br>manuals shall contain preventive maintenance<br>information. Preventive maintenance shall also<br>include components identified in Section 4.7.8.2.                                                                                                                                                | Comply. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) include information for preventive maintenance, including air filter cleanliness, termination checks, power supply checks, and instrument ground checks. |

---

| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.7.5      | Surveillance Testing Requirements. The PLC shall support IEEE Std 338 surveillance testing. | Exception. Although the Toshiba NRW-FPGA-based PRM and OPRM do not support all the recommendations in the EPRI TR, the hardware does support the applicable requirements of IEEE Std 338 Surveillance Testing, including Channel Checks, Calibration Verification, Functional Tests, Time Response Tests, and Analog Trip Signal Tests. Section II-A-2.8 discusses surveillance capabilities of the PRM and OPRM. |
| 4.7.6      | Output Bypass/Control Devices. Descriptive information.                                                                                                                                                                                                                          | No requirement.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 4.7.7      | Hot Repair Capability. The PLC shall support<br>installing I/O modules with backplane power applied.<br>Low power modules shall support removal with field<br>power applied. When output modules are removed<br>from the backplane, the state of the outputs should be<br>known. | Exception. Since Toshiba's engineers concluded that the additional hardware required to support hot-swap will increase the module complexity unnecessarily, the PRM or OPRM does not support powered removal or installation of components with power applied.                                                                                                                                                                                                                                                                                          |
| 4.7.8      | Manufacturer System Life Cycle Maintenance.<br>(section heading)                                                                                                                                                                                                                 | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 4.7.8.1    | Parts Replacement Life Cycle Requirements. The baseline configuration of the qualified PLC shall be established.                                                                                                                                                                 | Comply. Configuration management is conducted in accordance with internal Toshiba procedures as documented in Section I-3.12 for the current process and Section I-A-4.9 for the original process. The design baseline of the qualified units is maintained in the configuration management. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) contain information on parts replacement. |
|            | Records shall be maintained for revision history and changes.                                                                                                                                                                                                                    | Comply. Each module has a type number as shown in Table II-2-6 in Section II-2.2.4. When there is a design change, the module type number is changed. The type number and all applicable configuration item data is maintained in configuration management.                                                                                                                                                                                                                                                                                             |
|            | Records shall be maintained for tracking failures.                                                                                                                                                                                                                               | Comply. Failures are controlled as nonconformance under the Toshiba QA program and are recorded and tracked.                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|            | Testing shall be performed as necessary to maintain a qualified platform based on future revisions or replacements.                                                                                                                                                              | Comply. Periodic surveillance testing will be performed as necessary to maintain a qualified platform based on future revisions or replacements.                                                                                                                                                                                                                                                                                                                                                                                                        |
| 1          | The information necessary fulfill these task shall be obtained from manufacturer.                                                                                                                                                                                                | Comply. The information necessary to fulfill these tasks shall be provided by Toshiba.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 4.7.8.2    | Component Aging Analysis Requirements. A<br>periodic surveillance and maintenance interval shall<br>be determined per IEEE Std 323 to account for any<br>significant aging mechanisms.                                                                                           | Comply. System specific periodic surveillance and maintenance intervals will be determined. There are no significant aging mechanisms, based on an evaluation of IEEE Std 323. The maintenance frequency is discussed in Section II-A-2.8.                                                                                                                                                                                                                                                                                                              |
| 4.7.9      | Maintenance Human Factors. Descriptive information.                                                                                                                                                                                                                              | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                   |
|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4.7.9.A    | Special PLC Manufacturer Equipment. The manufacturer shall provide documentation for PLC support equipment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | N/A. No special tools are required for routine maintenance of the PRM system.                                                                                                                                                                                                                                                                             |
| 4.7.9.B    | Test Equipment Connections. Test equipment<br>connections shall be supported by documentation and<br>hardware, including interconnection devices. The<br>manufacturer shall provide any special instruction for<br>use of test equipment connections.                                                                                                                                                                                                                                                                                                                                              | Comply. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) include information for maintenance, including requirements for measuring and test equipment and connection of M&TE.             |
| 4.7.9.C    | Job Aids. Aids for operating the PLC equipment shall be provided.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Comply. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) include necessary information for operation of the PRM system.                                                                   |
| 4.7.9.D    | Help Screens. Help screens for software used to support maintenance shall be provided.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | N/A. Toshiba may determine that supplying a software tool for validation of certain ROM content would be appropriate, in which case, Toshiba will supply a software tool for such validation to customers. Such a software tool would include any required help screens.                                                                                  |
| 4.8        | Requirements for Third Party/Sub-Vendor Items.<br>All items provided by sub-vendors or third parties<br>shall be subjected to all applicable requirements and<br>tests. Compatibility of operation with the PLC shall<br>be demonstrated through tests.                                                                                                                                                                                                                                                                                                                                            | Comply. All items provided by sub-vendors or third parties are subjected to all applicable Toshiba requirements and tests performed by Toshiba. Compatibility of operation with the FPGA-based unit is demonstrated through tests. Toshiba performed CG survey and CDR for Third Party/Sub-Vendor as documented in Section I-2.2.2 and Section I-A-3.2.2. |
| 4.9        | Other. (section heading)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | No requirement                                                                                                                                                                                                                                                                                                                                            |
| 4.9.1      | Data Handling and Communication Interface<br>Overview. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | No requirement                                                                                                                                                                                                                                                                                                                                            |
| 4.9.1.1    | Peripheral Communication Requirements. The PLC<br>executive and/or application software tools shall<br>provide features to prevent loss of serial<br>communication from degrading the application<br>program. Communication overhead time shall be<br>deterministic. Peripheral communications shall<br>support at least 1000 character communication<br>buffers. (Note: 1 character = 1 byte. A real<br>variable uses 8 bytes or eight characters). Serial<br>communications shall support checksum (or<br>equivalent) data quality checks. Requirements for<br>redundant communication hardware. | N/A. This requirement does not apply since the PRM and OPRM do not require or use a peripheral communication port.                                                                                                                                                                                                                                        |


| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.9.1.2    | PLC Peer-to-Peer Communication Requirements.<br>Peer-to-peer link shall meet requirements of Section<br>4.3.4.4, except item B. Communication time shall<br>be deterministic. Communication errors shall not<br>affect other portions of the application program or<br>inhibit the PLC scan cycle. Queues for<br>communicated data shall be supported and queue<br>status shall be available to the communication<br>program. Loss of communication shall be detected<br>and made available to the application program. Use<br>of the peer-to-peer communication link shall support<br>the response time requirement given in Section<br>4.2.1.A. | Comply. Communication on fiber optic communication links between units is documented in Section II-2.1.4.3.                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 4.9.2      | Overall System Security Requirements. Switching<br>the main processor from RUN mode to other modes<br>shall be by key lock switch.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Comply. Since no portion of the application program can be changed at the utility, the PRM application cannot be changed from the front panel. The configuration, including adjustable parameters, is protected by keylock switches. Toshiba implements an SDOE-compliant process for the design, development, manufacturing, review, and testing of these systems.                                                                                                                                                                                                                       |
|            | Features shall ensure that redundant components<br>operate in the same mode, and that program changes<br>are loaded into all redundant processors.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | N/A. The PRM or OPRM does not use redundant processors.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|            | Provisions shall prevent modification of the application program and operating system while the PLC is on-line. | N/A. The application logic of the PRM and OPRM is installed in the NRW-FPGAs, and cannot be modified in the field. |
| 4.9.3      | Heartbeat Requirements. The PLC shall provide<br>capability to activate a "heartbeat" external to the<br>PLC.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | N/A. Alternative implementation: The Toshiba PRM hardware does not include an available output point to operate an external "heartbeat" indicator. Rather, each module includes separate internal hardware to verify that each module completes its programmable logic program within the expected time frame. Each module receiving data from a separate FPGA module verifies that the module transmitting data sends the data in a timely manner. Thus, Toshiba provides an equivalent implementation of this requirement using internal hardware separate from the programmable logic. |
| 4.9.4      | Hazardous Materials Requirements. Material data sheets shall be provided for all hazardous materials associated with the PLC.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Comply. There are no hazardous materials to be included with the PRM or OPRM.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 4.10       | Shipping and Handling Requirements. Packaging<br>and shipping shall be in accordance with ANSI<br>N45.2.2.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Comply. Packaging and shipping will be in accordance with ANSI N45.2.2 Level A when shipped to the plant.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |


| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 4.10.1     | Packaging Requirements. Descriptive information. | No requirement |
| 4.10.1.A   | Items Shipped. Shall be packaged to avoid damage<br>or degradation due to various environmental and<br>handling factors which may be encountered during<br>shipping and storage.                 | Comply. Items will be packaged to avoid damage or degradation due to various environmental and handling factors which may be encountered during shipping and storage when shipped to the plant.                                             |
| 4.10.1.B   | Items Shipped. Packaging shall include desiccant materials as required.                                                                                                                          | Comply. Packaging will include desiccant materials as required by the customer.                                                                                                                                                             |
| 4.10.1.C   | Items Shipped. Items shall be inspected for<br>cleanliness prior to packaging. Items not<br>immediately packaged shall be protected from<br>contamination.                                       | Comply. Items will be inspected for cleanliness prior to packaging when shipped to the plant. Items not immediately packaged will be protected from contamination when shipped to the plant.                                                |
| 4.10.1.D   | Items Shipped. Cushioning shall be provided to protect against shock and vibration.                                                                                                              | Comply. Cushioning will be provided to protect against shock and vibration when shipped to the plant.                                                                                                                                       |
| 4.10.1.E   | Items Shipped. Items and containers shall be marked with appropriate identification.                                                                                                             | Comply. Items and containers will be marked with appropriate identification when shipped to the plant.                                                                                                                                      |
| 4.10.1.F   | Items Shipped. Copies of packing lists shall be included with each carton shipped.                                                                                                               | Comply. Copies of packing lists will be included with each carton shipped when shipped to the plant.                                                                                                                                        |
| 4.10.1.G   | Items Shipped. ESD sensitive items shall be appropriately packaged, handled and marked.                                                                                                          | Comply. ESD sensitive items will be appropriately packaged, handled, and marked when shipped to the plant.<br>This will include all modules having integrated circuits.                                                                     |
| 4.10.1.H   | Items Shipped. Packaging shall be suitable for movement using hand trucks.                                                                                                                       | Comply. Packaging will be suitable for movement using hand trucks when shipped to the plant.                                                                                                                                                |
| 4.10.1.I   | Items Shipped. Special handling or storage requirements shall be marked on the containers.                                                                                                       | Comply. Special handling or storage requirements will be marked on the containers when shipped to the plant.                                                                                                                                |
| 4.10.1.J   | Items Shipped. See Section 4.4.2 for requirements for software storage media. | N/A. The PRM or OPRM does not provide software media to utilities. The NRW-FPGA is not rewritable, so no media is necessary, as the program is permanently embedded in the FPGA antifuse memory. |
| 4.10.2     | Shipping Requirements. Requirements for mode of shipping, use of fully enclosed vehicles, special handling and stacking instructions as necessary, and container markings and protective covers. | Comply. Shipping requirements will be specified when shipped to the plant. Requirements will include use of fully enclosed vehicles, special handling and stacking instructions as necessary, and container markings and protective covers. |
| 4.10.3     | Storage Requirements. Storage and shelf life requirements shall be provided for all PLC items.                                                                                                   | Comply. Storage requirements will be provided for all items. Requirements for storage will include temperature, humidity, and any static control requirements.                                                                              |
| 5          | Acceptance/Operability Testing. Descriptive information.                                                                                                                                         | No requirement                                                                                                                                                                                                                              |


| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 5.1        | Acceptance/Operability Testing Overview. The development, design and performance of acceptance<br>testing shall use the documentation requirements of<br>Section 8.14. | (See Item 8.14 in this table.) |
| 5.2        | Pre-Qualification Acceptance Test Requirements.<br>Descriptive information.                                                                                                                           | No requirement                                                                                                                                                                                                                                                                                                                                                                                                      |
| 5.2.A      | Application Software Objects Testing. Testing of<br>the software objects in the PLC library shall be<br>performed. This testing shall be in addition to any<br>testing performed by the manufacturer. | Comply. All FPGA application programs are developed using Functional Elements (FEs) as documented in Part V (VVR of PRM) and Part VI (VVR of OPRM) of this LTR. FEs are similar to Application Software Objects (ASOs). FEs are written by Toshiba and are completely tested using pattern test methods. The pattern tests are considered to be comparable to application software objects acceptance (ASOA) tests. |
| 5.2.B      | Initial PLC Calibration. The generic qualification<br>sample PLC shall be calibrated to NIST traceable<br>sources. | Comply. The test specimens were tested using test equipment calibrated to sources traceable to the National Metrology Institute of Japan (NMIJ). NMIJ is a signatory to the Bureau International des Poids et Mesures (BIPM), as is the National Institute of Standards and Technology (NIST). The test facility's calibrations are thus traceable to NIST. |
| 5.2.C      | System Integration. System integration testing<br>portion of TSAP V&V shall be performed during<br>acceptance testing.                                                                                | Comply. The system integration testing portion of the V&V phase in the digital system life cycle is performed during system validation testing as documented in Part V (VVR of PRM) and Part VI (VVR of OPRM) of this LTR.                                                                                                                                                                                          |
| 5.2.D      | Operability Tests. The Operability Test shall be performed during acceptance testing.                                                                                                                 | Comply. The operability test is performed during pre-qualification testing, and during qualification testing as documented in Section III-2.1.1 and Section III-2.2 for the PRM qualification test, and in Section III-5.1.1 and Section III-5.2 for the OPRM qualification test.                                                                                                                                   |
| 5.2.E      | Prudency Tests. The Prudency Test shall be<br>performed during acceptance testing. | Comply. The prudency test is performed during pre-qualification testing, and during qualification testing as documented in Section III-2.1.1 and Section III-2.2 for the PRM qualification test, and in Section III-5.1.1 and Section III-5.2 for the OPRM qualification test. |
| 5.2.F      | Burn-In Test. A minimum 352 hour burn-in test shall be performed during acceptance testing. | Comply. Toshiba's 352 hour burn-in test was performed on the PRM units as documented in Section III-2.1.1. For the OPRM unit, the 352 hour burn-in occurred during the system validation test. |
| 5.3        | Operability Test Requirements. Descriptive information.                                                                                                                                               | No requirement                                                                                                                                                                                                                                                                                                                                                                                                      |
| 5.3.A      | Accuracy. Accuracy checks shall be performed on the analog input/output modules. | Comply. Accuracy checks were performed for safety-related functions for analog inputs and outputs in the operability test during the PRM qualification testing. Test results for the PRM qualification testing are documented in Section III-2.<br>For the OPRM, there are no analog inputs or outputs, and thus this does not apply, as documented in Section 5.1.5.3 of the EDS (Reference (c28)). |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                 | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 5.3.B      | Response Time. Response time of analog input to<br>discrete output and discrete input to discrete output<br>sequences shall be measured. For baseline<br>(acceptance) testing, the acceptance criteria are that<br>the measured response time shall not vary more than<br>20% from the value calculated from manufacturer's<br>data. For all subsequent testing, the measured value<br>shall not vary more than 10% from the baseline. | Comply. For the PRM, the response time between receiving an analog input and generating a discrete output for safety-related functions, and the response time between receiving a discrete input and generating a discrete output for safety-related functions, were tested in the System Validation Testing. The results of the response time test for the PRM are documented in Part VI of this LTR. For the OPRM, the response time test was conducted in the System Validation Testing. The results of the response time test for the OPRM are documented in Part VI of this LTR. |
| 5.3.C      | Discrete Input Operability. Discrete inputs shall be tested for capability to detect changes in the inputs. | Comply. For the PRM and OPRM, the discrete inputs were tested for their ability to detect changes for safety-related functions in the operability test during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5. |
| 5.3.D      | Discrete Output Operability. Discrete outputs shall be tested for ability to operate within rated voltages and currents. | Comply. For the PRM and OPRM, the discrete outputs for safety-related functions were tested for their ability to perform their safety-related functions in the operability test during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5. |
| 5.3.E      | Communication Operability. If any communication functions are included in the qualification envelope, then operability of the ports shall be tested. Tests<br>shall look for degradation in bit rates, signal levels<br>and pulse shapes of communication protocol. | Comply. For the PRM and OPRM, communication functions were included in the qualification envelope of the qualification testing. Faults and failures would be detected and alarmed.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5. |
| 5.3.F      | Coprocessor Operability. If any coprocessors are<br>included in the qualification envelope, then tests shall<br>be performed specifically on these coprocessors.                                                                                                                                                                                                                                                                       | N/A. The PRM or OPRM does not use coprocessors.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 5.3.G      | Timer Tests. Accuracy of timer functions shall be tested.                                                                                                                                                                                                                                                                                                                                                                              | N/A. The PRM or OPRM does not provide any separate timer functions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 5.3.H      | Test of Failure to Complete Scan Detection. The<br>function of the mechanism to detect failure to<br>complete a scan shall be tested. The power up<br>testing of this feature may be used to establish its<br>operability.                                                                                                                                                                                                             | Comply. The PRM or OPRM does not need separate scan failure detection. Each module includes separate hardware to verify that each module completes its programmed logic within the expected time frame. Each module receiving data from a separate FPGA module verifies that the module transmitting data sends the data in a timely manner. Thus, Toshiba provides an equivalent implementation of this requirement using internal hardware and programmed logic.                                                                                                                   |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                         | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                  |
|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 5.3.I      | Failover Operability Tests. If redundancy with automatic transfer to a redundant device is used, tests shall be performed to establish operability of the failover hardware. | Comply. For the PRM and OPRM, failover to the redundant AC power source test was performed during prudency testing during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-5. |
| 5.3.J      | Loss of Power Test. The AC and DC power sources shall be shut off for at least 30 seconds and reapplied.                                                                                                                                       | Comply. The AC power source shuts off for at least 30 seconds and is then reapplied. For the PRM and OPRM, the loss of power tests were performed during operability testing during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-5.                                                                        |
| 5.3.K      | Power Interrupt Test. The AC power sources shall<br>be interrupted for a 40 millisecond hold-up time.                                                                                                                                          | Comply. The AC power source is interrupted for 40ms. For the PRM and OPRM, the power interruption tests were performed during the operability testing during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-5.                                                                                               |
| 5.4        | Prudency Testing Requirements. The Prudency<br>tests shall be performed with the power supply<br>sources at the minimum values specified in Section<br>4.6.1.1.                                                                                | Comply. Failure of one of the redundant LVPS modules is simulated in the fault simulation test. The PRM and OPRM system successfully detected the failure and continued normal operation with power from the other LVPS module in the prudency test during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-2. |
| 5.4.A      | Burst of Events Test. Tests shall be performed to verify operation of the PLC under highly dynamic input/output variation conditions. | Comply. The Burst of Events Test was performed to verify operation with simultaneous toggling of discrete inputs and simultaneous driving of all inputs in the prudency test during qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-5. |
| 5.4.B      | Failure of Serial Port Receiver Test. The receiving<br>device connected to the main processor serial<br>communication port shall be simulated to fail in<br>various modes. PLC response time shall be verified<br>to not degrade unacceptably. | Comply. There is no Serial Port Receiver for the PRM. The Failure of Serial Port Receiver Test was performed for the OPRM optical serial transmission port during the OPRM prudency test. Test results for the OPRM qualification testing are documented in Section III-5.                                                                                                                                                                               |
| 5.4.C      | Serial Port Noise Test. The transmit line to the main processor serial communication shall be subject to white noise. PLC response time shall be verified to not degrade unacceptably. | Comply. The Toshiba NRW-FPGA-based PRM and OPRM use fiber optic links. The ability of the PRM or OPRM to withstand noise on the fiber optic links was evaluated during the EMC testing during qualification testing.<br>Test results for the PRM EMC test are documented in Section III-2.2.3 and test results for the OPRM EMC test are documented in Section III-5.2.3. |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                               |
|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 5.4.D      | Fault Simulation. For PLCs that include redundancy, failures in redundant elements shall be simulated. | Comply. For the PRM and OPRM, failure of one of the redundant LVPS modules was simulated in the prudency test during qualification testing. The PRM and OPRM system successfully detected the failure (using self-diagnosis) and transferred to the other LVPS module. The PRM and OPRM continued normal operation without suffering from any degraded operation.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5. |
| 5.5        | Operability/Prudency Testing Applicability Requirements. As a minimum, Operability and Prudency tests shall be performed:<ul><li>During acceptance testing: Operability – All, Prudency – All</li><li>During environ. testing: Operability – All, Prudency – All</li><li>During seismic testing: Operability – All, Prudency – All</li><li>After seismic testing: Operability – All, Prudency – None</li><li>During EMI/RFI testing: Operability – All except analog I/O checks, Prudency – Only burst of events test</li><li>After ESD testing: Operability – All, Prudency – None</li></ul> | Comply. For the PRM and OPRM, operability and prudency tests were performed at the Pre-qualification test, the Environmental test, Post SSE test, and Performance Proof test during qualification test.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification are documented in Section III-5.<br>Exception. Due to the short duration of seismic SSE tests, and special set-up required for the EMI/RFI tests, Operability and Prudency Tests cannot be performed during the seismic event or during EMI/RFI testing. Toshiba chose to monitor the equipment operation during the test and perform the operability and prudency tests before and after the tests to ensure that the PRM and OPRM remained operable during and after the seismic event and EMI/RFI testing. |
| 5.6        | Application Software Objects Acceptance (ASOA)<br>Testing. Requirements for ASOA testing.                                                                                                                                                                                                                                                                                                                                                                                                                   | (See Item 5.2.A in this table.)                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 6          | Qualification Testing and Analysis. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 6.1        | Qualification Process Overview. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                    | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 6.1.1      | PLC System Qualification Overview. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                 | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 6.2        | PLC System Test Configuration Requirements.<br>Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                     | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 6.2.1      | Test Specimen Hardware Configuration Requirements. Hardware configuration shall be developed and documented consistent with the requirements of Sections 6.5 and 8.6.2. | (See Item 6.5 and 8.6.2 in this table.) |
| 6.2.1.A    | Module Types. The test specimen shall include at least one type of module needed to encompass the requirements of Section 4.3. Multiple samples of configurable modules shall be included to cover the different configurations. For T/C modules, only one T/C type needs to be tested unless different types use different signal conditioning. | Comply. The test specimens for the qualification testing of the PRM and OPRM include all modules needed to encompass the system requirements. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM. |
| 6.2.1.B    | Module Types. The test specimen shall include<br>modules needed to support Operability testing.                                                                                                                                                                                                                                                                    | Comply. The PRM and OPRM test specimens for the qualification testing included all modules needed to support system testing. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM.                            |
| 6.2.1.C    | Ancillary Devices. The test specimen shall include at least one of each type of ancillary device needed to meet the TR requirements. | Comply. The test specimens for the qualification testing of the PRM and OPRM include all equipment needed to meet the system specific requirements. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM. |
| 6.2.1.D    | Chassis Types. The test specimen shall include at least one of each type of chassis needed to meet the TR requirements. Connections between chassis shall use maximum permissible cable lengths. | Comply. The test specimens for the qualification testing of the PRM and OPRM include all required unit chassis needed to meet the system requirements. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM. |
| 6.2.1.E    | Power Supplies. The test specimen shall include the power supplies needed to meet the TR requirements. Additional resistive loads shall be placed on each power supply output so that the power supply operates at rated conditions. | Comply. The test specimens for the qualification testing of the PRM and OPRM include the LVPS modules needed to meet the system requirements. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM. |
| 6.2.1.F    | Dummy Modules. Dummy modules shall be used<br>to fill all remaining slots in the main chassis and at<br>least one expansion chassis. The dummy modules<br>shall provide a power supply and weight load<br>approximately equal to an eight point discrete input<br>module.                                                                                          | Comply. The PRM and OPRM test specimens for the qualification testing included dummy modules to fill all remaining slots in each unit chassis. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM.          |
| 6.2.1.G    | Termination Devices. The test specimen shall<br>include at least one of each type of termination<br>device and associated cabling used to provide field<br>connections.                                                                                                                                                                                            | Comply. The PRM and OPRM test specimens for the qualification testing included all required connectors in the modules. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM.                                  |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                               | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                    |
|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 6.2.1.H    | Redundant Devices. The test specimen shall include any devices needed to implement any redundancy included in the qualification envelope. | Comply. The test specimens for the qualification testing for the PRM and OPRM include redundant LVPS modules, which are the only internal redundancy provided. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM. |
| 6.2.1.I    | Additional Modules. The test specimen shall include any additional modules needed to support Operability and Prudency testing and to support module arrangement variations. | Comply. The test specimens for the qualification testing for the PRM and OPRM include all required modules needed to support Operability and Prudency testing. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM. |
| 6.2.1.1    | Test Specimen Hardware Arrangement<br>Requirements.                                                                                                                                  | Comply. The hardware configuration of the Test Specimen is the qualified PRM or OPRM system. The Test Specimen for PRM qualification included one LPRM/APRM unit, one LPRM unit, and one FLOW unit. The Test Specimen for OPRM qualification includes one OPRM unit. Section II-A-3 provides the Unit/Module configuration qualified for the PRM and for the OPRM.                                                                                                         |
| 6.2.2      | Test Specimen Application Program (TSAP)<br>Configuration Requirements.                                                                                                              | Comply. The Toshiba NRW-FPGA-based PRM and OPRM systems were manufactured with the application specific logic required for each system. The Operability and Prudency testing were tailored to that application logic.                                                                                                                                                                                                                                                      |
| 6.2.2.1    | Coprocessor TSAP Requirements. If a coprocessor<br>uses a high-level language, then it shall have its own<br>TSAP which implements the given functions.                              | N/A. The Toshiba NRW-FPGA-based PRM or OPRM systems do not use coprocessors.                                                                                                                                                                                                                                                                                                                                                                                               |
| 6.2.3      | Test Support Equipment Requirements. Test<br>equipment to support Acceptance and Operability<br>testing shall be provided.                                                           | Comply. The test support equipment was documented for the PRM and OPRM qualification testing.<br>Test support equipment for PRM qualification is documented in the Preliminary Technical Evaluation Report<br>(PTER) (Reference (d38)), and test support equipment for OPRM qualification is documented in the Environmental<br>Qualification Report (Reference (c20)), EMC Qualification Report (Reference (c21)), and Dynamic Qualification<br>Report (Reference (c22)). |
| 6.2.3.A    | Test Support Equipment. Equipment shall include panels for connecting and simulating inputs and outputs. | Comply. Panels for connecting to the inputs and outputs and equipment for simulating inputs and monitoring outputs were provided for the PRM and OPRM qualification test.<br>Test support equipment for PRM qualification is documented in the Preliminary Technical Evaluation Report (PTER) (Reference (d38)), and test support equipment for the OPRM qualification is documented in the EQ Test Plan (Reference (c10)) and EMC Test Plan (Reference (c11)). |
| 6.2.3.B    | Test Support Equipment. Equipment shall include test and measurement equipment with required accuracy. | Comply. Test and measurement equipment with required accuracy was provided for the PRM and OPRM qualification tests.<br>Test support equipment for the PRM qualification tests is documented in the Preliminary Technical Evaluation Report (PTER) (Reference (d38)), and test support equipment for the OPRM qualification tests is documented in the EQ Test Plan (Reference (c10)) and EMC Test Plan (Reference (c11)). |
| 6.2.3.C    | Test Support Equipment. Equipment shall include special tools and devices needed to support testing.                                                                                                                    | Comply. Tools and devices needed to support testing were provided for the PRM and OPRM qualification test.<br>Test support equipment for the PRM qualification tests is documented in the Preliminary Technical Evaluation<br>Report (PTER) (Reference (d38)), and test support equipment for the OPRM qualification tests is documented in<br>the EQ Test Plan (Reference (c10)) and EMC Test Plan (Reference (c11)).                                                                             |
| 6.2.3.D    | Test Support Equipment. All test equipment shall be controlled per IEEE Std 498. | Comply. All test equipment used in the PRM and OPRM qualification testing was controlled per IEEE Std 498. |
| 6.3        | Qualification Tests and Analysis Requirements. All testing shall be performed on a calibrated system with all user setpoint values adjusted to default values.                                                          | Comply. All tests were performed on the calibrated PRM and OPRM systems with setpoint values adjusted to the values defined in the test procedures.                                                                                                                                                                                                                                                                                                                                                |
| 6.3.1      | Aging Requirements. Testing shall include<br>environmental, electrostatic discharge (ESD),<br>seismic, EMI/RFI and surge withstand testing.<br>Environmental testing shall be performed first. | Comply. For convenience in testing, environmental testing for the PRM and OPRM qualification tests was performed before the other tests. Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM are documented in Section III-5. |
| 6.3.2      | EMI/RFI Test Requirements. EMI/RFI testing to be<br>performed as described in Section 4.3.7.<br>Susceptibility tests to be performed at 25%, 50% and<br>75% of specified levels in addition to the specified<br>levels. | Exception. The EMI/RFI tests for the PRM and OPRM qualification tests were performed at the maximum levels<br>and the equipment passed, so no further threshold testing was required. Test results for the PRM qualification<br>testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in<br>Section III-5.                                                                                                                                    |
| 6.3.2.1    | EMI/RFI Mounting Requirements. Test specimen<br>shall be mounted on a non-metallic surface six feet<br>above floor with no secondary enclosure. | Exception. Due to space limitations in the test facility's EMI/RFI chamber, the PRM and OPRM test specimens were not mounted six feet above the floor. The test specimens were mounted on an open metal rack that provided no significant shielding within the restrictions of the test chamber.<br>Test specimen mounting for the EMI/RFI testing for the PRM qualification testing is documented in the Qualification Summary Test Report (Reference (d16)), and test mounting for the EMI/RFI testing for the OPRM qualification testing is documented in the EMC Qualification Report (Reference (c21)). |
|            | EMI/RFI Mounting Requirements. PLC shall be grounded per manufacturer's recommendations.                                                                                                                                | Comply. The PRM and OPRM test specimens were connected to ground. The grounding used for these tests meets the grounding and shielding requirements documented in the Application Guide.<br>Test specimen mounting for the EMI/RFI testing in the PRM qualification testing is documented in the Qualification Summary Test Report (Reference (d16)), and the mounting for the EMI/RFI testing for the OPRM qualification testing is documented in the EMC Qualification Report (Reference (c21)). |
| 6.3.3      | Environmental Testing Requirements. Testing shall<br>be performed using the temperature and relative<br>humidity profile given in TR Figure 4-4. Margin<br>shall be applied to maximum and minimum specified<br>temperatures and humidities. Power sources shall<br>be set to maximize heat dissipation. PLC shall be<br>energized with TSAP operating. One-half of all<br>discrete and relay outputs shall be on and energized<br>to rated current. All analog outputs shall be set to<br>one-half to two-thirds full scale output. | Comply. Environmental testing was performed to the environmental withstand requirements documented in EPRI TR-107330 to assure that the PRM and OPRM systems do not fail due to temperature and humidity stressors. Environmental tests were performed with power supply conditions that resulted in maximum heat dissipation into the PRM and OPRM systems. Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5. |
| 6.3.3.1    | Environmental Test Mounting Requirements. PLC<br>shall be mounted on a simple structure. Air<br>temperature at bottom of chassis shall be monitored.<br>No additional cooling fans shall be included.                                                                                                                                                                                                                                                                                                                                | Comply. The PRM and OPRM test specimens were mounted in the environmental chamber on a simple structured rack that does not enclose the chassis. Air temperature was monitored at the bottom of the chassis. No additional cooling fan was included in the chamber.<br>Test specimen mounting for the environment testing in the PRM qualification testing is documented in the Qualification Summary Test Report (Reference (d16)), and test specimen mounting for the OPRM qualification testing is documented in the Environmental Qualification Report (Reference (c20)).                              |
| 6.3.4      | Seismic Test Requirements. PLC shall be vibration<br>aged using five OBEs with the RRS as shown in TR<br>Figure 4-5 followed by an SSE with the RRS shown<br>in TR Figure 4-5. Testing shall conform to IEEE<br>Std 344. Tri-axial, random, multi-frequency tests<br>shall be used. Repairs during testing shall conform<br>to IEEE Std 344. | Comply. Seismic testing uses five OBEs with the Required Response Spectrum (RRS) as shown in EPRI TR-107330 followed by an SSE in both the PRM and OPRM qualification testing.<br>Test results of the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification are documented in Section III-5. |
| 6.3.4.1    | Seismic Test Mounting Requirements. Test<br>specimen shall be mounted per manufacturer's<br>recommendations. Mounting structure shall have<br>no resonances below 100 Hz. Most susceptible<br>mounting configuration shall be tested. All<br>mounting screws shall be torqued to known values.                                                                                                                                                                                                                                       | Comply. The PRM and OPRM test specimens were mounted on a structure that is stiff enough so that there are no resonances below 100Hz with the test specimen mounted on the test structure and the shake table. A resonance search was performed to verify this requirement for both PRM and OPRM.<br>Test specimen mounting for the seismic test for the PRM qualification testing is documented in the Qualification Summary Test Report (Reference (d16)), and the mounting for the seismic test for the OPRM qualification testing is documented in the Dynamic Qualification Report (Reference (c22)). |
| 6.3.4.2    | Seismic Test Measurement Requirements. Relay<br>contacts shall be monitored for chatter. One half of<br>the relays shall be energized and one half<br>de-energized. One quarter of the relays shall<br>transition from ON to OFF and one quarter from OFF<br>to ON during the tests. The PLC shall be powered<br>with the TSAP operating. One half of the digital<br>outputs shall be ON and loaded to their rated current.<br>Power sources shall be at lower voltage and<br>frequency limits. One or more response<br>accelerometers shall be mounted on each chassis. | N/A. Relay contacts were not included in the PRM and OPRM qualification tests. |
| 6.3.4.3    | Seismic Test Performance Requirements. Seismic<br>test shall include a resonance search, five OBE's, one<br>SSE and an Operability test. | Comply. The following tests were performed in the order shown for both the PRM and the OPRM qualification:<br>(1) Resonance Search<br>(2) Five tri-axial OBEs<br>(3) One tri-axial SSE<br>(4) Operability Test<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-2 and test results for the OPRM |
| 6.3.4.4    | Seismic Test Spectrum Analysis Requirements.<br>The test response spectrum from the control and<br>specimen response accelerometers shall be reported<br>at 1/2, 1, 2, 3 and 5% damping. | Comply. The test response spectrum from the control and specimen response accelerometers provided 5% damping for both the PRM and the OPRM qualification testing. Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification are documented in Section III-5. |
| 6.3.5      | Surge Withstand Capability Testing. Surge testing shall be conducted per Section 4.6.2 and IEEE Std C62.45.                                                                                                                                                                                                                                                                                                                                                                                                                                                             | N/A. See Item 4.6.2 in this table for a description of the testing performed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 6.3.5.1    | Surge Withstand Test Mounting Requirements.<br>Test specimen shall be mounted on a non-metallic<br>surface six feet above floor with no secondary<br>enclosure. PLC shall be grounded per<br>manufacturer's recommendations. | Exception. Due to space limitations in the test facility's EMI/RFI chamber, the PRM and OPRM test specimens were not mounted six feet above the floor while performing this test. The test specimens were mounted on an open metal rack that provided no significant shielding. The test specimens were grounded to meet Toshiba's requirements.<br>Test specimen mounting for the Surge Withstand testing for the PRM qualification testing is documented in the Qualification Summary Test Report (Reference (d16)), and the mounting for the OPRM qualification testing is documented in the EMC Qualification Report (Reference (c21)). |
| 6.3.6      | Class 1E to Non-Class 1E Isolation Testing. Test<br>specimen shall be mounted on a non-metallic surface<br>six feet above floor with no secondary enclosure.<br>PLC shall be grounded per manufacturer's recommendations. | Exception. Due to space limitations in the test facility's EMI/RFI chamber, the PRM test specimen was not mounted exactly six feet above the floor while performing this test. The PRM test specimen was mounted on an open metal rack that provided no significant shielding. The PRM test specimen was grounded based on Toshiba's requirements. For OPRM, Class 1E to Non-Class 1E isolation testing was not performed.<br>Test specimen mounting for the Class 1E to Non-Class 1E testing in the PRM qualification testing is documented in the Qualification Summary Test Report (Reference (d16)). |
| 6.4        | Other Tests and Analysis. (section heading)                                                                                                                                                                     | No requirement                                                                                                                                                                                                                                                                                                                                                                                                             |
| 6.4.1      | FMEA. An FMEA analysis of the PLC shall be performed. | Comply. Separate Failure Modes and Effects Analyses (FMEAs) were performed for the PRM and OPRM in accordance with IEEE Std 352-1987. For each component in each module, the analysis evaluates the component failure modes and effects on the PRM and OPRM units' performance.<br>The FMEA for PRM is discussed in Section III-3.2.2 and the FMEA for the OPRM is discussed in Section III-6.2.2. |
| 6.4.2      | Electrostatic Discharge (ESD) Testing Requirements.<br>ESD testing of the PLC shall be performed per EPRI<br>TR-102323. | Comply. ESD tests were performed to assure that the PRM and OPRM test specimens do not fail due to service conditions for an ESD event level at a severity of Level 4, as specified in IEC 61000-4-2 (EPRI TR-107330 Section 4.3.8 and EPRI TR-102323, Appendix B, Section 3.5).<br>Test results for the PRM are documented in Section III-2, and test results for the OPRM are documented in Section III-5. |
| 6.4.3      | Power Quality Tolerance Requirements. Power quality tolerance testing shall be performed during acceptance testing, at the end of the elevated temperature test while still at high temperature and following seismic tests. The same AC source shall be connected to redundant power supplies during testing. | Comply. Power Quality Tolerance tests to the input voltage range were performed in operability tests during qualification testing for both the PRM and OPRM.<br>The redundant power supply modules were tested with the same AC power supply connected to both modules during the test.<br>Test results for the PRM are documented in Section III-2, and test results for the OPRM are documented in Section III-5. |
| 6.4.4      | Requirements for Compliance to Specifications.<br>Test instrumentation measurement accuracy shall be<br>considered. Compliance to specifications shall be<br>considered for each module or grouping of modules. | Comply. The Master Test Plan (Reference (d19)) defines the acceptance criteria for the PRM qualification testing, conforming to the requirements in Section 6.4.4 of EPRI TR-107330. The EQ Test Plan (Reference (c10)) and the EMC Qualification Test Plan (Reference (c11)) define the acceptance criteria for the OPRM qualification testing.                                                                           |
| 6.4.4.A    | Environmental Test Compliance. Environmental Operability test results shall be evaluated for compliance to specifications. | Comply. Environmental Operability test results were evaluated for compliance to the specification for both PRM and OPRM qualification testing.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM are documented in Section III-5. |
| 6.4.4.B    | Seismic Test Compliance. The seismic levels<br>achieved during testing shall be used as the seismic<br>withstand response spectrum.                    | Comply. The seismic levels achieved during testing were used as the seismic withstand response spectrum in qualification testing for both the PRM and the OPRM.<br>The seismic level achieved during PRM seismic testing is documented in Section II-A-4.5.1, and the seismic level achieved during OPRM seismic testing is documented in Section II-A-4.5.2. |
| 6.4.4.C    | Class 1E to Non-Class 1E Test Compliance. Test<br>levels shall be checked for compliance to Section<br>4.6.4 specifications.                           | Comply. Test levels were checked for compliance to the specifications in the PRM qualification testing. The result of the PRM qualification testing is documented in Section III-2.<br>For OPRM, Class 1E to Non-Class 1E isolation testing was not performed.                                                                                                |
| 6.4.4.D    | Surge Withstand Test Compliance. Test levels shall<br>be checked for compliance to Section 4.6.2<br>specifications.                                    | Comply. Test levels were checked for compliance to the specifications in qualification testing for both the PRM and the OPRM.<br>Test results for the PRM qualification testing are documented in Section III-2 and test results for the OPRM qualification testing are documented in Section III-5.                                                          |
| 6.4.4.E    | EMI/RFI Test Compliance. PLC performance shall<br>be checked for compliance to Section 4.3.7<br>specifications.                                        | Comply. The performance of the PRM units was checked for compliance to the specifications in qualification testing for both the PRM and the OPRM.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5.                                     |
| 6.4.4.F    | Power Quality Test Compliance. Results shall be<br>evaluated for compliance to Sections 4.6.1 and<br>4.2.3.7 specifications.                           | Comply. Power quality tests were performed during operability testing during qualification testing for both the PRM and OPRM.<br>Test results for the PRM qualification testing are documented in Section III-2, and test results for the OPRM qualification testing are documented in Section III-5.                                                         |
| 6.4.4.G    | ASOA Test Compliance. Results shall be evaluated for compliance to Section 5.6 requirements.                                                           | (See Item 5.2.A in this table.)                                                                                                                                                                                                                                                                                                                               |
| 6.4.4.H    | Quality Assurance Program Compliance. Results of audits of manufacturer's QA Program shall be checked for compliance to Section 7 requirements.        | Comply. Quality Assurance Program Compliance. Results of annual internal audits of QA Programs were checked. Toshiba concluded that the QA program was effectively implemented.                                                                                                                                                                               |
| 6.4.5      | Human Factors. Descriptive Information.                                                                                                                | No requirement                                                                                                                                                                                                                                                                                                                                                |
| 6.5        | Quality Assurance Measures Applied to Qualification<br>Testing. (Section Heading)                                                                      | No requirement                                                                                                                                                                                                                                                                                                                                                |
| 6.5.A      | Quality Assurance Measures Applied to Qualification<br>Testing. Test program TSAP development shall<br>meet the requirements of 10 CFR 50, Appendix B. | Comply. The FPGA logic lifecycle meets the requirements of 10 CFR 50, Appendix B, as documented in various USNRC Regulatory Guides and in the Standard Review Plan, Chapter 7, BTP 7-14. Section I-2.1 describes the QA programs in the current process, and Section I-A-3 describes the QA process in the original process.                                  |
| 6.5.B      | Quality Assurance Measures Applied to Qualification<br>Testing. Hardware procurement shall meet the<br>requirements of 10 CFR 50, Appendix B.           | Comply. The hardware used for the qualification tests meets the requirements of 10 CFR 50, Appendix B.<br>The procurement process in the current process is documented in Section I-2.2.3, and the procurement process in the original process is documented in Section I-A-3.2.3.                   |
| 6.5.C      | Quality Assurance Measures Applied to Qualification<br>Testing. Test specimen chain of custody shall meet<br>the requirements of 10 CFR 50, Appendix B. | Comply. The PRM and OPRM test specimens were controlled in accordance with the Toshiba QA program, which complies with 10 CFR 50 Appendix B Program.<br>Section I-2 describes the QA program used in the current process, and Section I-A-3.1 describes the QA program used in the original process. |
| 6.5.D      | Quality Assurance Measures Applied to Qualification<br>Testing. Tests and data analysis shall meet the<br>requirements of 10 CFR 50, Appendix B.        | Comply. Tests and data analysis were conducted in accordance with the Toshiba QA program, which complies with 10 CFR 50 Appendix B Program.<br>Section I-2 describes the QA program used in the current process, and Section I-A-3.1 describes the QA program used in the original process.          |
| 7          | Quality Assurance. Descriptive information.                                                                                                             | No requirement                                                                                                                                                                                                                                                                                       |
| 7.1        | QA Overview. Descriptive information.                                                                                                                   | No requirement                                                                                                                                                                                                                                                                                       |
| 7.2        | 10 CFR 50 Appendix B Requirements for<br>Safety-Related Systems. Descriptive information.                                                               | No requirement                                                                                                                                                                                                                                                                                       |
| 7.2.A      | 10 CFR 50 Applicability. Regulations apply to all qualification activities. | Comply. The PRM and OPRM system qualification activities were performed in accordance with the requirements of the US Nuclear Regulations (including 10 CFR 50, Appendix B) and the Toshiba Corporation, Power Systems Company, Nuclear Energy (PSNE) QA Program.<br>Section I-2 describes the QA program used in the current process, and Section I-A-3.1 describes the QA program used in the original process. |
| 7.2.B      | 10 CFR 50 Applicability. Regulations apply to application specific activities. | Comply. The PRM and OPRM system specific activities were performed in accordance with the requirements of the US Nuclear Regulations (including 10 CFR 50, Appendix B) and the Toshiba Corporation, Power Systems Company, Nuclear Energy (PSNE) QA Program.<br>Section I-2 describes the QA program used in the current process, and Section I-A-3.1 describes the QA program used in the original process. |
| 7.2.C      | 10 CFR 50 Applicability. Regulations apply to PLC dedication activities. | Comply. The commercial grade dedication activities for the PRM and OPRM were performed in accordance with the requirements of the US Nuclear Regulations (including 10 CFR 50, Appendix B) and the Toshiba Corporation, Power Systems Company, Nuclear Energy (PSNE) QA Program.<br>Section I-2.2 describes the commercial grade dedication (CGD) process and activities performed under the current process, and Section I-A-3.2 describes the commercial grade dedication process and activities performed under the original process. |
| 7.2.D      | 10 CFR 50 Compliance. Quality processes other<br>than 10 CFR 50 shall be shown to be commensurate<br>with 10 CFR 50.                                                                                                                                                                                                                                                                                                                                                                                         | N/A. Toshiba has integrated 10 CFR 50, Appendix B into Toshiba's nuclear quality assurance program. All software and hardware lifecycle activities were performed in accordance with Toshiba's nuclear quality assurance program.                                                                                                              |
| 7.2.E      | 10 CFR 50 Compliance. Qualifier shall perform<br>audits to confirm that manufacturer's quality process<br>has been applied to the PLC product.                                                                                                                                                                                                                                                                                                                                                               | Comply. Audits were conducted to confirm that various quality programs in different Toshiba divisions were applied to the PRM and OPRM qualification activities.                                                                                                                                                                               |
| 7.2.F      | 10 CFR 50 Compliance. Audits performed against<br>manufacturer programs other than 10 CFR 50 shall<br>demonstrate that the program process is<br>commensurate with 10 CFR 50.                                                                                                                                                                                                                                                                                                                                | N/A. Toshiba has integrated 10 CFR 50, Appendix B into their nuclear quality assurance program. The activities performed under ISO 9001 quality programs used work products that were successfully dedicated under Toshiba's commercial grade dedication program.                                                                              |
| 7.2.G      | V&V Program Evaluation. Qualifier shall evaluate<br>the manufacturer's V&V program to the criteria in<br>Section 7.4.                                                                                                                                                                                                                                                                                                                                                                                        | Comply. The V&V efforts for the PRM and OPRM were conducted under Toshiba's nuclear QA program, which complies with 10 CFR 50 Appendix B Program.<br>Sections I-3.10 and I-3.11 describe software V&V as applied under the current process, and Section I-A-4.8 describes software V&V as applied under the original process.                  |
| 7.2.H      | Qualification Test Witnessing. The qualifier shall have the right to witness qualification tests. | N/A. The PRM and OPRM qualification tests were conducted under Toshiba's nuclear QA program, which complies with 10 CFR 50 Appendix B Program.<br>Section I-2 describes the QA program as applied under the current process, and Section I-A-3.1 describes the QA program as applied under the original process. |
| 7.3        | 10 CFR 21 Compliance Requirements. Section lists<br>10 CFR 21 compliance requirements of a utility<br>which applies the PLC in a safety-related application.<br>PLC manufacturer shall support problem reporting<br>and tracking.                                                                                                                                                                                                                                                                            | Comply. Toshiba will support problem reporting and tracking. As documented in Section I-3.3.7, Toshiba will address any problem that occurs in the Operation and Maintenance phases of the system lifecycle.                                                                                                                                   |
| 7.4        | Verification and Validation Requirements.<br>Qualifier shall evaluate the manufacturer's V&V<br>process for software, firmware and software tools<br>against IEEE Std 7-4.3.2 and IEEE Std 1012. The<br>qualifier shall confirm the following basic<br>requirements are met: a) there is a V&V Plan for the<br>PLC product, b) software development shall be done<br>in accordance with a life cycle approach (see IEEE<br>Std 1074-1995), and c) the software requirements<br>document shall be reviewable. | Comply. The V&V efforts for the PRM and OPRM were conducted under Toshiba's nuclear QA program, which complies with 10 CFR 50 Appendix B Program.<br>Sections I-3.10 and I-3.11 describe software V&V as applied under the current process, and Section I-A-4.8 describes software V&V as applied under the original process. |
| 7.5        | Manufacturer Qualification Maintenance Throughout<br>Product Life Cycle. (section heading) | Comply. Toshiba understands the regulatory requirements for maintenance of qualification through the equipment's installed life. Toshiba understands that changes to plans, programs, procedures, and instructions as well as changes in hardware are to be communicated to the USNRC. Toshiba understands that changes to hardware result in requirements to verify that the qualification still applies. Toshiba understands that changes to the programmable logic also require communication to the USNRC. |
| 7.5.1      | Overview of Manufacturer Qualification<br>Maintenance Throughout Product Life Cycle.<br>Descriptive information.                                                                                                                                                                                                                                                                                                                                         | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 7.5.2      | Requirements for Manufacturer Qualification<br>Maintenance Throughout Product Life Cycle. The<br>qualifier shall obtain documentation confirming that<br>the PLC manufacturer will ensure upward<br>compatibility, maintain rigor of processes, commit to<br>at least five year support for the qualified PLC<br>configuration, and commit to six months notice<br>before withdrawing product support.                                                   | N/A. Toshiba will ensure upward compatibility, maintain processes of, commit to at least [ ] <sup>a,c</sup> support for the qualified configuration, and commit to six months notice before withdrawing product support.                                                                                                                                                                                                                                                                                                               |
| 7.5.3      | Life Cycle Support for Tools Requirement. PLC<br>manufacturer shall ensure continued access to the<br>same versions of application software development<br>tools, or capability to reconstruct functionality<br>using revised tools. | Comply. Toshiba will maintain the same versions of software tools, or the capability to reconstruct the same functionality with the newer versions of software tools, under the configuration management documented in Section I-3.12.2.1. |
| 7.6        | Compensatory Quality Activities for Legacy<br>Software. (section heading)                                                                                                                                                                                                                                                                                                                                                                                | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 7.6.1      | Overview of Compensatory Quality Activities for<br>Legacy Software. Descriptive information.                                                                                                                                                                                                                                                                                                                                                             | Comply. Toshiba treats FEs as legacy software. Control of FEs is documented in Section I-2.2.                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 7.6.2      | Requirements for Compensatory Quality Activities<br>for Legacy Software. The qualifier may<br>compensate for shortcomings in legacy software by<br>evaluating documented operating experience in<br>applications similar to nuclear safety related<br>applications, and by performing tests of legacy<br>software to confirm conformance to requirements.<br>The manufacturer shall place legacy software under<br>configuration control once baselined. | Comply. Toshiba treats FEs as legacy software. Control of FEs is documented in Section I-2.2. |
| 7.7        | Configuration Management. (section heading)                                                                                                                                                                                                                                                                                                                                                                                                              | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                      | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                   |
|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 7.7.1      | Configuration Management Overview. Descriptive information.                                                                                                                                                                                 | No requirement                                                                                                                                                                                                                                                                            |
| 7.7.2      | Hardware Configuration Management Requirements.<br>The scope shall include revisions to module design,<br>module component configuration, compatibility of<br>revised modules with existing hardware, and<br>manufacturer documentation.    | Comply. Configuration Management includes the module type number which identifies the FPGA version, module design, and module component configuration. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process.  |
| 7.7.2.A    | Hardware Configuration Management Review.<br>Utility (and Qualifier) shall evaluate the<br>manufacturer configuration management process for<br>design revisions to NQA-1.                                                                  | Comply. Toshiba, as the Qualifier, reviews the configuration management. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process.                                                                                |
| 7.7.2.B    | Hardware Configuration Management Review.<br>Utility (and Qualifier) shall evaluate the<br>manufacturer configuration management process for<br>methods of identification of each constituent<br>component within the PLC modules to NQA-1. | Comply. Toshiba, as the Qualifier, reviews the configuration management. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process.                                                                                |
| 7.7.2.C    | Hardware Configuration Management Review.<br>Utility (and Qualifier) shall evaluate the<br>manufacturer configuration management process for<br>methods of document control to NQA-1.                                                       | Comply. Toshiba, as the Qualifier, reviews the configuration management. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process.                                                                                |
| 7.7.3      | Software Configuration Management Requirements.<br>The scope of software configuration management<br>includes creation and revision of firmware, runtime<br>software libraries, software engineering tools, and<br>documentation.           | Comply. Configuration Management includes each module type number which identifies the FPGA version, module design, and module component configuration. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process. |
| 7.7.3.A    | Software Configuration Management Review.<br>Utility (and Qualifier) shall evaluate the<br>manufacturer software configuration management<br>process for definition of organization and<br>responsibilities to Reg. Guide 1.169, Section C. | Comply. Toshiba, as the Qualifier, reviews the configuration management. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process. |

#### Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application PART IV Compliance to the Codes and Standards

| Section No | Summary of EPRI TR-107330 Requirements | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------|----------------------------------------------------------|
| 7.7.3.B    | Software Configuration Management Review.<br>Utility (and Qualifier) shall evaluate the<br>manufacturer software configuration management<br>process for methods of configuration identification,<br>control, status and audits to Reg. Guide 1.169,<br>Section C. | Comply. Toshiba, as the Qualifier, reviews the configuration management. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process. |
| 7.7.3.C    | Software Configuration Management Review.<br>Utility (and Qualifier) shall evaluate the<br>manufacturer configuration management process to<br>ensure sub-tier suppliers maintain comparable levels<br>of configuration management per Reg. Guide 1.169,<br>Section C.                                                                                                                                                                                                                                                                        | Comply. Toshiba, as the Qualifier, reviews the configuration management. Configuration management is documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process.                                                             |
| 7.8        | Problem Reporting/Tracking Requirements. PLC<br>manufacturer shall maintain a problem reporting and<br>tracking system that includes classification of<br>problems, description of problems, identification of<br>affected hardware, type of application, description of<br>configuration, name of reporting site and means to<br>contact site, type of site, and cumulative operating<br>time of PLC when problem occurred. Manufacturer<br>shall provide a mechanism for making this<br>information available to all nuclear utility users. | Comply. As documented in Section I-3.3.7, Toshiba will address any problems that occur in the Operation and Maintenance plant lifecycle phases. |
| 8          | Documentation. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | No requirement                                                                                                                                                                                                                                                         |
| 8.1        | Equipment General Overview Document<br>Requirements. Descriptive information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | No requirement                                                                                                                                                                                                                                                         |
| 8.1.A      | Manufacturer Documentation. Documentation shall include a description of the PLC.                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Comply. Description of each unit, chassis, module, and FPGA is documented in design documents as documented in Section I-3.3.2 and I-3.3.3 for the current process and I-A-4.2 for the original process.                                                               |
| 8.1.B      | Manufacturer Documentation. Documentation shall include a description of the chassis interconnections.                                                                                                                                                                                                                                                                                                                                                                                                                                        | N/A. PRM and OPRM system unit interconnections are documented in Section II-A-7 (Application Guide).                                                                                                                                                                   |
| 8.1.C      | Manufacturer Documentation. Documentation shall include a module overview and selection guide.                                                                                                                                                                                                                                                                                                                                                                                                                                                | Comply. Appendix II-B, Module Summary Description, of this LTR provides a complete module overview for PRM and OPRM. For the PRM and OPRM, Toshiba selects the appropriate modules and generates the plant specific configuration and programmable logic applications. |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                       | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                     |
|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8.1.D      | Manufacturer Documentation. Documentation shall include a description of the overall I/O capacity and processing speeds.                                                                                                     | Comply. Description of the overall I/O capacity and processing speed is documented in the design specifications.                                                                                                                                                                                                                                                                                                            |
| 8.1.E      | Manufacturer Documentation. Documentation shall include installation information.                                                                                                                                            | Comply. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) document the installation information.                                                                                                                                                             |
| 8.1.F      | Manufacturer Documentation. Documentation shall include handling and storage requirements.                                                                                                                                   | Comply. The Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) include handling and storage requirements.                                                                                                                                                         |
| 8.1.G      | Manufacturer Documentation. Documentation shall include a description of the self-diagnostics and redundancy features.                                                                                                       | Comply. Self-diagnostics are documented in the LPRM Unit EDS (Reference (d42)), the LPRM/APRM Unit EDS (Reference (d43)), the FLOW monitoring Unit EDS (Reference (d44)), and the OPRM Unit Detailed Design Specification (Reference (c29)).                                                                                                                                                                                |
| 8.2        | Equipment General Specifications Requirements.<br>Manufacturer documentation shall provide general<br>specifications for the PLC. | Comply. The FPGA Design Specification provides general specifications for the FPGA as documented in Section I-3.3.1 for the current process and Section I-A-4.2 for the original process. Design specifications and the system descriptions provide specific requirements for the PRM and OPRM. Based on the non-generic, specific applications for this equipment, there is no need for general, generic specifications. |
| 8.3        | Operator's Manual Requirements. Manufacturer documentation shall include information on operation of the PLC.                                                                                                                | Comply. Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) provide guidance for Operation and Maintenance of the equipment.                                                                                                                                       |
| 8.4        | Programmer's Manual Requirements. Manufacturer shall provide detailed information on the use of the functions available in the PLC processors.                                                                               | N/A. Based on the NRW-FPGA technology, utilities cannot change the programmable logic in the FPGAs.<br>Therefore, Toshiba does not provide the utility with a Programmer's Manual for the NRW-FPGA-based PRM or<br>OPRM system.                                                                                                                                                                                             |
| 8.5        | Equipment Maintenance Manual Requirements.<br>Manufacturer documentation shall contain<br>information for calibration, trouble shooting,<br>maintenance, required special tools or software, and<br>communication protocols. | Comply. Instructions for the LPRM Unit (Reference (d45)), Instructions for the LPRM/APRM Unit (Reference (d46)), Instructions for the FLOW Unit (Reference (d47)), and the OPRM Unit User's Manual (Reference (c27)) provide guidance for troubleshooting, calibration, surveillance, and other utility functions during the Operation and Maintenance plant system lifecycle.                                              |
|            | Manufacturer documentation shall include results of component aging analysis.                                                                                                                                                | N/A. Aging analysis is not necessary where equipment is qualified for use only in mild environments. Toshiba also notes there are no significant aging mechanisms in this FPGA-based equipment.                                                                                                                                                                                                                             |
| 8.6        | Qualification Documentation Requirements.<br>(Section Heading)                                                                                                                                                               | No requirement                                                                                                                                                                                                                                                                                                                                                                                                              |
| 8.6.1      | Programmatic Documentation Requirements.<br>Descriptive information.                                                                                                                                                         | No requirement                                                                                                                                                                                                                                                                                                                                                                                                              |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                            | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                      |
|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8.6.1.A    | Programmatic Documentation. A test plan shall be<br>prepared which includes test plans for environmental,<br>seismic, surge, Class 1E to Non-1E, EMI/RFI,<br>availability/reliability, FMEA and ASOA<br>qualification activities. | Comply. The Master Test Plan (Reference (d19)) for the PRM qualification testing as well as the EQ Test Plan (Reference (c10)) and EMC Qualification Test plan (Reference (c11)) for the OPRM qualification testing were prepared. These include test plans for radiation exposure, environmental (temperature and humidity), seismic, EMI/RFI, surge, EFT/B, ESD, and Class 1E to Non-Class 1E testing.                                     |
| 8.6.1.B    | Programmatic Documentation. Test specifications<br>shall be prepared which include equipment<br>identifications, interfaces and service conditions.                                                                               | Comply. The Master Test Plan (Reference (d19)) for the PRM qualification testing as well as the EQ Test Plan (Reference (c10)) and EMC Qualification Test plan (Reference (c11)) for the OPRM qualification testing were prepared. These include documentation of the required equipment identification, interfaces, and conditions.                                                                                                         |
| 8.6.1.C    | Programmatic Documentation. Procedures shall be prepared for qualification testing. | Comply. Test procedures for the PRM qualification testing (Reference (d20) - (d29)) and the test procedures for OPRM qualification testing (Reference (c12) - (c19)) were prepared to direct the performance, evaluation, and data recording for each qualification test. |
| 8.6.1.D    | Programmatic Documentation. Test reports shall be prepared for each qualification test performed.                                                                                                                                 | Comply. The Qualification Test Summary Report (Reference (d16)) was prepared for PRM qualification testing.<br>The EQ Report (Reference (c20)), EMC Qualification Report (Reference (c21)), and Dynamic Qualification Report<br>(Reference (c22)) were prepared for the OPRM qualification testing.                                                                                                                                          |
| 8.6.1.E    | Programmatic Documentation. Reports on audits performed on the manufacturer shall be prepared.                                                                                                                                    | Comply. Toshiba prepares and retains audit reports for each audit (Reference (d3) - (d6)).                                                                                                                                                                                                                                                                                                                                                   |
| 8.6.1.F    | Programmatic Documentation. Reports on design evaluations shall be prepared.                                                                                                                                                      | Comply. The Final Technical Evaluation Report (Reference (d39)) was prepared for design evaluation of the PRM. The Final Technical Evaluation Report (Reference (c26)) was prepared for design evaluation of the OPRM.                                                                                                                                                                                                                       |
| 8.6.2      | Technical Items and Acceptance Criteria<br>Documentation Requirements. Descriptive<br>information.                                                                                                                                | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 8.6.2.A    | Technical Items Documentation. Documentation shall include test specimen requirements.                                                                                                                                            | Comply. The Preliminary Technical Evaluation Report (PTER) (Reference (d38)) includes test specimen requirements for the PRM qualification testing. The EQ Test Plan (Reference (c10)) and EMC Qualification Test plan (Reference (c11)) include test specimen requirements for the OPRM qualification testing.                                                                                                                              |
| 8.6.2.B    | Technical Items Documentation. Documentation shall include test specimen purchasing records.                                                                                                                                      | Comply. The Job Order includes purchasing activities for the test specimen as documented in Section I-3.3.1.5 for current process and in Section I-A-4.2.1 for the original process.                                                                                                                                                                                                                                                         |
| 8.6.2.C    | Technical Items Documentation. Documentation shall include TSAP development documentation.                                                                                                                                        | Comply. In the PRM and OPRM system qualification project, the equipment being qualified had the actual PRM and OPRM system logic embedded in the FPGAs. This approach meets the intent of this requirement (TSAP development documentation), which is used to test the range of possible PLC program features that may be employed when the PLC is programmed for a specific application to ensure that the system-level test is meaningful. |
| 8.6.2.D    | Technical Items Documentation. See Sections 8.8, 8.9, 8.10, 8.12 and 8.13.                                                                                                                                                        | (See Items 8.8, 8.9, 8.10, 8.12 and 8.13 in this table.)                                                                                                                                                                                                                                                                                                                                                                                     |
| 8.6.2.E    | Technical Items Documentation. See Section 8.14.                                                                                                                                                                                  | (See Items 8.14 in this table.)                                                                                                                                                                                                                                                                                                                                                                                                              |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                      | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                            |
|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8.6.3      | Application Guide Documentation Requirements.<br>A qualification summary document shall be provided.                                                        | Comply. Test summaries for the PRM and OPRM qualification testing are documented in Section II-A-4 (Application Guide).                                                                                                            |
| 8.6.3.A    | Application Guide. Guide shall include results of<br>environmental Operability testing to support each<br>specific safety related application.              | Comply. Test results for the PRM and OPRM environmental operability tests are documented in Section II-A-4 (Application Guide).                                                                                                    |
| 8.6.3.B    | Application Guide. Guide shall include results of seismic testing including seismic withstand capability for all damping values used in test data analysis. | Comply. Test results for the PRM and OPRM seismic tests are documented in Section II-A-4 (Application Guide). The Application Guide includes the torque requirements for screws and fasteners.                                     |
| 8.6.3.C    | Application Guide. Guide shall include results of Class 1E to Non-1E isolation testing.                                                                     | Comply. Test results for the PRM Class 1E to Non-Class 1E isolation testing are documented in Section II-A-4. For the OPRM, Class 1E to Non-1E isolation testing was not required, and was thus not conducted.                     |
| 8.6.3.D    | Application Guide. Guide shall include results of surge withstand testing.                                                                                  | Comply. Test results for the PRM and OPRM surge withstand testing are documented in Section II-A-4 (Application Guide).                                                                                                            |
| 8.6.3.E    | Application Guide. Guide shall include results of EMI/RFI testing.                                                                                          | Comply. Test results for the PRM and OPRM EMI/RFI testing are documented in Section II-A-4 (Application Guide).                                                                                                                    |
| 8.6.3.F    | Application Guide. Guide shall include results of power quality testing.                                                                                    | Comply. The power quality testing was conducted during the operability test in the PRM and OPRM qualification testing. The results of the PRM and OPRM qualification testing are documented in Section II-A-4 (Application Guide). |
| 8.6.3.G    | Application Guide. Guide shall describe any<br>combination of software objects or special purpose<br>objects created to support testing.                    | N/A. No software objects or special purpose objects are used in testing. Toshiba uses the final, shippable application for all qualification testing.                                                                              |
| 8.6.3.H    | Application Guide. Guide shall include a description of the as-tested PLC configuration.                                                                    | Comply. The unit, module, wiring, support equipment, and interconnection configuration of the PRM and OPRM qualification testing is documented in Section II-A-3 (Application Guide).                                              |
| 8.6.3.I    | Application Guide. Guide shall include a<br>description of the executive software and software<br>tools revision levels included in qualification.          | N/A. The PRM or OPRM does not include executive software or software tools.                                                                                                                                                        |
| 8.6.3.J    | Application Guide. Guide shall include a description of the as-tested PLC configuration.                                                                    | Comply. The unit, module, wiring, support equipment, and interconnection configuration of the PRM and OPRM qualification testing is documented in Section II-A-3 (Application Guide).                                              |
| 8.6.3.K    | Application Guide. Guide shall include a summary of the FMEA and availability analysis.                                                                     | Comply. The FMEA and availability analysis are documented in Section III-3.2.2 for the PRM and in Section III-6.2.2 for the OPRM.                                                                                                  |
| 8.6.3.L    | Application Guide. Guide shall include the setpoint analysis support document.                                                                              | Comply. The setpoint support analysis is documented in Section III-3.2.3 for PRM and in Section III-6.2.3 for OPRM.                                                                                                                |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                     | Compliance with EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                 |
|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|            | Summary of EX NI TR-107550 Requirements                                                                                                                                                    | (or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| 8.6.3.M    | Application Guide. Guide shall include information<br>from manufacturer audits and surveys applicable to<br>future purchasing.                                                             | N/A. Since Toshiba performed commercial grade dedication on commercial products, this data is not required in the Application Guide.                                                                                                                                                                                                                                                                                                        |
| 8.6.3.N    | Application Guide. Guide shall include a description of the redundancy features included in qualification.                                                                                 | Comply. The Application Guide includes a description of the tested system configuration including redundancy features.                                                                                                                                                                                                                                                                                                                      |
| 8.6.3.0    | Application Guide. Guide shall include a description of external devices included in qualification.                                                                                        | N/A. There were no external devices included in the qualification, as stated in the Application Guide.                                                                                                                                                                                                                                                                                                                                      |
| 8.6.3.P    | Application Guide. Guide shall include a description of the PLC configuration management methods.                                                                                          | Comply. The Application Guide includes the configuration data (module numbers) applicable to a given installation. The plant-specific portion of the Application Guide will be revised for each utility if changes are required to modules, which results in new module numbers.                                                                                                                                                            |
| 8.6.3.Q    | Application Guide. Guide shall include a summary of the component aging analysis.                                                                                                          | N/A. Aging analysis is not necessary where equipment is qualified for use only in mild environments. USNRC RG 1.209 does not require equipment aging for mild environment. Toshiba also notes there are no significant aging mechanisms in this FPGA-based equipment.                                                                                                                                                                       |
| 8.6.3.R    | Application Guide. Guide shall include a description of seismic mounting methods.                                                                                                          | Comply. The mounting methods used in the PRM and OPRM qualification testing is documented in Sections III-2.2.2 and III-5.2.2.                                                                                                                                                                                                                                                                                                              |
| 8.6.3.8    | Application Guide. Guide shall include a<br>description of qualification envelopes for specific<br>modules if different from the overall envelope.                                         | N/A. The PRM and OPRM qualification used the same qualification envelopes for all modules.<br>The envelopes for the PRM and OPRM qualification testing is documented in Section II-A-4 (Application Guide).                                                                                                                                                                                                                                 |
| 8.6.3.T    | Application Guide. Guide shall include a<br>description of any application hardware or software<br>features that are assumed in order to meet<br>qualification requirements.               | Comply. Appendix II-B of this LTR provides a module summary description of application hardware or modules which have FPGA programmable logics features that are assumed in order to meet qualification requirements.                                                                                                                                                                                                                       |
| 8.6.4      | Supporting Analyses Documentation Requirements.<br>Documentation shall be provided of the FMEA and<br>Availability/Reliability Analyses.                                                   | Comply. The FMEA and availability analysis is documented in Section III-3.2.2 for PRM and in Section III-6.2.2 for OPRM. These LTR sections will be supplied with the Application Guide.                                                                                                                                                                                                                                                    |
| 8.6.5      | Class 1E to Non-Class 1E Isolation Test Plan. A<br>Class 1E to Non-1E Isolation test plan and report<br>shall be provided. The test plan shall be reviewed<br>and approved by the utility. | <ul> <li>Comply. The Master Test Plan (Reference (d19)) provides the test plan for Class 1E to Non-1E Isolation Test.</li> <li>The Qualification Test Summary Report (Reference (d16)) provides the report for Class 1E to Non-Class 1E Isolation test. A summary of the results is documented in the Application Guide.</li> <li>For OPRM, Class 1E to Non-Class 1E Isolation Test is not required, and was thus not conducted.</li> </ul> |
| 8.7        | V&V Documentation Requirements. Descriptive information.                                                                                                                                   | No requirement                                                                                                                                                                                                                                                                                                                                                                                                                              |


| Section No | Summary of EPRI TR-107330 Requirements                                                                         | Compliance with EPRI TR-107330 Requirements<br>(or N/A) |
|------------|----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
| 8.7.A      | V&V Documentation. Documentation shall include<br>a software quality assurance plan.                           | Comply. The systems are implemented under a programmable logic life cycle that includes a Software Quality Assurance Plan as documented in Section I-3.4 for the current process and in Section I-A-4.3 for the original process; and a Software Verification and Validation Plan as documented in Verification and Validation Plan for PRM (Reference (d41)) and Verification and Validation Plan for OPRM (Reference (c6)). Documentation is generated that documents the activities and findings from independent V&V. |
| 8.7.B      | V&V Documentation. Documentation shall include<br>a software requirements specification.                       | Comply. The systems are implemented under a programmable logic life cycle that includes an FPGA design specification that documents the FPGA requirement specification, as documented in Section I-3.3.1 for the current process and in Section I-A-4.2.1 for the original process. |
| 8.7.C      | V&V Documentation. Documentation shall include<br>a software design description.                               | Comply. The systems are implemented under a programmable logic life cycle that includes appropriate FPGA design descriptions as documented in Section I-3.3.3 for the current process and in Section I-A-4.2.3 for the original process. |
| 8.7.D      | V&V Documentation. Documentation shall include<br>a software V&V plan.                                         | Comply. The systems are implemented under a programmable logic life cycle that includes a Software V&V Plan as well as appropriate V&V documentation as documented in Section I-3.10 for the current process and in Section I-A-4.8 for the original process. |
| 8.7.E      | V&V Documentation. Documentation shall include<br>a software V&V report.                                       | Comply. The systems are implemented under a programmable logic life cycle that includes appropriate V&V phase summary reports and a final summary report as documented in Section I-3.11 for the current process and in Section I-A-4.8 for the original process. |
| 8.7.F      | V&V Documentation. Documentation shall include software user documentation.                                    | Comply. The systems are implemented under a programmable logic life cycle that includes appropriate user documentation as documented in Section I-3.3.2.3 for the current process and in section 3.2 of Attachment-5 of Part V for the original process. |
| 8.7.G      | V&V Documentation. Documentation shall include<br>a software configuration management plan.                    | Comply. The systems are implemented under a programmable logic life cycle that includes a Software Configuration Management Plan as documented in Section I-3.12 for the current process and in Section I-A-4.9 for the original process. |
| 8.8        | System Description Requirements. A test specimen hardware and software description document shall be provided. | Comply. Hardware and software documents for the PRM and OPRM test specimen were prepared in accordance with the software/hardware development lifecycle documented in Section I-3.3 for PRM and documented in Section I-A-4.2 for the OPRM. |
| 8.9        | Critical Characteristics Listing Requirement. A critical characteristics listing document shall be provided.   | Comply. The Final Technical Evaluation Report for the PRM (Reference (d39)) and the Final Technical Evaluation Report for the OPRM (Reference (c26)) list the Critical Characteristics. |
| 8.10       | System Drawing Requirements. (Section Heading)                                                                 | No requirements. |
| 8.10.A     | System Drawing Requirements. Drawings shall include a functional description of the test specimen.             | Comply. The Preliminary Technical Evaluation Report (PTER) (Reference (d38)) includes test specimen requirements for the PRM qualification testing. The EQ Test Plan (Reference (c10)) and EMC Qualification Test plan (Reference (c11)) include test specimen requirements for the OPRM qualification testing. |

| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                                                                                                                                    | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8.10.B     | System Drawing Requirements. Drawings shall include a schematic of the test specimen.                                                                                                                                                                                                                                                                                                                                                     | Comply. The Preliminary Technical Evaluation Report (PTER) (Reference (d38)) includes test specimen schematics for the PRM qualification testing. The EQ Test Plan (Reference (c10)) and EMC Qualification Test plan (Reference (c11)) include test specimen schematics for the OPRM qualification testing. Both sets of schematics include all test equipment and wiring for the test equipment.                                                                                                                                                                                                                                                                                                                                   |
| 8.10.C     | System Drawing Requirements. Drawings shall include diagrams that define the TSAP.                                                                                                                                                                                                                                                                                                                                                        | (See Item 8.6.2.C in this table.)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 8.10.D     | System Drawing Requirements. Drawings shall<br>show test specimen wiring, power distribution and<br>grounding. | Comply. The Preliminary Technical Evaluation Report (PTER) (Reference (d38)) includes test specimen internal and external wiring, power distribution and grounding for the PRM qualification testing. The EQ Test Plan (Reference (c10)) and EMC Qualification Test Plan (Reference (c11)) include test specimen internal and external wiring, power distribution, and grounding for the OPRM qualification testing. Test documents include the test specimen internal and external wiring, power distribution and grounding. |
| 8.10.E     | System Drawing Requirements. Drawings shall<br>show layout of test specimen chassis, modules and<br>qualification test fixtures. | Comply. The Preliminary Technical Evaluation Report (PTER) (Reference (d38)) includes a description of the layout of the test specimen chassis, modules, internal and external wiring, and qualification test fixtures for the PRM qualification testing. The EQ Test Plan (Reference (c10)) and EMC Qualification Test Plan (Reference (c11)) include a description of the layout of the test specimen chassis, modules, internal and external wiring, and qualification test fixtures for the OPRM qualification testing. |
| 8.10.F     | System Drawing Requirements. Drawings shall<br>show test specimen mounting and mounting fixtures,<br>including special installation requirements. | Comply. The Master Test Plan for PRM (Reference (d19)) includes the description of the test specimen mounting and mounting fixtures, including special installation requirements. The EQ Test Plan (Reference (c10)) and EMC Qualification Test Plan (Reference (c11)) for the OPRM include a description of the test specimen mounting and mounting fixtures, including special installation requirements. |
| 8.11       | System Software/Hardware Configuration Document<br>Requirements. Software and hardware<br>configuration used for qualification testing shall be<br>documented, including identification and revision of<br>executive software, module firmware, software tools,<br>downloadable PLC executive packages, and the<br>TSAP (including printout). The identification,<br>revision level and serial number of hardware shall be<br>documented. | Comply. The Master Configuration List for the PRM (Reference (d48)) and the Master Configuration List for the OPRM (Reference (c30)) document all module type numbers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 8.12       | System Database Documentation Requirements.<br>The TSAP database used for qualification testing<br>shall be documented. | (See Item 8.6.2.C in this table.) |
| 8.13       | System Setup/Calibration/Checkout Procedure<br>Requirements. All setup, calibration and checkout<br>procedures used during qualification shall be<br>documented.                                                                                                                                                                                                                                                                          | Comply. All setup, calibration, and checkout procedures used during qualification are documented in the System Set-Up and Check-out Test Procedure for the PRM (Reference (d20)) and the Setup and Check-out Test Procedure for the OPRM (Reference (c12)).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |


| Section No | Summary of EPRI TR-107330 Requirements                                                                                                                                                                                                                                                                                 | Compliance with EPRI TR-107330 Requirements<br>(or N/A)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 8.14       | System Test Documentation Requirements. A test<br>plan and test report shall be provided covering<br>qualification Operability testing. The documents<br>shall include test requirements, acceptance criteria,<br>sequence of testing, data recording methods, test<br>equipment requirements and a test data summary. | Comply. The Master Test Plan (Reference (d19)) provides the test plan for Operability Testing and the Qualification Test Summary Report (Reference (d16)) provides the report for Operability Testing for the PRM. The EQ Test Plan (Reference (c10)) and EMC Qualification Test Plan (Reference (c11)) provide the test plan for Operability Testing and the EQ report (Reference (c20)), EMC Qualification Report (Reference (c21)), and Dynamic Qualification Report (Reference (c22)) provide the report for Operability Testing for the OPRM. |
| 8.15       | Manufacturer's Quality Documentation<br>Requirements. The manufacturer shall provide its<br>Quality Assurance Plan.                                                                                                                                                                                                    | Comply. The systems are implemented under a programmable logic life cycle that includes a Software Quality Assurance Plan. Section I-3.4.1 describes the software quality assurance plan in the current process and Section I-A-4.3 describes the software quality assurance plan in the original process.                                                                                                                                                                                                                                           |
| 8.16       | Manufacturer's Certifications Requirements.<br>Manufacturer shall provide certificates of<br>conformance for all test specimen hardware. | Comply. The Final Technical Evaluation Report documents conformance for all test specimen hardware. The activity in the current process is documented in Section I-2.2.3, and the activity in the original process is documented in Section I-A-3.2.3. |


# IV-5 Compliance to DI&C ISG-04 "Highly-Integrated Control Rooms—Communications Issues (HICRc)"

Table IV-5-1 documents conformance of a typical Toshiba safety system to DI&C ISG-04 (Reference (a22)).

Notes:

- "Comply" means the corresponding section in the ERS complies with the corresponding DI&C ISG-04 requirement.
- "---" means there is no requirement in the ISG-04.

Table IV-5-1 Conformance with ISG-04

| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                       | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1. Inter Divisional Communications                                                                                                                                                                                                                                                                                                                                                        |            | Section title                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Staff Position 1.1<br>A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE-603. It is recognized that division voting logic must receive inputs from multiple safety divisions. | Comply     | The PRM or OPRM does not require data from any other safety systems residing outside its own safety division or external to its own safety division, except for the PRM application to small core BWR-3s, where the limited number of LPRM detectors forces data sharing between specific APRM units in different divisions in order to have sufficient data to perform the APRM and OPRM functions. This arrangement is documented in the existing licensing basis for US BWR-3 plants.<br>Section II-2.2 explains the application of Toshiba FPGA-Based Safety-Related I&C Systems including the PRM and OPRM.<br>Section II-2.2.3 explains FPGA application principles.<br>For PRM and OPRM, functional, physical, electrical, and communication independence exists between redundant safety-related divisions, between each safety-related division and other divisions in other safety-related systems, and between safety-related systems and non-safety-related systems; data independence is exhibited in PRM and OPRM. Data transmission within the PRM and OPRM is documented in detail in the Application Guide (See Part II, Appendix A).<br>Section II-2.2.3.2 describes the independence that exists in PRM and OPRM. |

| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>Staff Position 1.2</b><br>The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member. Information and signals originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the sources outside the division), and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division. | Comply     | The PRM and OPRM use uni-directional fiber optic links for interdivisional communication to protect the safety function of each safety channel from adverse influence from outside the division of which that channel is a member.<br>Sections II-2.2.3.2 and II-2.2.3.3 describe independence, an FPGA application principle.<br>Each division of PRM or OPRM can accomplish its safety function regardless of the operability or adverse impact of other redundant divisions or other systems. Each division of PRM or OPRM independently performs its safety function without requiring data from other divisions, except for the PRM application to small core BWR-3s, where the limited number of LPRM detectors forces data sharing between specific APRM units in different divisions in order to have sufficient data to perform the APRM and OPRM functions. This arrangement is documented in the existing licensing basis for US BWR-3 plants. The data link information is transmitted in packets with a fixed length, fixed content, and predefined format. Failures in the communication links do not adversely affect operation of the divisions receiving malformed, incorrect, or inappropriate data messages.<br>Section II-2.2.3.2.1 explains physical and electrical independence between the divisions.<br>Section II-2.1.4.3 explains error detection in the fiber optic communication.<br>To detect failures, the fiber optic link is always operating, using a self-clock of each module. The data link uses Manchester encoding to send zeros and ones. Each message includes a Cyclic Redundancy Check (CRC), which detects data corruption. When data needs to be transferred, a special pattern is sent to indicate the start of a data packet. The fixed-length data packet is then sent.<br>Note: Toshiba has updated the FPGA logic to use CRC in addition to the parity check used in the old FPGA logic.<br>The transmitting module is configured to send all required data from the unit to external equipment. The serial communication link to the outside world is electrically isolated using uni-directional fiber optic communication. |
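The link checks named in the comments on Staff Position 1.2 (start pattern, fixed-length packet, Manchester coding, CRC added to the older parity check) are sketched below as a receiver-side validator that discards any frame failing a check. This is an added example, not Toshiba's FPGA logic: the start pattern, Manchester polarity, CRC-16 polynomial and frame layout are assumptions, and only the 46 x 16-bit item count comes from the module description.

```python
import struct

N_ITEMS = 46                    # from the page: 46 data items, 16 bits each
PAYLOAD_LEN = N_ITEMS * 2       # payload size in bytes
BODY_LEN = PAYLOAD_LEN + 2      # assumed layout: payload followed by a CRC-16
START = (1, 1, 1, 0, 0, 0)      # assumed start pattern: runs of three equal
                                # half-bits never occur in Manchester data


class FrameError(Exception):
    """Raised for any frame the receiver must discard."""


def crc16(data, poly=0x1021, init=0xFFFF):
    """Bitwise CRC-16 (polynomial and init value are assumptions)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parity_bit(data):
    """Single even-parity bit over all bits, standing in for the older check."""
    return sum(bin(b).count("1") for b in data) & 1


def manchester_encode(data):
    """Each data bit becomes two half-bits: 1 -> (0, 1), 0 -> (1, 0) (assumed polarity)."""
    half_bits = []
    for byte in data:
        for shift in range(7, -1, -1):
            half_bits.extend((0, 1) if (byte >> shift) & 1 else (1, 0))
    return half_bits


def manchester_decode(half_bits):
    """Decode half-bit pairs; a pair without a mid-bit transition is a violation."""
    out = bytearray()
    for i in range(0, len(half_bits), 16):
        byte = 0
        for j in range(i, i + 16, 2):
            pair = (half_bits[j], half_bits[j + 1])
            if pair not in ((0, 1), (1, 0)):
                raise FrameError("coding violation")
            byte = (byte << 1) | (pair == (0, 1))
        out.append(byte)
    return bytes(out)


def build_frame(items):
    """Transmitter side: start pattern, then Manchester-coded payload + CRC."""
    payload = struct.pack(f">{N_ITEMS}H", *items)
    body = payload + struct.pack(">H", crc16(payload))
    return list(START) + manchester_encode(body)


def receive_frame(line):
    """Receiver side: return the 46 items or raise FrameError; no partial data is used."""
    n = len(START)
    if tuple(line[:n]) != START:
        raise FrameError("no start pattern")
    if len(line) != n + BODY_LEN * 16:
        raise FrameError("wrong length")
    body = manchester_decode(line[n:])
    payload = body[:PAYLOAD_LEN]
    (rx_crc,) = struct.unpack(">H", body[PAYLOAD_LEN:])
    if crc16(payload) != rx_crc:
        raise FrameError("CRC mismatch")
    return list(struct.unpack(f">{N_ITEMS}H", payload))


def classify(line):
    """Return 'ok' or the reason the frame was discarded."""
    try:
        receive_frame(line)
        return "ok"
    except FrameError as exc:
        return str(exc)


def invert_data_bits(line, positions):
    """Constructed fault: swap the half-bit pair of each listed data bit, so the
    line stays valid Manchester but the decoded bit is inverted."""
    bad = list(line)
    for k in positions:
        i = len(START) + 2 * k
        bad[i], bad[i + 1] = bad[i + 1], bad[i]
    return bad


if __name__ == "__main__":
    items = list(range(1000, 1000 + N_ITEMS))      # constructed sample data
    good = build_frame(items)
    glitch = list(good)
    glitch[20] ^= 1                                # one corrupted half-bit
    print("clean frame:        ", classify(good))
    print("two inverted bits:  ", classify(invert_data_bits(good, [5, 300])))
    print("one half-bit glitch:", classify(glitch))
    print("truncated frame:    ", classify(good[:-16]))
```

The two-inverted-bits case is the one the Note about adding CRC to the parity check bears on: an even number of inverted bits leaves a single parity bit unchanged, while the CRC rejects the frame.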


| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Compliance | Comments                                                                                                                                                       |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>Staff Position 1.3</b><br>A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible.<br>Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function, but is not designed to perform other functions. The more complex system would increase the likelihood of failures and software errors. Such a complex design, therefore, should be avoided within the safety system. For example, comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors (for example, On-Line Monitoring). Such a function executed within a safety system, however, could also result in unacceptable influence of one division over another, or could involve functions not directly related to the safety functions, and should not be executed within the safety system.<br>Receipt of information from outside the division, and the performance of functions not directly related to the safety function, if used, should be justified. It should be demonstrated that the added system/software complexity associated with the performance of functions not directly related to the safety function and with the receipt of information in support of those functions does not significantly increase the likelihood of software specification or coding errors, including errors that would affect more than one division. The applicant should justify the definition of "significantly" used in the demonstration. | Comply | The PRM and OPRM are designed to ensure the independence of each safety channel.<br>Section II-2.2.3.2 describes the independence that exists in PRM and OPRM. |


Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application PART IV Compliance to the Codes and Standards


| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Compliance                                                                                                 | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>Staff Position 1.4</b><br>The communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function. The communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information. The function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety-related, and must be designed, qualified, fabricated, etc., in accordance with 10 C.F.R. Part 50, Appendix A and B. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner. For example, if the communication processor is accessing the shared memory at a time when the function processor needs to access it, the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses. If the shared memory cannot support unrestricted simultaneous access by both processors, then the access controls should be configured such that the function processor always has precedence. The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis, and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory. | Comply, except for the difference of the FPGA-based I&C systems from CPU-based systems. | <ul> <li>Section II-2.1.4.3 describes communication on the fiber optic link.</li> <li>The PRM and OPRM use two types of communication modules, TRN (transmitter) modules and RCV (receiver) modules. These modules implement the communication process separation between units required by Staff Position 1.4. Communication within the unit is not part of this discussion.</li> <li>Each TRN module talks to one or more RCV modules that receive data through a uni-directional, point-to-point communication link. The TRN and RCV modules are separated from safety functions performed by safety-function modules, such as the APRM module.</li> <li>In safety function modules, the PRM or OPRM handles data in a different way from microprocessor-based systems.</li> </ul>Section II-2.2.3.5 describes that the FPGA circuits are constructed of discrete logic blocks that are similar to older, analog and discrete relay circuits in existing operating plants. The PRM or OPRM implements the required functionality in fixed gates, in dedicated FPGAs for necessary functions.<br>Therefore, the PRM and OPRM achieve the separation of safety functions from communications and the prioritization of the safety functions over communication in a finer granularity than CPU-based systems.<br>Staff Position 1.4 discusses the concern that the communication processor may be accessing the shared memory at a time when the function processor should gain access.<br>The RCV module checks for the periodic data transmission through each fiber optic cable. If the RCV module fails to receive data packets three times in a row, the RCV module issues an alarm and marks the link failed.<br>The RCV module performs a CRC check on the received data. Failure of data to arrive is detected and will be alarmed. |
| <b>Staff Position 1.5</b><br>The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory. This longest-possible completion time should include the response time of the memory itself and of the circuits associated with it, and should also include the longest possible delay in access to the memory by the function processor assuming worst-case conditions for the transfer of access from the communications processor to the function processor. Failure of the system to meet the limiting cycle time should be detected and alarmed. | Comply, except for the difference of the FPGA-based I&C systems from CPU-based systems. | The PRM and OPRM use multiple FPGAs that operate in sequence in a deterministic time, as documented in Section II-2.2.3.3. Since the cycle is fixed, the PRM and OPRM always operate on exactly the same cycle. |


| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>Staff Position 1.6</b><br>The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division. | Comply | The communication data link provided in each division is a point-to-point, uni-directional communication link using the TRN and RCV modules. The link has no physical or logic provisions for communication handshaking. |
| <b>Staff Position 1.7</b><br>Only predefined data sets should be used by the receiving system. Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre-specified design requirements. Data from unrecognized messages must not be used within the safety logic executed by the safety function processor. Message format and protocol should be pre-determined. Every message should have the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message. Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior. | Comply | <ul> <li>Section II-2.1.4 describes three types of communication links. All communication within the PRM or OPRM uses pre-defined, fixed length, fixed format, fixed content messages.</li> <li>Sections II-2.2.3.2 and II-2.2.3.3 describe the communication protocols as using pre-defined, fixed length, fixed format, and fixed content, as well as being generated only at specific times in the FPGA logic execution.</li> <li>The transmitted data is encapsulated in a data packet consisting of a fixed number of data fields. Headers and CRC are added to this frame to detect the start of the frame and determine if bit errors have occurred within the frame.</li> <li>To detect failures, all fiber optic links are always operating, using a self-clocking data signal. Each message includes a CRC. When data needs to be transferred, a special pattern is sent to indicate the start of a data packet.</li> </ul> |
| <b>Staff Position 1.8</b><br>Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions. | Comply | The PRM and OPRM are designed to preserve the safety function of the safety divisions, the receiving divisions, or any other independent divisions by the use of dedicated function, point-to-point, uni-directional fiber optic communication.<br>Section II-2.2.3.2.1 describes physical and electrical independence.<br>Section II-2.2.3.2.2 describes communication independence. |
| <b>Staff Position 1.9</b><br>Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor. These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device. | Comply | Section II-2.2.3.2.2 describes that each communication link has its own independent communication buffer.<br>Each dedicated function communication buffer is designed in a manner to preclude buffer overflow from having any effect. |
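
The receive-side checks described in the comments for Staff Positions 1.4, 1.7 and 1.9 (fixed-length frame, start pattern, CRC, a dedicated buffer, and an alarm after three consecutive missed packets) can be modeled in software as below. This is an added illustration, not the FPGA logic of the PRM or OPRM: the start-pattern value, the CRC-16/CCITT-FALSE polynomial, the byte order, counting a rejected frame as a missed packet, and clearing the alarm on the next valid frame are assumptions; only the 46 × 16-bit payload and the three-miss limit come from the document.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (the page states only headers, a fixed number of data
 * fields and a CRC): 2-byte start pattern | 46 x 16-bit big-endian items |
 * 2-byte CRC-16. */
#define ITEM_COUNT    46u     /* from the page: 46 data items of 16 bits */
#define START_PATTERN 0xA55Au /* hypothetical value */
#define FRAME_LEN     (2u + ITEM_COUNT * 2u + 2u)
#define MISS_LIMIT    3u      /* from the page: three misses in a row */

typedef enum { RCV_OK, RCV_NO_FRAME, RCV_BAD_LENGTH, RCV_BAD_START, RCV_BAD_CRC } rcv_status;

typedef struct {
    uint16_t data[ITEM_COUNT]; /* dedicated buffer, written only by valid frames */
    unsigned misses;           /* consecutive cycles without a valid frame */
    int link_failed;           /* alarm state of this link */
} rcv_link;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF (polynomial is an assumption). */
static uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFFu;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Transmit side: every item is sent every cycle, in the same position. */
void build_frame(const uint16_t items[ITEM_COUNT], uint8_t out[FRAME_LEN])
{
    out[0] = (uint8_t)(START_PATTERN >> 8);
    out[1] = (uint8_t)(START_PATTERN & 0xFFu);
    for (unsigned i = 0; i < ITEM_COUNT; i++) {
        out[2 + 2 * i] = (uint8_t)(items[i] >> 8);
        out[3 + 2 * i] = (uint8_t)(items[i] & 0xFFu);
    }
    uint16_t crc = crc16(out, FRAME_LEN - 2u);
    out[FRAME_LEN - 2u] = (uint8_t)(crc >> 8);
    out[FRAME_LEN - 1u] = (uint8_t)(crc & 0xFFu);
}

/* Anything that is not exactly one well-formed frame is unrecognized. */
static rcv_status validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len == 0) return RCV_NO_FRAME;
    if (len != FRAME_LEN) return RCV_BAD_LENGTH;
    if ((((unsigned)buf[0] << 8) | buf[1]) != START_PATTERN) return RCV_BAD_START;
    uint16_t want = (uint16_t)(((unsigned)buf[FRAME_LEN - 2u] << 8) | buf[FRAME_LEN - 1u]);
    if (crc16(buf, FRAME_LEN - 2u) != want) return RCV_BAD_CRC;
    return RCV_OK;
}

/* One receive cycle. Data from a rejected frame never reaches link->data,
 * and the length check runs before any copy, so an oversized input cannot
 * overflow the buffer. */
rcv_status rcv_cycle(rcv_link *link, const uint8_t *buf, size_t len)
{
    rcv_status st = validate(buf, len);
    if (st != RCV_OK) {
        if (link->misses < MISS_LIMIT) link->misses++;
        if (link->misses >= MISS_LIMIT) link->link_failed = 1; /* raise alarm */
        return st;
    }
    for (unsigned i = 0; i < ITEM_COUNT; i++)
        link->data[i] = (uint16_t)(((unsigned)buf[2 + 2 * i] << 8) | buf[3 + 2 * i]);
    link->misses = 0;
    link->link_failed = 0;
    return RCV_OK;
}

int main(void)
{
    uint16_t items[ITEM_COUNT];
    uint8_t frame[FRAME_LEN];
    rcv_link link;
    memset(&link, 0, sizeof link);
    for (unsigned i = 0; i < ITEM_COUNT; i++) items[i] = (uint16_t)(1000u + i); /* constructed sample */
    build_frame(items, frame);

    rcv_status st = rcv_cycle(&link, frame, FRAME_LEN);
    printf("valid frame:   status=%d misses=%u failed=%d\n", st, link.misses, link.link_failed);

    frame[10] ^= 0x01u; /* single bit error in transit */
    for (int cycle = 0; cycle < 3; cycle++) {
        st = rcv_cycle(&link, frame, FRAME_LEN);
        printf("corrupt frame: status=%d misses=%u failed=%d item4=%u\n",
               st, link.misses, link.link_failed, (unsigned)link.data[4]);
    }
    return 0;
}
```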

| NRC Guidance ISG-04 | Compliance | Comments |
|---|---|---|
| <b>Staff Position 1.10</b><br>Safety division software should be protected from alteration while the safety division is in operation. On-line changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g. engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor / shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes. | Comply | The FPGA-based system uses antifuse FPGA architecture that is non-volatile and non-rewritable.<br>Once safety functions are programmed into the FPGA, there is no method to change the logic, i.e., the logic is protected from alteration.<br>Section II-A-2.7 describes how an attached EEPROM is used to store setpoint values for the PRM. Section II-A-2.7 describes use of an attached one-time programmable EPROM. |
| <b>Staff Position 1.11</b><br>Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service. The progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division. For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence. | Comply | The FPGA-based system uses antifuse FPGA architecture that is non-volatile and non-rewritable. Once safety functions are programmed into the FPGA, there is no method to change the logic, i.e., the logic is protected from alteration.<br>Changing the instructions requires unsoldering the FPGA from the module, replacing the original with an updated FPGA, and soldering the physically updated FPGA back onto the module. |

| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                      | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Staff Position 1.12<br>Communication faults should not adversely affect the performance of<br>required safety functions in any way. Faults, including communication<br>faults, originating in nonsafety equipment, do not constitute "single<br>failures" as described in the single failure criterion of 10 C.F.R. Part<br>50, Appendix A. Examples of credible communication faults include,<br>but are not limited to, the following: | Comply     | The Response provided for Staff Position 1.9 is also applicable to Staff Position 1.12.<br>The PRM or OPRM does not receive data from nonsafety equipment. The PRM and<br>OPRM provide data to nonsafety equipment through unidirectional fiber optic<br>communication links. Therefore communication faults cannot adversely affect safety<br>functions in the Toshiba design.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| • Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise. | Comply | The data packet consists of fixed fields or channels. RCV modules check for periodic arrival of data packets, in addition to data corruption checks using CRC. The RCV module checks the received data. If the RCV module finds an error in a frame, the frame is discarded. EMC qualification was performed for the PRM and the OPRM. The results are documented in Part III. |
| • Messages may be repeated at an incorrect point in time. | Comply | Communication between the TRN and RCV modules is point-to-point and unidirectional.<br>Optical receivers of the RCV module detect the frame preambles of the messages even if the message was sent at an incorrect point in time, and store the accepted data in a buffer.<br>However, the remaining FPGAs in the receiver train operate cyclically in a pre-determined time interval. The messages do not adversely affect the RCV module or the other modules using the data. |
| • Messages may be sent in the incorrect sequence. | Comply | The data communication over the fiber optic link uses only one type of data packet on each link. The TRN (transmitter) and RCV (receiver) modules are used for the fiber optic links, using only one type of fixed data packet. In PRM or OPRM, a sender module may send a large data set to a destination module residing in another unit through a pair of TRN and RCV modules. In this case, the sender module divides the data set into more than one message with sequence numbers attached to each message, and sends the messages through the TRN module in the same unit. The RCV modules deliver the messages to the target module in the same unit, without regard to the order of the sequence numbers. The target module checks the sequence numbers of the messages, and if the target module detects an incorrect sequence of messages, the whole set of messages is discarded. |
| • Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message. | Comply | RCV modules check for periodic arrival of data packets. If the RCV module fails to receive data packets three times in a row, the RCV module issues an alarm. RCV modules have dedicated FPGAs for error detection. |
| • Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, interference, or by delay in sending buffered messages. | Comply | The RCV modules check for corruption of data packets by CRC and/or Parity. If the RCV module fails to receive data packets three times in a row, the RCV module issues an alarm. RCV modules have dedicated FPGAs for error detection. |

**Nuclear Energy Systems & Services Division** 

| NRC Guidance ISG-04 |                                                                                                       | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|---------------------|-------------------------------------------------------------------------------------------------------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| • | Messages may be inserted into the communication medium from<br>unexpected or unknown sources. | Comply | The communications of the PRM and OPRM are point-to-point through the fiber optic link. Messages are unlikely to be received from unexpected or unknown sources. Additionally, the fiber optic cables must be maintained in vital plant areas, to ensure that the fiber optic cables are protected. |
| • | Messages may be sent to the wrong destination, which could treat<br>the message as a valid message. | Comply | The communications of the PRM and OPRM are point-to-point through the fiber optic link. Messages are unlikely to be sent to a wrong destination.<br>In addition, the RCV module checks the source of the data packet. It is possible that fiber optic connections will be confused during installation or maintenance activities. Checks of the source, unit type, and unit number detect such errors and generate appropriate external notification of the error. |
| •                   | Messages may be longer than the receiving buffer, resulting in buffer overflow and memory corruption. | Comply     | The RCV module is designed to receive messages of pre-defined lengths. If a message is longer than the defined length, the RCV module will discard the excess. If a message is shorter than the defined length, the RCV module will detect a message corruption error. The PRM and OPRM have no problem with buffer overflow or memory corruption since all messages are stored in pre-defined, pre-allocated registers and there is no possibility of storing data beyond the end of the pre-defined, pre-allocated register length. |
| •                   | Messages may contain data that is outside the expected range.                                         | Comply     | If the cause is due to message corruption, the corruption will be detected by CRC; otherwise the redundant portion of the PRM and OPRM will perform the required safety functions.                                                                                                                                                                                                                                                                                                                                                    |
| • | Messages may appear valid, but data may be placed in incorrect locations within the message. | Comply | This would require faults or failures in the programmable logic in the transmitter or receiver with multiple cross-connections, which is unlikely. It is more likely that data would not be inserted from single hardware faults and failures. Even if this kind of random failure happened, the remainder of the redundant system would continue to function and perform the safety functions that the failed unit can no longer perform. |
| • | Messages may occur at a high rate that degrades or causes the system to fail (i.e., broadcast storm). | Comply | Because the PRM and OPRM exchange messages over point-to-point data links, there can be no broadcast storm. Data packets are sent based on pre-determined, fixed rate clocks generated in the FPGA logic and based on hardware timing signals. |
| •                   | Message headers or addresses may be corrupted.                                                        | Comply     | The data packet in the PRM and OPRM has a field that identifies the TRN module at the opposite end of the communication link. The field is protected by CRC. The RCV module checks the identification numbers to identify the message source. If headers or addresses are corrupted, the message will be rejected, as the header or the source would not be as expected.                                                                                                                                                              |
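
The receive-side checks described in the Staff Position 1.12 responses above (fixed length, CRC, source/unit identification, alarm after three consecutive missed cycles), modelled in software as an added example; this is not Toshiba's FPGA logic. The field layout, preamble value, CRC-16/CCITT parameters, and the choice to count every discarded frame as a missed cycle are assumptions.

```python
import binascii
import struct
from dataclasses import dataclass, field
from enum import Enum

# Assumed frame layout (not taken from the page):
#   preamble(2) | source(1) | unit type(1) | unit number(1) | 46 x uint16 | CRC-16(2)
PREAMBLE = b"\xA5\x5A"            # assumed marker value
N_ITEMS = 46                      # 16-bit data items per frame
HEADER = struct.Struct(">2sBBB")
PAYLOAD = struct.Struct(f">{N_ITEMS}H")
FRAME_LEN = HEADER.size + PAYLOAD.size + 2
MISS_LIMIT = 3                    # "three times in a row"
CRC_INIT = 0xFFFF                 # assumed; binascii.crc_hqx uses the CCITT polynomial


class Verdict(Enum):
    ACCEPTED = "accepted"
    NO_FRAME = "no frame arrived in this cycle"
    SHORT = "shorter than the defined length (corruption)"
    BAD_PREAMBLE = "preamble not found"
    BAD_CRC = "CRC mismatch"
    WRONG_SOURCE = "unexpected source / unit type / unit number"


def build_frame(source, unit_type, unit_no, items):
    """Transmitter side: pack the fixed fields and append the CRC."""
    body = HEADER.pack(PREAMBLE, source, unit_type, unit_no) + PAYLOAD.pack(*items)
    return body + struct.pack(">H", binascii.crc_hqx(body, CRC_INIT))


@dataclass
class Receiver:
    expected: tuple                                   # (source, unit_type, unit_no)
    registers: list = field(default_factory=lambda: [0] * N_ITEMS)
    misses: int = 0

    @property
    def alarm(self):
        # Whether the real alarm latches is not stated on the page; here it
        # simply follows the consecutive-miss counter.
        return self.misses >= MISS_LIMIT

    def cycle(self, raw):
        """Process what arrived in one fixed receive cycle (None = nothing)."""
        verdict = self._check(raw)
        # Assumption: any cycle without an accepted frame counts as a miss.
        self.misses = 0 if verdict is Verdict.ACCEPTED else self.misses + 1
        return verdict

    def _check(self, raw):
        if not raw:
            return Verdict.NO_FRAME
        if len(raw) < FRAME_LEN:
            return Verdict.SHORT
        frame = raw[:FRAME_LEN]                       # excess bytes are discarded
        preamble, source, unit_type, unit_no = HEADER.unpack_from(frame)
        if preamble != PREAMBLE:
            return Verdict.BAD_PREAMBLE
        (crc,) = struct.unpack(">H", frame[-2:])
        if binascii.crc_hqx(frame[:-2], CRC_INIT) != crc:
            return Verdict.BAD_CRC
        # A frame with a valid CRC from the wrong unit (e.g. swapped fibers)
        # is still rejected by the identification check.
        if (source, unit_type, unit_no) != self.expected:
            return Verdict.WRONG_SOURCE
        # Only a fully validated frame reaches the fixed-size register bank,
        # and the slice assignment can never grow it past N_ITEMS.
        self.registers[:] = PAYLOAD.unpack_from(frame, HEADER.size)
        return Verdict.ACCEPTED


def constructed_scenario():
    """Run constructed frames through one receiver; returns (verdict, alarm) per cycle."""
    items = list(range(N_ITEMS))
    good = build_frame(0x11, 0x02, 0x01, items)
    corrupt = bytearray(good)
    corrupt[10] ^= 0x01                               # single bit error in the payload
    swapped = build_frame(0x12, 0x02, 0x01, items)    # valid frame from another unit
    rx = Receiver(expected=(0x11, 0x02, 0x01))
    cycles = [good, good + b"\x00" * 4, good[:-3], bytes(corrupt), swapped, good]
    return [(rx.cycle(raw).name, rx.alarm) for raw in cycles]


if __name__ == "__main__":
    for row in constructed_scenario():
        print(row)
```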

-----

| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Staff Position 1.13<br>Vital communications, such as the sharing of channel trip decisions for<br>the purpose of voting, should include provisions for ensuring that<br>received messages are correct and are correctly understood. Such<br>communications should employ error-detecting or error-correcting<br>coding along with means for dealing with corrupt, invalid, untimely, or<br>otherwise questionable data. The effectiveness of error detection /<br>correction should be demonstrated in the design and proof testing of<br>the associated codes, but once demonstrated is not subject to periodic<br>testing. Error-correcting methods, if used, should be shown to always<br>reconstruct the original message exactly or to designate the message as<br>unrecoverable. None of this activity should affect the operation of the<br>safety-function processor. | Comply     | Data transmission from the TRN module to the RCV module has features (CRC and source<br>checking) to detect communication faults.<br>For this discussion, Toshiba assumes that proof testing is a combination of verification and<br>validation tests and equipment qualification type tests. As documented in Part VI of this<br>LTR, verification and validation tests demonstrated CRC function in communication links.                                                                                                                                                                                                                                                                                                                                                                                                          |
| Staff Position 1.14<br>Vital communications should be point-to-point by means of a dedicated<br>medium (copper or optical cable). In this context, "point-to-point"<br>means that the message is passed directly from the sending node to the<br>receiving node without the involvement of equipment outside the<br>division of the sending or receiving node. Implementation of other<br>communication strategies should provide the same reliability and<br>should be justified. | Comply | As documented in Section II-2.2.3.2.2, and shown in Figure II-2-13, communications in the PRM and OPRM are point-to-point over fiber optic cables. |
| Staff Position 1.15<br>Communication for safety functions should communicate a fixed set of<br>data (called the "state") at regular intervals, whether data in the set has<br>changed or not.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Comply     | As documented in Section II-2.2.3.3, the communication protocols are pre-defined, fixed length, fixed format, generated at specific times in the FPGA logic execution, and always contain all data required to be communicated.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Staff Position 1.16<br>Network connectivity, liveness, and real-time properties essential to the<br>safety application should be verified in the protocol. Liveness, in<br>particular, is taken to mean that no connection to any network outside<br>the division can cause an RPS/ESFAS communication protocol to stall,<br>either deadlock or livelock. (Note: This is also required by the<br>independence criteria of: (1) 10 C.F.R. Part 50, Appendix A, General<br>Design Criteria ("GDC") 24, which states, "interconnection of the<br>protection and control systems shall be limited so as to assure that<br>safety is not significantly impaired."; and (2) IEEE Std 603-1991, IEEE<br>Standard Criteria for Safety Systems for Nuclear Power Generating<br>Stations.) (Source: NUREG/CR-6082, 3.4.3) | Comply | As documented in Section II-2.2.3.3, the communication protocols are pre-defined, fixed<br>length, fixed format, and generated at specific times in the FPGA logic execution. The<br>communication links that perform safety functions include data, data checking, and time out<br>error checking. The communication protocols and logic in the communication receivers<br>include self-diagnostics that will generate module failure signals upon detection of<br>communication failures, taking conservative actions, and alerting operators.<br>Communication links with other safety and non-safety related systems each use different<br>implementations of the programmable logic and separate TRN/RCV modules to avoid the<br>possibility of communication errors on any link affecting any other link or the safety<br>function. |

| NRC Guidance ISG-04                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Compliance | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Staff Position 1.17<br>Pursuant to 10 C.F.R. § 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified. | Comply | Toshiba fiber optic and copper cables for the equipment in this LTR are all installed in mild environments, and have been demonstrated to work effectively in the expected radiation fields, even with prompt dose exposure rates. For harsh environments, which are not part of this LTR, Toshiba uses qualified cables.<br>Section III-2.2.3 describes electromagnetic compatibility (EMC) test including EMI/RFI, Surge Withstand Capability (SWC), EFT, ESD, and Class-1E to Non Class-1E Isolation Tests of PRM.<br>Section III-5.2.3 describes electromagnetic compatibility (EMC) test including EMI/RFI, Power Surge, EFT/B, and ESD tests of OPRM.<br>The applicability of the RG 1.180, Revision 1, test levels will need to be evaluated for plant applications significantly different from the light water reactors surveyed to generate the levels in the regulatory guide. This activity would be a joint responsibility of Toshiba and the utility. |
| Staff Position 1.18<br>Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication. | Comply | Section I-3.9 describes Software Safety Analysis, which includes hazard analyses. Toshiba analyzes communication hazards in the analysis.<br>Section III-3.2.2 describes the FMEA performed for the PRM system. Section III-6.2.2 describes the FMEA performed for the OPRM system. |
| Staff Position 1.19<br>If data rates exceed the capacity of a communications link or the ability                                                                                                                                                                                                                                                                                                                                                                                       | Comply     | As documented in Section II-2.2.3.2.2, the FPGA-based system uses fiber optic links; and as documented in Section II-2.2.3.3, fixed length data packets are generated at specific times.                                                                                                                                                                                                                                                                                                                                                      |
| of nodes to handle traffic, the system will suffer congestion. All links<br>and nodes should have sufficient capacity to support all functions. The<br>applicant should identify the true data rate, including overhead, to<br>ensure that communication bandwidth is sufficient to ensure proper<br>performance of all safety functions. Communications throughput<br>thresholds and safety system sensitivity to communications throughput<br>issues should be confirmed by testing. |            | Therefore, the fixed, designed, computed data rate cannot exceed the capacity of the links,<br>and will not suffer congestion, since all data is transmitted in each message. The data links<br>run at the same communication loading at all times. Operation of the links is tested<br>continuously at the same loading, without regard to the plant conditions. This loading is<br>tested during V&V activities, equipment qualification testing, Factory Acceptance Test, and<br>continuously while the system operates, or is maintained. |

| NRC Guidance ISG-04 | Compliance | Comments |
|---------------------|------------|----------|
| Staff Position 1.20<br>The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing. | Comply | The FPGA-based I&C systems use fiber optic links for communications.<br>According to the data sheet of the optic device, the error rate of data transmission is less than [ ] |
| 2. Command Prioritization |  |  |
| Staff Positions 2.1 through 2.10 | N/A | Does not apply to this LTR, since a priority logic module is not included in the PRM and OPRM. Neither the PRM nor the OPRM directly initiate equipment in the plant, |
| 3. Multidivisional Control and Display Stations, including<br>3.1, Independence and Isolation;<br>3.2, Human Factors Considerations; and<br>3.3 Diversity and Defense-in-Depth (D3) Considerations |  | Does not apply to this LTR, since human-system interfaces in the operator consoles in the main control room are not included in this topical report. |


# IV-6 Document Mapping with DI&C ISG-06

Table IV-6-1 provides the mapping from the Digital Instrumentation and Controls Interim Staff Guidance (DI&C ISG)-06 (Reference (a23)) to the reference documents in this LTR. Toshiba concludes that the original process and the current process both comply with DI&C ISG-06 expectations. The Reference provided points to the section of the LTR that contains a summary of the item required by ISG-06. In that summary, references are usually provided to Toshiba documents containing more detailed information.

| No.  | Items required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |
|------|---------------------------------------|----------------------------------|-----------------------------------|
| 1.1  | Hardware Architecture Descriptions | Section II-2 FPGA System Description | Same as the current process. |
| 1.2  | Quality Assurance Plan for Digital Hardware | Section I-2.1 QA Program and Section I-3 Software/Hardware Development Process | Section I-A-3 QA Program in the original process and Section I-A-4 Software/Hardware Development in the original Process. |
| 1.3  | Software Architecture Description | Section II-2.1 FPGA Platform | Same as the current process. |
| 1.4  | Software Management Plan | Section I-3.2 Software Management Plan. | Section I-A-4.1 Software Management Planning and Practice. |
| 1.5  | Software Development Plan | Section I-3.3 Software Development Plan | Section I-A-4.2 Software Development Planning and Practice. |
| 1.6  | Software QA Plan | Section I-3.4 Software Quality Assurance Plan | Section I-A-4.3 Software Quality Assurance Planning and Practice. |
| 1.7  | Software Integration Plan | Section I-3.5 Software Integration Plan | Section I-A-4.4 Software Integration Planning and Practice. |
| 1.8  | Software Safety Plan | Section I-3.9 Software Safety Analysis | Section I-A-4.7 Software Safety Planning and Practice. |
| 1.9  | Software V&V Plan | Section I-3.10 Software V&V Plan | Section I-A-4.8 Software V&V Planning and Practice. |
| 1.10 | Software Configuration Management Plan | Section I-3.12 Software Configuration Management Plan | Section I-A-4.9 Configuration Management Planning and Practice. |

## Table IV-6-1 Document Mapping with DI&C ISG-06

---

| No. | Items required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |
|-------|-------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1.11  | Software Test Plan                                                                              | Section I-3.13 Software Test Plan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Section I-A-4.10 Software Test Planning and Practice.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| 1.12  | Software Requirement Specification                                                              | To be addressed in the design specification documents.<br>See Section I-3.3.2.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | To be addressed in the design specification documents.<br>See Section I-A-4.2.2.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| 1.13  | Software Design Specification                                                                   | See Section I-3.3.3.2 Module Design Specification (MDS) and Section I-3.3.3.3 FPGA Design Specification.                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | See Section I-A-4.2.2 Requirements Definition Phase and Section I-A-4.2.3 Design Phase.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| 1.14  | Equipment Qualification Testing Plans<br>(including EMI, Temperature, Humidity,<br>and Seismic) | Section III-5 Qualification Test of OPRM.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Section III-2 Qualification Test of PRM.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 1.15  | D3 Analysis                                                                                     | Out of scope of the LTR, and addressed in the licensee's LAR<br>See Section II-2.2.3.4 Diversity                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Same as the current process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 1.16  | Design Analysis Reports                                                                         | Section III-6.2.1 Availability/Reliability Analysis of OPRM<br>System of this LTR.<br>Section III-6.2.2 FMEA for OPRM System of this LTR.<br>Section III-6.2.3 Setpoint Support Analysis for OPRM System<br>Section 6.3.1 of EPRI TR-107330 requires performing aging<br>analysis. However, aging analysis is not necessary where<br>equipment is qualified for use only in mild environments, where<br>USNRC RG 1.209 (Reference (16a)) does not require equipment<br>aging. Toshiba states that there are no significant aging<br>mechanisms in this FPGA-based equipment. | Section III-3.2.1 Availability/Reliability Analysis of PRM System<br>of this LTR.<br>Section III-3.2.2 FMEA for PRM System of this LTR.<br>Section III-3.2.3 Setpoint Support Analysis for PRM System.<br>Section 6.3.1 of EPRI TR-107330 requires performing aging<br>analysis. However, aging analysis is not necessary where<br>equipment is qualified for use only in mild environments, where<br>USNRC RG 1.209 (Reference (16a)) does not require equipment<br>aging. Toshiba states that there are no significant aging<br>mechanisms in this FPGA-based equipment. |
| 1.17  | System Description (To block diagram level)                                                     | Section II-2 FPGA System Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Same as the current process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |

| No. | Items required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |  |
|-------|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 1.18  | and Calibration, and Fault Detection | design report for these functions, as the functions are defined<br>completely in existing documents, including the User's Manuals.<br>Basically, these are same as the original process. | For each phase, NED prepared a V&V report to document that<br>phase's V&V activities. The V&V report for the System<br>Validation Testing Phase summarizes all V&V activities. Each<br>V&V report contains the following information:<br>Results of reviews of design, planning, review, and test documents.<br>Results of RTM efforts.<br>Results of reviews of hazard analyses.<br>Summary of validation test results, as applicable.<br>Problem reporting and corrective action, if any. |  |
| 1.19  | System Response Time Analysis Report | This item is addressed in the design specification documents.                                                                                                                            | The unit design specification specifies the performance.                                                                                                                                                                                                                                                                                                                                                                                                                                    |  |
| 1.20  | Theory of Operation Description      | This item is documented in the design specification documents and User's Manuals.                                                                                                        | Theory of Operation Description is documented in the design specification documents and Users Manuals.                                                                                                                                                                                                                                                                                                                                                                                      |  |
| 1.21  | Setpoint Methodology                 | The setpoint analysis result is documented in Section III-6.2.3<br>Qualification Analysis of OPRM.                                                                                       | The setpoint analysis result is documented in Section III-3.2.3<br>Qualification Analysis of PRM                                                                                                                                                                                                                                                                                                                                                                                            |  |

| Items required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |
|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1.22 Vendor Software Plan | FPGA development. Those plans are outlined in Sections I-3 of this LTR. In accordance with IEEE Std 7-4.3.2, Clause 5.3.1, | The SQAP (Reference (d40)) addresses the plan for software quality assurance for the following activities. Also, V&amp;V activities covered to review and approve vendor software Plan, and assure vendor's V&amp;V activities include evaluation of: <ul> <li>Developing the logic for implementing functions for FPGAs.</li> <li>Using a software tool suite to translate the VHDL code written by NICSD design engineers into fuse maps, to test the logic, and to embed the logic onto the FPGA chips.</li> <li>Using commercially available software programs for the test equipment (e.g., data acquisition, signal generators, etc.) for: <ul> <li>Unit/Module Validation testing</li> <li>System Validation and acceptance testing</li> </ul> </li> </ul> For these activities, the SQAP provides the following information: <ul> <li>A description of the project software Quality Assurance (QA) planning measures to be used to demonstrate how the project requirements are met. This description is provided for NED's basic approach in the SQAP.</li> <li>A description of the required interactions between NED and NICSD and subcontractors. This description is provided in the SQAP where special provisions must be made to define an interaction or division of responsibilities between NED and NICSD.</li> <li>A determination of the SQAP. See Appendix A of this SQAP for the Software Integrity Level for the types of software covered by the SQAP.</li> </ul> |

| No. | Items required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |  |
|-------|-----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| 1.23  | Software Tool Verification Program | Nuclear Instrumentation & Control Systems Department FA32-3702-1000 "Nuclear Instrumentation & Control Systems Department Software Management Plan for FPGA-based Safety-Related Systems" (Reference (c3)).<br>See also Section I-3.2 Software Management Plan.<br>When Toshiba established the NQA-1 program, Toshiba performed a Critical Digital Review of Actel, to evaluate the Actel software tool life cycle and the Actel acceptance process for purchased software tools. The Toshiba V&V process was informed by the Actel evaluation.<br>The current process and the original process are based on the same processes and evaluations. | NICSD engineers followed the NICSD standard when they used software tools in the design activities. In addition, NICSD performed necessary activities to ensure the reliability of the software tools. The activities include the following items: <ul> <li>Confirming that the software tools used are applicable to the project objectives.</li> <li>Establishing the software tool Software Integrity Level based on the significance of the system where the tool will be used.</li> <li>Establishing the software tool acceptance criteria, and determining if the software tool update criteria.</li> <li>Establishing the software tool update criteria and the version control methods based on the criteria in accordance with the configuration management.</li> <li>Establishing procedures to use the software tool, including the methods to record and resolve any errors in accordance with the configuration management.</li> <li>Training and recording the personnel to use the software tool.</li> </ul> NED V&amp;V activities assure the above NICSD activities. |   |
| 1.24  | Software Project Risk Management<br>Program               | Section I-3.2 Software Management Plan.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Section I-A-4.1 Software Management Planning and Practice.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |   |
| 1.25  | Commercial Grade Dedication Plan | Section I-2.2 CGD in the current process. | Section I-A-3.2 CGD in the original process. |   |
| 1.26  | Vulnerability Assessment | This item was addressed in the V&V Report. | This item was addressed in the V&V Report. |   |
| 1.27  | Secure Development and Operational<br>Environment Control | Section I-3.14 Secure Development and Operational Environment (SDOE).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Section I-A-5 Cyber Security.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |   |
| 2.1   | Safety Analysis                                           | This item is addressed in the Software Safety Analysis Report.<br>See also Section I-3.9 Software Safety Analysis.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | This item is addressed in the Hazard Analysis Report.<br>See also Section I-A-4.7 Software Safety Planning and Practices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   |
| 2.2   | V&V Report                                                | This item is addressed in the V&V reports. See also Section<br>I-3.11 Software V&V Report and OPRM V&V report (Part VI).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | This item is addressed in the V&V reports. See also Section<br>I-A-4.8 Software V&V Planning and PRM V&V report (Part V).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   |

Nuclear Energy Systems & Services Division


| No. | Items required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |  |
|-------|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 2.3   | As-Manufactured, System Configuration<br>Documentation                  | This item is addressed in the Master Configuration List. See also<br>Section I-3.3.1.11 Configuration Management.                                                 | This item is addressed in the Master Configuration List. See also<br>Section I-A-9 Configuration Management Planning and Practice.                                                                                            |  |
| 2.4   | Test Design Specification                                               | This item was addressed in test plan, test procedures, and test reports.                                                                                          | This item was addressed in the test plan, test procedures, and test reports.                                                                                                                                                  |  |
| 2.5   | Summary Test Reports (Including FAT)                                    | This item is addressed in test plan, test procedures, and test reports.<br>FAT is out of scope for this project.                                                  | This item was addressed in the test plan, test procedures, and test reports. Summary V&V Reports, incorporating the Test Reports and Test Results, are provided for the PRM in Part V. FAT is out of scope for this project.  |  |
| 2.6   | Summary of Test Results (Including FAT)                                 | This item is addressed in test plans, test procedures, and test reports. FAT is out of scope for this project.                                                    | This item was addressed in the test plans, test procedures, and test reports. Summary V&V Reports, incorporating the Test Reports and Test Results, are provided for the PRM in Part V. FAT is out of scope for this project. |  |
| 2.7   | Requirement Traceability Matrix                                         | This item is included in the Requirement Traceability Matrix (RTM) for each software lifecycle phase                                                              | This item was addressed in the RTM reports for each phase.                                                                                                                                                                    |  |
| 2.8   | FMEA                                                                    | This item is addressed in the FMEA report.<br>See also Section III-6.2.2.                                                                                         | This item is addressed in the FMEA report.<br>See also Section III-3.2.2.                                                                                                                                                     |  |
| 2.9   | System Build Documents                                                  | This item is listed in the OPRM Master Configuration List (Reference (c30)).                                                                                      | This item is listed in the PRM Master Configuration List (Reference (d48)).                                                                                                                                                   |  |
| 2.10  | This row is left blank in the ISG-06 Enclosure B |  |  |  |
| 2.11  | Qualification Test Methodologies                                        | This item is addressed in the OPRM test plan.<br>See also Section III-5 Qualification Test.                                                                       | This item is addressed in the PRM test plan.<br>See also Section III-2 Qualification Test.                                                                                                                                    |  |
| 2.12  | Summary of Digital EMI, Temp.,<br>Humidity, and Seismic Testing Results | This item is addressed in the OPRM test report.<br>See also Section III-5.2.                                                                                      | This item is addressed in the PRM test report.<br>See also Section III-2.2.                                                                                                                                                   |  |
| 2.13  | As Manufactured Logic Diagrams                                          | As-manufactured logic diagrams are available through the Netlist<br>Viewer using the electronic files maintained in Toshiba's<br>configuration management system. | Same as the current process.                                                                                                                                                                                                  |  |

Nuclear Energy Systems & Services Division

#### Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application PART IV Compliance to the Codes and Standards

| Items | required by DI&C ISG-06 for LAR             | Reference in the Current Process                                                                                                                                                                                                                                                                                                                                                 | Reference in the Original Process                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
|-------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2.14  | System Response Time Confirmation<br>Report | The response time test was conducted in the software validation test. The result of the response time test is documented in Part VI.                                                                                                                                                                                                                                             | The response time test was conducted in the Unit/Module<br>Validation Testing. The result of the response time test is<br>documented in Part V.                                                                                                                                                                                                                                                                                                                                                                                                |
| 2.15  | Reliability Analysis                        | This item is addressed in the OPRM reliability analysis report.<br>See also Section III-6.2.1.                                                                                                                                                                                                                                                                                   | This item is addressed in the PRM reliability analysis report.<br>See also Section III-3.2.1.                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 2.16  | Setpoint Calculations                       | This item is addressed in the OPRM setpoint support analysis.<br>See also Section III-6.2.3.                                                                                                                                                                                                                                                                                     | This item is addressed in the PRM setpoint support analysis.<br>See also Section III-3.2.3.                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| 2.17  | Software Tool Analysis Report               | When Toshiba established their NQA-1 program, Toshiba<br>performed a Critical Digital Review (CDR) of Actel, to evaluate<br>the Actel software tool life cycle and the Actel acceptance process<br>for purchased software tools.<br>See also Section I-2.2.2.                                                                                                                    | The FPGA software tools used in the project were reviewed using<br>the CDR technique and a commercial grade survey of Actel (now<br>Microsemi) for acceptance early in the project.<br>See also Section I-A-3.2.2.<br>In the Implementation & Integration (Implementation) Phase, the<br>NICSD V&V team confirmed the control of the software tools<br>used in the design and V&V activities. The NED V&V team<br>reviewed the results of the activities and determined that NICSD<br>controlled the tools appropriately throughout their use. |
|       | Commercial Grade Dedication Report(s)       | This item is addressed in the OPRM Commercial Grade Dedication (CGD) package, discussed in Section I-2.2.3.                                                                                                                                                                                                                                                                      | This item was addressed in the PRM CGD package, discussed in Section I-A-3.2.3.                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 3.1   | Software Integration Report                 | Since the programmable logic is installed in the FPGAs as part of<br>the manufacturing process, the Commercial Grade Dedication<br>discussion in Section I-2.2 of this LTR applies. The test reports<br>and V&V reports issued for each testing provide the data<br>normally expected in the software integration report.<br>See also Section I-3.6 Software Integration Report. | Since the programmable logic is installed in the FPGAs as part of<br>the manufacturing process, the Commercial Grade Dedication<br>discussion in Section I-A-3.2 applies. The test reports and V&V<br>reports issued for each testing provide the data normally expected<br>in the software integration report.                                                                                                                                                                                                                                |
| 3.2   | Individual V&V Problem Report up to<br>FAT  | This item is addressed in the V&V reports (Part V of this LTR).<br>See also Section I-3.11 Software V&V Report.                                                                                                                                                                                                                                                                  | This item is addressed in the V&V reports (Part VI of this LTR).<br>See also Section I-A-4.8 Software V&V Planning and Practice.                                                                                                                                                                                                                                                                                                                                                                                                               |
| 3.3   | Configuration Management Report             | This item is addressed in the OPRM Master Configuration List<br>and the OPRM Baseline Review Report, which are discussed in<br>Section I-3.12.                                                                                                                                                                                                                                   | This item is addressed in the PRM Master Configuration List,<br>which is discussed in Section I-A-4.9.                                                                                                                                                                                                                                                                                                                                                                                                                                         |

| Items | required by DI&C ISG-06 for LAR         | Reference in the Current Process                                                                                                                                                                                                                                                                                                                   | Reference in the Original Process                                                                                                                    |
|-------|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| 3.4   | Test Procedure Specification            | This item is addressed in the test procedures, which are discussed in Section I-3-13.                                                                                                                                                                                                                                                              | This item is addressed in the test procedures, which are discussed in Section I-A-4.10.                                                              |
| 3.5   | Completed Test Procedure and Reports    | This item is addressed in test procedures and test reports, which are discussed in Section I-3-13.                                                                                                                                                                                                                                                 | This item is addressed in the test procedure and test report, which are discussed in Section I-A-4.10.                                               |
| 3.6   | Test Incident Reports                   | This item is addressed in the test reports, which are discussed in Section I-3-13.                                                                                                                                                                                                                                                                 | This item is addressed in the test reports, which are discussed in Section I-A-4.10.                                                                 |
| 3.7   | Code Listing                            | VHDL Code is discussed in Section I-3.3.4 of the LTR. The code is maintained electronically, and is available for inspection at the Fuchu Complex.                                                                                                                                                                                                 | VHDL Code is discussed in Section I-A.4.2.4 of the LTR. The code is maintained electronically, and is available for inspection at the Fuchu Complex. |
| 3.8   | Software Project Risk Management Report | See Section I-3.2.5 Risk Management of this LTR. When the PM identifies any risks that may have considerable impacts on the project, the PM reports the risks to the customer in a timely manner.                                                                                                                                                  | See Section I-A-4.1.2 Project Management.                                                                                                            |
| 3.9   | Circuit Schematics                      | This item is addressed in unit/module circuit diagrams, which are available for inspection at the Fuchu Complex.                                                                                                                                                                                                                                   | Same as the current process.                                                                                                                         |
| 3.10  | Detailed System and Hardware Drawings   | This item is addressed in equipment design specification documents.                                                                                                                                                                                                                                                                                | Same as the current process.                                                                                                                         |
| 4.1   | Software Installation Plan              | See Section I-3.5 Software Integration Plan. FPGA Software is<br>installed in the Implementation and Integration Phase.<br>Programmable logic is installed during the manufacturing process,<br>with nuclear Quality Assurance oversight of the embedding<br>process. The embedding process is part of the Commercial<br>Grade Dedication program. | See Section I-A-4.4 Software Integration Planning and Practice.                                                                                      |

| Items | required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |  |
|------|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 4.2  | Software Maintenance Plan         | <ul><li>NED has overall responsibility for maintenance, including deciding when a design change is necessary. NICSD is responsible for providing NED with any required or suggested changes identified by NICSD. If NED decides to change the design, NED requests NICSD to perform the change activity.</li><li>Modifications and/or enhancements to FEs and FPGAs require that the NICSD design group follow the lifecycle process that focuses on the design and development of the required or desired changes. After installation in a nuclear power plant, any modifications are tested at Toshiba and then installed and tested at the plant.</li><li>Maintenance activities are as follows:<ul><li>Identify software improvement needs.</li><li>Implement problem reporting method.</li><li>Reapply software lifecycle.</li><li>Update the design baseline.</li></ul></li></ul>See also Section I-3.7. | Same as the current process.<br>See also Section I-A-4.5. |  |
| 4.3  | Software Training Plan            | Nuclear Energy Systems and Services Division FA32-3702-0005<br>"Nuclear Energy Systems and Services Division FPGA-based<br>Safety-Related Systems Software Management Plan" (Reference<br>(c2))<br>Nuclear Instrumentation & Control Systems Department<br>FA32-3702-1000 "Nuclear Instrumentation & Control Systems<br>Department Software Management Plan for FPGA-based<br>Safety-Related Systems" (Reference (c3)).<br>See also Section I-3.8 Software Training Plan. Customer training<br>requirements will be designed on a plant-specific basis.                                                                                                                                                                                                                                                                                                                                                          | All Toshiba personnel involved in this project were trained based<br>on requirements established in Toshiba plans, procedures, and<br>instructions, and shall be trained based on the work each does, and<br>their roles and responsibilities in the Toshiba organization.<br>Training and training documentation by NED for the PRM system<br>complied with the requirements documented in the NED Procedure<br>for Indoctrination and Training.<br>Training and training documentation by NICSD for the PRM<br>System complied with the requirements documented in the NICSD<br>Procedure for FPGA Products Development.<br>See also Section I-A-4.6. |  |
| 4.4  | Software Operations Plan          | Recommendations and requirements for operation and<br>maintenance of the equipment are provided in the OPRM Unit<br>User's Manual (Reference (c27)), which establishes methods to be<br>used in applying the equipment. | Recommendations and requirements for operation and maintenance<br>of the equipment are provided in the Instructions for the LPRM Unit<br>(Reference (d45)), Instructions for the LPRM/APRM Unit<br>(Reference (d46)), and Instructions for the FLOW Unit (Reference<br>(d47)), which establish methods to be used in applying the<br>equipment. |  |

| Items | required by DI&C ISG-06 for LAR | Reference in the Current Process | Reference in the Original Process |   |
|------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| 4.5  | Site Test Documentation           | Site acceptance documentation will be prepared. | Same as current process. |   |
| 4.6  | Operations Manual                 | This item is addressed in the OPRM Unit User's Manual (Reference (c27)).                                                                                                                                                             | This item is addressed in the Instructions for the LPRM Unit<br>(Reference (d45)), Instructions for the LPRM/APRM Unit<br>(Reference (d46)), and Instructions for the FLOW Unit (Reference<br>(d47)).                                                                 |   |
| 4.7  | Software Maintenance Manuals      | See Section I-3.7 Software Maintenance Plan. Since utilities are<br>not modifying the FPGA programmable logic, software<br>maintenance activities are not performed by utility engineers.                                            | Same as current process.<br>See also Section I-A-4.5.                                                                                                                                                                                                                 |   |
| 4.8  | Software Training Manuals         | Nuclear Energy Systems and Services Division FA32-3702-0005<br>"Nuclear Energy Systems and Services Division FPGA-based<br>Safety-Related Systems Software Management Plan" (Reference<br>(c2))<br>Nuclear Instrumentation & Control Systems Department<br>FA32-3702-1000 "Nuclear Instrumentation & Control Systems<br>Department Software Management Plan for FPGA-based<br>Safety-Related Systems" (Reference (c3)).<br>See also Section I-3.8 Software Training Plan. In addition, the<br>User's Manuals will contain instructions for system-specific utility<br>training activities for each system. Since utilities are not<br>supplied with the programmable logic, software maintenance<br>activities are not performed by utility engineers and training for<br>such activities is not required. | All Toshiba personnel involved in this project were trained based on<br>requirements established in Toshiba plans, procedures, and<br>instructions, and were trained based on the work each does, and<br>their roles and responsibilities in the Toshiba organization.<br>Training and training documentation by NED for the PRM system<br>complied with the requirements documented in NED Procedure for<br>Indoctrination and Training.<br>Training and training documentation by NICSD for the PRM<br>System complied with the requirements documented in NICSD<br>Procedure for FPGA Products Development.<br>See also Section I-A-4.6. |   |
| 4.9  | Installation Configuration Tables | This item is listed in the system specific Master Configuration<br>List.<br>See also Section I-3.12.                                                                                                                                 | This item is listed in the system specific Master Configuration List.<br>See also Section I-A-4.9.                                                                                                                                                                    |   |

# IV-7 Correspondence of Toshiba Process to RG 1.152

Table IV-7-1 documents correspondence of Toshiba process to RG 1.152 (Reference (a11)).

| RG 1.152                     | Toshiba Process                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2.1 Concepts Phase           | This Concepts Phase corresponds to the Project Planning and Concept Definition Phase in the Toshiba process.<br>Section I-3.3.1 describes the Project Planning and Concept Definition Phase in the current process. Section I-A-4.2.1 describes the Project Planning and Concept Definition Phase in the original process. In the security review in the Project Planning and Concept Definition Phase, NICSD evaluated access control to design deliverables in servers and security of PCs (see also Part VI of this LTR). |
| 2.2 Requirements Phase       | This Requirements Phase corresponds to the Requirements Definition Phase in the Toshiba process.<br>Section I-3.3.2 describes the Requirements Definition Phase in the current process.<br>Section I-A-4.2.2 describes the Requirements Definition Phase in the original process. |
| 2.2.1 System Features        | Toshiba defines the security requirements for the external interfaces, the physical system, the functional system, and the programmable logic. The requirements are based on the requirements defined in the previous phase, which ensures that a secure operational environment will exist in the finished system.<br>Communication links are carefully considered in the system designs, with the preference for uni-directional communication out of the safety system being designed and into other systems.<br>Toshiba does not embed commercial products or products developed by others in the Toshiba-designed programmable logic, so Toshiba is completely aware of the capabilities or vulnerabilities of each item used in the system. |
| 2.2.2 Development Activities | All requirements are subject to the V&V activities including independent reviews, traceability analyses, and validation testing throughout the software lifecycle phases. Requirements Traceability Matrices (RTMs) are maintained to ensure that only requirements defined in the upstream documents are implemented in the final system, which helps prevent the introduction of unnecessary or extraneous requirements in the Requirements Definition Phase.<br>Section I-3.14.2 describes the RTM activities in the current process. Part V documents the V&V activities for the PRM. |
| 2.3 Design Phase             | This Design Phase corresponds to the Design Phase in the Toshiba process.<br>Section I-3.3.3 describes the Design Phase in the current process. Section I-A-4.2.3 describes the Design Phase in the original process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |


| RG 1.152                     | Toshiba Process                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2.3.1 System Features        | The security requirements defined in the Requirements Definition Phase are translated into designs for both modules and FPGAs. The concepts and requirements for a secure operational environment are incorporated into the Toshiba design.                                                                                                                                                                                                                |
|                              | Section I-3.14 describes the secure operation environment in the current process. Section I-A-5 describes the secure operation environment in the original process.                                                                                                                                                                                                                                                                                        |
|                              | In the Project Planning and Concept Definition Phase, the security assessment evaluates the absence of remote access and use of uni-directional communication. The RTM ensures that the design reflects the result of the security assessment.                                                                                                                                                                                                             |
|                              | Section I-3.9.2 describes requirement management activities in the current process. Part V documents the V&V activities for the PRM.                                                                                                                                                                                                                                                                                                                       |
| 2.3.2 Development Activities | The RTM ensures that the design reflects the result of the security assessment.                                                                                                                                                                                                                                                                                                                                                                            |
|                              | Section I-3.14.2 describes requirement management activities in the current process. Part V documents the V&V activities for the PRM.                                                                                                                                                                                                                                                                                                                      |
| 2.4 Implementation Phase     | This Implementation Phase corresponds to the Implementation and Integration Phase in the Toshiba process.                                                                                                                                                                                                                                                                                                                                                  |
|                              | Section I-3.3.4 describes the Implementation and Integration Phase in the current process.<br>Section I-A-4.2.4 describes the Implementation and Integration Phase in the original process. |
| 2.4.1 System Features        | The FPGA design is translated into programmable logic. The NICSD V&V Team verifies the translation.                                                                                                                                                                                                                                                                                                                                                        |
|                              | Section I-3.3.4 describes the activities in the current process. Section I-A-4.2.4 describes the activities in the original process.                                                                                                                                                                                                                                                                                                                       |
| 2.4.2 Development Activities | The NICSD V&V Team conducts security reviews to identify any potential susceptibilities to inadvertent access from external sources, by searching for hidden functions or vulnerable features embedded in the code. If any vulnerable feature is found, the feature is modified or removed, or appropriate mitigation measures are taken. |
|                              | Based on the tested nature of Functional Elements and the requirement that all code be implemented using only 100% tested Functional Elements, the basic building blocks of the programmable logic are verified and validated to be free of unnecessary and inappropriate coding.                                                                                                                                                                          |
|                              | Section I-3.10.2 describes the activities in the current process. Part V documents the activities for the PRM.                                                                                                                                                                                                                                                                                                                                             |
| 2.5 Test Phase               | This Test Phase corresponds to the Module Validation Testing and the System Validation Testing Phases in the Toshiba process. |
|                              | Testing is performed on modules with integrated FPGAs, on units (i.e., chassis) with the required modules, and on the complete, integrated system.                                                                                                                                                                                                                                                                                                         |
|                              | Section I-3.3.5 describes the Module Validation Testing Phase and Section I-3.3.6 describes the System Validation Testing Phase in the current process. Section I-A-4.2.5 describes the Unit/Module Validation Testing Phase and Section I-A-4.2.6 describes the System Validation Testing Phase in the original process.                                                                                                                                  |
| 2.5.1 System Features        | Toshiba performs the Module Validation Testing and the System Validation Testing for all requirements including security requirements and for the integrated system.<br>Section I-3.3.5 describes the Module Validation Testing Phase and Section I-3.3.6 describes the System Validation Testing Phase in the current process. Section I-A-4.2.5 describes the Unit/Module Validation Testing Phase and Section I-A-4.2.6 describes the System Validation |


| RG 1.152                     | Toshiba Process |
|------------------------------|-----------------|
| 2.5.2 Development Activities | In the Module Validation Testing and the System Validation Testing Phases, Toshiba tests communication links between the TRN and RCV modules. |
|                              | The results of the Unit/Module Validation Testing and the System Validation Testing of PRM are documented in Part V of this LTR. The results of the Module Validation Testing and the System Validation Testing of OPRM are documented in Part VI of this LTR. |



UTLR-0020NP Part V Rev.2 August 2015

# **Topical Report**

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application

Part V V&V report of the BWR-5 PRM

Approved by Electrical System Design & Engineering Dept.

Masahiko Hamada

Toshiba Corporation Nuclear Energy Systems & Services Division

©2012 - 2015 Toshiba Corporation All Rights Reserved


The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

TOSHIBA CORPORATION NUCLEAR ENERGY SYSTEMS & SERVICES DIV.


This is Part V of the Licensing Topical Report (LTR) for Toshiba Non-Rewritable Field Programmable Gate Array-based (NRW-FPGA-based) Instrumentation and Control (I&C) System for Safety-Related Applications. This part contains the V&V reports for the Power Range Monitor (PRM) for Boiling Water Reactor (BWR)-5.

This LTR consists of the following six parts.

Part I describes the software lifecycle and development processes.

Part II provides the design description of the PRM for BWR-5 and the Oscillation Power Range Monitor (OPRM) for the Advanced Boiling Water Reactor (ABWR), and includes an application guide.

Part III describes the qualification results of the PRM for BWR-5 and the OPRM for ABWR.

Part IV provides compliance tables for Toshiba processes to important Codes and Standards.

Part V provides the BWR-5 PRM V&V report.

Part VI provides the ABWR OPRM V&V report.

# **US Safety-Related**

| Field                        | Value |
|------------------------------|-------|
| Toshiba Project Document No. | FPG-DRT-C51-0016 |
| Rev. No.                     | 1 |
| Document Title               | NRW-FPGA-Based PRM System Qualification Project, Software Validation Report, Verification and Validation Final Report |
| Project Name                 | NRW-FPGA-Based PRM System Qualification Project |
| Item Number                  | C51 |
| Job Number                   | FPG |
| Applicable Plant             | None |
| Document filing No.          | RS-5166186 |

| Rev. No. | Issue Date    | Description              |
|----------|---------------|--------------------------|
| 1        | Aug. 28, 2012 | DCN-FPG-DRT-C51-0010 001 |

Initial issue: issued by Instrumentation & Control Systems Design & Engineering Dept.; signatories T. Ito and T. Hayashi; dates Mar. 28, 2008 and Mar. 24, 2008.


| Rev No. | Date           | History        | Approved by    | Reviewed       | Prepared by    |
|---------|----------------|----------------|----------------|----------------|----------------|
| 0       | See Cover Page | Initial Issue  | See Cover Page | See Cover Page | See Cover Page |
| 1       | See Cover Page | See Cover Page | See Cover Page | See Cover Page | See Cover Page |


## **Table of Contents**

- 1 Introduction
  - 1.1 Purpose
  - 1.2 Background
- 2 References
- 3 Summary of V&V Efforts
  - 3.1 Summary of V&V Process
  - 3.2 Organization
  - 3.3 Master Schedule
  - 3.4 Software Integrity Level Scheme
  - 3.5 Resource Summary
  - 3.6 Responsibilities
    - 3.6.1 Responsibilities in Original Process
    - 3.6.2 Responsibilities in Current Process
  - 3.7 Tools, Techniques, and Methodologies
  - 3.8 Project Planning and Concept Definition Phase
  - 3.9 Establishment of the NICSD V&V Plan
  - 3.10 Requirements Definition Phase
  - 3.11 Design Phase
  - 3.12 Implementation and Integration Phase
  - 3.13 Unit/Module Validation Testing Phase
- 4 System Validation Phase V&V activities
  - 4.1 System Validation Testing
  - 4.2 Document Reviews
  - 4.3 System Validation Testing Phase RTM Efforts
  - 4.4 Assessment of Test Equipment Software
- 5 Configuration Management
- 6 Problem Reporting and Corrective Actions
- 7 Metrics
- 8 Findings and Recommendations
- 9 Conclusions
- 10 Abbreviations


## 1 Introduction

### 1.1 Purpose

This Verification and Validation (V&V) Report summarizes the V&V efforts for the Non-Rewritable Field Programmable Gate Array (NRW-FPGA)-Based Power Range Monitor (PRM) system, which was developed for use in a reactor safety protection system in Boiling Water Reactor (BWR) plants in the US market. Toshiba performed the V&V efforts in a manner that meets the US regulatory expectations.

The V&V efforts verified that all requirements for the NRW-FPGA-Based PRM system (hereafter simply called the "PRM system") were fulfilled in the final product, and validated that the PRM system was suitable for nuclear plant neutron power monitoring.

### 1.2 Background

In 2008, Toshiba Nuclear Energy Systems and Services Division (NED) developed the PRM System. The Verification and Validation (V&V) team of the Control & Electrical Systems Design & Engineering Department (Old ICDD)<sup>1</sup> of NED completed the V&V efforts, and issued Revision 0 of this V&V report.

In 2011, the Nuclear Instrumentation & Control Systems Department (NICSD) and the Power Platform Development Department (PPDD)<sup>2</sup> of the Fuchu Complex found a problem in the FPGA testing performed in the V&V efforts, and notified the Instrumentation & Control Systems Design & Engineering Dept. (ICDD). The problem was that a dynamic timing simulation had not been performed appropriately. ICDD issued Corrective Action Request (CAR)-11-176, which requested resolution of the problem.

To resolve the problem, the NICSD and PPDD performed the dynamic timing simulation as FPGA retesting, and issued a supplemental V&V report FPG-DRT-C51-1000 "Implementation and Integration Phase V&V Report (Supplemental Report for FPGA Retesting)" (Reference 46) (Attachment-6).

Revision 1 of this V&V Report updates Revision 0 by incorporating the result of FPG-DRT-C51-1000.

## 2 References

| Reference | Title |
|-----------|-------|
| 1 U.S. Nuclear Regulatory Commission Regulatory Guide 1.168 | Verification, Validation, Reviews, And Audits For Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1 Feb. 2004 |
| 2 IEEE Std 1012-1998 | IEEE Standard for Software Verification and Validation |
| 3 AS-200A1 | Digital System Development Procedure, Rev. 0 |
| 4 AS-200A130 | Digital System Verification and Validation Procedure, Rev. 1 <sup>3</sup> |
| 5 AS-300A0 | Nonconformance Control and Corrective Action Procedure, Rev. 9 |
| 6 ICDD P-10 | NICSD Manufacture of FPGA-Based Equipment, Rev. 2 |
| 7 FPG-PRD- | NRW-FPGA-Based PRM System Qualification Project Master Engineering Schedule, Rev. 8 |
| 8 FPG-PLN-C51-0001 | NRW-FPGA-Based PRM System Qualification Project Sub-Master Engineering Schedule, Rev. 6 |
| 9 FPG-RQS-C51-0001 | Equipment Requirement Specification of FPGA based Units, Rev. 6 |
| 10 FPG-PLN-C51-0002 | Software Quality Assurance Plan, Rev. 2 |
| 11 FPG-PLN-C51-0006 | NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan, Rev. 4 |
| 12 FPG-DRT-C51-0011 | Project Planning and Concept Phase V&V Report, Rev. 2 |
| 13 FPG-DRT-C51-0012 | Requirements Definition Phase V&V Report, Rev. 1 |
| 14 FPG-DRT- | Design Phase V&V Report, Rev. 1 |
| 15 FPG-DRT-C51-0014 | Implementation & Integration Phase V&V Report, Rev. 0 |
| 16 FPG-DRT-C51-0015 | Unit/Module Validation Testing Phase V&V Report, Rev. 0 |
| 17 FPG-DRT-C51-0002 | Preliminary Hazard Analysis Report, Rev. 1 |
| 18 FPG-DRT-C51-0018 | Requirements Definition Phase Preliminary Hazard Analysis Report, Rev. 0 |
| 19 FPG-DRT- | Design Phase Preliminary Hazard Analysis Report, Rev. 0 |
| 20 FPG-DRT-C51-0020 | Implementation and Integration Phase Preliminary Hazard Analysis Report, Rev. 0 |
| 21 FPG-DRT-C51-0021 | Unit/Module Validation Testing Phase Preliminary Hazard Analysis Report, Rev. 0 |
| 22 FPG-DRT- | System Validation Testing Phase Hazard Analysis Report, Rev. 0 |
| 23 FPG-DRT-C51-0010 | Project Planning and Concept Definition Phase Requirement Traceability Matrix Report, Rev. 5 |
| 24 FPG-VDN-C51-0076 | Requirement Definition Phase Requirement Traceability Matrix Report, Rev. 1 |
| 25 FPG-VDN | Design Phase Requirement Traceability Matrix Report, Rev. 3 |
| 26 FPG-VDN-C51-0120 | Implementation Phase Requirement Traceability Matrix Report, Rev. 2 |
| 27 FPG-VDN-C51-0122 | Unit/Module Validation Testing Phase Requirement Traceability Matrix Report, Rev. 1 |
| 28 FPG-DRT-C51-0025 | System Validation Testing Phase Requirement Traceability Matrix Report, Rev. 0 |
| 29 FPG-VDN | Verification and Validation Plan, Rev. 2 |
| 30 FPG-VDN | Requirement Definition Phase V&V Report, Rev. 1 |
| 31 FPG-VDN | Design Phase V&V Report, Rev. 2 |
| 32 FPG-VDN | Implementation & Integration Phase V&V Report, Rev. 2 |
| 33 FPG-VDN | Unit/Module Validation Testing Phase V&V Report, Rev. 2 |
| 34 FPG-VDN | V&V Final Report, Rev. 2 |
| 35 FPG-VDN | NICSD, Verification and Validation Plan, Rev. 0 |
| 36 FPG-VDN-051-313 | NICSD, Unit/Module Validation Testing Phase RTM Report, Rev. 0 |

<sup>1</sup> Currently, the Instrumentation & Control Systems Design & Engineering Dept. (ICDD) derived from the Control & Electrical Systems Design & Engineering Department (Old ICDD) is responsible for Instrumentation & Control (I&C) equipment.

<sup>2</sup> PPDD derived from the Nuclear Instrumentation & Control Systems Department. This report uses "Old NICSD" and "New NICSD" to distinguish the then Nuclear Instrumentation & Control Systems Department including the roles of PPDD and the new Nuclear Instrumentation & Control Systems Department not including the roles of PPDD, when necessary.

<sup>3</sup> Revision 2 was used for the FPGA retesting described in Section 3.12

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

| 37 FPG-VDN-C51-310 | NICSD, V&V Final Report, Rev. 0 |
|---|---|
| 38 FPG-PLN-C51-0012 | System Validation Test Plan, Rev. 2 |
| 39 FPG-TPRC-C51-0001 | System Validation Test Procedure, Rev. 2 |
| 40 FPG-VDN-C51-0047 | Schematic Diagrams, Rev. 11 |
| 41 FPG-06-ETR-001 | System Validation Test Records |
| 42 FPG-CFM-C51-0001 | Master Configuration List, Rev. 6 |
| 43 | Nonconformance Notice Report 06-002-I |
| 44 FA32-3709-0001 | NRW-FPGA-Based I&C System Qualification Project, Rev.2 Nuclear Energy Systems and Services Division FPGA-based Safety-Related Systems Verification and Validation Plan |
| 45 FA32-3709-1000 | NRW-FPGA-Based I&C System Qualification Project, Rev.1 Nuclear Instrument & Control Systems Department Verification & Validation Plan for FPGA-Based Safety-Related Systems |
| 46 FPG-DRT-C51-1000 | Implementation and Integration Phase V&V Report (Supplemental Report for FPGA Retesting), Rev.2 |

## 3 Summary of V&V Efforts

### 3.1 Summary of V&V Process

Toshiba Nuclear Energy Systems and Services Division (NED) developed the PRM System with the intent of marketing it to US nuclear plants. The PRM System design is based on equivalent products Toshiba has supplied to Japanese nuclear plants. Toshiba developed the PRM System in accordance with Toshiba's AS-200A129 Digital System Development Procedure (Reference 3).

To meet US regulatory expectations, NED Control & Electrical Systems Design & Engineering Department (ICDD) performed the V&V efforts for the PRM System in accordance with Regulatory Guide 1.168 (Reference 1), IEEE Std 1012 (Reference 2), and applicable NED internal QA procedures.

To develop the PRM System, NED ordered the PRM units and modules constituting the PRM System from the Toshiba Nuclear Instrumentation & Control Systems Department (NICSD), with the accompanying V&V efforts.

NED had defined the PRM System lifecycle phases as shown in Figure 3-1, and V&V activities were performed following the lifecycle phases. Figure 3-1 shows the original process, including seven development phases. The Operational and Maintenance Phase was not included in this project scope, but this phase is included in the Toshiba plans and procedures. NED, working under their Appendix B QA program, performed the first phase, the Project Planning and Concept Definition Phase (Concept Phase), and the System Validation Testing Phase. The remaining phases, namely the Requirements Definition Phase (Requirements Phase), the Design Phase, the Implementation and Integration Phase (Implementation Phase), and the Unit/Module Validation Testing Phase, were performed by NICSD.

For those phases that were performed by either NED or NICSD, independent V&V teams within both organizations performed verification and validation activities. For those phases performed by NICSD, the independent NED V&V team assessed the acceptability of the NICSD results. For these phases that NICSD performed, the NED design engineers performed hazard analyses, and the NED V&V team wrote, reviewed, and approved V&V reports (VVR) based on the NICSD VVRs and observation of NICSD V&V activities.



Figure 3-1 Lifecycle Phases in Original Process for FPGA-Based Safety-Related Systems

Later, NED and Fuchu Complex improved the development process. Figure 3-2 shows the current process. In the current process, Old NICSD split into New NICSD, which works under their Appendix B QA program, and PPDD, which works under their ISO QA program. As a result, the scope of work under Appendix B QA programs expanded.

The definitions of each phase were slightly changed in the current process from the original process. The Module Design Specification was moved from the Requirements Definition Phase to the Design Phase, and the accompanying module testing was placed in the Module Validation Testing Phase, while the unit testing was placed in the System Validation Testing Phase. These changes in phase definition did not affect the FPGA retesting.

#### FPG-DRT-C51-016 Rev.1



Figure 3-2 Lifecycle Phases in Current Process for FPGA-Based Safety-Related Systems

### 3.2 Organizations

Figure 3-3 shows the NED Organizations relating to the PRM system V&V activities. The project was established by a Vice President in the Power Systems Company, Nuclear Energy (PSNE). The Quality Assurance (QA) Department is responsible for ensuring that the project works within the Toshiba 10 CFR 50 Appendix B program and engineering plans, procedures, and instructions that implement that program. The V&V team consists of persons who are assigned to the Control & Electrical Systems Design & Engineering Department (ICDD), and who are independent from the Monitoring System Engineering Group with separate budget, schedule, and resources. The Project Quality Assurance (PQA) Group is responsible for QA planning, survey, audit, and System Validation Testing.

As shown in this figure, the V&V team was independent from the design engineers belonging to the Monitoring System Engineering Group, who designed the system.

Figure 3-4 shows the NICSD organization relating to the V&V efforts for the PRM units and modules. The NICSD V&V team was independent of the design activities.



\* The V&V team consists of persons who belong to the Control & Electrical Systems Design & Engineering Department, and who are independent from the Monitoring System Engineering Group with separate cost, schedule and resources.

Figure 3-3 NED Organizations Relating to the PRM System V&V Activities (Original)



Figure 3-4 NICSD Organization Relating to the V&V Activities (Original) (Copied and Translated from the Original NICSD VVP)

Figure 3-5 shows the current Toshiba organizations for FPGA-based Safety-Related I&C system design and development. Engineers from ICDD and NICSD organized IV&V Teams (i.e., the ICDD IV&V Team and the NICSD IV&V Team) for the V&V of the FPGA logic.




- (1) Oversight of IV&V team
- (2) Submittal of Design Documents
- (3) Report of V&V Results

Figure 3-5 Organizations for the FPGA-based Safety-Related Systems Design and Development (Current)

The engineers from ICDD and the engineers from NICSD in the IV&V Teams communicate with each other as one IV&V Team as needed for the quality of the products. The Monitoring System Engineering Group in ICDD is responsible for design and development of the PRM. The ICDD IV&V Team performs the V&V activities defined in the NED VVP (Reference 44) independently of the development engineers in the Monitoring System Engineering Group.

It should be noted that in the current process, the V&V team is called "IV&V Team," emphasizing the independence. This VVR uses the term "V&V team" to mean the V&V team in the original process.

### 3.3 Master Schedule

Toshiba planned and performed V&V activities according to the Sub-Master Engineering Schedule (Reference 8) that was based on the Master Engineering Schedule (Reference 7). However, the V&V activities were repeated until all concerns that might relate to the safety functions of the PRM System were resolved.

### 3.4 Software Integrity Level Scheme

The software integrity level (SIL) scheme was determined based on Table A-1 of AS-200A129 "Digital System Development Procedure" (Reference 3), which Toshiba considers equivalent to Appendix B of IEEE Std 1012 (Reference 2).

Toshiba applied SIL 4 practices for the PRM System.

### 3.5 Resource Summary

For the NED V&V activities, the Senior Manager of ICDD assigned persons to the V&V team. This is common to the original and current processes. The V&V team members met the following restrictions:

- Be independent of the design activities in schedule and budget;
- Not have contributed to the design; and
- Be technically qualified for the work.

In the original process, NED requested NICSD to assign appropriate persons to the NICSD V&V team to perform the NICSD V&V activities, meeting the following restrictions:

- Be independent of the design activities in schedule and budget;
- Not have contributed to the design; and
- Be technically qualified for the work.

The NICSD Senior Manager assigned the NICSD V&V team members in accordance with the NED request. This is further explained in Section 3.9 of this document.

In the current process, NICSD assigned the IV&V Team in accordance with their Appendix B QA program. The current NICSD VVP (Reference 45) stated as follows:

The Senior Manager (SM) of NICSD as the NICSD Project Manager (NICSD PM) shall provide appropriate resources for the V&V activities defined in this NICSD VVP. For human resources, the following conditions shall be met.

All NICSD IV&V Team members shall:

- Be independent of the design activities in management, budget, and resource.
- Be technically qualified for the work performed.

### 3.6 Responsibilities

### 3.6.1 Responsibilities in Original Process

### (1) NED V&V Responsibilities

The responsibilities of the NED V&V activities followed the AS-200A130 Digital System V&V Procedure (Reference 4), which defined the responsibilities as follows:

The Preparer(s) of documentation for V&V activities must:

- Be in the V&V team, which is independent of the Engineering/Design Group that has responsibility for the software development activities, with separate budget and schedule;
- Not have contributed to the design; and
- Be technically qualified for the work.

The Independent Reviewer of documentation of V&V activities must:

- Be in the V&V team, which is independent of the Engineering/Design Group that has responsibility for the software development activities, with separate budget and schedule;
- Not have contributed to the design;
- Be independent of the Preparer of the V&V Activity Output Document (that is, the Independent Reviewer must not have collaborated on the preparation of the document); and
- Be technically qualified for the work to be reviewed.

All safety related development documents must also be approved in writing prior to use. The Approver of the V&V activities must:

- Be manager-level.
- Not be same person as the Preparer.
- Be independent of the Engineering/Design Group that has responsibility for the software development activities.
- Be cognizant of the role the activity plays in order to be sure that the document is appropriate and serves its intended purpose. NED prefers that the same Approver is used for all V&V documents.

The NED V&V team performed the independent reviews of V&V documentation, namely the NED V&V Plan (VVP) (Reference 11) and the NED Verification and Validation Reports (References 12-16). The independent reviewer selected was a person who had not prepared the reviewed documents.

The NED V&V team reviewed the VVP, Requirements Traceability Matrix (RTM) reports, and the VVRs established by the NICSD V&V team.

At first, the Manager of the Monitoring System Group approved all reviewed documents, including the V&V documentation. Later, Toshiba decided that the V&V team must be responsible for the approval of all V&V documentation.

### (2) NICSD V&V Responsibilities

The NICSD Senior Manager assigned the NICSD V&V team members for the NICSD V&V activities. The responsibilities of the Preparer, the Independent Reviewer, and the Approver of NICSD were equivalent to those of the NED roles stated above.

The NICSD V&V team was responsible for the following activities:

- Establishing the NICSD VVP
- Reviewing the design documents independently
- Compiling the Requirements Traceability Matrix
- Issuing the NICSD RTM reports
- Issuing the NICSD VVRs

In addition, the NED V&V team observed the work of the NED and NICSD design engineers to verify that it was acceptable for the V&V activities.

### 3.6.2 Responsibilities in Current Process

In the current process, the NED VVP (Reference 44) defined the responsibilities of the following roles:

- Senior Manager (SM) of ICDD
- NED Project Manager (NED PM)
- Group Manager (GPM)
- IV&V Lead and IV&V Team

A difference from the original process is that the SM of ICDD can appoint another person as an NED PM. In these supplemental V&V efforts, the SM of ICDD took on the NED PM's responsibilities. The responsibilities of the Preparers and Independent Reviewers were not changed.

For NICSD, the NICSD VVP (Reference 45) defined the responsibilities of the following roles:

- Senior Manager (SM) of ICDD
- NICSD Project Manager (NICSD PM)
- IV&V Lead and IV&V Team
- Software Test Lead

### 3.7 Tools, Techniques, and Methodologies

NICSD used the following tools in relation to the V&V activities:

1. Synplify® Tool

The Synplify® tool synthesized logic from the VHDL source codes and produced netlists. The Synplify® tool is integrated into the Actel Libero® Integrated Design Environment.

2. Netlist Viewer Tool

The Netlist Viewer tool depicted the logic block diagrams according to the netlists. NICSD used the Netlist Viewer tool to inspect the netlist to ensure the correct conversion of the logic.

The Netlist Viewer tool is integrated into the Actel Libero® Integrated Design Environment.

3. Designer Tool

The Designer tool is a layout tool that converts a gate-level netlist into a fusemap file. To generate the fusemap file, the Designer tool determines which cells in an FPGA chip are to be used, and makes connections to obtain the desired circuit defined by the Netlist. The Designer tool is used to generate the gate-level delay information.

The Designer tool is integrated into the Actel Libero® Integrated Design Environment.

4. ModelSim® Tool

NICSD used the ModelSim® tool for the FPGA simulation using the gate-level netlists and the gate-level delay information generated by the Designer tool, and for generation of the test signals in FPGA testing. The ModelSim® tool was also used to measure the toggle coverage. While the ModelSim® tool is integrated into the Actel Libero® Integrated Design Environment, Toshiba purchased and used a more flexible version of the tool from the tool vendor.

5. Silicon Sculptor Tool

NICSD uses the Silicon Sculptor tool to embed the fusemaps generated by the Designer tool into the FPGA integrated circuits. This tool is part of the Actel Libero® Integrated Design Environment and is provided by BP Microsystems.

6. PinPort Device

NICSD used the PinPort device for FPGA testing. The PinPort device connected the Test PC running the ModelSim® tool to a socketed FPGA. The PinPort hardware provides a high-speed path between the ModelSim® software running in the PC and the FPGA, allowing stimulus and response verification of the FPGA logic. The PinPort hardware and software are purchased tools.

7. Unit/Module Test Equipment

NICSD designed and implemented special test equipment for module testing. The sub-racks and the PC Interface boards were designed to test the Local Power Range Monitor (LPRM), Square Root (SQ-ROOT), Flow Conversion (FLOW), Average Power Range Monitor (APRM), STATUS, Transmitter (TRN), and Receiver (RCV) modules. NICSD used Test PCs to control module testing. For further details, refer to the Unit/Module Validation Testing Phase VVR.

8. System Test Equipment

In the System Validation Testing, NED used a standard Trip Auxiliary unit, a current monitor box, and a data recorder. For further details, see Section 4.

### 3.8 Project Planning and Concept Definition Phase

This phase was completed in the original process. FPGA-DRT-C51-0011 "Project Planning and Concept Phase V&V Report" (Reference 12) (Attachment-1) documented the V&V activities.

The summary of the V&V activities is as follows:

The ICDD Senior Manager assigned V&V personnel to the NED V&V team. The NED V&V team performed the following activities for the Project Planning and Concept Definition Phase:

(1) Preparation of the Verification and Validation Plan

The NED V&V team prepared the NED VVP in accordance with AS-200A130 and the Software Quality Assurance Plan (SQAP) (Reference 10). The NED VVP implements the regulatory expectations defined in RG 1.168 (Reference 1) and IEEE Std 1012 (Reference 2).

NED revised the NED VVP as necessary. NED made revisions to the NED VVP in accordance with the deviation policy stated in Section 7.3 of the NED VVP.

### (2) Document Reviews

The NED V&V team performed independent reviews of the following documents for completeness, correctness, consistency, and accuracy:

- SQAP, including the Project Specific Configuration Management Plan
- Equipment Requirement Specification (ERS) (Reference 9)
- Preliminary Hazard Analysis Report (PHA) (Reference 17)
- NED VVP
- Project Planning and Concept Definition Phase RTM (Reference 23)
- FPGA-DRT-C51-0011 Project Planning and Concept Definition Phase VVR

(3) Project Planning and Concept Definition Phase RTM Efforts

The NED design engineers prepared the Project Planning and Concept Definition Phase RTM, to trace the implementation of requirements, and issued the Project Planning and Concept Definition Phase RTM Report.

(4) Project Planning and Concept Definition Phase VVR

The NED V&V team and appropriate management wrote, reviewed, and approved the Project Planning and Concept Definition Phase VVR.

### 3.9 Establishment of the NICSD V&V Plan

In the original process, NED required NICSD to establish their VVP (Reference 29) conforming to the NED VVP. NICSD submitted the NICSD VVP to the NED V&V team for review and approval. NICSD followed the NICSD VVP to perform the V&V activities of the PRM modules and units that NED ordered from NICSD.

Figure 3-6 shows the NICSD V&V process copied and translated from the Japanese language NICSD VVP. As shown in this figure, NICSD planned to perform the V&V activities independent of their design activities. The NED V&V team accepted the NICSD VVP.

In the current process, NICSD established their V&V Plan (New NICSD VVP) (Reference 45). Although the New NICSD VVP did not include a schematic equivalent to Figure 3-6, it defines the V&V process clearly. NICSD used the New NICSD VVP for the supplemental V&V activities for the FPGA retesting.


Figure 3-6 NICSD V&V Process (Copied and Translated from the NICSD VVP)

### 3.10 Requirements Definition Phase

This phase was completed in the original process. FPGA-DRT-C51-0012 "Requirements Definition Phase V&V Report" (Reference 13) (Attachment-2) documented the V&V activities. The summary of the V&V activities is as follows:

NED and NICSD performed the following V&V activities in the Requirements Definition Phase.

#### (1) Document Reviews

The NICSD V&V team performed document reviews of the Software Requirements Specification (SRS) included in the Unit Design Equipment Specifications and Module Design Equipment Specifications, for completeness, correctness, consistency, and accuracy.

The NED V&V team reviewed the Requirements Definition Phase PHA Report (Reference 18) prepared by NED design engineers.

(2) Requirements Definition Phase RTM Efforts

The NICSD V&V team prepared the Requirements Phase RTM that traced the requirements in the Project Planning and Concept Definition Phase RTM to the Requirements Phase, and issued the Requirements Definition Phase RTM Report (Reference 24).

NICSD engineers iterated in the Requirements Phase RTM efforts and the Design Phase RTM efforts until NICSD engineers eliminated all untraceable requirements between the Project Planning and Concept Definition Phase and the Design Phase. NICSD performed these iterations in accordance with the task iteration policy stated in Section 7.2 of VVP.

(3) Issuance of the Requirements Definition Phase V&V Report

The NICSD V&V team prepared and issued the NICSD Requirements Definition Phase VVR (Reference 30), based on the results of the document reviews, and the NICSD RTM efforts.

The NED V&V team prepared the NED Requirements Definition Phase VVR, based on the NICSD VVR, and the review of the Requirements Definition Phase PHA Report.

### 3.11 Design Phase

This phase was completed in the original process. FPGA-DRT-C51-0013 "Design Phase V&V Report" (Reference 14) (Attachment-3) documented the V&V activities. The summary of the V&V activities is as follows:

NED and NICSD performed the following V&V activities in the Design Phase.

#### (1) Document Reviews

The NICSD V&V team performed document reviews of the Software Design Description (SDD) included in the FPGA Design Specifications, for completeness, correctness, consistency, and accuracy. The NICSD design engineers decomposed the SDD into [] separate FPGA Design Specifications. The FPGA Design Specifications were further decomposed into distinct functions, which Toshiba refers to as Functional Elements (FEs). The NICSD V&V team reviewed the Functional Element documents.

The NED V&V team reviewed the Design Phase PHA Report (Reference 19) prepared by the NED design engineer.

### (2) Design Phase RTM Efforts

The NICSD V&V team prepared the Design Phase RTM that traced the requirements from and to the Requirements Phase, and issued the Design Phase RTM Report (Reference 25). NICSD engineers iterated in the Design Phase RTM efforts and the Requirements Phase RTM efforts until NICSD engineers eliminated all untraceable requirements.

### (3) Issuance of the Design Phase V&V Report

The NICSD V&V team prepared and issued the NICSD Design Phase VVR (Reference 31) based on the results of the document reviews, and the NICSD RTM efforts.

The NED V&V team prepared the NED Design Phase VVR, based on the NICSD VVR, and the review of the Design Phase PHA Report.

### 3.12 Implementation and Integration Phase

This phase was completed in the original process, except for the FPGA retesting performed as the supplemental V&V activities. FPGA-DRT-C51-0014 "Implementation & Integration Phase V&V Report" (Reference 15) (Attachment-4) documented the original V&V activities. FPG-DRT-C51-1000 (Reference 46) (Attachment-6) documented the supplemental V&V activities.

FPG-DRT-C51-1000 superseded the following sections of FPGA-DRT-C51-0014:

- 3.3 Document Reviews (except Implementation Phase PHA)
- 3.4 Implementation Phase RTM effort (FPG-DRT-C51-1000 stated that the retesting had no effect on the previous RTM.)
- 3.5 Assessment of Software tools
- 4 Problem Reporting and Corrective Actions
- 5 Metrics

FPG-DRT-C51-1000 reported that all the FPGAs passed the dynamic simulation testing without any logic change. FPG-DRT-C51-1000 concluded that the report did not change the previous conclusions of this Implementation & Integration Phase, and that no further V&V effort for the subsequent phases was necessary.

The summary of the V&V activities is as follows:

(1) Verifying VHDL Source Codes, Logic Synthesis and Layout

The NICSD design engineers performed the following:

- Development of the VHDL source codes based on the FPGA Design Specifications
- Conversion of the VHDL source codes into the netlists using the Synplify® Tool
- Conversion of the netlists into fusemaps

The NICSD V&V activities included the following:

- Reviews of the VHDL source codes
- Timing Analyses
- Review of Software Tool Messages
- Visual Inspection of the netlists

(2) Performing FPGA Validation Testing

The NICSD design engineers performed FPGA validation testing of the FPGAs that embedded the fusemaps, in a manner that achieved the 100% toggle coverage criterion.

The NICSD V&V team reviewed the simulation and hardware test results and concluded that they were satisfactory, a conclusion that the NED V&V team reviewed and approved.

For the FPGA retesting, PPDD performed the testing. Section 6.2 of FPG-DRT-C51-1000 provides further information.

#### (3) Document Reviews

The NICSD V&V team performed document reviews of the FPGA Test Procedures, the FPGA Test Reports, and the Software Baseline, which the NED V&V team reviewed and approved.

The NED V&V team reviewed the Implementation and Integration Phase PHA Report (Reference 20), prepared by the NED design engineer.

For the FPGA retesting, the NICSD IV&V Team performed the document reviews. FPG-DRT-C51-1000 reported that the sentence "Simulation shall be performed for all the types of the delay information included in the delay information file (i.e. []<sup>a,c</sup>)" was added in Section 6.1 "VHDL functional test" of each of those FPGA Test procedures. This sentence ensures that the dynamic timing simulation is clearly required to use the delay information. Section 6.1 of FPG-DRT-C51-1000 provides further information.

#### (4) Implementation and Integration Phase RTM Efforts

The NICSD V&V team prepared the Implementation and Integration Phase RTM that traced the Design Phase to the FPGA Test Procedures, and traced the FPGA Test Procedures back to the Design Phase. The NICSD V&V team issued the Implementation and Integration Phase RTM Report (Reference 26), which the NED V&V team reviewed and approved.

The FPGA retesting activities updated the FPGA Test Procedures. FPG-DRT-C51-1000 stated, however, that the retesting had no effect on the previous RTM, because the update portions were limited to inclusion of dynamic timing simulation requirements and correction of clerical errors, and the RTMs did not trace the test method.
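The forward and backward tracing that the phase RTMs perform, from the Project Planning and Concept Definition Phase through to the FPGA Test Procedures, can be sketched as an added example; this is not Toshiba's RTM format or tooling. The item identifiers, the link-table layout and the sample data are constructed for illustration.

```python
"""Forward/backward traceability check across lifecycle phases (constructed example)."""
from collections import defaultdict

# Phase order as traced by the RTMs in the report; the short labels are this example's own.
PHASES = ["concept", "requirements", "design", "fpga_test"]

# Constructed items per phase; every identifier here is hypothetical.
ITEMS = {
    "concept": {"ERS-1", "ERS-2", "ERS-3"},
    "requirements": {"SRS-1", "SRS-2", "SRS-3"},
    "design": {"FE-1", "FE-2", "FE-3"},
    "fpga_test": {"TP-1", "TP-2", "TP-3"},
}

# Constructed first-draft links (upstream item, downstream item) with typical defects.
DRAFT_LINKS = [
    ("ERS-1", "SRS-1"), ("ERS-2", "SRS-2"), ("ERS-3", "SRS-3"),
    ("SRS-1", "FE-1"), ("SRS-2", "FE-2"), ("SRS-3", "FE-3"),
    ("FE-1", "TP-1"), ("FE-2", "TP-2"),
    ("FE-9", "TP-3"),   # typo: FE-9 is not a known design item
    ("ERS-1", "FE-1"),  # skips the requirements phase
]

# The same matrix after one correction iteration.
REVISED_LINKS = [
    ("ERS-1", "SRS-1"), ("ERS-2", "SRS-2"), ("ERS-3", "SRS-3"),
    ("SRS-1", "FE-1"), ("SRS-2", "FE-2"), ("SRS-3", "FE-3"),
    ("FE-1", "TP-1"), ("FE-2", "TP-2"), ("FE-3", "TP-3"),
]


def check_traceability(items, links, phases=PHASES):
    """Return every traceability defect found in a link table.

    no_forward   : items (not in the last phase) with no link into the next phase
    no_backward  : items (not in the first phase) with no link from the previous phase
    dangling     : links naming an identifier that exists in no phase
    non_adjacent : links that do not go from one phase to the very next one
    unverified   : first-phase items whose chain never reaches the last phase
    """
    where = {item: i for i, p in enumerate(phases) for item in items[p]}
    down, up = defaultdict(set), defaultdict(set)
    dangling, non_adjacent = [], []

    for src, dst in links:
        if src not in where or dst not in where:
            dangling.append((src, dst))
        elif where[dst] - where[src] != 1:
            non_adjacent.append((src, dst))
        else:
            down[src].add(dst)
            up[dst].add(src)

    last = len(phases) - 1
    no_forward = sorted(i for i, p in where.items() if p < last and not down.get(i))
    no_backward = sorted(i for i, p in where.items() if p > 0 and not up.get(i))

    # Walk backward from the last phase: an item "reaches the end" only if one
    # of its downstream items does. Per-step forward links alone do not prove this.
    reaches_end = set(items[phases[-1]])
    for phase in reversed(phases[:-1]):
        reaches_end |= {i for i in items[phase] if down.get(i, set()) & reaches_end}
    unverified = sorted(set(items[phases[0]]) - reaches_end)

    return {
        "no_forward": no_forward,
        "no_backward": no_backward,
        "dangling": dangling,
        "non_adjacent": non_adjacent,
        "unverified": unverified,
    }


def is_clean(report):
    """True when no defect category contains an entry."""
    return not any(report.values())


if __name__ == "__main__":
    for name, links in (("draft", DRAFT_LINKS), ("revised", REVISED_LINKS)):
        report = check_traceability(ITEMS, links)
        print(name, "clean" if is_clean(report) else report)
```

In the draft matrix every concept-phase item has a forward link, yet `ERS-3` is still reported as unverified because its chain stops at `FE-3`, which has no test procedure.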

#### (5) Assessment of Software Tools

The NICSD V&V team confirmed the control of the software tools used in the design and V&V activities. The NED V&V team reviewed and approved the results of these activities.

For the FPGA retesting, the NICSD IV&V Team assessed the software tools. Section 6.3 of FPG-DRT-C51-1000 provides further information.

(6) Issuance of the Implementation and Integration Phase V&V Report

The NICSD V&V team prepared and issued the NICSD Implementation and Integration Phase VVR (Reference 32) summarizing the V&V activities, which the NED V&V team reviewed and approved.

The NED V&V team prepared the NED Implementation and Integration Phase VVR based on the NICSD VVR, observation on the NICSD V&V activities, and review of the Implementation and Integration Phase PHA Report.

For the FPGA retesting, the NICSD IV&V Team issued FPG-DRT-C51-1000, which concluded that the report did not change the previous conclusions of the Implementation and Integration Phase NICSD VVR. The ICDD IV&V Team concluded that the NED conclusions of FPGA-DRT-C51-0014 Implementation and Integration Phase NED VVR were not changed.

### 3.13 Unit/Module Validation Testing Phase

This phase was completed in the original process. NED and NICSD performed the following V&V activities in the Unit/Module Validation Testing Phase. In this phase, NICSD integrates the module, containing the FPGAs, a printed circuit board, the front panel, and all ancillary circuits and tests the whole as a module. FPGA-DRT-C51-0014 "Unit/Module Validation Testing Phase V&V Report" (Reference 16) (Attachment-5) documented the V&V activities.

Because the Implementation and Integration Phase was not changed as the result of the supplemental V&V activities, the activities and conclusions of this phase were not affected. The summary of the V&V activities is as follows:

### (1) Performing Unit/Module Validation Testing

The NICSD quality control engineers performed the Unit and Module validation testing. This testing covered all requirements in the Unit/Module Equipment Design Specifications. In the testing, the FPGAs operated at their design frequency. The design frequency is the frequency at which the design requires the FPGAs to operate.

### (2) Document Reviews

The NICSD V&V team performed document reviews of the Module Validation Test Procedures, the Unit Validation Test Procedures, the Module Validation Test Reports, and the Unit Validation Test Reports.

The NED V&V team reviewed the Unit/Module Validation Testing Phase PHA Report (Reference 21) prepared by NED.

### (3) Unit/Module Validation Testing Phase RTM Efforts

The NICSD V&V team prepared the Unit/Module Validation Testing Phase RTM that traced the Requirements Phase to the Unit/Module Test Procedures, and traced the Unit/Module Test Procedures back to the Requirements Phase. The NICSD V&V team issued the Unit/Module Validation Testing Phase RTM Report (Reference 27).

### (4) Assessment of Test Equipment Software

The NED and NICSD V&V teams assessed the test equipment software used in the Unit/Module Validation Testing, and concluded that the test equipment software was acceptable.

(5) Issuance of the Unit/Module Validation Testing Phase V&V Report

The NICSD V&V team prepared, reviewed, and approved the NICSD Unit/Module Validation Testing Phase VVR (Reference 33), and the NICSD V&V Final Report (Reference 37) summarizing the V&V activities. The NICSD V&V Final Report includes the summary of the hardware V&V.

The NED V&V team prepared the NED Unit/Module Validation Testing Phase VVR based on NED review and approval of the NICSD VVR, observation of the V&V activities, and review of the Unit/Module Validation Testing Phase PHA Report.

In addition, NICSD performed the same level of V&V activities for the two module designs for enhanced Electro Magnetic Interference (EMI) immunity, as replacements for the original module designs. NICSD documented the V&V activities for these modules in References 35, 36, and 37. The NED Unit/Module Validation Testing Phase VVR includes descriptions of these V&V activities.

## 4 System Validation Phase V&V activities

This phase was completed in the original process. Because the Unit/Module Validation Testing Phase was not changed as the result of the supplemental V&V activities, the activities and conclusions of this phase were not affected.

The NED VVP states that the Unit/Module Validation Testing Phase V&V shall be performed with the following inputs and outputs. For these reviews, the Base Documents are design inputs to the review, and NED checks the Review Documents against the Base Documents and against other Review Documents. The documents in this phase included the following:

V&V Inputs:

- (1) ERS (Base Document)
- (2) System Validation Test Procedure (Review Document)
- (3) System Validation Test Records (Review Document)
- (4) System Validation Testing Phase RTM Report (Review Document)
- (5) Project Planning and Concept Definition Phase RTM Report (Base Document)
- (6) System Validation Testing Phase Hazard Analysis Report (Review Document)

V&V Outputs:

- (1) Document Review Reports (by NED)
- (2) System Validation Testing Phase RTM Report (by NED)
- (3) Verification and Validation Final Report (by NED)

The NICSD team reported the results of the Unit/Module Validation Testing Phase V&V activities in the NICSD Unit/Module Validation Testing Phase VVR (Reference 33) and the NICSD V&V Final Report (Reference 37).

### 4.1 System Validation Testing

The ICDD Monitoring System Engineering Group prepared the System Validation Test Plan (Reference 38). Based on the System Validation Test Plan, the Monitoring System Engineering Group prepared the System Validation Test Procedure (Reference 39).

The procedure included not only the items that were required from the software V&V point of view, but also those remaining items required from the NRW-FPGA-Based PRM System Qualification Project.

The procedure included the following:

- System Set-up and Check-out Testing
- Operability Testing
- Prudency Testing
- Power Quality Tolerance Testing
- Burn-in Testing

These tests are part of the EPRI TR-107330 Equipment Qualification process. Toshiba uses the EPRI technical report as guidance to create Toshiba's equipment qualification process.

The V&V efforts required Operability Testing, which included the following tests:

(1) Testing Accuracy

This NED testing measured the linearity of the Local Power Range Monitor, Average Power Range Monitor, Simulated Thermal Power, and Recirculation Flow.

(2) Testing Discrete I/O Function and Response

This test measures the response time of the APRM Upscale (High-High), and the Simulated Thermal Power Upscale trips. Tests also include the APRM Inoperable Trip, and the changes of the safety-related setpoints responding to the FLOW bypass and the reactor mode changes.

(3) Testing Failure Detection and Self-Test

The fail alarm for the redundant low voltage power supply (LVPS) modules was tested. The watchdog timer of each module was tested. The alarm for the SQ-ROOT module input signal low was tested.

(4) Testing Loss of Power and Restoration

The test checked I/O signals and status across relatively long AC power interruptions and restorations.

(5) Testing Short Power Interruptions

The test checked output signals across relatively short power interruptions.

The System Validation Testing Phase RTM efforts described below confirmed the traceability of the requirements in the Project Planning and Concept Definition Phase to the Unit/Module Validation Testing Phase and the System Validation Testing Phase. This review showed that the System Validation Testing must cover two requirements that could not be adequately addressed in the Unit/Module Validation Testing. They were:

- Response Time of the APRM Upscale (High-High) trip
- Response Time of the Simulated Thermal Power Upscale trip

These two items were included in the test sequences for item (2), Testing Discrete I/O Function and Response, above.

Prior to the System Validation Testing, NICSD integrated the test specimen and test equipment based on instructions provided by NED, as described in Figure 3-1. The test specimen consisted of:

- One LPRM unit
- One LPRM/APRM unit
- One FLOW unit

This test setup corresponds to one APRM channel in a typical BWR.

Figure 4-1 shows the test setup for the System Validation Testing, which was copied from the Schematic Diagrams for the PRM System (Reference 40). The test setup was similar to that for


In order to measure the response time of the APRM Upscale (High-High) and the Simulated

#### Figure 4-1 Setup of System Validation Testing

The qualified testers from the PQA Group performed the System Validation Testing, and issued the System Validation Test Records (Reference 41). Table 4-1 shows the results of the response time measurements copied from the System Validation Test Records. The test results confirmed that the response times of the APRM Upscale (High-High) and the Simulated Thermal Power Upscale trips were less than the required 40 milliseconds from the standard BWR design.

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division


#### Table 4-1 APRM and Simulated Thermal Power Upscale Trip Response Times



### 4.2 Document Reviews

The NED V&V team reviewed the following documents:

- The System Validation Test Procedure
- The System Validation Testing Phase RTM Report (Reference 28)
- The System Validation Testing Phase Hazard Analysis Report (Reference 22)

In addition, the NED V&V team checked the System Validation Test Records, and confirmed that the test results were satisfactory.

### 4.3 System Validation Testing Phase RTM Efforts

The NED design engineers performed the System Validation Testing Phase RTM efforts, and prepared the System Validation Testing Phase RTM Report. The System Validation Testing Phase RTM Report also summarized all RTM efforts for the PRM System developments.

The System Validation Testing Phase RTM Report concluded that:

"The System Validation Testing Phase RTM efforts were completed without any open items, and confirmed that all requirements identified in the Concept Phase were traced to and traced from the final PRM System."

The NED V&V team reviewed the System Validation Testing Phase RTM Report.

### 4.4 Assessment of Test Equipment Software

The PQA Group engineers used the same test equipment software as in the Unit/Module Validation Testing Phase. The test equipment software was controlled. The NED VVP required the control of the test equipment software using the Master Configuration List (MCL) (Reference 42).

data recorder is a programmable device, in that it allows the user to define mathematical formulas to calculate the data. Prior to the validation testing, the PQA Group engineers verified the formulas prepared for the testing, and issued the test results in the System Validation Testing Records. The System Testing Records included the calibration records for the test equipment. The NED V&V team checked the test records, and concluded that the formulas and the test results were acceptable.

The formulas for the data recorder were simple, and listed in the System Validation Testing Procedure, which was controlled using the MCL.

## 5 Configuration Management

The NED design engineers performed configuration management of the PRM System using the MCL. The NED design engineer produced the MCL in the Project Planning and Concept Definition Phase, and the NICSD design engineers updated the MCL. The NED V&V team checked the MCL.

## 6 Problem Reporting and Corrective Actions

(1) Nonconformance Notice Report (NNR)

One Nonconformance Notice Report (NNR) 06-002-I (Reference 43) was issued for the NED activities. The NNR was related to inappropriate acceptance of the NICSD VVRs. The nonconformance was resolved by correcting the NICSD VVRs, in accordance with AS-300A008 Nonconformance Control and Corrective Action Procedure (Reference 5).

(2) Corrective Action Request (CAR)

For the problem of the FPGA testing, CAR-11-176 was issued. This CAR-11-176 will be closed by the issuance of this VVR.

Section 4 of FPG-DRT-C51-0015 "Unit/Module Validation Testing Phase V&V Report" (Reference 16) (Attachment-5) and Section 6.5 of FPG-DRT-C51-1000 "Implementation and Integration Phase V&V Report (Supplemental Report for FPGA Retesting)" (Reference 46) (Attachment-6) provide information on problems in the NICSD activities.

## 7 Metrics

The following metrics were measured through the project.

(1) Numbers of Nonconformance Reports (NNRs) and Corrective Action Requests (CARs)

[]NNR and []CAR were issued for the NED activities as described in Section 6.

(2) Number of changes applied for the design documents.

It was observed that the number of changes applied to the design documents decreased as the revisions proceeded. The NED V&V team considered that the reduction in identified concerns reflected the maturity of the documents.

NED concluded that the metrics indicated a controlled high quality process, performed by qualified people. For further detail, refer to each phase VVR.

## 8 Findings and Recommendations

NRW-FPGA-Based PRM systems would be developed and fabricated for use in the nuclear plants. The PRM system that this project verified and validated is a prototype for type testing, and representative of the deliverable system. Therefore, in the future, V&V efforts for the products should be performed to verify and validate the portions changed from this verified PRM system. To clarify the difference between future PRM systems and this PRM system, a Requirements Traceability Matrix would be a good tool. The basic concepts in the PRM remain the same, but the number of detectors available in the final design will change, and the ability to change the number of detectors has been considered in the APRM system design.

## 9 Conclusions

In 2008, the V&V efforts were completed for the first time. The then NED V&V team concluded that all requirements for the PRM system were fulfilled in the final product, and that the PRM system was suitable for nuclear plant power monitoring.

In 2011, a problem in the FPGA testing was found, and supplemental V&V activities were performed to resolve the problem. In the years after the first completion of the V&V efforts, Toshiba improved the lifecycle process for FPGA-Based Safety-Related I&C systems, in a manner in which the scope of work under Appendix B programs was expanded. The supplemental V&V activities were performed using the current improved process.

The supplemental V&V activities, including the retesting of the FPGA, verified the FPGA logic without any change to it. The ICDD IV&V Team confirmed that the problem did not affect the PRM system, and concluded again that the PRM system was suitable for nuclear plant power monitoring.

## 10 Abbreviations

| Abbreviation | Definition |
|----------|---------------------------------------------------------------------------------------------------------------------------------------------------|
| APRM     | Average Power Range Monitor |
| EMI      | Electro Magnetic Interference                                                                                                                     |
| ERS      | Equipment Requirement Specification                                                                                                               |
| FE       | Functional Element                                                                                                                                |
| I&C      | Instrumentation and Control                                                                                                                       |
| ICDD     | Control & Electrical Systems Design & Engineering Department (Original)<br>Instrumentation & Control Systems Design & Engineering Dept. (Current) |
| IEEE     | Institute of Electrical and Electronics Engineers                                                                                                 |
| FLOW     | Flow Conversion                                                                                                                                   |
| LPRM     | Local Power Range Monitor                                                                                                                         |
| LVPS     | Low Voltage Power Supply                                                                                                                          |
| MCL      | Master Configuration List |
| NED      | Nuclear Energy Systems and Services Division                                                                                                      |
| NICSD    | Nuclear Instrumentation & Control Systems Department                                                                                              |
| NNR      | Nonconformance Notice Report                                                                                                                      |
| NRW-FPGA | Non Re-Writable Field Programmable Gate Array                                                                                                     |
| PM       | Project Manager                                                                                                                                   |
| PHA      | Preliminary Hazard Analysis                                                                                                                       |
| PPDD     | Power Platform Development Department                                                                                                             |
| PQA      | Project Quality Assurance                                                                                                                         |
| PSNE     | Power Systems Company, Nuclear Energy                                                                                                             |
| PRM      | Power Range Monitor                                                                                                                               |
| QA       | Quality Assurance                                                                                                                                 |
| RCV      | Receiver                                                                                                                                          |
| RTM      | Requirements Traceability Matrix                                                                                                                  |
| SDD      | Software Design Description                                                                                                                       |
| SIL      | Software Integrity Level                                                                                                                          |
| SQ-ROOT  | Square Root                                                                                                                                       |
| SQAP     | Software Quality Assurance Plan                                                                                                                   |
| SRS      | Software Requirements Specification                                                                                                               |
| TRN      | Transmitter                                                                                                                                       |
| VVP      | Verification and Validation Plan |
| VVR      | Verification and Validation Report |
| V&V      | Verification and Validation |

US Safety-Related

| Item | Description |
|----------------|-------------------------------------------------|
| Document No. | FPG-DRT-C51-0011 Rev 2 |
| Document Title | Project Planning and Concept Phase V&V Report |
| CUSTOMER NAME | None |
| PROJECT NAME | NRW-FPGA-Based PRM System Qualification Project |
| ITEM NAME | PRM Equipment |
| ITEM NO. | C51 |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

Feb. 21, 2007

Feb. 21, 2007

Feb. 20, 2007

FPG-DRT-C51-0016 Rev.1 Attachment-1

### FPG-DRT-C51-0011 Rev. 2

| Rev No. | Date          | History         | Approved by | Reviewed by | Prepared by |
|---------|---------------|-----------------|-------------|-------------|-------------|
| 0       | Apr. 13, 2006 | The first issue | N. Oda      | T. Ito      | T. Hayashi  |
| 1       | June 9, 2006  | Update          | N. Oda      | T. Ito      | T. Hayashi  |
| 2       | Feb. 21, 2007 | Update          | N. Oda      | T. Ito      | T. Hayashi  |


### Document Review Sheet

| Review Results | Acceptable | Acceptable with Unverified Portions | □Not Acceptable |
|----------------|------------|-------------------------------------|-----------------|
| Comments       | None       |                                     |                 |

| Items                            | Results |     |      |
|----------------------------------|---------|-----|------|
| Is the document complete?        | ☑YES    | □NO | □N/A |
| Are the descriptions correct?    | ☑YES    | □NO | □N/A |
| Are the descriptions consistent? | ☑YES    | □NO | □N/A |
| Are the descriptions accurate?   | ☑YES    | □NO | □N/A |

| Independent Reviewer<br>(Sign & Date) |
|---------------------------------------|
| Portual: Ho                           |
| Feb. 21, 2007                         |

## **Table of Contents**

- 1. Purpose
- 2. References
- 3. V&V activities
- 4. Problem Reporting and Corrective Actions
- 5. Metrics
- 6. Abbreviations
- 7. Conclusions

## 1. Purpose

This report summarizes the Project Planning and Concept Definition Phase (Concept Phase) Verification & Validation (V&V) activities that have been performed in accordance with the Verification and Validation Plan (VVP) Rev.3.

## 2. References

- 2.1 AS-200A002, "Design Verification Procedure"
- 2.2 AS-200A130, "Digital System Verification and Validation Procedure"
- 2.3 AS-300A006, "Nonconformance Control Procedure for Procured Items and Services"
- 2.4 AS-300A008, "Nonconformance Control and Corrective Action Procedure"

- 2.5 ICDD P-101, "NICSD Manufacture of FPGA-Based Equipment"
- 2.6 FPG-PLN-C51-0002, "Software Quality Assurance Plan," Rev. 2
- 2.7 FPG-PLN-C51-0006, "Verification and Validation Plan," Rev. 3

## 3. V&V activities

The VVP states that the Concept Phase V&V activities shall be performed with the following inputs and outputs.

V&V Inputs:

- (1) ERS (Review Document)
- (2) SQAP (Review Document)
- (3) Preliminary Hazard Analysis (PHA) Report (Review Document)

V&V Outputs:

- (1) VVP
- (2) Document Review Reports
- (3) Project Planning and Concept Definition Phase RTM

### 3.1 Preparation of VVP

The VVP has been prepared in accordance with AS-200A130. Revision 3 of the VVP was issued after Rev.0 of this Concept Phase V&V Report (VVR) was issued. This VVP revision was prepared to address three issues that appeared in the later-phase V&V activities, which were performed by the Toshiba Nuclear Instrumentation & Control Systems Department (NICSD).

The newest VVP does not affect these Concept Phase V&V activities.

The issues were:

- (1) The responsibility for the system integrity was corrected.
- (2) A reference to NICSD procedure was corrected.
- (3) The Plan was changed to allow some modification to the RTM format, because the RTM in the later phase became larger than the size to which the initial format was appropriate.

### 3.2 Document Reviews

Two methods were used to review documents, in accordance with ICDD procedure P-101:

"(1) Design Verification

The Design Verification process is used for verification of designs, in accordance with AS-200A002 "Design Verification Procedure." In this method, the independent reviewer, also called the verifier, verified the design, and prepared the Design Verification Report to document the verification. If there were any unverified items, a Verification Follow Sheet (VFS), which includes the items, was attached to the Design Verification Report (DVR). These items are subjected to the later verification, or shall be resolved when the Design Verification is repeated for the revised document."

"(2) Document Review

The Document Review Sheet is used for documents that do not include any design information. After the independent reviewer finished the review and all issues found by the reviewer were resolved, the reviewer put his signature on the Document Review Sheet contained in the reviewed document."

The Concept Phase document reviews have been performed (see Table 3-1).

### 3.3 Concept Phase RTM effort

The Project Planning and Concept Definition Phase RTM effort has been established by the "Project Planning and Concept Definition Phase Requirement Traceability Matrix Report," Rev. 5 (see Table 3-2).

The RTM was revised several times after the issuance of Revision 0 of this Concept Phase VVR. These revisions were made to accommodate the revisions of the ERS, and to compensate for some findings in the later phase V&V activities. Table 3-1 lists the summary of the RTM revisions since Rev. 1. As shown in the table, much effort was made to trace the requirements from the Concept Phase to the later phases. This effort was consistent with the Task Iteration Policy in Section 7.2 of the VVP, and was considered to be acceptable.

| Revision | Changes | Corresponding ERS Revision | Reasons |
|----------|---------|----------------------------|---------|
| 2        |         | 3 and 4                    | ERS Rev.3 and 4 were prepared to resolve findings in ERS Rev.2. RTM Rev.2 confirmed the resolutions. |
| 3        |         | 5                          | RTM Rev.3 was prepared to reflect the changes in ERS Rev.5, and resolve an issue pointed out in the Requirements Definition Phase RTM efforts. |
| 4        |         | 5                          | RTM Rev.4 resolved some errors in RTM Rev.3 |
| 5        |         | 6                          | RTM Rev.5 was prepared to reflect the changes in ERS Rev.6, which had been issued to resolve two findings in the later Phase RTM efforts. |

#### Table 3-1 Summary of RTM updates

#### Table 3-2 Document Reviews

| PCD No. and Rev.       | Document Name                                                                | Prepared by | Independent Reviewer | Review method | DVR No. and Rev.   |
|------------------------|------------------------------------------------------------------------------|-------------|-------------|--------|--------------------|
| FPG-RQS-C51-0001 Rev.0 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Hayashi  | DVR    | DVR-IM-20050526-1  |
| FPG-RQS-C51-0001 Rev.1 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Hayashi  | DVR    | DVR-IM-20050622-1  |
| FPG-RQS-C51-0001 Rev.2 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Hayashi  | DVR    | DVR-IM-20051031-1  |
| FPG-RQS-C51-0001 Rev.3 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Hayashi  | DVR    | DVR-IM-20051228-1  |
| FPG-RQS-C51-0001 Rev.4 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Hayashi  | DVR    | DVR-IM-20060317-1  |
| FPG-RQS-C51-0001 Rev.5 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Hayashi  | DVR    | DVR-IM-20060530    |
| FPG-RQS-C51-0001 Rev.6 | Equipment Requirement Specification of FPGA based Units                      | T. Miyazaki | T. Ito      | DVR    | DVR-IM-2007/0214-1 |
| FPG-PLN-C51-0002 Rev.0 | Software Quality Assurance Plan                                              | T. Miyazaki | T. Ito      | DVR    | DVR-IM-20050613-1  |
| FPG-PLN-C51-0002 Rev.1 | Software Quality Assurance Plan                                              | T. Miyazaki | T. Ito      | DVR    | DVR-IM-20050708-1  |
| FPG-PLN-C51-0002 Rev.2 | Software Quality Assurance Plan                                              | T. Miyazaki | T. Ito      | DVR    | DVR-IM-20060329-1  |
| FPG-PLN-C51-0006 Rev.0 | Verification and Validation Plan                                             | T. Hayashi  | T. Ito      | DRS    | N/A                |
| FPG-PLN-C51-0006 Rev.1 | Verification and Validation Plan                                             | T. Hayashi  | T. Ito      | DRS    | N/A                |
| FPG-PLN-C51-0006 Rev.2 | Verification and Validation Plan                                             | T. Hayashi  | T. Ito      | DRS    | N/A                |
| FPG-PLN-C51-0006 Rev.3 | Verification and Validation Plan                                             | T. Hayashi  | T. Ito      | DRS    | N/A                |
| FPG-DRT-C51-0010 Rev.0 | Project Planning and Concept Phase Requirement Traceability<br>Matrix Report | T. Miyazaki | T. Hayashi  | DRS    | N/A                |
| FPG-DRT-C51-0010 Rev.1 | Project Planning and Concept Phase Requirement Traceability<br>Matrix Report | T. Miyazaki | T. Hayashi  | DRS    | N/A                |
| FPG-DRT-C51-0010 Rev.2 | Project Planning and Concept Phase Requirement Traceability<br>Matrix Report | T. Miyazaki | T. Hayashi  | DRS    | N/A                |
| FPG-DRT-C51-0010 Rev.3 | Project Planning and Concept Phase Requirement Traceability<br>Matrix Report | T. Miyazaki | T. Hayashi  | DRS    | N/A                |
| FPG-DRT-C51-0010 Rev.4 | Project Planning and Concept Phase Requirement Traceability<br>Matrix Report | T. Miyazaki | T. Hayashi  | DRS    | N/A                |
| FPG-DRT-C51-0010 Rev.5 | Project Planning and Concept Phase Requirement Traceability<br>Matrix Report | T. Miyazaki | T. Ito      | DRS    | N/A                |
| FPG-DRT-C51-0002 Rev.0 | Preliminary Hazard Analysis Report                                           | T. Miyazaki | T. Ito      | DVR    | DVR-IM-20050613-1  |
| FPG-DRT-C51-0002 Rev.1 | Preliminary Hazard Analysis Report                                           | T. Miyazaki | T. Ito      | DVR    | DVR-IM-20060330-1  |
| FPG-DRT-C51-0011 Rev.0 | Project Planning and Concept Phase V&V Report                                | T. Hayashi  | T. Ito      | DRS    | N/A                |
| FPG-DRT-C51-0011 Rev.1 | Project Planning and Concept Phase V&V Report                                | T. Hayashi  | T. Ito      | DRS    | N/A                |


## 4. Problem Reporting and Corrective Actions

No problem reports regarding the Concept Phase V&V activities have been made.

## 5. Metrics

Section 5.5 of the Software Quality Assurance Plan (SQAP) lists the metrics that should be maintained for the PRM System. According to the SQAP, we chose the following metrics for the Concept Phase:

- (1) The number of changes applied to each revision of the Equipment Requirement Specification (ERS)
- (2) The number of Nonconformance Notice Reports issued

For (2), no Nonconformance Notice Report (NNR) has been issued in the Concept Phase. For NNRs, see AS-300A006 and AS-300A008.

For (1), the author examined the changes that had been applied to each revision of the ERS, and classified them into the following types:

- Corrections: This type of change is made to correct any incorrect requirements, incorrect descriptions or errors.
- Additions: This type of change is made to add new design requirements or new information to the ERS.
- Others: This type of change is made to improve readability, and does not change any requirements or add new information. Adding new sentences for clarification or explanation belongs to this type of change, as long as it does not add new information.

Table 5-1 shows the numbers of changes for each ERS revision. The table indicates that the numbers of Corrections decreased from revision 2 through revision 6. From the figures, the author concluded that remaining uncovered errors are likely to be few.

| ERS Revision | Corrections | Additions | Others | Total |
|--------------|-------------|-----------|--------|-------|
| 1            |             |           |        |       |
| 2            |             |           |        |       |
| 3            |             |           |        |       |
| 4            |             |           |        |       |
| 5            |             |           |        |       |
| 6            |             |           |        |       |

a,c

## 6. Abbreviations

- DVR Design Verification Report
- ERS Equipment Requirement Specification
- NNR Nonconformance Notice Report

- NRW-FPGA Non Re-Writable Field Programmable Gate Array

- PHA Preliminary Hazard Analysis
- PRM Power Range Monitor
- RTM Requirements Traceability Matrix
- SQAP Software Quality Assurance Plan
- VFS Verification Follow Sheet
- VVP Verification and Validation Plan
- V&V Verification and Validation

## 7. Conclusions

The V&V team confirmed that the Concept Phase V&V activities had been performed in accordance with the VVP, and concluded that the V&V activities for the Concept Phase were acceptable.

| Field             | Value                                           |
|-------------------|-------------------------------------------------|
| Classification    | US Safety-Related                               |
| Document No.      | FPG-DRT-C51-0012                                |
| Rev               |                                                 |
| Project           | NRW-FPGA-Based PRM System Qualification Project |
| Document Title    | Requirements Definition Phase V&V Report        |
| Customer Name     | None                                            |
| Project Name      | NRW-FPGA-Based PRM System Qualification Project |
| Item Name         | PRM Equipment                                   |
| Item No.          | C51                                             |
| Job No.           | FPG                                             |


FPG-DRT-C51-0016 Rev.1 Attachment-2

### Requirements Definition Phase V&V Report


### FPG-DRT-C51-0012 Rev. 1

| Rev No. | Date          | History         | Approved by | Reviewed by | Prepared  |
|---------|---------------|-----------------|-------------|-------------|-----------|
| 0       | May 7 2007    | The first issue | N.Oda       | T. Ito      | T.Hayashi |
| 1       | Sep. 12, 2007 | Update          | T. Ito      | T. Ito      | T.Hayashi |


## Document Review Sheet

| Review Results | ☑ Acceptable | □ Acceptable with Unverified Portions | □ Not Acceptable |
|----------------|--------------|---------------------------------------|------------------|
| Comments       | None         |                                       |                  |

| Items                            | Results |      |       |
|----------------------------------|---------|------|-------|
| Is the document complete?        | ☑ YES   | □ NO | □ N/A |
| Are the descriptions correct?    | ☑ YES   | □ NO | □ N/A |
| Are the descriptions consistent? | ☑ YES   | □ NO | □ N/A |
| Are the descriptions accurate?   | ☑ YES   | □ NO | □ N/A |

Independent Reviewer (Sign & Date) Julinta Ho Sep-12, 2007


## **Table of Contents**

- 1. Purpose
- 2. References
- 3. Establishment of NICSD V&V Plan
- 4. V&V activities
  - 4.1 Document Reviews
  - 4.2 Requirements Definition Phase RTM effort
- 5. Problem Reporting and Corrective Actions
- 6. Metrics
- 7. Findings and Recommendations, and Conclusions
- 8. Additional V&V Activities
  - 8.1 EMI immunity enhanced modules and VVP
  - 8.2 Requirements Phase Documentation for the EMI immunity enhanced modules
- 9. Abbreviations
- Appendix

## 1. Purpose

This report summarizes the Requirements Definition Phase Verification & Validation (V&V) activities that have been performed in accordance with NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan (NED VVP) (Reference 2).

NICSD established the NICSD Verification & Validation Plan (NICSD VVP) (Reference 7) that satisfied the requirements of the NED VVP. NICSD performed the Requirements Definition Phase V&V activities in accordance with the NICSD VVP and summarized their V&V activities in the NICSD Requirements Definition Phase V&V Report (NICSD VVR) (Reference 9).

Later, NICSD added two new modules with enhanced Electro Magnetic Interference (EMI) immunity as replacements for the older modules. NICSD established the new NICSD VVP (Reference 18) for these new modules, based on the original NICSD VVP (Reference 7), covering the differences between these modules and the older modules. NICSD performed V&V activities for these new modules in accordance with the new NICSD VVP. As a result of the additional V&V activities, NICSD updated the NICSD Requirement Definition Phase RTM Report (Reference 8) to the new Requirement Definition Phase RTM Report (Reference 19), and summarized the V&V activities in the V&V Final Report (Reference 20). The Requirement Definition Phase portion of the additional NICSD V&V activities was reviewed and added in Section 8 of this VVR.

This report confirmed the NICSD V&V activities through the NICSD VVP and VVR. In addition, this report reviewed the Requirements Phase Preliminary Hazard Analysis performed by NED (Reference 5).

## 2. References

- 1 FPG-PLN-C51-0002, Software Quality Assurance Plan, Rev. 2
- 2 FPG-PLN-C51-0006, NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan, Rev. 4
- 3 FPG-RQS-C51-0001, Equipment Requirement Specification, Rev. 6
- 4 FPG-DRT-C51-0002, Preliminary Hazard Analysis Report, Rev. 1
- 5 FPG-DRT-C51-0018, Requirements Definition Phase Hazard Analysis Report, Rev. 0
- 6 FPG-DRT-C51-0011, Project Planning and Concept Phase V&V Report, Rev. 2
- 7 FPG-VDN-C51-0003, Verification & Validation Plan, Rev. 2
- 8 FPG-VDN-C51-0076, Requirement Definition Phase RTM Report, Rev. 2
- 9 FPG-VDN-C51-0075, Requirement Definition Phase V&V Report, Rev. 2
- 10 FPG-VDN-C51-0005, LPRM/APRM Unit HNU200 Equipment Design Specification, Rev. 3
- 11 FPG-VDN-C51-0010, LPRM Module HNS011 Equipment Design Specification, Rev. 2
- 12 FPG-VDN-C51-0011, APRM Module HNS020 Equipment Design Specification, Rev. 1
- 13 FPG-VDN-C51-0017, AO Module HNS511, 512, 513, 514 Equipment Design Specification
- 14 FPG-VDN-C51-0019, TRN Module HNS530 Equipment Design Specification, Rev. 2
- 15 FPG-VDN-C51-0020, RCV Module HNS540 Equipment Design Specification, Rev. 3
- 16 Nonconformance Notice Report 06-002-I
- 17 Vendor Nonconformance Notice Report 06-012
- 18 FPG-VDN-C51-0309, Verification and Validation Plan, Rev. 0
- 19 FPG-VDN-C51-0307, Requirement Definition Phase RTM Report, Rev. 0
- 20 FPG-VDN-C51-0310, V&V Final Report, Rev. 0
- 21 FPG-VDN-C51-0301, LPRM Module HNS011, 013 Equipment Design Specification, Rev. 0
- 22 FPG-VDN-C51-0302, AO Module HNS511-518 Equipment Design Specification, Rev. 0

## 3. Establishment of NICSD V&V Plan

The NED VVP (Reference 2) states that the NICSD V&V team shall establish its own VVP conforming to the NED VVP, and that the NED V&V personnel shall review the NICSD VVP (Reference 7) before the Requirements Definition Phase.

The NED V&V team reviewed the NICSD VVP in accordance with the NED VVP. This review was performed in accordance with the Software Quality Assurance Plan (SQAP) (Reference 1), which requires the review to include the following:

- Verify that the plan meets the requirements of the NED VVP.
- Verify that the plan has adequate direction for performing the NICSD V&V activities.
- Evaluate if the methods used in the plan are practical and appropriate for the purpose of V&V.
- Evaluate if the plan specifies adequate resources to perform the planned V&V activities.

After reviewing the NICSD VVP, NED V&V found that:

- The NICSD VVP included the items that the NED VVP required.
- The NICSD VVP described the project organization. The NICSD VVP assigned the resources for the V&V team, which was independent from the design group as the NED VVP required.
- The NICSD VVP depicted the V&V process in the NICSD, which was consistent with the NED VVP requirements.
- Figure 3-1 is quoted and translated from the NICSD VVP, which shows the NICSD V&V process. The figure indicates that:
  - NICSD performs the design and V&V activities in the phases defined in the NED VVP.
  - The NICSD V&V team activities are independent of the development activities, and will establish the NICSD V&V report for each phase.
  - The NICSD V&V team will review the documents prepared by the design team. The VHDL source codes will also be reviewed in the same manner.
  - The messages generated by the logic synthesis tools and the Place & Route tools are checked.
- The V&V activity methods described in the NICSD VVP were practical and appropriate.
- The NICSD VVP specified the design documents to be reviewed. These design documents were appropriate.
- The NICSD VVP defined the output from the V&V activities appropriately.

As a result, the NED V&V team concluded that the NICSD VVP was appropriate, and acceptable to NED.


a,c


Figure 3-1 NICSD V&V Process (Copied and Translated from the NICSD VVP)

## 4. V&V activities

The NED VVP (Reference 2) states that the Requirements Definition Phase V&V activities shall be performed with the following inputs and outputs.

V&V Inputs:

(1) ERS (Base Document)

(2) Project Planning and Concept Definition Phase RTM (Base Document)

(3) Unit/Module Design Specifications (Review Document)

(4) NICSD Requirements Definition Phase VVR (Review Document)

(5) PHA Report (Review Document)

V&V Outputs:

(1) Document Review Reports (by both NICSD and NED)

(2) Requirements Definition Phase RTM (by NICSD)

(3) Requirements Definition Phase VVR (by NED)

### 4.1 Document Reviews

The NED VVP requires the reviews identified in items (1) and (2) below.

"(1) The NICSD V&V team shall review the Software Requirements Specification (SRS) included in the Unit Design Specifications and Module Design Specifications, for completeness, correctness, consistency, and accuracy."

The NED V&V team and the NICSD V&V team discussed document reviews several times to ensure that the NICSD V&V team performed the document reviews in the manner that the NED V&V team required with respect to the viewpoints, the methods, and the level of intensity to be applied to these reviews. In the discussion, the NED V&V team commented on the preliminary reviews performed by the NICSD V&V team when they found some discrepancies from what they expected. These comments included corrections to the viewpoints, the methods, and the level of intensity. Through the discussion, the NED V&V team confirmed that the NICSD V&V team could perform document reviews as NED required.

Section 3 of the NICSD Requirements Definition Phase VVR (Reference 9) states that the document reviews listed in Table 4-1, which was copied and translated from Table 4-1 of the NICSD Requirements Definition Phase VVR, have been performed. The NED V&V team confirmed that the documents in Table 4-1 were the same as the documents that were listed in the NICSD VVP (Reference 7).

#### Table 4-1 Reviewed Documents by NICSD

| No. | Name                                           | Doc No.* | Rev. | Remark             |
|-----|------------------------------------------------|----------|------|--------------------|
| 1   | LPRM Unit Equipment Design Specification       | 5G8HA748 | 3    | HNU100             |
| 2   | LPRM/APRM Unit Equipment Design Specification  | 5G8HA749 | 3    | HNU200             |
| 3   | FLOW Unit Equipment Design Specification       | 5G8HA750 | 2    | HNU300             |
| 4   | LPRM Module Equipment Design Specification     | 5G8HA751 | 2    | HNS011             |
| 5   | APRM Module Equipment Design Specification     | 5G8HA752 | 1    | HNS020             |
| 6   | SQ-ROOT Module Equipment Design Specification  | 5G8HA753 | 2    | HNS030             |
| 7   | FLOW Module Equipment Design Specification     | 5G8HA754 | 1    | HNS040             |
| 8   | STATUS Module Equipment Design Specification   | 5G8HA755 | 3    | HNS091/HNS093      |
| 9   | BLANK Module Equipment Design Specification    | 5G8HA756 | 0    | HNS490             |
| 10  | LVPS Module Equipment Design Specification     | 5G8HA757 | 0    | HNS500             |
| 11  | AO Module Equipment Design Specification       | 5G8HA758 | 0    | HNS511/512/513/514 |
| 12  | DIO Module Equipment Design Specification      | 5G8HA759 | 0    | HNS520             |
| 13  | TRN Module Equipment Design Specification      | 5G8HA760 | 2    | HNS530             |
| 14  | RCV Module Equipment Design Specification      | 5G8HA761 | 3    | HNS540             |

(Copied and Translated from the Requirement Definition Phase V&V Report (Reference 9))

\* NICSD Document Number

For the documents listed in Table 4-1, the NED V&V team made spot checks, along with reviews of the RTM efforts, as described below. The checked documents were:

- LPRM/APRM Unit HNU200 Equipment Design Specification (Reference 10)
- LPRM Module HNS011 Equipment Design Specification (Reference 11)
- APRM Module HNS020 Equipment Design Specification (Reference 12)
- TRN Module HNS530 Equipment Design Specification (Reference 14)
- RCV Module HNS540 Equipment Design Specification (Reference 15)

These documents are the most important to the safety functions of the PRM system. The objective of the spot checks was to examine whether the NICSD V&V team had performed the document reviews as required and expected by NED.

During the spot checks, the NED V&V team made thorough reviews of the five documents for completeness, correctness, consistency, and accuracy as required by the NED VVP. The NED V&V team found that the five documents were appropriately reviewed with the viewpoints, the methods of review, and the level of intensity that NED required and expected.

Considering the discussion with the NICSD V&V team, and the result of the spot check, the NED V&V team concluded that the document reviews in Table 4-1 conformed to the NICSD VVP, and therefore the reviewed documents were acceptable.

In addition to Table 4-1, NED also reviewed the Requirements Definition Phase RTM Report (Reference 8). See Section 4.2 for the RTM Report.

"(2) The NED V&V personnel shall independently review the Requirements Definition Phase PHA."

The NED V&V team reviewed the Requirements Definition Phase Hazard Analysis Report (Requirements Definition Phase PHA Report) (Reference 5) for completeness, correctness, consistency, and accuracy as required by the NED VVP.

In the Preliminary Hazard Analysis Report (Concept Phase PHA Report)(Reference 4), a fault tree analysis was performed for the following most undesired events for the plant safety:

The Concept Phase PHA Report reported that the following two concerns must be addressed in the later phases.

The Requirements Definition Phase PHA Report pointed out that an error in the software tools might introduce Common Cause Failure (CCF) in the FPGA commonly used in the PRM system. In the Requirements Definition Phase PHA, a Failure Modes and Effects Analysis (FMEA) was performed to search for possible failure modes occurring as CCF and leading to the above undesired events. As a result, the Requirements Definition Phase PHA reported that some errors in some specific FPGAs might lead to the undesired events. These FPGAs and their failure modes are summarized as follows:

The Requirements Definition Phase PHA Report concluded that the risks of the PRM System were the same as the risks revealed in the Project Planning and Concept Definition Phase (Concept Phase), provided that the above FPGA failures would be addressed in the later phases.

The NED V&V team concluded that the Requirements Definition Phase PHA Report was acceptable, and the FPGA failures should be addressed in the later V&V phases.

### 4.2 Requirements Definition Phase RTM effort

The Requirements Definition Phase RTM traces the requirements forward from the Concept Phase to the Software Requirements Specification (SRS) included in the Unit/Module Design Specifications, and traces the requirements backward from the SRS to the Concept Phase.

The NED VVP requires the reviews identified in items (1) and (2).


"(1) Preparation of Requirements Definition Phase RTM"

"(2) Compilation of the Requirements Definition Phase RTM report"

The Requirements Definition Phase RTM report was prepared by NICSD. Table 4-2 shows the structure of the Requirements Definition Phase RTM. The left column lists the requirements from the Concept Phase, and the columns to its right list the corresponding requirements in the Requirements Definition Phase, with one column for each Unit/Module Equipment Design Specification.

For example, the "Req.1" in the Concept Phase corresponds to "Req. L1" in the LPRM Unit Equipment Design Specification, and "Req.LM1" in the LPRM Module Equipment Design Specification. The "Req.2" corresponds to the "Req.L2" in the LPRM Unit Equipment Design Specification, "Req.LA1" in the LPRM/APRM Unit Equipment Design Specification, "Req.LM2" in the LPRM Module Equipment Design Specification, and the "Req.AM1" in the APRM Module Equipment Design Specification.

The table in the Appendix is an example of the Requirements Phase RTM that was copied and translated from the Requirement Definition Phase RTM Report (Reference 8).

| Concept Phase Requirements | LPRM Unit | LPRM/APRM Unit | FLOW Unit | LPRM Module | APRM Module | Other Modules |
|----------------------------|-----------|----------------|-----------|-------------|-------------|---------------|
| Req. 1                     | Req. L1   |                |           | Req. LM1    |             |               |
| Req. 2                     | Req. L2   | Req. LA1       |           | Req. LM2    | Req. AM1    |               |
| Req. 3                     |           | Req. LA1       |           |             | Req. AM2    |               |
| Other Requirements         |           |                |           |             |             |               |

(The columns LPRM Unit through Other Modules are the Requirements Definition Phase Requirements.)

#### Table 4-2 Structure of the Requirements Definition Phase RTM

The earlier Requirements Definition Phase RTM reports found some untraceable requirements between the Concept Phase and this Requirements Definition Phase. These untraceable requirements were considered to be defects in the RTM.

The Requirements Definition Phase RTM effort was performed to resolve these defects: whenever a defect was found in the Requirements Definition Phase RTM, appropriate corrections were made in the Requirements Definition Phase or in the Concept Phase. Some corrections in the Concept Phase often led to discoveries of further defects, in which case further corrections were made.

Table 4-3 shows how the number of defects in the Requirements Definition Phase RTM has been reduced. A defect in forward traceability means a requirement in the Concept Phase that cannot be traced to the Requirements Definition Phase; a defect in backward traceability means a requirement in the Requirements Definition Phase that cannot be traced back to the Concept Phase.

One example of defects was the following requirement in the Concept Phase RTM:


a,c

This requirement had no specific meaning and hence could not be traced to the Requirements Definition Phase (forward traceability). To resolve this defect, the requirement was deleted in the Concept Phase RTM.

| Requirements Definition Phase RTM | Number of Defects in Forward Traceability | Number of Defects in Backward Traceability |
|-----------------------------------|-------------------------------------------|--------------------------------------------|
| Rev.0                             |                                           |                                            |
| Rev.1                             |                                           |                                            |
| Rev.2                             |                                           |                                            |

a,c

Table 4-3 Number of Defects in the Requirements Definition Phase RTM (Reference 8)

Another example of defects was the analog output port requirement in the SRS, which was designed for function check. This was a defect in backward traceability. To resolve this defect, the ERS was revised.

In order to verify the RTM effort, the NED V&V team made spot checks of the Requirements Definition Phase RTM through three steps. In the first step, the NED V&V team checked whether the requirements in the Concept Phase RTM were traced to and traced from those of the Requirements Definition Phase documents. The NED V&V team focused on the following documents:

- LPRM/APRM Unit HNU200 Equipment Design Specification (Reference 10)
- LPRM Module HNS011 Equipment Design Specification (Reference 11)
- APRM Module HNS020 Equipment Design Specification (Reference 12)
- TRN Module HNS530 Equipment Design Specification (Reference 14)
- RCV Module HNS540 Equipment Design Specification (Reference 15)

This verification was to examine vertically the Concept Phase RTM and the Requirements Definition Phase RTM, i.e., examining the columns corresponding to the above documents, verifying that all requirements can be traced from the Concept phase to this Requirements Definition phase. See Table 4-2 for the Requirements Definition Phase RTM structure.

In the second step, the NED V&V team selected three requirements in the Concept Phase RTM, and checked if each requirement can be traced to appropriate descriptions in the Requirements Definition Phase documents. This verification was to examine the Requirements Definition Phase RTM horizontally, i.e. examining the selected requirements for all units and modules.

The selected requirements were the following:

- The equipment shall be initialized whenever power is applied;
- The watchdog timers shall be external, and not built into the FPGA logic;
- The watchdog timers shall not depend on the clock signal used by the FPGA.

These requirements were selected because they were relatively common to all units and modules. The NED V&V team confirmed that the selected requirements were traced to the unit and module specifications.


At the third and last step, the NED V&V team made the backward traceability check for the Requirement Definition Phase RTM. During this check, the NED V&V team verified that every requirement in the Requirements Definition Phase could be traced back to appropriate requirements from the Concept Phase, i.e. all the requirements in the Requirements Definition Phase documents came from the Concept Phase requirements.

The check examined each selected document from the first section through the last section, checking whether each section corresponded to one or more Concept Phase requirements. Since the Unit and Module Equipment Specifications include hardware specifications, not every section corresponded to the Concept Phase requirements. These hardware requirements were excluded from the check.

Section 3 of the Requirements Definition Phase RTM report noted that the output data set from the LPRM/APRM Unit to the RBM system was not the same as that from the APRM Module. The LPRM/APRM Unit relays these data from the APRM Module to the RBM system. This discrepancy is considered a matter of architectural design choice, and does not affect the PRM system functions.

By reviewing the latest revisions of the RTMs listed in Table 4-3 the NED V&V team concluded that the Requirements Definition Phase RTM was appropriate, in that all requirements were traceable to the Concept Phase, the requirements were appropriate, and no new requirements were created in the Requirements Definition Phase.

The NED V&V team concluded that the Requirements Definition Phase RTM effort left no open item, and was acceptable.

## 5. Problem Reporting and Corrective Actions

Nonconformance Notice Report (NNR) 06-002-I (Reference 16) was issued, reporting problems through V&V phases. For the Requirements Definition Phase V&V activities, the NNR reported that the NED V&V team accepted:

- the earlier revision of the RTM report, despite the fact that the RTM had some discrepancy.
- the earlier revision of the NICSD VVR, despite the fact that the NICSD VVR had no remark on the "recommendation and the suggestion for the risk reduction."

These two problems corresponded to the problems that were reported by the Vendor Nonconformance Report (VNNR) 06-012 (Reference 17).

The NICSD VVR (Reference 9) reported that the corresponding problems in the VNNR 06-012 had been resolved, and the VNNR had been closed. The NED V&V team confirmed the resolution of the problems through this phase's V&V activities.

## 6. Metrics

The number of changes applied to newer revisions of individual documents, and the number of Nonconformance Notice reports were used as the metrics for NED and NICSD V&V activities.

Section 5 of the NICSD VVR reported that:

- Nonconformance Notice Report was issued
- The number of changes applied to newer revisions of each Equipment Design Specification decreased as its revisions proceeded.

Table 6-1 summarizes the number of changes applied to newer revisions of each Equipment Design Specification. This table was copied and translated from the NICSD Design Phase V&V Report (Reference 9).

## Table 6-1 The number of changes applied to newer revisions of each Unit/Module Equipment Design Specification

| No. | Name | Doc No. (NICSD number) | Rev | Type of Changes: Corrections | Type of Changes: Additions | Type of Changes: Others | Total |
|-----|------|------------------------|-----|------------------------------|----------------------------|-------------------------|-------|
| 1 | LPRM Unit Equipment Design Specification | 5G8HA748 | 1 | | | 1 | |
| | | | 2 | | | | |
| 2 | LPRM/APRM Unit Equipment Design Specification | 5G8HA749 | 3 | | | | |
| | | | 2 | 1 | | | |
| | | | 3 | | | | |
| 3 | FLOW Unit Equipment Design Specification | 5G8HA750 | 1 | | | | |
| | | | 2 | | | | |
| 4 | LPRM Module Equipment Design Specification | 5G8HA751 | 1 | | | | |
| | | | 2 | | | | |
| 5 | APRM Module Equipment Design Specification | 5G8HA752 | 1 | | | | |
| 6 | SQ-ROOT Module Equipment Design Specification | 5G8HA753 | 1 | | | | |
| | | | 2 | | | | |
| 7 | FLOW Module Equipment Design Specification | 5G8HA754 | 1 | | | | |
| 6 | STATUS Module Equipment Design Specification | 5G8HA755 | 1 | | | | |
| | | | 2 | | | | |
| | | | 3 | | | | |

(Copied and translated from the Requirement Definition Phase V&V Report (Reference 9))

Table 6-1 The number of changes applied to newer revisions of each Unit/Module Equipment Design Specification (continued)

| No. | Name | Doc No. (NICSD number) | Rev | Type of Changes: Corrections | Type of Changes: Additions | Type of Changes: Others | Total |
|-----|------|------------------------|-----|------------------------------|----------------------------|-------------------------|-------|
| 7 | BLANK Module Equipment Design Specification | 5G8HA756 | 0 | | | | |
| 8 | LVPS Module Equipment Design Specification | 5G8HA757 | 0 | | | | |
| 9 | AO Module Equipment Design Specification | 5G8HA758 | 0 | | | | |
| 10 | DIO Module Equipment Design Specification | 5G8HA759 | 0 | | | | |
| 11 | TRN Module Equipment Design Specification | 5G8HA760 | 1 2 | | | 1 | |
| 12 | RCV Module Equipment Design Specification | 5G8HA761 | 1 | | | | |
| | | | 3 | | | 1 | |

The types of changes are the same as those reported in the Concept Phase VVR. These changes are:

- Corrections: This type of change is made to correct any incorrect requirements, incorrect descriptions or errors.
- Additions: This type of change is made to add new design requirements or new information to the documents.
- Others: This type of change is made to improve readability, and does not change any requirements or add new information. Adding new sentences for clarification or explanation belongs to this type of change, as long as it does not add new information.

From Table 6-1, the NED V&V team found that the number of changes decreases in the latest revisions, except for the SQ-ROOT Module Equipment Design Specification.

The SQ-ROOT Module Equipment Design Specification has undergone relatively large numbers of changes. However, most changes that applied to the SQ-ROOT Module Equipment Design Specification are classified as "Others." These changes do not affect any requirements for the module or add new information.

The APRM and FLOW Module Equipment Design Specifications have undergone relatively large numbers of changes, which belong to "Corrections" and "Additions." However, these documents have been revised only once, so the specifications of the APRM and FLOW modules were thought to be under control.

The NED V&V team concluded that the maturity of the documents in Table 6-1 is high enough to be acceptable.

For the NED V&V activities, no change has been made for the Requirement Phase PHA Report.

One VNNR was issued for the NICSD V&V activities, and one NNR was issued for the NED V&V activities. The number was small and raised no problem for the metrics.

## 7. Findings and Recommendations, and Conclusions

The NED V&V team have reviewed the Requirements Definition Phase V&V activities of NED and NICSD, including observation. Although one VNNR was issued for the NICSD V&V activities, and one NNR was issued for the NED V&V activities, the problem was resolved before this Requirements Definition Phase VVR was issued.

The NED V&V team concluded that these Requirements Definition Phase V&V activities were acceptable.

## 8. Additional V&V Activities

#### 8.1 EMI immunity enhanced modules and VVP

NICSD developed the new LPRM and AO modules having enhanced EMI immunity as replacements for the older modules, in August 2007.

In order to verify and validate these modules, NICSD established the new separate VVP (Reference 18) for these modules based on the original NICSD VVP (Reference 7). Organization, Software Integrity Level (SIL) scheme, and responsibilities defined in the new NICSD VVP were the same as those of the original NICSD VVP.

The scope of the V&V activities defined in the new NICSD VVP was abbreviated from the older VVP to address the changes of the EMI immunity enhanced modules.

NED V&V team verified that the new NICSD VVP covered all the changes made to the EMI immunity enhanced modules, and approved the new NICSD VVP.

#### 8.2 Requirements Phase Documentation for the EMI immunity enhanced modules

Following the new VVP, NICSD revised Requirements Phase Documentation for the EMI immunity enhanced modules and Requirements Phase RTM Report, as shown in Table 8-1.

The new requirements for the EMI immunity enhanced modules were added to the original Requirements Phase RTM in new columns, which were aligned beside the columns for the older modules' requirements. The Requirements Phase RTM Report concluded that the design requirements for the EMI immunity enhanced modules were the same as those of the original models, except for model numbers.

The NED V&V team confirmed the differences in the RTM, and obtained some additional information about the EMI immunity enhanced modules from NICSD. According to NICSD, the EMI immunity was achieved by adding some capacitors to the modules. These were issues of implementation, and did not affect equipment design. However, because the NICSD rules require changing the module model numbers if new parts were added, the LPRM and AO module equipment design specifications were revised.

Table 8-1 Revised Documents for the EMI immunity Enhanced modules

| No. | Name | Doc No.* | Rev | Remark |
|-----|------|----------|-----|--------|
| 1 | LPRM Module Equipment Design Specification (Reference 21) | 5G8HA751 | 3 | HNS011/013 |
| 2 | AO Module HNS511, 512, 513, 514 Equipment Design Specification (Reference 22) | 5G8HA758 | 2 | HNS511/512/513/514/515/516/517/518 |
| 3 | Requirement Definition Phase Requirement Traceability Matrix Report (Reference 19) | 5B8H6238 | 0 | |

\* NICSD Document Number

The additional NICSD V&V Final Report (Reference 20) for the new modules had the portion corresponding to the Requirements Definition Phase, and it stated that the differences of the new modules were model numbers.

The NED V&V team observed the additional V&V activities for the new modules, and concluded that the NICSD V&V team performed the V&V activities in accordance with the new NICSD VVP. They performed independent document reviews, RTM activities, and reporting.

Considering the changes made to the EMI immunity enhanced modules, the NED V&V team concluded that NICSD had performed additional V&V activities commensurate with the levels of the changes, and V&V activities of this Requirements Definition Phase for the EMI immunity enhanced modules were acceptable.

## 9. Abbreviations

| Abbreviation | Meaning |
|----------|--------------------------------------------------------------|
| ADC      | Analog Digital Converter                                     |
| APRM     | Average Power Range Monitor                                  |
| CCF      | Common Cause Failure                                         |
| EMI      | Electro Magnetic Interference                                |
| ERS      | Equipment Requirement Specification                          |
| FMEA     | Failure Modes and Effects Analysis                           |
| FPGA     | Field Programmable Gate Array                                |
| ICDD     | Control & Electrical Systems Design & Engineering Department |
| LPRM     | Local Power Range Monitor                                    |
| NED      | Nuclear Energy Systems and Services Division                 |
| NICSD    | Nuclear Instrumentation & Control Systems Department         |
| NNR      | Nonconformance Notice Report                                 |
| NRW-FPGA | Non Re-Writable Field Programmable Gate Array                |
| PHA      | Preliminary Hazard Analysis                                  |
| PRM      | Power Range Monitor                                          |
| RTM      | Requirements Traceability Matrix                             |
| SIL      | Software Integrity Level                                     |
| SQAP     | Software Quality Assurance Plan                              |
| SRS      | Software Requirements Specification                          |
| VHDL     | Very High Speed Integrated Circuit Hardware Definition Language (A hardware description language that defines the FPGA circuit) |
| VNNR     | Vendor Nonconformance Notice Report                          |
| VVP      | Verification and Validation Plan                             |
| VVR      | Verification and Validation Report                           |
| V&V      | Verification and Validation                                  |

#### FPG-DRT-C51-0012 Rev. 1

## Appendix

#### Table An Example of the Requirements Phase RTM

#### (Partly copied and translated from the Requirements Phase RTM Report for demonstration)



#### Table An Example of the Requirements Phase RTM (continued)

#### (Partly copied and translated from the Requirements Phase RTM Report for demonstration)

| No | Findings and Open Items | Project Planning and Concept Definition Phase | Requirements Definition Phase: Unit Design Specifications (5G8HA748 Rev.3) | Requirements Definition Phase: Unit Design Specifications, LPRM/APRM Unit (5G8HA749 Rev.3) | Requirements Definition Phase: Module Design Specifications, LPRM Module | Requirements Definition Phase: Module Design Specifications, APRM Module (5G8HA752 Rev.1) | Requirements Definition Phase: Module Design Specifications, STATUS Module (5G8HA755 Rev.3) |
|----|----|----|----|----|----|----|----|
| 3 | | | | | | | |
| 4 | | | | | | | |
| 5 | | | | | | | |

Safety-Related

Document No. FPG-DRT-C51-0013

NRW-FPGA-Based PRM System Qualification Project

Document Title: Design Phase V&V Report

| CUSTOMER NAME | None |
|---------------|------|
| PROJECT NAME  | NRW-FPGA-Based PRM System Qualification Project |
| ITEM NAME     | PRM I |
| ITEM NO.      |      |

FPG-DRT-C51-0016 Rev.1 Attachment-3 FPG-DRT-C51-0013 Rev.0

| Rev No. | Date          | History         | Approved by | Reviewed by | Prepared by |
|---------|---------------|-----------------|-------------|-------------|-------------|
| 0       | Sep. 29, 2007 | The first issue | T.Ito       | T. Ito      | T.Hayashi   |

### Document Review Sheet

| Review Results | Acceptable | Acceptable with Unverified Portions | □Not Acceptable |
|----------------|------------|-------------------------------------|-----------------|
| Comments       | None.      |                                     |                 |

| Items                            | Results |     |      |
|----------------------------------|---------|-----|------|
| Is the document complete?        | ⊠YES    | □NO | □N/A |
| Are the descriptions correct?    | ⊠YES    | □NO | □N/A |
| Are the descriptions consistent? | ⊠YES    | □NO | □N/A |
| Are the descriptions accurate?   | ⊠YES    | □NO | □N/A |

Independent Reviewer (Sign & Date) Jahialai Ho Sep. 27, 2007

#### **Table of Contents**

- 1. Purpose
- 2. References
- 3. V&V activities
  - 3.1 Document Reviews
  - 3.2 Design Phase RTM effort
- 4. Problem Reporting and Corrective Actions
- 5. Metrics
- 6. Findings, Recommendations, and Conclusions
- 7. Abbreviations
- Appendix

## 1. Purpose

This report summarizes the Design Phase Verification & Validation (V&V) activities that have been performed in accordance with NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan (VVP) (Reference 2).

NICSD performed the Design Phase V&V activities in accordance with the NICSD Verification and Validation Plan (NICSD VVP) (Reference 5), and summarized their V&V activities in the NICSD Design Phase V&V Report (NICSD Design Phase VVR) (Reference 7).

Later, NICSD added two new modules with enhanced Electro Magnetic Interference (EMI) immunity as replacements for the older modules. NICSD established the new NICSD VVP (Reference 23) for these new modules, based on the original NICSD VVP (Reference 5), covering the differences of these modules from the older modules. NICSD performed V&V activities for these new modules in accordance with the new NICSD VVP. As a result of the additional V&V activities, NICSD updated the Design Phase RTM Report (Reference 6) to the Design Phase RTM Report (Reference 24), and summarized the V&V activities in the V&V Final Report (Reference 25).

This report confirmed the NICSD V&V activities through the NICSD Design Phase VVR and V&V Final Report for the new modules. In addition, this report reviewed the Design Phase Preliminary Hazard Analysis (PHA) performed by NED (Reference 3).

## 2. References

- 1 FPG-PLN-C51-0002, Software Quality Assurance Plan, Rev.2
- 2 FPG-PLN-C51-0006, NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan, Rev. 4

- 3 FPG-DRT-C51-0019, Design Phase Preliminary Hazard Analysis Report, Rev.0
- 4 FPG-DRT-C51-0012, Requirements Definition Phase V&V Report, Rev.1
- 5 FPG-VDN-C51-0003, Verification & Validation Plan, Rev.2
- 6 FPG-VDN-C51-0078, Design Phase RTM Report, Rev.2
- 7 FPG-VDN-C51-0077, Design Phase V&V Report, Rev.2
- 8 FPG-VDN-C51-0032
- 9 FPG-VDN-C51-0065,
- 10 FPG-VDN-C51-0072
- 11 FPG-VDN-C51-0022
- 12 FPG-VDN-C51-0023
- 13 FPG-VDN-C51-0024,
- 14 FPG-VDN-C51-0025
- 15 FPG-VDN-C51-0043
- 16 FPG-VDN-C51-0019, TRN Module HNS530 Equipment Design Specification, Rev.2
- 17 NICSD D-68017, NICSD Procedural Standard for FPGA Device Development, Rev.2
- 18 NICSD D-68018, NICSD Procedural Standard for Functional Element Development, Rev.3
- 19 NICSD D-68019, NICSD Procedural Standard for FPGA Configuration Management, Rev.2

- 20 NICSD D-68020, NICSD Procedural Standard for Control of Software Tools Used with FPGA Based Systems, Rev.2
- 21 Nonconformance Notice Report 06-002-I
- 22 Vendor Nonconformance Notice Report 06-012
- 23 FPG-VDN-C51-0309, Verification and Validation Plan, Rev.0
- 24 FPG-VDN-C51-312, Design Phase RTM Report, Rev.0
- 25 FPG-VDN-C51-0310, V&V Final Report, Rev.0

## 3. V&V activities

The NED VVP (Reference 2) states that the Design Phase V&V activities shall be performed with the following inputs and outputs.

V&V Inputs:

- (1) Unit/Module Design Specifications (Base Document)
- (2) Requirements Definition Phase RTM (Base Document)
- (3) FPGA Design Specification (Review Document)
- (4) Design Phase Preliminary Hazard Analysis Report (Review Document)

V&V Outputs:

- (1) Document Review Reports (by NICSD and NED)
- (2) Design Phase RTM (by NICSD)
- (3) NICSD Design Phase VVR (by NICSD)
- (4) Design Phase VVR (by NED)

### 3.1 Document Reviews

The NED VVP requires the reviews identified in items (1) and (2) below.

"(1) The NICSD V&V team shall perform an independent review of the Software Design Description (SDD) included in the FPGA Design Specifications for completeness, correctness, consistency, and accuracy. The special instruction to be applied in the review is that the logic of the FPGA shall be constructed of previously tested Functional Elements (FEs), and the interface to each FE shall be consistent with that specified in FE specifications. The review includes the check of FE documents."

Section 3 of the NICSD Design Phase VVR (Reference 7) reported that NICSD has reviewed the documents listed in Table 3-1, which was copied and translated from the NICSD Design Phase VVR. The NED V&V team confirmed that the documents listed in Table 3-1 correspond to the SDD in the NED VVP.

The NICSD Design Phase VVR reported that the reviews had been performed stressing the following points:

- Completeness, correctness, consistency and accuracy of the SDD included in the FPGA Design Specifications.
- Compliance with the design rules of FPGA logic in Appendix A of NICSD procedure D-68017 (Reference 17).
- Whether the FPGAs were constructed of FEs, and whether the interface to each FE was consistent with that specified in the FE specifications.
- Whether the FEs were previously tested.

#### Table 3-1 Reviewed Documents by NICSD

(Copied and Translated from the NICSD Design Phase VVR (Reference 7))

| No. | Name | Doc. No.<br>(NICSD number) | Rev. | Remark |
|-----|------|----------------------------|------|--------|
| [\_\_\_\_\_\_]<sup>a,c</sup> |      |                            |      |        |

In order to check the reviews performed by NICSD V&V team, the NED V&V team made spot checks on selected documents. The checked documents were:

[\_\_\_\_\_\_]<sup>a,c</sup>

The NED V&V team performed the checks in accordance with Section 5.4.1 of the NED VVP. The NED V&V team made thorough reviews of the eight selected documents for completeness, correctness, consistency, and accuracy as required by the NED VVP. The NED V&V team found that NICSD had reviewed the eight documents appropriately and with the level of intensity that NED required and expected.

The FPGAs listed in Table 3-1 use FEs to implement their functions. Section 5.4 of the NED VVP states that all the FEs used in design are registered in the FE library through the life-cycle activities defined in the NICSD D-68018 "NICSD Procedural Standard for Functional Element Development" (Reference 18). The NICSD Design Phase VVR reported as follows:

FEs to be used in this project were designed and evaluated in accordance with NICSD D-68018 "NICSD Procedural Standard for Functional Element Development," and the following checks are to be performed in these V&V activities following the NICSD VVP.

- 1) FE documents checks
- 2) FE library and software library management checks

For the first check, the NICSD V&V team confirmed that full pattern testing had been performed for all FEs, and that the requirements in the FE Requirements Specifications had been traced to and from the FE Specifications and FE Test Procedures using a Requirements Traceability Matrix (RTM).

For the second check, the NICSD V&V team confirmed that the FEs were managed using FE Control Sheets in the FE library, in accordance with the NICSD D-68019 "NICSD Procedural Standard for FPGA Configuration Management" (Reference 19), and that the Software Library was managed using Software Tool Information Sheets, in accordance with the NICSD D-68020 "NICSD Procedural Standard for Control of Software Tools Used with FPGA Based Systems" (Reference 20).

The NED V&V team observed the selected NICSD V&V team activities for FEs, and concluded that the FEs were appropriately controlled.

As a result of the check, the NED V&V team concluded that the NICSD V&V review was appropriate and acceptable.

"(2) The NED V&V team shall independently review the Design Phase PHA."

The NED V&V team performed the review of the Design Phase PHA Report (Reference 3) for completeness, correctness, consistency, and accuracy as required by the NED VVP.

The Design Phase PHA analyzed the concerns about FPGA designs that arose in the Requirements Definition Phase, by examining the FPGA Design Specifications of the [\_\_\_\_\_\_]<sup>a,c</sup> [\_\_\_\_\_\_]FPGAs. These specifications describe the internal FPGA design with block diagrams, and show how the FPGA operates. The analysis was performed to resolve the above concerns, and examined each FPGA from the following points of view.

- The FPGA is designed to prevent the event.
- The FPGA is so designed that a limited number of test cases can assure that the event is unlikely.
- If the event occurs, the occurrence of the event is likely to be noticed.

The analysis tracked the signal paths and examined the structures and functions of the related blocks.

The Design Phase PHA concluded that:

- The failure of the FPGA would not lead to non-update of the RCV Module output.
- Appropriate testing of the FPGAs could assure that the output data non-update event, or the incorrect data transmission events of these FPGAs, were unlikely.

The NED V&V team deemed that the method of the analysis was detailed enough to clarify the functional mechanisms that might relate to the concerns, and concluded that the Design Phase PHA and its conclusions were acceptable.

Note that this VVR includes the "Document Review Report" required as the V&V output by the NED VVP (Reference 2).

### 3.2 Design Phase RTM effort

The NICSD VVP requires the following (1) and (2).

(1) Preparation of the Design Phase RTM

The RTM shall be prepared to confirm the following.

- 1) The basic requirements from the Requirements Definition Phase were traced to the FPGA Design Specifications, and the Software Integrity Level (SIL) requirements from the Requirements Definition Phase were reflected in the FPGA Design Specifications.
- 2) The requirements were traced from the FPGA Design Specifications back to Requirements Definition Phase.

(2) Compilation of the Design Phase RTM report

The NICSD V&V established a separate Design Phase RTM for each of the LPRM, APRM, STATUS, SQ-ROOT, FLOW, TRN, and RCV modules. NICSD did not prepare RTMs for the remaining AO, DIO, LVPS, and BLANK modules, because these modules have no FPGA, and implement no requirement from the Software Requirements Specifications included in the Unit/Module Design Specifications.

Each RTM consists of rows and columns. The first and leftmost column of the RTM corresponds to a Module Equipment Design Specification, and FPGA Design Specifications are placed from the second column onward. The last and rightmost column is labeled "Hardware," and includes requirements that are not assigned to any FPGAs. Each row of the first column identifies section numbers of the Module Equipment Design Specification that include the requirements in the Requirements Definition Phase. These Requirements Definition Phase requirements were traced from and to the Concept Definition Phase in the Requirements Definition Phase RTM efforts.

The Appendix shows the TRN Module RTM, which was copied and translated from the NICSD Design Phase RTM Report (Reference 6). The first column corresponds to the TRN Module HNS530 Equipment Design Specification (Reference 16); the second, third and fourth columns correspond to the [\_\_\_\_\_\_]FPGA Design Specification (References 11, 12, 13). The fifth column is labeled "Hardware."

The second row of the first column reads "2.3 AD Conversion Data Interface," and the second row of the second column reads as follows:

3. Functions

3.1 AD Conversion Data Interface

3.2 Address Counter

3.3 Data Selector

3.4 Parallel to Serial Conversion

3.5 Alarm Data Generation

3.6 Test Circuit

This shows that the requirements in 2.3 AD Conversion Data Interface are traced to Sections 3.1, 3.2, 3.3, 3.4, 3.5, and 3.6 of the FPGA Design Specification. The NICSD Design Phase RTM Report reported that the NICSD V&V team confirmed the traceability by checking the TRN Module HNS530 Equipment Design Specification and FPGA Design Specifications.

In a similar way, Section 2.4 of the TRN Module HNS530 Equipment Design Specification is traced to Sections 3.1, 3.2, and 3.3 of the FPGA Design Specification, and Section 2.5 of the TRN Module HNS530 Equipment Design Specification is traced to Sections 3.1, 3.2, 3.3, 3.4, and 3.5 of the FPGA Design Specification. Section 2.6 of the TRN Module HNS530 Equipment Design Specification is traced to Sections 3.2 and 3.6 of the FPGA Design Specification.

Section 2.7 of the TRN Module HNS530 Equipment Design Specification is traced to the "Hardware" column, because the Power On Reset is not implemented in FPGAs, but in hardware.
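The two traceability directions described above can be checked mechanically. The following Python sketch is an added example, not part of the report or of NICSD's tooling; it uses the section numbers quoted in the text, merges the RTM's three FPGA columns into one (a simplifying assumption), and the defective entries `2.8`, `3.7` and `3.9` are constructed.

```python
"""Bidirectional check of a Design Phase RTM (added illustration)."""

HARDWARE = "Hardware"  # column for requirements not assigned to any FPGA

# Sections of the FPGA Design Specification listed in the text (3.1 to 3.6).
DESIGN_SECTIONS = ["3.1", "3.2", "3.3", "3.4", "3.5", "3.6"]

# Rows of the TRN module RTM as the text describes them.
# Key: section of the Module Equipment Design Specification.
# Value: design sections (or "Hardware") the requirement is traced to.
# Assumption: the three FPGA columns of the real RTM are merged into one.
TRN_RTM = {
    "2.3": ["3.1", "3.2", "3.3", "3.4", "3.5", "3.6"],
    "2.4": ["3.1", "3.2", "3.3"],
    "2.5": ["3.1", "3.2", "3.3", "3.4", "3.5"],
    "2.6": ["3.2", "3.6"],
    "2.7": [HARDWARE],
}


def check_rtm(rtm, design_sections):
    """Return the three kinds of traceability defect found in an RTM."""
    known = set(design_sections)

    # Forward direction: every requirement must reach a design section
    # or be explicitly assigned to hardware.
    untraced = sorted(req for req, targets in rtm.items() if not targets)

    # A trace that points at a section the design specification lacks.
    dangling = sorted(
        (req, target)
        for req, targets in rtm.items()
        for target in targets
        if target != HARDWARE and target not in known
    )

    # Backward direction: design content that no requirement reaches would
    # mean a new requirement was created in the Design Phase.
    reached = {target for targets in rtm.values() for target in targets}
    orphans = sorted(known - reached)

    return {
        "untraced_requirements": untraced,
        "dangling_targets": dangling,
        "orphan_design_sections": orphans,
    }


def backward_index(rtm):
    """Invert the matrix: design section -> requirements it implements."""
    index = {}
    for req, targets in rtm.items():
        for target in targets:
            index.setdefault(target, []).append(req)
    return {target: sorted(reqs) for target, reqs in sorted(index.items())}


def defective_example():
    """Run the check on a copy of the RTM with three constructed defects."""
    rtm = dict(TRN_RTM)
    rtm["2.8"] = []                       # constructed: requirement never traced
    rtm["2.6"] = ["3.2", "3.9"]           # constructed: trace to a missing section
    sections = DESIGN_SECTIONS + ["3.7"]  # constructed: design with no requirement
    return check_rtm(rtm, sections)


if __name__ == "__main__":
    print("TRN RTM:", check_rtm(TRN_RTM, DESIGN_SECTIONS))
    print("Backward index:", backward_index(TRN_RTM))
    print("Defective RTM:", defective_example())
```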

In order to verify the RTM efforts, the NED V&V team made spot checks of the NICSD Design Phase RTM Report against the following FPGA Design Specifications.

For the SIL requirements, the NICSD Design Phase VVR stated that all Module Equipment Design Specifications required SIL 4 for all FPGAs.

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

By reviewing the NICSD Design Phase RTM Report against the above documents, the NED V&V team concluded that the Design Phase RTM was appropriate, in that all requirements were traceable to the Requirements Definition Phase, the requirements were appropriate, and no new requirements were created in the Design Phase.

For the new EMI immunity enhanced modules, the Design Phase RTM Report (Reference 24) and the Design Phase portion of the NICSD V&V Final Report (Reference 25) concluded that there was no difference in the FPGA designs for the new modules. Since the difference between the new modules and the older modules was the addition of some capacitors to the modules, as reported in the Requirements Definition Phase VVR (Reference 4), this conclusion was anticipated.

## 4. Problem Reporting and Corrective Actions

Nonconformance Notice Report (NNR) 06-002-I (Reference 21) was issued. It is the same NNR referred to in the Requirements Definition Phase VVR (Reference 4).

For the NICSD Design Phase V&V activities, the NNR reported the following problems:

- "A part of fabrication design documents provided by the ERS of PRM system was not described in the RTM report."
- "The recommendation and the suggestion for the risk reduction were not described in the V&V report."

These two problems corresponded to the problems that were reported in the Vendor Nonconformance Report (VNNR) 06-012 (Reference 22).

The NICSD Design Phase VVR (Reference 7) reported that the corresponding problems in the VNNR 06-012 had been resolved, and the VNNR had been closed. The NED V&V team confirmed the resolution of the problems through this phase's V&V activities.

## 5. Metrics

The number of changes applied to newer revisions of individual documents, and the number of Nonconformance Notice Reports are used as the metrics for NED and NICSD V&V activities.

Section 5 of the NICSD Design Phase VVR (Reference 7) reported that:

- (1) Problem Reporting and Nonconformance Notice Report were issued for the NICSD V&V activities, and they were closed.
- (2) The number of changes applied to newer revisions of each FPGA Design Specification decreases as its revision proceeds. Therefore, the remaining issues that should be changed are few.

For (1), the number of the Problem Reporting and the Nonconformance Notice Report is small, so it is acceptable.

For (2), **Table 5-1** shows the number of changes applied to newer revisions of each FPGA Design Specification, which was copied and translated from the NICSD Design Phase VVR. Based on the table, the conclusion of the NICSD Design Phase VVR on this issue is acceptable.


| No. | Name | Doc No.<br>(NICSD number) | Rev | Type of Changes |     |        | Total |
|-----|------|---------------------------|-----|-----------------|-----|--------|-------|
|     |      |                           |     | Corrections     |     | Others |       |

#### Table 5-1 The number of changes applied to newer revisions of each FPGA Design Specification

(Copied and Translated from the NICSD Design Phase VVR (Reference 7))


(Continued)

#### Table 5-2 The number of changes applied to newer revisions of each FPGA Design Specification

For the NED V&V activities, no change has been made to the Preliminary Hazard Analysis Report for the Design Phase, and one Nonconformance Notice Report has been issued. Because the number of NNRs is small, it is acceptable.

## 6. Findings, Recommendations, and Conclusions

The NED V&V team have reviewed the Design Phase V&V activities of NED and NICSD, including observation. Although one VNNR was issued for the NICSD V&V activities, and one NNR was issued for the NED V&V activities, the problems were resolved.

The NED V&V team conclude that these Design Phase V&V activities are acceptable.

For SIL requirements, the NED V&V team recommend that the SIL requirements should be identified on the cover page of FPGA Design Specifications in future projects. A project may not require SIL four for every FPGA in a project. In that case, the identification on the cover page will clearly distinguish the SIL 4 FPGAs from other FPGAs.

## 7. Abbreviations

- APRM Average Power Range Monitor
- ERS Equipment Requirement Specification
- FE Functional Element
- FPGA Field Programmable Gate Array
- LPRM Local Power Range Monitor
- NED Nuclear Energy Systems and Services Division
- NICSD Nuclear Instrumentation & Control Systems Department
- NNR Nonconformance Notice Report
- NRW-FPGA Non Re-Writable Field Programmable Gate Array
- PHA Preliminary Hazard Analysis
- PRM Power Range Monitor
- RTM Requirements Traceability Matrix
- SDD Software Design Description
- SIL Software Integrity Level
- SQAP Software Quality Assurance Plan
- VNNR Vendor Nonconformance Notice Report
- VVP Verification and Validation Plan
- VVR Verification and Validation Report
- V&V Verification and Validation

## Appendix

Example of a Design Phase RTM.

| Requirements Definition<br>Phase | Design Phase                 |
|----------------------------------|------------------------------|
|                                  | [\_\_\_\_\_\_]<sup>a,c</sup> |

FPG-DRT-C51-0016 Rev.1

FPG-DRT-C51-0013 Rev.0


| Requirements Definition Phase | Design Phase                 | Hardware |
|-------------------------------|------------------------------|----------|
|                               | [\_\_\_\_\_\_]<sup>a,c</sup> |          |


|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | hment<br>ety-Relat                   |                    |                                                                 |         |          |               |      |     |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|--------------------|-----------------------------------------------------------------|---------|----------|---------------|------|-----|--|
| 2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                      |                    | Docume                                                          | ent No. | FPG-DR   | T-C51-0       | 0014 | Rev |  |
| , N                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                                      |                    | PRM Syste                                                       |         | alificat | tion P        | roje | ct  |  |
**Implementation and Integration Phase V&V Report**

| Field         | Value                                           |
|---------------|-------------------------------------------------|
| CUSTOMER NAME | None                                            |
| PROJECT NAME  | NRW-FPGA-Based PRM System Qualification Project |
| ITEM NAME     | PRM Equipment                                   |
| ITEM NO.      | C51                                             |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division


FPG-DRT-C51-0016 Rev.1 Attachment-4

#### FPG-DRT-C51-0014 Rev. 0

| Rev No. | Date          | History       | Approved by | Reviewed by | Prepared by |
|---------|---------------|---------------|-------------|-------------|-------------|
| 0       | Feb. 12, 2008 | Initial Issue | T. Ito      | T. Ito      | T.Hayash    |


#### Document Review Sheet

Review result: ☒ Acceptable ☐ Acceptable with Unverified Portions ☐ Not Acceptable

Unverified portions: None

Checklist entries: ☒ YES ☐ NO ☐ N/A

Independent Reviewer (Sign & Date) Tahiaki Ho Feb. 12, 2008

### **Table of Contents**

- 1 Purpose
- 2 References
- 3 V&V activities
  - 3.1 VHDL Source Codes, Logic Synthesis, and Layout Verification
  - 3.2 FPGA Validation Testing
  - 3.3 Document Reviews
  - 3.4 Implementation Phase RTM effort
  - 3.5 Assessment of Software tools
- 4 Problem Reporting and Corrective Actions
- 5 Metrics
- 6
- 7
- Appendix

## 1 Purpose

This report summarizes the Integration & Implementation Phase (Implementation Phase) Verification & Validation (V&V) activities that have been performed in accordance with the Non-Re-Writable Field Programmable Gate Array (NRW-FPGA)-Based Power Range Neutron Monitoring (PRM) System Qualification Project Verification and Validation Plan (VVP) (Reference 2).

Nuclear Instrumentation and Control Systems Department (NICSD) performed the Implementation Phase V&V activities in accordance with the NICSD Verification and Validation Plan (NICSD VVP) (Reference 3), and summarized their V&V activities in the NICSD Implementation & Integration Phase V&V Report (NICSD Implementation Phase VVR) (Reference 8).

This report confirmed successful and acceptable completion of the NICSD V&V activities through the NICSD Implementation Phase VVR, and reviewed and accepted the Implementation and Integration Phase Preliminary Hazard Analysis Report (PHA) performed by NED (Reference 4).

## 2 References

| No. | Document No.     | Title                                                                                     |
|-----|------------------|-------------------------------------------------------------------------------------------|
| 1   | FPG-DRT-C51-0005 | NICSD's CDR Report, Rev. 1                                                                |
| 2   | FPG-PLN-C51-0006 | NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan, Rev. 4  |
| 3   | FPG-VDN-C51-0003 | NICSD Verification & Validation Plan, Rev. 2                                              |
| 4   | FPG-DRT-C51-0020 | Implementation and Integration Phase Preliminary Hazard Analysis Report, Rev. 0           |
| 5   | FPG-VDN-C51-0077 | NICSD Design Phase V&V Report, Rev. 2                                                     |
| 6   | FPG-DRT-C51-0013 | Design Phase V&V Report, Rev. 1                                                           |
| 7   | FPG-VDN-C51-0120 | Implementation and Integration Phase RTM, Rev. 1                                          |
| 8   | FPG-VDN-C51-0120 | NICSD Implementation and Integration Phase V&V Report, Rev. 2                             |
| 9   | FPG-VDN-C51-0119 | a,c                                                                                       |
| 10  | FPG-VDN-C51-0045 |                                                                                           |
| 11  | FPG-VDN-C51-0048 |                                                                                           |
| 12  | FPG-VDN-C51-0059 |                                                                                           |
| 13  | FPG-VDN-C51-0112 |                                                                                           |
| 14  | FPG-VDN-C51-0108 |                                                                                           |
| 15  | FPG-VDN-C51-0110 |                                                                                           |
| 16  | NICSD D-68016    | NICSD for FPGA Products Development, Rev. 3                                               |
| 17  | NICSD D-68017    | NICSD Procedural Standard for FPGA Device Development, Rev. 3                             |
| 18  | NICSD D-68019    | NICSD Procedural Standard for FPGA Configuration Management, Rev. 2                       |
| 19  | NICSD D-67003    | NICSD Procedural Standard for Software Media Registration and Change, Rev. 9              |
| 20  | NICSD 5B8H6182   | FPGA Design Timing Verification Report                                                    |
| 21  |                  | Nonconformance Notice Report 06-002-I                                                     |
| 22  |                  | Vendor Nonconformance Notice Report 06-012                                                |
| 23  |                  | Actel, "Antifuse Macro Library Guide" for software v7.2                                   |
| 24  |                  | Actel, datasheet "SX-A Family FPGAs" v5.2                                                 |

## 3 V&V activities

The development activities in the Implementation Phase are divided into the following steps.

Step (1): VHDL Source Coding

NICSD design engineers coded the FPGA design into VHDL source codes.

Step (2): FPGA Implementation

The VHDL source codes were compiled into gate-level netlists by the Synplify<sup>®</sup> tool.

Step (3): FPGA Validation

The NICSD design engineers tested the design using simulation tools, and then tested the logic in FPGA chips using the PinPort device and ModelSim<sup>®</sup> tool.

The NED VVP states that the Implementation Phase V&V activities shall be performed with the following inputs and outputs.

V&V Inputs:

- (1) FPGA Design Specifications (Base Document)
- (2) Design Phase RTM (Base Document)
- (3) FPGA Source Codes written in Very High Speed Integrated Circuit Hardware Description Language (VHDL) (Review Document)
- (4) Log files produced by software tools (Review Document)
- (5) FPGA validation test procedures (Review Document)
- (6) FPGA validation test reports (Review Document)
- (7) Software Baseline (Review Document)
- (8) Implementation Phase Requirements Traceability Matrix (RTM) (Review Document)
- (9) PHA Report (Review Document)

V&V Outputs:

- (1) Document Review Reports (by NICSD and NED)
- (2) Implementation Phase RTM (by NICSD)
- (3) NICSD Implementation Phase VVR (by NICSD)
- (4) Implementation Phase VVR (by NED)

### 3.1 VHDL Source Codes, Logic Synthesis, and Layout Verification

In the Implementation Phase, the NICSD engineers coded the FPGA design, represented as logic diagrams, into VHDL source codes in accordance with NICSD D-68017 "NICSD Procedural Standard for FPGA Device Development" (Reference 17). Since the logic diagram specifies the connections among the Functional Elements (FEs) and macros in the Actel<sup>®</sup> Macro Library (Reference 23), the relation between a logic diagram and the corresponding VHDL source code was clear. The NICSD engineers used the Synplify<sup>®</sup> tool to convert each VHDL source code into a netlist, which was stored in an Electronic Design Interchange Format (EDIF) file. The Designer tool, or "place and route" tool, converted the netlist into a fusemap, which can be directly embedded in the FPGA. The FEs and macros were merged in the fusemap by the Designer tool. The generated fusemaps were subjected to FPGA testing.

After the FPGA testing, the NICSD engineers prepared the FPGA control sheets for the tested fusemaps, in accordance with NICSD D-68019 "NICSD Procedural Standard for FPGA Configuration Management" (Reference 18), and registered each fusemap with an attached Engineering Communication Sheet (ECS), in accordance with NICSD procedure D-67003 "NICSD Procedural Standard for Software Media Registration and Change" (Reference 19).

Table 3-1, which was copied and translated from the NICSD Implementation Phase VVR (Reference 8), shows the Registered FPGAs with the FPGA control sheet number, the Fusemap registration number, and the media attached ECS number.

#### Table 3-1 Registered FPGAs

| No. | FPGA Name | FPGA Control Sheet No. | Fusemap Registration No. | Media Attached ECS No. |
|-----|-----------|------------------------|--------------------------|------------------------|
| [ ]<sup>a,c</sup> |  |  |  |  |

The NICSD V&V team performed the following V&V activities in accordance with the NICSD VVP (Reference 3):

- (1) Verify that the VHDL source codes were prepared in accordance with Appendix A "FPGA Logic Design Rule" of NICSD procedure D-68017.
- (2) Verify that the logic synthesis and the layout (placing and routing) were appropriately performed using software tools, by checking the tool log files including option setting and warning messages.
- (3) Review the results of the visual inspection of netlists, in which the netlists were drawn as logic diagrams and visually compared with the VHDL source codes and the FPGA specification.

#### 3.1.1 Verification of VHDL Source Codes

The NICSD Implementation Phase VVR reported that the NICSD V&V team verified that the following five requirements in Appendix A of the NICSD procedure D-68017 were fulfilled:

- (1) Use of FE
- (2) Synchronous Design
- (3) Maximum Logic Depth
- (4) Naming Rules
- (5) VHDL Coding

(1) Use of FE

The NICSD procedure D-68017 states that the FPGA logic shall be designed only as combinations of the verified FEs and the macros in the Actel<sup>®</sup> Macro Library. The NICSD Design Phase VVR (Reference 5) reported that the verified FEs were controlled using the FE control sheets. Each FPGA design specification listed the verified FEs to be used in the FPGA. The NICSD Implementation Phase VVR reported that the NICSD V&V team examined the VHDL source codes and confirmed that the FEs used in the VHDL source codes matched the FEs listed in the corresponding FPGA design specification.

Based on the NICSD Implementation Phase VVR and additional information obtained from the NICSD V&V team, the NED V&V team confirmed that the VHDL source codes were produced only using FEs and macros in the Actel<sup>®</sup> Macro Library, in accordance with the NICSD procedure D-68017.
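The "Use of FE" check described above can also be expressed as an automated cross-check. The following is an added example, not NICSD's or NED's tooling (the report describes an examination of the source codes, not a script). It assumes structural VHDL that uses component or direct entity instantiation; the FE names, the macro allow-list, the sample design and the treatment of `process` blocks as logic outside the verified FEs are constructed assumptions.

```python
"""Added example: cross-check VHDL instantiations against a specification's FE list."""
import re
from dataclasses import dataclass

# VHDL comments run from "--" to end of line; removing them keeps line numbers intact.
COMMENT_RE = re.compile(r"--[^\n]*")

# label : [component | entity lib.] unit [(arch)] generic|port map
INST_RE = re.compile(
    r"\b(?P<label>[a-z][a-z0-9_]*)\s*:\s*"
    r"(?:component\s+|entity\s+(?:[a-z][a-z0-9_]*\.)?)?"
    r"(?P<unit>[a-z][a-z0-9_]*)"
    r"(?:\s*\(\s*[a-z][a-z0-9_]*\s*\))?"
    r"\s+(?:generic|port)\s+map\b",
    re.IGNORECASE,
)

# Assumption: a process statement is behavioural logic that is not a verified FE or macro.
PROCESS_RE = re.compile(
    r"^[ \t]*(?:[a-z][a-z0-9_]*[ \t]*:[ \t]*)?process\b",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class FeReport:
    instances: dict      # instance label -> instantiated unit (lower-cased)
    unlisted: set        # units used but in neither the spec FE list nor the macro library
    unused_fes: set      # FEs listed in the specification but never instantiated
    process_lines: list  # 1-based line numbers where a process statement starts

    @property
    def ok(self):
        return not (self.unlisted or self.unused_fes or self.process_lines)


def check_fe_usage(vhdl_text, spec_fes, macro_library):
    """Compare the units instantiated in vhdl_text with the allowed FE and macro names."""
    code = COMMENT_RE.sub("", vhdl_text)
    spec = {name.lower() for name in spec_fes}          # VHDL identifiers are case-insensitive
    macros = {name.lower() for name in macro_library}
    instances = {
        m.group("label").lower(): m.group("unit").lower()
        for m in INST_RE.finditer(code)
    }
    used = set(instances.values())
    process_lines = [code.count("\n", 0, m.start()) + 1 for m in PROCESS_RE.finditer(code)]
    return FeReport(instances, used - spec - macros, spec - used, process_lines)


# Constructed sample design (hypothetical names, not taken from the report).
SAMPLE_VHDL = """\
library ieee;
use ieee.std_logic_1164.all;

entity trn_mux is
  port (clk : in std_logic; d : in std_logic; q : out std_logic);
end entity;

architecture structural of trn_mux is
  component fe_sync_reg
    port (clk, d : in std_logic; q : out std_logic);
  end component;
  signal s1, s2 : std_logic;
begin
  u_sync : fe_sync_reg port map (clk => clk, d => d, q => s1);
  u_and  : AND2 port map (A => s1, B => d, Y => s2);
  u_dbg  : entity work.debug_tap(rtl)
    port map (clk => clk, d => s2, q => q);  -- not in the specification
  -- u_old : fe_old_filter port map (...);   commented out, must be ignored
  glue : process (clk)
  begin
    if rising_edge(clk) then null; end if;
  end process;
end architecture;
"""

SPEC_FES = ["fe_sync_reg", "fe_old_filter"]   # constructed FE list from a hypothetical spec
MACRO_LIBRARY = ["AND2", "DF1"]               # constructed sample of vendor macro names

if __name__ == "__main__":
    report = check_fe_usage(SAMPLE_VHDL, SPEC_FES, MACRO_LIBRARY)
    print("instances     :", report.instances)
    print("unlisted units:", sorted(report.unlisted))
    print("unused FEs    :", sorted(report.unused_fes))
    print("process lines :", report.process_lines)
    print("result        :", "PASS" if report.ok else "FAIL")
```

A mismatch in either direction fails the check, which mirrors the report's statement that the FEs used in the source codes matched the FEs listed in the design specification.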

#### (2) Synchronous Design

Appendix A of the NICSD procedure D-68017 states that "the propagation delays of

a,c

The NICSD Implementation Phase VVR reported that the synchronous design was evaluated in the FPGA Design Timing Verification Report (Reference 20), which was prepared by the NICSD design engineer, and reviewed by the NICSD V&V team. The following explanation is based on the NICSD Implementation Phase VVR and information obtained from the NICSD V&V team.

The NICSD design engineers compared the actual FPGA operating frequencies with their maximum possible operating frequencies, which were calculated by the Designer tool based on the logic and their place and layout information. Based on these comparisons, the NICSD design engineers screened the FPGAs whose actual operating frequencies exceed [ ] of their maximum possible operating frequencies. This operating-frequency-based screening method is considered to be an appropriate method to apply the propagation delay criteria in the NICSD procedure D-68017, because an FPGA operating at a frequency [ ] times its actual operating frequency would still need the propagation delay between all synchronous FEs in the FPGA. If the FPGA cannot operate correctly at [ ] times its actual operating frequency, then additional evaluations are required to verify the propagation delays between synchronous FEs at its actual frequency.

Table 3-2, which was copied and translated from the NICSD Implementation Phase VVR, shows the maximum possible and actual operating frequency of each FPGA. The FPGAs whose maximum possible operating frequency is less than [ ] times its actual frequency were screened, and are marked "Yes" in the column "Needs Further Analysis." [ ] FPGAs out of a total of [ ]<sup>a,c</sup> FPGAs required further review from this screening process.

#### Table 3-2 Maximum Possible and Actual Operating Frequency of FPGA

| Module<br>Name | No | FPGA Name | Device<br>Type* | Actual<br>Frequency<br>(MHz) | Maximum<br>Possible<br>Frequency<br>(MHz) | Four times the<br>Actual<br>Frequency<br>(MHz) | Needs<br>Further<br>Analysis |     |
|----------------|----|-----------|-----------------|------------------------------|-------------------------------------------|------------------------------------------------|------------------------------|-----|
| TRN<br>Module  |    |           |                 |                              |                                           |                                                |                              | a,c |
| RCV<br>Module  |    |           |                 |                              |                                           |                                                |                              |     |
| STATUS<br>Module |  |           |                 |                              |                                           |                                                |                              |     |
| APRM<br>Module |    |           |                 |                              |                                           |                                                |                              |     |
| LPRM<br>Module |    |           |                 |                              |                                           |                                                |                              |     |
| FLOW<br>Module |    |           |                 |                              |                                           |                                                |                              |     |
| SQ-ROOT<br>Module | |           |                 |                              |                                           |                                                |                              |     |

\* Actel FPGA Device Type: 72 means SXA-72, 32 means SXA-32

Further timing analysis was performed for the [ ] screened FPGAs. The NICSD design engineers consulted the timing analysis reports produced by the Designer tool to identify the signal paths between two synchronous FEs whose propagation delay exceeds [ ] of the clock cycle time. Table 3-3, which was copied and translated from the NICSD Implementation Phase VVR, summarizes the Timing Analyses.

#### Table 3-3 Summary of the Timing Analyses

| No | FPGA Name | Device<br>Type* | Actual<br>Frequency<br>(MHz) | Maximum<br>Possible<br>Frequency<br>(MHz) | Number of paths whose propagation delays exceed [ ] of the clock cycle time<br>Type 1 | Number of paths whose propagation delays exceed [ ] of the clock cycle time<br>Type 2 | Number of paths whose propagation delays exceed [ ] of the clock cycle time<br>Total | Remark<br>Maximum delay of the type 2 paths<br>(Nanoseconds) | Remark<br>Timing margin**<br>(Nanoseconds) |     |
|----|-----------|-----------------|------------------------------|-------------------------------------------|--------|--------|-------|----------------|----------------|-----|
|    |           |                 |                              |                                           |        |        |       |                |                | a,c |

\* Actel FPGA Device Type: 72 means SXA-72, 32 means SXA-32

\*\* Clock cycle time minus Maximum delay of the type 2 paths

The NICSD design engineers examined each identified signal path, and classified the paths into [ ]<sup>a,c</sup>

a,c

Figure 3-1 MLP22 Logic diagram

An example of the Type 1 paths is the signal path from the [ ]<sup>a,c</sup> which is drawn highlighted in Figure 3-1. The calculated propagation delay for the path is [ ]<sup>a,c</sup>

The NICSD Implementation Phase VVR concluded that all FPGAs including the Type 1 paths would operate correctly, because the FEs had sufficient time to be set up.

### Figure 3-2 MLP22 Timing Chart of FE\_DFFEC\_4 path

An example of the Type 2 signal path is also drawn highlighted in Figure 3-1. The path runs

The major difference between the Type 1 and Type 2 paths is that the timing margin is shrinking in the Type 2 paths. The "Maximum delay of the type 2 paths" and "Timing margin" columns of Table 3-3 show the timing margins. According to Table 3-3, the minimum timing margin is [ ]<sup>a,c</sup> nanoseconds in the [ ]<sup>a,c</sup> FPGA, which calculates the Average Power.

The NICSD Implementation Phase VVR concluded that all FPGAs including the Type 2 paths would also operate correctly, because the FPGAs had been designed to have sufficient timing margins.

a,c

a,c

#### Figure 3-3 MLP22 Timing Chart of FE\_DFF path

The NED V&V team reviewed the NICSD Implementation Phase VVR, and referred to the Actel SX-A Family datasheet. Based on the review and additional information from NICSD, the NED V&V team concluded that the NICSD V&V team conclusions were appropriate and acceptable.

#### (3) Maximum Logic Depth

Generally speaking, shallower logic depth reduces glitches in the digital circuits. About the maximum logic depth, the NICSD procedure D-68017 states as follows:

From the technical point of view, the NED V&V team concludes that the maximum logic depth should be defined as an empirical rule to avoid timing problems, and the existing rule does not produce designs that exceed the level of assurance that is obtained through detailed timing analysis. The NED V&V team concluded that the identified timing problems had been resolved in the analyses described in (2) "Synchronous Design."

#### (4) Naming Rules

Appendix A of the NICSD procedure D-68017 requires that the files, signals, constants, and architectures be named following defined rules. The NICSD Implementation Phase VVR reported that the NICSD V&V team confirmed the rules were kept by examining the VHDL source codes.

#### (5) VHDL Coding

The NICSD Implementation Phase VVR reported compliance with the coding rules in Appendix A of the NICSD procedure D-68017.

In addition to the above five requirements, the NED VVP states that the review includes the trace of the source code to the FPGA design specifications to verify correctness, consistency, completeness, and accuracy. The NICSD Implementation Phase VVR reported that each logic diagram displayed by the Netlist Viewer corresponded to the original logic diagram in the FPGA Design Specification, and the VHDL source code (see Section 3.1.3).

The NED V&V team asked the NICSD V&V team about the manner of the source code review and visual inspection of the Netlist in detail, and observed these activities. As a result, NED V&V concluded that they reviewed the VHDL source codes, with the depth and intensity commensurate with the Software Integrity Level (SIL) 4 as required in the NED VVP, and that the VHDL source codes were acceptable.

#### 3.1.2 Tool Log files

The NICSD V&V team checked the log files produced by the software tools. These checks were performed to confirm that the NICSD design engineers used the software tools in an appropriate manner, and did not ignore any warnings reported by the software tools without thinking.

#### (1) Log files produced by Synplify<sup>®</sup> tool

The Synplify<sup>®</sup> tool converts the VHDL source codes to the gate-level netlists by synthesizing the logic. The Synplify<sup>®</sup> tool makes a log file including coded errors and warnings each time it synthesizes the logic. The log file recorded the error messages beginning with "@E," the warning messages beginning with "@W," and the notice messages beginning with "@N." The notice messages only inform the progress of internal processing, and can be ignored. The NICSD Implementation Phase VVR reported that no error message was found.

Table 3-4 summarizes the warning messages listed in the NICSD Implementation Phase VVR. The "Evaluation" column for each warning message was filled in based on the NICSD Implementation Phase VVR and additional information from the NICSD V&V team.

NED V&V team concluded that the NICSD V&V team had reviewed the use of the Synplify<sup>®</sup> tool in an appropriate manner, and that the VHDL source codes were appropriately converted to the netlists based on the NICSD V&V team evaluations.

#### Table 3-4 Summary of Synplify<sup>®</sup> Warning Messages

| Warning<br>Message<br>Code | Messages | FPGA for which the<br>message was<br>generated | Evaluation |     |
|----------------------------|----------|------------------------------------------------|------------|-----|
|                            |          |                                                |            | a,c |

<sup>1</sup> GND: Ground

Note: Refer to Table 3-2 for FPGA names.
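The log check described in (1) can be automated as follows. This is an added example, not NICSD's or Toshiba's procedure: it sorts log lines by the "@E," "@W," and "@N" tags and reports every warning that has no recorded evaluation, mirroring the code, FPGA, and evaluation columns of Table 3-4. The one-line message layout, the FPGA names, the message codes, and the log text are constructed assumptions.

```python
"""Triage synthesis logs by message tag and check each warning has an evaluation."""
import re
from dataclasses import dataclass

# Tags are taken from the report: @E = error, @W = warning, @N = notice.
# ASSUMPTION: one message per line, shaped "@<tag>: <code> :<location>|<text>",
# with the code optional. Adjust the pattern to the log layout actually in use.
MESSAGE_RE = re.compile(
    r'^@(?P<tag>[EWN]):\s*(?:(?P<code>[A-Z]{2}\d{3})\s*:)?\s*(?P<body>.*)$'
)


@dataclass(frozen=True)
class Message:
    fpga: str
    tag: str
    code: str
    text: str


def parse_log(fpga, log_text):
    """Return the tagged messages found in one FPGA's log text."""
    messages = []
    for line in log_text.splitlines():
        m = MESSAGE_RE.match(line.strip())
        if not m:
            continue  # untagged line (banner, resource summary, ...)
        body = m.group("body")
        text = body.split("|", 1)[1] if "|" in body else body
        messages.append(Message(fpga, m.group("tag"), m.group("code") or "", text.strip()))
    return messages


def triage(logs, evaluations):
    """logs: {fpga: log text}; evaluations: {(warning code, fpga): evaluation text}."""
    report = {"errors": [], "unevaluated": [], "empty_logs": [], "notices": 0}
    seen = set()
    for fpga, text in logs.items():
        messages = parse_log(fpga, text)
        if not messages:
            # A log with no tagged lines proves nothing: it may be missing or truncated.
            report["empty_logs"].append(fpga)
        for msg in messages:
            if msg.tag == "E":
                report["errors"].append(msg)
            elif msg.tag == "W":
                seen.add((msg.code, fpga))
                if not evaluations.get((msg.code, fpga), "").strip():
                    report["unevaluated"].append(msg)
            else:
                report["notices"] += 1  # progress information only
    # Evaluations with no matching warning suggest the table was written for another build.
    report["stale"] = sorted(key for key in evaluations if key not in seen)
    report["accepted"] = not (
        report["errors"] or report["unevaluated"] or report["empty_logs"]
    )
    return report


# Constructed sample input: placeholder FPGA names, codes and messages.
SAMPLE_LOGS = {
    "FPGA_A": (
        '@N: ZN001 :"fpga_a_top.vhd":10:7:10:15|Top entity is set to fpga_a_top\n'
        '@W: ZW101 :"fpga_a_top.vhd":42:4:42:9|Input spare_in is unused\n'
        '@W: ZW102 :"fpga_a_top.vhd":77:4:77:12|Output tied to GND\n'
    ),
    "FPGA_B": (
        '@W: ZW101 :"fpga_b_top.vhd":18:4:18:9|Input spare_in is unused\n'
        '@E: ZE900 :"fpga_b_top.vhd":5:1:5:8|Unbound component\n'
    ),
    "FPGA_C": "",  # empty log file
}
SAMPLE_EVALUATIONS = {
    ("ZW101", "FPGA_A"): "Port reserved by the specification; unused by design.",
    ("ZW101", "FPGA_B"): "Port reserved by the specification; unused by design.",
    ("ZW104", "FPGA_A"): "Evaluation with no matching warning in the current log.",
}

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS, SAMPLE_EVALUATIONS)
    for key in ("errors", "unevaluated", "empty_logs", "stale", "notices", "accepted"):
        print(key, "=", result[key])
```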

## (2) Log files produced by Designer tool

The Designer tool lays out (or, strictly speaking, places and routes) the logic in the netlists, and produces fusemap files. The Designer tool produces a log file including errors and warning messages each time it creates a layout.

The NICSD Implementation Phase VVR reported that the Designer tool generated two types of warning messages.

The first message was coded [ ]<sup>a,c</sup> [ ]<sup>a,c</sup> The NICSD Implementation Phase VVR reported that those signal ports were not used; hence there was no problem that they [ ]<sup>a,c</sup>

The second message was [ ]<sup>a,c</sup> [ ]<sup>a,c</sup> This message was only generated for the [ ] FPGA. This message was caused by the fact that the [ ] in the NICSD design.

The NICSD Implementation Phase VVR concluded that the Designer tool had not raised any problems, and correctly generated the fusemap files.

NED V&V team concluded that the NICSD V&V team reviewed the use of the Designer tools in an appropriate manner, and concluded that the fusemap files were generated appropriately.

#### 3.1.3 Visual Inspection of Netlists

The NED VVP required that the NICSD design engineers compare the VHDL source codes with the logic diagrams produced from the netlists, in order to verify that the Synplify<sup>®</sup> tool converted the VHDL source codes to the netlists correctly. The NICSD Implementation Phase VVR reported that NICSD visually inspected the netlists by comparing the original VHDL source codes with the logic diagrams produced by the Netlist Viewer tool from the netlists.

#### (1) Approach

The NICSD Implementation Phase VVR reported that the comparison of the VHDL source codes and the logic diagrams was performed in the following manner:

• The engineer performing the comparison received the VHDL source code files and the netlists files from the design engineers.

a,c

• The engineer printed the VHDL source codes on sheets of paper. A VHDL source code has a hierarchical structure. The top level of the code was broken down to the components, and each component might be further broken down to lower level components. The FEs came to the lowest level components. Figure 3-4 shows the structure of the [ ] FPGA source code, as an example. The top-level was broken down to, or consisted of [ ]<sup>a,c</sup> [ ]<sup>a,c</sup> [

name begins with "FE" are FEs, and could not be broken down in the VHDL source codes and logic diagrams, because the internal structure of FEs was given by independent netlists that would be linked by the Designer tool.

Figure 3-4 Example of Hierarchical Structure of VHDL Source Codes

• The engineer converted the netlists to logic diagrams using the Netlist Viewer tool, and printed them on sheets of paper. Since the VHDL source code had a hierarchical structure, the logic diagrams were organized in the same structure. Figure 3-5 shows the top-level logic diagram of the [ ] FPGA. The [ ]<sup>a,c</sup> [ ]<sup>a,c</sup> [ ] were placed at the top-level logic diagram, corresponding to Figure 3-4. These components except FEs were expanded on other lower level logic diagrams.

- The engineer went down the hierarchy comparing the VHDL source codes with the corresponding logic diagrams from the top-level to the bottom-level, where the FEs were placed.
- Some components were commonly used in the FPGA design, i.e. the same component was used at more than one place in the VHDL source codes. When the component was preserved without optimization, the internal structure was identical for each use of the component. In that case, the engineer examined the component internal structure for its first use, and checked its interface for its second or later use.

For the [ ]FPGA, whose logic was optimized to reduce its size so that the logic could be embedded in one FPGA chip, the structure of the components except FE was not preserved. The engineer examined the structure of all components in the FPGA.

- At each level of the hierarchy, the engineer compared the following items between the VHDL source codes and the logic diagrams:

Figure 3-6 illustrates how the comparisons were performed for an example of [ ]<sup>a,c</sup> component used in the [ ]FPGA. The arrows drawn over the figure indicate the correspondence between the elements in the VHDL source code and the elements on the logic diagram.

• The engineer recorded any elements on the logic diagram for which correspondence to the element in the VHDL source code was not apparent. The engineer examined these elements in detail to identify whether there was an obvious correspondence between the logic diagram and the VHDL source code. For cases where there was no obvious correspondence, (2) "Results" of this section describes how they were resolved.

#### Figure 3-5 The Top-level Logic diagram of TRNUNIT

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division


FPG-DRT-C51-0016 Rev.1 Attachment-4 FPG-DRT-C51-0014 Rev. 0


Figure 3-6 Comparison of the Logic Diagram and the VHDL Source Codes


## (2) Results

The NICSD Implementation Phase VVR reported that the comparison had been performed for all FPGAs. The NICSD VVR confirmed that all elements in the logic diagram produced from the netlists corresponded to elements of the VHDL source code, although there were [ ] cases in which finding the correspondence was not simple. These cases were:



Figure 3-7 Example of CM8 macro used as an inversion buffer




#### Figure 3-8 CM8 Macro and its Truth Table



]<sup>a,c</sup> component was declared as follows:





## (3) Conclusions

The NED V&V team considered that the comparison of the VHDL source code and the netlist had crucial importance to verify the conversion of the VHDL source code into the netlist. From this point of view, the NED V&V team reviewed the NICSD Implementation Phase VVR, observed the NICSD activities, and interviewed the NICSD design engineers and V&V team to clarify all the details. As a result, the NED V&V team concluded that the netlists were acceptable.

## 3.2 FPGA Validation Testing

The NICSD Implementation Phase VVR reported that the FPGA validation testing had been performed following the FPGA Validation Test Procedures, which had been prepared by engineers who did not contribute to the FPGA design, in accordance with the NICSD procedure D-68016 (Reference 16). The FPGA Validation Test Procedures included:

- (1) Test Environment
- (2) Test Setup
- (3) Test Cases
- (4) Testing

The following sections explain the above items based on the NICSD Implementation Phase VVR and additional information from the NICSD V&V team.

## 3.2.1 Test Environment

The test environment consisted of a hardware test environment and a software test environment. A set of the hardware test environment consisted of a personal computer (PC) and an FPGA testing device called the PinPort. The PC runs two pieces of test equipment software, a software VHDL simulator called ModelSim<sup>®</sup> and the PinPort device driver.

The FPGA validation testing was divided into VHDL testing and FPGA testing.

## VHDL Testing

The VHDL testing was performed to validate the fusemap to be embedded in the product FPGAs by simulation using the ModelSim<sup>®</sup> tool.

The ModelSim<sup>®</sup> tool simulated the FPGA behaviors using the back-annotated timing data and the corresponding VHDL source codes, which were generated by the Designer tool when the tool converted the netlists into a placed, routed fusemap by placing logic elements and routing interconnections between elements in the FPGA.

In the VHDL testing, the ModelSim<sup>®</sup> tool generated input signals, simulated the FPGA embedding the fusemap, and generated the resulting output signals in chronological order. The tester compared the output signals with their desired values for the prepared test cases, and confirmed if the FPGA had the intended functions.

One of the objectives of the VHDL testing is to validate the FPGA behaviors that cannot be validated by the FPGA testing (explained below) directly. Experiences show that the test cases

## FPGA Testing

The FPGA testing was performed on the FPGA with an embedded fusemap. Figure 3-10 shows the test equipment configuration for testing. The FPGA chip was mounted in a socket in the PinPort device. The PinPort device has a small computer system interface (SCSI), which is connected by an SCSI cable to a PC containing the ModelSim<sup>®</sup> tool.

The ModelSim<sup>®</sup> tool generated input signals for the same test cases as the VHDL testing, fed them into the FPGA through the PinPort device, and received the output signals from the FPGA. The received signals were recorded by the PC, and the tester compared them with their desired values to confirm whether the FPGA provided the required functions, by verifying the input to output against a predefined test pattern.


#### **Figure 3-10 FPGA Testing Equipment**

## 3.2.2 Test Setup

The NICSD Implementation Phase VVR reported that the test equipment had been set up following the FPGA Test Procedures. The version numbers of the test equipment hardware and software were confirmed before testing.

## 3.2.3 Test Cases and Procedures

The NICSD Implementation Phase VVR reported that the test cases were prepared following two approaches: functional test cases and exceptional test cases.

#### (1) Functional Test Cases

The functional test cases were prepared to ensure that FPGAs operated as required in their specification. From this perspective, the input signals to and the output signals from the FPGAs were changed in chronological order following the assumed operating conditions for the module that would mount the FPGA. The NICSD Implementation Phase VVR explained the functional test cases for the [ ]FPGA as examples.

The NICSD engineer calculated the toggle coverage ratio of the active FE connections in the FPGA using ModelSim<sup>®</sup> tool, and confirmed that the ratio was 100%, as expected from the bit patterns of the test data.

The NED V&V team thought the testing method was appropriate, because:

• The [ ]FPGA handled serial signals; toggling of each bit in the data frame ensured that any data frame including arbitrary data is conveyed correctly.

• The test case checked for full [ ] bits included in the data frame.

<sup>2</sup> "h" denotes hexadecimal number.


#### (2) Exceptional Test Cases

The above functional test cases were not sufficient to achieve a toggle coverage ratio of 100%, because some portions of the FPGA did not operate in the functional test cases. To achieve a toggle coverage ratio of 100%, the NICSD engineer prepared additional test cases. NICSD calls these additional test cases exceptional test cases.

According to the information from the NICSD engineers, the methods to add exceptional test cases were not simple. One method to add new test cases was examining the logic diagram in detail, and determining the input values to toggle the remaining untoggled portions of the FPGA. Note that not all connections in an FPGA can be toggled, because some connections are connected to ground level or power level directly. These connections were excluded from the toggle coverage calculations. These exceptional test cases were documented in the FPGA Test Procedures.
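The toggle coverage bookkeeping described above, as an added example that is not taken from the report or from NICSD's procedures: it excludes connections tied to ground or power from the calculation, merges transitions across test cases, and lists which transitions are still missing so that exceptional test cases can target them. The net names, test-case names and traces are constructed, and counting a net as toggled only after both a 0-to-1 and a 1-to-0 transition is an assumption about the metric.

```python
# Added example. Net names, test cases and traces are constructed for
# illustration; they are not taken from the report.

# Netlist view: every connection is either active or tied to a rail.
NETS = {
    "rx_data": "active",
    "frame_sync": "active",
    "crc_ok": "active",
    "err_latch": "active",
    "cal_enable": "tied_low",    # hard-wired to ground level
    "vcc_pullup": "tied_high",   # hard-wired to power level
}

# Simulator output per test case: net -> values sampled in time order.
FUNCTIONAL = {
    "frame_pattern_a": {
        "rx_data": [0, 1, 0, 1, 0], "frame_sync": [0, 1, 0, 0, 0],
        "crc_ok": [0, 0, 0, 1, 1], "err_latch": [0, 0, 0, 0, 0],
        "cal_enable": [0, 0, 0, 0, 0], "vcc_pullup": [1, 1, 1, 1, 1],
    },
    "frame_pattern_b": {
        "rx_data": [1, 0, 1, 0, 1], "frame_sync": [0, 1, 0, 0, 0],
        "crc_ok": [0, 0, 0, 1, 1], "err_latch": [0, 0, 0, 0, 0],
        "cal_enable": [0, 0, 0, 0, 0], "vcc_pullup": [1, 1, 1, 1, 1],
    },
}
EXCEPTIONAL = {
    "bad_crc_then_reset": {
        "rx_data": [0, 1, 1, 0, 0], "frame_sync": [0, 1, 0, 0, 0],
        "crc_ok": [1, 0, 0, 0, 0], "err_latch": [0, 0, 1, 1, 0],
        "cal_enable": [0, 0, 0, 0, 0], "vcc_pullup": [1, 1, 1, 1, 1],
    },
}

BOTH_DIRECTIONS = {(0, 1), (1, 0)}


def transitions(samples):
    """Return the set of (previous, current) value changes in one trace."""
    for s in samples:
        if s not in (0, 1):
            raise ValueError(f"non-binary sample {s!r}")
    return {(a, b) for a, b in zip(samples, samples[1:]) if a != b}


def toggle_report(nets, test_cases):
    """Merge transitions over all test cases and compute toggle coverage.

    Tied nets are left out of the ratio, but a tied net that ever leaves
    its rail value is reported, because that contradicts the netlist.
    """
    seen = {n: set() for n, kind in nets.items() if kind == "active"}
    tie_violations = []
    for case, traces in test_cases.items():
        for net, samples in traces.items():
            kind = nets[net]  # KeyError: trace for a net not in the netlist
            if kind == "active":
                seen[net] |= transitions(samples)
            else:
                expected = 0 if kind == "tied_low" else 1
                if any(s != expected for s in samples):
                    tie_violations.append((case, net))
    # For each incompletely toggled net, name the transitions still needed.
    missing = {
        n: [f"{a}->{b}" for a, b in sorted(BOTH_DIRECTIONS - seen[n])]
        for n in sorted(seen) if BOTH_DIRECTIONS - seen[n]
    }
    toggled = sorted(n for n in seen if n not in missing)
    return {
        "ratio": len(toggled) / len(seen) if seen else 1.0,
        "toggled": toggled,
        "missing": missing,
        "excluded": sorted(n for n, k in nets.items() if k != "active"),
        "tie_violations": tie_violations,
    }


if __name__ == "__main__":
    print(toggle_report(NETS, FUNCTIONAL))
    print(toggle_report(NETS, {**FUNCTIONAL, **EXCEPTIONAL}))
```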

## 3.2.4 Testing

The NICSD Implementation Phase VVR reported that the FPGA testing was performed following the Test Procedures prepared for each FPGA in accordance with NICSD procedures D-68016 and D-68017. The testers were assigned so that each tester tested an FPGA to whose design the tester had not contributed. The testers performed the VHDL testing first, and then performed the FPGA testing.

#### VHDL Testing

The tester performed the VHDL testing in the following order:

#### FPGA Testing

The tester performed the FPGA testing in the following order:


The NICSD Implementation Phase VVR concluded that the test results were satisfactory and acceptable.

## 3.2.5 Additional Testing

The NED V&V team had some concerns about the functional test cases, because NICSD seemed to assume the FPGA was a "black box." The NED V&V team thought that although the toggle coverage ratio achieved 100%, the issue raised by the NICSD CDR might remain (See Section 3.2.1). To resolve this concern, the NED V&V team required NICSD to reconsider the FPGA testing so that it checked the connections between FEs more thoroughly.

Responding to this requirement from the NED V&V team, the NICSD engineers prepared additional test cases, in which sets of FPGA input signals were defined to toggle the connections between FEs and to lead to observable changes of the FPGA output signals.
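The point of requiring that a toggled connection also produce an observable output change, as an added example that is not from the report: a constructed four-input circuit in which the original vectors reach 100% toggle coverage yet leave two faulty connections undetected at the output, and two additional vectors expose them. The circuit, the vectors and the stuck-at fault model are all assumptions of this example; the report names none of them.

```python
# Added example. The circuit, vectors and stuck-at fault model are
# constructed for illustration; the report does not describe them.

OUTPUTS = ("y",)
INTERNAL = ("m1", "m2")   # connections between logic elements


def simulate(vec, stuck=None):
    """Evaluate all nets for one input vector (a, b, c, d).

    stuck=(net, value) forces that net to a constant, modelling a
    connection that is stuck at 0 or 1.
    """
    nets = {}

    def drive(name, value):
        if stuck is not None and stuck[0] == name:
            value = stuck[1]
        nets[name] = value
        return value

    a, b = drive("a", vec[0]), drive("b", vec[1])
    c, d = drive("c", vec[2]), drive("d", vec[3])
    m1 = drive("m1", a & b)
    m2 = drive("m2", c & d)
    drive("y", m1 | m2)
    return nets


def toggled_both_ways(values):
    """True once the sequence contains a 0->1 and a 1->0 change."""
    pairs = set(zip(values, values[1:]))
    return (0, 1) in pairs and (1, 0) in pairs


def toggle_coverage(vectors):
    """Fraction of nets that toggle in both directions over the vectors."""
    runs = [simulate(v) for v in vectors]
    names = list(runs[0])
    covered = [n for n in names if toggled_both_ways([r[n] for r in runs])]
    return len(covered) / len(names)


def undetected_faults(vectors, fault_nets):
    """Stuck-at faults whose outputs match the fault-free outputs on every
    vector, i.e. faults the test set cannot observe."""
    good = [simulate(v) for v in vectors]
    missed = []
    for net in fault_nets:
        for value in (0, 1):
            bad = [simulate(v, stuck=(net, value)) for v in vectors]
            same = all(g[o] == f[o] for g, f in zip(good, bad) for o in OUTPUTS)
            if same:
                missed.append((net, value))
    return missed


# All inputs switch together: every net toggles, but whenever m1 is 1 so is
# m2, and the OR gate hides either one being stuck at 0.
ORIGINAL = [(0, 0, 0, 0), (1, 1, 1, 1), (0, 0, 0, 0)]
# Each vector raises one internal connection while the other is 0, so its
# value is the only thing driving the output.
ADDITIONAL = [(1, 1, 0, 0), (0, 0, 1, 1)]

if __name__ == "__main__":
    print(toggle_coverage(ORIGINAL), undetected_faults(ORIGINAL, INTERNAL))
    print(undetected_faults(ORIGINAL + ADDITIONAL, INTERNAL))
```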

In the following, additional tests are explained for the [ ]FPGA as an example. Figure 3-11 illustrates the signal processing in the [ ]FPGA. The [ ]FPGA takes the [ ]<sup>a,c</sup>

Figure 3-11 Overview of the APAVE FPGA

(1) Input Processing Testing

In this testing, while the

]<sup>a,c</sup>


For the PRM System, an APRM module is required to receive signals from up to 22 LPRM modules, so this fact will not raise any problems. However, the FPGA Design Specification did not describe this limitation on the [ ]. Later, NICSD revised the [ ] FPGA Design Specification, and the [ ] FPGA Test Procedure reflecting this limitation.


The NICSD design engineers performed FPGA testing for these additional test cases. The NICSD V&V team reviewed the additional testing, and concluded that the results of the testing were satisfactory. The NED V&V team also reviewed the additional testing as well as the original testing, and concluded that this FPGA testing was sufficient to confirm the FPGA functions.

## 3.3 Document Reviews

The NED VVP requires the reviews identified in Items (1) through (4) below in this section. The NICSD V&V team reviewed items (1) through (3). The NED V&V team reviewed item (4). The items are listed below, and then the remainder of this section addresses each in detail. The items required are as follows:

- Item (1) FPGA validation test procedures
- Item (2) FPGA validation test reports
- Item (3) Software Baseline
- Item (4) Implementation Phase PHA

## Item (1) FPGA validation test procedures

Review the FPGA validation test procedures prepared by the NICSD Design Group for completeness, correctness, consistency, and accuracy. The FPGA Validation tests shall achieve 100% toggle coverage of the active FE connections using the toggle coverage scheme provided by the ModelSim<sup>®</sup> tool.

## Item (2) FPGA validation test reports

After NICSD design engineers (who are independent of the design engineers of the FPGA product being tested as required by D-68016) perform these tests, the NICSD V&V Team shall review the FPGA validation test reports to verify:

- The tests have been appropriately performed according to the test procedures.
- There are sufficient test records, including any findings during the validation testing.
- The test results are acceptable.
- If the above are not satisfied, the test shall be performed again.

Tables 3-5 and 3-6 show the FPGA Test Procedures and the FPGA Test Reports. These two tables were copied and translated from the NICSD Implementation Phase VVR. This NICSD Implementation Phase VVR reported that these documents were reviewed in accordance with the NICSD VVP, and concluded they were accepted. The NICSD Implementation Phase VVR also reported that [\_\_\_\_\_] Problem Reporting Sheet (PRS) had been issued during the testing, and the problem had been resolved. The Problem Reporting Sheet is attached to the NICSD Implementation Phase VVR.

#### **Table 3-5 FPGA Test Procedures**

(Copied and Translated from the NICSD Implementation Phase VVR)

| No. | Name | Doc. No. (NICSD number) | Rev. | Remark |
|-----|------|-------------------------|------|--------|
| [ ]<sup>a,c</sup> | | | | |

The NED V&V team made spot checks on the six selected FPGA Test Procedures listed below, along with the reviews of the requirements traceability matrices.


#### **Table 3-6 FPGA Validation Test Reports**

(Copied and Translated from the NICSD Implementation Phase VVR)

| No. | Name | Doc. No. (NICSD number) | Rev. |
|-----|------|-------------------------|------|
| [ ]<sup>a,c</sup> | | | |

The NED V&V team made thorough reviews of the six selected documents listed above for completeness, correctness, consistency, and accuracy as required by the NED VVP. The NED V&V team found that NICSD had reviewed the six documents appropriately and with the level of intensity that NED required and expected.

The NED V&V team also made spot checks on the six selected FPGA Test Reports listed below.



The NED V&V team made thorough reviews of the six selected test reports for completeness, correctness, consistency, and accuracy as required by the NED VVP. The NED V&V team found that NICSD had reviewed the above documents appropriately and with the level of intensity that NED required and expected.

## Item (3) Software Baselines

The NICSD design engineers shall establish the Software Baseline after FPGA Validation Testing is finished. The NICSD V&V Team shall review the Software Baseline to confirm that the items required by NICSD Procedure D-68019 have been appropriately established.

The NED V&V team checked that the Software Baseline of the PRM System was controlled in accordance with NICSD Procedure D-68019, which required the following configuration management activities:

- Identification of Configuration Items
- Configuration Status Accounting using Software Baseline
- Configuration Records
- Change control and Documentation

The NICSD Implementation Phase VVR reported that the Software Baseline including configuration items required by the NICSD procedure D-68019 had been established and controlled using the Master Configuration List (MCL). The NED V&V team observed that the required configuration items had been controlled using the MCL. In particular, the VHDL source code, netlist, and fusemap files of FPGAs were stored in the compact disk-recordable (CD-R) disks, which can only be written to once but read many times. These disks were labeled with control numbers that were registered in the MCL. See Section 3.1 for the FPGA files being stored.

The NED V&V team concluded that the Software Baseline had been appropriately controlled.

## Item (4) Implementation Phase PHA

The NED V&V personnel shall independently review the Implementation Phase PHA, and document the results of the review in accordance with AS-200A002.

The NED V&V team performed the review of the Implementation Phase PHA Report (Reference 4) for completeness, correctness, consistency, and accuracy as required by the NED VVP.

The Implementation Phase PHA examined if appropriate testing was performed on the [\_\_\_\_\_\_]<sup>a,c</sup> [\_\_\_\_\_\_]FPGAs in order to resolve any identified concerns. In addition, the Implementation Phase PHA addressed some new hazards that might be raised in this Implementation Phase.

The Implementation Phase PHA concluded that the concerns from the Design Phase were the non-update events for the [ ]<sup>a,c</sup> FPGA, and incorrect data transmission event for the [ ]<sup>a,c</sup> FPGA, and that these concerns were resolved by the FPGA testing performed in this Implementation Phase.

The Implementation Phase PHA Report addressed the hazards relating to the

Management, as new hazards that were raised in this Implementation Phase. The PHA report concluded that the only remaining concern was that the FPGAs might not operate at their intended frequency without being affected by glitches and that this should be addressed in the next Unit/Module Validation Testing Phase.

The NED V&V team deemed that the method and conclusion of the Implementation Phase PHA were acceptable.

## 3.4 Implementation Phase RTM effort

The NICSD VVP requires the following Items (1) and (2).

Item (1) Preparation of the Implementation Phase RTM

The engineer shall prepare the RTM to confirm that the FPGA Test Procedures can be traced to and from the RTM prepared in the preceding phase.

The V&V team shall review the RTM, and verify the following:

- 1) The basic requirements were traced to the FPGA, i.e. all the requirements were reflected in the FPGA Test Procedures.
- 2) The requirements were traced from the FPGA Test Procedures back to Design Phase.

Item (2) Compilation of the Implementation Phase RTM

The Implementation Phase RTM Report shall include the RTM, any open items, and non-conformance items. The report shall also describe how the requirements were reflected in the FPGA Test Procedures.

The NICSD V&V team established a separate Implementation Phase RTM for each FPGA in Table 3-1. Each RTM consists of two primary columns and a remark column. The left column corresponds to the Design Phase, and the right column corresponds to this Implementation Phase. Each row of the left column identifies the section numbers of the FPGA Design Specification including the requirements in the Design Phase, with the cell in the same row of the right column identifying the section numbers of the FPGA Test Procedure that can be traced from and to the row's left column. Thus, the Implementation Phase RTM shows the traceability between the Design Phase and this Implementation Phase.

Appendix provides the [ ]<sup>a,c</sup> FPGA RTM, which was copied and translated from the NICSD Implementation Phase RTM Report (Reference 7). The left column corresponds to the [ ] FPGA Design Specification (Reference 9); the right column corresponds to the APAVE FPGA Test Procedure (Reference 13). The original sheet contained a column labeled "Remarks" which NED deleted because it was blank.

In the matrix, functional descriptions from Section 3.1 [ ] through Section 3.7 [ ] of the [ ]FPGA Design Specification are traced to Section 4.1.1, 4.1.2, and 4.1.6 (2), (5) of the [ ]FPGA Test Procedure. These functional descriptions in the [ ]FPGA Design Specification were implemented as logic blocks in the [ ]FPGA. These logic blocks construct signal paths through which the input signals pass, and process the signals along the paths. At the ends of these signal paths, the output signals from the [ ]FPGA were obtained. The corresponding Sections of the [ ]FPGA Test Procedure describe the test cases prepared to test if the actual output signal values from the [ ]FPGA match the desired signal values that were expected as the results of the signal processing.

In order to verify the Implementation Phase RTM efforts, the NED V&V team made spot checks of the NICSD Implementation Phase RTM Report against the following FPGA Test Procedures.



After reviewing the above RTM report, the NED V&V team concluded that the Implementation Phase RTM was appropriate, in that all requirements in the Design Phase were traced to the test items in the FPGA Test Procedures and that no Test Procedure items reflected implemented FPGA functionality that was not included in the Design Phase documentation.

The NICSD Implementation Phase RTM Report described that Section 3.7 and 3.8 of the [ ]<sup>a,c</sup> FPGA Design Specification could not be traced to the [ ]FPGA Test Procedures. Section 3.7 described a synchronous signal, and Section 3.8 described calibration data setting. According to the RTM report, these items were introduced in the [ ]FPGA Design Specification by reuse of the logic design from the [ ]FPGA. The logic design included the logic blocks corresponding to the items. In the [ ]FPGA, because the input signals to the logic blocks were connected to ground level in the design, these logic blocks could never be activated. Therefore, no test cases were prepared for these items. The NED V&V team considered it acceptable that these items were not traced to the [ ]FPGA Test Procedures, and that appropriate explanations existed in the design documentation for the existence of these features, in that the risk of removing these reused design features outweighed the risk of leaving these unused hardwired features in place in the design.

## 3.5 Assessment of Software tools

The NED VVP states that the NED V&V team shall assess the NICSD control of the software tools used in the design and V&V activities, and review NICSD's records for software tool control to ensure:

- FPGAs used for the project are manufactured with the correct tool versions.
- NICSD is controlling the software tools in accordance with procedures that NED has reviewed and approved.

The NICSD Implementation Phase VVR reported that the NICSD V&V team had confirmed the control of the software tools used in the design. According to the VVR, NICSD used two types of control records, and Software Tool Installation Verification to control the software tools.

The first type of the control records is called the Software Tool Information Sheet, and is used to identify software tool names, tool numbers, and their licenses. Table 3-7 lists the Software Tool Information Sheets. The table indicates that two sets of the Libero<sup>®</sup> Integrated Development Environment (IDE), Silicon Sculptor, ModelSim<sup>®</sup> SE PLUS, and PinPort192 software tools were used in the design. The Libero<sup>®</sup> IDE includes the Designer and Netlist Viewer tools.

The second type of the control record is called the Installation Verification Sheet, and is used to record the software tool installations to the PCs. Table 3-8 lists the Installation Verification Sheets. The table indicates that two PCs were used in the design, and each PC was installed with the Libero<sup>®</sup> IDE, Silicon Sculptor, ModelSim<sup>®</sup> SE PLUS, and PinPort192 software tools.

#### **Table 3-7 Software Tool Information Sheets**

(Copied and translated from the NICSD Implementation Phase VVR)

| No | Software Tool Name | Software Tool Version | Software Tool Information Sheet No. | Rev |
|----|--------------------|-----------------------|-------------------------------------|-----|
| [ ]<sup>a,c</sup> | | | | |

#### **Table 3-8 Installation Verification Sheets**

(Copied and translated from the NICSD Implementation Phase VVR)

| No | Computer Equipment Control No | Computer OS | Software Tool Name | Software Tool Version | Installation Verification Sheet No | Rev |
|----|-------------------------------|-------------|--------------------|-----------------------|------------------------------------|-----|
| [ ]<sup>a,c</sup> | | | | | | |

The Software Tool Installation Verification documents referenced the FPGA Development Tool Installation Verification Test Procedure, and FPGA Development Tool Installation Verification Test Report. Table 3-9 lists these documents used for the software tool in Table 3-8. The FPGA Development Tool Installation Verification Test Procedure described the tests to be performed to verify that the software tools were correctly installed in the computer. The FPGA Development Tool Installation Verification Test Report described the installation test results for each computer.

#### **Table 3-9 Software Tool Verification Documents**

(Copied and translated from the NICSD Implementation Phase VVR)

| No | Name                                                           | Doc. No  | Rev | Remark |
|----|----------------------------------------------------------------|----------|-----|--------|
| 1  | FPGA Development Tool Installation Verification Test Procedure | 8T8H3418 | 0   |        |
| 2  | FPGA Development Tool Installation Verification Test Report    | 9H8H0348 | 0   | [ ]<sup>a,c</sup> |
| 3  | FPGA Development Tool Installation Verification Test Report    | 9H8H0349 | 0   |        |

# 4 Problem Reporting and Corrective Actions

The NICSD Implementation Phase VVR (Reference 8) documents that only one Problem Reporting Sheet had been issued during the testing. The problem was that the requirement for

The NICSD Implementation Phase VVR reported that NICSD engineers updated the corresponding test procedures, and performed the testing again. In addition, the NICSD engineers reviewed the other test reports from the same point of view, and found similar problems in the [\_\_\_\_\_\_]FPGAs. These problems were fixed in a similar manner as for the FLPANEL FPGA before these tests were run.

Besides the PRS during FPGA testing, the NICSD Implementation Phase VVR reported six PRSs were issued for the following problems:

The NICSD V&V team updated the NICSD Implementation Phase VVR from Rev. 0 to Rev. 1, and the above problems were resolved.

The Nonconformance Notice Report (NNR) 06-002-I (Reference 21) was issued. It is the same NNR referred to in the NED Design Phase VVR (Reference 6). The NNR reported the following problems for the NICSD Implementation Phase V&V activities:

These problems corresponded to the problems that were reported in the Vendor Nonconformance Report (VNNR) 06-012 (Reference 22). The NICSD Implementation Phase VVR (Reference 8) reported that the NICSD V&V team resolved the problems in VNNR 06-012 by revising the report and adding the required descriptions in the NICSD Implementation Phase VVR, and closed VNNR 06-012. The NED V&V team confirmed the resolution of the problems, and closed NNR 06-002-I.

# 5 Metrics

The number of changes applied to newer revisions of individual documents, and the number of the Nonconformance Notice Reports were used as the metrics for NED and NICSD V&V activities.

Section 5 of the NICSD Implementation Phase VVR (Reference 8) reported that:

- (1) Nonconformance Notice Report was issued for the NICSD V&V activities.
- (2) The number of changes applied to newer revisions of each FPGA Test Procedure decreases as its revision proceeds. From NED evaluation, the magnitude of the issues reported also appears to decrease. Therefore, the remaining issues are likely to be few and of limited significance.

For (1), because the number of the NNR is small, the NED V&V team considered it acceptable.

For (2), Table 5-1 shows the number of changes applied to newer revisions of each FPGA Test Procedure, which was copied and translated from the NICSD Implementation Phase VVR. Checking the table, the NED engineer concluded that the NICSD Implementation Phase VVR is acceptable, and that the activities performed by NICSD implement the NICSD requirements. In this table, revisions to the test procedures are broken down by the major reasons for change. If no revision was required, the cells associated with the types of changes and total changes are marked as not applicable by a diagonal line in the cell.

| No. |     | Doc No. (NICSD number) | Rev | Type: Corrections | Type: Additions | Type: Others | Total |
|-----|-----|------------------------|-----|-------------------|-----------------|--------------|-------|

## Table 5-1 Number of Changes applied to the FPGA Test Procedure

# 6 Findings and Recommendations, and Conclusions

The NED V&V team has reviewed the Implementation Phase V&V activities performed by both NED and NICSD, and identified no finding that needs any additional corrective action. One Vendor Nonconformance Report was issued for the NICSD V&V activities, and one Nonconformance Report was issued for the NED V&V activities as described in Section 4. These NNRs pointed out that the review by NED on the NICSD VVR was not sufficient. Responding to the findings by the NNRs, the NED V&V team changed the methods used in their review, in which the NED V&V team checked newer versions of the NICSD Implementation Phase VVR (Reference 8) against the NICSD VVP (Reference 3) and NED VVP (Reference 2) more strictly, and resolved the findings. As a result, these NNRs were closed. The NED V&V team considered that NICSD performed an excellent job in terms of providing reasonable assurance that the FPGAs perform the required safety functions.

The NED V&V team provided one recommendation to make further improvements in future V&V activities. NICSD should make a guideline for designing FPGA test cases. Since the FPGA logic is developed by constructing it from the verified FEs, the test cases should be designed to assure the proper operation of the connections between the FEs, and to validate that the FPGA operates correctly. The guideline should explain how to design good test cases to achieve these objectives.

For this Implementation Phase, the NED V&V team observed that the activities defined in the NED VVP were performed correctly, and that the results of the activities were satisfactory. Except for the clock issue that is confirmed in the Unit/Module Validation Phase (see Section 3.3), the NED V&V team concluded that the Implementation Phase V&V activities provide reasonable assurance that the FPGAs would perform their required functions, and that the activities completed successfully.

# 7 Abbreviations

| Abbreviation | Definition                                                      |
|--------------|-----------------------------------------------------------------|
| APRM         | Average Power Range Monitor                                     |
| CD-R         | Compact Disk-Rewritable                                         |
| ECS          | Engineering Communication Sheet                                 |
| EDIF         | Electronic Design Interchange Format                            |
| EEPROM       | Electrically-Erasable Programming Read-Only Memory              |
| FE           | Functional Element                                              |
| IDE          | Integrated Development Environment                              |
| LED          | Light Emitting Diode                                            |
| MCL          | Master Configuration List                                       |
| MHz          | MegaHertz                                                       |
| NED          | Nuclear Energy Systems and Services Division                    |
| NICSD        | Nuclear Instrumentation and Control Systems Department          |
| NNR          | Nonconformance Notice Report                                    |
| NRW-FPGA     | Non Re-Writable Field Programmable Gate Array                   |
| PC           | Personal Computer                                               |
| PHA          | Preliminary Hazard Analysis                                     |
| PRM          | Power Range Monitor                                             |
| PRS          | Problem Reporting Sheet                                         |
| RTM          | Requirements Traceability Matrix                                |
| SCSI         | Small Computer System Interface                                 |
| SIL          | Software Integrity Level                                        |
| VHDL         | Very High Speed Integrated Circuit Hardware Definition Language |
| VNNR         | Vendor Nonconformance Report                                    |
| VVP          | Verification and Validation Plan                                |
| VVR          | Verification and Validation Report                              |
| V&V          | Verification and Validation                                     |

# Appendix

#### Selected Part of the Implementation Phase RTM

(Copied and Translated from the NICSD RTM Report)

| Design Phase<br>FPGA Design Specification | Implementation Phase<br>FPGA Test Procedure |
|-------------------------------------------|---------------------------------------------|

Notice: This table was copied for explanation only, and was not used to verify any FPGAs.

# Attachment-5

**US Safety-Related**

Document No. FPG-DRT-C51-0015 Rev. 0

NRW-FPGA-Based PRM System Qualification Project

Document Title

Unit/Module Validation Testing Phase V&V Report

| CUSTOMER NAME | None                                            |
|---------------|-------------------------------------------------|
| PROJECT NAME  | NRW-FPGA-Based PRM System Qualification Project |
| ITEM NAME     | Equipment                                       |
| ITEM NO.      | C51                                             |
| JOB NO.       | FPG                                             |

| Date          | Issued by                                               | Document Filing No |
|---------------|---------------------------------------------------------|--------------------|
| Feb. 29, 2008 | Control & Electrical Systems Design & Engineering Dept. | RS-5124650         |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

| Rev No. | Date          | History         | Approved by | Reviewed by | Prepared by |
|---------|---------------|-----------------|-------------|-------------|-------------|
| 0       | Feb. 29, 2008 | The first issue | T.Ito       | T. Ito      | T.Hayashi   |


### Document Review Sheet

| Review Results | ☑ Acceptable | □ Acceptable with Unverified Portions | □ Not Acceptable |
|----------------|--------------|---------------------------------------|------------------|
| Comments       | NONE         |                                       |                  |

| Items                            |       | Results |       |
|----------------------------------|-------|---------|-------|
| Is the document complete?        | ☑ YES | □ NO    | □ N/A |
| Are the descriptions correct?    | ☑ YES | □ NO    | □ N/A |
| Are the descriptions consistent? | ☑ YES | □ NO    | □ N/A |
| Are the descriptions accurate?   | ☑ YES | □ NO    | □ N/A |

Independent Reviewer (Sign & Date): (signature) Feb. 29, 2008

### **Table of Contents**

- 1 Purpose
- 2 References
- 3 V&V activities
  - 3.1 Unit and Module Validation Testing
  - 3.2 Document Reviews
  - 3.3 Unit/Module Validation Phase RTM effort
  - 3.4 Assessment of Test Equipment Software
  - 3.5 Issuance of the Unit/Module VVR
  - 3.6 Configuration and Security Issues
- 4 Problem Reporting and Corrective Actions
- 5 Metrics
- 6 Findings and Recommendations, and Conclusions
- 7 Abbreviations
- Appendix

# 1 Purpose

This report summarizes the Unit/Module Validation Testing Phase Verification & Validation (V&V) activities that Toshiba has performed in accordance with the Non Re-Writable Field Programmable Gate Array (NRW-FPGA) Based Power Range Monitor (PRM) System Qualification Project Verification and Validation Plan (VVP) (Reference 2).

The previous phase, the Implementation & Integration Phase (Implementation Phase), implemented and tested operation of the individual FPGAs. The Implementation Phase tested the FPGAs against the requirements from the Design. This phase, the Unit/Module Validation Testing Phase, integrates the FPGAs onto printed circuit boards within modules, and integrates modules into units.

As in the Requirements Phase, the Design Phase, and the Implementation Phase, the Toshiba Nuclear Instrumentation & Control Systems Department (NICSD) performed V&V activities for the Unit/Module Validation Testing Phase in accordance with the NICSD VVP (Reference 3). NICSD issued the Unit/Module Validation Testing Phase V&V Reports (VVR) (Reference 8), and the V&V Final Report (Reference 9). The NICSD V&V Final Report included the result of the Unit/Module validation testing and the summaries of the NICSD V&V activities.

This report evaluates the NICSD VVR through the Unit/Module Validation Testing Phase VVR and the NICSD V&V Final Report, and describes the V&V activities assigned and performed by the Toshiba Nuclear Energy Systems and Services Division (NED). The NED concludes that the work performed by NICSD was acceptable after review and approval of these NICSD and NED reports.

# 2 References

- 1 FPG-PLN-C51-0002 Software Quality Assurance Plan, Rev. 2
- 2 FPG-PLN-C51-0006 NRW-FPGA-Based PRM System Qualification Project Verification and Validation Plan, Rev. 4
- 3 FPG-VDN-C51-0003 NICSD, Verification & Validation Plan, Rev. 2
- 4 FPG-DRT-C51-0014 Implementation and Integration Phase V&V Report, Rev. 0
- 5 FPG-DRT-C51-0021 Unit/Module Validation Testing Phase PHA Report, Rev. 0
- 6 FPG-VDN-C51-0076 Requirements Phase RTM Report, Rev. 1
- 7 FPG-VDN-C51-0122 Unit/Module Validation Phase RTM Report, Rev. 0
- 8 FPG-VDN-C51-0121 NICSD, Unit/Module Validation Testing Phase V&V Report, Rev. 2
- 9 FPG-VDN-C51-0126 NICSD, V&V Final Report, Rev. 2
- 10 FPG-VDN-C51-309 NICSD, Verification and Validation Plan, Rev. 0
- 11 FPG-VDN-C51-313 NICSD, Unit/Module Validation Testing Phase RTM Report, Rev.0
- 12 FPG-VDN-C51-310 NICSD, V&V Final Report, Rev. 0
- 13 NICSD D-67003 NICSD Procedural Standard for Software Media Registration and Change, Rev. 9
- 14 9H8H0232, Over Clock Test Report
- 15 Nonconformance Notice Report 06-002-I
- 16 Vendor Nonconformance Notice Report 06-012

# 3 V&V activities

The NED VVP states that the Unit/Module Validation Testing Phase V&V shall be performed with the defined inputs and outputs. For this phase, Toshiba defines input documents as Base Documents in the list below. For all phases, Toshiba defines output documents as Review Documents in the list below. It is possible for Toshiba to have documents that are inputs to and modified in this phase, which Toshiba defines as Base Documents and Review Documents below:

#### V&V Inputs:

- (1) Module validation test procedures (Base Document and Review Document)
- (2) Unit validation test procedures (Base Document and Review Document)
- (3) Module validation test reports (Review Document)
- (4) Unit validation test reports (Review Document)
- (5) User Documentation for Unit and Module (Review Document)
- (6) Requirements Definition Phase Requirements Traceability Matrix (RTM) (Base Document)
- (7) Preliminary Hazard Analysis (PHA) Report (Review Document)

#### V&V Outputs:

- (1) Document Review Reports (by NICSD and NED)
- (2) Unit/Module Validation Phase RTM (by NICSD)
- (3) NICSD Unit/Module Validation Testing Phase VVR (by NICSD)
- (4) Unit/Module Validation Testing Phase VVR (by NED)

The NICSD V&V team reported the results of the Unit/Module Validation Testing Phase V&V activities in the NICSD Unit/Module Validation Testing Phase VVR (Reference 8) and the NICSD V&V Final Report (Reference 9).

The NICSD Unit/Module Validation Testing Phase VVR explained how NICSD tested modules and units in the Unit/Module Validation Testing. The NED V&V team reviewed and approved the description of module and unit fabrication from this report.

NICSD recorded the FPGA fusemap files, for which FPGA testing was finished in the Implementation Phase, on write-once CD-Rs, and registered the fusemaps in accordance with NICSD procedure D-67003 (Reference 13). NICSD sent copies of the registered CD-Rs to Toshiba Design and Manufacturing Service Corporation (TDMS), where the fusemap files were embedded in the FPGAs, and the FPGAs were mounted in the module boards. TDMS fabricated the modules that NICSD tested in the Unit/Module Validation Testing, using the same processes that Toshiba plans to use for FPGA products that would be shipped to customers for installation.

#### 3.1 Unit and Module Validation Testing

NICSD performed the Unit and Module validation testing by testers who were independent of the design group. NICSD performed testing following individual test procedures prepared for each module or unit. Engineers who did not contribute to the design prepared these test procedures before the tests were performed.

#### 3.1.1 Test Environment and Setup

This section explains the test environment and setup for testing several modules. The Local Power Range Monitor (LPRM), Transmit (TRN) and Receive (RCV) module testing are explained as examples of testing performed on all modules. In addition, the Local Power Range Monitor / Average Power Range Monitor (LPRM/APRM) unit testing is explained as an example of testing a unit.




Figure 3-1 Test Setup for the LPRM module validation testing

#### 3.1.1.2 TRN and RCV Module Testing

In the TRN and RCV module validation testing, up to pairs of the TRN and RCV modules were mounted in the pairs of the TRN and RCV modules module was linked together with fiber optic cable, enabling data transmission from the TRN module to the RCV module. In the TRN module testing, the associated RCV module behaved as a part of the test equipment, and vice versa.

#### TOSHIBA CORPORATION Nuclear Energy Systems & Services Division


#### 3.1.1.3 LPRM/APRM Unit Testing

Figure 3-3 shows the test setup for the LPRM/APRM unit validation testing. The LPRM/APRM unit contains LPRM, APRM, analog output (AO), discrete input and output (DIO), TRN, RCV, BLANK, and LVPS modules. This test verifies correct integrated operation of all modules,

#### LPRM Unit

NICSD used an LPRM unit to test the LPRM/APRM and LPRM units in integrated testing. NICSD did not use the Test PC to simulate the LPRM unit during this testing.

Test PC



Figure 3-3 Test Setup for the LPRM/APRM unit validation testing


#### 3.1.2 Test Items

The test items in the LPRM module testing, the TRN module testing, and the LPRM/APRM unit testing are explained below.

#### 3.1.2.1 LPRM Module Testing

#### <u>Appearance, Structure, Power Supply, Frequency, Power Consumption, and Internal Voltage Adjustment</u>

Prior to LPRM module testing, NICSD checked the following items:


#### **Functional Testing**

In functional testing, the behaviors and the output signals from the LPRM module were checked by varying the input signals into the LPRM module in accordance with the requirements from the LPRM module specification.


#### LPRM Characteristic Testing

This testing included linearity, gain accuracy, frequency response, and LPRM alarm accuracy testing. The test equipment controlled the linearity testing and the gain accuracy testing with its automatic test functions.

Linearity Testing

Gain Accuracy Testing

Frequency Response Testing

LPRM Alarm Accuracy Testing


<u>Environmental Testing</u>

Power Supply Voltage Testing

Environmental Temperature Testing

#### 3.1.2.2 TRN Module Testing

#### <u>Appearance, Structure, Power Supply, Frequency, Power Consumption, and Internal Voltage Adjustment</u>

**Functional Testing** 


#### **Environmental Testing**

The following items were tested in the environmental testing.

Power Supply Voltage

Environmental Temperature

#### 3.1.2.3 LPRM/APRM Unit Validation Testing

Appearance, Structure, Weight, and Initial Setup

Before testing the LPRM/APRM unit, NICSD checked the following items:

#### **Functional Testing**

The functional testing checked the LPRM/APRM unit self-diagnostic functions.


LPRM Level Analog Output Response Time

<sup>1</sup> SRI: Selective Rod Insertion


**Combination Testing** 

#### 3.1.2.4 Other Module and Unit Validation Testing

For the other modules, NICSD performed validation testing in a similar manner to the LPRM module validation testing. The following paragraphs describe the differences between LPRM module testing and the module validation testing performed.

APRM module validation testing

SQ-ROOT module validation testing

FLOW module validation testing


#### STATUS module

The BLANK, Analog Output, and Discrete Input and Output modules do not require an FPGA.

BLANK module

AO module

DIO module

For DI, similar testing was performed.

LPRM unit


FLOW unit

#### 3.1.3 Performing Testing

Each module and unit test procedure provided special forms for data recording during testing. Each form specified the input signal values with the desired output signal values, and areas for the test engineer to record test results. The tester compared the desired output signal values and acceptance limits with the actual output signal values in the testing. When values were within acceptance limits, the tester recorded the test result on the form as "satisfactory." If values were not within accepted limits, the tester would issue the Problem Report Sheet on the problem. Then, the NICSD engineers would resolve the problem. At the end of the testing, the module and unit testing reports, including these forms, were prepared for each module and unit.

The RTM efforts described in Section 3.3, Unit/Module Validation Phase RTM effort, confirmed that the above testing covered all requirements in the Unit/Module Equipment Design Specifications.

The testers were independent of the design engineers. The tester performed the module and unit validation testing following the test procedures listed in Table 3-3. The tester recorded the test results in the test reports listed in Table 3-4. The test reports stated that the results of the module and unit validation testing were satisfactory. The NICSD V&V team reviewed the test reports, and confirmed the results.

In the functional testing, the FPGAs operated at their design frequency, the frequency at which Toshiba designed the FPGAs to operate. The crystals used in the modules come from their manufacturers with very accurate frequencies. The datasheet shows that the accuracy is $\pm 0.01\%$ in the $-20^{\circ}$C to $+70^{\circ}$C temperature range, which covers the worst possible environmental conditions.

margins.

| No | Module Name | Design Frequency (Megahertz) | Clock Increase and Decrease [ ]% | Higher Frequency Testing |
|----|-------------|------------------------------|----------------------------------|--------------------------|
| 1 | LPRM module | | Satisfactory | Beyond [ ] megahertz the LPRM level on the front panel display decreased gradually. Note that [ ] MHz is [ ]% greater than the design frequency. |
| 2 | APRM module | | Satisfactory | Beyond [ ] megahertz, the number of the LPRMs on the front panel display decreased. |
| 3 | SQ-ROOT module | | Satisfactory | Beyond [ ] megahertz, the watchdog timer indicated a failure. |
| 4 | FLOW module | | Satisfactory | Beyond megahertz, the watchdog timer indicated a failure. |
| 5 | STATUS module | | Satisfactory | Beyond [ ] megahertz, the watchdog timer indicated a failure. |
| 6 | RCV module | | Satisfactory | Beyond megahertz, the watchdog timer indicated a failure. |
| 7 | TRN module | | Satisfactory | Beyond [ ] megahertz, the watchdog timer indicated a failure. |

#### Table 3-2 Over-clocking Testing Results Summary

#### 3.2 Document Reviews

#### 3.2.1 NICSD Document Reviews

The NED VVP requires the NICSD V&V team to review the following documents:

- (1) Module validation test procedures
- (2) Unit validation test procedures
- (3) Module validation test reports
- (4) Unit validation test reports
- (5) User Documentation for Unit and Module

#### Reviews of Module and Unit Validation Test Procedures

NICSD prepared the module test procedures and the unit test procedures listed in Table 3-3 for Unit/Module Validation Testing. The table contains the test procedure name, highest revision level, and a remarks column. The remarks column defines the device type to which the procedures are applicable.

The NICSD Unit/Module Validation Testing Phase VVR reported that the NICSD V&V team had reviewed those test procedures for completeness, correctness, consistency, and accuracy, as required in the NED and NICSD VVPs. The NED V&V team checked all unit test procedures and module test procedures along with the reviews of the RTM described in Section 3.3, and concluded that the NICSD V&V team reviews were appropriate.

#### Reviews of Module and Unit Validation Test Reports

The NICSD Final VVR reported that the NICSD V&V team had confirmed the module validation test reports and the unit validation test reports listed in Table 3-4 from the following perspectives, as required in the NICSD VVP:

- Each test followed the test procedure.
- Testing checked all test items described in the test procedure.
- The tester documented Pass/Fail judgments based on the criteria defined in the test procedure.

#### Table 3-3 Unit and Module Testing Procedures

(Copied and Translated from the NICSD Unit/Module Validation Testing Phase VVR)

| No. | Name                          | Doc No. (NICSD number) | Rev | Remark               |
|-----|-------------------------------|----------------|-----|-----------------------------|
| 1   | LPRM Unit Test Procedure      | 5T8H6724       | 3   | HNU100                      |
| 2   | LPRM/APRM Unit Test Procedure | 5T8H6725       | 3   | HNU200                      |
| 3   | FLOW Unit Test Procedure      | 5T8H6726       | 5   | HNU300                      |
| 4   | LPRM Module Test Procedure    | 5T8H6727       | 3   | HNS011                      |
| 5   | APRM Module Test Procedure    | 5T8H6728       | 3   | HNS020                      |
| 6   | SQ-ROOT Module Test Procedure | 5T8H6729       | 3   | HNS030                      |
| 7   | FLOW Module Test Procedure    | 5T8H6730       | 2   | HNS040                      |
| 8   | STATUS Module Test Procedure  | 5T8H6731       | 3   | HNS091/HNS093               |
| 9   | BLANK Module Test Procedure   | 5T8H6732       | 1   | HNS490                      |
| 10  | LVPS Module Test Procedure    | 5T8H6733       | 3   | HNS500                      |
| 11  | AO Module Test Procedure      | 5T8H6734       | 4   | HNS511/HNS512/HNS513/HNS514 |
| 12  | DIO Module Test Procedure     | 5T8H6735       | 4   | HNS520                      |
| 13  | TRN Module Test Procedure     | 5T8H6736       | 4   | HNS530                      |
| 14  | RCV Module Test Procedure     | 5T8H6737       | 4   | HNS540                      |

As a result, the NICSD Final VVR concluded that NICSD had performed the validation testing appropriately, and the fabricated units and modules satisfied the functional requirements in the Unit/Module Equipment Design Specifications.

The NED V&V team made spot checks in the following test reports, which correspond to the modules selected in Section 3.1 of this report:

- LPRM module test report.
- TRN module test report.
- LPRM/APRM unit test report.

This project fabricated a large number of modules and spares, as follows:

- [ ]LPRM/APRM units
- [ ]LPRM units
- FLOW units
- [ ]LPRM modules
- [ ]APRM modules
- [ ]TRN modules
- [ ]RCV modules
- [ ]LVPS modules
- [ ]AO modules
- [ ]AO modules
- [ ]DIO modules
- [ ]SQ-ROOT modules
- [ ]FLOW modules
- [ ]STATUS modules
- [ ]BLANK modules

The test reports covered each individual device. The NED V&V team selected one sample from each LPRM, TRN, and LPRM/APRM unit test report, and checked the report. As a result, the NED V&V team concluded that the reviews of the NICSD V&V team on the test reports were acceptable.

#### Table 3-4 Results of Test Reports Review

(Copied and Translated from the NICSD Unit/Module Validation Phase VVR)

| No. |   | Unit/Module Name | Type   | Doc No. of Test Report (NICSD number) | Number of tested devices | Remark |
|-----|---|------------------|--------|---------------------------------------|--------------------------|--------|
| 1   |   | LPRM Unit        | HNU100 | ATC-060391  |  |  |
| 2   |   | LPRM/APRM Unit   | HNU200 | ATC-060392  |  |  |
| 3   |   | FLOW Unit        | HNU300 | ATC-060393  |  |  |
| 4   | 1 | LPRM Module      | HNS011 | ATC-060389  |  |  |
| 4   | 2 | LPRM Module      | HNS011 | ATC-060418  |  | Documented in another report, because of issues with one nonconforming module |
| 5   |   | APRM Module      | HNS020 | ATC-060390  |  |  |
| 6   |   | SQ-ROOT Module   | HNS030 | ATC-060385  |  |  |
| 7   |   | FLOW Module      | HNS040 | ATC-060386  |  |  |
| 8   | 1 | STATUS Module    | HNS091 | ATC-060387  |  | Use in the LPRM/APRM unit |
| 8   | 2 | STATUS Module    | HNS093 | ATC-060388  |  | Use in the LPRM and FLOW units. |
| 9   |   | BLANK Module     | HNS490 | ATC-060376  |  |  |
| 10  | 1 | AO Module        | HNS511 | ATC-060379* |  |  |
| 10  | 2 | AO Module        | HNS512 | ATC-060380* |  |  |
| 10  | 3 | AO Module        | HNS513 | ATC-060381* |  |  |
| 10  | 4 | AO Module        | HNS514 | ATC-060382* |  |  |
| 11  |   | DIO Module       | HNS520 | ATC-060378  |  |  |
| 12  |   | TRN Module       | HNS530 | ATC-060383  |  |  |
| 13  |   | RCV Module       | HNS540 | ATC-060384  |  |  |
| 14  |   | LVPS Module      | HNS500 | ATC-060377  |  |  |

\*ATC-060379, ATC-060380, ATC-060381, and ATC-060382 differ in their output voltage range.

#### Reviews of User Documentation

Section 5.6 of the NED VVP requires the following for user documentation:

"The NICSD design engineers shall prepare the Unit and Module user documentation, which includes the contents stated in Section 4.1.6 of SQAP at minimum. The NICSD V&V personnel shall perform an independent review of the user documentation."

Section 4.1.6 of the Software Quality Assurance Plan (SQAP) (Reference 1) stated that the purpose of user documentation is to provide sufficient information to users for installing, operating, and maintaining the PRM System. The SQAP also stated more specific requirements for user documentation, such as maintenance and surveillance recommendations, and other data needed to compute setpoint values with vendor-supplied uncertainties.

Section 5.5 of the NICSD VVP stated that the existing Unit/Module Equipment Design Specifications, which would be sufficient for Toshiba to provide to PRM users, met the purpose of the user documentation, and that NED should perform an independent review of these documents. Section 3.2 of the NICSD Unit/Module Validation Testing Phase VVR reported that the review in the Requirements Phase already included these documents.

The NED V&V team considered that the SQAP requirements were for user documentation that should be prepared for the PRM system, and required a broader document than the Unit/Module Equipment Design Specifications provided, in such areas as maintenance and surveillance recommendations. The NED V&V team concluded that the Unit/Module Equipment Design Specifications provided sufficient information required of the user documentation for this Unit/Module Validation Testing Phase, because according to NICSD, all test procedures were prepared based on the Unit/Module Equipment Design Specifications. As a result, the NED V&V team concluded that the NICSD review of the user documentation for this Unit/Module Validation Testing Phase was acceptable.

However, NED concludes that additional user documentation would be required for the PRM system users.

#### 3.2.2 NED Document Reviews

The NED VVP requires that the NED V&V team review the Unit/Module Validation Testing Phase PHA Report (Reference 5). The NED V&V team reviewed the Unit/Module Validation Testing Phase PHA report, and concluded that the PHA report and the following conclusions of the PHA report were acceptable:

"The concern from the Implementation Phase, if the FPGA operates at their design frequency, was resolved. Other possible hazards in this phase were surveyed, evaluated, and concluded as unlikely.

This Unit/Module Validation Phase PHA Report concludes that the risk remaining in this phase is minimal."

#### 3.3 Unit/Module Validation Phase RTM effort

The NICSD VVP requires the following:

"(1) Preparation of the Unit/Module Validation Testing Phase RTM

The engineer shall perform RTM activities that trace the requirements between the Unit/Module Validation Test Procedures and the Unit/Module Equipment Design Specifications.

The V&V team shall review the RTM, and verify the followings:

- 1) The basic requirements were traced to the Unit/Module Validation Test Procedures, i.e. all the requirements in the Unit/Module Equipment Design Specifications were reflected in the Unit/Module Validation Test Procedures.
- 2) The requirements were traced from the Unit/Module Validation Test Procedures back to the Unit/Module Equipment Design Specifications.


(2) Compilation of the Unit/Module Validation Testing Phase RTM

The Unit/Module Validation Testing Phase RTM Report shall include the RTM, any open items, and non-conformance items. The report shall also describe how the requirements were reflected in the Unit/Module Validation Test Procedures."

Based on this requirement, the NICSD V&V team established a separate RTM for each unit and module. Each RTM consisted of three columns. The left column was prepared based on the Requirements Phase RTM (Reference 6), and corresponded to the Requirements Phase. The center column corresponded to this Unit/Module Validation Testing Phase. The right column included some comments. In the left column, each row identified the section numbers of the Unit/Module Equipment Design Specification, including the requirements in the Requirements Phase. The associated cell in the center column of that row identified the section numbers of the Unit/Module Validation Test Procedure that could be traced from and to that requirement in the Unit/Module Equipment Design Specification. Thus, the Unit/Module Validation Testing Phase RTM showed the traceability between the Requirements Phase and this Unit/Module Validation Testing Phase.

The Appendix shows part of the Unit/Module Validation Testing Phase RTM on the LPRM/APRM unit.
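The two-way check that the RTM review performs, as an added example that is not NICSD's or Toshiba's tooling: it parses a three-column RTM like the one described above and reports requirements with no test section, test sections that trace to no requirement, and references to sections that do not exist. The pipe-separated layout, the section numbers and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RtmRow:
    """One RTM row: left, center and right column."""
    spec_section: str                                   # Equipment Design Specification section
    test_sections: list = field(default_factory=list)   # Validation Test Procedure sections
    comment: str = ""


def parse_rtm(text):
    """Parse 'spec | test, test | comment' lines (a constructed layout)."""
    rows = []
    for line in text.strip().splitlines():
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) != 3:
            raise ValueError(f"expected 3 columns, got {len(cells)}: {line!r}")
        spec, tests, comment = cells
        if not spec:
            raise ValueError(f"row has no specification section: {line!r}")
        rows.append(RtmRow(spec, [t.strip() for t in tests.split(",") if t.strip()], comment))
    return rows


def check_rtm(rows, spec_sections, test_sections):
    """Check traceability in both directions.

    spec_sections and test_sections are the section numbers that really exist
    in the specification and in the test procedure. A link only counts when
    both of its ends exist, so a mistyped section number cannot hide a gap.
    """
    spec_set, test_set = set(spec_sections), set(test_sections)
    links = {(r.spec_section, t) for r in rows for t in r.test_sections}
    valid = {(s, t) for s, t in links if s in spec_set and t in test_set}
    return {
        # Forward trace: requirement not reflected in any test procedure section.
        "untested_requirements": sorted(spec_set - {s for s, _ in valid}),
        # Backward trace: test procedure section with no requirement behind it.
        "untraced_test_sections": sorted(test_set - {t for _, t in valid}),
        # RTM cells that cite a section missing from the cited document.
        "unknown_spec_refs": sorted({r.spec_section for r in rows} - spec_set),
        "unknown_test_refs": sorted({t for _, t in links} - test_set),
    }


def rtm_is_complete(findings):
    """True when every finding list is empty."""
    return not any(findings.values())


# Constructed sample data, not taken from the Appendix RTM.
SAMPLE_RTM = """
4.1.1 | 6.2.1, 6.2.2 | traced
4.1.2 | 6.2.3, 6.2.7 | 6.2.7 is not in the procedure
4.2.1 |              | no test section assigned
4.3.9 | 6.4.1        | 4.3.9 is not in the specification
"""
SAMPLE_SPEC_SECTIONS = ["4.1.1", "4.1.2", "4.2.1", "4.3.1"]
SAMPLE_TEST_SECTIONS = ["6.2.1", "6.2.2", "6.2.3", "6.4.1", "6.5.1"]

if __name__ == "__main__":
    findings = check_rtm(parse_rtm(SAMPLE_RTM), SAMPLE_SPEC_SECTIONS, SAMPLE_TEST_SECTIONS)
    for name, sections in findings.items():
        print(f"{name}: {', '.join(sections) or 'none'}")
    print("RTM complete:", rtm_is_complete(findings))
```

Section 6.4.1 is reported as untraced because its only link points at a specification section that does not exist.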

Later, NICSD added two new module designs for enhanced Electromagnetic Interference (EMI) immunity, as replacements for the original module designs. NICSD established the new NICSD VVP (Reference 10) for these new modules, based on the original NICSD VVP (Reference 3), covering the differences of these modules from the older modules.

For the new EMI immunity enhanced modules, the FPG-VDN-C51-313 Unit/Module Validation Testing Phase RTM Report (Reference 11) and the Unit/Module Validation Testing portion of the FPG-VDN-C51-310 NICSD V&V Final Report (Reference 12) concluded that there was no difference in the FPGA designs for the new modules.

In order to verify the Unit/Module Validation Testing Phase RTM efforts, the NED V&V team checked the Unit/Module Validation Testing Phase RTM, and concluded that the Unit/Module Validation Testing Phase RTM efforts were appropriate and acceptable.

#### 3.4 Assessment of Test Equipment Software

The NED V&V team assessed the test equipment software used in the Unit/Module Validation Testing. The NICSD Unit/Module Testing Phase VVR reported that the NICSD Quality Control Group had tested each piece of the test equipment and test equipment software prepared for the LPRM, APRM, SQ-ROOT, FLOW, STATUS, TRN, RCV, AO, and DIO modules. NICSD tested the test equipment and software using the test procedures prepared for each piece of test equipment software, and recorded their results in test reports. NICSD performed the test outside this project scope. The NICSD VVR also reported that NICSD controlled the test procedures and test reports in accordance with NICSD Procedure D-67003. This required that NICSD had registered the test equipment and test equipment software in their system.

The NED V&V team interviewed the NICSD V&V team about the test equipment software testing, and concluded that the control of the test equipment software was acceptable.


#### 3.5 Issuance of the Unit/Module VVR

The NED VVP requires the NICSD V&V team to establish the NICSD Unit/Module Validation Testing Phase VVR including:

- (1) A description of how the V&V activities were completed.
- (2) A description of how NICSD demonstrated adherence to each software life cycle requirement and system requirement.
- (3) Copies of or references to the NICSD VVRs issued for the requirements phase through implementation phase.
- (4) References to the independent reviews of the unit and module hardware.
- (5) Copies of or references to Unit/Module Validation Test Reports, including the test specimen configuration.
- (6) Reference to the Unit/Module Validation Phase RTM.

The NICSD VVP divided the required "Unit/Module Validation Testing Phase VVR" into two reports, the Unit/Module Validation Testing Phase VVR (Reference 8), and the V&V Final Report (Reference 9). The NICSD V&V team issued these two VVRs at the end of this Unit/Module Validation Testing Phase. The Unit/Module Validation Testing Phase V&V Report included item (6) above, and the V&V Final Report included items (1) through (5) above.

The NICSD V&V Final Report summarized all V&V efforts made by NICSD, including:

- Summaries of V&V activities in each phase, from the Requirements Phase through this Unit/Module Validation Testing Phase.
- V&V activities on functional elements (FEs).
- Description of the hardware V&V activities, which explained that the hardware designs were independently reviewed and upper level requirements were traced to hardware.
- Configuration management activities.
- Description of the V&V management, which explained how problem reporting and corrective actions were made, how V&V tasks were iterated, and how the V&V Plan was changed.

#### 3.6 Configuration and Security Issues

TDMS, a Toshiba affiliate company, embedded the fusemaps in the FPGAs and fabricated the modules. The NED V&V team interviewed NICSD and TDMS personnel, and observed their activities to confirm that the FPGA fusemap files were appropriately embedded in the FPGAs.

The one-time writable CD-Rs that contained the fusemap files were registered and kept in a locked locker in the NICSD office. NICSD made copies of the CD-Rs in accordance with NICSD procedure D-67003, and sent the copies to TDMS with their registration numbers. TDMS gave special training to the personnel engaged in these FPGA-related tasks. The TDMS personnel followed the process on which they had been trained, and checked and recorded the CD-R registration numbers and the checksums unique to each fusemap every time they used the CD-Rs to embed the fusemaps into FPGAs.

Considering the process used for the fusemap files, the NED V&V team concluded that TDMS staff did and would succeed in embedding the fusemaps appropriately into the FPGAs.
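One way to automate the registration-number and checksum check described in this section, as an added example rather than the NICSD or TDMS procedure. The register layout, file name, registration numbers and the use of SHA-256 are assumptions; the page does not say which checksum was used.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RegisteredFusemap:
    """One row of a hypothetical fusemap register."""
    registration_no: str  # number assigned when the write-once CD-R was registered
    filename: str         # fusemap file recorded on that CD-R
    sha256: str           # checksum recorded at registration (SHA-256 is an assumption)


def file_sha256(path, chunk_size=65536):
    """Hash the file in chunks so a large fusemap need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_before_programming(register, registration_no, path, operator, usage_log):
    """Return True only if the copy matches the register; record every attempt."""
    entry = register.get(registration_no)
    actual = file_sha256(path)
    if entry is None:
        verdict = "REJECTED: registration number not in register"
    elif os.path.basename(path) != entry.filename:
        verdict = "REJECTED: file name differs from registered name"
    elif not hmac.compare_digest(actual, entry.sha256):
        verdict = "REJECTED: checksum differs from registered checksum"
    else:
        verdict = "ACCEPTED"
    # Rejected attempts are logged too, so the record shows every use of a disc.
    usage_log.append({
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "registration_no": registration_no,
        "file": os.path.basename(path),
        "sha256": actual,
        "verdict": verdict,
    })
    return verdict == "ACCEPTED"


def run_demo():
    """Constructed scenario: a good copy, an altered copy, an unregistered disc."""
    usage_log = []
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "trn_fpga1.fus")  # constructed file name
        with open(good, "wb") as fh:
            fh.write(b"CONSTRUCTED-FUSEMAP-IMAGE\n" * 64)
        register = {
            "REG-0001": RegisteredFusemap("REG-0001", "trn_fpga1.fus", file_sha256(good)),
        }
        results = [check_before_programming(register, "REG-0001", good, "operator-a", usage_log)]

        # Same name and registration number, but one bit of the copy has changed.
        altered_dir = os.path.join(workdir, "altered")
        os.mkdir(altered_dir)
        altered = os.path.join(altered_dir, "trn_fpga1.fus")
        with open(good, "rb") as src:
            data = bytearray(src.read())
        data[10] ^= 0x01
        with open(altered, "wb") as dst:
            dst.write(data)
        results.append(check_before_programming(register, "REG-0001", altered, "operator-a", usage_log))

        # A disc whose registration number was never entered in the register.
        results.append(check_before_programming(register, "REG-9999", good, "operator-b", usage_log))
    return results, usage_log


if __name__ == "__main__":
    outcomes, log = run_demo()
    for record in log:
        print(record["registration_no"], record["file"], record["verdict"])
```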

# 4 Problem Reporting and Corrective Actions

The NICSD Unit/Module Validation Testing Phase VVR (Reference 8) reported that 33 Problem Reporting Sheets (PRSs) were issued during the Unit/Module Validation Testing. NICSD classified the PRSs in Table 4-1.

The NICSD Unit/Module Validation Testing Phase VVR reported that the NICSD V&V team confirmed those PRSs including their corrections, and concluded that all problems were resolved. The NED V&V team reviewed the NICSD Unit/Module Validation Testing Phase VVR, interviewed the NICSD V&V team, and agreed with the NICSD V&V team.

#### **Table 4-1 Classifications of PRSs**

Notice Report (NNR) 06-002-I (Reference 15).

- "V&V reports for each phase were not attached to the final V&V report. The result of confirmation that hardware design documents are reviewed by independent reviewer was not described in the final V&V report."

These nonconformances corresponded to the problems that were reported in the Vendor Nonconformance Report (VNNR) 06-012 (Reference 16). The NED V&V team confirmed the resolution of the problems through the NICSD Unit/Module Validation Testing Phase VVR (Reference 8) and the NICSD Final V&V Report (Reference 9), and closed NNR 06-002-I.

# 5 Metrics

NED and NICSD used the number of changes applied to newer revisions of individual documents and the number of the Nonconformance Notice Reports as the metrics for NED and NICSD V&V activities. Note that the number of PRS relating to test procedures resulted in changes to the test procedures, and not in changes to modules or FPGA logic.

Section 5 of the NICSD Unit/Module Validation Testing Phase VVR (Reference 8) reported that:

- (1) NED only issued Nonconformance Notice Report for the NICSD V&V activities.
- (2) The number of changes applied to newer revisions of each Unit/Module Test Procedure decreases as revisions proceed. The issues identified were resolved adequately. The total number of remaining issues in the documents should be small.

NED considers the number of NNR acceptable, because the number of the NNR is small.

Table 5-1 shows the number of changes applied to newer revisions of each Unit/Module Test Procedure, which NED copied and translated from the NICSD Unit/Module Validation Testing Phase VVR. Checking the table, NED concludes that the NICSD Unit/Module Validation Testing Phase VVR is acceptable.

#### Table 5-1 Number of Updates applied to the Test Procedures

| No. | Name | Doc No. (NICSD number) | Rev. | Type of Changes: Corrections | Type of Changes: Additions | Type of Changes: Others | Total |
|-----|------|------------------------|------|------------------------------|----------------------------|-------------------------|-------|
| 1   | LPRM Unit Test Procedure | 5T8H6724 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 2   | LPRM/APRM Unit Test Procedure | 5T8H6725 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 3   | FLOW Unit Test Procedure | 5T8H6726 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
|     |  |  | 4 |  |  |  |  |
|     |  |  | 5 |  |  |  |  |
| 4   | LPRM Module Test Procedure | 5T8H6727 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 5   | APRM Module Test Procedure | 5T8H6728 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 6   | SQ-ROOT Module Test Procedure | 5T8H6729 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 7   | FLOW Module Test Procedure | 5T8H6730 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
| 8   | STATUS Module Test Procedure | 5T8H6731 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 9   | BLANK Module Test Procedure | 5T8H6732 | 1 |  |  |  |  |
| 10  | LVPS Module Test Procedure | 5T8H6733 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
| 11  | AO Module Test Procedure | 5T8H6734 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
|     |  |  | 4 |  |  |  |  |
| 12  | DIO Module Test Procedure | 5T8H6735 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
|     |  |  | 4 |  |  |  |  |
| 13  | TRN Module Test Procedure | 5T8H6736 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
|     |  |  | 4 |  |  |  |  |
| 14  | RCV Module Test Procedure | 5T8H6737 | 1 |  |  |  |  |
|     |  |  | 2 |  |  |  |  |
|     |  |  | 3 |  |  |  |  |
|     |  |  | 4 |  |  |  |  |

(Copied and Translated from the NICSD Unit/Module Validation Phase VVR)

# 6 Findings and Recommendations, and Conclusions

The NED V&V team reviewed the NICSD V&V activities and concluded that the Unit/Module Validation Testing Phase V&V activities were performed in accordance with the NICSD VVP, and covered all NED VVP requirements.

The NED V&V team concluded that the Unit/Module Validation Testing Phase V&V activities were acceptable.

Although user documentation was reviewed in this Unit/Module Validation Testing Phase, additional user documentation is required for the PRM system.

# 7 Abbreviations

| AO    | Analog Output                                        |
|-------|------------------------------------------------------|
| APRM  | Average Power Range Monitor                          |
| BYP   | Bypass                                               |
| DIO   | Discrete Input and Output                            |
| DIP   | Dual In-line Package                                 |
| EMI   | Electro Magnetic Interference                        |
| FE    | Functional Element                                   |
| FP    | Frame Pulse                                          |
| FPGA  | Field Programmable Gate Array                        |
| GPIB  | General Purpose Interface Bus                        |
| Ical  | Calibration Current                                  |
| I/V   | Current to Voltage                                   |
| LEDs  | Light Emitting Diodes                                |
| LPRM  | Local Power Range Monitor                            |
| LSB   | Least Significant Bit                                |
| LVPS  | Low Voltage Power Supply                             |
| MSB   | Most Significant Bit                                 |
| NED   | Nuclear Energy Systems and Services Division         |
| NICSD | Nuclear Instrumentation & Control Systems Department |
| NNR   | Nonconformance Notice Report                         |
| NRW   | Non Re-Writable                                      |
| OP    | Operate                                              |
| PHA   | Preliminary Hazard Analysis                          |
| PRM   | Power Range Monitor                                  |
| PRS   | Problem Reporting Sheet                              |
| RTM   | Requirements Traceability Matrix                     |
| RCV   | Receive                                              |
| SQAP  | Software Quality Assurance Plan                      |
| SRI   | Selective Rod Insertion                              |
| TDMS  | Toshiba Design and Manufacturing Service Corporation |
| TRN   | Transmit                                             |
| USB   | Universal Serial Bus                                 |
| VVP   | Verification and Validation Plan                     |
| VVR   | Verification and Validation Report                   |
| V&V   | Verification and Validation                          |

# Appendix

#### Example of the Unit/Module Validation Testing Phase RTM (LPRM/APRM unit) (Copied and Translated from the NICSD RTM Report)

| Requirements Definition Phase | Validation Testing Phase | Remark |
|-------------------------------|--------------------------|--------|
| Unit Equipment Design Specification | Unit Validation Test Procedure |  |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division




**Nuclear Instrumentation & Control Systems Department** 


FPG-DRT-C51-1000 Rev.2

FPG-DRT-C51-0016 Rev.1 Attachment-6

| Rev No. | Date           | Description                 | Approved by                | Reviewed by                | Prepared by              |
|---------|----------------|-----------------------------|----------------------------|----------------------------|--------------------------|
| 0       | See Cover Page | Initial Issue               | See Cover Page             | See Cover Page             | See Cover Page           |
| 1       | Aug.17,2012    | See DECN-FPG-DRT-C51-1000-1 | H. Kitazono<br>Aug.17,2012 | H. Kitazono<br>Aug.17,2012 | T. Yonaha<br>Aug.17,2012 |
| 2       | See Cover Page | See DECN-FPG-DRT-C51-1000-2 | See Cover Page             | See Cover Page             | See Cover Page           |


### Table of Contents

- 1 Purpose
- 2 Background
- 3 Scope
- 4 Abbreviations
- 5 References
- 6 Implementation and Integration Phase V&V Reporting (Supplemental Report for FPGA Retesting)
  - 6.1 FPGA Test Procedure Review
  - 6.2 FPGA Retesting
    - 6.2.1 FPGA Retesting
    - 6.2.2 FPGA Test Report Review
    - 6.2.3 Re-Establishment of Software Baseline
  - 6.3 Software Tool Control Review
  - 6.4 Implementation and Integration Phase RTM efforts
  - 6.5 Problem Reporting and Corrective Actions
  - 6.6 Metrics
  - 6.7 Findings, Recommendations, or Suggestions
- 7 Conclusion

# 1 Purpose

This report supplements the Implementation and Integration Phase V&V Report (Reference (7)) issued in the Non-Rewritable (NRW) - Field Programmable Gate Array (FPGA)-Based Power Range Neutron Monitoring (PRM) System Qualification Project (hereinafter referred to as "PRM Qualification Project").

This report documents the result of V&V activities performed by the Nuclear Instrumentation & Control Systems Department (NICSD) Independent Verification and Validation (IV&V) Team for retest activities on the FPGA logics for the PRM, which have been developed in the PRM Qualification Project.

# 2 Background

This section describes the background leading to retesting of the FPGA logics for the PRM, which were developed in the PRM Qualification Project that was completed in 2008.

In 2011, Nuclear Energy Systems and Services Division (NED), NICSD, and Power Platform Development Department (PPDD) found a problem in the already completed PRM Qualification Project: a dynamic timing simulation had not been performed in the FPGA testing. NICSD issued the Fuchu Site Corrective Action Request (SCAR) (SCAR-11-013) in accordance with the NED Standard AS-300A009 "Corrective Action Request Application Procedure" (Reference (2)). As part of the disposition of the problem, the FPGA retesting was performed to include dynamic timing simulation.

# 3 Scope

The scope of this report is the V&V activities for FPGA retesting, which supplement the V&V activities that were performed in the Implementation and Integration Phase of the PRM Qualification Project.

# 4 Abbreviations

| APRM  | Average Power Range Monitor                                 |
|-------|-------------------------------------------------------------|
| DVR   | Design Verification Report                                  |
| FE    | Functional Element                                          |
| FPGA  | Field Programmable Gate Array (a programmable logic device) |
| IV&V  | Independent Verification and Validation                     |
| LPRM  | Local Power Range Monitor                                   |
| MCL   | Master Configuration List                                   |
| NED   | Nuclear Energy Systems & Services Division                  |
| NICSD | Nuclear Instrumentation & Control Systems Department        |
| NNR   | Nonconformance Notice Report                                |
| PPDD  | Power Platform Development Department                       |
| SCAR  | Fuchu Site Corrective Action Request                        |
| VFS   | Verification Follow Sheet                                   |
| V&V   | Verification and Validation                                 |
| VHDL  | Very High Speed Integrated Circuit Hardware Description Language |
| VVP   | Verification and Validation Plan                            |

## 5 References

- (1) Toshiba Nuclear Energy Systems and Service Division AS-200A002 "Design Verification Procedure," Rev.8
- (2) Toshiba Nuclear Energy Systems and Service Division AS-300A009 "Corrective Action Request Application Procedure," Rev.15
- (3) Toshiba Power Platform Development Department E-68017 "PPDD Procedural Standard for FPGA Device Development," Rev.8
- (4) Toshiba Power Platform Development Department E-68019 "PPDD Procedural Standard for FPGA Configuration Management," Rev.6
- (5) Toshiba Power Platform Development Department E-68020 "PPDD Procedural Standard for Control of Software Tools for FPGA-based Systems," Rev.6
- (6) NRW-FPGA-Based I&C System Qualification Project, FA32-3709-1000 "Nuclear Instrument & Control Systems Department Verification & Validation Plan for FPGA-Based Safety-Related Systems," Rev. 3
- (7) NRW-FPGA-Based PRM System Qualification Project, 5B8H6112 "Implementation and Integration Phase V&V Report," Rev. 4
- (8) NRW-FPGA-Based PRM System Qualification Project, 5B8H6117 "Master Configuration List," Rev. 7

## 6 Implementation and Integration Phase V&V Reporting (Supplemental Report for FPGA Retesting)

The NICSD IV&V Team performed part of the Implementation and Integration Phase V&V activities for FPGA retesting in accordance with Section 5.5 of the NICSD VVP (Reference (6)) to supplement the V&V activities that were performed in the Implementation and Integration Phase of the PRM Qualification Project.

This section is organized in the following subsections.

- 6.1 FPGA Test Procedure Review
- 6.2 FPGA Retesting
- 6.3 Software Tool Control Review
- 6.4 Problem Reporting and Corrective Actions
- 6.5 Metrics
- 6.6 Findings, Recommendations, or Suggestions

### 6.1 FPGA Test Procedure Review

Table 6-1 lists the FPGA Test Procedures that have been reviewed. The reviews were performed in accordance with Section 4.6.1 of the NICSD VVP (Reference (6)) that requires document review in accordance with NED AS-200A002 "Design Verification Procedure" (Reference (1)). Table 6-1 refers to the Design Verification Report (DVR). NED AS-200A002 defines the use of the DVR as a design verification report.

PPDD revised all the [ ]<sup>a,c</sup> FPGA Test Procedures listed in Table 3-3-1a of the Implementation and Integration Phase V&V Report (Reference (7)) in the PRM Qualification Project to add test specifications of the retest to include dynamic timing simulation requirements.

After the revision to include dynamic timing simulation requirements, PPDD reported to NICSD that the FPGA tester found clerical errors in Revision 2 of LPPARAM FPGA Test Procedure (No. 20 of Table 6-1). NICSD issued SCAR-11-029 requesting PPDD to take corrective actions. As a disposition of this problem, the FPGA Test Procedures of No. [ ]<sup>a,c</sup> in Table 6-1 were revised to correct clerical errors. Refer to Section 6.4.

NICSD did not issue DVRs for Revision 4 of APLPRCV FPGA Test Procedure (No. 7 in Table 6-1), Revision 4 of FLPANEL FPGA Test Procedure (No. 25 in Table 6-1), and Revision 5 of SQPANEL FPGA Test Procedure (No. 30 in Table 6-1), because PPDD withdrew these revisions of the FPGA Test Procedures during the document reviews by the NICSD IV&V Team and issued revised FPGA Test Procedures.

The NICSD IV&V Team performed an independent review of these procedures. The NICSD IV&V Team verified that a sentence "Simulation shall be performed for all the types of delay information included in the delay information file (i.e. Typ, Max, and Min)" was added in Section 6.1 "VHDL functional test" of each of those FPGA Test Procedures. The NICSD IV&V Team also verified that the same test vectors as those used in the PRM Qualification Project were used and no change was made to them. The functional test to be performed using FPGA chips, as described in Section 6.2 "FPGA functional test" in each of those FPGA Test Procedures, was out of the scope of the retest, since the retests were concerned only with the dynamic timing simulation using a VHDL simulator.

Through the reviews of the revised FPGA Test Procedures, the NICSD IV&V Team concluded that it was acceptable to use the revised procedures for the FPGA retesting.

| No | Document Name               | Document No. | Rev. | Prepared by | Reviewed by | Approved by | Independent Reviewer | DVR No.        |
|----|-----------------------------|--------------|------|-------------|-------------|-------------|----------------------|----------------|
| 1  | TRNAD FPGA Test Procedure   | 8T8H3379     | 3    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000071 |
|    |                             |              | 4    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000130 |
| 2  | TRNUNIT FPGA Test Procedure | 8T8H3380     | 2    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000072 |
| 3  | TRNOPT FPGA Test Procedure  | 8T8H3381     | 2    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000073 |
| 4  | RCVUNIT FPGA Test Procedure | 8T8H3382     | 3    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000074 |
| 5  | RCVOPT FPGA Test Procedure  | 8T8H3383     | 2    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000077 |
| 6  | STSIF FPGA Test Procedure   | 8T8H3384     | 3    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000078 |
|    |                             |              | 4    | T. Kumagai  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000131 |
| 7  | APLPRCV FPGA Test Procedure | 8T8H3385     | 3    | N. Umemura  | S. Igawa    | S. Igawa    | K. Kasai             | DVR-JHS-000079 |
|    |                             |              | 4    | N. Umemura  | S. Igawa    | S. Igawa    | -                    | -              |
|    |                             |              | 5    | N. Umemura  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000169 |
| 8  | APAVE FPGA Test Procedure   | 8T8H3386     | 2    | N. Umemura  | S. Igawa    | S. Igawa    | K. Kasai             | DVR-JHS-000080 |
|    |                             |              | 3    | N. Umemura  | S. Shozaki  | S. Igawa    | K. Kasai             | DVR-JHS-000170 |

#### Table 6-1 FPGA Test Procedures Reviewed

TOSHIBA CORPORATION

Nuclear Instrumentation & Control Systems Department

-: None, this revision was superseded by the new revision before the review is completed.

The FPGA retests were performed for all the [ ] FPGAs used in the PRM. The V&V activities related to the FPGA retest are reported below.


#### 6.2.1 FPGA Retesting

This FPGA retesting was performed by FPGA testers under the dedicated test environment in the PPDD development room during the period of December 14<sup>th</sup>, 2011 through March 8<sup>th</sup>, 2012.

Except for the items specified below, the test environment, test setup, test items for VHDL functional tests, and acceptance criteria by test item were all the same as those specified in Section 3.2 of the Implementation and Integration Phase V&V Report (Reference (7)) in the PRM Qualification Project.

### Test Environment

Computers dedicated to testing, on which the VHDL simulator (ModelSim<sup>®</sup>) was installed and which were placed in the PPDD development room, were used. The security of the development room is controlled using [\_\_\_\_\_] to allow only authorized individuals to enter. The control status of the software tool used for this test is reported in Section 6.3.

### FPGA Testing

PPDD performed a dynamic timing simulation with the delay information in accordance with the FPGA Test Procedures approved by NICSD. See Section 6.1.

The NICSD IV&V Team performed oversight of the FPGA testing.

During this oversight, the NICSD IV&V Team found that the CD-Rs storing the VHDL source code to be used for FPGA testing had been kept without being renewed for longer than the [ ]year limit specified in the PPDD Standard E-68019 "PPDD Procedural Standard for Configuration Management" (Reference (4)). The NICSD IV&V Team issued a SCAR (SCAR-11-025). After checking and retrieving all the data recorded in the old CD-Rs without any problem, the NICSD IV&V Team determined that it was acceptable to use these data in the testing. See Section 6.4.

The NICSD IV&V Team confirmed and concluded that there were no problems with the processes to perform the tests and to prepare test reports.

#### 6.2.2 FPGA Test Report Review

PPDD submitted [ ] FPGA Test Reports listed in Table 6-2 to NICSD after completion of the retesting. The NICSD IV&V Team reviewed these reports. For the FPGA Test Reports of No. 23 and 26 in Table 6-2, NICSD did not issue DVRs for their Revision 0, because PPDD withdrew Revision 0 and issued Revision 1. The NICSD IV&V Team confirmed that these revisions were made to correct clerical errors and did not require retesting.

The NICSD IV&V Team confirmed that the dynamic timing simulation (i.e., VHDL functional test) was performed in accordance with the last revision of the FPGA Test Procedures listed in Table 6-1.

Figure 6-1 shows an example of a VHDL functional test result that was excerpted from Revision 0 of the [ ] FPGA Test Report (No. 1 of Table 6-2). The rows labeled "Input Signals" in the "Type" column show the input signals to the FPGA; the rows labeled "Expected Output Signals (Acceptance Criteria)" show the expected output signals from the FPGA against the input signals; the rows labeled "Record" in the "Type" column show the output signals from the FPGA obtained as the test result. The input signals were entered into the FPGA, and were changed in [ ] steps shown in Figure 6-1. The NICSD IV&V Team verified that the output signals matched the expected output signals. Thus, the NICSD IV&V Team verified that the test results satisfied the acceptance criteria, and concluded the test results for the TRNAD FPGA were satisfactory and acceptable.

The NICSD IV&V team concluded that the test results for all []FPGAs were satisfactory and acceptable.

### Table 6-2 FPGA Test Reports Reviewed

| No | Document Name | Document No. | Rev. | Prepared by | Reviewed by | Approved by | Independent Reviewer | DVR No. |
|----|---------------|--------------|------|-------------|-------------|-------------|----------------------|---------|

-: None, this revision was superseded by the new revision before the review is completed.


Table 4.1.1.1.1 Multiplexing Function (1/1)

| Type                                          | Signal Name | STEP |
|-----------------------------------------------|-------------|------|
| Input Signals                                 |             |      |
| Expected Output Signals (Acceptance Criteria) |             |      |
| Record                                        |             |      |
|                                               | Result      | Pass |

Note: This example was excerpted from Table 4.1.1.1.1 of TRNAD FPGA Test Report (9H8H1034 Rev.0) that was translated from Japanese into English.

#### Figure 6-1 Example of VHDL Functional Test Result


#### 6.2.3 Re-Establishment of Software Baseline

The PPDD design engineers re-established the software baseline of FPGA logics after the FPGA retesting was finished.

The software baseline includes the fusemaps, VHDL source code, Functional Element (FE) files and all the documents applicable as baseline. PPDD has re-established the software baseline to update the identification information of the FPGA Test Procedures and FPGA Test Reports included in the software baseline. In accordance with the PPDD Standard E-68017 "Procedural Standard for FPGA Device Development" (Reference (3)), the software baseline for FPGA logic has been maintained and controlled with the document and revision numbers of the FPGA Control Sheet, which is prepared for each FPGA logic. The NICSD IV&V Team confirmed that no changes have been made to the VHDL source code and fusemap qualified in the PRM Qualification Project. The NICSD IV&V Team confirmed that the FPGA Control Sheet identified the information of the FPGA Design Specification, FPGA Test Procedure, FPGA Test Report, VHDL source code, fusemap, tools used, and storage media, which comprised the software baseline. Table 6-3 lists the FPGA Control Sheets that have been checked.

Each of the FEs to be used for FPGAs was also included in the software baseline. As with the FPGAs, an FE Control Sheet was prepared for each FE to maintain and control those FEs. The NICSD IV&V Team confirmed that the FEs used in the PRM Qualification Project were maintained and not changed in this FPGA retest. The NICSD IV&V Team verified that the revision numbers of the FE Control Sheet used for each FPGA logic design were identified in the FPGA Design Specifications.

PPDD has performed configuration control for the components of the PRM System using the Master Configuration List (MCL) (Reference (8)), and has controlled the document numbers and revision numbers of the FPGA Control Sheet and the FE Control Sheet with the list. The NICSD IV&V Team checked that the MCL included the applicable revisions of the FPGA Control Sheets and the FE Control Sheets. Thus, the NICSD IV&V Team concluded that the software baseline for FPGA logic has been re-established.

#### Table 6-3 List of FPGA Control Sheets

| No. | FPGA Name | Fusemap Registration No. | FPGA Control Sheet No. | Rev. | Preparer | Reviewer | Approver | Reason for Revision |
|-----|-----------|--------------------------|------------------------|------|----------|----------|----------|---------------------|

## 6.3 Software Tool Control Review

PPDD had installed a software tool, VHDL simulator (ModelSim<sup>®</sup>) in the computers used for the FPGA retesting. The NICSD IV&V Team confirmed that the version of ModelSim<sup>®</sup> used for the FPGA retesting was the same as that used for the FPGA test in the PRM Qualification Project.

The NICSD IV&V Team confirmed that this software tool was controlled in accordance with the PPDD Standard E-68020 "PPDD Procedural Standard for Control of Software Tools Used with FPGA Based Systems" (Reference (5)) using the Software Tool Information Sheet for the software tool in Table 6-4. PPDD had verified that the VHDL simulator operated correctly on the computers prior to the FPGA retesting and documented this in the Installation Verification Sheets in Table 6-5. The Installation Verification Test Procedure and the Installation Verification Test Reports used for installation verification are listed in Table 6-6.

#### **Table 6-4 Software Tool Information Sheets**



## **Table 6-5 Installation Verification Sheets**

|     | Computer              |    | Software Tool |         | Installation Verification |      |          |          |          |
|-----|-----------------------|----|---------------|---------|---------------------------|------|----------|----------|----------|
| No. | Equipment Control No. | OS | Name          | Version | Sheet No.                 | Rev. | Preparer | Reviewer | Approver |

### **Table 6-6 Software Tool Verification Documents**

| No. | Name | Doc. No | Rev. | Remark |
|-----|------|---------|------|--------|

## 6.4 Implementation and Integration Phase RTM efforts

Requirements Traceability Matrices (RTMs) had been developed for the Implementation and Integration Phase, and documented in the 5B8H6108 "Implementation and Integration Phase Requirements Traceability Matrix Report" (RTM report). The RTMs compared FPGA Design Specifications and the FPGA Test Procedures. Though the FPGA Test Procedures were updated in these retesting activities, the updated portions were limited to inclusion of dynamic timing simulation requirements and correction of clerical errors as reported in Section 6.1. The RTMs did not trace a test method, such as dynamic timing simulation. The NICSD IV&V Team confirmed that the update of the FPGA Test Procedures had no effect on the existing RTMs, and concluded that the RTM report was still applicable without revision.

## 6.5 Problem Reporting and Corrective Actions

As reported in Sections 6.1 and 6.2.1, SCARs were issued for the problems found during the retest activities.

### SCAR-11-025

The PPDD Standard E-68019 "PPDD Procedural Standard for Configuration Management" (Reference (4)) requires the electronic data of the software baseline stored on CD-R to be backed up within a period not exceeding [ ]years from the day of the previous backup. During the oversight of the FPGA retesting, the NICSD IV&V Team found that the CD-R on which PPDD has stored the electronic data of the software baseline of the FPGA logic had been kept more than [ ]years after the data was written. NICSD issued the SCAR-11-025 requesting PPDD to take corrective actions.

After PPDD checked and retrieved the data in the CD-Rs without any problem, the NICSD IV&V Team determined that it was acceptable to use the data in the testing.

#### SCAR-11-029

PPDD reported to NICSD that PPDD found clerical errors in Revision 2 of LPPARAM FPGA Test Procedure (No. 20 of Table 6-1) after the revision to include dynamic timing simulation requirements. NICSD issued the SCAR-11-029 requesting PPDD to take corrective actions.

PPDD checked whether or not there is an error in the [ ] FPGA Test Procedures listed in Table 6-1, and corrected clerical errors in the FPGA Test Procedures of No. [ ] in Table 6-1. The NICSD IV&V Team reviewed the revised FPGA Test Procedures and determined that it was acceptable to use the revised procedures for the testing.


## 6.6 Metrics

Section 4.6.6 of the NICSD VVP (Reference (6)) defines metrics to be monitored. The NICSD IV&V Team monitors these metrics as follows:

(1) Number of changes applied for the design documents

The NICSD IV&V Team examined the changes that had been applied to revision of the FPGA Test Procedures, and classified them into the following types:

- **Corrections:** This type of change is made to correct any incorrect requirements, incorrect descriptions or errors.
- **Additions:** This type of change is made to add new design requirements or new information to the document.
- **Others:** This type of change is made to improve readability, and does not change any requirements nor add new information. Adding new sentences for clarification or explanation belongs to this type of change, as long as it does not add new information.

Table 6-7 shows the number of changes in the FPGA Test Procedures. A "\*1" in the Remarks column of a revision means the procedure was revised to contain the test requirements for dynamic timing simulation. After the revision to include dynamic timing simulation requirements, [ \_\_\_\_\_\_\_] were revised to correct clerical errors. The number of changes to No. 17 was large, because there were many similar test items to be revised that had the same clerical errors.


| No | Document Name | Document No. | Rev. | Type of Changes: Corrections | Type of Changes: Additions | Type of Changes: Others | Total | Remark |
|----|---------------|--------------|------|------------------------------|----------------------------|-------------------------|-------|--------|
|    |               |              |      |                              |                            |                         |       |        |

## Table 6-7 Number of Changes Applied to FPGA Test Procedures


Revisions with "\*1" in the Remark column mean the procedures were revised to contain the test requirements for dynamic timing simulation.

(2) Number of open items carried

None

(3) Number of open items closed in the current phase

None

(4) Number of Site Corrective Action Requests (SCARs)

[ ] SCARs [ ]<sup>a,c</sup> were issued during the V&V activities as reported in Section 6.4.

(5) Number of Site Nonconformance Notice Reports (SNNRs)

None

(6) Number of problems found during V&V testing

None

## 6.7 Findings, Recommendations, or Suggestions

Through the V&V activities for the FPGA retesting, the NICSD IV&V Team found a problem with media storage status, as reported in Section 6.4. This problem was dispositioned as reported in Section 6.4.

# 7 Conclusion

The NICSD IV&V Team concluded that the V&V activities for the FPGA retesting have been completed, supplementing the Implementation and Integration Phase V&V Report (Reference (7)) of the PRM Qualification Project.

The NICSD IV&V Team confirmed that the dynamic timing simulation of each FPGA was performed as defined in the revised FPGA Test Procedures, and obtained acceptable results. All the FPGAs passed the dynamic timing simulation testing without any logic change. This supplemental report does not change the previous conclusions of the Implementation and Integration Phase V&V Report (Reference (7)) of the PRM Qualification Project. No further V&V efforts for the Module Validation Testing Phase and the System Validation Testing Phase are necessary.


UTLR-0020NP Part VI Rev.1 August 2015

# **Topical Report**

Licensing Topical Report for Toshiba NRW-FPGA-based Instrumentation and Control System for Safety-Related Application

Part VI V&V report of the ABWR OPRM

Approved by Electrical System Design & Engineering Dept.

Masahiko Hamada

Toshiba Corporation Nuclear Energy Systems & Services Division

©2015 Toshiba Corporation All Rights Reserved


The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

TOSHIBA CORPORATION NUCLEAR ENERGY SYSTEMS & SERVICES DIV.

This is Part VI of the Licensing Topical Report (LTR) for Toshiba Non-Rewritable Field Programmable Gate Array-based (NRW-FPGA-based) Instrumentation and Control (I&C) System for Safety-Related Applications. This part contains the V&V reports for the Oscillation Power Range Monitor (OPRM) for Advanced Boiling Water Reactor (ABWR).

This LTR consists of the following six parts.

Part I describes the software lifecycle and development processes.

Part II provides the design description of the Power Range Monitor (PRM) for Boiling Water Reactor (BWR)-5 and the OPRM for ABWR and includes an application guide.

Part III describes the qualification results of the PRM for BWR-5 and the OPRM for ABWR.

Part IV provides compliance tables for Toshiba processes to important Codes and Standards.

Part V provides the BWR-5 PRM V&V report.

Part VI provides the ABWR OPRM V&V report.

Safety-Related

Toshiba Project Document No.: FC51-3704-0001, Rev. No.: 9

NRW-FPGA-Based I&C System Qualification Project Software Validation Report

Title: Nuclear Energy Systems and Services Division Verification and Validation Report for Oscillation Power Range Monitor (OPRM)

| Item | Value |
|------|-------|
| Customer Name | None |
| Project Name | NRW-FPGA-Based I&C System Qualification Project |
| Item Name | None |
| Item Number | C51 |
| Job Number | 9P04482 |
| Applicable Plant | None |

| Rev. No. | Issue Date | Description | Approved by | Reviewed by | Prepared by |
|----------|------------|-------------|-------------|-------------|-------------|
| 9 | Feb. 20 2015 | See DCN-FC51-3704-0001-009 | | | |

| Initial Issue Date | Issued by | Approved by | Reviewed by | Prepared by | Document filing No. |
|--------------------|-----------|-------------|-------------|-------------|---------------------|
| | | | | | |
| Verification and Validation Report<br>for Oscillation Power Range Monitor (OPRM)         Customer Name       None         Project Name       NRW-FPGA-Based I&C<br>System Qualification Project         Item Name       None         Item Name       None         Item Name       None         Item Name       None         Item Number       C51         Job Number       9P04482         Applicable Plant       None         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M: Thick       If Africa         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M: Thick       If Africa       If Abs. 20, 1         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M: Thick       If Abs. 20, 1       Feb. 20, 2015                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |               |                                               | Title: N     | uclear En                                     | ergy Syster      | ns and Serv           | vices Divis    | ion               |
| Customer Name       None         Project Name       NRW-FPGA-Based L&C         System Qualification Project       System Qualification Project         Item Name       None         Item Name       None         Item Number       C51         Job Number       9P04482         Applicable Plant       None         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Johnse       J. Haype-         9       Feb. 20 2015       Reviewed by       Prepared       J. Johnse         9       Feb. 
20 2015       Reviewed by                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |               |                                               | · · · ·      |                                               |                  | 1 1 1 1 1 1 1 1 1 1 1 |                | •.                |
| Project Name     NRW-FPGA-Based I&C       System Qualification Project       Item Name     None       Item Number     C51       Job Number     9P04482       Applicable Plant     None       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 
20 2015                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |               |                                               | <u>for (</u> | Dscillation                                   | n Power Ra       | nge Monito            | or (OPRM)      |                   |
| Project Name     NRW-FPGA-Based I&C       System Qualification Project       Item Name     None       Item Number     C51       Job Number     9P04482       Applicable Plant     None       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Tolkica     J. How Tolkica       9     Feb. 
20 2015                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |               |                                               |              |                                               | •                |                       |                |                   |
| Project Name     NRW-FPGA-Based I&C       System Qualification Project       Item Name     None       Item Number     C51       Job Number     9P04482       Applicable Plant     None       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. Hayse       g     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johna     J. 
Hayse <td>Custome</td> <td>r Nam</td> <td>e None</td> <td><br/>7.</td> <td>]</td> <td></td> <td></td> <td></td>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Custome       | r Nam                                         | e None       | <br>7.                                        | ]                |                       |                |                   |
| Item Name     None       Item Number     C51       Job Number     9P04482       Applicable Plant     None       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johne       9     Feb. 20 2015     Feb. 20,20/5     Feb. 20,20/5       9     Issue Date     Description     Approved by       9     Reviewed by     Prepared by     Document filing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |               |                                               |              |                                               | sed I&C          |                       |                |                   |
| Item Number     C51       Job Number     9P04482       Applicable Plant     None       9     Feb. 20 2015       See DCN-FC51-3704-0001-009     M. Tablica <i>feb. 20,2015</i> See DCN-FC51-3704-0001-009       Rev. No.     Issue Date       Description     Approved by       Reviewed by     Prepared       Initial Issue Date     Issued by       Approved by     Reviewed by       Prepared by     Document filing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
                    |               |                                               | Syste        | em Qualifica                                  | tion Project     |                       |                |                   |
| Job Number     9P04482       Applicable Plant     None       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Telera     J. Harge-<br>Feb. 20,2015       Rev. No.     Issue Date     Description     Approved by     Reviewed by       Initial Issue Date     Issued by     Approved by     Reviewed by     Prepared by                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
                    | Item Nan      | ne                                            | None         | e                                             | <u> </u>         |                       |                |                   |
| Applicable Plant       None         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Tablica       J. Harge-<br>Feb. 20,2015       J. Harge-<br>Table         9       Feb. 20 2015       See DCN-FC51-3704-0001-009       M. Tablica       J. J. Harge-<br>Feb. 20,2015       J. Harge-<br>Table 20,<br>Prepared         Rev. No.       Issue Date       Description       Approved by       Reviewed by       Prepared         Initial Issue Date       Issued by       Approved by       Reviewed by       Prepared by       Document filing         Initial Issue Date       Issued by       Approved by       Reviewed by       Prepared by       Document filing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                    |               |                                               |              |                                               |                  |                       |                |                   |
| 9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johina     J. Ito       9     Feb. 20 2015     See DCN-FC51-3704-0001-009     M. Johina     J. Ito     J. Ito       Rev. No.     Issue Date     Description     Approved by     Reviewed by     Prepared       Initial Issue Date     Issued by     Approved by     Reviewed by     Prepared by     Document filing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                    |               |                                               |              | · · · · · · · · · · · · · · · · · · ·         |                  |                       |                |                   |
| Feb. 20,2015     Feb. 20,2015     Feb. 20,2015       Rev. No.     Issue Date     Description     Approved by       Reviewed by     Reviewed by     Prepared       Initial Issue Date     Issued by     Approved by       Reviewed by     Reviewed by     Prepared                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                    | Applicab      | le Plar                                       | it None      | <u>, , , , , , , , , , , , , , , , , , , </u> |                  |                       |                |                   |
| Feb. 20,2015     Feb. 20,2015     Feb. 20,2015     Feb. 20,15       Rev. No.     Issue Date     Description     Approved by     Reviewed by     Prepared       Initial Issue Date     Issued by     Approved by     Reviewed by     Prepared       Initial Issue Date     Issued by     Approved by     Reviewed by     Prepared                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
                    |               |                                               |              |                                               |                  |                       |                |                   |
| Feb. 20,2015     Feb. 20,2015     Feb. 20,2015       Rev. No.     Issue Date     Description     Approved by       Reviewed by     Reviewed by     Prepared       Initial Issue Date     Issued by     Approved by       Reviewed by     Reviewed by     Prepared                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                    |               |                                               | ·            |                                               |                  | no tak                | 19             | t = 74            |
| Rev. No. | Issue Date | Description | Approved by | Reviewed by | Prepared by |
|----------|------------|-------------|-------------|-------------|-------------|
| 9 | Feb. 20 2015 | See DCN-FC51-3704-0001-0 | T. Maekawa | T. Ito | T. Hayashi |

| Initial Issue Date | Issued by | Approved by | Reviewed by | Prepared by | Document filing |
|--------------------|-----------|-------------|-------------|-------------|-----------------|
| Feb. 13, 2012 | Instrumentation & Control Systems | T. Maekawa<br>Feb. 13, 2012 | T. Ito<br>Feb. 13, 2012 | T. Hayashi<br>Feb. 13, 2012 | RS-5159667 |

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

| Rev No. | Date              | Description                | Approved by                | Reviewed by               | Prepared by                |
|---------|-------------------|----------------------------|----------------------------|---------------------------|----------------------------|
| 0       | See Cover<br>Page | Initial Issue              | See Cover<br>Page          | See Cover<br>Page         | See Cover<br>Page          |
| 1       | Feb 27, 2012      | See DCN-FC51-3704-0001-001 | T. Maekawa<br>Feb. 27 2012 | T. Ito<br>Feb 27. 2012    | T. Hayashi<br>Feb 27. 2012 |
| 2       | Aug. 23, 2012     | See DCN-FC51-3704-0001-002 | T. Maekawa<br>Aug. 23 2012 | T. Ito<br>Aug. 23<br>2012 | T. Hayashi<br>Aug. 23 2012 |
| 3       | Oct. 22, 2012     | See DCN-FC51-3704-0001-003 | T. Maekawa<br>Oct. 22 2012 | T. Ito<br>Oct. 22 2012    | T. Hayashi<br>Oct. 22 2012 |
| 4       | Nov. 13, 2012     | See DCN-FC51-3704-0001-004 | T. Maekawa<br>Nov. 13 2012 | T. Ito<br>Nov. 12 2012    | T. Hayashi<br>Nov.12 2012  |
| 5       | Nov. 13, 2012     | See DCN-FC51-3704-0001-005 | T. Maekawa<br>Nov. 13 2012 | T. Ito<br>Nov. 13 2012    | T. Hayashi<br>Nov.13 2012  |
| 6       | Nov. 14, 2012     | See DCN-FC51-3704-0001-006 | T. Maekawa<br>Nov. 14 2012 | T. Ito<br>Nov. 14 2012    | T. Hayashi<br>Nov.14 2012  |
| 7       | Nov. 16, 2012     | See DCN-FC51-3704-0001-007 | T. Maekawa<br>Nov.16, 2012 | T. Ito<br>Nov.15, 2012    | T. Hayashi<br>Nov.15, 2012 |
| 8       | Sep. 10, 2014     | See DCN-FC51-3704-0001-008 | M. Tahira<br>Sep.10, 2014  | T. Ito<br>Sep.10, 2014    | T. Hayashi<br>Sep. 9, 2014 |
| 9       | See Cover<br>Page | See Cover Page             | See Cover<br>Page          | See Cover<br>Page         | See Cover<br>Page          |

# **Table of Contents**

- 1 Introduction
- 2 Reference Documents
  - 2.1 Code of Federal Regulations
  - 2.2 Regulatory Guides and NRC Documents
  - 2.3 Industry Standards
  - 2.4 Toshiba Internal Documents
  - 2.5 Project Documents
- 3 Definitions and Acronyms
  - 3.1 Definitions
  - 3.2 Acronyms
- 4 Verification and Validation Overview
  - 4.1 Organization
  - 4.2 Master Schedule
  - 4.3 Software Integrity Level Scheme
  - 4.4 Resource Summary
  - 4.5 Responsibilities
  - 4.6 Tools, Techniques, and Methodologies
- 5 Verification and Validation Activities
  - 5.1 Management
  - 5.2 Project Planning and Concept Definition Phase
  - 5.3 Requirements Definition Phase
  - 5.4 Design Phase
  - 5.5 Implementation and Integration Phase
  - 5.6 Module Validation Testing Phase
  - 5.7 System Validation Testing Phase
- 6 Conclusions and Recommendations
- Attachment

# 1 Introduction

This Nuclear Energy Systems and Services Division (NED) FPGA-based Safety-Related Systems Verification and Validation (V&V) Report for the Oscillation Power Range Monitor (OPRM) (VVR) summarizes the V&V activities for the OPRM. The OPRM is a part of the Neutron Monitoring System (NMS) for Advanced Boiling Water Reactor (ABWR) plants, and is being developed as an FPGA-based Safety-Related I&C System. The V&V activities of the OPRM have been performed in accordance with FA32-3709-0001 "Nuclear Energy Systems and Services Division FPGA-based Safety-Related Systems Verification and Validation Plan" (NED VVP) (Reference (18)) throughout the life cycle phases.

The Instrumentation and Control Systems Design and Engineering Department (ICDD) of NED ordered OPRM from the Nuclear Instrumentation and Control Systems Department (NICSD) in Toshiba Fuchu Complex, in which software development mostly occurs. For V&V of the OPRM, engineers from NICSD and ICDD organized Independent V&V (IV&V) Teams.

The V&V activities began from the upstream part of the life cycle, where ICDD determined the requirements for OPRM. The ICDD IV&V Team performed the V&V activities for this part and prepared the first revision of this NED VVR. The upstream requirements were passed to NICSD, and NICSD developed the OPRM along with the life cycle. The NICSD IV&V Team performed V&V activities for each phase of the life cycle, and documented the results of the activities in the NICSD VVR, which is attached to this NED VVR. The ICDD V&V Team reviewed the NICSD VVR, and documented the results of the reviews by updating the NED VVR, in which a new subsection was added for each life cycle phase. In addition, each new subsection included the review of a Software Safety Analysis Report (SSAR), which ICDD performed for each life cycle phase.

Some V&V activities were iterated after the phase was once completed in accordance with NED VVP. The iterated V&V activities were documented in a subsection after the conclusion of each phase.

This Revision 9 of the NED VVR is the final NED VVR, resolving all issues in the older revisions of the NED VVR.

# 2 Reference Documents

## 2.1 Code of Federal Regulations

This NED VVR does not refer to the Code of Federal Regulations (CFR) directly. The Toshiba internal standards in Section 2.4 are based on the CFR.

## 2.2 Regulatory Guides and NRC Documents

- (1) Regulatory Guide 1.168 "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Rev.1, 2004
- (2) Regulatory Guide 1.152 "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," Rev.3, July 2011

Other regulatory guides may be referred to through the Toshiba internal standards in Section 2.4.

## 2.3 Industry Standards

- (3) IEEE Std 1012-1998 "IEEE Standard for Software Verification and Validation"
- (4) IEEE Std 1028-1997 "IEEE Standard for Software Reviews"

## 2.4 Toshiba Internal Documents

- (5) Toshiba Corporation, Power Systems Company 4401-4 "Nuclear Energy QA Program Description" Rev.7
- (6) Toshiba Nuclear Energy Systems and Services Division AS-100A004 "Document Control Procedure" Rev.15
- (7) Toshiba Nuclear Energy Systems and Services Division AS-200A002 "Design Verification Procedure" Rev.8
- (8) Toshiba Nuclear Energy Systems and Services Division AS-200A010 "Control Procedure of vendor generated documents" Rev.5
- (9) Toshiba Nuclear Energy Systems and Services Division AS-200A015 "Design Change Control Procedure" Rev.6
- (10) Toshiba Nuclear Energy Systems and Services Division AS-200A128 "Digital System Life Cycle Procedure" Rev.1
- (11) Toshiba Nuclear Energy Systems and Services Division AS-200A129 "Digital System Development Procedure" Rev.0
- (12) Toshiba Nuclear Energy Systems and Services Division AS-200A130 "Digital System Verification & Validation Procedure" Rev.3
- (13) Toshiba Nuclear Energy Systems and Services Division AS-300A008 "Nonconformance Control and Corrective Action Procedure" Rev.16
- (14) Toshiba Nuclear Energy Systems and Services Division AS-300A009 "Corrective Action Request Application Procedure" Rev.16

## 2.5 Project Documents

- (15) NRW-FPGA-Based I&C System Qualification Project, FA10-0301-0001 "Project Specific Document Control Procedure" Rev.0
- (16) NRW-FPGA-Based I&C System Qualification Project, FA10-0501-0024 "Software Program Plan" Rev. 1
- (17) NRW-FPGA-Based I&C System Qualification Project, FA32-3702-0005 "Nuclear Energy Systems and Services Division FPGA-based Safety-Related Systems Software Management Plan" Rev.2
- (18) NRW-FPGA-Based I&C System Qualification Project, FA32-3709-0001 "Nuclear Energy Systems and Services Division FPGA-based Safety-Related Systems Verification and Validation Plan" Rev.3
- (19) NRW-FPGA-Based I&C System Qualification Project, FA32-3709-1000 "Nuclear Instrumentation & Control Systems Department Verification & Validation Plan for FPGA-Based Safety-Related Systems" Rev. 7
- (20) NRW-FPGA-Based I&C System Qualification Project, FC51-1001-0001 "System Design Description Neutron Monitoring System" Rev. 8
- (21) NRW-FPGA-Based I&C System Qualification Project, FC51-3002-1000 "Equipment Design Specification for Power Range Neutron Monitor" Rev. 4
- (22) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-0004 "Nuclear Energy Systems and Services Division Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM)" Rev.5
- (23) NRW-FPGA-Based I&C System Qualification Project, FC51-3702-1000 "OPRM Unit Detailed Design Specification for Power Range Neutron Monitor" Rev. 4
- (24) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1001 "Nuclear Instrumentation & Control Systems Department Verification and Validation Report for OPRM of FPGA-based Safety-Related Systems" Rev.12
- (25) NRW-FPGA-Based I&C System Qualification Project, FC51-0704-0001 "NRW-FPGA-Based I&C System Qualification Project Sub Master Engineering Schedule" Rev.3
- (26) NRW-FPGA-Based I&C System Qualification Project, FC51-8001-1000 "OPRM Unit User's Manual" Rev. 4
- (27) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1000 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Project Planning and Concept Definition Phase)" Rev. 1
- (28) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1002 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Requirements Definition Phase)" Rev. 2
- (29) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1101 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Design Phase)" Rev. 2
- (30) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1106 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Implementation and Integration Phase)" Rev. 2
- (31) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1108 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Module Validation Testing Phase)" Rev. 1
- (32) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1114 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (System Validation Testing Phase)" Rev. 2

Note: This reference section lists the final revisions of the documents. When referring to an older revision in this VVR, a revision number is clarified as "*Revision X of document*."


# 3 Definitions and Acronyms

## 3.1 Definitions

**Module:** A part of a unit. Each module consists of one or more printed circuit boards, on which the FPGAs and other circuitry are mounted, and a front panel.

**Unit:** A major component of the FPGA-based Safety-Related I&C systems. A unit is a chassis that has front slots and back slots to mount modules. Each unit consists of several modules. There is a vertical middle plane between the front and back slots in each unit. This plane consists of two circuit boards. These circuit boards provide backplanes for the front and rear modules. Modules plug into the backplanes using connectors. Once a module is plugged into the appropriate connector, it exchanges data with other modules in the unit, connects to other units and any external field equipment, and is powered.

**Validation:** Validation is used to ensure that the final product satisfies the user requirements. Validation shall be performed on the final product, although validation may be necessary or performed prior to the final code being produced. See Section 4.2 of the SPP (Reference (16)).

**Verification:** Verification consists of reviews performed on the results of each development phase to ensure the phase was completed appropriately and correctly. See Section 4.2 of the SPP.

## 3.2 Acronyms

| Acronym  | Definition                                                          |
|----------|---------------------------------------------------------------------|
| ABWR     | Advanced Boiling Water Reactor                                      |
| BRR      | Baseline Review Report                                              |
| CAR      | Corrective Action Request                                           |
| CDR      | Critical Digital Review                                             |
| CFR      | Code of Federal Regulation                                          |
| CG       | Commercial Grade                                                    |
| CM       | Configuration Management                                            |
| CRC      | Cyclic Redundancy Check                                             |
| DVR      | Design Verification Report                                          |
| EDS      | Equipment Design Specification                                      |
| EPROM    | Erasable Programmable Read Only Memory                              |
| ES       | Engineering Schedule                                                |
| FE       | Functional Element                                                  |
| FPGA     | Field Programmable Gate Array (a programmable logic device)         |
| Fuchu-PS | Toshiba Fuchu Complex Power Systems Segment                         |
| GRA      | Growth Rate detection Algorithm                                     |
| I&C      | Instrumentation and Control                                         |
| IBD      | Interlock Block Diagram                                             |
| ICDD     | Instrumentation & Control Systems Design and Engineering Department |
| IED      | Instrumentation Electrical Diagram                                  |
| IEEE     | Institute of Electrical and Electronics Engineers                   |
| IV&V     | Independent Verification and Validation                             |
| LPRM     | Local Power Range Monitor                                           |
| MDS      | Module Design Specification                                         |
| NED      | Nuclear Energy Systems and Services Division                        |
| NICSD    | Nuclear Instrumentation & Control Systems Department                |
| NMS      | Neutron Monitoring System                                           |
| NNR      | Nonconformance Notice Report                                        |
| NQ       | Nuclear Quality (standards for NICSD)                               |
| NQAD     | Nuclear Quality Assurance Department                                |
| NRW      | Non-Rewritable                                                      |
| PBDA     | Period Based Detection Algorithm                                    |
| PM       | Project Manager                                                     |
| PPDD     | Power Platform Development Department                               |
| PRM      | Process Review Meeting                                              |
| RG       | Regulatory Guide                                                    |
| RPS      | Reactor Protection System                                           |
| RTM      | Requirements Traceability Matrix                                    |
| SD       | Software Development                                                |
| SDD      | System Design Description                                           |
| SDOE     | Secure Development and Operational Environment                      |
| SIL      | Software Integrity Level                                            |
| SMP      | Software Management Plan                                            |
| SPP      | Software Program Plan                                               |
| SSAR     | Software Safety Analysis Report                                     |
| Unit DDS | Unit Detailed Design Specification                                  |
| V&V      | Verification and Validation                                         |
| VDCL     | Vendor generated Documents Check List                               |
| VHDL     | Very High Speed Integrated Circuit Hardware Description Language    |
| VVP      | Verification and Validation Plan                                    |
| VVR      | Verification and Validation Report                                  |


# 4 Verification and Validation Overview

## 4.1 Organization

Figure 4-1 shows the Toshiba organizations for FPGA-based Safety-Related I&C system design and development. Engineers from ICDD and NICSD organized IV&V Teams (i.e., the ICDD IV&V Team and the NICSD IV&V Team) for the V&V of the FPGA logic.



- (1) Oversight of IV&V team
- (2) Submittal of Design Documents
- (3) Report of V&V Results

#### Figure 4-1 Toshiba Organizations for the FPGA-based Safety-Related Systems Design and Development

The engineers from ICDD and the engineers from NICSD in the IV&V Teams communicate with each other as one IV&V Team as needed for the quality of the products. The Monitoring System Engineering Group in ICDD is responsible for design and development of the OPRM. The ICDD IV&V Team performs the V&V activities defined in the NED VVP (Reference (18)) independently of the development engineers in the Monitoring System Engineering Group.

## 4.2 Master Schedule

The IV&V activities and milestones are developed and controlled as described in the NED "Software Management Plan" (SMP) (Reference (17)).

The Monitoring System Engineering Group prepared a Sub-master Engineering Schedule FC51-0704-0001 (Reference (25)).

## 4.3 Software Integrity Level Scheme

The software integrity level (SIL) scheme was determined based on Table A-1 of NED AS-200A129 (Reference (11)), which is substantially equivalent to Appendix B of IEEE Std 1012 (Reference (3)).

For FPGA logic used in the OPRM, SIL 4 is applied. All project software documents labeled as "US Safety-Related" or "Safety-Related" on the cover sheet are considered SIL 4 software documents. All software embedded in the OPRM was developed, verified, and validated as SIL 4 Safety-Related software.

## 4.4 Resource Summary

For NED V&V activities, only human resources are required. Resources for the V&V activities were prepared as described in Section 7 and Section 13 of the NED SMP (Reference (17)).

## 4.5 Responsibilities

The NED SMP (Reference (17)) describes the responsibilities of the following personnel:

- Senior Manager (SM) of ICDD
- NED Project Manager (PM)
- Group Manager (GPM)
- IV&V Lead and IV&V Team

## 4.6 Tools, Techniques, and Methodologies

The ICDD IV&V Team uses several commercial office software tools, e.g., Microsoft® Office, for V&V activities of the FPGA-based Safety-Related I&C systems.

#### 4.6.1 Verification

The ICDD IV&V Team conducts the verification by reviewing the Requirements Traceability Matrix (RTM) and the Software Safety Analysis Reports (SSARs). The ICDD IV&V Team also reviews NICSD V&V Reports (NICSD VVRs) and SSARs.

Document review is a method of verification, and shall be performed in accordance with NED AS-200A002 "Design Verification Procedure" (Reference (7)), and NED AS-200A130 (Reference (12)). IEEE Std 1012 (Reference (3)) and IEEE Std 1028 (Reference (4)) provide guidance for the reviews.

Document review performed as technical review confirms whether:

- a) The document conforms to its upstream requirements
- b) The document adheres to regulations, standards, guidelines, plans, and procedures applicable to the project
- c) Changes to the document are properly implemented and affect only those system areas identified by the change specification

For planning documents, implementation process documents, and design outputs including SSARs and VVRs, document reviews are performed for completeness, consistency, correctness, and verifiability as applicable.

#### 4.6.2 Requirements Traceability Activities

Requirements Traceability Matrices (RTMs) are generated by the Software Development Team and reviewed by the IV&V Team to ensure the software has completely, accurately, correctly, and consistently addressed the requirements. The RTM shall provide traceability, verification, and validation of requirements.

#### 4.6.3 Baseline Reviews

The ICDD IV&V Team attends all life cycle baseline reviews. The ICDD IV&V Team performs baseline reviews at the end of the Project Planning and Concept Definition Phase and the System Validation Testing Phase, for which ICDD is responsible. The System Validation Testing Phase baseline review is the final baseline review, and confirms the completion of the system development.

The ICDD IV&V Team confirms the following:

- The NED design activities are performed, and the design outputs are prepared as planned in the NED SMP.
- NED V&V activities are performed as planned in the NED VVP (Reference (18)).
- The NED design outputs are documented and controlled in accordance with the project document "Project Specific Document Control Procedure" (Reference (15)), and NED AS-100A004 "Document Control Procedure" (Reference (6)).

#### 4.6.4 Metrics

The ICDD IV&V Team monitors and tracks the following metrics provided in the NED and NICSD VVRs through the lifecycle phases.

- (1) Number of changes applied for the design documents
- (2) Number of closed items in current phase and open items carried to next phase


- (3) Number of Corrective Action Requests (CARs)
- (4) Number of Nonconformance Notice Reports (NNRs)
- (5) Number of problems found during testing

# 5 Verification and Validation Activities

The following subsections describe the V&V activities for NED scope.

## 5.1 Management

#### 5.1.1 Management of V&V

The following management activities are being performed in accordance with Section 5.1 of the NED VVP (Reference (18)):

- (1) Software Verification and Validation Plan (SVVP) Update
- (2) Baseline Change Assessment
- (3) Management Review
- (4) Management and Technical Review Support
- (5) Organizational and Supporting Processes Interface

These activities are reported in Sections 5.2 through 5.7.

#### 5.1.2 V&V Phases

Section 11 of the NED SMP (Reference (17)) defines the software life cycle for the FPGA-based Safety-Related I&C systems. Figure 5-1 illustrates the life cycle process for FPGA-based Safety-Related I&C systems.



Figure 5-1 Life Cycle Process for FPGA-based Safety-Related I&C Systems


#### 5.1.3 Interface with NICSD

(1) Review of NICSD V&V Documents by ICDD IV&V Team

The ICDD IV&V Team reviewed and evaluated the following NICSD V&V documents, and the ICDD PM approved these documents in accordance with NED AS-200A010 "Control Procedure of vendor generated documents" (Reference (8)).

• NICSD V&V Plan (VVP)

See Section 5.2.1.

• NICSD V&V Report (VVR)

The ICDD IV&V Team reviewed the NICSD VVR (Reference (24)) prepared for the Project Planning and Concept Definition Phase. The NICSD VVR is attached to the NED VVR, and approved by the ICDD PM as a part of the NED VVR.

(2) Incorporation of NICSD V&V Report to NED V&V Report

The ICDD IV&V Team reviews the NICSD VVR and incorporates it into the NED VVR.

## 5.2 Project Planning and Concept Definition Phase

The outputs of this Project Planning and Concept Definition Phase are listed in Table-A of the NED SMP (Reference (17)).

During this phase, ICDD generates the System Design Description (SDD) (Reference (20)), Interlock Block Diagram (IBD), and Instrumentation Electrical Diagrams (IEDs).

The ICDD IV&V Team prepared the NED VVP (Reference (18)) in accordance with NED AS-200A130 (Reference (12)). The NED VVP was reviewed as a part of the document review in the next subsection.

#### 5.2.1 Document Reviews

The ICDD IV&V Team reviewed the documents listed in Table 5-1. Design Verification Reports (DVRs) were used in accordance with Table-A of NED SMP. A Vendor generated Documents Check List (VDCL) was used for the review of the NICSD VVP in accordance with AS-200A010 (Reference (8)). For further records of reviews, review reports were prepared as necessary. These reports were numbered as IM-yyyy-nnnn, where "yyyy" is the year of issue, and "nnnn" is a number.

(1) V&V Plan (VVP) Review

A V&V engineer other than the VVP preparer reviewed the NED VVP. Revision 1 of the NED VVP was approved by the ICDD PM.

(2) Design Documents Review

The System Design Description (SDD) (Reference (20)), Interlock Block Diagram (IBD), and Instrumentation Electrical Diagram (IED) are design documents and drawings that the ICDD IV&V Team reviewed. The SDD, IBD, and IEDs were prepared for the NMS that includes the OPRM as its subsystem. The ICDD IV&V Team reviewed the portions relating to the OPRM.

Section 3 of the SDD provided the NMS and OPRM functions and description.

Section 3 of the SDD described that the NMS monitored the core neutron flux, using the Local Power Range Monitors (LPRMs). Four LPRM detectors located at the four different elevations in the core compose an LPRM string, and a total of 52 LPRM strings are distributed horizontally in the core. The LPRM channels provide LPRM signals to the OPRM, after applying signal conditioning and analog-to-digital conversion.

Section 3 of the SDD described that the OPRM received the LPRM signals and provided trip signals to the Reactor Protection System (RPS) when the OPRM detected thermal hydraulic instability of the core. To detect thermal hydraulic instability of the core, the LPRM signals are grouped into OPRM cells, in which four LPRM signals from four LPRM strings at the four corners of the $4 \times 4$ fuel bundle square and located at the different elevations compose an OPRM cell, and detection algorithms are applied for each OPRM cell. Section 3 of the SDD provided only the names of the trips: Amplitude-Based, Growth Rate-Based, and Period-Based trips. Section 3 of the SDD also described the OPRM cell configuration and the assignment of the LPRM detectors to the OPRM.

In addition, Section 3 of the SDD described self-diagnoses, trip and alarm resets, isolation requirements, security measures, field modifiable constants, which are applied for the whole NMS, and described the interfaces of the NMS with other I&C systems, such as Engineering Safety Feature Actuation System.

Section 4 of the SDD provided specific requirements for the NMS components that constitute the NMS system. Section 4 of the SDD includes requirements for the OPRM component, by breaking down the description in Section 3 as appropriate. For example, the OPRM algorithms to detect thermal hydraulic instability described in Section 3 were explained using diagrams.

The reviewer confirmed that these descriptions were consistent with the requirements in the design inputs FC51-0901-0001 "Design Input Sheet for NMS."

| Document<br>Number | Title                                                                        | Rev. | Reviewer | Remark                         |
|--------------------|------------------------------------------------------------------------------|------|----------|--------------------------------|
| FA32-3709-0001     | Nuclear Energy Systems and<br>Services Division<br>FPGA-based Safety-Related |      | T. Ito   |                                |
|                    | Systems Verification and<br>Validation Plan                                  | 1    | T. Ito   |                                |
| FC51-1001-0001     | System Design Description<br>Neutron Monitoring System                       | 0    | T. Ito   | DVR<br>FC51-0904-0001<br>Rev.0 |
|                    |                                                                              | 1    | T. Ito   | DVR<br>FC51-0904-0005<br>Rev.0 |
|                    |                                                                              | 2    | T. Ito   | DVR<br>FC51-0904-0007<br>Rev.0 |

#### Table 5-1 Reviewed Documents

TOSHIBA CORPORATION


| Document<br>Number          | Title                                                                                                                                                 | Rev. | Reviewer | Remark                          |
|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------|----------|---------------------------------|
| FC51-1001-0001<br>(Cont'd)  | System Design Description<br>Neutron Monitoring System<br>(Cont'd)                                                                                    | 3    | T. Ito   | DVR<br>RC51-0904-0010<br>Rev.0  |
| FC51-2205-0001              | Interlock Block Diagram                                                                                                                               | 0    | T. Ito   | DVR<br>FC51-0904-0003<br>Rev.0  |
|                             |                                                                                                                                                       | 1    | T. Ito   | DVR<br>FC51-0904-0009<br>Rev.0  |
| FC51-2202-0001-<br>00001    | Neutron Monitoring System<br>IED                                                                                                                      | 0    | T. Ito   | DVR<br>FC51-0904-0002<br>Rev.0* |
|                             |                                                                                                                                                       | 1    | T. Ito   | DVR<br>FC51-0904-0004<br>Rev.0  |
| FC51-2202-0001-<br>00002    | Neutron Monitoring System<br>IED                                                                                                                      | 0    | T. Ito   | DVR<br>FC51-0904-0002<br>Rev.0* |
| FC51-2202-0001-<br>00003    | Neutron Monitoring System<br>IED                                                                                                                      | 0    | T. Ito   | DVR<br>FC51-0904-0002<br>Rev.0* |
| FC51-2202-0001-<br>00004    | Neutron Monitoring System<br>IED                                                                                                                      | 0    | T. Ito   | DVR<br>FC51-0904-0002<br>Rev.0* |
|                             |                                                                                                                                                       | 1    | T. Ito   | DVR<br>FC51-0904-0008<br>Rev.0  |
| FC51-3704-0004 <sup>†</sup> | Nuclear Energy Systems and<br>Services Division<br>Software Safety Analysis<br>Report for Safety-Related<br>Oscillation Power Range<br>Monitor (OPRM) | 0    | T. Ito   | DVR<br>FC51-0904-0006<br>Rev.0  |

#### Table 5-1 Reviewed Documents (Cont'd)


| Document<br>Number | Title                                                                                                                                                                                                               | Rev. | Reviewer      | Remark                           |
|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------------|----------------------------------|
| FC51-3704-1000     | Nuclear Instrumentation &<br>Control Systems Department<br>Software Safety Analysis<br>Report for Safety-Related<br>Oscillation Power Range<br>Monitor (OPRM) (Project<br>Planning and Concept<br>Definition Phase) | 0    | T. Ito        |                                  |
| FA32-3709-1000     | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation<br>Plan for FPGA-based<br>Safety-Related Systems | 0    | T.<br>Hayashi | VDCL-IM-0001<br>(IM-2012-000115) |
|                    |                                                                                                                                                                                                                     | 1    | T.<br>Hayashi | VDCL-IM-0009<br>(IM-2012-000199) |
| FC51-3704-1001     | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation                                                                                                                              | 0    | T.<br>Hayashi |                                  |
|                    | Report for OPRM of<br>FPGA-based Safety-Related<br>Systems<br>(NICSD VVR)                                                                                                                                           | 1    | T.<br>Hayashi |                                  |
| FC51-3704-0001     | Nuclear Energy Systems and<br>Services Division<br>Verification and Validation                                                                                                                                      | 0    | T. Ito        | This document<br>(old revisions) |
|                    | Report for Oscillation Power<br>Range Monitor (OPRM)<br>(NED VVR)                                                                                                                                                   | 1    | T. Ito        |                                  |

#### Table 5-1 Reviewed Documents (Cont'd)

\*DVR FC51-0904-0008 verified Revision 0 of FC51-2202-0001-0001 through FC51-2202-0001-0004.

<sup>†</sup> Initially issued as FC51-3809-0001

(3) NICSD VVP Review

The ICDD IV&V Team reviewed two revisions of the FA32-3709-1000 NICSD VVP listed in Table 5-1 and Table 5-2.

The ICDD IV&V Team documented the results of the NICSD VVP review in the NICSD Verification and Validation Plan Review Reports, and sent the review reports to NICSD with the VDCLs, which were approved by the ICDD PM.

| NICSD VVP Rev. | Review Reports                                                            | Number of Issues   |
|----------------|---------------------------------------------------------------------------|--------------------|
| 0              | IM-2012-000062<br>NICSD Verification and Validation Plan Review<br>Report | [ ]<sup>a,c</sup>  |
| 1              | IM-2012-000191<br>NICSD Verification and Validation Plan Review<br>Report | [ ]<sup>a,c</sup>  |

#### Table 5-2 Relation of the NICSD VVP and Review Reports

For Revision 0 of the NICSD VVP, the review raised []<sup>a,c</sup> issues. Most of the issues were editorial or grammatical errors; however, there were some issues which the ICDD IV&V Team considered significant. The following issues are examples.

(a) Revision 0 of the NICSD VVP read that the NICSD Software IV&V Lead assigned the Software Installation Lead, despite the fact that the software installation would be performed by the Power Platform Development Department (PPDD), not by NICSD.

(b) Revision 0 of the NICSD VVP stated that functional elements (FEs) were evaluated by a Commercial Grade (CG) Survey or a Critical Digital Review (CDR); however, the ICDD IV&V Team did not think that either a CG survey or a CDR would review FEs with the degree of strength that is expected of V&V efforts.

These issues do not impact the Project Planning and Concept Definition Phase, because the activities of PPDD would begin after the Design Phase.

For Revision 0 of the NICSD VVP, the ICDD PM considered that the number of the issues, together with the number of issues of the RTM efforts discussed in Section 5.2.2, was too large to complete the Project Planning and Concept Definition Phase. Revision 1 of the NICSD VVP was prepared to reduce the number of the issues.

For Revision 1 of the NICSD VVP, the review reported [ ]<sup>a,c</sup> issues. The ICDD IV&V Team considered that the issues would not affect the V&V activities in the current and the next phases, because [ ]<sup>a,c</sup> issues were about PPDD activities not planned in these two phases, and the other [ ]<sup>a,c</sup> issues were editorial errors having no direct effect on the V&V activities.

(4) SSAR Review

The ICDD IV&V Team reviewed FC51-3704-0004\* NED SSAR (Reference (22)) and FC51-3704-1000 NICSD SSAR (Reference (27)) prepared for the Project Planning and Concept Definition Phase.

For NED SSAR, the ICDD IV&V Team issued DVR FC51-0904-0006 to document the result of the review, verifying the inputs, methods, and procedures. The NED SSAR concluded that all software safety requirements of the OPRM safety functions described in the ABWR Design Control Documents were included in the SDD, and concluded the OPRM design did not introduce any new hazard.

For the NICSD SSAR, the ICDD IV&V Team issued the following report:

IM-2012-000156 "Project Planning and Concept Definition Phase NICSD SSAR Review Report"


]<sup>a,c</sup>

The report included an evaluation of the NICSD SSAR. The evaluation confirmed:

- The NICSD SSAR identified the software requirements from the SDD and NED SSAR.
- The NICSD SSAR identified the software requirements from the EDS.
- The NICSD SSAR reported

The ICDD IV&V Team concluded that both SSARs were acceptable.

\* Note that NED SSAR was initially issued as FC51-3809-0001.

(5) NICSD VVR Review

The ICDD IV&V Team reviewed the NICSD VVR (Reference (24)) prepared for the Project Planning and Concept Definition Phase; see Section 5.2.3 for details.

#### 5.2.2 **Project Planning and Concept Definition Phase RTM efforts**

(1) Preparation of the RTM

The ICDD design engineers prepared the RTM, collecting base requirements from the SDD, and tracing the base requirements to, and back from, the IBDs and IEDs. Snapshots of the RTM were prepared as the following documents:

FC51-3704-0002 "Project Planning and Concept Definition Phase Requirements Traceability Matrix," Rev.0

FC51-3704-0002 "Project Planning and Concept Definition Phase Requirements Traceability Matrix," Rev.1

FC51-3704-0002 "Project Planning and Concept Definition Phase Requirements Traceability Matrix," Rev.2

Note that Revision 1 of the RTM was prepared to resolve the issues of Revision 0 of the RTM, and Revision 2 of the RTM was prepared to resolve the issues reported in Revision 0 of the NICSD VVR.

(2) Compilation of the Project Planning and Concept Definition Phase RTM

The ICDD IV&V Team reviewed Revisions 0, 1 and 2 of the RTM, and documented the results in review reports. Revisions 1 and 2 of the RTM were sent to NICSD for their RTM efforts. The NICSD VVR (Reference (24)) reported the issues in the RTM efforts.

Table 5-3 shows the relations of the SDD and RTM revisions, the RTM review reports, NICSD VVR, and the numbers of issues reported in the RTM review reports and the NICSD VVR.

| SDD Rev. | RTM Rev. | Review Reports and NICSD VVR                                                                                                  | Number of Issues   |
|----------|----------|-------------------------------------------------------------------------------------------------------------------------------|--------------------|
| 1        | 0        | IM-2011-000949<br>Project Planning and Concept<br>Definition Phase Requirements<br>Traceability Matrix Review Report          |                    |
| 2        | 1        | IM-2012-000157<br>Project Planning and Concept<br>Definition Phase Requirements<br>Traceability Matrix Rev.1 Review<br>Report | [] <sup>a,c</sup>  |
|          |          | NICSD VVR Rev.0                                                                                                               |                    |
| 3        | 2        | IM-2012-000186<br>Project Planning and Concept<br>Definition Phase Requirements<br>Traceability Matrix Rev.2 Review<br>Report | [ ] <sup>a,c</sup> |
|          |          | NICSD VVR Rev.1                                                                                                               |                    |

Table 5-3 Relation of the SDD, RTM, RTM Review Reports, and NICSD VVR

\* One of the issues is the same as the issue reported in IM-2012-000186, see text.

For Revision 0 of the RTM, the review report IM-2011-000949 revealed a total of 56 issues concerning the SDD, IBD, or IEDs. Most issues concerned a lack of descriptions in the SDD. The SDD includes Section 3, in which system requirements should be described, and Section 4, in which component requirements broken down from system requirements should be described. The issues were that some requirements were described only in Section 3 and not in Section 4, or vice versa.

For example, Section 3 of Revision 1 of the SDD includes the following description:

The OPRM trip protection algorithm consists of trip logic depending on signal oscillation amplitude, a signal oscillation period, and signal oscillation growth rate.

Section 4 of Revision 1 of the SDD does not include any corresponding description. IM-2011-000949 reported this type of inconsistency.

To resolve the issues in Revision 0 of the RTM, the SDD was updated from Revision 1 to Revision 2, and the RTM was updated from Revision 0 to Revision 1.

For Revision 1 of the RTM, the review report IM-2012-000157 stated that all issues were resolved in Revision 1 of the RTM. Revision 1 of the RTM was sent to NICSD, and the NICSD Software Development (SD) Team and the NICSD IV&V Team performed their RTM efforts. The NICSD SD Team prepared the NMS Equipment Design Specification (EDS) (Reference (21)) based on the SDD. The NICSD RTM efforts addressed the traceability between the SDD and EDS.

Revision 0 of the NICSD VVR reported the result of their RTM efforts that the NICSD SD Team had found [] issues, and the NICSD IV&V Team found [] issues, resulting in []<sup>a,c</sup> issues in total. Some of the issues related to the SDD and its accompanying RTM. For these issues, refer to the NICSD VVR.

For Revision 2 of the RTM, the review report IM-2012-000186 reported [] issue, which was found in a changed portion in Revision 2 of the RTM. NICSD performed their RTM efforts for Revision 2 of the RTM, and reported in Revision 1 of the NICSD VVR that there were [] issues. One of the [] issues was the same as the issue reported in IM-2012-000186. The issue was that two requirements in Revision 2 of the RTM corresponded to the same sentence in the SDD, and the difference between the two requirements could not be identified. The sentence was as follows (in italics):

*The combined Growth Rate-Based Trip, Amplitude-Based Trip, Period-Based Trip, and Inoperative (in negative logic) signals shall be combined by "AND" logic, and the combined trip signal shall be transmitted to all division of the RPS.*

Note: trip signals described are generated as negative logic signals.

The other issue was that two requirements in Revision 2 of the RTM seemed overlapping.

The ICDD and NICSD IV&V Teams considered that these [] issues were not a matter of the design, but a matter of how to divide the requirements in the RTM. The ICDD IV&V Team concluded that the remaining two issues would have minimal impact on the project, and could be corrected in the later phases.
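The two kinds of RTM findings described in this subsection (a requirement that appears in only one of SDD Sections 3 and 4, and two RTM entries that trace to the same SDD sentence) can be checked mechanically. The following Python example is added here for illustration and is not the project's RTM or tooling; the row layout, requirement identifiers and sentence keys are hypothetical, and the sample rows are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Row(NamedTuple):
    """One RTM entry. This layout is an assumption made for the example."""
    req_id: str          # hypothetical RTM identifier
    section: int         # SDD section quoted: 3 = system, 4 = component
    sentence: str        # hypothetical key of the SDD sentence the entry quotes
    parents: tuple = ()  # Section 3 req_ids a Section 4 entry is broken down from


def check_rtm(rows):
    """Return a list of (kind, subject, detail) traceability findings."""
    by_id = {r.req_id: r for r in rows}
    findings = []
    children = defaultdict(list)

    # Forward/backward links: every parent reference must resolve to an entry.
    for r in rows:
        for parent in r.parents:
            if parent not in by_id:
                findings.append(("dangling_trace", r.req_id, parent))
            else:
                children[parent].append(r.req_id)

    # Requirements present at only one level of the SDD.
    for r in rows:
        if r.section == 3 and not children.get(r.req_id):
            findings.append(("section3_only", r.req_id, r.sentence))
        elif r.section == 4 and not r.parents:
            findings.append(("section4_only", r.req_id, r.sentence))

    # Several entries quoting the same sentence cannot be told apart.
    by_sentence = defaultdict(list)
    for r in rows:
        by_sentence[r.sentence].append(r.req_id)
    for sentence, req_ids in by_sentence.items():
        if len(req_ids) > 1:
            findings.append(("same_sentence", tuple(sorted(req_ids)), sentence))

    return findings


# Constructed sample matrix (not taken from the actual RTM).
SAMPLE_RTM = [
    Row("SYS-001", 3, "sdd3/trip-algorithm"),              # no Section 4 breakdown
    Row("SYS-002", 3, "sdd3/cell-config"),
    Row("CMP-001", 4, "sdd4/cell-config", ("SYS-002",)),
    Row("CMP-002", 4, "sdd4/alarm-reset"),                 # no Section 3 parent
    Row("SYS-003", 3, "sdd3/combined-trip"),               # same sentence as SYS-004
    Row("SYS-004", 3, "sdd3/combined-trip"),
    Row("CMP-003", 4, "sdd4/combined-trip", ("SYS-003", "SYS-004")),
    Row("CMP-004", 4, "sdd4/self-diagnosis", ("SYS-999",)),  # parent not in matrix
]

if __name__ == "__main__":
    for kind, subject, detail in check_rtm(SAMPLE_RTM):
        print(f"{kind:15} {subject!s:25} {detail}")
```

A `same_sentence` finding does not by itself indicate a design error; as the teams concluded above, it can be a question of how requirements are divided in the matrix, so it is a prompt for review rather than an automatic rejection.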

#### 5.2.3 Evaluation of the NICSD VVR for the Project Planning and Concept Definition Phase

The ICDD IV&V Team reviewed and evaluated the NICSD VVR (Reference (24)). The results of the review were documented in the following reports, as listed in **Table 5-4**.

| NICSD VVR Rev. | Review Reports                                                                                   | Open Items |
|----------------|--------------------------------------------------------------------------------------------------|------------|
| 0              | IM-2012-000152<br>Project Planning and Concept Definition Phase<br>NICSD VVR Review Report       |            |
| 1              | IM-2012-000204<br>Project Planning and Concept Definition Phase<br>NICSD VVR Rev.1 Review Report |            |

The NICSD VVR at this point was written for the Project Planning and Concept Definition Phase activities. The ICDD IV&V Team confirmed that the Project Planning and Concept Definition Phase NICSD V&V activities were performed in accordance with the NICSD VVP. Although the NICSD VVP reported two open items, the ICDD IV&V Team considered these items did not affect the Project Planning and Concept Definition Phase activities, and could be resolved in the later phases. The ICDD IV&V Team concluded that the NICSD VVR was acceptable for the Project Planning and Concept Definition Phase.

#### 5.2.4 Metrics

(1) Number of changes applied for the design documents

The IV&V Team examined the changes that had been applied to each revision of the SDD, and classified them into the following types:

**Correction**: This type of change is made to correct any incorrect requirements, incorrect descriptions or errors.

**Addition**: This type of change is made to add new design requirements or new information to the SDD.

**Other**: This type of change is made to improve readability, and does not change any requirements or add new information. Addition of a new sentence to clarify or explain the design belongs to this type of change, as long as it does not add new information.

Table 5-5 lists the numbers of changes classified. The increase in "Other" type changes in Revision 2 is due to the reflections of the comments raised in the RTM efforts. In Revision 3, the number of corrections and additions is only one.

#### Table 5-5 Numbers of Changes Applied to each Revision of the SDDs

| SDD Revision | Corrections | Additions | Others | Total |                |
|--------------|-------------|-----------|--------|-------|----------------|
| SDD Rev.1    |             |           |        |       | <sup>a,c</sup> |
| SDD Rev.2    |             |           |        |       |                |
| SDD Rev.3    |             |           |        |       |                |

(2) Number of new open items carried to next phases

open items were carried to the next phase, of which,

- [ ] issues were identified in the review of the NICSD VVP
- [ ] issues were on the NICSD RTM efforts reported in the NICSD VVR.

(3) Number of Corrective Action Requests (CARs)

No CAR was issued for the ICDD activities.

(4) Number of Nonconformance Notice Reports (NNRs)

No NNR was issued for the ICDD activities.

(5) Number of problems found during testing

No problem was found, because no test was performed in this phase.

#### 5.2.5 Result of the ICDD Configuration Management (CM) process assessment

The ICDD IV&V Team assessed control of the SDD, IBD, and IEDs, which was considered the ICDD configuration management (CM) process in accordance with the NED VVP (Reference (18)), and documented the result in IM-2012-000151.

The IV&V Team concluded that the SDD, IBD, and IEDs were controlled appropriately, and recommended continuing the activity.

#### 5.2.6 Management of V&V

(1) Software Verification and Validation Plan (SVVP)

The NED VVP was prepared and updated as described in Section 5.2.1.

(2) Baseline Change Assessment

The design changes were traced in the RTM efforts.

(3) Management Review

The ICDD PM had been informed of the ICDD IV&V Team activities. The ICDD PM reviewed the activities at the baseline review meeting held as a completion of this Project Planning and Concept Definition Phase.

At the first Baseline Review meeting, the ICDD PM determined that the Project Planning and Concept Definition Phase could not be closed with advice from NQAD, because the number of the open items reported by the IV&V team was too large.

At the second Baseline Review meeting, this issue was closed.

(4) Management and Technical Review Support

The ICDD IV&V Team attended the Process Review Meeting (PRM).

(5) Organizational and Supporting Processes Interface

The ICDD IV&V Team attended the PRM.

#### 5.2.7 Findings, Recommendations, and Suggestions

The amount of the efforts needed to complete the Project Planning and Concept Definition Phase V&V activities was more than previously anticipated. This was mainly due to the large amount of the RTM activities. For later phases, the ICDD IV&V Team was afraid that even larger efforts would be needed, because the number of design documents would be larger, and source code must be reviewed. Therefore, the ICDD IV&V Team recommended that the NICSD IV&V Team should be reinforced, considering future NICSD V&V activities.

#### 5.2.8 **Conclusions of the Project Planning and Concept Definition Phase**

The ICDD IV&V Team concluded that the V&V activities for the Project Planning and Concept Definition Phase were completed, though there were of open items in total. These open items in this phase would be resolved in the later phases, because the ICDD IV&V Team considered these items did not affect this phase activities.

#### 5.2.9 Updating of the Project Planning and Concept Definition Phase

This subsection describes updating of the Project Planning and Concept Definition Phase.

Some documents were updated after the Project Planning and Concept Definition Phase was completed.

Table 5-6 lists the updated documents. The updates were made to:

- (1) Resolve open items in the Project Planning and Concept Definition Phase,
- (2) Resolve new issues that were found in the Requirements Definition Phase,
- (3) Clarify descriptions or give additional explanations to improve readability,
- (4) Extend the scope of the communication error detection, and
- (5) Add the response time requirement.

In particular, Revision 6 of the SDD introduced item (4), and Revision 7 of the SDD introduced item (5). (Revision 8 of SDD corrected typographical errors.)

These updated documents were reviewed and approved in the same manner as in the Project Planning and Concept Definition Phase.

| Document<br>Number | Title                                                                                        | Rev. | Reviewer   | Remark                           |
|--------------------|----------------------------------------------------------------------------------------------|------|------------|----------------------------------|
| FC51-1001-0001     | System Design Description<br>Neutron Monitoring System                                       | 4    | T. Ito     | DVR<br>FC51-0904-0012<br>Rev.0   |
|                    |                                                                                              | 5    | T. Ito     | DVR<br>FC51-0904-0013<br>Rev.0   |
|                    |                                                                                              | 6    | T. Ito     | DVR<br>FC51-0904-0016<br>Rev.0   |
|                    |                                                                                              | 7    | T. Ito     | DVR<br>FC51-0904-0019<br>Rev.0   |
|                    |                                                                                              | 8    | T. Hayashi | DVR<br>FC51-0904-0021<br>Rev.0   |
| FC51-2205-0001     | Interlock Block Diagram                                                                      | 2    | T. Ito     | DVR<br>FC51-0904-0011<br>Rev.0   |
| FA32-3709-1000     | Nuclear Instrumentation &<br>Control Systems Department                                      | 2    | T. Hayashi | VDCL-IM-0014<br>(IM-2012-000434) |
|                    | Verification and Validation<br>Plan for FPGA-based                                           | 3    | T. Hayashi | VDCL-IM-0015<br>(IM-2012-000649) |
|                    | Safety-Related Systems                                                                       | 4    | T. Hayashi | VDCL-IM-0098<br>(IM-2012-001112) |
|                    |                                                                                              | 5    | T. Hayashi | VDCL-IM-0107<br>(IM-2013-000070) |
|                    |                                                                                              | 7    | T. Hayashi | VDCL-IM-0113<br>(IM-2014-000550) |
| FA32-3709-0001     | 09-0001 Nuclear Energy Systems and<br>Services Division FPGA-based<br>Safety-Related Systems | 2    | T. Ito     |                                  |
|                    | Verification and Validation<br>Plan                                                          | 3    | T. Ito     |                                  |


#### Table 5-6 Updated Documents

TOSHIBA CORPORATION

In the reviews, the ICDD IV&V Team confirmed that the open items on the RTM efforts were resolved in the later phases, and concluded that the Project Planning and Concept Definition Phase was completed with no open items.

### 5.3 Requirements Definition Phase

#### 5.3.1 Document Reviews

The ICDD IV&V Team reviewed the documents listed in Table 5-7, using DVRs in accordance with Table-A of NED SMP (Reference (17)) in the same manner as described in Section 5.2.1.

(1) NED SSAR Review

The ICDD IV&V Team reviewed the NED SSAR (Reference (22)). The NED SSAR evaluated the NICSD SSAR for the Requirements Definition Phase (Reference (28)). The NED SSAR agreed with the conclusion of the NICSD SSAR that there was a concern about the implementation of the Amplitude Based Detection Algorithm (ABA), Growth Rate Detection Algorithm (GRA), and Period Based Detection Algorithm (PBDA).

The ICDD IV&V Team concluded that the NED SSAR was acceptable.

(2) NICSD VVR Review

The ICDD IV&V Team reviewed Revision 3 of the NICSD VVR (Reference (24)), which had additional description for the Requirements Definition Phase; see Section 5.3.2 for details. Note that Revision 2 of the NICSD VVR was withdrawn before review.

| Document<br>Number | Title | Rev. | Reviewer | Remark |
|--------------------|-------|------|----------|--------|
| FC51-3704-0004 | Nuclear Energy Systems and<br>Services Division<br>Software Safety Analysis<br>Report for Safety-Related<br>Oscillation Power Range<br>Monitor (OPRM) | 2 | T. Ito | DVR<br>FC51-0904-0015<br>Rev.0 |
| FC51-3704-1001 | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation<br>Report for OPRM of<br>FPGA-based Safety-Related<br>Systems<br>(NICSD VVR) | 3 | T. Hayashi | VDCL-IM-0016<br>(IM-2012-000655)<br>(For information) |
| FC51-3704-0001 | Nuclear Energy Systems and<br>Services Division<br>Verification and Validation<br>Report for Oscillation Power<br>Range Monitor (OPRM)<br>(NED VVR) | 2 | T. Ito | This document |

#### Table 5-7 Reviewed Documents

#### 5.3.2 Evaluation of the NICSD VVR for the Requirements Definition Phase

The NICSD IV&V Team issued Revision 3 of the NICSD VVR (Reference (24)). The ICDD IV&V Team evaluated Revision 3 of the NICSD VVR, and documented the result in VDCL-IM-0016.

The revised portions of Revision 3 of the NICSD VVR include:

(1) Descriptions on the Requirements Definition Phase V&V activities

Revision 3 of the NICSD VVR described the following:

- Document Reviews
   The NICSD IV&V Team reviewed the OPRM Unit Detailed Design Specification
   (Unit DDS) (Reference (23)), OPRM Unit Outline Drawing, OPRM Unit User's
   Manual, and SSAR.
- RTM efforts
   The RTM traced the requirements in the EDS to the Unit DDS, and traced back from the Unit DDS to the EDS.
- Security Review
   The NICSD IV&V Team confirmed that the security measures identified in the Project Planning and Concept Definition Phase were incorporated in the unit design, and the security of the development environment was maintained.
- SSAR Review
   The NICSD IV&V Team concluded that the NICSD SSAR for the Requirements Definition Phase (Reference (29)) was acceptable.
- Metrics
   The NICSD VVR reported the metrics. Section 5.3.3 discusses the metrics.
- Findings, recommendations, and suggestions
   The NICSD IV&V Team considered that the [ ] issues on the implementation of the ABA, GRA, and PBDA algorithms had a risk.
- Conclusions
   The NICSD IV&V Team concluded that the NICSD V&V activities for the Requirements Definition Phase were completed.

VDCL-IM-0016 concluded that the NICSD VVR was acceptable. The ICDD IV&V Team confirmed that these descriptions conformed with the requirements for the V&V report in the NICSD VVP (Reference (19)).

Two open issues relating to the OPRM Unit User's Manual (Reference (26)) were mentioned in Revision 3 of the NICSD VVR, which were:

- Instructions for security were not addressed.
- Validity of contents should be confirmed through operation of the actual OPRM unit during the System Validation Testing Phase.

The NICSD VVR reported that these two issues should be resolved by the System Validation Testing Phase, because NICSD would need the information obtained in the later phases to resolve these two issues. The ICDD IV&V Team agreed with this opinion.

[ ]<sup>a,c</sup> comments relating to the RTM efforts were made in Revision 3 of the NICSD VVR. Of the three comments, two were that the OPRM algorithms, i.e., the ABA, GRA, and PBDA algorithms, in the Unit DDS could not be confirmed to be the same as those algorithms in the EDS. They were the results of the RTM efforts and software safety analysis. The other comment was on the wording used in the RTM. The ICDD IV&V Team agreed with the NICSD IV&V Team that these comments were open items, and considered that they should be resolved as early as practicable.

[ ] open items from the Project Planning and Concept Definition Phase (see Section 5.2.3) were still open according to Revision 3 of the NICSD VVR. The ICDD IV&V Team considered that these items should be closed by the end of the next Design Phase.

Revision 3 of the NICSD VVR mentioned that there was one issue in the NICSD VVP, which was included in VDCL-IM-0014 (see Table 5-6). This issue was resolved after the issuance of the NICSD VVR.

(2) Some additional explanation to the Project Planning and Concept Definition Phase

Revision 3 of the NICSD VVR added some descriptions to the Project Planning and Concept Definition Phase. The ICDD IV&V Team considered that these additional descriptions explained the V&V activities, and would improve the readability of the NICSD VVR.

Though seven items remained, the ICDD IV&V Team concluded that the NICSD VVR was acceptable for the Requirements Definition Phase.

#### 5.3.3 Metrics

(1) Number of changes applied for the design documents

The Monitoring System Engineering Group updated the SDD (Reference (20)) to Revision 5 at the time when the Requirements Definition Phase was first completed. Although NICSD did not use newer revisions than Revision 3 as the baseline, the IV&V Team examined the changes that had been applied to newer revisions of the SDD, and classified them into the three types explained in Section 5.2.4.

Table 5-8 extends Table 5-5 and lists the numbers of changes for each revision of the SDD. Figure 5-2 shows the trend of the changes. Most changes were made for "others."

| SDD Revision | Corrections | Additions | Others | Total |
|--------------|-------------|-----------|--------|-------|
| SDD Rev.1    |             |           |        | a,c   |
| SDD Rev.2    |             |           |        |       |
| SDD Rev.3    |             |           |        |       |
| SDD Rev.4    |             |           |        |       |
| SDD Rev.5    |             |           |        |       |

#### Table 5-8 Numbers of Changes Applied to each Revision of the SDDs



#### Figure 5-2 Trend of Numbers of Changes Applied to each Revision of the SDDs

(2) Number of closed items in current phase and open items carried to next phase

The NICSD VVR counted the open items as follows:

- [ ] items on the NICSD VVP from the previous phase were closed,
- [ ] items on the OPRM Unit User's Manual were newly identified,
- [ ] items on the RTM efforts of this phase were newly identified.

One issue in Revision 2 of the NICSD VVP was found by the ICDD IV&V Team and reported in VDCL-IM-0014.

[ ] items in total were carried to the next phase.

(3) Number of Corrective Action Requests (CARs)

No CAR was issued for the ICDD activities.

(4) Number of Nonconformance Notice Reports (NNRs)

No NNR was issued for the ICDD activities.

(5) Number of problems found during testing

No problem was found, because no test was performed in this phase.

Nuclear Energy Systems & Services Division


#### 5.3.4 Management of V&V

(1) Software Verification and Validation Plan (SVVP)

The NED VVP (Reference (18)) was updated as described in Section 5.2.9.

(2) Baseline Change Assessment

The design changes were traced in the RTM efforts.

(3) Management Review

The ICDD IV&V Team explained this NED VVR for approval to the PM.

(4) Management and Technical Review Support

There was no need for this activity in this phase.

(5) Organizational and Supporting Process Interface

There was no need for this activity in this phase.

#### 5.3.5 Findings, Recommendations, and Suggestions

The ICDD IV&V Team confirmed that the NICSD IV&V Team performed the V&V activities in accordance with the NICSD VVP. The ICDD IV&V Team considered that the quality and intensity of their activities were appropriate for safety-related systems. The ICDD IV&V Team expected that the ICDD IV&V would keep the current quality of work.

However, the ICDD IV&V Team identified two concerns regarding completion of the project.

- (1) The latest EDS issued by NICSD did not reflect the latest SDD. This inconsistency should be resolved early.
- (2) The activities were behind schedule. The ICDD IV&V Team hoped that the NICSD IV&V Team would work efficiently without sacrificing the quality of work.

#### 5.3.6 Conclusions of the Requirements Definition Phase

The ICDD IV&V Team concluded that the V&V activities for the Requirements Definition Phase were completed, though there were seven open items relating to the V&V activities.

#### 5.3.7 Updating of Requirements Definition Phase V&V activities

After the first completion of the Requirements Definition Phase, ICDD revised the SDDs, and NICSD revised the downstream documents including the Unit DDS (Reference (23)). The NICSD IV&V Team performed V&V activities on the changed portions of the revised Unit DDS and NICSD SSARs, and documented the results in the revised NICSD VVRs, which are listed in Tables 5-9, 5-11, 5-12, and 5-13.

The ICDD IV&V Team reviewed the NICSD VVRs, and concluded that the NICSD VVRs were acceptable.

### 5.4 Design Phase

#### 5.4.1 Document Reviews

The ICDD IV&V Team reviewed the documents listed in Table 5-9.

(1) NED SSAR Review

The ICDD IV&V Team did not review the NED SSAR, because NICSD did not prepare any SSAR for this Design Phase, and the NED SSAR was not updated. This is an open item of the Design Phase. Section 5.4.5 discusses this issue.

(2) NICSD VVR Review

The ICDD IV&V Team reviewed Revision 5 of the NICSD VVR (Reference (24)), which had additional description for the Design Phase. Section 5.4.2 describes the evaluation of the NICSD VVR. Note that Revision 4 of the NICSD VVR was withdrawn before review.

| Document<br>Number | Title                                                                                                                                                               | Rev. | Reviewer      | Remark                                                |
|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------------|-------------------------------------------------------|
| FC51-3704-1001     | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation<br>Report for OPRM of<br>FPGA-based Safety-Related<br>Systems<br>(NICSD VVR) | 5    | T. Hayashi    | VDCL-IM-0097<br>(IM-2012-001065)<br>(For information) |
| FC51-3704-0001     | Nuclear Energy Systems and<br>Services Division<br>Verification and Validation<br>Report for Oscillation Power<br>Range Monitor (OPRM)<br>(NED VVR)                 | 3    | T. Ito        | This document                                         |

#### Table 5-9 Reviewed Documents

#### 5.4.2 Evaluation of the NICSD VVR for the Design Phase

The NICSD IV&V Team issued Revision 5 of the NICSD VVR (Reference (24)). The ICDD IV&V Team evaluated Revision 5 of the NICSD VVR, and documented the result in VDCL-IM-0097. The revised portions include:

(1) Descriptions on the Design Phase V&V activities

Revision 5 of the NICSD VVR described the following:

- Document Review
   The NICSD IV&V Team reviewed the Module Design Specifications (MDSs) for the modules used in the OPRM, and the FPGA Design Specifications for the FPGAs used in the modules, and concluded that these documents were acceptable.
- FE documents and software tools control checks
   The NICSD IV&V Team confirmed that the FEs and the software tools were appropriately controlled.
- RTM efforts
   The RTM traced requirements in the Unit DDS (Reference (23)) to the MDSs, and to the FPGA Design Specifications. The RTM also traced back from the FPGA Design Specifications to the Unit DDS. [ ]<sup>a,c</sup> minor comments were found in these efforts.
- Security Review
   The NICSD IV&V Team concluded that the OPRM design in the MDSs would appropriately protect the logic and parameters determining the safety functions, and that the development environment was controlled appropriately.
- Metrics
   The NICSD VVR reported the metrics. Section 5.4.3 discusses the metrics.
- Findings, recommendations, and suggestions
   The absence of the SSAR was described.
- Conclusions
   The NICSD IV&V Team concluded that the Design Phase activities were completed except the review of the SSAR.

VDCL-IM-0097 reported [ ]<sup>a,c</sup> comments which were summarized as follows:

- [1] NICSD should issue the Software Safety Analysis Report to complete the Design Phase.
- [2] The NICSD VVR reported the closure of [ ]<sup>a,c</sup> open items without specifying them. The NICSD VVR should report the closed issues of the NICSD RTM.
- [3] The NICSD VVR reported the closure of [ ]<sup>a,c</sup> open items without specifying them. The NICSD VVR should report the closed issues of the NICSD RTM. Section 5.4.3 explains this issue.

The ICDD IV&V Team confirmed that these descriptions conformed with the requirements for the V&V report in the NICSD VVP (Reference (19)) except that the SSAR was not reviewed. Afterward, NICSD prepared the NICSD SSAR, and the NICSD IV&V Team performed a review of the NICSD SSAR (see Section 5.5.2).

(2) Updating of Requirements Definition Phase V&V activities

Revision 5 of the NICSD VVR reported updating of the OPRM Unit DDS and the OPRM Unit User's Manual.

#### 5.4.3 Metrics

(1) Number of changes applied for the design documents

The Monitoring System Engineering Group updated the SDD (Reference (20)) to Revision 6 as described in Section 5.2.9. The IV&V Team examined the changes that had been applied to newer revisions of the SDD, and classified them into the three types explained in Section 5.2.4.

Table 5-10 extends Table 5-8 and lists the numbers of changes for each revision of the SDD. Figure 5-3 shows the trend of the changes. Most changes were made for "others."

| SDD Revision | Corrections | Additions | Others | Total |
|--------------|-------------|-----------|--------|-------|
| SDD Rev.1    |             |           |        | a,c   |
| SDD Rev.2    |             |           |        |       |
| SDD Rev.3    |             |           |        |       |
| SDD Rev.4    |             |           |        |       |
| SDD Rev.5    |             |           |        |       |
| SDD Rev.6    |             |           |        |       |

#### Table 5-10 Numbers of Changes Applied to each Revision of the SDDs



#### Figure 5-3 Trend of Numbers of Changes Applied to each Revision of the SDDs

(2) Number of closed items in current phase and open items carried to next phase

[ ]<sup>a,c</sup> items out of eight items from the previous phase were closed, and two items on the OPRM Unit User's Manual remained.

Revision 5 of the NICSD VVR closed [ ] items including the issue of Revision 2 of the NICSD VVP and the issues on the ABA, GRA, and PBDA algorithms. Revision 5 of the NICSD VVR reported the following new open items:

- [ ]<sup>a,c</sup> item, absence of the SSAR
- [ ] items regarding the RTM efforts

[ ] items, [2] and [3] reported in VDCL-IM-0097 as described in Section 5.4.2, are additional open items. Note that Item [1] was the same as the first item in the NICSD VVR.

[ ] items in total, including the two from the previous phase, were carried to the next phase.

(3) Number of Corrective Action Requests (CARs)

No CAR was issued for the ICDD activities.

(4) Number of Nonconformance Notice Reports (NNRs)

No NNR was issued for the ICDD activities.

(5) Number of problems found during testing

No problem was found, because no test was performed in this phase.

#### 5.4.4 Management of V&V

(1) Software Verification and Validation Plan (SVVP)

There was no need to update the NED VVP (Reference (18)).

(2) Baseline Change Assessment

The design changes were traced in the RTM efforts.

(3) Management Review

The ICDD IV&V Team explains this NED VVR for approval to the PM.

(4) Management and Technical Review Support

There was no need for this activity in this phase.

(5) Organizational and Supporting Process Interface

There was no need for this activity in this phase.

#### 5.4.5 Findings, Recommendations, and Suggestions

The ICDD IV&V Team considered that the absence of the SSAR planned in the Design Phase was a big issue and a deviation from the NICSD VVP (Reference (19)), because the SSAR might reveal some issues that would require a design change. NICSD should perform the SSAR as early as practicable.

Afterward, NICSD issued the SSAR.

#### 5.4.6 Conclusions of the Design Phase

The ICDD IV&V Team concluded that the V&V activities for the Design Phase were completed, except the SSAR and minor issues.

#### 5.4.7 Updating of the Design Phase V&V Activities

After the first completion of the Design Phase, the NICSD IV&V Team performed additional V&V activities on some MDSs and the FPGA Design Specifications, which were revised or added in response to the changes described in Section 5.3.7. In addition, the NICSD IV&V Team performed V&V activities on the NICSD SSARs for the Design Phase, which were issued later. The NICSD IV&V Team documented the results in the revised NICSD VVRs, which are listed in Tables 5-11, 5-12, and 5-13.

The ICDD IV&V Team reviewed the NICSD VVRs, and concluded that the NICSD VVRs were acceptable.

### 5.5 Implementation and Integration Phase

#### 5.5.1 Document Reviews

The ICDD IV&V Team reviewed the documents listed in Table 5-11. DVRs were used in accordance with Table-A of NED SMP (Reference (17)) in the same manner as described in Section 5.2.1.

(1) NED SSAR Review

The ICDD IV&V Team reviewed Revision 3 of the NED SSAR (Reference (22)), which was revised to include the safety analysis for the Design Phase and this Implementation and Integration Phase. The NED SSAR evaluated the NICSD SSARs for the Design Phase (Reference (29)) and for the Implementation and Integration Phase (Reference (30)), and accepted the conclusions of both NICSD SSARs, that:

- The NICSD SSAR Design Phase was acceptable, and mentioned the following issues for further SSA.
  - There were FPGA, (2)[ ]<sup>a,c</sup> FPGA, (3)[ ]<sup>a,c</sup> FPGA, logic design, (1)[ ]<sup>a,c</sup> FPGA, and (4)[ ]
  - [ ] issues from the previous phase, (1) software tool error and (2) timing errors in an FPGA.
- The NICSD SSAR Implementation and Integration Phase was acceptable. The issues from the Design Phase were closed.

Revision 3 of the NED SSAR reported that the issues on the implementation of the ABA and GRA algorithms mentioned in Section 5.3.1 were resolved.

Revision 3 of the NED SSAR raised a concern on the surveillance testing to check the Erasable Programmable Read Only Memory (EPROM) retaining the filter constants.

The ICDD IV&V Team concluded that Revision 3 of the NED SSAR was acceptable.

(2) NICSD VVR Review

The ICDD IV&V Team reviewed Revision 6 of the NICSD VVR (Reference (24)), which had additional description for the Implementation and Integration Phase. Section 5.4.2 describes evaluation of the NICSD VVR.

| Document<br>Number | Title | Rev. | Reviewer | Remark |
|--------------------|-------|------|----------|--------|
| FC51-3704-0004 | Nuclear Energy Systems and<br>Services Division<br>Software Safety Analysis<br>Report for Safety-Related<br>Oscillation Power Range<br>Monitor (OPRM) | 3 | T. Ito | DVR<br>FC51-0904-0017<br>Rev.0 |
| FC51-3704-1001 | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation<br>Report for OPRM of<br>FPGA-based Safety-Related<br>Systems<br>(NICSD VVR) | 6 | T. Hayashi | VDCL-IM-0101<br>(IM-2012-001123)<br>(For information) |
| FC51-3704-0001 | Nuclear Energy Systems and<br>Services Division<br>Verification and Validation<br>Report for Oscillation Power<br>Range Monitor (OPRM)<br>(NED VVR) | 4 | T. Ito | This document |

#### Table 5-11 Reviewed Documents

#### 5.5.2 Evaluation of the NICSD VVR for the Implementation and Integration Phase

The NICSD IV&V Team issued Revision 6 of the NICSD VVR (Reference (24)). The ICDD IV&V Team evaluated Revision 6 of the NICSD VVR, and documented the result in VDCL-IM-0101. The revised portions include:

(1) Descriptions on the Implementation and Integration Phase V&V activities

Revision 6 of the NICSD VVR described the following:

- Very High Speed Integrated Circuit Hardware Description Language (VHDL) Source Code Reviews
   The NICSD IV&V Team reviewed the VHDL source code for the FPGAs, and concluded that the source code was acceptable.
- Logic Synthesis and Layout Verification
   The NICSD IV&V Team checked the log files produced by the Synplify<sup>®</sup> tool and the Microsemi<sup>®</sup> Designer tool. The Synplify<sup>®</sup> tool produces netlists from the VHDL source code, and the Designer tool produces fuse map files from the netlists. The NICSD IV&V Team concluded that the tools were used in an appropriate manner as a result of the checks.
- Signal Timing
   The NICSD IV&V Team evaluated each FPGA against the timing requirement in the synchronous design, which was specified in a PPDD procedure requiring each signal to arrive at the synchronous FE with a certain margin. This evaluation was performed based on timing analysis reports generated by a timing analysis tool. All FPGAs except [ ] satisfied this timing requirement. For the FPGAs that did not satisfy the requirement, the NICSD IV&V Team performed further timing analysis in accordance with the PPDD procedure, and concluded that the FPGAs would operate correctly, because the unsatisfactory result of the first timing analysis report was due to some special signals, such as those designed to operate at a multiple of the clock cycle.
- Netlist Inspection
   The NICSD IV&V Team inspected the netlists by comparing the original VHDL files with the logic diagrams generated from the netlists using the Netlist Viewer tool. The NICSD IV&V Team concluded that the VHDL source code was converted correctly to the netlists.
- Document Review
   The NICSD IV&V Team reviewed the FPGA Test Procedures, FPGA Test Reports, and the Module Test Procedures.
- FPGA Testing
   The NICSD IV&V Team oversaw the FPGA testing and determined that PPDD performed the FPGA testing in an accessible manner.
- Software Tool control Review
   The NICSD IV&V Team confirmed that in the FPGA implementation process and in the FPGA testing, PPDD used the same versions of the software tools confirmed in the Design Phase.
- Implementation and Integration Phase RTM efforts
   The RTM traced the requirements in the FPGA Design Specifications to the FPGA Test Procedures, and traced back from the FPGA Test Procedures to the FPGA Design Specification. The NICSD VVR reported that no open item remained in the NICSD RTM.
- Result of Security Review
   The NICSD IV&V Team performed the security reviews, and the NICSD VVR reported satisfactory conclusions.
- Software Safety Analysis Report (SSAR) Review
   The NICSD IV&V Team concluded that the NICSD SSAR for the Implementation and Integration Phase was acceptable.
- Monitoring of Metrics
   The NICSD VVR reported the metrics. Section 5.4.3 discusses the metrics.
- Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities
   The ICDD IV&V Team considers that the description of this section was unclear; see item [9] below.
- Conclusions of Implementation and Integration Phase V&V Activities
   The NICSD IV&V Team concluded that the Implementation and Integration Phase activities were completed except the review of the SSAR.

VDCL-IM-0101 reported the following open comments:

- [1] The NICSD VVR reported the closure of [ ] open items without specifying them. The NICSD VVR should report the closed issues of the NICSD RTM.
- [2] Section 6.8 of the NICSD VVR reported that the review of the Design Phase SSAR was not yet performed; however, Section 6.6 reported the review of the SSAR.
- [3] A sentence below Section 7.1 seventh bullet has two periods.
- [4] Section 7.3 includes a typo.
- [5] Section 7.3 reported a further timing analysis for the FPGAs, but information for FPGA was not sufficient.
- [6] In Table 7-7, the document names of Items No. 8 and 9 were partially hidden.
- [7] In Table 7-8, Item No. 21 lacked the DVR No.
- [8] Section 7.6.2 "Testing" should provide further technical information on the test.
- [9] Description in Section 7.12 "Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities" was unclear.
- [10] The NICSD VVR did not include the following two items that were required by the NICSD VVP:
  - (7) Reference to the FPGA Control Sheets
  - (8) Reference to the Purchase Specification to PPDD

The ICDD IV&V Team confirmed that these descriptions conformed with the requirements for the V&V report in the NICSD VVP except for the above comments.

(2) Updating of Design Phase V&V activities

Revision 6 of the NICSD VVR reported updating of the Design Phase V&V activities including the review of the Design Phase SSAR.

#### 5.5.3 Metrics

(1) Number of changes applied for the design documents

No design document of ICDD was changed.

(2) Number of closed items in current phase and open items carried to next phase

[ ] item out of [ ] items from the previous phase was closed, and [ ] items remained. The closed items were items [1] (Design Phase SSAR (Reference (29)) issue) and [3] in VDCL-IM-0097.

Revision 6 of the NICSD VVR closed one item, and reported the following items were carried to the next phase:

- [ ] items regarding the RTM efforts, and
- [ ] new item relating to source code review.

[ ] items were reported in VDCL-IM-0101 as described in Section 5.5.2.

A total of [ ] items were open, and carried to the Module Validation Testing Phase.

(3) Number of Corrective Action Requests (CARs)

No CAR was issued for the ICDD activities.

(4) Number of Nonconformance Notice Reports (NNRs)

No NNR was issued for the ICDD activities.

(5) Number of problems found during testing

See Section 8.12 of the NICSD VVR.

#### 5.5.4 Management of V&V

(1) Software Verification and Validation Plan (SVVP)

There was no need to update the NED VVP (Reference (18)).

(2) Baseline Change Assessment

Design changes were traced in the RTM efforts.

(3) Management Review

The ICDD IV&V Team explains this NED VVR for approval to the PM.

(4) Management and Technical Review Support

There was no need for this activity in this phase.

(5) Organizational and Supporting Process Interface

There was no need for this activity in this phase.

#### 5.5.5 Findings, Recommendations, and Suggestions

The ICDD IV&V Team suggests that the NICSD IV&V Team maintain the quality of work, even though the work schedule is tight.

#### 5.5.6 Conclusions of the Implementation and Integration Phase

The ICDD IV&V Team concluded that the V&V activities for the Implementation and Integration Phase were completed except for some open issues.

#### 5.5.7 Updating of the Implementation and Integration Phase V&V Activities

After the first completion of the Implementation and Integration Phase, the NICSD performed V&V activities for the following issues:

A) Test cases for some FPGAs did not meet the toggle coverage criteria as suggested by the ICDD IV&V Team;

B) The [ ]<sup>a,c</sup> FPGAs were revised to the [ ]<sup>a,c</sup> FPGAs in response to the design changes described in Section 5.4.7.

The NICSD IV&V Team documented the results of the V&V activities in Revision 11 of the NICSD VVR.

The revised NICSD VVR reported that the additional V&V activities were performed in accordance with the NICSD VVP (Reference (19)) and concluded that the Implementation and Integration Phase V&V activities were completed without any remaining issue. The NICSD VVR noted for A) that the additional testing to achieve the toggle coverage criteria had no effect on the subsequent phases except additional confidence that the FPGAs operate correctly.

The ICDD IV&V Team reviewed Revision 11 of the NICSD VVR, and concluded that the NICSD VVR was acceptable.

#### 5.6 Module Validation Testing Phase

#### 5.6.1 Document Reviews

The ICDD IV&V Team reviewed the documents listed in Table 5-12. DVRs were used in accordance with Table-A of NED SMP (Reference (17)) in the same manner as described in Section 5.2.1.

(1) NED SSAR Review

The ICDD IV&V Team reviewed Revision 4 of the NED SSAR (Reference (22)), which was revised to include the safety analysis for this Module Validation Testing Phase. The NED SSAR evaluated the NICSD SSAR for the Module Validation Testing Phase (Reference (31)), and accepted the conclusions of the NICSD SSAR, that:

- The NICSD SSAR Module Validation Testing Phase was acceptable.
- One concern on the surveillance testing of EPROM which ICDD found in the Implementation and Integration Phase was not resolved.

(2) NICSD VVR Review

The ICDD IV&V Team reviewed Revision 7 of the NICSD VVR (Reference (24)), which had additional description for the Module Validation Testing Phase. Section 5.6.2 describes evaluation of the NICSD VVR.

| Document<br>Number | Title                                                                                                                                                               | Rev. | Reviewer      | Remark                                                |
|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------------|-------------------------------------------------------|
| FC51-3704-0004     | Nuclear Energy Systems and<br>Services Division<br>Software Safety Analysis<br>Report for Safety-Related<br>Oscillation Power Range<br>Monitor (OPRM)               | 4    | T. Ito        | DVR<br>FC51-0904-0018<br>Rev.0                        |
| FC51-3704-1001     | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation<br>Report for OPRM of<br>FPGA-based Safety-Related<br>Systems<br>(NICSD VVR) | 7    | T.<br>Hayashi | VDCL-IM-0103<br>(IM-2012-001144)<br>(For information) |
| FC51-3704-0001     | Nuclear Energy Systems and<br>Services Division<br>Verification and Validation<br>Report for Oscillation Power<br>Range Monitor (OPRM)<br>(NED VVR)                 | 5    | T. Ito        | This document                                         |

#### Table 5-12 Reviewed Documents


#### 5.6.2 Evaluation of the NICSD VVR for the Module Validation Testing Phase

The NICSD IV&V Team issued Revision 7 of the NICSD VVR (Reference (24)). The ICDD IV&V Team evaluated Revision 7 of the NICSD VVR, and documented the result in VDCL-IM-0103.

Revision 7 of the NICSD VVR stated the following:

• Module Validation Testing

PPDD performed the validation testing of the individual modules constituting the OPRM unit. The NICSD IV&V Team oversaw the testing. The modules included the CELL, AGRD, PBD, DAT/ST, TRN, and RCV modules. PPDD used a special test environment for the module validation testing, and the test cases were selected to validate the module functions. PPDD documented the test results in Module Test Reports and submitted them to NICSD for review and approval. The NICSD IV&V Team concluded that the test results were acceptable, as described after the next bullet.

• Document Review

The NICSD IV&V Team reviewed the Module Test Reports and the Module User's Manual for the CELL, AGRD, PBD, DAT/ST, TRN, and RCV modules.

For the Module Test Reports, the NICSD IV&V Team did not find any significant issues that required design changes.

The NICSD IV&V Team reviewed the Module User's Manuals for the individual OPRM modules, and concluded that the manuals provided sufficient information to users for installation, operation and maintenance.

• Module Validation Testing Phase RTM efforts

The RTM traced requirements in the MDSs to the Module Test Procedures. The NICSD IV&V Team reviewed forward and backward traceability.

• Test Equipment Software Reviews

The NICSD IV&V Team confirmed that PPDD had appropriately controlled the test equipment software used in the Module Validation Testing.

• Result of Security Review

The NICSD IV&V Team performed security reviews, and the NICSD VVR reported the security measures taken in this phase were acceptable.

• Software Safety Analysis Report (SSAR) Review

The NICSD IV&V Team concluded that the NICSD SSAR for the Module Validation Testing Phase was acceptable.

• Monitoring of Metrics

The NICSD VVR reported the metrics. Section 5.6.3 discusses the metrics.

• Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

The NICSD IV&V Team reported no recommendations or suggestions.

• Conclusions of Module Validation Testing Phase V&V Activities

The NICSD IV&V Team confirmed that there were some open items in the Module Validation Testing Phase V&V activities, but they were not considered to have a negative effect on the System Validation Testing Phase.

VDCL-IM-0103 reported the following open comments:


- [1] The NICSD VVR reported close of [ ] open items without specifying them. The NICSD VVR should report the closed issues of the NICSD RTM.
- [2] Section 7.6.2 "Testing" should provide further technical information on the test.
- [3] Description in Section 7.12 "Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities" was unclear.
- [4] The NICSD VVR did not include the following two items that were required by the NICSD VVP:
  - (7) Reference to the FPGA Control Sheets
  - (8) Reference to the Purchase Specification to PPDD
- [5] Revision 7 of the NICSD VVR refers to Revision 4 of the NICSD VVP that ICDD disapproved.
- [6] Figure 8-1 is too simplified to explain the test setup.
- [7] Section 8.1.2 "Test Cases and Procedures" should provide further technical information on the test.
- [8] Caption for Table 8-4 should be placed appropriately.
- [9] Section 8.4 "Test Equipment Software Reviews" includes a confusing description, "confirmed that test was performed in accordance with the test procedure," in which "test" can be taken as a test of a module or a test of the test equipment.
- [10] Section 8.9 "Conclusions of Module Validation Testing Phase V&V Activities" includes a description "concluded that the NICSD V&V activities for the Implementation and Integration Phase." "Implementation and Integration" seems a typo.

The ICDD IV&V Team confirmed that the NICSD VVR for the Module Validation Testing Phase conformed to the requirements for the V&V report in the NICSD VVP except for the above comments.

#### 5.6.3 Metrics

(1) Number of changes applied for the design documents

No design document of ICDD was changed.

(2) Number of closed items in the current phase and open items carried to next phase

[ ] items out of 17 items from the previous phase were closed. These closed items are Items [2] through [7] of VDCL-IM-0101, see Section 5.5.3. The remaining [ ] items were included in VDCL-IM-0103 as Items [1] through [4], see Section 5.6.2.

Revision 7 of the NICSD VVR closed no items and reported that the following eight items were carried to the next phase:

- [ ] items relating to the OPRM Unit User's Manual,
- [ ] items regarding the RTM efforts,
- [ ] item relating to source code review, and
- new item related to the Module Validation Testing Phase RTM efforts.

[ ] items were reported in VDCL-IM-0103.

A total of [ ] items were open, and carried to the System Validation Testing Phase.

(3) Number of Corrective Action Requests (CARs)

No CAR was issued for the ICDD activities.

(4) Number of Nonconformance Notice Reports (NNRs)

No NNR was issued for the ICDD activities.

(5) Number of problems found during testing

See Section 9.7 of the NICSD VVR.

#### 5.6.4 Management of V&V

(1) Software Verification and Validation Plan (SVVP)

There was no need to update the NED VVP (Reference (18)).

(2) Baseline Change Assessment

Design changes were traced in the RTM efforts.

(3) Management Review

The ICDD IV&V Team explains this NED VVR to the PM for approval.

(4) Management and Technical Review Support

There was no need for this activity in this phase.

(5) Organizational and Supporting Process Interface

There was no need for this activity in this phase.

#### 5.6.5 Findings, Recommendations, and Suggestions

The ICDD IV&V Team recognized that, to complete the System Validation Testing Phase, the TRN and RCV modules need to be modified to include a Cyclic Redundancy Check (CRC) function, because Design Review Record DR-16292, issued September 14, 2012, determined that the CRC function would be implemented to detect communication errors.

#### 5.6.6 Conclusions of the Module Validation Testing Phase

The ICDD IV&V Team concluded that the V&V activities for the Module Validation Testing Phase were completed except for some open issues.

#### 5.6.7 Updating of the Module Validation Testing Phase V&V Activities

After the first completion of the Module Validation Testing Phase, NICSD performed V&V activities for the new TRN and RCV modules, which were developed in response to the design changes described in 5.4.7. The V&V activities included reviews of the TRN and RCV module testing that PPDD performed.

The NICSD IV&V Team documented the results in Revision 11 of the NICSD VVR. The NICSD VVR concluded that the new TRN and RCV modules were acceptable.

The ICDD IV&V Team reviewed Revision 11 of the NICSD VVR, and concluded that the NICSD VVR was acceptable.

#### 5.7 System Validation Testing Phase

This System Validation Testing Phase was the last phase of the V&V. To complete the OPRM development, all V&V activities need to be completed without leaving any issue. The V&V for the OPRM system included iteration of some V&V activities before completion. The ICDD IV&V Team iterated V&V activities when necessary, for example, when an already reviewed document was revised. Several System Validation Testing Phase V&V activities were iterated in part, because the changes in the upstream requirements described in Section 5.2.9 were made after the System Validation Testing was once completed, though there were some issues. Revision 7 of the NED VVR documented the first completion.

This section documents the result of the System Validation Test Phase activities finalizing the V&V efforts for the OPRM system, referring to the earlier activities as needed.

#### 5.7.1 Document Reviews

The ICDD IV&V Team reviewed the documents listed in Table 5-13.

(1) NED SSAR Review

The ICDD IV&V Team reviewed Revision 5 of the NED SSAR (Reference (22)), which was revised from Revision 4 including the safety analysis for the System Validation Testing Phase and the updates for the other phases.

Revision 5 of the NED SSAR closed the concern on the surveillance testing of EPROM, by recommending establishment of an appropriate test method.

The NED SSAR reported that NICSD and ICDD performed safety analyses throughout the life cycle phases, including evaluation of the NICSD SSARs. The NED SSAR confirmed that EDS (Reference (21)) identified all safety requirements and the Validation Testing demonstrated the specified safety functions in EDS, and concluded that the software safety analysis of the FPGA-based safety-related OPRM for ABWR plants was completed. The risk of using this OPRM in the ABWR plants is considered minimal as long as the recommendations in the NED SSAR are implemented.

This NED VVR concludes that Revision 5 of the NED SSAR is acceptable.

(2) NICSD VVR Review

The ICDD IV&V Team reviewed Revisions 8, 9, 11, and 12 of the NICSD VVR (Reference (24)), which reported the NICSD V&V activities from the Project Planning and Concept Phase through the System Validation Testing Phase. Revision 12 is the final NICSD VVR. Section 5.7.3 describes evaluation of the NICSD VVRs.

| Document<br>Number | Title                                                                                                                                                               | Rev. | Reviewer   | Remark                                                |
|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|------------|-------------------------------------------------------|
| FC51-3704-0004     | Nuclear Energy Systems and<br>Services Division<br>Software Safety Analysis<br>Report for Safety-Related<br>Oscillation Power Range<br>Monitor (OPRM)               | 5    | T. Ito     | DVR<br>FC51-0904-0022<br>Rev.0                        |
|                    | Nuclear Instrumentation &<br>Control Systems Department<br>Verification and Validation<br>Report for OPRM of<br>FPGA-based Safety-Related<br>Systems<br>(NICSD VVR) | 8    | T. Hayashi | VDCL-IM-0105<br>(IM-2012-001153)<br>(For information) |
|                    |                                                                                                                                                                     | 9    | T. Hayashi | VDCL-IM-0106<br>(IM-2012-001157)<br>(For information) |
|                    |                                                                                                                                                                     | 11   | T. Hayashi | VDCL-IM-0122<br>(IM-2014-000834)                      |
|                    |                                                                                                                                                                     | 12   | T. Hayashi | VDCL-IM-0123<br>(IM-2015-000150)                      |
| FC51-3704-0001     | Nuclear Energy Systems and<br>Services Division<br>Verification and Validation<br>Report for Oscillation Power<br>Range Monitor (OPRM)<br>(NED VVR)                 | 6    | T. Ito     | This document                                         |
|                    |                                                                                                                                                                     | 7    |            |                                                       |
|                    |                                                                                                                                                                     | 8    |            |                                                       |
|                    |                                                                                                                                                                     | 9    |            |                                                       |

#### Table 5-13 Reviewed Documents

#### 5.7.2 Assessment of Test Equipment Software

The NICSD VVR (Reference (24)) reported a test equipment software review. The NICSD IV&V Team concluded that the test equipment software was acceptable. The ICDD IV&V Team checked the test records and report of the test equipment software used in the units and system validation testing, and confirmed that they were well controlled. This is reported in MIN-IM-01418 "17th NRW-FPGA-Based I&C System Qualification Project IV&V Team Meeting."

#### 5.7.3 Evaluation of the NICSD VVR for the System Validation Testing Phase

The NICSD IV&V Team issued Revisions 8 through 12 of the NICSD VVR referring to the System Validation Testing Phase. Since Revision 12 is the final NICSD VVR that documented all NICSD V&V activities including the updates for preceding phases, this section focuses on Revision 12. Note that Revision 9 corrected some errors in Revision 8, the ICDD IV&V Team did not review Revision 10, and Revision 12 corrected minor errors in Revision 11.

(1) Descriptions on the System Validation Testing Phase V&V activities

Revision 12 of the NICSD VVR stated the following:

• System Validation Testing

The NICSD VVR explained the software validation testing. The description included test system, test specimen, test equipment, test items (cases), and results. The tests validated the OPRM functions including the ABA, GRA, and PBDA trips.

The OPRM Unit includes the OPRM modules. The new TRN and RCV modules were used in the response time test only; the other tests used the older TRN and RCV modules.

The NICSD IV&V Team evaluated the system validation test record, and documented the result in the Software Validation Test Report. The NICSD IV&V Team concluded that test result was satisfactory.

• Document Review

The NICSD IV&V Team reviewed the NICSD SSAR.

• Test Equipment Software Review

The NICSD IV&V Team reviewed the test equipment software used in the System Validation Testing.

• System Validation Testing Phase RTM efforts

The RTM traced the requirements in the EDS (Reference (21)) and the OPRM Unit DDS (Reference (23)) to the System Test Specification. The NICSD IV&V Team checked forward and backward traceability, and confirmed that there was no open item.

• Result of Security Review

The NICSD IV&V Team performed the security reviews, and the NICSD VVR reported the security measures taken in this phase were acceptable.

• Software Safety Analysis Report (SSAR) Review

The NICSD IV&V Team concluded that the NICSD SSAR for the System Validation Testing Phase was acceptable as the final safety analysis report for the OPRM equipment.

• Hardware V&V Activities

The NICSD VVR reported that the NICSD IV&V Team performed reviews of the Unit DDS and MDSs in accordance with an NICSD standard.

• Monitoring of Metrics

The NICSD VVR reported the metrics. Section 5.7.4 discusses the metrics.

• Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

The NICSD IV&V Team considered that the System Validation Testing together with the Module Validation Testing ensured a differently configured OPRM having different setpoints from the OPRM system tested in this Validation Testing, because the FPGA and Module Validation testing had already validated operability of each module within any setpoint values allowed in its design.

• Conclusions of System Validation Testing Phase V&V Activities

The NICSD IV&V Team concluded the completion of the System Validation Testing.

• Conclusions

The NICSD IV&V Team considered that the V&V activities provided sufficient confidence that the OPRM met the requirements in the SDD (Reference (20)) and the intended use. The NICSD IV&V Team concluded that the OPRM system is appropriate for safety-related use for ABWR plants.

The ICDD IV&V Team used VDCLs in reviews of the NICSD VVR, and recorded the comments made to revisions of the NICSD VVR.

The next table lists the comments that were open at the end of the Module Validation Testing Phase and those added afterward, together with the revision of the NICSD VVR and the VDCL in which each comment was opened, and the revision of the NICSD VVR and the VDCL in which it was closed. Note that Revision 7 of the NICSD VVR was evaluated in the Module Validation Testing Phase (see Section 5.6.2).

| Comment Summary                                                                                                                                                                                                                                                | Open<br>(VVR Rev. and<br>VDCL) | Close<br>(VVR Rev. and<br>VDCL) |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|---------------------------------|
| [1] The NICSD VVR reported close of two open<br>items without specifying them. The NICSD VVR<br>should report the closed issues of the NICSD RTM. | 7<br>VDCL-IM-0103 | 8<br>VDCL-IM-0105 |
| [2] Section 7.6.2 "Testing" should provide further technical information on the test.                                                                                                                                                                          | 7<br>VDCL-IM-0103              | 11<br>VDCL-IM-0122              |
| [3] Description in Section 7.12 "Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities" was unclear.                                                                                                                  | 7<br>VDCL-IM-0103              | 8<br>VDCL-IM-0105               |
| [4] The NICSD VVR did not include the following two items that were required by the NICSD VVP:<br>(7) Reference to the FPGA Control Sheets<br>(8) Reference to the Purchase Specification to<br>PPDD | 7<br>VDCL-IM-0103 | 8<br>VDCL-IM-0105 |
| [5] Revision 7 of the NICSD VVR refers to<br>Revision 4 of the NICSD VVP that ICDD<br>disapproved.                                                                                                                                                             | 7<br>VDCL-IM-0103              | 8<br>VDCL-IM-0105               |
| [6] Figure 8-1 is too simplified to explain the test setup.                                                                                                                                                                                                    | 7<br>VDCL-IM-0103              | 11<br>VDCL-IM-0122              |
| [7] Section 8.1.2 "Test Cases and Procedures" should provide further technical information on the test.                                                                                                                                                        | 7<br>VDCL-IM-0103              | 11<br>VDCL-IM-0122              |
| [8] Caption for Table 8-4 should be placed appropriately.                                                                                                                                                                                                      | 7<br>VDCL-IM-0103              | 8<br>VDCL-IM-0105               |
| [9] Section 8.4 "Test Equipment Software<br>Reviews" includes a confusing description,<br>"confirmed that test was performed in accordance<br>with the test procedure," in which "test" can be taken<br>as a test of a module or a test of the test equipment. | 7<br>VDCL-IM-0103              | 11<br>VDCL-IM-0122              |

FC51-3704-0001 Rev. 9

| Comment Summary | Open<br>(VVR Rev. and<br>VDCL) | Close<br>(VVR Rev. and<br>VDCL) |
|-----------------|--------------------------------|---------------------------------|
| [10] Section 8.9 "Conclusions of Module<br>Validation Testing Phase V&V Activities" includes a<br>description "concluded that the NICSD V&V<br>activities for the Implementation and Integration<br>Phase." "Implementation and Integration" seems a<br>typo.                         | 7<br>VDCL-IM-0103              | 8<br>VDCL-IM-0105               |
| [11] In Table 7-7, Preparers, Reviewers, Approvers,<br>Independent Reviewers, and DVR No. were missing<br>for FPGA Test Procedures. | 8<br>VDCL-IM-0105 | 9<br>VDCL-IM-0106 |
| [12] Section 9.1 reported that the NICSD IV&V<br>Team confirmed test results of the Hardware Test,<br>Burn-In Test, Prudency Test, and Operability Test.<br>Are they in the V&V scope?                                                                                                | 8<br>VDCL-IM-0105              | 9<br>VDCL-IM-0106               |
| [13] Section 9.1.1 reported that the NICSD IV&V<br>Team documented the Software Validation Test<br>Report based on the result in the System Validation<br>Test Record. What did the Software Validation Test<br>Report add to the System Validation Test Record? | 8<br>VDCL-IM-0105 | 11<br>VDCL-IM-0122 |
| [14] Section 9.1.1 and 9.1.2 mention PFCs. It should be clarified whether the PFCs were a part of the OPRM or not.                                                                                                                                                                    | 8<br>VDCL-IM-0105              | 9<br>VDCL-IM-0106               |
| [15] Section 9.1 should be modified to improve<br>readability, for example, description of the Optical<br>Signal Receiver and its Figure 9-2. | 8<br>VDCL-IM-0105 | 9<br>VDCL-IM-0106 |
| [16] Table 9-2 List of Test Specimen is unclear.                                                                                                                                                                                                                                      | 8<br>VDCL-IM-0105              | 9<br>VDCL-IM-0106               |
| [17] Section 9.1.4 should be modified to improve readability.                                                                                                                                                                                                                         | 8<br>VDCL-IM-0105              | 11<br>VDCL-IM-0122              |
| [18] Section 9.1.5 explained the validation testing focusing on the PBDA. This section should explain how the test cases were selected to ensure the functions of the OPRM.                                                                                                           | 8<br>VDCL-IM-0105              | 11<br>VDCL-IM-0122              |
| [19] Section 9.3.1, "Table 6-1" must be a typo.                                                                                                                                                                                                                                       | 8<br>VDCL-IM-0105              | 9<br>VDCL-IM-0106               |
| [20] Section 9.3.3 explains a theory to generate test<br>pattern, i.e., sine waves. However, the OPRM can<br>detect more generic types of waves, so long as the<br>wave has peaks. The NICSD VVR should explain<br>this functionality of the OPRM. | 8<br>VDCL-IM-0105 | 11<br>VDCL-IM-0122 |


| Comment Summary                                                                                                                                                                                    | Open<br>(VVR Rev. and<br>VDCL) | Close<br>(VVR Rev. and<br>VDCL) |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|---------------------------------|
| [21] The NICSD final VVR should demonstrate the effect of the Butterworth filter, and explain the effect of a digital implementation of the filter.                                                | 8<br>VDCL-IM-0105              | 11<br>VDCL-IM-0122              |
| [22] This Revision of the NICSD VVR provided<br>limited information on the RTM efforts. The<br>NICSD final VVR should provide some examples of<br>requirements traceability throughout the phases. | 8<br>VDCL-IM-0105              | 11<br>VDCL-IM-0122              |
| [23] The NICSD final VVR should address or refer<br>to methods of the surveillance testing mentioned in<br>the NICSD SSAR for the Design Phase.                                                    | 8<br>VDCL-IM-0105              | 11<br>VDCL-IM-0122              |
| [24] Section 9.1 should be modified to improve readability. | 9<br>VDCL-IM-0106 | 11<br>VDCL-IM-0122 |

All comments on the NICSD VVRs were closed in Revision 11 of the NICSD VVR. That is, the final NICSD VVR left no open items.

(2) Updating of Other Phases V&V activities

Revision 11 of the NICSD VVR included updating of the V&V activities from the Project Planning and Concept Definition Phase to the Module Validation Testing Phase to close remaining open items.

#### 5.7.4 Other Activities

The NICSD VVR confirmed the RTM efforts checked the forward and backward traceability from the EDS (Reference (21)) and Unit DDS (Reference (23)) to the System Validation Test Specification. Since the Project Planning and Concept Definition Phase RTM efforts confirmed the forward and backward traceability from the SDD (Reference (20)), IEDs and IBDs to EDS, the forward and backward traceability from the SDD, IEDs and IBDs to the System Validation Test Specification was confirmed.

#### 5.7.5 Metrics

(1) Number of changes applied for the design documents

No design document of ICDD was changed.

(2) Number of open items closed in this phase

A total of $[\quad]^{a,c}$ items carried from the previous phase were closed as follows:

(a) open items in the NICSD VVR were closed in Section 10.8 of the NICSD VVR.

(b) open items in VDCL-IM-0103 were closed, see Section 5.7.3.

(3) Number of Corrective Action Requests (CARs)

No CAR was issued for the ICDD activities.

(4) Number of Nonconformance Notice Reports (NNRs)

No NNR was issued for the ICDD activities.

(5) Number of problems found during testing

See Section 10.8 of the NICSD VVR.

#### 5.7.6 Management of V&V

(1) Software Verification and Validation Plan (SVVP)

The ICDD IV&V Team revised the NED VVP (Reference (18)) to Revision 3, which corrected wrong references to some documents.

(2) Baseline Change Assessment

Design changes were traced in the RTM efforts.

(3) Management Review

The ICDD IV&V Team explains this NED VVR to the PM for approval.

(4) Management and Technical Review Support

There was no need for this activity.

(5) Organizational and Supporting Process Interface

There was no need for this activity.

#### 5.7.7 Findings, Recommendations, and Suggestions

The NICSD VVR described a suggestion concerning a differently configured OPRM whose setpoints differ from those of the OPRM system tested in this Validation Testing. The ICDD V&V Team recommends that the suggestion be considered in a future OPRM system.

#### 5.7.8 Conclusions of the System Validation Testing Phase

The ICDD IV&V Team evaluated the final NICSD VVR and the final NED SSAR, and determined that these reports were acceptable.

The ICDD IV&V Team concluded that the V&V activities for the System Validation Testing Phase were completed without leaving any open issue.

### 6 Conclusions and Recommendations

The ICDD IV&V Team confirmed that all V&V activities for the OPRM system had been completed in accordance with the NED VVP (Reference (18)). The V&V activities had been performed through the following life cycle phases:

- (1) Project Planning and Concept Definition Phase,
- (2) Requirements Definition Phase,
- (3) Design Phase,
- (4) Implementation and Integration Phase,
- (5) Module Validation Testing Phase, and
- (6) System Validation Testing Phase.

Through these phases, most software development occurred in NICSD. The NICSD IV&V Team performed their V&V activities, including document reviews, requirements traceability efforts, security reviews, FPGA testing, module validation testing, and system validation testing.

As reported in the NICSD VVR, the following issues were raised in the performance of the V&V activities:

- Test cases for some FPGAs did not meet the toggle coverage criteria.
- Design was changed to add the CRC function to the communication modules.

The NICSD and ICDD IV&V Teams iterated the necessary V&V activities to resolve the issues in accordance with the NICSD VVP (Reference (19)), NED VVP, and applicable QA procedures. The V&V activities, including the iterated activities, were performed without any deviation from these plans and QA procedures, and left no open issue.

ICDD performed software safety activities throughout the life cycle phases, including reviews of the NICSD SSARs, and documented the result in the NED SSAR. The NED SSAR included one recommendation: establishment of an appropriate test method to detect possible EPROM failures.

This NED VVR reviewed revisions of the NICSD VVR and the NED SSAR throughout the life cycle phases, and considered them acceptable.

This NED VVR concludes, confirming the conclusions of the NICSD VVR and NED SSAR, that the OPRM developed in this project is appropriate for safety-related use for ABWR plants as long as the recommendations in the NICSD VVR and the NED SSAR are implemented.




# **Record of Revisions**

| Rev No. | Date              | Description                   | Approved<br>by             | Reviewed<br>by              | Prepared<br>by           |
|---------|-------------------|-------------------------------|----------------------------|-----------------------------|--------------------------|
| 0       | See Cover<br>Page | Initial Issue                 | See Cover<br>Page          | See Cover<br>Page           | See Cover<br>Page        |
| 1       | Feb.24,2012       | See<br>DECN-FC51-3704-1001-01 | H. Kitazono<br>Feb.24,2012 | M. Shirasaki<br>Feb.24,2012 | T. Yonaha<br>Feb.24,2012 |
| 2       | Jun.1,2012        | See<br>DECN-FC51-3704-1001-02 | H. Kitazono<br>Jun.1,2012  | M. Shirasaki<br>Jun.1,2012  | T. Yonaha<br>Jun.1,2012  |
| 3       | Jun.29,2012       | See<br>DECN-FC51-3704-1001-03 | H. Kitazono<br>Jun.29,2012 | M. Shirasaki<br>Jun.29,2012 | T. Yonaha<br>Jun.28,2012 |
| 4       | Sep.22,2012       | See<br>DECN-FC51-3704-1001-04 | H. Kitazono<br>Sep.22,2012 | H. Kitazono<br>Sep.22,2012  | T. Yonaha<br>Sep.22,2012 |
| 5       | Oct.16,2012       | See<br>DECN-FC51-3704-1001-05 | H. Kitazono<br>Oct.16,2012 | H. Kitazono<br>Oct.16,2012  | T. Yonaha<br>Oct.16,2012 |
| 6       | Nov.2,2012        | See<br>DECN-FC51-3704-1001-06 | H. Kitazono<br>Nov.2,2012  | H. Kitazono<br>Nov.2,2012   | T. Yonaha<br>Nov.2,2012  |
| 7       | Nov.8,2012        | See<br>DECN-FC51-3704-1001-07 | H. Kitazono<br>Nov.8,2012  | H. Kitazono<br>Nov.8,2012   | T. Yonaha<br>Nov.8,2012  |
| 8       | Nov.12,2012       | See<br>DECN-FC51-3704-1001-08 | H. Kitazono<br>Nov.12,2012 | H. Kitazono<br>Nov.12,2012  | T. Yonaha<br>Nov.12,2012 |
| 9       | Nov.15,2012       | See<br>DECN-FC51-3704-1001-09 | H. Kitazono<br>Nov.15,2012 | H. Kitazono<br>Nov.15,2012  | T. Yonaha<br>Nov.15,2012 |
| 10      | Feb.7,2013        | See<br>DECN-FC51-3704-1001-10 | H. Kitazono<br>Feb.7,2013  | H. Kitazono<br>Feb.7,2013   | K. Kasai<br>Feb.7,2013   |
| 11      | Aug.7,2014        | See<br>DECN-FC51-3704-1001-11 | H. Kitazono<br>Aug.7,2014  | H. Kitazono<br>Aug.7,2014   | K. Kasai<br>Aug.5,2014   |
| 12      | See Cover<br>Page | See<br>DECN-FC51-3704-1001-12 | See Cover<br>Page          | See Cover<br>Page           | See Cover<br>Page        |

TOSHIBA CORPORATION Nuclear Instrumentation & Control Systems Department


## **Table of Contents**

| Section    | Title                                                                                          |
|------------|------------------------------------------------------------------------------------------------|
| 1.         | Introduction                                                                                   |
| 2.         | Definitions and Abbreviations                                                                  |
| 2.1        | Definitions                                                                                    |
| 2.2        | Abbreviations                                                                                  |
| 3.         | Reference Documents                                                                            |
| 4.         | Verification and Validation Overviews                                                          |
| 4.1        | Organizations and Responsibilities                                                             |
| 4.2        | Tools, Techniques, and Methodologies                                                           |
| 5.         | Project Planning and Concept Definition Phase V&V Activities                                   |
| 5.1        | Preparation of NICSD VVP                                                                       |
| 5.2        | Preparation of Software Test Plan                                                              |
| 5.3        | Documents Reviews                                                                              |
| 5.4        | Project Planning and Concept Definition Phase RTM Efforts                                      |
| 5.5        | Result of Security Review                                                                      |
| 5.6        | Software Safety Analysis Report (SSAR) Review                                                  |
| 5.7        | Monitoring of Metrics                                                                          |
| 5.8        | Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities |
| 5.9        | Conclusions of Project Planning and Concept Definition Phase V&V Activities                    |
| 5.10       | Updating of Project Planning and Concept Definition Phase V&V Activities                       |
| 6.         | Requirements Definition Phase V&V Activities                                                   |
| 6.1        | Documents Reviews                                                                              |
| 6.2        | Requirements Definition Phase RTM efforts                                                      |
| 6.3        | Result of Security Review                                                                      |
| 6.4        | Software Safety Analysis Report (SSAR) Review                                                  |
| 6.5        | Monitoring of Metrics                                                                          |
| 6.6        | Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities |
| 6.7        | Conclusions of Requirements Definition Phase V&V Activities                                    |
| 6.8        | Updating of Requirements Definition Phase V&V Activities                                       |
| 7.         | Design Phase V&V Activities                                                                    |
| 7.1        | Preparation of SVTP                                                                            |
| 7.2        | Documents Reviews                                                                              |
| 7.3        | Results of FE Document and Software Tool Control Checks                                        |
| 7.4        | Design Phase RTM Efforts                                                                       |
| 7.5        | Result of Security Review                                                                      |
| 7.6        | Software Safety Analysis Report (SSAR) Review                                                  |
| 7.7        | Monitoring of Metrics                                                                          |
| 7.8        | Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities |
| 7.9        | Conclusions of Design Phase V&V Activities                                                     |
| 7.10       | Updating of Design Phase V&V Activities                                                        |
| 8.         | Implementation and Integration Phase V&V Activities                                            |
| 8.1        | VHDL Source Code Reviews                                                                       |
| 8.2        | Logic Synthesis and Layout Verification                                                        |
| 8.3        | Signal Timing                                                                                  |
| 8.4        | Netlist Inspection                                                                             |
| 8.5        | Document Reviews                                                                               |
| 8.6        | FPGA Testing                                                                                   |
| 8.7        | Software Tool Control Review                                                                   |
| 8.8        | Implementation and Integration Phase RTM efforts                                               |
| 8.9        | Result of Security Review                                                                      |
| 8.10       | Software Safety Analysis Report (SSAR) Review                                                  |
| 8.11       | Control of Configuration Items                                                                 |
| 8.12       | Monitoring of Metrics                                                                          |
| 8.13       | Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities |
| 8.14       | Conclusions of Implementation and Integration Phase V&V Activities                             |
| 8.15       | Updating of Implementation and Integration Phase V&V Activities                                |
| 9.         | Module Validation Testing Phase V&V activities                                                 |
| 9.1        | Module Validation Testing                                                                      |
| 9.2        | Document Reviews                                                                               |
| 9.3        | Module Validation Testing Phase RTM effort                                                     |
| 9.4        | Test Equipment Software Reviews                                                                |
| 9.5        | Result of Security Review                                                                      |
| 9.6        | Software Safety Analysis Report (SSAR) Review                                                  |
| 9.7        | Monitoring of Metrics                                                                          |
| 9.8        | Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities |
| 9.9        | Conclusions of Module Validation Testing Phase V&V Activities                                  |
| 9.10       | Updating of Module Validation Testing Phase V&V Activities                                     |
| 10.        | System Validation Testing Phase V&V Activities                                                 |
| 10.1       | System Validation Testing                                                                      |
| 10.2       | Document Reviews                                                                               |
| 10.3       | Test Equipment Software Review                                                                 |
| 10.4       | System Validation Testing Phase RTM efforts                                                    |
| 10.5       | Result of Security Review                                                                      |
| 10.6       | Software Safety Analysis Report (SSAR) Review                                                  |
| 10.7       | Hardware V&V                                                                                   |
| 10.8       | Monitoring of Metrics                                                                          |
| 10.9       | Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities |
| 10.10      | Conclusions of System Validation Testing Phase V&V Activities                                  |
| 11.        | Conclusions                                                                                    |
| Appendix A | Project Planning and Concept Definition Phase RTM                                              |
| Appendix B | Requirements Definition Phase RTM                                                              |
| Appendix C | Design Phase RTM                                                                               |
| Appendix D | Implementation and Integration Phase RTM                                                       |
| Appendix E | Module Validation Testing Phase RTM                                                            |
| Appendix F | System Validation Testing Phase RTM                                                            |
| Appendix G | ABA Trip Testing                                                                               |

# 1. Introduction

This report summarizes the Verification & Validation (V&V) activities for the Non-Rewritable (NRW) Field Programmable Gate Array (FPGA) Based Oscillation Power Range Monitor (OPRM) System of the NRW-FPGA-Based I&C System Qualification Project. The Nuclear Instrumentation and Control Systems Department (NICSD) Independent V&V (IV&V) Team performed the V&V activities in accordance with FA32-3709-1000 "Nuclear Instrumentation & Control Systems Department Verification Plan for FPGA-Based Safety-Related Systems," (VVP) (Reference (17)), and prepared this report in accordance with NICSD NQ-2014 "Preparation Guide for V&V Report" (Reference (6)).

The NICSD IV&V team performed the V&V activities through the following phases:

- (1) Project Planning and Concept Definition Phase,
- (2) Requirements Definition Phase,
- (3) Design Phase,
- (4) Implementation and Integration Phase,
- (5) Module Validation Testing Phase, and
- (6) System Validation Testing Phase.

This V&V Report (VVR) was updated at the completion of each phase, adding a new section describing the V&V activities performed for the phase. Ideally, once a phase is completed, none of its activities should need to be corrected or iterated. However, in accordance with the task iteration policy in the VVP, the NICSD had to iterate several activities that had once been declared completed, for several reasons. These iterated activities are described in subsections entitled "updating of XXX phase activities" at the end of each section.

# 2. Definitions and Abbreviations

# 2.1 Definitions

**Confirmation Count:** Confirmation Count is the variable counting the neutron flux oscillation for each OPRM cell. The Confirmation Count is the sum of the peaks and valleys in the flux minus one.

**Functional Element (FE):** A Functional Element is a component of digital logic that is completely verified and validated through full pattern testing, i.e. tests that are performed for all possible input combinations. An FE is written in Very High Speed Integrated Circuit Hardware Description Language (VHDL). All VHDL source codes for the NRW-FPGA-based System solely consist of FEs and interconnect between FEs. [This definition is extracted from Section 3.1 of the NICSD Software Management Plan (SMP) (Reference (14))]

**Module:** A part of a unit. Each module consists of one or more printed circuit boards, on which the FPGAs and other circuitry are mounted, and a front panel.

**Netlist:** Description of logic created by the logic synthesis tool. A design engineer describes FPGA logic in the form of VHDL source codes and FEs. The logic synthesis tool converts the VHDL source code into forms of digital circuits and outputs the resulting circuit in the form of a netlist. The layout tool transforms the netlist into physical placement of interconnects on the FPGA, which are represented as an FPGA fuse-map. [This definition is extracted from Section 3.1 of the NICSD Software Management Plan (SMP) (Reference (14))]

**Unit:** A major component of FPGA-based equipment. A unit is a chassis that has front slots and back slots to mount modules. Each unit consists of several modules. There is a vertical middle plane between the front and back slots in each unit. This plane consists of two circuit boards. These circuit boards provide backplanes for the front and rear modules. Modules plug into the backplanes using connectors. Once a module is plugged into the appropriate connector, it exchanges data with other modules in the unit, connects to other units and any external field equipment, and is powered. [This definition is extracted from Section 3.1 of the NICSD Software Management Plan (SMP) (Reference (14))]

**Validation:** Validation is used to ensure that the final product satisfies the user requirements. Validation shall be performed on the final product, although validation may be necessary or performed prior to the final code being produced. See Section 4.2 of the Software Program Plan (SPP) (Reference (13)).

**Verification:** Verification consists of reviews performed on the results of each development phase to ensure the phase was completed appropriately and correctly. See Section 4.2 of the SPP.

# 2.2 Abbreviations

| Abbreviation | Meaning                                                             |
|--------------|---------------------------------------------------------------------|
| ABA          | Amplitude Based Detection Algorithm                                 |
| APRM         | Average Power Range Monitor                                         |
| CCF          | Common Cause Failure                                                |
| CRC          | Cyclic Redundancy Check                                             |
| DCTR         | Design Change Technical Report                                      |
| DCN          | Design Change Notice                                                |
| DDS          | Detailed Design Specification                                       |
| DP-SRAM      | Dual Port SRAM                                                      |
| DVR          | Design Verification Report                                          |
| ECWD         | Elementary Control Wiring Diagram                                   |
| EDIF         | Electric Design Interchange Format                                  |
| EDS          | Equipment Design Specification                                      |
| EEPROM       | Electrically Erasable Programmable Read-Only Memory                 |
| ELCS         | Engineered Safety Features (ESF) Logic and Control System           |
| ES           | Engineering Schedule                                                |
| ESF          | Engineered Safety Features                                          |
| FD           | Flat Display                                                        |
| FDMS         | Fuchu Documents Management System                                   |
| FE           | Functional Element                                                  |
| FPGA         | Field Programmable Gate Array (a programmable logic device)         |
| FTA          | Fault Tree Analysis                                                 |
| Fuchu-PS     | Fuchu Complex Power Systems Segment                                 |
| GRA          | Growth Rate-Based Detection Algorithm                               |
| HMI          | Human Machine Interface                                             |
| I&C          | Instrumentation and Control                                         |
| ICDD         | Instrumentation & Control Systems Design and Engineering Department |
| IV&V         | Independent Verification and Validation                             |
| LAN          | Local Area Network                                                  |
| LPRM         | Local Power Range Monitor                                           |
| LVPS         | Lower Voltage Power Supply                                          |
| MDS          | Module Design Specification                                         |
| MTP          | Master Test Plan                                                    |
| NED          | Nuclear Energy Systems and Services Division                        |
| NISD         | Nuclear Instrumentation Systems Development & Designing Group       |
| NICSD        | Nuclear Instrumentation & Control Systems Department                |
| NICS-QC      | Quality Control Group for Nuclear Instrumentation & Control Section |
| NNR          | Nonconformance Notice Report                                        |
| NQ           | Nuclear Quality (standards for NICSD)                               |
| NRW          | Non-Rewritable                                                      |
| OPRM         | Oscillation Power Range Monitor                                     |
| PBDA         | Period Based Detection Algorithm                                    |
| PC           | Personal Computer                                                   |
| PCB          | Printed Circuit Board                                               |
| PCDL         | Project Control Document List                                       |
| PDP          | Project Design Plan                                                 |
| PFC          | Power Factor Correction module                                      |
| PICS         | Plant Information & Control System                                  |

FC51-3704-0001 Rev.9 FC51-3704-1001 Rev.12

| Abbreviation | Meaning                                                                                                                          |
|--------------|----------------------------------------------------------------------------------------------------------------------------------|
| PM           | Project Manager                                                                                                                  |
| PPDD         | Power Platform Development Department                                                                                            |
| PRM          | Power Range Monitor                                                                                                              |
| PRM          | Process Review Meeting                                                                                                           |
| PRNM         | Power Range Neutron Monitor                                                                                                      |
| PTER         | Preliminary Technical Evaluation Report                                                                                          |
| QA           | Quality Assurance                                                                                                                |
| RPS          | Reactor Protection System                                                                                                        |
| RTIS         | Reactor Trip and Isolation System                                                                                                |
| RTM          | Requirements Traceability Matrix                                                                                                 |
| SCAR         | Fuchu Site Corrective Action Request                                                                                             |
| SCMP         | Software Quality Configuration Management Plan                                                                                   |
| SD           | Software Development                                                                                                             |
| SDD          | System Design Description                                                                                                        |
| SDOE         | Secure Development and Operational Environment                                                                                   |
| SMP          | Software Management Plan                                                                                                         |
| SNNR         | Site Nonconformance Notice Report                                                                                                |
| SRAM         | Static Random Access Memory                                                                                                      |
| SVNNR        | Site Vendor Nonconformance Notice Report                                                                                         |
| SOE          | Sequence of Event                                                                                                                |
| SQA          | Software Quality Assurance                                                                                                       |
| SQAP         | Software Quality Assurance Management Plan                                                                                       |
| SPP          | Software Program Plan                                                                                                            |
| SSAR         | Software Safety Analysis Report                                                                                                  |
| STARC        | Semiconductor Technology Academic Research Center                                                                                |
| SVTP         | Software Validation Test Plan                                                                                                    |
| SVTR         | Software Validation Test Report                                                                                                  |
| TDR          | Transient Data Recorder                                                                                                          |
| V&V          | Verification and Validation                                                                                                      |
| VDCL         | Vendor generated Document Check List                                                                                             |
| VFS          | Verification Follow Sheets                                                                                                       |
| VHDL         | Very High Speed Integrated Circuit Hardware Description Language (A hardware description language that defines the FPGA circuit) |
| VVP          | Verification and Validation Plan                                                                                                 |
| VVR          | Verification and Validation Report                                                                                               |

Table 3-1 of the NICSD SMP (Reference (14)) explains the terminological differences between the SPP and the NICSD SMP. This NICSD VVR also uses Table 3-1 of the NICSD SMP.


# 3. Reference Documents

- (1) IEEE Std 1012-1998"IEEE Standard for Software Verification and Validation"
- (2) IEEE Std 1028-1997"IEEE Standard for Software Reviews"
- (3) Toshiba Nuclear Energy Systems and Service Division AS-200A002 "Design Verification Procedure," Rev.8
- (4) Toshiba Nuclear Energy Systems and Service Division AS-200A130
   "Digital System Verification & Validation Procedure," Rev.3
- (5) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2013
   "Preparation Guide for Verification and Validation Plan," Rev.4
- (6) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2014
   "Preparation Guide for V&V Report," Rev.5
- (7) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2015
   "Preparation Procedure for RTM and RTM Report," Rev.5
- (8) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2035
   "Procedure for Design Change Control," Rev.4
- (9) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2036
   "Digital System Verification & Validation Procedure," Rev.6
- (10) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2037
   "Cyber Security Procedures of Safety Related Digital System," Rev.3
- (11) Unused
- (12) Toshiba Fuchu Complex Power Systems Segment D-81018
   "Information security criteria of control for Toshiba Fuchu Complex Power Systems Segment" Rev.2 (in Japanese)
- (13) NRW-FPGA-Based I&C System Qualification Project, FA10-0501-0024"Software Program Plan," Rev. 1
- (14) NRW-FPGA-Based I&C System Qualification Project, FA32-3702-1000
   "Nuclear Instrumentation & Control Systems Department Software Management Plan for FPGA-based Safety-Related Systems," Rev. 2
- (15) NRW-FPGA-Based I&C System Qualification Project, FA32-3701-1001
   "Nuclear Instrumentation & Control Systems Department Software Quality Assurance Plan for FPGA-Based Safety-Related Systems," Rev. 1
- (16) NRW-FPGA-Based I&C System Qualification Project, FA32-3708-1000
   "Nuclear Instrumentation & Control Systems Department Software Configuration Management Plan for FPGA-Based Safety-Related Systems," Rev. 1
- (17) NRW-FPGA-Based I&C System Qualification Project, FA32-3709-1000
   "Nuclear Instrumentation & Control Systems Department Verification & Validation Plan for FPGA-Based Safety-Related Systems," Rev. 7
- (18) NRW-FPGA-Based I&C System Qualification Project, FC51-7021-1000
   "Master Test Plan for NRW-FPGA-Based I&C Safety Qualification Project," Rev.1
- (19) NRW-FPGA-Based I&C System Qualification Project, FC51-3705-1000

"Software Test Plan for FPGA-Based Safety-Related Systems," Rev. 0

- (20) NRW-FPGA-Based I&C System Qualification Project, FC51-3002-1000 "Equipment Design Specification for Power Range Neutron Monitor," Rev. 4
- (21) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1000 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Project Planning and Concept Definition Phase)," Rev. 1
- (22) Unused
- (23) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1004 "Nuclear Instrumentation & Control Systems Department Project Planning and Concept Definition Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)," Rev. 4
- (24) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1005 "Nuclear Instrumentation & Control Systems Department Project Planning and Concept Definition Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)," Rev. 5
- (25) NRW-FPGA-Based I&C System Qualification Project, FC51-1001-0001 "System Design Description Neutron Monitoring System" Rev. 8
- (26) NRW-FPGA-Based I&C System Qualification Project, FC51-3809-0004 "Nuclear Energy Systems and Services Division Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM)," Rev. 4
- (27) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-0002
   "Project Planning and Concept Definition Phase Requirements Traceability Matrix Oscillation Power Range Monitor (OPRM)," Rev. 5
- (28) Toshiba Nuclear Energy Systems and Service Division AS-200A132 "Digital System Safety and Hazards Analysis Procedure," Rev.0
- (29) NRW-FPGA-Based I&C System Qualification Project, FC51-3702-1000
   "OPRM Unit Detailed Design Specification for Power Range Neutron Monitor," Rev. 4
- (30) NRW-FPGA-Based I&C System Qualification Project, FC51-8001-1000 "OPRM Unit User's Manual," Rev. 4
- (31) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1007
   "Nuclear Instrumentation & Control Systems Department Requirements Definition Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)," Rev. 3
- (32) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1008 "Nuclear Instrumentation & Control Systems Department Requirements Definition Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)," Rev. 4
- (33) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1002
   "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Requirements Definition Phase)," Rev. 2
- (34) NRW-FPGA-Based PRM System Qualification Project, FPG-DRT-C51-0002
   "Preliminary Hazard Analysis Report," Rev. 2

TOSHIBA CORPORATION Nuclear Instrumentation & Control Systems Department


- (35) Unused
- (36) Unused

- (37) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1104 "Nuclear Instrumentation & Control Systems Department Design Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)," Rev. 0
- (38) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1105
   "Nuclear Instrumentation & Control Systems Department Design Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)," Rev. 4
- (39) Unused
- (40) Unused
- (41) NICSD FDS-JHS-000202 Rev.1 "Design Rationale for OPRM Trip Determination Algorithm applied to OPRM Unit Design"
- (42) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1101
   "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Design Phase)," Rev. 1
- (43) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1106 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Implementation and integration Phase)," Rev. 1
- (44) NRW-FPGA-Based PRM System Qualification Project, FPG-DRT-C51-0016 "Verification and Validation Final Report," Rev. 1
- (45) Toshiba Power Platform Development Department E-68017 "PPDD Procedural Standard for FPGA Device Development," Rev. 10
- (46) Toshiba Nuclear Instrumentation & Control Systems Department 8M8K0000 "Code Review Guide," Rev. 1
- (47) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1103
   "Source Code Review Sheet for NRW-FPGA-Based I&C System Qualification Project," Rev. 3
- (48) Toshiba Power Platform Development Department E-68019 "PPDD Procedural Standard for FPGA Configuration Management," Rev. 7
- (49) Toshiba Power Platform Development Department E-68016 "PPDD Procedural Standard for FPGA Products Development," Rev. 12
- (50) Toshiba Power Platform Development Department E-68020
   "PPDD Procedural Standard for Control of Software Tools Used with FPGA Based Systems," Rev. 7
- (51) Toshiba Power Platform Development Department E-68018
   "PPDD Procedural Standard for Functional Element Development," Rev. 8
- (52) Actel datasheet "SX-A Family FPGAs" v5.3 February, 2007
- (53) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1111 "Nuclear Instrumentation & Control Systems Department Implementation and Integration Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)," Rev. 2
- (54) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1113
   "Nuclear Instrumentation & Control Systems Department Module Validation Testing Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)," Rev. 2

- (55) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2030 "Procedural Standard for FPGA Products Development," Rev.8
- (56) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1108 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Module Validation Testing Phase)," Rev. 1
- (57) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2003 "Procedure for Control of Software Tools" Rev.3
- (58) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2024 "Procedure for Document Control" Rev.8
- (59) NRW-FPGA-Based I&C System Qualification Project, FC51-7101-1001 "Nuclear Instrumentation & Control Systems Department System Test Specification for Safety-Related Oscillation Power Range Monitor (OPRM)" Rev.6
- (60) NRW-FPGA-Based I&C System Qualification Project, FC51-7012-1003 "Software Validation Test Plan" Rev.3
- (61) NRW-FPGA-Based I&C System Qualification Project, FC51-7101-1000 "System Validation Test Procedure for NRW-FPGA-Based I&C System Qualification Project" Rev.3
- (62) NRW-FPGA-Based I&C System Qualification Project, FC51-7501-1001
   "System Validation Test for NRW-FPGA-Based I&C System Qualification Project"
- (63) NRW-FPGA-Based I&C System Qualification Project, FC51-7513-1002 "Software Validation Test Report" Rev.1
- (64) Toshiba Nuclear Instrumentation & Control Systems Department 5B8K0072 "Evaluation Report for OPRM Test Tool" Rev.0
- (65) Toshiba Nuclear Instrumentation & Control Systems Department FDS-JHS-000204 "Evaluation Report for Test Pattern Files" Rev.1
- (66) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1112
   "Nuclear Instrumentation & Control Systems Department System Validation Testing Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)" Rev.2
- (67) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1116 "Nuclear Instrumentation & Control Systems Department System Validation Testing Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)" Rev.2
- (68) NRW-FPGA-Based I&C System Qualification Project, FC51-3704-1114 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (System Validation Testing Phase)" Rev.2
- (69) NRW-FPGA-Based I&C System Qualification Project, FC51-3601-0001
   "Procurement Specification for Equipment Qualification and EMC Qualification of Components of Oscillation Power Range Monitor (OPRM)," Rev. 11

Notice: This reference section refers to the final revision of each document. The text sections refer to an older revision when necessary. In such cases, the referenced revision is indicated in the text section, like "Revision N of XXX."

# 4. Verification and Validation Overviews

## 4.1 Organizations and Responsibilities

Figure 4-1 shows the organizations for the FPGA-based Safety-Related Instrumentation and Control (I&C) Systems development. The Monitoring System Engineering Group of the Instrumentation & Control Systems Design & Engineering Department (ICDD) of the Nuclear Energy Systems and Services Division (NED) ordered the OPRM from NICSD of the Fuchu-Complex. The Nuclear Instrumentation Systems Development & Designing Group (NISD) of NICSD designed the OPRM, and ordered the OPRM major components or the modules from the Power Platform Development Department (PPDD).



\*) A Job Order is issued from each group in ICDD to the Nuclear Instrumentation Systems Development & Designing Group.

Legend: Oversight of IV&V team; Submittal of Design Documents; Report of V&V Results

Figure 4-1 Toshiba Organizations for FPGA-based Safety-Related I&C Systems Development

Engineers from ICDD and NICSD organized Independent Verification and Validation (IV&V) Teams for the V&V of the FPGA logic. In this VVR, the term "ICDD IV&V Team" or "NICSD IV&V Team" is used when the two IV&V Teams need to be distinguished. Otherwise, the remark applies to both IV&V Teams. The NICSD IV&V Team performed the NICSD V&V activities defined in FA32-3709-1000 "Nuclear Instrumentation & Control Systems Department Verification and Validation Plan for FPGA-based Safety-Related Systems" (NICSD VVP) (Reference (17)).

## 4.2 Tools, Techniques, and Methodologies

### 4.2.1 Document Reviews

Document review is a method of V&V, and was performed in accordance with NED AS-200A002 (Reference (3)), AS-200A130 (Reference (4)), and NQ-2036 (Reference (9)). AS-200A002 requires preparation of a Design Verification Report (DVR). The NICSD IV&V Team used IEEE Std 1012 (Reference (1)) and IEEE Std 1028 (Reference (2)) as guidance for the reviews.

### 4.2.2 Requirements Traceability Activities

Requirements Traceability Matrices (RTMs) were generated by the NICSD SD Team and PPDD design engineers, and reviewed by the IV&V Team to ensure the software addressed the requirements completely, accurately, correctly, and consistently. The NICSD SD Team and PPDD design engineers used the IBM® Rational® DOORS® requirement management tool in these activities.

# 5. Project Planning and Concept Definition Phase V&V Activities

The NICSD IV&V Team performed the Project Planning and Concept Definition Phase V&V activities in accordance with the NICSD VVP (Reference (17)).

## 5.1 Preparation of NICSD VVP

The NICSD IV&V Team prepared the NICSD VVP (Reference (17)) in accordance with Section 4 of the Software Program Plan (SPP) (Reference (13)) and NICSD NQ-2013 "Preparation Guide for Verification and Validation Plan" (Reference (5)). The NICSD IV&V Lead reviewed the NICSD VVP and the NICSD Project Manager (PM) approved the NICSD VVP. The NICSD IV&V Team delivered the NICSD VVP to the Instrumentation & Control Systems Design and Engineering Department (ICDD) IV&V Team, and obtained its approval.

## 5.2 Preparation of Software Test Plan

The NICSD IV&V Team prepared the Software Test Plan (Reference (19)) in accordance with FA32-3702-1000 "Nuclear Instrumentation & Control Systems Department Software Management Plan for FPGA-based Safety-Related Systems" (NICSD SMP) (Reference (14)).

The Software Test Plan defined the scope, approach, resources, and required test documents, for the FPGA Testing, Module Validation Testing, and System Validation Testing.

## 5.3 Documents Reviews

Table-A of the NICSD SMP (Reference (14)) defines the outputs of the Project Planning and Concept Definition Phase, and the documents that shall be reviewed by the NICSD IV&V Team.

Table 5-1 lists the documents that have been reviewed. The reviews were performed in accordance with Section 4.6.1 of the NICSD VVP (Reference (17)) that requires document review be performed in accordance with NED AS-200A002 "Design Verification Procedure" (Reference (3)). Table 5-1 refers to the Design Verification Report (DVR) and the Verification Follow Sheets (VFS). NED AS-200A002 defines the use of the DVR as a design verification report, and the VFS as a method to follow the unverified portions in the review.

Table 5-1 Documents Reviewed

| Project Document No. | Rev. | Document Name (Abbreviated document title) | Preparer | Independent Reviewer | DVR No. (VFS No.) |
|----------------------|------|--------------------------------------------|----------|----------------------|-------------------|
| FC51-3002-1000 | 0 | Equipment Design Specification for Power Range Neutron Monitor (EDS) | H. Ito | K. Kasai | FC51-0904-1000 (VFS-JHS-000064) |
| FC51-3002-1000 |   | Equipment Design Specification for Power Range Neutron Monitor (EDS) | H. Ito | K. Kasai | FC51-0904-1011 |
| FA32-3701-1001 | 0 | Software Quality Assurance Plan (SQAP) | S. Kono | T. Yonaha | FA32-0904-1004 |
| FA32-3709-1000 | 0 | Verification and Validation Plan (VVP) | K. Kasai | H. Kitazono | FA32-0904-1006 |
| FA32-3709-1000 | 1 | Verification and Validation Plan (VVP) | M. Shirasaki | H. Kitazono | FA32-0904-1007 |
| FA32-3708-1000 | 0 | Software Configuration Management Plan (SCMP) | T. Furusawa | T. Yonaha | FA32-0904-1000 |
| FC51-3704-1000 | 0 | Software Safety Analysis Report (SSAR) | M. Tomitaka | T. Yonaha | FC51-0904-1001 |
| FC51-150 <sub>,</sub> 5-1000 | 0 | Preliminary Technical Evaluation Report (PTER) | T. Furusawa | M. Shirasaki | FC51-0904-1002 |
| FC51-7021-1000 | 0 | Master Test Plan (MTP) | T. Furusawa | M. Shirasaki | FC51-0904-1005 |

### 5.3.1 Equipment Design Specification (EDS) Review

The NICSD IV&V Team reviewed Revision 0 of FC51-3002-1000 "Equipment Design Specification for Power Range Neutron Monitor" (EDS) (Reference (20)). The EDS specifies the equipment design for the Power Range Neutron Monitor (PRNM) and the requirements for the following units contained in the PRNM:

- Local Power Range Monitor (LPRM) unit
- Average Power Range Monitor (APRM) unit, and
- Oscillation Power Range Monitor (OPRM) unit.

Based on the safety requirements in Revision 1 of FC51-1001-0001 "System Design Description Neutron Monitoring System" (SDD) (Reference (25)) given by ICDD, Section 4 of the EDS summarized the configuration and the functions. The EDS specified that the PRNM system consisted of four equivalent divisions, and each division received 52 separate current signals from the 52 LPRM detectors in the reactor core. The LPRM units converted the 52 current signals into 52 LPRM levels, and provided the LPRM levels to the APRM and OPRM units in the same division.

The functions of the PRNM system included the following safety-related functions of the OPRM:

- Generate the neutron flux oscillation signals
- Generate the following trip signals, as OPRM functions, and provide them to the Reactor Protection System (RPS):
  - Amplitude-Based Maximum Trip (ABA Trip)
  - Growth Rate-Based Trip (GRA Trip)
  - Period-Based Trip (PBDA Trip)
  - OPRM Inoperative

Section 5 of the EDS described the design specifications for the PRNM system, decomposing the functions described in Section 4. Section 5 of the EDS assigned the OPRM functions to the OPRM unit.

Section 5 of the EDS specified the OPRM unit as follows:

• OPRM Cell Configuration

The assignment of the 52 LPRM levels to the 44 OPRM cells was specified. The reviewer confirmed that the assignment was the same as that given in the SDD.

• OPRM Cell Signal Processing

The signal processing requirements to generate the Normalized Oscillation Signals from the LPRM levels were specified. The Normalized Oscillation Signal represents the neutron flux of each OPRM cell. The requirements included filtering, averaging, and normalizing.

• Inoperative Trip Conditions

\_Conditions for an inoperative trip and were provided. The conditions included a

• ABA, GRA, and PBDA Trips.

Flow charts of ABA, GRA, and PBD algorithms were provided.

• Alarm Conditions

Conditions for alarming minor failures were provided. The conditions included a \_\_\_\_\_a,c

• Interface Requirements

The interface requirements included discrete input and outputs, and optical inputs and outputs. The discrete input was the APRM bypass signal, and the discrete outputs included trips and alarms. The optical inputs and outputs were defined with respect to APRM units and other external equipment.

Through the review of the EDS, the NICSD IV&V Team found some inconsistencies between the requirements in the SDD and the EDS. For example, the SDD used the term "RPS," which stands for Reactor Protection System, but the EDS used "RTIS," which stands for Reactor Trip and Isolation System. Actually, RPS is a part of RTIS. The NICSD IV&V Team issued the VFS to document those issues and required the NICSD SD Team to resolve them. The NICSD SD Team resolved those issues in Revision 1 of the EDS (Reference (20)) and Revision 1 of the RTM (Reference (23)).

The NICSD IV&V Team confirmed that the safety requirements in the SDD were adequately addressed in the EDS, and the EDS provided the necessary functional requirements for the OPRM unit design.

### 5.3.2 Other Documents

For the review of Software Safety Analysis Report (SSAR) (Reference (21)), refer to Sections 4.4 and 4.6, respectively.

Table 5-1 shows all the documents that the NICSD IV&V Team reviewed. The NICSD IV&V Team confirmed that each project document satisfied the applicable standards and procedures.

## 5.4 Project Planning and Concept Definition Phase RTM Efforts

(1) Preparation of RTM

The NICSD Software Development (SD) Team developed an RTM tracing Revision 0 of FC51-3704-0002 "Project Planning and Concept Definition Phase Requirements Traceability Matrix Oscillation Power Range Monitor (OPRM)" (NED RTM) (Reference (27)) to Revision 0 of the EDS (Reference (20)) in accordance with NICSD NQ-2015 "Preparation Procedure for RTM and RTM Report" (Reference (7)). The NED RTM identified SDD requirements based on Revision 1 of the SDD (Reference (25)). The NICSD SD Team issued a snapshot of the developed RTM as Revision 0 of FC51-3704-1004 "Nuclear Instrumentation & Control Systems Department Project Planning and Concept Definition Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)" (NICSD RTM (Project Planning and Concept Definition Phase)) (Reference (23)). See Appendix A for an example of the NICSD RTM (Project Planning and Concept Definition Phase).

(2) Compilation of the Project Planning and Concept Definition Phase RTM Report

The NICSD SD Team summarized comments made through the RTM efforts in the "Comments" column of the NICSD RTM (Project Planning and Concept Definition Phase)

For Revision 0 of the NICSD RTM, the number of the comments was in total.

There were two types of comments. One was about the NED RTM. The SD Team found that some requirements identified by a single identification number in the NED RTM actually included more than one requirement. For example, the SDD requirement numbered R02 included a setpoint of OPRM trip determination and a bypass condition.

The other comments were on the EDS. For example, the SDD requirement numbered R58 stated use of connectors to metal wires and optical fiber cables, but the EDS did not explicitly specify use of metal wires for the discrete signals.

The NICSD IV&V Team reviewed Revision 0 of the NICSD RTM, and found [] additional comments. The NICSD IV&V Team documented the result of the RTM review in Revision 0 of FC51-3704-1005 "Nuclear Instrumentation & Control Systems Department Project Planning and Concept Definition Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)" (RTM Report (Project Planning and Concept Definition Phase Requirements)) (Reference (24)).

The NICSD IV&V Team requested resolution of these [] comments before proceeding to the Requirements Definition Phase. Responding to the request, ICDD updated the SDD; the NICSD SD Team updated the EDS and RTMs. However, the new revisions of the documents still left the following two issues:

• A sentence in the SDD "The combined Growth Rate-Based Trip, Amplitude-Based Trip, Period-Based Trip, and Inoperative (in negative logic) signals shall be combined by "AND" logic, and the combined trip signal shall be transmitted to all division of the RPS" had more than one requirement, and was divided into two separate requirements in the RTM.

• The difference between two requirements in the NED RTM regarding OPRM inoperative trip could not be distinguished.

The NICSD IV&V Team considered that these two comments were minor and had minimal impact on the design activities in the next phase.

## 5.5 Result of Security Review

The NICSD IV&V Team carried out a security review in accordance with Section 5.2.5 of the NICSD VVP (Reference (17)) and NICSD NQ-2037 "Cyber Security Procedure of Safety Related Digital System" (Reference (10)). The NICSD IV&V Team checked the EDS, NICSD SSAR, and security control implemented in NICSD. The NICSD IV&V Team held a security assessment meeting as a part of this security review, and confirmed that the following security requirements in NQ-2037 were satisfied:

(1) Access control to design deliverables

NQ-2037 requires access control of the design documents, codes, records, and any other design deliverables. NICSD stores their deliverables in the

The NICSD IV&V Team confirmed that

, and concluded that appropriate access controls to [ implemented.

(2) Security control of personal computers

Personal computers (PCs) used for design works were controlled in accordance with D-81018 "Information security criteria of control for Toshiba Fuchu Complex Power Systems Segment" (Reference (12)). Besides

NICSD IV&V Team confirmed that security measures for those PCs were in place conforming to D-81018.

The NICSD IV&V Team concluded that appropriate controls for NICSD PCs were implemented.

(3) Identification of digital safety system's weakness and vulnerability

The NICSD IV&V Team performed a security assessment to identify weakness and vulnerability of the OPRM as required by NQ-2037. The NICSD IV&V Team reviewed the EDS and identified that:

- The OPRM uses non-rewritable FPGA that prevents any logic changes in the field, and
- The OPRM specification requires that parameters of the OPRM are protected with key-lock switches.

The NICSD IV&V Team concluded that the OPRM design in the EDS would protect the logic and parameters determining the safety functions appropriately.

(4) Remote-access control to digital safety system

NQ-2037 requires that no remote access to the digital safety system shall be provided. The NICSD IV&V Team reviewed the EDS and identified that there was no remote-access to the OPRM, and that all data transfers from the OPRM to any non-safety systems were made through unidirectional communication paths.

The NICSD IV&V Team concluded that the OPRM design includes no remote access to the OPRM.

(5) Control of development environment

The NICSD IV&V Team confirmed that:

The NICSD IV&V Team concluded that development environment was controlled appropriately from a security point of view.

## 5.6 Software Safety Analysis Report (SSAR) Review

The NICSD Software Safety Team performed a software safety analysis succeeding FC51-3809-0004 "Nuclear Energy Systems and Services Division Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM)" (NED SSAR (Project Planning and Concept Definition Phase)) (Reference (26)), and prepared FC51-3704-1000 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Project Planning and Concept Definition Phase)" (NICSD SSAR (Project Planning and Concept Definition Phase)), and confirmed that the NICSD SSAR was prepared in accordance with Section 14 of NICSD SMP (Reference (14)) and NED AS-200A132 "Digital System Safety and Hazards Analysis Procedure" (Reference (28)).

The NICSD IV&V Team evaluated the NICSD SSAR as follows:

- The NICSD SSAR identified the software safety requirements from the EDS and confirmed that all the software safety requirements of the OPRM defined in the SDD were adequately addressed in the EDS.
- The NICSD SSAR concluded that there were concerns on software tool errors and timing errors in an FPGA. They were hazards that might cause common cause failure (CCF), and should be documented, evaluated and addressed in software safety analyses in the later phases. They were the same hazards identified in the past NRW-FPGA-Based PRM System Qualification Project. Section 6 of the Preliminary Hazard Analysis Report (Reference (34)) for the NRW-FPGA-Based PRM System Qualification Project described these hazards. The NICSD IV&V Team agreed with the conclusion.

The NICSD IV&V Team concluded that the NICSD SSAR for the Project Planning and Concept Definition Phase was acceptable.

## 5.7 Monitoring of Metrics

Section 4.6.6 of the NICSD VVP (Reference (17)) defines metrics to be monitored. The NICSD IV&V Team monitored these metrics as follows:

#### (1) Number of changes applied to the design documents

The NICSD IV&V Team examined the changes that had been applied to revision of the EDS, and classified them into the following types:

- **Corrections:** This type of change is made to correct any incorrect requirements, incorrect descriptions or errors.
- **Additions:** This type of change is made to add new design requirements or new information to the document.
- **Others:** This type of change is made to improve readability, and does not change any requirements or add new information. Adding new sentences for clarification or explanation belongs to this type of change, as long as it does not add new information.

Table 5-2 lists the number of changes applied to Revision 1 of EDS.

Table 5-2 Numbers of Changes applied to Revision 1 of EDS

| Document Name | Revision | Corrections | Additions | Others | Total |     |
|---------------|----------|-------------|-----------|--------|-------|-----|
| EDS           |          |             |           |        |       | a,c |

#### (2) Number of open items carried to the next phase

The number of open items to be carried to the next phase is \_\_\_\_\_\_ These open items are related to the Revision 2 of the NED RTM (Project Planning and Concept Definition Phase) (Reference (27)) as reported in Section 4.4. The NICSD IV&V Team evaluated that these [\_\_\_\_\_]<sup>a,c</sup> open items were minor and had minimal impact on the design activities in the next phase.

#### (3) Number of open items closed in the current phase

Not applicable, because this is the first phase.

#### (4) Number of Site Corrective Action Requests (SCARs)

One SCAR, [ ]<sup>a,c</sup>, was issued during this phase. This SCAR pointed out that the Project Design Plan (PDP) was late after the completion of the Process Review Meeting - B1 (PRM-B1). In response to the SCAR, the NICSD SD Team issued the PDP and the SCAR was closed.

#### (5) Number of Site Nonconformance Notice Reports (SNNRs)

No SNNR was issued in this phase.

#### (6) Number of problems found during V&V testing

No V&V testing was executed. Therefore, no SNNR was issued in this phase.

## 5.8 Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

Through the V&V activities of this phase, the NICSD IV&V Team did not identify any risk related to design and safety analysis activities. There were no recommendations, or suggestions to the NICSD SD Team and the NICSD Software Safety Team.

## 5.9 Conclusions of Project Planning and Concept Definition Phase V&V Activities

The NICSD IV&V Team confirmed that NICSD V&V activities had been performed in accordance with the NICSD VVP, and concluded that the NICSD V&V activities for the Project Planning and Concept Definition Phase were completed in an acceptable manner.

The NICSD IV&V Team confirmed that open items regarding Revision 2 of the NED RTM (FC51-3704-0002) (Reference (27)) remained in the reviews of the EDS and its RTM for the Project Planning and Concept Definition Phase. The NICSD IV&V Team evaluated that these open items were minor and had minimal impact on the design activities in the next phase, because these comments were only concerned with the method in which the RTM was developed. These open items identified by the NICSD SD Team and the NICSD IV&V Team were not considered to have a negative effect in the next phase as long as the engineers were notified of these open items, and could be resolved by correcting the documents.

There was a concern, however, that the NICSD V&V activities would involve reviews of a considerable number of deliverables from PPDD in the Design and later phases. The review would cause a shortage of NICSD IV&V Team members and delay the V&V activities. It is necessary to consider practical measures to address this concern.

## 5.10 Updating of Project Planning and Concept Definition Phase V&V Activities

This subsection describes updating of the Project Planning and Concept Definition Phase activities.

### 5.10.1 Updated Documents Reviews

Some documents were updated after the Project Planning and Concept Definition Phase was completed. Table 5-3 lists the updated documents. The reasons for the updating are:

(1) Resolve open items in the Project Planning and Concept Definition Phase,

(2) Resolve new issues that were found in the subsequent phases, and

(3) Clarify description or give additional information to improve readability.

These updated documents were reviewed and approved in the same manner as described in Section 5.3.

In the reviews, the NICSD IV&V Team did not find any problem that could change the conclusion of the Project Planning and Concept Definition Phase.

Revision 2 of the EDS was issued responding to a requirement change in Revision 6 of the SDD (Reference (25)). Revision 6 of the SDD extended the scope of communication error detection, which had been applied only to the internal communication, to the communication from external equipment. NICSD treated this change in accordance with the NICSD's design change procedure NQ-2035 "Procedure for Design Change Control" (Reference (8)).

Revision 3 of the EDS was issued responding to a new requirement in Revision 7 of the SDD, which added a response time requirement.

Revision 4 of the EDS was issued responding to Revision 8 of the SDD, which corrected typographical errors found in the figures explaining the ABA, GRA, and PBD algorithms. The NICSD IV&V Team evaluates that these corrections do not affect the downstream design documents.

| Project Document<br>No. | Rev. | Document Name<br>(Abbreviated<br>document title)       | Preparer     | Independent<br>Reviewer | DVR No.        |
|-------------------------|------|--------------------------------------------------------|--------------|-------------------------|----------------|
| FA32-3709-1000          | 2    | Verification and Validation Plan (VVP)                 | M. Shirasaki | H. Kitazono             | FA32-0904-1008 |
| FA32-3709-1000          | 3    | Verification and Validation Plan (VVP)                 | K. Kasai     | T. Yonaha               | FA32-0904-1011 |
| FA32-3709-1000          | 4    | Verification and Validation Plan (VVP)                 | K. Kasai     | T. Yonaha               | FA32-0904-1012 |
| FA32-3709-1000          | 5    | Verification and Validation Plan (VVP)                 | K. Kasai     | T. Yonaha               | FA32-0904-1013 |
| FA32-3709-1000          | 6    | Verification and Validation Plan (VVP)                 | K. Kasai     | H. Kitazono             | FA32-0904-1014 |
| FA32-3709-1000          | 7    | Verification and Validation Plan (VVP)                 | K. Kasai     | H. Kitazono             | FA32-0904-1015 |
| FA32-3708-1000          | 1    | Software Configuration Management Plan (SCMP)          | T. Furusawa  | T. Yonaha               | FC51-0904-1009 |
| FA32-3701-1001          | 1    | Software Quality Assurance Plan (SQAP)                 | S. Kono      | T. Yonaha               | FC51-0904-1010 |
| FC51-7021-1000          | 1    | Master Test Plan (MTP)                                 | T. Furusawa  | H. Kitazono             | FC51-0904-1371 |
| FC51-3002-1000          | 2    | Equipment Design Specification for PRNM (EDS)          | H. Ito       | K. Kasai                | FC51-0904-1373 |
| FC51-3002-1000          | 3    | Equipment Design Specification for PRNM (EDS)          | H. Ito       | K. Kasai                | FC51-0904-1417 |
| FC51-3002-1000          | 4    | Equipment Design Specification for PRNM (EDS)          | H. Ito       | K. Kasai                | FC51-0904-1450 |
| FC51-3704-1000          | 1    | Software Safety Analysis Report (SSAR)                 | M. Tomitaka  | K. Kasai                | FC51-0904-1420 |

#### Table 5-3 Updated Documents

## 5.10.2 RTM Efforts

The SD Team and the IV&V Team performed additional RTM efforts for revisions of the EDS when necessary, updating the NICSD RTM (Project Planning and Concept Definition Phase) (Reference (23)) and the RTM report (Project Planning and Concept Definition Phase) (Reference (24)).


## 5.10.3 Conclusion of Update

The NICSD IV&V Team confirmed that the update activities of the Project Planning and Concept Definition Phase were performed in accordance with the NICSD VVP (Reference (17)).

The NICSD IV&V Team concluded that the Project Planning and Concept Definition Phase V&V activities were completed.

# 6. Requirements Definition Phase V&V Activities

The NICSD IV&V Team performed the Requirements Definition Phase V&V activities in accordance with the NICSD VVP (Reference (17)).

# 6.1 Documents Reviews

The NICSD IV&V Team reviewed the documents listed in Table 6-1 in the same manner as described in Section 5.3.

| Project Document<br>No. | Rev. | Document Name<br>(Abbreviated<br>document title) | Prepared<br>by | Independent<br>Reviewer | DVR No.        |
|-------------------------|------|--------------------------------------------------|----------------|-------------------------|----------------|
| FC51-3702-1000          | 0    | OPRM Unit Detailed Design Specification (Unit DDS) | H. Ito      | H. Kitazono             | FC51-0904-1007 |
| FC51-3702-1000          | 1    | OPRM Unit Detailed Design Specification (Unit DDS) | H. Ito      | K. Kasai                | FC51-0904-1063 |
| FC51-3102-1000          | 0    | OPRM Unit Outline Drawing                          | M. Hayashi  | H. Kitazono             | FC51-0904-1008 |
| FC51-8001-1000          | 0    | OPRM Unit User's Manual                            | T. Furusawa | K. Kasai                | FC51-0904-1009 |
| FC51-3704-1002          | 0    | Software Safety Analysis Report (SSAR)             | M. Tomitaka | T. Yonaha               | FC51-0904-1095 |

**Table 6-1 Documents Reviewed** 

# 6.1.1 Unit Detailed Design Review

The NICSD IV&V Team reviewed FC51-3702-1000 "OPRM Unit Detailed Design Specification for Power Range Neutron Monitor" (Unit DDS) (Reference (29)).

The OPRM Unit DDS specified the functional requirements for the OPRM unit, and defined the configuration of the OPRM unit. The OPRM unit is comprised of a unit chassis and the following modules inserted into the front and back sides of the unit chassis:

(1) <u>RCV Modules</u>

The RCV modules receive optical data from external devices. Two RCV modules are inserted into the unit chassis. One RCV module receives optical data of the LPRM levels from the LPRM units. The other RCV module receives optical data of the APRM Level and Core Flow Level from the APRM unit. Both RCV modules send the received data to the CELL module.

(2) <u>CELL Module</u>

The CELL module calculates a Normalized Oscillation Signal for each OPRM cell from the LPRM levels assigned to the cell, and sends the Normalized Oscillation Signals to the AGRD, PBD and DAT/ST modules. The Unit DDS defined a calculation method of the Normalized Oscillation Signals.

(3) <u>AGRD Module</u>

The AGRD module determines a trip for each OPRM cell using the Amplitude-Based algorithm (ABA) and Growth Rate-Based algorithm (GRA) on the Normalized Oscillation Signals. The AGRD module sends the trip signal to the DAT/ST module with internal calculation data. The AGRD module sends the trip signal also to the DIO module.

(4) <u>PBD Module</u>

The PBD module determines a trip for each OPRM cell using the Period-Based algorithm (PBA) on the Normalized Oscillation Signals. The PBD module sends the trip signal to the DAT/ST module with internal calculation data. The PBD module also sends the trip signal to the DIO module.

(5) <u>DIO Module</u>

The DIO module has discrete input interfaces and output interfaces. The DIO module sends the trip signal to the Relay unit external to the OPRM unit.

(6) <u>DAT/ST Module</u>

The DAT/ST module multiplexes the received data, and provides the multiplexed data to the TRN module.

(7) <u>TRN Modules</u>

The TRN modules transmit optical data to external devices. Two TRN modules are inserted into the unit chassis.

(8) <u>LVPS Module</u>

Two redundant Low Voltage Power Supply (LVPS) modules supply +5VDC and  $\pm15$ VDC power to the other modules in the OPRM unit.

The NICSD IV&V Team confirmed that the OPRM Inoperative function and self-diagnosis functions of the OPRM unit were well defined in the Unit DDS.

The NICSD IV&V Team also reviewed the OPRM Unit DDS considering the following viewpoints.

- The OPRM Unit DDS does not describe design or implementation details that should be described in the design phase documents such as Module Design Specifications (MDSs) or FPGA Design Specifications.
- The OPRM Unit DDS does not impose unnecessary constraints on the module and FPGA design.
- The requirements in the OPRM Unit DDS are correct, unambiguous, complete, consistent, verifiable, and traceable.

### 6.1.2 Other Document Reviews

The NICSD IV&V Team reviewed the OPRM Unit Chassis Outline Drawing and FC51-8001-1000 "OPRM Unit User's Manual" (Reference (30)) listed in Table 6-1 and found the following two issues in the OPRM Unit User's Manual.

- Though the OPRM Unit User's Manual was required to describe necessary instructions for security issues based on a security assessment, they were not addressed (to be determined by the System Validation Testing Phase, if any).
- Some instructions in the manual cannot be validated until the System Validation Testing Phase, in which the OPRM unit would be operated.

The NICSD IV&V Team evaluated that these two issues had minimal impact on the design activities in the next phases, because the issues could be resolved by revising the user's manual.

For the review result of the NICSD SSAR (Reference (33)), refer to Sections 5.2 and 5.4, respectively.

Note that although the NICSD SMP requires review of Elementary Control Wiring Diagrams (ECWDs), no ECWD was prepared in this project.

## 6.2 Requirements Definition Phase RTM efforts

(1) Preparation of RTM

The NICSD SD Team developed the RTM based on the NICSD RTM (Project Planning and Concept Definition Phase) (Reference (22)), tracing the requirements in the EDS (Reference (20)) to the OPRM Unit DDS (Reference (29)).

A snapshot of the developed RTM was issued as FC51-3704-1007 "Nuclear Instrumentation & Control Systems Department Requirements Definition Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)" (NICSD RTM (Requirements Definition Phase)) (Reference (31)). See Appendix B for an example of the NICSD RTM (Requirements Definition Phase).

(2) Compilation of the Requirements Definition Phase RTM Report

The NICSD IV&V Team checked whether all requirements in the EDS were traced to the Unit DDS, and the specifications in the Unit DDS were traced back to the EDS.

The NICSD IV&V Team found the following three comments.

- A) There were differences between the flow chart in the EDS and descriptions in the Unit DDS for the ABA and GRA algorithms.
- B) There were differences between the flow chart in the EDS and descriptions in the Unit DDS for the PBDA algorithm.
- C) Wording of remarks in the NICSD RTM was not appropriate.

The NICSD IV&V Team considered that comments A) and B) would become a risk, and would require some design changes to the modules and FPGAs if these issues were not resolved in the Design Phase. The NICSD IV&V Team recommended that the NICSD SD Team clarify and report whether the ABA, GRA and PBDA algorithms in the OPRM Unit DDS are practical implementations of the conceptual algorithms described in the EDS. The NICSD SD Team agreed to address the recommendation in the Design Phase.

The NICSD IV&V Team concluded as follows:

- Except for comments A) and B) above, the requirements for the OPRM unit in the EDS have been adequately incorporated in the OPRM Unit DDS.
- These comments should be controlled as open items to be resolved in the Design Phase.
- The NICSD IV&V Team accepted that the project could move forward to the Design Phase. The NICSD IV&V Team would review resolution of these open items.

The NICSD IV&V Team documented the RTM review result in FC51-3704-1008 "Nuclear Instrumentation & Control Systems Department Requirements Definition Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)" (RTM Report (Requirements Definition Phase)) (Reference (32)).

The NICSD IV&V Team concluded that, except for the three comments, the requirements for the OPRM unit in the EDS have been adequately incorporated in the OPRM Unit DDS.

# 6.3 Result of Security Review

The NICSD IV&V Team carried out a security review in accordance with Section 5.3.3 of the NICSD VVP (Reference (17)) and NICSD NQ-2037 (Reference (10)). The NICSD IV&V Team held a security assessment meeting as a part of this security review, and confirmed that the security requirements in NQ-2037 were satisfied. Through the review, the NICSD IV&V Team checked the Unit DDS, the NICSD SSAR, and the security control implemented in NICSD.

The NICSD IV&V Team confirmed that the security environment reviewed in Section 5.5 (1), (2) and (5) was appropriately maintained.

The NICSD IV&V Team confirmed that the security measures identified in Section 5.5 (3) and (4) were incorporated in the unit design. Through the review of the OPRM Unit DDS and the RTM described in Section 6.2, the NICSD IV&V Team confirmed that the OPRM unit design did not have remote access methods, thereby ensuring the interface requirements in the EDS.

# 6.4 Software Safety Analysis Report (SSAR) Review

The NICSD Software Safety Team prepared FC51-3704-1002 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Requirements Definition Phase)" (NICSD SSAR (Requirements Definition Phase)) (Reference (33)). The NICSD IV&V Team reviewed the NICSD SSAR, and confirmed that the NICSD SSAR was prepared in accordance with Section 14 of the NICSD SMP (Reference (14)) and NED AS-200A132 (Reference (28)).

The NICSD IV&V Team evaluated the NICSD SSAR as follows:

- The NICSD SSAR concluded that all the software safety requirements of the OPRM defined in the EDS (Reference (20)) were adequately addressed in the OPRM Unit DDS (Reference (29)) except for a concern about the ABA, GRA, and PBDA algorithms. The concern was the same as comments A) and B) identified in the RTM efforts in Section 6.2. The NICSD IV&V Team agreed with this conclusion.
- To resolve the concern, the NICSD SD Team issued the "Design Rationale for OPRM Trip Determination Algorithm applied to OPRM Unit Design" (Reference (39)). The NICSD Software Safety Team reviewed the Design Rationale Report, and concluded that the OPRM unit design did not adversely affect the safety functions of the OPRM system, and that the OPRM unit would perform the safety functions as intended in the EDS. The NICSD IV&V Team agreed with this conclusion.
- The NICSD Software Safety Team performed a Fault Tree Analysis (FTA) to identify hazards in the unit design. Based on the FTA, the SSAR drew the following conclusions, with which the NICSD IV&V Team agreed:
  - Appropriate functional partitioning has been provided so that a failure in the OPRM unit is traceable to a single module failure;
  - The module for the PBD trip and the module for the ABA and GRA algorithms were separated to ensure that a failure in either of the modules does not affect trip determinations by the other algorithms;
  - A possible failure considered as a basic event in the FTA, which can make an OPRM unit fail to issue a trip signal when required, does not lead the plant to a failure to scram, because the PRNM consists of four independent divisions and the RPS determines a scram using 2-out-of-4 logic;
  - Although the four OPRMs make trip determinations based on different input signals, all four independent OPRMs have the same design. Hence, there may be a potential design error that can become a CCF ruining the independence of those OPRMs. Any potential CCFs shall be accordingly identified and evaluated per module using FMEA in the Design Phase.
- The NICSD SSAR concluded that the concerns of software tool errors and timing errors in an FPGA exist in the FPGA-based system development process as hazards associated with common cause failure (CCF), and should be documented, evaluated and addressed in software analysis in the later phases. This conclusion is the same as that of the Project Planning and Concept Definition Phase. The NICSD IV&V Team agreed with this conclusion.

The NICSD IV&V Team concluded that the NICSD SSAR for the Requirements Definition Phase was acceptable.

# 6.5 Monitoring of Metrics

The NICSD IV&V Team monitored the same metrics as Section 5.7.

#### (1) Number of changes applied to the design documents

The NICSD IV&V Team counted the changes that had been applied to Revision 1 of the Unit DDS for the types of changes defined in Section 5.7. Table 6-2 summarizes the result.

#### Table 6-2 Numbers of Changes applied to Revision 1 of Unit DDS

| Document name | Revision | Corrections | Additions | Others | Total |     |
|---------------|----------|-------------|-----------|--------|-------|-----|
| Unit DDS      | 1        |             |           | 1      | a     | i,c |

Correction of the Unit DDS was made through RTM efforts.

### (2) Number of open items carried to the next phase

A total of [ ]<sup>a,c</sup> open

- \[ \] open items identified in the Project Planning and Concept Definition Phase RTM Efforts described in Section 6.7.
- \[ \]<sup>a,c</sup> open items related to the OPRM Unit User's Manual (Reference (30)) as reported in Section 6.1.2.
- \[ \]<sup>a,c</sup> open items related to the Requirements Definition Phase RTM Efforts as reported in Section 6.2.
- \[ \]<sup>a,c</sup> open item notified by a Vendor generated Document Check List (VDCL-IM-0014) from the ICDD IV&V Team.

### (3) Number of open items closed in the current phase

None

### (4) Number of Site Corrective Action Requests (SCARs)

No SCAR was issued in this phase.

#### (5) Number of Site Nonconformance Notice Reports (SNNRs)

No SNNR was issued in this phase.



#### (6) Number of problems found during V&V testing

No V&V testing was executed. Therefore, no SNNR was issued in this phase.

# 6.6 Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

The NICSD IV&V Team considered that the following two issues had a risk that would need changes of the modules and FPGAs design if these issues were not resolved in the Design Phase.

- Differences between the flow chart in the EDS and descriptions in the Unit DDS for the ABA and GRA algorithms
- Differences between the flow chart in the EDS and descriptions in the Unit DDS for the PBDA algorithm.

The NICSD IV&V Team recommended that the NICSD SD Team should clarify and report that the ABA, GRA and PBDA algorithms in the OPRM Unit DDS.

## 6.7 Conclusions of Requirements Definition Phase V&V Activities

The NICSD IV&V Team confirmed that NICSD V&V activities had been performed in accordance with the NICSD VVP, and concluded that the NICSD V&V activities for the Requirements Definition Phase were completed in an acceptable manner.

The NICSD IV&V Team confirmed that there were [ ]<sup>a,c</sup> open items remaining in the Requirements Definition Phase V&V activities as reported in Section 6.5.

Except the [ ]<sup>a,c</sup> open items identified in Section 6.2, these open items were not considered to have negative effect in the next phase as long as these open items are notified to the engineers, and are able to be resolved by correcting documents.

To address the concern raised in the conclusion of the Project Planning and Concept Definition Phase V&V activities, the NICSD IV&V Lead assigned three additional engineers as the NICSD IV&V Team members for V&V activities of later phases.

## 6.8 Updating of Requirements Definition Phase V&V Activities

This subsection describes updating of the Requirements Definition Phase activities.

#### 6.8.1 Updated Documents Reviews

Documents listed in Table 6-3 were updated after the Requirements Definition Phase was completed.

These updated documents were reviewed and approved in the same manner as in the Requirements Definition Phase.

Revision 3 of the OPRM Unit DDS was prepared to adjust to Revision 2 of the EDS (Reference (20)). Revision 4 of the OPRM Unit DDS was prepared to adjust to Revision 3 of the EDS.

The Software Safety Team revised the SSAR (Requirements Definition Phase) (Reference (33)) to Revision 2.

The NICSD IV&V Team did not find any problem that could change the conclusion of the Requirements Definition Phase.


#### Table 6-3 Updated Documents

| Project Document<br>No. | Rev. | Document Name<br>(Abbreviated<br>document title) | Preparer    | Independent<br>Reviewer | DVR No.        |
|-------------------------|------|--------------------------------------------------|-------------|-------------------------|----------------|
| FC51-3702-1000          | 2    | OPRM Unit Detail Design Specification (Unit DDS) | H. Ito      | H. Kitazono             | FC51-0904-1268 |
| FC51-3702-1000          | 3    | OPRM Unit Detail Design Specification (Unit DDS) | H. Ito      | T. Yonaha               | FC51-0904-1374 |
| FC51-3702-1000          | 4    | OPRM Unit Detail Design Specification (Unit DDS) | H. Ito      | K. Kasai                | FC51-0904-1418 |
| FC51-8001-1000          | 1    | OPRM Unit User's Manual                          | T. Furusawa | H. Kitazono             | FC51-0904-1279 |
| FC51-8001-1000          | 2    | OPRM Unit User's Manual                          | K. Tamura   | H. Kitazono             | FC51-0904-1357 |
| FC51-8001-1000          | 3    | OPRM Unit User's Manual                          | H. Ito      | H. Kitazono             | FC51-0904-1411 |
| FC51-8001-1000          | 4    | OPRM Unit User's Manual                          | H. Ito      | K. Kasai                | FC51-0904-1445 |
| FC51-3704-1002          | 1    | Software Safety Analysis Report (SSAR)           | M. Tomitaka | T. Yonaha               | FC51-0904-1364 |
| FC51-3704-1002          | 2    | Software Safety Analysis Report (SSAR)           | M. Tomitaka | K. Kasai                | FC51-0904-1421 |

## 6.8.2 RTM Efforts

The SD Team and the IV&V Team performed additional RTM efforts for revisions of the Unit DDS, updating the NICSD RTM (Requirements Definition Phase) (Reference (31)) and the RTM report (Requirements Definition Phase) (Reference (32)).

## 6.8.3 Conclusion of Update

The NICSD IV&V Team confirmed that the update activities of the Requirements Definition Phase were performed in accordance with the NICSD VVP (Reference (17)).

The NICSD IV&V Team concluded that the Requirements Definition Phase V&V activities were completed.

# 7. Design Phase V&V Activities

The NICSD IV&V Team performed the Design Phase V&V activities in accordance with the NICSD VVP (Reference (17)).

# 7.1 **Preparation of SVTP**

In the Design Phase, the NICSD IV&V Team has started preparing the Software Validation Test Plan (SVTP) to be used in the System Validation Testing Phase. The SVTP will include test plans, test items, and procedures therein to validate the requirements from the EDS (Reference (20)) and the OPRM Unit DDS (Reference (29)).

# 7.2 Documents Reviews

The NICSD IV&V Team reviewed the PPDD documents in the same manner as described in Section 5.3.

## 7.2.1 Module Design Specification Reviews

The NICSD IV&V Team reviewed the Module Design Specifications (MDSs) listed in Table 7-1. Since MDSs were PPDD documents, the IV&V Team performed the reviews for the revisions that PPDD submitted to NICSD.

| Document No. | Rev. | Document Name<br>(Type)                  | Preparer      | Independent<br>Reviewer | DVR No.        |
|--------------|------|------------------------------------------|---------------|-------------------------|----------------|
|              | 0    | CELL module Design                       | T. Nishiguchi | M. Shirasaki            | FC51-0904-1012 |
| 5G8HC104     |      | Specification                            | T. Nishiguchi | T. Yonaha               | FC51-0904-1141 |
|              | 2    | (HNS0400 Series)                         | T. Nishiguchi | H. Kitazono             | FC51-0904-1317 |
|              | 0    | AGRD module                              | T. Nishiguchi | T. Yonaha               | FC51-0904-1013 |
| 5G8HC105     | 1    | Design Specification<br>(HNS0420 Series) | T. Nishiguchi | T. Yonaha               | FC51-0904-1142 |
|              | 0    | PBD module Design                        | Y. Haraguchi  | K. Kasai                | FC51-0904-1014 |
| 5G8HC106     |      | Specification                            | Y. Haraguchi  | K. Kasai                | FC51-0904-1143 |
|              | 2    |                                          | Y. Haraguchi  | K. Kasai                | FC51-0904-1356 |
|              | 0    | Design Specification                     | Y. Haraguchi  | K. Kasai                | FC51-0904-1015 |
| 5G8HC107     |      |                                          | Y. Haraguchi  | K. Kasai                | FC51-0904-1146 |
|              | 2    |                                          | Y. Haraguchi  | K. Kasai                | FC51-0904-1184 |
|              | 0    | 0                                        | N. Umemura    | K. Kasai                | FC51-0904-1016 |
| 5G8HC108     | 1    | Specification<br>(HNS0531 Series)        | N. Umemura    | K. Kasai                | FC51-0904-1145 |
|              |      | 0                                        | N. Umemura    | T. Yonaha               | FC51-0904-1017 |
| 5G8HC109     | 1    | Specification<br>(HNS0541 Series)        | N. Umemura    | T. Yonaha               | FC51-0904-1144 |

 Table 7-1 Module Design Specifications Reviewed


| Document No. | Rev. | Document Name<br>(Type)                                  | Preparer   | Independent<br>Reviewer | DVR No.        |
|--------------|------|----------------------------------------------------------|------------|-------------------------|----------------|
| 5G8HC110     |      | Specification                                            | N. Umemura | T. Yonaha               | FC51-0904-1018 |
|              | 1    |                                                          | N. Umemura | T. Yonaha               | FC51-0904-1249 |
|              |      | LVPS module Design<br>Specification<br>(HNS0500 Series ) | N. Umemura | T. Yonaha               | FC51-0904-1019 |
| 5G8HC111     | 1    |                                                          | N. Umemura | T. Yonaha               | FC51-0904-1250 |

Table 7-1 Module Design Specifications Reviewed (Cont'd)

The NICSD IV&V Team reviewed whether the MDSs documented the detailed design in a complete, accurate, and consistent manner.

This subsection provides brief details of the PBDA Module Design Specification as an example, and summaries of the other module specifications.

#### 7.2.1.1 PBD Module Design Specifications

Figure 7-1 and Figure 7-2 are a remake of the flow chart of the PBD algorithm of the PBDA module. The flow chart was slightly modified for better understanding. For each OPRM cell, the PBD algorithm defines



Figure 7-1 PBDA Algorithm Flow Chart (Part 1)


Figure 7-2 PBD Algorithm Flow Chart (Part 2)


]<sup>a,c</sup> ] and

Section

The PBD module design implements the PBD algorithm using the FPGAs. In addition, the PBD MDS describes the fifthe 
The PBD module design used the same PC boards as the AGRD module, and the AGCELIF FPGA is used in the AGRD module.

#### 7.2.1.2 Summaries of Other Module Design Specifications

(1) CELL Module Design Specification

The CELL module receives 52 LPRM levels from the four LPRM units every millisecond, and applies a first 2-pole Butterworth filter to each LPRM level to reduce high frequency noise. The CELL module assigns the 52 LPRM levels to the 44 OPRM cells. To most OPRM cells, four LPRM levels are assigned. The CELL module calculates an average flux for each OPRM cell, and applies a second Butterworth filter on each average flux to calculate a time averaged flux. A Normalized Oscillation Signal is obtained by dividing the average flux by the time averaged flux for each OPRM cell.

The CELL module sends the Normalized Oscillation Signals to the AGRD, PBD, and DAT/ST modules. In addition, the CELL module determines whether the rated power and the core flow satisfy the OPRM automatic bypass condition using the APRM and FLOW levels received from the APRM unit.

The CELL MDS assigned FPGAs for the functions. The FPGAs used in the CELL module were named in the form "CELxxxx."
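The CELL module calculation described above, sketched in software as an added example (not code from this document or from the vendor; the actual module implements the calculation in FPGAs). The cutoff frequencies, the LPRM and cell identifiers, the cell assignments, and returning `None` when the time averaged flux is not positive are assumptions made for illustration; the page gives only the 1 ms sample period and the order of the steps.

```python
import math

FS_HZ = 1000.0  # from the page: LPRM levels arrive every millisecond


class Butterworth2:
    """2-pole low-pass Butterworth filter (bilinear transform, direct form I)."""

    def __init__(self, cutoff_hz, initial):
        k = math.tan(math.pi * cutoff_hz / FS_HZ)
        norm = 1.0 / (1.0 + math.sqrt(2.0) * k + k * k)
        self.b0 = k * k * norm
        self.b1 = 2.0 * self.b0
        self.b2 = self.b0
        self.a1 = 2.0 * (k * k - 1.0) * norm
        self.a2 = (1.0 - math.sqrt(2.0) * k + k * k) * norm
        # Start settled at the first sample so there is no power-up transient.
        self.x1 = self.x2 = self.y1 = self.y2 = initial

    def step(self, x):
        y = (self.b0 * x + self.b1 * self.x1 + self.b2 * self.x2
             - self.a1 * self.y1 - self.a2 * self.y2)
        self.x2, self.x1 = self.x1, x
        self.y2, self.y1 = self.y1, y
        return y


def normalized_oscillation_signals(samples, cell_map,
                                   noise_cutoff_hz=5.0, average_cutoff_hz=0.05):
    """Return one {cell_id: signal} dict per 1 ms sample.

    samples  : list of {lprm_id: level}, one dict per millisecond
    cell_map : {cell_id: [lprm_id, ...]} (assignment of LPRMs to OPRM cells)
    Both cutoff frequencies are assumed values, not taken from the page.
    A cell whose time averaged flux is not positive yields None instead of
    dividing by zero (assumed handling of dead or failed inputs).
    """
    first = samples[0]
    # First filter: one noise filter per LPRM level.
    noise = {lprm: Butterworth2(noise_cutoff_hz, first[lprm]) for lprm in first}
    # Second filter: one slow filter per cell, producing the time averaged flux.
    averager = {}
    for cell, lprms in cell_map.items():
        start = sum(first[l] for l in lprms) / len(lprms)
        averager[cell] = Butterworth2(average_cutoff_hz, start)

    out = []
    for sample in samples:
        filtered = {lprm: noise[lprm].step(level) for lprm, level in sample.items()}
        row = {}
        for cell, lprms in cell_map.items():
            average_flux = sum(filtered[l] for l in lprms) / len(lprms)
            time_averaged = averager[cell].step(average_flux)
            row[cell] = average_flux / time_averaged if time_averaged > 0.0 else None
        out.append(row)
    return out


# Constructed cell assignment: one four-detector cell and one two-detector cell.
CELL_MAP = {"cell-1": ["L1", "L2", "L3", "L4"], "cell-2": ["L5", "L6"]}


def constructed_samples(seconds, amplitude, freq_hz, base=50.0):
    """Constructed input: L1-L4 oscillate in phase around `base`, L5-L6 stay flat."""
    samples = []
    for n in range(int(seconds * FS_HZ)):
        swing = base * (1.0 + amplitude * math.sin(2.0 * math.pi * freq_hz * n / FS_HZ))
        samples.append({"L1": swing, "L2": swing, "L3": swing, "L4": swing,
                        "L5": base, "L6": base})
    return samples


if __name__ == "__main__":
    signals = normalized_oscillation_signals(
        constructed_samples(seconds=30, amplitude=0.10, freq_hz=0.5), CELL_MAP)
    tail = signals[15000:]
    print("cell-1 peak:", max(r["cell-1"] for r in tail))
    print("cell-2 peak:", max(r["cell-2"] for r in tail))
```

Because the slow second filter removes almost all of the oscillation from the denominator, a 10 % in-phase flux swing shows up as a signal swinging about 10 % around 1.0, while a steady cell stays at 1.0.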

#### (2) AGRD Module Design Specification

The AGRD module receives the 44 Normalized Oscillation Signals from the CELL module, and monitors the power oscillation for each cell using the ABA and GRA algorithms. If one or more cells fulfill specific conditions based on the algorithms, the AGRD module generates an ABA trip signal or a GRA trip signal. The AGRD module also transmits the intermediate AGRD calculation data to the DAT/ST module.

The AGRD MDS assigned FPGAs for the functions. The FPGAs used in the AGRD module were named in the form "AGxxxx."

#### (3) DAT/ST Module Design Specification

The DAT/ST module multiplexes the received data from the CELL, AGRD, and PBD modules and sends them to the TRN module. The DAT/ST module also displays the OPRM Minor Failure, Input Data Failure, LVPS Module Power Supply Failure, and APRM Unit Data Selection status signals on the front panel.

The DAT/ST MDS assigned FPGAs for the functions. The FPGAs used in the DAT/ST module were named in the form "DTxxxx."

#### (4) TRN Module Design Specification

The TRN module sends the data from other modules in the OPRM unit to external equipment through fiber optic links. For the OPRM qualification, the TRN module has been modified from the TRN module qualified in the NRW-FPGA-Based PRM System Qualification Project.

The TRN MDS assigned FPGAs for the functions. The FPGAs used in the TRN module were named in the form "TRNxxxx."

#### (5) RCV Module Design Specification

The RCV module receives data from external equipment through fiber optic links, and provides the data to other modules in the unit. For the OPRM qualification, the RCV module has been modified from the RCV module qualified in the NRW-FPGA-Based PRM System Qualification Project.

The RCV MDS assigned FPGAs for the functions. The FPGAs used in the RCV module were named in the form "RCVxxxx."

#### (6) DIO Module Design Specification

The DIO module has 16 relay contact outputs and 4 channel voltage inputs. The DIO module was qualified in the NRW-FPGA-Based PRM System Qualification Project.

#### (7) LVPS Module Design Specification

The LVPS module is a plug-in type unit power supply that receives AC or DC power and supplies DC power to the other modules in the unit. The LVPS module was qualified in the NRW-FPGA-Based PRM System Qualification Project.

#### 7.2.1.3 Result of Module Design Specification Reviews

After reviewing the first revisions of those MDSs, the NICSD IV&V Team considered that the MDSs documented the module design in a complete, accurate, and consistent manner except for some typos and unclear descriptions. The IV&V Team did not find any significant issues that required any design change. The NICSD IV&V Team made \_\_\_\_\_\_\_ comments in total, requesting PPDD to revise the MDSs. PPDD revised the MDSs. The NICSD IV&V Team confirmed that all the comments were resolved in the revised MDSs. The NICSD IV&V Team concluded that all MDSs were acceptable.

#### 7.2.2 FPGA Design Specification Reviews

The NICSD IV&V Team reviewed the FPGA Design Specifications listed in Table 7-2. Since FPGA Design Specifications were PPDD documents, the IV&V Team performed the reviews for the revisions that PPDD submitted to NICSD.

#### **Table 7-2 FPGA Design Specifications Reviewed**

| Document<br>No. | Rev. | Document Name | Prepared by | Independent<br>Reviewer | DVR No. |
|-----------------|------|---------------|-------------|-------------------------|---------|

The NICSD IV&V Team reviewed whether … detailed design in a complete, accurate, and consistent manner. The … and [ ]FPGAs were already qualified for the PRM systems. PPDD updated the design for these three FPGAs to add the references to new documents in this project, and to … NICSD IV&V Team co…

… subsections describe summaries of the FPGA Design Specifications that the NICSD …

#### (6) [ ]FPGA Design Specification

The [ ] FPGA [ ]

#### (7) [ ] FPGA Design Specification

The [ ] FPGA [ ]

The OPRM design uses the same fixed data frame format to transmit data frames between the FPGAs as the format to transmit data frames between the modules or units. Each data frame contains [ ] bits of data or [ ] channels of data, and is transmitted at a [ ] megahertz frequency. Because one set of the OPRM Calculation Data is too large to be contained in one data frame, the [ ] FPGA divides one set of the OPRM Calculation Data into [ ] sequential data frames. [ ] FPGA uses the accompanying DP-SRAM to save the collected data temporarily.

#### (8) [ ] FPGA Design Specification

The [ ] FPGA [ ]


#### 7.2.2.7 Result of FPGA Design Specification Reviews

### 7.3 Results of FE Document and Software Tool Control Checks

The NICSD IV&V Team checked the FE documents and the software tool control of PPDD in accordance with Section 5.8 of the NICSD VVP (Reference (17)).

(1) Documentation for the FEs including FE test reports

This project uses the FEs that have already been qualified in the NRW-FPGA-Based PRM System Qualification Project. The FE document check was carried out, and the NICSD confirmed that no changes had been made to those FEs. The NICSD IV&V Team confirmed that the FE Control Sheet numbers and revisions in the FPGA Design Specifications were the same as those in the PPDD-controlled FE Library. The FE Control Sheets referred to the FE Specifications, FE Test Procedures, FE Test Reports, and FE source code. The NICSD IV&V Team confirmed that those documents were controlled in accordance with the PPDD procedure E-68019 "PPDD Procedural Standard for FPGA Configuration Management" (Reference (48)).

(2) Control of FE library and software tools

• Control of FE library

Through the FE document review, the NICSD IV&V Team confirmed that no change had been made to the PPDD's FE Library. PPDD appropriately performed FE development and configuration control in accordance with the PPDD procedure E-68018 "PPDD Procedural Standard for Functional Element Development" (Reference (51)) and E-68019, and these documents were registered in the

The NICSD IV&V Team confirmed that PPDD had prepared the FE Control Sheets, and appropriately performed configuration control of the FE library.

• Control of Software tools

Through document reviews, the NICSD IV&V Team confirmed that PPDD appropriately controlled software development tools in accordance with PPDD procedure E-68020 "PPDD Procedural Standard for Control of Software Tools Used with FPGA Based Systems" (Reference (50)). The NICSD IV&V Team confirmed that the tools were the same versions as those used in the NRW-FPGA-Based PRM System Qualification Project, except for Silicon Sculptor. The Silicon Sculptor software tool was upgraded to v5.14.2 from v4.55, which was used in the NRW-FPGA-Based PRM System Qualification Project. The NICSD and the PPDD decided to upgrade the tool after evaluating the information from Microsemi and judging that the upgrade would improve the reliability of FPGAs. The NICSD IV&V Team reviewed the evaluation result and judged it acceptable.

Table 7-3 lists the Software Tool Information Sheets that identify the software tool names, tool numbers, and their licenses. Table 7-4 lists the Installation Verification Sheets that record the software tool installations on the PCs.

The NICSD IV&V Team confirmed that the installation information was appropriate.

| No | Software Tool Name | Software Tool Version | Sheet No.      | Rev. |
|----|--------------------|-----------------------|----------------|------|
| 1  | Libero IDE         | V6.3                  | FDTC-05-0013-M | 3    |
| 2  | Silicon Sculptor   | V5.14.2               | FDTC-12-0001-M | 1    |
| 3  | ModelSim® SE PLUS  | 6.0b                  | FDTC-05-0015-M | 2    |
| 4  | PinPort192         | V2                    | FDTC-05-0016-M | 3    |

#### **Table 7-3 Software Tool Information Sheets**

#### **Table 7-4 Installation Verification Sheets**

| No | PC Equipment<br>Control No. | PC OS | Software Tool Name | Software Tool Version | Installation Verification Sheet No. | Rev. |
|----|-----------------------------|-------|--------------------|-----------------------|-------------------------------------|------|

### 7.4 Design Phase RTM Efforts

(1) Preparation of RTM

PPDD developed the RTM based on the previous phase RTM (Reference (31)), tracing the requirements from the OPRM Unit DDS (Reference (29)) to the MDSs, and from the MDSs to the FPGA Design Specifications. The NICSD SD Team issued a snapshot of the developed RTM as FC51-3704-1104 "Nuclear Instrumentation & Control Systems Department Design Phase Requirements Traceability Matrix for Oscillation Power Range Monitor (OPRM)" (NICSD RTM (Design Phase)) (Reference (37)). See Appendix C for an example of the Design Phase RTM.

(2) Compilation of the Design Phase RTM Report

The NICSD IV&V Team documented the RTM review result in FC51-3704-1105 "Nuclear Instrumentation & Control Systems Department Design Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)" (RTM Report (Design Phase)) (Reference (38)).

Through the review of the RTM for this phase, the NICSD IV&V Team checked whether all the requirements in the Unit DDS were traced to the MDS, and the specifications in the MDS were traced back to the Unit DDS; all the requirements in the MDSs were traced to the FPGA Design Specifications, and the specifications in the FPGA Design Specifications were traced back to the MDSs.

The NICSD IV&V Team made four comments, noting that the traceability of some requirements was not clear enough. However, the NICSD IV&V Team evaluated that these comments on the RTM were minor and would have minimal impact on design specifications and design activities in the next phase.

Through the review of the RTM for this phase, the NICSD IV&V Team concluded as follows:

- Except for the above four comments, the requirements for the Unit DDS have been adequately incorporated in each MDS, and the requirements for each MDS have been adequately incorporated in each FPGA Design Specification.
- These comments should be controlled as open items to be resolved in the next Phase.
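The bidirectional trace check described in this section (Unit DDS to MDS to FPGA Design Specification, and back) can be expressed as a small script. This is an added illustration, not NICSD or PPDD tooling; the `RTM` class, the finding names, and all requirement IDs are constructed assumptions.

```python
"""Bidirectional traceability check over a three-level RTM (constructed data)."""
from dataclasses import dataclass, field

# Document levels named in this section, in top-down order.
LEVELS = ("DDS", "MDS", "FPGA")


@dataclass
class RTM:
    # items[level] -> set of requirement/specification IDs (assumed unique overall)
    items: dict = field(default_factory=lambda: {lvl: set() for lvl in LEVELS})
    # links -> set of (upper_id, lower_id) trace pairs
    links: set = field(default_factory=set)

    def add(self, level, *ids):
        self.items[level].update(ids)

    def trace(self, upper_id, lower_id):
        self.links.add((upper_id, lower_id))


def review(rtm):
    """Return a sorted list of (kind, detail) findings to track as open items."""
    findings = []
    level_of = {i: lvl for lvl in LEVELS for i in rtm.items[lvl]}

    # 1. Validate each link: both ends must exist and sit on adjacent levels.
    valid = []
    for upper_id, lower_id in rtm.links:
        up, low = level_of.get(upper_id), level_of.get(lower_id)
        if up is None or low is None:
            findings.append(("dangling_link", f"{upper_id}->{lower_id}"))
        elif LEVELS.index(low) - LEVELS.index(up) != 1:
            findings.append(("non_adjacent_link", f"{upper_id}->{lower_id}"))
        else:
            valid.append((upper_id, lower_id))

    # 2. For each adjacent pair of levels, check both directions.
    for upper, lower in zip(LEVELS, LEVELS[1:]):
        pairs = [(u, l) for u, l in valid if level_of[u] == upper]
        traced_down = {u for u, _ in pairs}
        traced_up = {l for _, l in pairs}
        # Forward: every upper-level requirement must reach the lower document.
        for item in rtm.items[upper] - traced_down:
            findings.append(("untraced_forward", item))
        # Backward: every lower-level specification must trace back to a parent.
        for item in rtm.items[lower] - traced_up:
            findings.append(("untraced_backward", item))
    return sorted(findings)


def build_sample():
    """Constructed RTM with one defect of each kind."""
    rtm = RTM()
    rtm.add("DDS", "DDS-001", "DDS-002", "DDS-003")
    rtm.add("MDS", "MDS-TRN-01", "MDS-TRN-02", "MDS-RCV-01")
    rtm.add("FPGA", "FDS-A-01", "FDS-A-02", "FDS-B-01")
    rtm.trace("DDS-001", "MDS-TRN-01")
    rtm.trace("DDS-002", "MDS-TRN-02")
    rtm.trace("MDS-TRN-01", "FDS-A-01")
    rtm.trace("MDS-TRN-02", "FDS-A-02")
    rtm.trace("MDS-RCV-01", "FDS-B-01")
    rtm.trace("MDS-TRN-01", "FDS-Z-99")  # points at an ID no document defines
    rtm.trace("DDS-003", "FDS-B-01")     # skips the MDS level
    return rtm


if __name__ == "__main__":
    for kind, detail in review(build_sample()):
        print(f"{kind:18s} {detail}")
```

A link that skips a level does not count as coverage, so `DDS-003` is reported both as a non-adjacent link and as untraced forward.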

### 7.5 Result of Security Review

The NICSD IV&V Team carried out a security review as planned in Section 5.4.4 of the NICSD VVP (Reference (17)) as a V&V activity in the Design Phase. The security review was performed in accordance with the "Cyber Security Procedure of Safety Related Digital System" NQ-2037 (Reference (10)) and the NICSD VVP. The NICSD IV&V Team checked the MDSs, FPGA Design Specifications, and security control implemented in PPDD through the review.

The NICSD IV&V Team held a security assessment meeting as a part of this security review, and confirmed that the following security requirements in NQ-2037 were satisfied:

(1) Access control to design deliverables

NQ-2037 requires access control of the design documents, codes, records, and any other design deliverables. PPDD stored their deliverables in the which are reported in Section 5.5.

The IV&V Team confirmed that PPDD designers were registered as authorized users of the

(2) Security control of personal computers

The NICSD IV&V Team checked whether the security of the PPDD's PCs was controlled in the same manner as the NICSD's PCs, as described in Section 5.5. The NICSD IV&V Team concluded that appropriate controls for PPDD PCs were implemented.

(3) Identification of digital safety system's weakness and vulnerability

The NICSD IV&V Team performed a security assessment to identify weaknesses and vulnerabilities of the OPRM as required by NQ-2037. The NICSD IV&V Team reviewed the MDSs and identified that:

- The OPRM uses non-rewritable FPGAs that prevent any logic change in the field;
- The OPRM MDSs require that all parameters of the OPRM are protected with key-lock switches.

Thus, the NICSD IV&V Team concluded that the OPRM design in the MDSs would appropriately protect the logic and parameters determining the safety functions.

(4) Remote-access control to digital safety system

NQ-2037 requires that no remote access to the digital safety system shall be provided. The NICSD IV&V Team reviewed the MDSs and identified that there was no remote access to the modules for the OPRM unit, and that all the data transfers from the modules for the OPRM unit to external equipment systems were made through unidirectional communication paths.

(5) Control of development environment

The NICSD IV&V Team confirmed that:

Thus, the NICSD IV&V Team concluded that the development environment was controlled appropriately from a security point of view.

### 7.6 Software Safety Analysis Report (SSAR) Review

The Design Phase SSAR was provided in an updating activity of the Design Phase, because the preparation of the SSAR was delayed. See Section 7.10.2.

### 7.7 Monitoring of Metrics

The NICSD IV&V Team monitored the same metrics as in Section 5.7 for the MDSs and the FPGA Design Specifications.

#### (1) Number of changes applied for the design documents

The NICSD IV&V Team counted the changes that had been applied to each revision of the MDSs and the FPGA Design Specifications for the types of changes defined in Section 5.7. Table 7-5 summarizes the metrics relating to the MDSs reviews.

A considerable number of changes were applied to the MDSs on which the NICSD IV&V Team performed the first review.

| Document Name | Correction | Additions | Others | Total |
|---------------|------------|-----------|--------|-------|
| 1st Review    |            |           |        |       |
| 2nd Review    |            |           |        |       |
| Total         |            |           |        |       |

#### Table 7-5 Numbers of Changes Applied to the MDS

Table 7-6 summarizes the metrics relating to the FPGA Design Specifications reviews. All FPGA Design Specifications were reviewed twice, and the FPGA Design Specifications for the [ ] were subject to a third review. Table 7-6 lists the numbers of changes applied to the FPGA Design Specifications for each type of change. Because the revisions receiving the second review reflected the comments made in the first review, it is reasonable that the numbers of changes to these revisions were large.

#### Table 7-6 Numbers of Changes Applied to FPGA Design Specifications

| Changes                | Corrections | Additions | Others | Total |
|------------------------|-------------|-----------|--------|-------|
| 1 <sup>st</sup> Review |             |           |        |       |
| 2 <sup>nd</sup> Review |             |           |        |       |
| 3 <sup>rd</sup> Review |             |           |        |       |
| Total                  |             |           |        |       |

#### (2) Number of open items carried to the next phase

[ ] open items were carried to the next phase. The items were:

- \[ \] open items related to the OPRM Unit User's Manual (Reference (30)), which had been carried from the previous phase.
- \[ \] item regarding absence of the SSAR described in Section 7.6.
- \[ \] items related to the Design Phase RTM efforts described in Section 7.4.

For the items related to the OPRM Unit User's Manual, the NICSD IV&V Team considered that they could not be resolved until the System Validation Testing Phase as described in 6.1.2.

#### (3) Number of open items closed in the current phase

Six of the \_\_\_\_\_\_ open items carried from the previous phase were closed. The closed open items were:

- \[ \] open items identified in the Project Planning and Concept Definition Phase RTM efforts.
- \[ \] open items related to the Requirements Definition Phase RTM efforts.
- \[ \] open item notified by a Vendor generated Document Check List (VDCL-IM-0014).

#### (4) Number of Site Corrective Action Requests (SCARs)

SCARs were issued in this phase as follows:

#### (5) Number of Site Nonconformance Notice Reports (SNNRs)

[ ] SNNRs, [ ], were issued in this phase. They were about methods of measuring the component mass.

#### (6) Number of problems found during V&V testing

No V&V testing was executed.

### 7.8 Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

The NICSD IV&V Team has not reviewed the SSAR, since it has not been prepared yet; the NICSD IV&V Team considers that there may be latent risks and they may affect the design of modules and FPGAs.

### 7.9 Conclusions of Design Phase V&V Activities

The NICSD IV&V Team confirmed that NICSD V&V activities had been performed in accordance with the NICSD VVP, and concluded that the NICSD V&V activities for the Design Phase were completed in an acceptable manner except for the review of the SSAR.

The NICSD IV&V Team confirmed that open items remained in the Design Phase V&V activities as reported in Section 7.7.

For the open items other than the one regarding the SSAR, the NICSD IV&V Team considered that they would have minimal effect in the next phase as long as these open items are notified to the engineers.

### 7.10 Updating of Design Phase V&V Activities

This subsection describes the updating of the Design Phase activities.

#### 7.10.1 Updated Documents Reviews

Some documents were updated or newly prepared after the Design Phase was completed. Table 7-7 lists the reviewed documents including the SSAR. PPDD newly prepared the FPGA Specifications for these three new FPGAs to implement a Cyclic Redundancy Check (CRC) of the transmitted data. The [ ] FPGAs would replace the [ ] in the previous design. The CRC achieves a higher level of data checking.

For the SSAR, see Section 7.10.3. These documents were reviewed and approved in the same manner as in the Design Phase.

In the reviews, the NICSD IV&V Team did not find any problem that could change the conclusion of the Design Phase.

| (Project)<br>Document No. | Rev. | Document Name                                       | Preparer    | Independent<br>Reviewer | DVR No.        |
|---------------------------|------|-----------------------------------------------------|-------------|-------------------------|----------------|
| FC51-3704-1101            | 0    | Software Safety Analysis Report                     | M. Tomitaka | T. Yonaha               | FC51-0904-1100 |
| FC51-3704-1101            | 1    | Software Safety Analysis Report                     | M. Tomitaka | H. Kitazono             | FC51-0904-1422 |
| FC51-3704-1101            | 2    | Software Safety Analysis Report                     | M. Tomitaka | K. Kasai                | FC51-0904-1448 |
| 509110100                 | 2    | TRN module Design Specification<br>(HNS0531 Series) | N. Umemura  | K. Kasai                | FC51-0904-1369 |
| 5G8HC108                  | 3    | TRN module Design Specification<br>(HNS0531 Series) | N. Umemura  | T. Yonaha               | FC51-0904-1380 |
| 500110100                 | 2    | RCV module Design Specification<br>(HNS0541 Series) | N. Umemura  | K. Kasai                | FC51-0904-1381 |
| 5G8HC109                  | 3    | RCV module Design Specification<br>(HNS0541 Series) | N. Umemura  | K. Kasai                | FC51-0904-1388 |
| 5G8HC110                  | 2    | DIO module Design Specification<br>(HNS0520 Series) | N. Umemura  | K. Kasai                | FC51-0904-1447 |

#### Table 7-7 Documents Reviewed


#### 7.10.2 RTM Efforts

PPDD revised the RTMs, after revising the design documents. The NICSD IV&V Team reviewed the RTMs, and issued Revision 4 of RTM Report (Design Phase) (Reference (38)). The NICSD IV&V Team concluded in the report that there was no open item in the RTM efforts for this Design Phase.

#### 7.10.3 Software Safety Analysis Report (SSAR) Review

The NICSD IV&V Team reviewed FC51-3704-1101 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Design Phase)" (NICSD SSAR (Design Phase)) (Reference (42)).

The NICSD IV&V Team reviewed and evaluated the NICSD SSAR. The NICSD SSAR was summarized as follows:

- The NICSD Software Safety Team performed an FMEA based on the design information in the Module Design Specifications and the FPGA Design Specifications. The NICSD Software Safety Team revealed possible CCFs which may cause the top event "OPRM does not generate a trip signal to RPS when required." Through the examination and analysis of the FPGA logic, the NICSD Software Safety Team determined that the following FPGAs and their failure modes were hazards to be addressed in the later phases.
- Though some risks due to the failure modes remained in this phase, the NICSD Software Safety Team expected that evaluation of the FPGA implementation process, including coding, logic synthesis, place and route, and appropriate test activities, would make these failure modes unlikely, and reduce the risks to an acceptable level.
- The CELL module has EPROMs containing the constants of the Butterworth filters, see Section 7.2.1.2. A failure in the EPROMs can cause an incorrect Normalized Oscillation Signal that may lead to loss of one division trip function. Though the CELL module is not equipped with any error detection measure, it is unlikely that the EPROMs in more than two CELL modules in the three or four trip channels fail simultaneously. In addition, this EPROM failure will be detected in a surveillance, which enters appropriate test inputs to the OPRM unit and checks the response. The NICSD SD Team should revise the OPRM Unit User's Manual to include a method to check the soundness of the Normalized Oscillation Signal calculation function. Further analysis on this EPROM failure is not necessary.

The NICSD IV&V Team agreed with the conclusions of the NICSD SSAR, and concluded that the NICSD SSAR for the Design Phase was acceptable, and concluded that all activities planned for the Design Phase were completed.

#### 7.10.4 Conclusion of Update

The NICSD IV&V Team confirmed that the update activities of the Design Phase were performed in accordance with the NICSD VVP (Reference (17)).

The NICSD IV&V Team concluded that the Design Phase V&V activities were completed.

# 8. Implementation and Integration Phase V&V Activities

The Implementation and Integration Phase activities were performed in the same manner described in Attachment-4 of the NRW-FPGA-Based PRM System Qualification Project Verification and Validation Final Report (Reference (44)) (PRM VVR). The Implementation and Integration Phase activities are divided into the following steps.

Step (1): VHDL Source Coding

PPDD design engineers coded the FPGA design into VHDL source code.

Step (2): FPGA Implementation

The VHDL source codes were compiled into gate-level Netlists by the Synplify<sup>®</sup> tool.

Step (3): FPGA Testing

PPDD design engineers tested the design using simulation tools, and then tested the logic in FPGA chips using the PinPort device and ModelSim<sup>®</sup> tool.

The NICSD IV&V Team performed the Implementation and Integration Phase V&V activities in accordance with the NICSD VVP (Reference (17)).

# 8.1 VHDL Source Code Reviews

PPDD generated VHDL source code that implemented the functional requirements written in the FPGA Design Specifications in accordance with E-68017 "PPDD Procedural Standard for FPGA Device Development" (Reference (45)). The NICSD IV&V Team performed source code reviews for the FPGAs described in Section 7.2.2 except the FPGAs, which had been qualified in the NRW-FPGA-Based PRM System Qualification Project. In accordance with the Code Review Guide (Reference (46)), the NICSD IV&V Team checked for the following items:

• Use of FE Design (Maintenance of Hierarchical Structure)

The NICSD IV&V Team checked that the option of the Synplify<sup>®</sup> tool was set so as to maintain the hierarchical structures in which the FEs were connected. This is a requirement in Appendix A of E-68017.

• Synchronous Design

Synchronous design is applied to all FPGA designs. To check the adequacy of the synchronous design applied to each FPGA design, the NICSD IV&V Team checked the static timing analysis report files of the Microsemi Designer tool, and confirmed that the maximum possible operating frequency calculated by the Designer tool satisfied the timing constraints specified in Appendix A of E-68017. Dynamic timing simulation was performed in the FPGA Testing as reported in Section 8.6.

• Interface check between FPGAs

The NICSD IV&V Team checked that the interface requirements described in the FPGA Design Specification were adequately implemented in the FPGA design. The interface check included the following items as specified in Form 2 of E-68017:

(1) All the input pins were connected on a Printed Circuit Board (PCB) where an FPGA was to be used, i.e., those pins shall not be open.

(2) The slew rate of all the output pins was set to low, as confirmed by reviewing the FPGA pin report.

(3) Unused I/O pins were set as zero output pins, or set according to the designer's intent.

• Warnings of Software Tools

The NICSD IV&V Team checked the warning messages recorded in the log files of the Synplify<sup>®</sup> and Designer tools. The detailed check result was reported in Section 8.2.

• Equations, algorithms, and control logic

The NICSD IV&V Team checked that the equations, algorithms, and control logic defined in the FPGA Design Specifications were correctly implemented in the VHDL using FEs through the review of the netlist viewer check result. The NICSD IV&V Team verified that each block diagram in the FPGA Design Specifications corresponded to a block diagram generated by the Netlist Viewer from the netlist.

• Constraint

Section 14.5.1 of the NICSD SMP required a check that any restrictions imposed by the FPGA Design Specifications were adequately addressed in the design output code for the FPGA. The NICSD IV&V Team did not find any specific restrictions on the FPGA logic in the FPGA Design Specifications.

• Software operation within requirement constraints

Section 14.5.1 of the NICSD SMP required a check that any constraints described in the FPGA Design Specifications were adequately addressed in the design output code in the FPGA. The NICSD IV&V Team did not find any specific constraints for the FPGA logic in the FPGA Design Specifications.

• Conformance to Coding Guideline

The NICSD IV&V Team checked that VHDL source code conformed to Appendix A.4 Naming of VHDL, Appendix A.5 Grammar of VHDL, and Appendix A.6 Construction of Functional Block by the Connection of FEs of E-68017.

The NICSD IV&V Team assembled the results of the code reviews performed for the FPGAs in the Source Code Review Sheet (Reference (47)), and concluded that the source code files were acceptable.

# 8.2 Logic Synthesis and Layout Verification

The PPDD engineers used the Synplify<sup>®</sup> tool to synthesize the netlist from VHDL source code. Each netlist was stored in an Electronic Design Interchange Format (EDIF) file. For each FPGA, the Designer tool compiled a number of netlist files, determined a circuit design by placing and routing logic elements in the FPGA, and produced a fusemap including the circuit design. The fusemap can be directly embedded in the FPGA. The FEs and macros were merged in the fusemap by the Designer tool.

The NICSD IV&V Team checked the log files produced by the software tools. These checks were performed to confirm that the PPDD design engineers used the software tools in an appropriate manner, and did not ignore any warnings reported by the software tools without due consideration.

(1) Log files produced by Synplify<sup>®</sup> tool

The Synplify<sup>®</sup> tool converts the VHDL source code to the gate-level netlist by synthesizing the logic. The Synplify<sup>®</sup> tool makes a log file including coded errors and warnings each time it synthesizes the logic. The log file recorded the error messages beginning with "@E," the warning messages beginning with "@W," and the notice messages beginning with "@N." The notice messages only report the progress of internal processing, and can be ignored. The NICSD IV&V Team did not find any error message.
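The log check described above can be automated as a first pass before the manual evaluation. The following is an added example, not code from the report or from PPDD: it sorts log lines by the "@E", "@W" and "@N" prefixes, builds a per-code summary of which FPGAs produced each warning, and lists warning codes that have no recorded evaluation. The line layout after the prefix (a message code, a location, then `|` and the text), the FPGA names, the message codes and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

SEVERITY = {"E": "error", "W": "warning", "N": "notice"}

# Assumed layout: '@W: CODE :"file":line:col:line:col|message text'.
# Only the @E/@W/@N prefixes come from the report; the rest is an assumption.
PREFIX_RE = re.compile(r"^@([EWN])\s*:\s*(.*)$")
CODE_RE = re.compile(r"^([A-Z]{2}\d+)\s*:?\s*(.*)$")

# Constructed sample logs, one per FPGA (names and codes are hypothetical).
SAMPLE_LOGS = {
    "FPGA_A": '''\
Synthesis run started
@N: XX001 :"top.vhd":10:7:10:9|Top entity is set to top
@W: XX101 :"filter.vhd":42:4:42:9|Input test_in is unused
@W: XX102 :"top.vhd":88:2:88:5|Net gnd_net tied to GND
''',
    "FPGA_B": '''\
@W: XX101 :"io.vhd":17:4:17:9|Input spare_in is unused
@W: XX103 :"io.vhd":30:1:30:8|Latch generated for signal hold
''',
}

# Constructed evaluation records: warning code -> reviewer's justification.
SAMPLE_EVALUATIONS = {
    "XX101": "Spare input reserved by design; no effect on logic.",
    "XX102": "Intentional tie-off of unused input.",
}


def parse_line(line):
    """Return (severity, code, text) for a tool message, or None otherwise."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        return None
    sev, rest = m.group(1), m.group(2)
    c = CODE_RE.match(rest)
    code, rest = (c.group(1), c.group(2)) if c else ("UNCODED", rest)
    text = rest.split("|", 1)[1] if "|" in rest else rest
    return SEVERITY[sev], code, text.strip()


def triage(logs, evaluations):
    """Summarize messages across FPGAs and flag warnings lacking an evaluation."""
    errors, notices = [], 0
    seen = defaultdict(lambda: {"fpgas": set(), "examples": []})
    for fpga, text in logs.items():
        for raw in text.splitlines():
            parsed = parse_line(raw)
            if parsed is None:
                continue  # banner or report text, not a coded message
            kind, code, msg = parsed
            if kind == "error":
                errors.append((fpga, code, msg))
            elif kind == "notice":
                notices += 1  # progress information only
            else:
                seen[code]["fpgas"].add(fpga)
                if msg not in seen[code]["examples"]:
                    seen[code]["examples"].append(msg)
    table = {
        code: {
            "fpgas": sorted(entry["fpgas"]),
            "examples": entry["examples"],
            "evaluation": evaluations.get(code, "").strip(),
        }
        for code, entry in sorted(seen.items())
    }
    unevaluated = [code for code, row in table.items() if not row["evaluation"]]
    return {"errors": errors, "notices": notices,
            "warnings": table, "unevaluated": unevaluated}


def acceptable(result):
    """True only when there are no errors and every warning code is evaluated."""
    return not result["errors"] and not result["unevaluated"]


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS, SAMPLE_EVALUATIONS)
    for code, row in summary["warnings"].items():
        print(code, row["fpgas"], row["evaluation"] or "NOT EVALUATED")
    print("acceptable:", acceptable(summary))
```

A blank justification counts as missing, so a warning code cannot pass the check merely by being listed.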

Table 8-1 summarizes the listed warning messages. All warning messages other than appeared in PRM VVR. All warning messages including for a second se

# Table 8-1 Summary of Synplify<sup>®</sup> Warning Messages

| Warning<br>Message<br>Code | Messages | FPGAs for which the message was generated | Evaluation |
|----------------------------|----------|-------------------------------------------|------------|

<sup>1</sup> GND: Ground

Note: Refer to Section 7.2.2 for FPGA names.

### (2) Log files produced by Designer tool

The Designer tool places and routes the logic in the netlists, and produces a fusemap file for each FPGA. The Designer tool produces a log file including errors and warning messages each time it produces the fusemap. Table 8-2 summarizes the warning messages. The NICSD IV&V team reviewed the warning messages to verify whether the tool was used in an appropriate manner. The NICSD IV&V Team concluded that all the messages were justified and had no effect on the place and route process.

#### Table 8-2 Summary of Designer Warning Messages

| Warning | Messages | FPGA | Evaluation |
|---------|----------|------|------------|

# 8.3 Signal Timing

Appendix A of the PPDD procedure E-68017 requires synchronous design, and that each output signal from a synchronous FE arrives at the next synchronous FE before the next clock signal with a percent margin of its minimum operating period. Table 8-3 lists the maximum operating frequencies and the minimum operating periods of A54SX32A and A54SX72A FPGAs used in the OPRM. The values in Table 8-3 were excerpted from "SX-A Family FPGAs Data Sheet" (Reference (52)).

Table 8-3 Timing Characteristics

| Device Type           | Maximum Operating<br>Frequency | Minimum Operating<br>Period | Referenced Table in<br>Datasheet |
|-----------------------|--------------------------------|-----------------------------|----------------------------------|
| A54SX32A (Std. Speed) | 238 MHz                        | 4.2 ns                      | Table 2-28                       |
| A54SX72A (Std. Speed) | 217 MHz                        | 4.6 ns                      | Table 2-35                       |


For example, signals in A54SX32A FPGA must arrive at each synchronous FE 4.2 × [ac]<sup>ac</sup> nanoseconds before the clock signal. PPDD performed timing analyses for the FPGAs. The NICSD IV&V Team evaluated the result of the analyses for each FPGA against this criterion. Table 8-4 summarized the result of the analyses.

Table 8-4 Result of Timing Analysis

| FPGA Name | Device<br>Type* | Minimum<br>Operating<br>Period (ns) | Actual clock<br>frequency<br>(MHz) | Permissible<br>propagation<br>delay (ns) | Reciprocal<br>of<br>permissible<br>propagation<br>delay (MHz) | Maximum<br>possible<br>operating<br>frequency<br>(MHz) | Acceptable?<br>Yes/No<br>(Yes=✓) |
|-----------|-----------------|-------------------------------------|------------------------------------|------------------------------------------|---------------------------------------------------------------|--------------------------------------------------------|----------------------------------|

\* Microsemi FPGA Device Type: 72 means SXA-72, 32 means SXA-32

\*\* Further timing analysis determined the FPGA operated correctly.

The evaluation was performed as follows:

(1) Calculate the permissible propagation delay from the minimum operating period and the actual clock frequency.

(2) Compare the reciprocal of the permissible propagation delay with the maximum possible operating frequency obtained from the Designer tool's static timing analysis reports.

The second type was further categorized, such as a case in which

The NICSD IV&V Team concluded that those paths of the FPGAs would operate correctly with a sufficient timing margin.
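The two evaluation steps above can be written out as follows. This is an added example, not taken from the report: it reads the criterion as permissible delay = actual clock period minus (margin × minimum operating period), and treats a design as acceptable when the maximum possible operating frequency from static timing analysis is at least the reciprocal of that delay. That reading, the `margin_fraction` of 0.5 (the report's percentage is not shown on this page), and the FPGA rows are assumptions of the example; only the minimum operating periods come from Table 8-3.

```python
from dataclasses import dataclass

# Minimum operating periods in ns, from Table 8-3 of the report.
MIN_PERIOD_NS = {"A54SX32A": 4.2, "A54SX72A": 4.6}

# Constructed rows: (FPGA name, device, actual clock MHz, STA maximum MHz).
SAMPLE_ROWS = [
    ("FPGA_A", "A54SX32A", 20.0, 35.0),
    ("FPGA_B", "A54SX72A", 20.0, 20.5),
]


@dataclass
class TimingResult:
    fpga: str
    permissible_delay_ns: float
    required_mhz: float      # reciprocal of the permissible delay
    sta_max_mhz: float       # maximum possible operating frequency from STA
    acceptable: bool


def permissible_delay_ns(device, clock_mhz, margin_fraction):
    """Step (1): clock period minus the guard band required before the clock edge."""
    if device not in MIN_PERIOD_NS:
        raise ValueError(f"unknown device type: {device}")
    if clock_mhz <= 0 or margin_fraction < 0:
        raise ValueError("clock frequency must be positive and margin non-negative")
    period_ns = 1000.0 / clock_mhz
    guard_ns = MIN_PERIOD_NS[device] * margin_fraction
    delay_ns = period_ns - guard_ns
    if delay_ns <= 0:
        # The clock is so fast that the guard band alone uses up the whole period.
        raise ValueError("guard band exceeds the clock period; criterion cannot be met")
    return delay_ns


def evaluate(fpga, device, clock_mhz, sta_max_mhz, margin_fraction):
    """Step (2): compare 1/permissible delay with the STA maximum frequency."""
    delay_ns = permissible_delay_ns(device, clock_mhz, margin_fraction)
    required_mhz = 1000.0 / delay_ns
    return TimingResult(fpga, delay_ns, required_mhz, sta_max_mhz,
                        sta_max_mhz >= required_mhz)


def screen(rows, margin_fraction):
    """Evaluate every row; rows that fail need further timing analysis."""
    return [evaluate(fpga, dev, clk, fmax, margin_fraction)
            for fpga, dev, clk, fmax in rows]


if __name__ == "__main__":
    for res in screen(SAMPLE_ROWS, margin_fraction=0.5):
        verdict = "acceptable" if res.acceptable else "needs further analysis"
        print(f"{res.fpga}: permissible {res.permissible_delay_ns:.1f} ns, "
              f"required {res.required_mhz:.2f} MHz, "
              f"STA max {res.sta_max_mhz:.1f} MHz -> {verdict}")
```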

# 8.4 Netlist Inspection

The NICSD IV&V Team inspected the netlists by comparing the original VHDL files with the logic diagrams generated from the netlists by the Netlist Viewer tool, to verify the correctness of the conversion. In the comparison, the FE interfaces were checked.

The NICSD IV&V Team performed the netlist inspections for the FPGAs in the same manner as reported in Section 3.1.3 of the Attachment 4 of PRM VVR (Reference (44)) of the NRW-FPGA-Based PRM System Qualification Project.

For each FPGA, the NICSD IV&V Team prepared VHDL source code, and logic diagrams produced by the Netlist Viewer tool. The source code and the logic diagrams were organized in the same hierarchical structure. The reviewers went down the hierarchy comparing the VHDL source code with the corresponding logic diagram from the top-level to the bottom-level, where the FEs were placed.

At each level of the hierarchy, the reviewers compared the following items between the VHDL source code and the logic diagrams:

Like the NRW-FPGA-Based PRM System Qualification Project, the NICSD IV&V Team found cases in which no obvious correspondence between the VHDL source code and the logic diagrams was identified. The cases were (a) insertion of buffers to the input and output signals, and (b) use of Microsemi's CM8 macro. The NICSD IV&V Team examined the above two cases, and concluded that there were appropriate correspondences in these cases.

The results of the netlist inspections were recorded in the Source Code Review Sheet (Reference (47)). The NICSD IV&V Team concluded that the VHDL source code for the FPGAs developed for the OPRM was converted correctly to the netlists.

# 8.5 Document Reviews

#### 8.5.1 FPGA Test Procedures Reviews

The NICSD IV&V Team reviewed the FPGA Test Procedures listed in Table 8-5, which were prepared by PPDD, in the same manner described in Section 5.3.

### Table 8-5 FPGA Test Procedures Reviewed

| Document<br>No. | Rev. | Document Name<br>(Type) | Preparer | Independent<br>Reviewer | DVR No. |
|-----------------|------|-------------------------|----------|-------------------------|---------|

### 8.5.2 FPGA Test Report Reviews

The NICSD IV&V Team reviewed the FPGA Test Reports listed in Table 8-6, which were prepared by PPDD.

The NICSD IV&V Team reviewed the FPGA Test Reports confirming:

- The tests have been appropriately performed according to the test procedures.
- The test results, including the toggle coverage, are acceptable.

#### Table 8-6 FPGA Test Reports Reviewed

| Document<br>No. | Rev. | Document Name<br>(Type) | Preparer | Independent<br>Reviewer | DVR No. |
|-----------------|------|-------------------------|----------|-------------------------|---------|

#### 8.5.3 Module Test Procedure Reviews

The NICSD IV&V Team reviewed the Module Test Procedures listed in Table 8-7, which were prepared by PPDD, in the same manner as described in Section 5.3.

| Document<br>No. | Rev. | Document Name<br>(Type)      | Preparer      | Independent<br>Reviewer | DVR No.        |
|-----------------|------|------------------------------|---------------|-------------------------|----------------|
| 5T8H7620        | 0    | CELL module Test Procedure   | Y. Haraguchi  | T. Yonaha               | FC51-0904-1251 |
| 5T8H7620        | 1    | CELL module Test Procedure   | Y. Haraguchi  | T. Yonaha               | FC51-0904-1263 |
| 5T8H7620        | 2    | CELL module Test Procedure   | Y. Haraguchi  | H. Kitazono             | FC51-0904-1270 |
| 5T8H7620        | 3    | CELL module Test Procedure   | Y. Haraguchi  | T. Yonaha               | FC51-0904-1333 |
| 5T8H7621        | 0    | AGRD module Test Procedure   | Y. Haraguchi  | T. Yonaha               | FC51-0904-1252 |
| 5T8H7621        | 1    | AGRD module Test Procedure   | Y. Haraguchi  | T. Yonaha               | FC51-0904-1264 |
| 5T8H7621        | 2    | AGRD module Test Procedure   | Y. Haraguchi  | T. Yonaha               | FC51-0904-1271 |
| 5T8H7622        | 0    | PBD module Test Procedure    | Y. Haraguchi  | H. Kitazono             | FC51-0904-1253 |
| 5T8H7622        | 1    | PBD module Test Procedure    | M. Yanagisawa | T. Yonaha               | FC51-0904-1272 |
| 5T8H7623        | 0    | DAT/ST module Test Procedure | M. Yanagisawa | T. Yonaha               | FC51-0904-1248 |
| 5T8H7623        | 1    | DAT/ST module Test Procedure | M. Yanagisawa | T. Yonaha               | FC51-0904-1265 |
| 5T8H7623        | 2    | DAT/ST module Test Procedure | M. Yanagisawa | T. Yonaha               | FC51-0904-1273 |
| 5T8H7021        | 8    | TRN module Test Procedure    | M. Yanagisawa | T. Yonaha               | FC51-0904-1246 |
| 5T8H7021        | 9    | TRN module Test Procedure    | M. Yanagisawa | T. Yonaha               | FC51-0904-1274 |
| 5T8H7022        | 11   | RCV module Test Procedure    | Y. Haraguchi  | T. Yonaha               | FC51-0904-1247 |
| 5T8H7022        | 12   | RCV module Test Procedure    | Y. Haraguchi  | H. Kitazono             | FC51-0904-1275 |

#### Table 8-7 Module Test Procedures Reviewed

#### 8.5.4 Other Documents

The NICSD IV&V Team reviewed the SSAR listed in Table 8-8 in the same manner as described in Section 5.3. For the SSAR, see Section 8.10.

| Project<br>Document No. | Rev. | Document Name<br>(Abbreviated<br>document title) | Preparer    | Independent<br>Reviewer | DVR No.        |
|-------------------------|------|--------------------------------------------------|-------------|-------------------------|----------------|
| FC51-3704-1106          | 0    | Software Safety<br>Analysis Report               | M. Tomitaka | T. Yonaha               | FC51-0904-1256 |

#### Table 8-8 SSAR Reviewed

### 8.6 FPGA Testing

The FPGA Testing was performed in accordance with approved FPGA Test Procedures, which had been prepared by engineers who had not contributed to the FPGA design, in accordance with the PPDD procedure E-68017 (Reference (45)). The FPGA Test Procedures included:

- (1) Test Environment
- (2) Test Setup
- (3) Test Cases
- (4) Testing

The following sections explain the above items.

#### 8.6.1 Test Environment

A test environment similar to those described in Sections 3.2.1 and 3.2.2 of Attachment-4 of the PRM VVR (Reference (44)) was used for this project. The FPGA validation testing was divided into VHDL testing and FPGA testing.

The VHDL testing validates the fusemaps to be embedded in the product FPGAs by simulation using the ModelSim<sup>®</sup> tool. The ModelSim<sup>®</sup> tool simulated the FPGA behavior using the back-annotated timing information and the corresponding VHDL source code, which were generated by the Designer tool in the place and route process. Three sets of timing information data were prepared for

The FPGA testing used FPGA chips embedding the fusemaps. Each FPGA chip was mounted in the socket of the PinPort 192, which was connected to the PC containing the ModelSim<sup>®</sup> tool. The ModelSim<sup>®</sup> tool generated input signals for the same test cases as the VHDL testing, fed them into the FPGA through the PinPort device, and received the output signals from the FPGA. The received signals were recorded by the PC, and the tester compared them with their desired values to confirm whether the FPGA provided the required functions, by verifying each input to output against a predefined test pattern.

#### 8.6.2 Test Setup

The test equipment had been set up following the FPGA Test Procedures. The version numbers of the test equipment hardware and software were confirmed before testing.

#### 8.6.3 Test Cases and Procedures

PPDD developed test cases using the same approach as in the NRW-FPGA-Based PRM System Qualification Project, i.e., the test cases were developed so as to satisfy the following two conditions:

- All functional requirements for each FPGA are tested, and
- All non-static connections between FEs are toggled.

Prior to the FPGA testing by PPDD, the NICSD IV&V Team reviewed the FPGA Test Procedures listed in Table 8-5 to check the adequacy of the test cases.

Table 8-9 Example of [ ] FPGA Test Cases

[Table body not recoverable; the only surviving column heading is "Input Signals".]

The last row of Table [...] explained in Section [...] FPGA logic [...] test cases.

The other test cases for the PBSEQ [...] logic in the same manner [...]

#### 8.6.4 Testing

#### (1) Test Methods

The FPGA testing was performed in accordance with the approved FPGA Test Procedures. The testers were assigned so that each tester tested only FPGAs to whose design that tester had not contributed. The testers performed the VHDL testing first, and then performed the FPGA testing.

#### VHDL Testing

The testers performed the VHDL testing in the following order:

- Check the test configuration items; prepare the VHDL source code generated by the Designer tool during place and route.
- Check the test equipment, specifically, the test hardware serial numbers and test software version numbers.
- Perform the VHDL testing for the prepared test cases.
- Confirm the test results and the toggle coverage ratio, and fill in the test report.
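The toggle condition from Section 8.6.3 and the toggle coverage ratio confirmed in the last step above can be checked mechanically from a simulation dump. The Python below is an added example, not PPDD's or NICSD's tooling: it assumes a line-oriented VCD trace, assumes a bit counts as toggled only when both a 0->1 and a 1->0 transition were observed, and takes the set of static signals as an input; the trace and all signal names are constructed.

```python
"""Toggle-coverage check over a VCD trace (added example, constructed data)."""

# Constructed VCD dump for a hypothetical design; every name here is illustrative.
SAMPLE_VCD = """\
$scope module tb $end
$scope module dut $end
$var wire 1 ! clk $end
$var wire 1 % rst_n $end
$var wire 2 & sel [1:0] $end
$var wire 1 ( tie_gnd $end
$var wire 1 ) frame_err $end
$upscope $end
$upscope $end
$enddefinitions $end
#0
0!
0%
b00 &
0(
0)
#5
1!
1%
#10
0!
b1 &
#15
1!
b0 &
"""


def parse_vcd(text):
    """Parse a line-oriented VCD into ({id: (name, width)}, [(time, id, value)])."""
    signals, changes, scope, now = {}, [], [], 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        tok = line.split()
        if tok[0] == "$scope":
            scope.append(tok[2])
        elif tok[0] == "$upscope":
            scope.pop()
        elif tok[0] == "$var":          # $var <type> <width> <id> <name> ... $end
            signals[tok[3]] = (".".join(scope + [tok[4]]), int(tok[2]))
        elif line[0] == "#":            # timestamp
            now = int(line[1:])
        elif line[0] in "bB":           # vector change: b<bits> <id>
            changes.append((now, tok[1], tok[0][1:].lower()))
        elif line[0] in "01xXzZ":       # scalar change: <bit><id>
            changes.append((now, line[1:], line[0].lower()))
    return signals, changes


def extend(value, width):
    """Left-extend a shortened vector: pad with 0 unless the MSB is x or z."""
    return value.rjust(width, value[0] if value[0] in "xz" else "0")


def bit_names(name, width):
    """Bit labels, MSB first, assuming a descending [width-1:0] range."""
    return [name] if width == 1 else [f"{name}[{i}]" for i in reversed(range(width))]


def toggle_coverage(vcd_text, static=frozenset()):
    """Report which non-static bits saw both edges, and static nets that moved."""
    signals, changes = parse_vcd(vcd_text)
    seen = {label: set() for name, width in signals.values()
            if name not in static for label in bit_names(name, width)}
    last, static_moved = {}, set()
    for _, code, value in changes:
        if code not in signals:
            continue
        name, width = signals[code]
        value = extend(value, width)
        prev, last[code] = last.get(code), value
        if prev is None:
            continue
        flips = [(label, f"{a}->{b}")
                 for label, a, b in zip(bit_names(name, width), prev, value)
                 if a + b in ("01", "10")]
        if name in static:
            if flips:
                static_moved.add(name)  # a net declared static must never move
            continue
        for label, edge in flips:
            seen[label].add(edge)
    need = {"0->1", "1->0"}
    untoggled = {lbl: sorted(need - got) for lbl, got in seen.items() if got != need}
    return {"total": len(seen), "covered": len(seen) - len(untoggled),
            "untoggled": untoggled, "static_moved": sorted(static_moved)}


if __name__ == "__main__":
    report = toggle_coverage(SAMPLE_VCD, static={"tb.dut.tie_gnd"})
    print(f"{report['covered']}/{report['total']} bits toggled")
    for label, missing in report["untoggled"].items():
        print(f"  {label}: missing {', '.join(missing)}")
```

On the constructed trace, the reset line is reported because it only ever rises, and the error output because it never moves at all; both are gaps that a pass/fail comparison of outputs alone would not show.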

#### FPGA Testing

The testers performed the FPGA testing in the following order:

- Check the test configuration items; prepare the VHDL source code generated by the Designer tool during the place and route.
- Check the test equipment, specifically, the test hardware serial numbers and the test software version numbers.
- Prepare the FPGA embedding the fusemap for testing.
- Perform the FPGA testing for the prepared test cases.
- Confirm the results of the tests, and fill in the test procedure that would be issued as a test report.

#### (2) Oversight of FPGA Testing

The NICSD IV&V Team performed an oversight of the FPGA Testing performed by PPDD to check that the testing, including the test report preparation process, was appropriately conducted in accordance with E-68016 "PPDD Procedural Standard for FPGA Products Development" (Reference (49)) and E-68017. The items checked in the oversight and the results were as follows:

- The testers were qualified in accordance with E-68016.
- The software tools listed in Table 7-3 were used for the testing.
- PPDD took appropriate security measures (i.e., firewall on the PCs used for simulation) for FPGA Testing in accordance with NQ-2037 (Reference (10)) attached to the procurement documents to PPDD.
- The testers used the approved FPGA Test Procedures, and performed the testing in the correct manner.
- The testers prepared the FPGA Test Reports in accordance with E-68017.

As a result, the NICSD IV&V Team determined that PPDD performed the FPGA testing in an acceptable manner.

### 8.7 Software Tool Control Review

The NICSD IV&V Team reviewed the software tools. In the Implementation and Integration Phase, PPDD used the software tools listed in Table 7-3 for the FPGA implementation process and FPGA testing.

### 8.8 Implementation and Integration Phase RTM efforts

#### (1) Preparation of RTM

PPDD traced the requirements in the FPGA Design Specifications to the FPGA Test Procedures by developing RTMs for the Implementation and Integration Phase. A separate RTM was prepared for each FPGA Test Procedure, and its snapshot was issued as a document. Table 8-10 lists all the RTMs. See Appendix D for an example of the Implementation and Integration Phase RTM.

| Document No.   | Rev. | Document Name | FPGA |
|----------------|------|---------------|------|
| RTM-JH8-000021 | 2    |               |      |
| RTM-JH8-000022 | 5    |               |      |
| RTM-JH8-000023 | 3    |               |      |
| RTM-JH8-000024 | 2    |               |      |
| RTM-JH8-000025 | 3    |               |      |
| RTM-JH8-000026 | 3    |               |      |
| RTM-JH8-000027 | 2    |               |      |
| RTM-JH8-000028 | 3    |               |      |
| RTM-JH8-000029 | 2    |               |      |
| RTM-JH8-000030 | 2    |               |      |
| RTM-JH8-000031 | 3    |               |      |
| RTM-JH8-000032 | 2    |               |      |
| RTM-JH8-000033 | 4    |               |      |
| RTM-JH8-000034 | 2    |               |      |
| RTM-JH8-000035 | 2    |               |      |
| RTM-JH8-000036 | 3    |               |      |
| RTM-JH8-000037 | 2    |               |      |
| RTM-JH8-000038 | 2    |               |      |

#### **Table 8-10 RTMs for FPGAs**

| Document No.   | Rev. | Document Name | FPGA |
|----------------|------|---------------|------|
| RTM-JH8-000039 | 4    |               |      |
| RTM-JH8-000040 | 3    |               |      |
| RTM-JH8-000041 | 2    |               |      |
| RTM-JH8-000042 | 3    |               |      |
| RTM-JH8-000043 | 2    |               |      |
| RTM-JH8-000044 | 2    |               |      |
| RTM-JH8-000045 | 2    |               |      |
| RTM-JH8-000046 | 2    |               |      |
| RTM-JH8-000047 | 2    |               |      |
| RTM-JH8-000048 | 3    |               |      |

 Table 8-10 RTMs for FPGAs (Cont'd)

(2) Compilation of the Implementation and Integration Phase RTM Report

The NICSD IV&V Team documented the RTM review result in FC51-3704-1111 "Nuclear Instrumentation & Control Systems Department Implementation and Integration Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)" (RTM Report (Implementation and Integration Phase)) (Reference (53)).

Through the review of the NICSD RTM (Implementation and Integration Phase), the NICSD IV&V Team confirmed the following:

- All the requirements for each FPGA Design Specification are traced to each FPGA Test Procedure, and
- The specifications in the FPGA Test Procedure are traced back to each FPGA Design Specification.

No open item remains in the NICSD RTM (Implementation and Integration Phase).
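The two confirmations above amount to a two-way closure check on the matrix. The Python below is an added example, not the project's RTM tooling: the CSV layout, the ID scheme and every identifier in it are constructed, and it assumes the requirement list and the test-case list are taken from the controlled Design Specification and Test Procedure rather than from the RTM itself.

```python
"""Two-way traceability check for an RTM (added example; all IDs are constructed)."""
import csv
import io

# Constructed inputs with a hypothetical ID scheme, not the project's documents.
DESIGN_REQUIREMENTS = ["DS-001", "DS-002", "DS-003", "DS-004"]
TEST_SPECIFICATIONS = ["TC-01", "TC-02", "TC-03", "TC-04"]
RTM_CSV = """\
requirement,test_case
DS-001,TC-01
DS-001,TC-02
DS-002,TC-02
DS-003,TC-09
DS-007,TC-03
"""


def check_rtm(requirements, test_cases, rtm_csv):
    """Return the gaps that keep an RTM from being closed in both directions."""
    reqs, tests = set(requirements), set(test_cases)
    rows = [(r["requirement"].strip(), r["test_case"].strip())
            for r in csv.DictReader(io.StringIO(rtm_csv))]
    # A row only counts as a trace if both ends exist in the controlled documents.
    valid = [(q, t) for q, t in rows if q in reqs and t in tests]
    dangling = [(q, t) for q, t in rows if (q, t) not in valid]
    return {
        # Forward: a specified function that no test case exercises.
        "untested_requirements": sorted(reqs - {q for q, _ in valid}),
        # Backward: a test case with no specified requirement behind it.
        "untraced_test_cases": sorted(tests - {t for _, t in valid}),
        # Rows citing IDs absent from either document (stale or mistyped).
        "dangling_rows": dangling,
    }


if __name__ == "__main__":
    for finding, items in check_rtm(DESIGN_REQUIREMENTS, TEST_SPECIFICATIONS,
                                    RTM_CSV).items():
        print(finding, items)
```

Treating a row that cites an unknown ID as no trace at all matters here: counted naively, the DS-003 row would make that requirement look covered.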

### 8.9 Result of Security Review

The NICSD IV&V Team carried out a security review as planned in Section 5.5.9 of the NICSD VVP (Reference (17)) as a V&V activity in the Implementation and Integration Phase.

(1) Access control to design deliverables

The NICSD IV&V Team confirmed that the security environment reviewed in Section 7.5 (1) was appropriately maintained.

(2) Security control of personal computers

The NICSD IV&V Team confirmed that the control of the PCs reviewed in Section 7.5 (2) was appropriately maintained.

#### TOSHIBA CORPORATION

Nuclear Instrumentation & Control Systems Department

(3) Identification of digital safety system's weakness and vulnerability

Through the code reviews, netlist inspections, document reviews, and RTM efforts of the Implementation and Integration Phase, the NICSD IV&V Team confirmed that the functional requirements specified in each FPGA Design Specification had been incorporated into the logic correctly, appropriately, and completely. The NICSD IV&V Team also confirmed that there was no hidden function or unnecessary logic that was not specified in the specifications. In FPGA testing, the NICSD IV&V Team confirmed that there was no behavior other than that specified in the specifications.

(4) Remote-access control to digital safety system

The NICSD IV&V Team confirmed that the TRN and RCV modules related to communication had one-way communication only, and their external communication was limited.

(5) Control of development environment

The NICSD IV&V Team performed an oversight of PPDD's development office during the FPGA Testing. The development system was connected to the []<sup>9</sup>

and access to the verification system was controlled. For the PCs for development,

Several recommendations raised during the oversight have all been addressed.

### 8.10 Software Safety Analysis Report (SSAR) Review

The NICSD Software Safety Team prepared FC51-3704-1106 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Implementation and integration Phase)" (NICSD SSAR (Implementation and integration Phase)) (Reference (43)). The NICSD IV&V Team reviewed the NICSD SSAR.

The NICSD SSAR concluded as follows.

- The results of safety analysis of this phase are as follows.
  - The FPGA implementation by PPDD was performed in a correct manner in accordance with the PPDD Standards E-68017, E-68018, E-68019, and E-68020 (References (45), (51), (48), and (50)) as required in the procurement documents to PPDD.
  - PPDD used the specific versions of software tools reviewed in Section 7.3, and appropriately implemented configuration control of the software tools in accordance with E-68020.
  - The static timing analysis results satisfied the timing constraints specified in E-68017. PPDD performed dynamic timing simulations in the FPGA testing, and the test results were acceptable.
  - Only the logic specified in the FPGA Design Specifications was implemented. Unintended code or unused code that was not specified in the FPGA Design Specifications was not implemented in the FPGAs.
- As a result of the safety analysis of the FPGA implementation process and FPGA testing stated above, the failure modes of the FPGAs identified in the Design Phase induced by errors in the software tools or timing errors in an FPGA were unlikely. Thus, the risks due to the failures of the FPGAs were acceptable. The NICSD Software Safety Team did not find any additional hazard.
- The remaining risks are whether the FPGAs operate at their intended clock frequency, and perform the safety functions specified in the Module Design Specifications as intended.

- The NICSD Software Safety Team reviewed the Module Validation Testing and confirmed that the testing ensured the implementation of the software safety requirements into the modules.

The NICSD IV&V Team agreed with these conclusions. The NICSD IV&V Team concluded that the NICSD SSAR for the Implementation and Integration Phase was acceptable.

### 8.11 Control of Configuration Items

The NICSD IV&V Team confirmed that PPDD performed their FPGA implementation work in accordance with requirements in the procurement documents listed in Table 8-11.

| Document No. | Rev. | Document Name                            | Module Type   |
|--------------|------|------------------------------------------|---------------|
| 5Q8K0015     | 3    | Purchase Specification for RCV module    | HNS0541B00000 |
| 5Q8K0016     | 3    | Purchase Specification for TRN module    | HNS0531B00000 |
| 5Q8K0019     | 3    | Purchase Specification for CELL module   | HNS0400B00000 |
| 5Q8K0020     | 3    | Purchase Specification for AGRD module   | HNS0420B00000 |
| 5Q8K0021     | 3    | Purchase Specification for PBD module    | HNS0430B00000 |
| 5Q8K0022     | 3    | Purchase Specification for DAT/ST module | HNS0410B00000 |

#### Table 8-11 Procurement Documents for Modules

The NICSD IV&V Team confirmed that PPDD appropriately controlled the configuration items for each FPGA in accordance with E-68019 "PPDD Procedural Standard for FPGA Configuration Management" (Reference (48)) through reviews of the FPGA Control Sheets listed in Table 8-12. The FPGA Control Sheets referenced the configuration items for each FPGA.

| Module Name | Module Type   | FPGA Code Name | FPGA Control Sheet | Rev. |
|-------------|---------------|----------------|--------------------|------|
| RCV module  | HNS0541B00000 |                | FDFG-06-0069-M     | 4    |
| RCV module  | HNS0541B00000 |                | FDFG-10-0027-M     | 2    |
| TRN module  | HNS0531B00000 |                | FDFG-06-0065-M     | 4    |
| TRN module  | HNS0531B00000 |                | FDFG-06-0066-M     | 3    |
| TRN module  | HNS0531B00000 |                | FDFG-10-0028-M     | 2    |
| CELL module | HNS0400B00000 |                | FDFG-10-0001-M     | 1    |
| CELL module | HNS0400B00000 |                | FDFG-10-0002-M     | 1    |
| CELL module | HNS0400B00000 |                | FDFG-10-0003-M     | 2    |
| CELL module | HNS0400B00000 |                | FDFG-10-0004-M     | 1    |
| CELL module | HNS0400B00000 |                | FDFG-10-0005-M     | 2    |
| CELL module | HNS0400B00000 |                | FDFG-10-0006-M     | 1    |
| CELL module | HNS0400B00000 |                | FDFG-10-0007-M     | 1    |

#### **Table 8-12 Modules and FPGA Control Sheets**

| Module Name          | Module Type   | FPGA Code Name | FPGA Control Sheet | Rev. |
|----------------------|---------------|----------------|--------------------|------|
| CELL module (Cont'd) | HNS0400B00000 |                | FDFG-10-0008-M     | 1    |
| CELL module (Cont'd) | HNS0400B00000 |                | FDFG-10-0009-M     | 1    |
| CELL module (Cont'd) | HNS0400B00000 |                | FDFG-10-0010-M     | 1    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0011-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0012-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0013-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0014-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0015-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0016-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0017-M     | 2    |
| AGRD module          | HNS0420B00000 |                | FDFG-10-0018-M     | 2    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0011-M     | 2    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0019-M     | 3    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0020-M     | 2    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0021-M     | 2    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0022-M     | 2    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0023-M     | 2    |
| PBD module           | HNS0430B00000 |                | FDFG-10-0024-M     | 2    |
| DAT/ST module        | HNS0410B00000 |                | FDFG-10-0025-M     | 2    |
| DAT/ST module        | HNS0410B00000 |                | FDFG-10-0026-M     | 2    |

#### Table 8-12 Modules and FPGA Control Sheets (Cont'd)

### 8.12 Monitoring of Metrics

The NICSD IV&V Team monitored the same metrics as Section 5.7 for the FPGA Test Procedures and the Module Test Procedures.

#### (1) Number of changes applied to the design documents

No design was changed until the baseline review in this phase.

#### (2) Number of open items carried to the next phase

[ ] open items were carried to the next phase as follows.

• [ ] open items related to the OPRM Unit User's Manual carried from the previous phase.

- [ ]<sup>a,c</sup> open items are related to the comments on the RTM of the Design Phase carried from the previous phase.
- [ ]<sup>a,c</sup> new item was a recommendation in FC51-3704-1103 "Source Code Review Sheet for NRW-FPGA-Based I&C System Qualification Project." The code reviewers found some typos in the FPGA Design Specifications and recommended the PPDD to correct them. Those typos do not affect the design of the FPGAs.

#### (3) Number of open items closed in the current phase

open item from the previous phase, preparing the NICSD SSAR for the Design Phase, was closed in this phase.

#### (4) Number of Site Corrective Action Requests (SCARs)

[ ] SCARs, [ ] issued in the Design Phase were closed in this phase.

[ ] new SCARs were issued as a result of CG Survey of TDMS (module printed circuit board fabricator).

#### (5) Number of Site Nonconformance Notice Reports (SNNRs)

were closed in this phase.

new SVNNRs were issued for this phase activities.

This SVNNR was closed in this phase.

SNNRs,

#### (6) Number of problems found during V&V testing

The FPGA testers reported 24 problems. Those problems were clerical errors of the FPGA Test Procedures. PPDD revised the FPGA Test Procedures to correct the errors.

### 8.13 Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

The NICSD IV&V Team found that VHDL source code of several FPGAs did not conform to a coding rule specified in E-68017, requiring only one signal definition be written in one source code line. Though this rule is for readability of VHDL source code, E-68017 stated this rule was mandatory. However, for the VHDL source code, PPDD thought writing more than one signal in one line did not spoil source code readability. Rather it kept the source code compact, and contributed to readability, because each signal was written in a short description in these VHDL sources.

PPDD decided to revise E-68017 to relax this rule, and to keep the source code as is.

Through the V&V activities of this phase, the NICSD IV&V Team did not identify a risk related to design and safety analysis activities. There was no recommendation or suggestion to the NICSD SD Team and the NICSD Software Safety Team.

### 8.14 Conclusions of Implementation and Integration Phase V&V Activities

The NICSD IV&V Team confirmed that NICSD V&V activities had been performed in accordance with the NICSD VVP (Reference (17)), and concluded that the NICSD V&V activities for the Implementation and Integration Phase were completed in an acceptable manner.

The NICSD IV&V Team confirmed that [ ]<sup>a,c</sup> open items remained in the Implementation and Integration Phase V&V activities, as reported in Section 8.12.

Those open items are not considered to have a negative effect on the next phase as long as the engineers are notified of them, and they can be resolved by reviewing the revised documents.

### 8.15 Updating of Implementation and Integration Phase V&V Activities

After the Implementation and Integration Phase V&V activities were completed, however, the following issues were found:

A) Test cases for some FPGAs did not meet the toggle coverage criteria

As a result of a spot check of the test procedures, the NED IV&V Team pointed out that the test cases for some FPGAs seemed not to meet the toggle coverage criteria. The NICSD IV&V Team, with the help of PPDD, rechecked the test procedures, and confirmed the NED IV&V Team's concern.

B) The [ ] FPGAs were revised to the [ ] FPGAs

PPDD revised the FPGAs to add the CRC function. These changes were made according to the upstream design change in Section 7.10. The implementation of these FPGAs did not require any new FE.

#### 8.15.1 Logic Synthesis and Layout Verification

The PPDD engineers performed logic synthesis and layout of the [ ] FPGAs. The NICSD IV&V team checked the log files produced by the software tools. These checks were performed to confirm that the PPDD design engineers used the software tools in an appropriate manner, and did not dismiss any warnings reported by the software tools without consideration.

(1) Log files produced by Synplify<sup>®</sup> tool

The NICSD IV&V team did not find any error message.

Table 8-13 lists the warning messages for the [ ] FPGAs. These warning messages were included in those listed in Table 8-1, and were considered acceptable.

#### Table 8-13 Summary of Synplify<sup>®</sup> Warning Messages

| Warning<br>Message<br>Code | Messages | FPGA Code Name for<br>which the message was<br>generated | Evaluation |
|----------------------------|----------|----------------------------------------------------------|------------|

Note: Refer to Section 7.2.2 for FPGA names.

<sup>2</sup> GND : Ground

(2) Log files produced by Designer tool

Table 8-14 lists the warning messages for the [ ]. These warning messages were included in those listed in Table 8-2, and were considered acceptable.

| Warning<br>Message<br>Code | Messages | FPGA for which<br>the message was<br>generated | Evaluation |
|----------------------------|----------|------------------------------------------------|------------|

#### Table 8-14 Summary of Designer Warning Messages

## 8.15.2 Signal Timing

PPDD performed timing analyses for the FPGAs, and the NICSD IV&V Team evaluated the result as in Section 8.3. Table 8-15 summarized the result of the analyses. The three FPGAs satisfied the timing criteria, and were determined acceptable.

## Table 8-15 Result of Timing Analysis

| FPGA Name | Device<br>Type* | Operating<br>frequency<br>(MHz) | Period (ns) | Propagation<br>delay (ns) | Permissible<br>propagation<br>delay (ns) | Acceptable?<br>Yes/No<br>(Yes=✔) |
|-----------|-----------------|---------------------------------|-------------|---------------------------|------------------------------------------|----------------------------------|

\* Microsemi FPGA Device Type: 72 means SXA-72, 32 means SXA-32

## 8.15.3 Netlist Inspection

The NICSD IV&V Team performed the netlist inspections for the FPGAs in the same manner as Section 8.4.

## 8.15.4 Document Reviews

Table 8-16 lists the reviewed documents. The NICSD IV&V Team reviewed these documents in the same manner described in Section 5.3. The test procedures and reports for the [\_\_\_\_\_]<sup>a,c</sup> FPGAs were revised to meet the toggle coverage criteria. The NICSD IV&V Team paid special attention in the review of these documents to confirm that the toggle coverage criteria were met.

In the reviews, the NICSD IV&V Team did not find any problem that could change the conclusion of the Implementation and Integration Phase.


## Table 8-16 Document Reviewed

| (Project)<br>Document No. | Rev. | Document Name<br>(Type) | Preparer | Independent<br>Reviewer | DVR No. |
|---------------------------|------|-------------------------|----------|-------------------------|---------|
| [ ]<sup>a,c</sup>         |      |                         |          |                         |         |


## 8.15.5 FPGA Testing

PPDD performed the FPGA testing for the revised parts of the test procedures in Table 8-16.

## 8.15.6 Software Tool Control Review

The NICSD IV&V Team confirmed that PPDD used the same versions of the software tools as described in Section 8.7.

## 8.15.7 RTM Efforts

PPDD revised the [ ]<sup>a,c</sup> FPGA design to the [ ]<sup>a,c</sup> FPGAs. After PPDD issued the FPGA Design Specifications and the FPGA Test Procedures for these FPGAs, PPDD prepared RTMs in Table 8-17, tracing the design changes from the FPGA Design Specifications to the FPGA Test Procedures.

## **Table 8-17 RTMs for FPGAs**

| Document No.   | Rev. | Document Name | FPGA |     |
|----------------|------|---------------|------|-----|
| RTM-JH8-000060 | 3    |               |      | a,c |
| RTM-JH8-000062 | 3    |               |      |     |
| RTM-JH8-000061 | 2    |               |      |     |

The NICSD IV&V Team reviewed the RTMs and found no issue with the traceability between the FPGA Design Specifications and FPGA Test Procedures. The NICSD IV&V Team issued Revision 2 of the RTM Report (Implementation and Integration Phase) (Reference (53)), concluding that the reviewed RTMs were acceptable.

## 8.15.8 Result of Security Review

The NICSD IV&V Team carried out a security review, and confirmed that the secure development environment was maintained.

## 8.15.9 Software Safety Analysis Report (SSAR) Review

The revised SSAR evaluated the design changes of the [ ] FPGAs, and concluded there was no new hazard. The NICSD IV&V Team reviewed the revised SSAR, and agreed with the conclusion.

## 8.15.10 Control of Configuration Items

The procurement documents in Table 8-18 were revised for the TRN and RCV modules having the CRC function.

| Document No. | Rev. | Document Name                         | Module Type   |
|--------------|------|---------------------------------------|---------------|
| 5Q8K0015     | 5    | Purchase Specification for RCV module | HNS0541B00001 |
| 5Q8K0016     | 5    | Purchase Specification for TRN module | HNS0531B00001 |

#### Table 8-18 Procurement Documents for Modules

The FPGA Control Sheets in Table 8-19 were revised due to the addition of the CRC functions to the TRN and RCV modules and the additional FPGA tests in Section 8.15.5.

| Module Name | Module Type   | FPGA Code Name    | FPGA Control Sheet | Rev. |
|-------------|---------------|-------------------|--------------------|------|
| RCV module  | HNS0541B00001 | [ ]<sup>a,c</sup> | FDFG-13-0002-M     | 0    |
|             |               |                   | FDFG-13-0003-M     | 1    |
| TRN module  | HNS0531B00001 |                   | FDFG-13-0001-M     | 0    |
| CELL module | HNS0400B00000 |                   | FDFG-10-0002-M     | 2    |
|             |               |                   | FDFG-10-0011-M     | 3    |
| AGRD module | HNS0420B00000 |                   | FDFG-10-0016-M     | 3    |
| PBD module  | HNS0430B00000 |                   | FDFG-10-0019-M     | 4    |
|             |               |                   | FDFG-10-0022-M     | 3    |

## **Table 8-19 Modules and FPGA Control Sheets**

## 8.15.11 Conclusion of Update

NICSD performed additional V&V activities for the Implementation and Integration Phase to resolve the following issues:

A) Test cases for some FPGAs did not meet the toggle coverage criteria;
B) The [ ]<sup>a,c</sup> FPGAs were revised to the [ ] FPGAs to add the CRC function.

The NICSD IV&V Team confirmed that the additional V&V activities were performed in accordance with the NICSD VVP (Reference (17)). The NICSD IV&V Team concluded that the Implementation and Integration Phase V&V activities had completed without any remaining issue.

It should be noted that the additional testing to achieve the toggle coverage criteria had no effect on the subsequent phases except for additional confidence that the FPGAs operate correctly.

## 9. Module Validation Testing Phase V&V activities

PPDD performed the Module Validation Testing in accordance with the approved Module Test Procedures to demonstrate that the modules perform all intended functions within the predetermined design.

The NICSD IV&V Team performed the Module Validation Testing Phase V&V activities in accordance with the NICSD VVP (Reference (17)).

## 9.1 Module Validation Testing

PPDD assigned the module testers, who were independent of the design group of PPDD, to perform the Module Validation Testing. The module testers performed the Module Validation Testing of each module following individual Module Test Procedures listed in Table 8-7. The NICSD IV&V Team reviewed these Module Test Procedures in the Implementation and Integration Phase. Table 9-1 lists the modules, module types, and module serial numbers.

| Module Name   | Module Type   | Module Serial Number |
|---------------|---------------|----------------------|
| CELL Module   | HNS0400B00000 | 1206818335           |
| AGRD Module   | HNS0420B00000 | 1206818331           |
| PBD Module    | HNS0430B00000 | 1206818312           |
| DAT/ST Module | HNS0410B00000 | 1206818322           |
| TRN Module    | HNS0531B00000 | 1206818325           |
| TRN Module    | HNS0531B00000 | 1206818326           |
| RCV Module    | HNS0541B00000 | 1206818316           |
| RCV Module    | HNS0541B00000 | 1206818317           |

## Table 9-1 Modules used in the Module Validation Testing

The following subsections explain the Module Validation Testing, taking the PBD module as an example, and provide summaries of the testing for the other modules.

## 9.1.1 Test Environment and Setup

Figure 9-1 shows the test setup for the PBD module testing. The test equipment consisted of the following components.

## Figure 9-1 Test Setup for PBD Module Testing

## 9.1.2 Test Cases and Procedures

## 9.1.2.1 PBD Module Validation Testing

The PBD module has the safety functions to generate a PBDA Trip signal, OPRM Trip signal, and OPRM Inoperative signal. This subsection explains the tests and procedures applied to the Module Validation Testing for the PBD module.

## (1) Appearance, Structure, Power Supply, Frequency, and Power Consumption

Prior to functional testing, PPDD checked for the following:

- Check the visual appearance and structure of the PBD module.
- Measure the height, width and depth size of the PBD module.
- Measure the mass of the PBD module.
- Measure the voltages of the +5VDC module power supplies and the +2.5VDC converted power.
- Measure the frequency of the crystal oscillator in the PBD module.
- Measure the current consumption from the +5VDC power supplies.
- Measure the time when the power-on reset signal changes from "L" to "H" after the +5VDC power is activated.
- Check the voltage at which the power-on reset signal changes from "H" to "L", by gradually lowering the power supply voltage down from +5VDC.

## (2) Functional Testing

The functional testing checked the output signals and the behaviors of the front panel displays of the PBD module by varying the input signals into the PBD module in accordance with the requirements in the PBD Module Design Specification.


## Figure 9-2 Confirmation Count Check Test

| Case | Tmin (seconds) | Tmax (seconds) | Period (seconds) | Condition is met? |
|------|----------------|----------------|------------------|-------------------|
| 1    |                |                |                  |                   |
| 2    |                |                |                  |                   |
| 3    |                |                |                  |                   |
| 4    |                |                |                  |                   |

The table below summarizes the test condition. Note that Tref was the period between the 1st and 2nd peaks in the test signals.

| Case | Te (seconds) | Tref (seconds) | Period<br>(seconds) | Last Period<br>(seconds) | Condition is met? |
|------|--------------|----------------|---------------------|--------------------------|-------------------|
| 1    |              |                |                     |                          |                   |
| 2    |              |                |                     |                          |                   |
| 3    |              |                |                     |                          |                   |
| 4    |              |                |                     |                          |                   |

Figure 9-3 shows the Normalized Oscillation Signals used for the cases 1 through 4.



PBDA Trip Test

| Case | Tmin<br>(seconds) | Tmax<br>(seconds) | Te<br>(seconds) | Sp | Np | Issue of Trip |
|------|-------------------|-------------------|-----------------|----|----|---------------|
| 1    |                   |                   |                 |    |    |               |
| 2    |                   |                   |                 |    |    |               |



The NICSD IV&V Team confirmed that the test cases tested all states of the PBD algorithm explained in Section 7.2.1, and the results were satisfactory.

TOSHIBA CORPORATION Nuclear Instrumentation & Control Systems Department


## 9.1.2.2 Other Module Validation Testing

For the other modules, PPDD performed the testing in a similar manner as the PBD module validation testing. The following paragraphs describe the overview of the testing applied to the other modules.

## (1) CELL module

The module validation testing for the CELL module was performed in a similar manner as the testing for the PBD module using a similar test setup that was described in Section 9.1.1. The module validation testing included [\_\_\_\_\_\_\_]<sup>a,c</sup>

The [\_\_\_\_\_] simulated 52 LPRM signals from four LPRM units and two redundant input signals from the APRM unit by the commands from the [\_\_\_\_] and entered the signals to the CELL module. Responding to the signals, the CELL module generated Normalized Oscillation Signals and alarm signals such as the OPRM Minor Failure and OPRM Inoperative signals, and sent them back to the CELL module. The [\_\_\_\_\_\_]

The test cases were developed to demonstrate that the module performed the safety functions specified in the Module Design Specification including the validation of bypassing and of each step of the Normalized Oscillation Signal calculation such as filtering, averaging, and normalizing steps.

The test cases included:

**OPRM Automatic Bypass Test** 

This test checked whether the bypass signal was generated when the APRM level or the Core Flow value was within the nominal setpoints. The OPRM is bypassed when the APRM level is below 30 percent of the rated power or the Core Flow value is above 60 percent of the rated flow.

Table 9-2, which was reproduced from information in the 5T8H7620 "CELL Module Test Procedure" listed in Table 8-7, provides the test cases.

| No | APRM Level (%) | Core Flow Value (%) | OPRM Automatic Bypass |
|----|----------------|---------------------|-----------------------|
| 1  |                |                     |                       |
| 2  |                |                     |                       |
| 3  |                |                     |                       |
| 4  |                |                     |                       |
| 5  |                |                     |                       |
| 6  |                |                     |                       |
| 7  |                |                     |                       |
| 8  |                |                     |                       |
| 9  |                |                     |                       |
| 10 |                |                     |                       |
| 11 |                |                     |                       |

## Table 9-2 OPRM Automatic Bypass Test
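As an added illustration (not taken from 5T8H7620 or any PPDD/NICSD document), the Python sketch below shows how a reviewer could check a bypass test table against the rule stated above: expected results agree with the rule, each condition is shown to cause the bypass on its own (MC/DC for an OR), and each setpoint is probed at and on both sides of the boundary. The strict comparisons follow the wording "below 30 percent" and "above 60 percent"; the case values, the 1 % margin and all names are constructed assumptions, since the real values in Table 9-2 are withheld.

```python
from dataclasses import dataclass

APRM_SETPOINT = 30.0  # percent of rated power, from the text
FLOW_SETPOINT = 60.0  # percent of rated flow, from the text


def oprm_auto_bypass(aprm_pct, flow_pct):
    """Rule as worded in the text: bypass if APRM < 30 % OR core flow > 60 %."""
    return aprm_pct < APRM_SETPOINT or flow_pct > FLOW_SETPOINT


@dataclass(frozen=True)
class Case:
    no: int
    aprm_pct: float
    flow_pct: float
    expected_bypass: bool


def review_cases(cases, margin=1.0):
    """Return a list of findings; an empty list means the table passes review.

    margin is an assumed review parameter: how close (in percent) a case must
    sit to a setpoint to count as a boundary probe.
    """
    findings = []

    # 1. Oracle check: the expected column must agree with the stated rule.
    for c in cases:
        if oprm_auto_bypass(c.aprm_pct, c.flow_pct) != c.expected_bypass:
            findings.append(f"case {c.no}: expected result disagrees with the stated rule")

    # 2. MC/DC for "A or B": each condition must be seen flipping the outcome
    #    while the other is held false, so three combinations are required.
    seen = {(c.aprm_pct < APRM_SETPOINT, c.flow_pct > FLOW_SETPOINT) for c in cases}
    required = (
        ((True, False), "low APRM alone causes the bypass"),
        ((False, True), "high core flow alone causes the bypass"),
        ((False, False), "neither condition holds and there is no bypass"),
    )
    for combo, label in required:
        if combo not in seen:
            findings.append(f"MC/DC: no case where {label}")

    # 3. Boundary probes: only cases where the *other* condition is false are
    #    counted, so the probed setpoint alone decides the output.
    aprm_points = {c.aprm_pct for c in cases if c.flow_pct <= FLOW_SETPOINT}
    flow_points = {c.flow_pct for c in cases if c.aprm_pct >= APRM_SETPOINT}
    for name, sp, pts in (("APRM", APRM_SETPOINT, aprm_points),
                          ("core flow", FLOW_SETPOINT, flow_points)):
        if sp not in pts:
            findings.append(f"boundary: no case exactly at the {name} setpoint")
        if not any(sp - margin <= p < sp for p in pts):
            findings.append(f"boundary: no case just below the {name} setpoint")
        if not any(sp < p <= sp + margin for p in pts):
            findings.append(f"boundary: no case just above the {name} setpoint")

    return findings


# Constructed sample tables (not the values of Table 9-2).
GOOD_CASES = [
    Case(1, 29.0, 50.0, True),   # just below the APRM setpoint
    Case(2, 30.0, 50.0, False),  # exactly at the APRM setpoint
    Case(3, 31.0, 50.0, False),  # just above the APRM setpoint
    Case(4, 50.0, 59.0, False),  # just below the flow setpoint
    Case(5, 50.0, 60.0, False),  # exactly at the flow setpoint
    Case(6, 50.0, 61.0, True),   # just above the flow setpoint
    Case(7, 20.0, 70.0, True),   # both conditions true
]

WEAK_CASES = [
    Case(1, 10.0, 50.0, True),
    Case(2, 50.0, 50.0, False),
    Case(3, 50.0, 80.0, True),
    Case(4, 30.0, 50.0, True),   # wrong oracle: treats "at 30 %" as "below 30 %"
]

if __name__ == "__main__":
    for title, table in (("GOOD_CASES", GOOD_CASES), ("WEAK_CASES", WEAK_CASES)):
        result = review_cases(table)
        print(title, "->", "no findings" if not result else "")
        for line in result:
            print("  -", line)
```

The second table satisfies MC/DC yet still draws six findings, which is why the boundary probes and the oracle check are reviewed separately from condition coverage.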

The NICSD IV&V Team confirmed that the test cases covered all functions of the CELL module.

## (2) AGRD module

The module validation testing for the AGRD module was performed in a similar manner as the testing for the PBD module using a similar test setup that was described in Section 9.1.1. The module validation testing included the power-on operation test, mode-switch test, and rotary switch test.

For ABA and GRA trip testing, the test PC controlled the testing by sending the test data simulating the Normalized Oscillation Signals to the AGRD module through the [ ] and by receiving the OPRM Inoperative, OPRM Minor Failure, and OPRM Trip signals from the AGRD module through the multifunctional board. The [ ]<sup>a,c</sup>



## Figure 9-5 An Example of Test Signals for AGRD Module Testing.

The test cases and patterns were developed to demonstrate that the module performed the safety functions specified in the Module Design Specification, in particular the ABA and GRA algorithm.

Briefly, the ABA and GRA algorithm repeats the following steps:

The NICSD IV&V Team confirmed the test cases covered all functions of the AGRD module.

#### (3) DAT/ST module

The module validation testing for the DAT/ST module was performed in a similar manner as the testing for the PBD module. [\_\_\_\_\_\_\_]<sup>a</sup>. The test cases and patterns were developed to demonstrate that the module functions.

The NICSD IV&V Team confirmed that the test cases covered all functions of the DAT/ST module.

#### (4) TRN and RCV modules

The same test setup was used for this project as those described in Section 3.1.1.2 of the Attachment-5 to the PRM VVR (Reference (44)), and the same test cases and procedures were used.

The NICSD IV&V Team confirmed that the tests covered all functions of the TRN and RCV modules.

#### 9.1.3 Performing Testing

#### (1) Test Methods

The module testers of PPDD, who were qualified in accordance with the vendor QA procedures, performed the Module Validation Testing.

Each Module Test Procedure provided a record form for data recording during testing. Each form specified the input signal values with the expected output signal values, and areas for the tester to record the test results. The module testers compared the actual output signal values from the modules with the expected output signal values, and filled in the forms.

#### (2) Oversight of Module Validation Testing

The NICSD IV&V Team performed oversight of the Module Validation Testing by PPDD to check whether the testing, including the test report preparation process, was appropriately conducted in accordance with E-68016 (Reference (49)). The following items were checked:

- Tester qualification status,
- Tool control status,
- Security environment,
- Conformance of testing activities to test procedures, and
- Test report preparation.

The NICSD IV&V Team concluded that PPDD performed the Module Validation Testing in an acceptable manner.

## (3) Test Report Review

After the testing, PPDD submitted the Module Test Reports listed in Table 9-3 to NICSD. See Section 9.2.1 for the test report reviews.

## 9.2 Document Reviews

## 9.2.1 Module Test Report Reviews

The NICSD IV&V Team reviewed the Module Test Reports listed in Table 9-3, which were prepared by PPDD.

| Document<br>No. | Document<br>Name (Type)      | Module<br>Serial No.     | Preparer    | Independent<br>Reviewer | DVR No.        |
|-----------------|------------------------------|--------------------------|-------------|-------------------------|----------------|
| ATC-103653      | CELL module<br>Test Record   | 1206818335               | K. Tamura   | T. Yonaha               | FC51-0904-1335 |
| ATC-103666      | AGRD module<br>Test Record   | 1206818331               | M. Komatsu  | T. Yonaha               | FC51-0904-1336 |
| ATC-103676      | PBD module<br>Test Record    | 1206818312               | R. Oda      | H. Kitazono             | FC51-0904-1337 |
| ATC-103685      | DAT/ST module<br>Test Record | 1206818322               | S. Tomimoto | H. Kitazono             | FC51-0904-1327 |
| ATC-103690      | TRN module<br>Test Record    | 1206818325<br>1206818326 | A. Namiki   | H. Kitazono             | FC51-0904-1328 |
| ATC-103699      | RCV module<br>Test Record    | 1206818316<br>1206818317 | A. Namiki   | T. Yonaha               | FC51-0904-1329 |

## Table 9-3 Module Test Reports Reviewed

The NICSD IV&V Team reviewed the Module Test Reports from the following perspectives.

- The test personnel performed the testing following the test procedure.
- All test items described in the test procedure were tested.
- The test personnel made pass/fail judgments based on the criteria in the test procedure.

The NICSD IV&V Team confirmed the test results were satisfactory, and concluded that the Module Test Reports were acceptable.

## 9.2.2 Module User's Manual Reviews

The NICSD IV&V Team reviewed the module user's manual in Table 9-4 from the following perspectives.

- Each module user's manual was consistent with the module design specification.
- The manuals provided sufficient information to users for installation, operation, and maintenance.

Through the review of the manuals, the NICSD IV&V Team made some minor comments on clerical errors and wording of the manuals. PPDD revised the manuals to resolve the comments.

The NICSD IV&V Team concluded that the revised user's manuals were acceptable.

| Document<br>No. | Rev. | Document Name<br>(Type)     | Prepared by | Independent<br>Reviewer | DVR No.        |
|-----------------|------|-----------------------------|-------------|-------------------------|----------------|
| 6F8H3088        | 0    | CELL module User's Manual   | N. Umemura  | T. Yonaha               | FC51-0904-1284 |
| 6F8H3088        | 1    | CELL module User's Manual   | N. Umemura  | T. Yonaha               | FC51-0904-1348 |
| 6F8H3089        | 0    | AGRD module User's Manual   | N. Umemura  | T. Yonaha               | FC51-0904-1285 |
| 6F8H3089        | 1    | AGRD module User's Manual   | N. Umemura  | T. Yonaha               | FC51-0904-1349 |
| 6F8H3090        | 0    | PBD module User's Manual    | N. Umemura  | H. Kitazono             | FC51-0904-1286 |
| 6F8H3090        | 1    | PBD module User's Manual    | N. Umemura  | H. Kitazono             | FC51-0904-1350 |
| 6F8H3091        | 0    | DAT/ST module User's Manual | N. Umemura  | H. Kitazono             | FC51-0904-1287 |
| 6F8H3091        | 1    | DAT/ST module User's Manual | N. Umemura  | H. Kitazono             | FC51-0904-1351 |
| 6F8H3062        | 0    | TRN module User's Manual    | N. Umemura  | T. Yonaha               | FC51-0904-1281 |
| 6F8H3062        | 1    | TRN module User's Manual    | N. Umemura  | T. Yonaha               | FC51-0904-1352 |
| 6F8H3063        | 0    | RCV module User's Manual    | N. Umemura  | T. Yonaha               | FC51-0904-1282 |
| 6F8H3063        | 1    | RCV module User's Manual    | N. Umemura  | T. Yonaha               | FC51-0904-1353 |
| 6F8H3061        | 0    | DIO module User's Manual    | N. Umemura  | H. Kitazono             | FC51-0904-1280 |
| 6F8H3061        | 1    | DIO module User's Manual    | N. Umemura  | H. Kitazono             | FC51-0904-1354 |
| 6F8H7452        | 2    | LVPS module User's Manual   | N. Umemura  | H. Kitazono             | FC51-0904-1283 |
| 6F8H7452        | 3    | LVPS module User's Manual   | N. Umemura  | H. Kitazono             | FC51-0904-1355 |

## Table 9-4 Module User's Manual Reviewed

## 9.3 Module Validation Testing Phase RTM effort

(1) Preparation of RTM

PPDD traced the requirements in the Module Design Specifications to the Module Test Procedures. PPDD prepared the RTMs for the Module Validation Testing Phase. See Appendix E for an example of the Module Validation Testing Phase RTM.

(2) Compilation of the Module Validation Testing Phase RTM Report

The NICSD IV&V Team documented the RTM review result in FC51-3704-1113 "Nuclear Instrumentation & Control Systems Department Module Validation Testing Phase Requirements Traceability Matrix Review Report for Oscillation Power Range Monitor (OPRM)" (Reference (54)).

The NICSD IV&V Team checked the snapshot of the RTMs to review the forward traceability, i.e., that the test cases documented in the test procedures covered all functions documented in the MDSs.

The NICSD IV&V Team confirmed traceability. An exception was that the method of tracing design items was different for the RTM of the PBD Module Test Procedure and the RTM of the AGRD module.

The NICSD IV&V Team evaluated that the exception was minor and had minimal impact on the module testing.

## 9.4 Test Equipment Software Reviews

The NICSD IV&V Team assessed the test equipment software used in the Module Validation Testing. PPDD had tested each piece of the test equipment and test equipment software prepared for the CELL, AGRD, PBD, DAT/ST, TRN and RCV modules.

The NICSD IV&V Team confirmed that PPDD appropriately performed the configuration control of the test equipment software in accordance with PPDD procedure E-68020 "PPDD Procedural Standard for Control of Software Tools Used with FPGA Based Systems" (Reference (50)) using the Software Tool Information Sheets.

PPDD tested the test equipment and test equipment software using the test procedures prepared for each piece of test equipment software, and recorded the results in test reports. PPDD performed the test outside this project scope. The NICSD IV&V Team reviewed the test documents for the test equipment software, and confirmed that the testing of the test equipment software was performed in accordance with the test procedures, and that all test results were acceptable.

The NICSD IV&V Team confirmed that PPDD appropriately controlled test equipment software in accordance with PPDD procedure E-68020 "PPDD Procedural Standard for Control of Software Tools Used with FPGA Based Systems" (Reference (50)).

## 9.5 Result of Security Review

The NICSD IV&V Team carried out a security review as planned in Section 5.6.5 of the NICSD VVP (Reference (17)) as a V&V activity in the Module Validation Testing Phase. The security review was performed in accordance with NICSD NQ-2037 "Cyber Security Procedure of Safety Related Digital System" (Reference (10)) and the NICSD VVP. The NICSD IV&V Team held a security assessment meeting as a part of this security review, and confirmed that the security requirements in NQ-2037 were satisfied.

(1) Access control to design deliverables

The NICSD IV&V Team confirmed that the security environment reviewed in Section 7.5 (1) was appropriately maintained.

(2) Security control of personal computers

The NICSD IV&V Team confirmed that the security environment reviewed in Section 7.5 (2) was appropriately maintained.

(3) Identification of digital safety system's weakness and vulnerability

The NICSD IV&V Team did not find any weakness or vulnerability of the modules in this phase.

(4) Remote-access control to digital safety system

As reported in Section 8.9 (4), the NICSD IV&V Team had already confirmed that the TRN and RCV modules related to communication had one-way communication only and their external communication was limited.

(5) Control of development environment

The NICSD IV&V Team performed an oversight of the Module Validation Testing, and checked the security measures taken by PPDD at the test area. The test PCs used for the Module Validation Testing were standalone, and isolated from external networks. Use of portable memory devices was strictly controlled. Thus, the NICSD IV&V Team confirmed the security of the test PCs was appropriately controlled.

(6) Security measures taken in the module manufacturing process.

In this phase, the NICSD IV&V Team assessed the security measures taken in the module manufacturing process as follows.

#### Delivery of the fuse map

NICSD handed the write-once media which stored the fuse map files to PPDD with an FPGA Logic Implementation Request/Record Sheet. The FPGA Logic Implementation Request/Record Sheet was used to instruct the FPGA implementation work and to record the implementation result, using a form specified in NQ-2030 "Procedural Standard for FPGA Products Development" (Reference (55)). PPDD handed the media and the sheet to TDMS for the FPGA implementation work. After the FPGA implementation work was finished, TDMS returned the media and the sheet to PPDD. PPDD returned the media and the sheet to NICSD.

#### Embedment of logic into FPGAs

TDMS embedded the fuse map files into FPGA chips in a dedicated room for the FPGA implementation work. The dedicated room was locked with a key when TDMS workers were absent during the implementation work, or the FPGA implementation work was not performed. TDMS used the Silicon Sculptor tool installed in the PCs listed in Table 6-3 for their work. PPDD controlled the Silicon Sculptor tool and the PCs as described in Section 6.3. TDMS rented those tool sets from PPDD. The PCs controlling the Silicon Sculptor tool were standalone, and not connected to any network. Use of portable memory devices was strictly controlled. The QC inspector of NICSD witnessed the FPGA implementation work, and checked that the work was performed correctly, and that the checksum generated by the tool was the same as expected after the implementation work. A label, which uniquely identified the FPGA, was attached to the FPGA chip after the implementation work.

#### Storage of logic embedded FPGAs

The logic embedded FPGAs were kept in desiccators placed in the dedicated room until being mounted on the printed circuit boards. The dedicated room was locked with the key when TDMS workers were absent.

#### Module assembly

The identification of each FPGA, which had the label showing unique identification on it, was traced and recorded throughout the module assembling process.

#### Transportation and storage of modules

TDMS sent the modules to PPDD. After the receiving inspection by PPDD was finished, the modules were sent to the test area of PPDD. After the Module Validation Testing was finished, PPDD sent the modules to NICSD. Then, the receiving inspector of NICSD performed the receiving inspection of the modules. During transportation and storage, the modules were packed in static shielding bags. At the Module Validation Testing and the receiving inspection by NICSD, the identification of each FPGA, which had the label showing unique identification on it, was checked and recorded to ensure that the FPGAs in which the logic specified by NICSD was embedded were the ones supplied to NICSD.

Through the security review for this phase, the NICSD IV&V Team concluded that security measures taken in this phase were acceptable.

## 9.6 Software Safety Analysis Report (SSAR) Review

The NICSD Software Safety Team prepared FC51-3704-1108 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (Module Validation Testing Phase)" (Reference (56)). The NICSD IV&V Team reviewed the NICSD SSAR.

The NICSD SSAR concluded as follows.

- As a result of the safety analysis of this phase, the NICSD Software Safety Team concluded that the test results demonstrated that the modules performed the safety functions specified in the Module Design Specifications as expected in the Module Test Procedures. Thus, the remaining risk identified in the Implementation and Integration Phase is considered to be less than the acceptable level. The NICSD Software Safety Team did not find any additional hazards through the review of the Module Validation Testing.
- The remaining issue is whether the OPRM unit operates as a unit, and performs the safety functions defined in the EDS (Reference (20)) and the OPRM Unit DDS (Reference (29)) after the OPRM unit is integrated.
- The NICSD Software Safety Team performs an analysis by reviewing the System Validation Testing to ensure that software safety requirements have been implemented and to demonstrate that required levels of system safety have been successfully maintained in the System Validation Testing Phase.

The NICSD IV&V Team agreed with these conclusions of the NICSD Software Safety Team. The NICSD IV&V Team concluded that the NICSD SSAR for the Module Validation Testing Phase was acceptable.

## 9.7 Monitoring of Metrics

The NICSD IV&V Team monitored the same metrics as Section 5.7 for the FPGA Test Procedures and the Module Test Procedures.

(1) Number of changes applied for the design documents

No design document was changed.

(2) Number of open items carried to the next phase

[ ] open items were carried from the previous phase.

One open item related to the RTMs for the Module Validation Testing Phase was identified through the RTM effort as reported in Section 9.3.

Thus, a total of [ ] open items were carried over to the next phase.

(3) Number of open items closed in the current phase

No open item from the previous phase was closed in this phase.

(4) Number of Site Corrective Action Requests (SCARs)

[ ] was issued regarding the VHDL Source Code Review activities mentioned in Section 8.13.

(5) Number of Site Nonconformance Notice Reports (SNNRs)

No SNNR was issued in this phase.

(6) Number of problems found during V&V testing

[ ] problems were found by the module testers during the Module Validation Testing, such as deviations of the test results from the expected outputs or deviations from the test procedures during the module tests. The module testers reported those problems using Problem Report Sheets in accordance with E-68016. PPDD disposed of all problems.

## 9.8 Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

Through the V&V activities of this phase, the NICSD IV&V Team did not identify a risk related to design and safety analysis activities. There were no recommendations or suggestions for the NICSD SD Team and the NICSD Software Safety Team.

## 9.9 Conclusions of Module Validation Testing Phase V&V Activities

The NICSD IV&V Team confirmed that NICSD V&V activities had been performed in accordance with the NICSD VVP, and concluded that the NICSD V&V activities for the Module Validation Testing Phase were completed in an acceptable manner. The NICSD IV&V Team confirmed all the modules of the OPRM unit performed the safety functions required in the MDSs.

The NICSD IV&V Team identified that [ ] open items remained in the Module Validation Testing Phase V&V activities as reported in Section 8.7 (3). Those open items are not considered to have a negative effect in the System Validation Testing Phase as long as these open items are notified to the engineers, and are able to be resolved by reviewing the revised documents.

## 9.10 Updating of Module Validation Testing Phase V&V Activities

## 9.10.1 Additional Module Validation Testing

PPDD performed additional module testing for the new TRN and RCV modules implementing CRC, using the same test procedures as for the older TRN and RCV modules. Table 9-5 lists the modules, module types, and module serial numbers.

| Module Name | Model Type    | Module Serial Number |
|-------------|---------------|----------------------|
| TRN Module  | HNS0531B00001 | 1212828256           |
| TRN Module  | HNS0531B00001 | 1212828257           |
| RCV Module  | HNS0541B00001 | 1212828262           |
| RCV Module  | HNS0541B00001 | 1212828263           |

## 9.10.2 Document Reviews

The NICSD IV&V Team reviewed the test reports for the new TRN and RCV modules listed in Table 9-6. The NICSD IV&V Team determined that the testing was performed in accordance with the test procedures, and that the test result was acceptable.

| Document No.   | Rev. | Document Name (Type)                                                  | Preparer      | Independent Reviewer | DVR No.        |
|----------------|------|-----------------------------------------------------------------------|---------------|----------------------|----------------|
| ATC-104085     |      | TRN module Test Record (Module Serial No. 1212828256 and 1212828257) | H. Kai        | H. Kitazono          | FC51-0904-1414 |
| ATC-104087     |      | RCV module Test Record (Module Serial No. 1212828262 and 1212828263) | H. Kai        | K. Kasai             | FC51-0904-1415 |
| 6F8H3062       | 2    | TRN module User's Manual                                              | M. Yanagisawa | H. Kitazono          | FC51-0904-1406 |
| 6F8H3062       | 3    | TRN module User's Manual                                              | M. Yanagisawa | H. Kitazono          | FC51-0904-1412 |
| 6F8H3063       | 2    | RCV module User's Manual                                              | T. Nishiguchi | K. Kasai             | FC51-0904-1407 |
| 6F8H3063       | 3    | RCV module User's Manual                                              | T. Nishiguchi | K. Kasai             | FC51-0904-1413 |
| FC51-3704-1108 | 0    | Software Safety Analysis Report                                       | M. Tomitaka   | T. Yonaha            | FC51-0904-1257 |
| FC51-3704-1108 | 1    | Software Safety Analysis Report                                       | M. Tomitaka   | K. Kasai             | FC51-0904-1424 |

## **Table 9-6 Document Reviewed**

## 9.10.3 Conclusion of Update

The NICSD IV&V Team confirmed that the V&V activities for the new TRN and RCV modules were performed in accordance with the NICSD VVP (Reference (17)). The NICSD IV&V Team concluded that the new TRN and RCV modules were acceptable.

## **10.** System Validation Testing Phase V&V Activities

After the modules were validated in the Module Validation Testing, the modules and the unit chassis were integrated into the OPRM unit. Test personnel from the Quality Control Group for Nuclear Instrumentation & Control Section (NICS-QC) performed the System Validation Testing under the NICSD IV&V team. Since the OPRM unit is the only constituent of the OPRM system except hardware such as a rack and cables, NICSD does not distinguish the unit validation testing and the system validation testing.

The NICSD IV&V Team performed the System Validation Testing Phase V&V activities in accordance with the NICSD VVP (Reference (17)).

## **10.1** System Validation Testing

The System Test Specification (Reference (59)) specified all test items performed in the factory. The System Validation Testing was performed as part of this testing. The System Validation Test Specification included the following test items.

(1) Hardware Test

The hardware test included visual inspection, dimensional inspection, measurement of insulation resistance, withstand voltage test, burn-in test, power supply voltage adjustment, measurement of consumption current, measurement of inrush current, and power supply voltage/frequency fluctuation test. The acceptance criteria were determined by the NICSD SD Team, and documented in Section 11 of the System Test Specification. The Test Personnel performed the hardware test in accordance with Section 7.1 of the System Test Procedure, and documented the test result in the System Validation Test Record (Reference (62)).

(2) Software Validation Test

The functions of the OPRM unit were tested to demonstrate that the OPRM unit performs the safety functions specified in the EDS (Reference (20)) and the OPRM Unit Detailed Design Specification (Reference (29)). The following subsections report the detailed results of the software validation test.

(3) Prudency Test

The prudency test was performed to check the acceptability of the OPRM unit before the EQ and EMC qualification testing. The acceptance criteria were determined by the NICSD SD Team, and documented in Section 13 of the System Test Specification. The Test Personnel performed the prudency test in accordance with Section 7.4 of the System Test Procedure, and documented the test result in the System Validation Test Record (Reference (62)).

(4) Operability Test

The operability test was performed to check the acceptability of the OPRM unit before the EQ and EMC qualification testing. The acceptance criteria were determined by the NICSD SD Team, and documented in Section 14 of the System Test Specification. The Test Personnel performed the operability test in accordance with Section 7.5 of the System Test Procedure, and documented the test result in the System Validation Test Record.

The NICSD IV&V Team focused on the software validation testing. The following subsections report the details of the software validation testing.

## **10.1.1** Software Validation Test Planning

For the software validation testing, the NICSD IV&V Team prepared the Software Validation Test Plan (SVTP) (Reference (60)) to prescribe the test requirements, test conditions, and test methodologies. The Test Personnel of the NICS-QC as the test engineers of the NICSD IV&V Team prepared the System Validation Test Procedure (Reference (61)) based on the SVTP. The Test Personnel executed the software validation test in accordance with the System Validation Test Procedure.

## 10.1.2 Test System

The test system consists of a test specimen and test equipment. Figure 10-1 shows the test system configuration.

#### 10.1.2.1 Test Specimen

The modules listed in Table 9-1 and the components listed in Table 10-1 constituted the test specimen, except for the CRC and Response Time Tests in Section 10.1.7.5, where the newer TRN and RCV modules listed in Table 9-5 were used instead of the TRN and RCV modules in Table 9-1. NICSD will use these new TRN and RCV modules with CRC for future systems.

The other components in Table 10-1 were an OPRM chassis, two LVPS modules, a DIO module, and two Power Factor Correction modules (PFCs).

The OPRM chassis and the modules in Table 9-1 and Table 10-1 constitute an OPRM unit.

The test specimen is mounted on a test specimen rack.

| Item Name    | Type          | Serial Number | Remark                                                                  |
|--------------|---------------|---------------|-------------------------------------------------------------------------|
| OPRM unit*** | HNU1200B00000 |               | Used in other testing than the response time test in Section 10.1.7.5.  |
| OPRM unit*** | HNU1200B00001 |               | Included TRN and RCV modules with CRC. Used in the response time test.  |
| OPRM chassis | 22890-375     | 5312101000/AA |                                                                         |
| LVPS module* | HNS0500B00000 | 1282858       |                                                                         |
| LVPS module* | HNS0500B00000 | 1282859       |                                                                         |
| DIO module*  | HNS0520B00000 | 1202803706    |                                                                         |
| PFC**        | BPC-10        | 1252373       |                                                                         |
| PFC**        | BPC-10        | 1252374       |                                                                         |

#### Table 10-1 Components of Test Specimen

\*The LVPS and DIO modules were qualified in the NRW-FPGA-Based PRM System Qualification Project.

\*\* The Power Factor Correction modules (PFCs) did not include any FPGA, and were not subject to the software V&V activities.

\*\*\* The OPRM unit type HNU1200B00000 was upgraded to type HNU1200B00001 by replacing the TRN and RCV modules. NICSD did not change the serial number.


## 10.1.2.2 Test Equipment

The test equipment consists of:

[ ]<sup>a,c</sup>

Figure 10-1 Test System Configuration

## **10.1.3** Test Personnel

The Test Personnel performed the software validation testing in accordance with the System Validation Test Procedure (Reference (61)).

## **10.1.4** Standard Settings

The EDS (Reference (20)) specified the nominal setpoints for the OPRM unit parameters. The test personnel performed each test using the setpoints as the standard settings, unless special setpoints were required. One exception to the standard settings was the Confirmation Count setpoint Np. The EDS defined the setpoint as a number of peaks, and specified the setpoint as 10. Since the PBD module counts the number of peaks and valleys, the setpoint Np should be 20 to be consistent with the EDS or SDD (Reference (25)). However, Np = 10 was chosen in the standard setting. Because the module validation testing ensured that the PBD module operated correctly for Np meeting the condition $1 < Np \le 99$, use of Np = 10 was justified.

Table 10-2 lists the nominal setpoints of the OPRM unit.

| Parameter                                         | Setpoint |
|---------------------------------------------------|----------|
| Rated power setpoint under which OPRM is bypassed | 30.0%    |
| Core flow setpoint over which OPRM is bypassed    | 60.0%    |
| S1 in ABA & GRA algorithm                         | 1.10     |
| S2 in ABA & GRA algorithm                         | 0.92     |
| DR3 in ABA & GRA algorithm                        | 1.30     |
| Smax in ABA & GRA algorithm                       | 1.30     |
| Tl in ABA & GRA algorithm                         | 0.31 s   |
| Th in ABA & GRA algorithm                         | 2.20 s   |
| Tmin in PBD algorithm                             | 1.0 s    |
| Tmax in PBD algorithm                             | 3.5 s    |
| Te in PBD algorithm                               | 0.15 s   |
| Confirmation Count Np*                            | 10       |
| Sp in PBD algorithm                               | 1.1      |

#### Table 10-2 Nominal Setpoints of OPRM

\* Number of the peaks and valleys in the Normalized Oscillation Signals. Setting Np to 20 is equivalent to the SDD setpoint 10.

## **10.1.5** Input Signals

[ ]<sup>a,c</sup>

The variables [ ]<sup>a,c</sup> were parameters that characterize the test LPRM level. The values of those parameters were appropriately selected for each LPRM level in the testing. NICSD prepared test pattern data files defining the input signal prior to the system validation testing.

## 10.1.6 Test Items

NICSD performed software validation testing for the OPRM to ensure that the integrated software meets the requirements stated in the Equipment Design Specification (EDS) (Reference (20)) and OPRM Unit Detailed Design Specification (OPRM Unit DDS) (Reference (29)).

NICSD configured test items based on these safety functions of OPRM. The NICSD IV&V Team determined features to be tested and test items by reviewing the EDS and Unit DDS. Table 9-3 shows a list of test items.

The NICSD IV&V Team noticed that some of the test items of the System Validation Testing overlapped with test items in the Module Validation Testing. The NICSD IV&V Team focused on the safety-related functions that should be validated as an integrated OPRM system, and that could not be validated until the System Validation Testing.

The following test items were selected:

- Normalized Oscillation Signal Processing
- OPRM automatic bypass condition
- Trip determination function including ABA, GRA, and PBDA trips
- Failure detection and self diagnostics

The functionality of the OPRM unit specified in the EDS and the Unit DDS is verified as features to be tested through the software validation test.

The NICSD IV&V Team has determined in principle that those default values specified in the EDS and the Unit DDS are used as "Standard Settings" for parameters of each test case, and that test patterns are to be set so that OPRM functions for those default values can be evaluated.

As delineated in Section 7.2, the modules in the OPRM unit allow setting of a variety of setpoints, including the setpoints determined in the SDD as system requirements. For setpoints of particular significance which are related to safety functions and may not be adjusted by users according to plant-specific setpoint analyses and operating experiences, the NICSD IV&V Team has considered including a test item to check those parameters by changing them as needed in the software validation test. For example, the NICSD IV&V Team has considered variations of parameters and test patterns that allow users to increase or decrease the value of a parameter (e.g., "Smax" of the ABA algorithm and "Np" of the PBDA algorithm) from its default value, and to check whether the algorithm operates to output an expected value as intended in accordance with the setpoint variation.

The NICSD IV&V Team has performed reviews, and has considered whether there is a certain parameter whose functionality should be verified at the unit level as well for operation purpose. The "Peak and Valley Detection Width Setpoint" used in the peak detection and valley detection functions in the PBDA Trip algorithm prevents the Confirmation Count from unnecessarily counting up or being reset due to LPRM noise. The NICSD IV&V Team has determined that it is important to verify the response of the OPRM unit after making a change to this parameter and thus incorporated this verification in the test item of the PBDA trip.

The OPRM unit has optical inputs from other safety systems, and optical outputs to other safety systems and non-safety systems. Each test item in this SVTP includes checking correct operations of optical communication signals under normal state.

## **10.1.7** System Validation Testing

## **10.1.7.1 Normalized Oscillation Signal Processing**

This test checked the Normalized Oscillation Signals, by entering the LPRM levels into the OPRM unit. The entered LPRM levels were a sine curve or a constant to check the signal processing.

This test checked the calculated Normalized Oscillation Signals in the optical output data, and confirmed that the signals were correctly calculated from the LPRM levels. This test included the cases which simulate:

- the LPRM level is less than its lower-limit;
- the LPRM unit is bypassed;
- an error occurs in the optical data from an LPRM unit.

## 10.1.7.2 OPRM Cell Bypass Test

This test checked whether OPRM cells were bypassed, by making the LPRM levels included in an OPRM cell inoperative. The tester checked the display on the CELL module front panel, and confirmed that the OPRM cells were bypassed when the number of the inoperative OPRM included became less than two.

The NICSD IV&V Team checked the result of the OPRM cell bypass test, and confirmed the result was satisfactory.

## **10.1.7.3 OPRM Automatic Bypass**

This test checked whether the OPRM automatic bypass logic operated correctly, by entering two sets of APRM levels and core flow values. The test confirmed the OPRM automatic bypass signal on the discrete outputs and optical output data from the OPRM unit.

The NICSD IV&V Team checked the result of the OPRM automatic bypass test, and confirmed the result was satisfactory.

## 10.1.7.4 OPRM Trip Test

actual LPRM level signals. The test LPRM level signals were filtered, assigned to each OPRM cell, and converted into Normalized Oscillation Signals every [ ] milliseconds in the OPRM.

### (1) ABA Trip Test

NICSD performed the ABA trip test for several patterns of test LPRM levels.

The first test pattern checked a generation of the ABA trip, entering test LPRM levels, which were prepared using the following values for the parameters described in Section 10.1.5:

Figure 10-2 shows the graphs of the test LPRM level (thick line) and a simulated Normalized Oscillation Signal (thin line), which was calculated from the LPRM level using an office productivity tool, for the ABA trip test. The test LPRM level was flat until it began an oscillation at 10 seconds.

The AGRD module generates an ABA trip using the ABA algorithm, which is explained briefly in Section 9.1.2.2 (2) as a three-step procedure. A peak in the LPRM level appeared around 10.6 seconds, but this peak did not meet the condition of Step 1 of the algorithm. At point "A" around 13.1 seconds, another peak appeared, and around 13.4 seconds the simulated Normalized Oscillation Signal was expected to reach a peak exceeding the setpoint S1 = 1.1. The ABA algorithm identified this peak and the valley around 14.6 seconds at point "B." The period between the peak and valley was about 1.2 seconds, which met the period condition of Step 1. The ABA algorithm then proceeds to Step 2, searching for point "C," where the Normalized Oscillation Signal becomes larger than Smax = 1.30. In this step, if the algorithm fails to identify the point, the algorithm repeats from Step 1. This test pattern was designed so that the ABA algorithm identifies point "C" around 23.1 seconds, where the LPRM level approached 63. Though the value 63 was smaller than $50 \times \text{Smax} = 65$, the Normalized Oscillation Signal was expected to exceed 1.30, because the Normalized Oscillation Signal is the ratio of the filtered flux to the time averaged flux with a six second time constant. While the filtered flux has a small delay from the LPRM level, the time averaged flux is calculated from the filtered flux with a larger delay, and becomes less than 50 around 23.1 seconds, making the Normalized Oscillation Signal larger. Appendix G provides further explanation.


### Figure 10-2 Example of LPRM level for ABA Trip Test

The NICSD IV&V Team reviewed the result of this ABA trip test, and confirmed that the OPRM unit generated ABA trips. The NICSD IV&V Team concluded that the ABA trip test was satisfactory.

### (2) GRA Trip Test

NICSD performed the GRA trip test for several patterns of test LPRM levels. The first GRA trip test checked a generation of GRA trips, entering test LPRM levels prepared using the following values for the parameters described in Section 10.1.5:

Figure 10-3 shows the graphs of the test LPRM level (thick line) and a simulated Normalized Oscillation Signal (thin line), which was calculated from the LPRM level using an office productivity tool, for the GRA trip test. The test LPRM level was flat until it began an oscillation at [ ] seconds.

The AGRD module generates a GRA trip using the GRA algorithm, which is explained briefly in Section 9.1.2.2 (2) as a three-step procedure. At point "A" around [ ] seconds, the LPRM level reached [ ], and the algorithm identified the peak in Step 1. The algorithm identified a valley at point "B." At point "C" around [ ] seconds, the LPRM level became [ ], and the Normalized Oscillation Signal was expected to exceed S3 in Step 2. The algorithm was expected to generate a trip.



### Figure 10-3 Example of LPRM level for GRA Trip Test

[ ] entered the test LPRM levels into the OPRM unit and checked a generation of GRA trips for each OPRM cell in the same manner as for the ABA trip test.

NICSD performed a GRA trip test using a total of [ ]<sup>a,c</sup> test patterns, by changing the parameters of the test LPRM levels, and some setpoints in Table 10-2.

The NICSD IV&V Team reviewed the result of this GRA trip test, and confirmed that the OPRM unit generated GRA trips. The NICSD IV&V Team concluded that the result of the GRA trip test was satisfactory.

### (3) PBDA Trip Test

The test LPRM levels were generated by setting the parameters as below:

Figure 10-4 shows the test LPRM level used as the first pattern to check a generation of a PBDA trip for each OPRM cell.

The PBD algorithm is explained in Section 7.2.

An oscillation began around [ ] seconds. At point "A" around [ ] seconds, the Confirmation Count N or the sum of the peaks and valleys reached 10.

There was one difference in the test setting from the SDD requirement. In the SDD, the PBD algorithm determines a trip when the sum of peaks of the oscillation reaches 10. NICSD made a slight modification to this PBD algorithm to count the sum of peaks and valleys, and implemented it in the PBD module. Therefore, the PBD module should determine a trip when the sum of the peaks and valleys reaches 20, in order to meet the SDD requirement. The trip determination made when the sum of the peaks and valleys reaches the setpoint is just a comparison of the Normalized Oscillation Signal ST with Sp as explained in Section 7.2.1, and does not depend on the sum of the peaks and valleys. In this trip test, the OPRM was expected to generate a PBDA trip at point "B." Though this setpoint is different from the SDD requirement, this test demonstrated that the OPRM detected oscillation of the OPRM levels for all OPRM cells.



### Figure 10-4 Example of LPRM level for PBDA Trip Test

NICSD performed a PBDA trip test using a total of [ ] test patterns, by changing the parameters of the test LPRM levels, and some setpoints in Table 10-2. In one test pattern, the Confirmation Count N was set to 20, and the [ ] entered this test LPRM level into LPRMs assigned to a selected OPRM cell.

The NICSD IV&V Team reviewed the test procedures and test reports, and concluded that the OPRM trip tests ensured the OPRM trip function required in the SDD.

### 10.1.7.5 Response Time Test

This test checked the response time of the OPRM trip, entering [ ]<sup>a,c</sup> LPRM levels of different phases constituting an OPRM cell in accordance with a requirement in FC51-3601-0001 "Procurement Specification for Equipment Qualification and EMC Qualification of Components of Oscillation Power Range Monitor (OPRM)" (Reference (69)).

The NICSD IV&V Team determined the test patterns of the test LPRM levels characterized by the parameters [ ] in Section 10.1.5. The following parameters were commonly used for all test patterns:

TOSHIBA CORPORATION Nuclear Instrumentation & Control Systems Department

]<sup>a,c</sup>

Table 10-3 lists the other parameters for the test patterns, including bf the LPRM levels A, B, C, and D.



**Table 10-3 Test Patterns** 

ac

Note:

] for the test LPRM levels A, B, C, and D.

The NICSD IV&V Team defined the acceptance criterion for the response time verification as follows:

 $\mathbf{R} = \mathbf{A} - \mathbf{B} - \mathbf{L}$ 

where,

R: response time

A: the time when the PBDA trip is generated

B: the time when the LPRM A reaches the peak right before the PBDA trip is generated

L: the theoretical time lag between the peak of the ideal Normalized Oscillation Signal.

NICSD defined the ideal Normalized Oscillation Signal as follows:

- A) Ignore the first Butterworth filter, because this filter is for noise reduction;
- B) Calculate the ideal average flux by averaging the four LPRM levels that passed the first Butterworth filter;
- C) Calculate the ideal time average flux by removing all alternating portions of the ideal average flux, as the effect of the second Butterworth filter; and
- D) Calculate the ideal Normalized Oscillation Signal by (ideal average flux)/(ideal time average flux).

The theoretical time lag was calculated using an office productivity tool, and was verified by comparing it with values that were calculated independently using the numerical computation tool GNU Octave. The ideal Normalized Oscillation Signal does not include any signal processing delay. As is the case of the ABA trip test in Section 10.1.7.4 and as explained in Appendix G, delays in the time averaged fluxes amplify the Normalized Oscillation Signal when the LPRM levels oscillate in a certain range of frequencies, and lead to an earlier trip than the theoretical OPRM system without any delay. The test patterns in Table 10-3 were evaluated not to generate an earlier trip.

a.c

The OPRM system was expected to generate a trip within milliseconds compared with the theoretical OPRM system that would generate trips based on the ideal Normalized Oscillation Signal. The response time test confirmed that the OPRM met this criterion for the test pattern in Table 10-3.

The NICSD IV&V Team concluded the test result was satisfactory.
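The response time evaluation described in this section (R = A - B - L, with the ideal Normalized Oscillation Signal built by steps A to D) can be reproduced as follows. This is an added example, not NICSD's spreadsheet or Octave calculation: it assumes sinusoidal LPRM levels of one common frequency, takes L as the lag from the peak of LPRM A to the next peak of the ideal signal, and uses constructed values rather than those of Table 10-3. The closed-form lag is cross-checked by a sampled search, in the same spirit as the independent verification mentioned above.

```python
"""Theoretical time lag L and response time R = A - B - L (added example)."""
import cmath
import math

# Each LPRM level is modelled as mean + amplitude * sin(2*pi*f*t + phase).
# Tuples are (mean, amplitude, phase_rad); the first entry is LPRM A.
# Constructed values, not taken from Table 10-3.
CONSTRUCTED_PATTERN = [
    (50.0, 5.0, 0.0),                 # LPRM A
    (50.0, 5.0, -math.radians(30)),   # LPRM B
    (50.0, 5.0, -math.radians(60)),   # LPRM C
    (50.0, 5.0, -math.radians(90)),   # LPRM D
]
CONSTRUCTED_FREQ_HZ = 0.5


def ideal_normalized_signal(t, freq_hz, lprm):
    """Ideal Normalized Oscillation Signal at time t, following steps A-D."""
    omega = 2 * math.pi * freq_hz
    # Step A: the noise-reduction filter is ignored, so raw levels are used.
    # Step B: ideal average flux = mean of the four LPRM levels.
    average = sum(m + a * math.sin(omega * t + p) for m, a, p in lprm) / len(lprm)
    # Step C: ideal time average flux = what remains once every alternating
    # part is removed, i.e. the mean of the constant parts.
    time_average = sum(m for m, _, _ in lprm) / len(lprm)
    # Step D: ratio of the two.
    return average / time_average


def lprm_a_first_peak(freq_hz, lprm):
    """First time >= 0 at which LPRM A (entry 0) reaches its peak."""
    omega = 2 * math.pi * freq_hz
    return ((math.pi / 2 - lprm[0][2]) / omega) % (1 / freq_hz)


def lag_analytic(freq_hz, lprm):
    """L in closed form: sinusoids of one frequency add as phasors."""
    omega = 2 * math.pi * freq_hz
    period = 1 / freq_hz
    phasor = sum(a * cmath.exp(1j * p) for _, a, p in lprm)
    if abs(phasor) < 1e-12:
        # Phases cancel: the ideal signal is flat and has no peak to lag behind.
        raise ValueError("alternating parts cancel; lag is undefined")
    lag = ((lprm[0][2] - cmath.phase(phasor)) / omega) % period
    # Guard against a lag of zero being reported as one full period.
    return 0.0 if period - lag < 1e-12 else lag


def lag_numeric(freq_hz, lprm, step_s=1e-3):
    """L by brute force: scan one period starting at the LPRM A peak."""
    start = lprm_a_first_peak(freq_hz, lprm)
    samples = int(round((1 / freq_hz) / step_s))
    best = max(
        range(samples),
        key=lambda k: ideal_normalized_signal(start + k * step_s, freq_hz, lprm),
    )
    return best * step_s


def response_time(trip_time_s, freq_hz, lprm):
    """R = A - B - L, where A is the observed PBDA trip time."""
    period = 1 / freq_hz
    first_peak = lprm_a_first_peak(freq_hz, lprm)
    # B: the last LPRM A peak at or before the trip time A.
    cycles = math.floor((trip_time_s - first_peak) / period)
    peak_before_trip = first_peak + cycles * period
    return trip_time_s - peak_before_trip - lag_analytic(freq_hz, lprm)


if __name__ == "__main__":
    lag = lag_analytic(CONSTRUCTED_FREQ_HZ, CONSTRUCTED_PATTERN)
    check = lag_numeric(CONSTRUCTED_FREQ_HZ, CONSTRUCTED_PATTERN)
    # 10.80 s is a constructed trip time, not a measured one.
    r = response_time(10.80, CONSTRUCTED_FREQ_HZ, CONSTRUCTED_PATTERN)
    print(f"L analytic = {lag:.4f} s, L numeric = {check:.4f} s, R = {r:.4f} s")
```

The resulting R is what would be compared with the acceptance limit; that limit is not reproduced here.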

### **10.1.8** Software Validation Test Reporting

The Test Personnel documented the system validation test result in FC51-7501-1001 "System Validation Test for NRW-FPGA-Based I&C System Qualification Project" (Reference (62)).

The NICSD IV&V Team reviewed and evaluated the System Validation Test Record, and documented the result in FC51-7513-1002 "Software Validation Test Report" (Reference (63)). The System Validation Test Report included test configurations, as well as the result of the tests.

### **10.2** Document Reviews

The NICSD IV&V Team reviewed the NICSD SSAR (Reference (68)) in Table 10-4.

| Document No.   | Rev. | Document Name (Type)            | Preparer    | Independent Reviewer | DVR No.        |
|----------------|------|---------------------------------|-------------|----------------------|----------------|
| FC51-3704-1114 | 0    | Software Safety Analysis Report | M. Tomitaka | T. Yonaha            | FC51-0904 1343 |
| FC51-3704-1114 | 1    | Software Safety Analysis Report | M. Tomitaka | K. Kasai             | FC51-0904-1425 |
| FC51-3704-1114 | 2    | Software Safety Analysis Report | M. Tomitaka | K. Kasai             | FC51-0904-1452 |

#### **Table 10-4 Documents Reviewed**

Section 10.1 describes the System Validation Testing; for the NICSD SSAR, see Section 10.6.

### **10.3** Test Equipment Software Review

The NICSD IV&V Team reviewed the test equipment software used for the System Validation Testing.

Test personnel from the NICS-QC tested the OPRM test tool in accordance with a test specification prepared by NISD, and recorded their results in a test record. The NICSD IV&V Team reviewed the test specification and the test record, and confirmed that test equipment software was acceptable.

NISD controlled the two types of test equipment software. The NICSD IV&V Team confirmed that NISD appropriately performed the configuration control of the test equipment software in accordance with NQ-2003 "Procedure for Control of Software Tools" (Reference (57)).

### **10.4** System Validation Testing Phase RTM efforts

(1) Preparation of RTM

The NICSD SD Team traced the requirements in the EDS (Reference (20)) and the OPRM Unit DDS (Reference (29)) to the System Test Specification (Reference (59)) and Software Validation Test Plan (SVTP) (Reference (60)). The NICSD SD Team prepared the RTM for the System Validation Testing Phase (Reference (66)). See Appendix F for an example of the System Validation Testing Phase RTM.

(2) Compilation of the System Validation Testing Phase RTM Report

The NICSD IV&V Team documented the RTM review result in the RTM report (FC51-3704-1116) (Reference (67)).

The NICSD IV&V Team visually checked those snapshots of the RTM to review the forward traceability.

Through the review of the RTM for this phase, the NICSD IV&V Team confirmed that all the OPRM unit requirements specified in the EDS and the OPRM Unit DDS were traced to the System Test Specification and SVTP.

No open item remained on the RTM for the System Validation Testing Phase.

### **10.5** Result of Security Review

The NICSD IV&V Team carried out a security review as planned in Section 5.7.6 of the NICSD VVP (Reference (17)) in accordance with NICSD NQ-2037 (Reference (10)). The NICSD IV&V Team held a security assessment meeting as a part of this security review, and confirmed that the security requirements in NQ-2037 were satisfied.

(1) Access control to System Validation test deliverables

The NICSD IV&V Team confirmed that the access control to the System Validation test deliverables was maintained in the same manner as reviewed in Section 5.5.

(2) Security control of personal computers

The NICSD IV&V Team confirmed that the security control of personal computers was maintained in the same manner as reviewed in Section 5.5.

(3) Identification of digital safety system's weakness and vulnerability

The NICSD IV&V Team checked that the System Validation Testing tested the key switch operation, which was identified as the security measure of the OPRM unit identified in the EDS (Reference (20)), and the parameter setting functions of the OPRM unit.

The NICSD IV&V Team did not find any weakness or vulnerability of the OPRM unit in this phase.

(4) Remote-access control to digital safety system

As reported in Section 8.9 (4), the NICSD IV&V Team had already confirmed that the TRN and RCV modules related to communication had one-way communication only and their external communication was limited.

(5) Control of development environment

The NICSD IV&V Team checked the security measures taken by NICS-QC at the test area. The test PCs used for the System Validation Testing were standalone, and isolated from external networks. Use of portable memory devices was strictly controlled. The NICSD IV&V Team confirmed that the security of the test PCs was appropriately controlled.

### 10.6 Software Safety Analysis Report (SSAR) Review

The NICSD Software Safety Team prepared FC51-3704-1114 "Nuclear Instrumentation & Control Systems Department Software Safety Analysis Report for Safety-Related Oscillation Power Range Monitor (OPRM) (System Validation Testing Phase)" (NICSD SSAR (System Validation Testing Phase)) (Reference (68)). The NICSD IV&V Team reviewed the NICSD SSAR.

The NICSD SSAR described that software safety activities discovered several hazards during the lifecycle phases; however, the use of correct design and implementation process combined with the V&V activities and testing mitigated and minimized the risks caused by the hazards. The NICSD SSAR concluded the risk of using this OPRM in ABWR plants was minimal.

The NICSD IV&V Team agreed with the conclusion. The NICSD IV&V Team concluded that the NICSD SSAR for the System Validation Testing Phase was acceptable as the final safety analysis report for the OPRM equipment.

### 10.7 Hardware V&V

The NICSD IV&V Team performed independent reviews of the OPRM Unit DDS (Reference (29)), which included the unit hardware design, and the MDSs listed in Table 7-1 in accordance with NQ-2030 (Reference (55)).

### **10.8** Monitoring of Metrics

(1) Number of changes applied to the design documents

The NICSD IV&V Team examined the changes applied to revisions of the EDS through the development, and classified them into the three types as described in Section 5.7.

Table 10-5 lists the number of changes applied to Revision 1 of EDS.

| Document Name | Revision | Corrections | Additions | Others | Total |     |
|---------------|----------|-------------|-----------|--------|-------|-----|
| EDS           |          | 1           |           |        |       | a,c |
| EDS           |          |             |           |        |       |     |
| EDS           |          |             |           |        |       |     |
| EDS           |          | 1           | 1         |        |       |     |

 Table 10-5 Numbers of Changes applied to Revisions of EDS

The trend showed that the number of the changes decreased in the later revisions. The NICSD IV&V Team considered the EDS became stable.

(2) Number of open items closed in the current phase

All [ ] open items from the previous phases were closed in this phase. The closed open items include:

- [ ] open items related to the OPRM Unit User's Manual carried from the Requirements Definition Phase reported in Section 5.5 (2) were closed in this phase.
- [ ] open items, which were related to the comments on the RTM of the Design Phase carried from the Design Phase, were closed in this phase.
- [ ] open item related to the comments on the FPGA Design Specifications found in the code review carried from the Implementation and Integration Phase was closed in this phase.
- [ ] open item related to the RTMs for the Module Validation Testing Phase was closed in this phase.

(3) Number of open items

No open items were left.

(4) Number of Site Corrective Action Requests (SCARs)

The following SCARs were closed.

(5) Number of Site Nonconformance Notice Reports (SNNRs)

No SNNR was issued in this phase.

(6) Number of problems found during V&V testing

were issued to correct errors of the SVTP (Reference (60)). Those anomalies were disposed of by revision of the SVTP prior to the completion of the test activities.

### **10.9** Findings, recommendations, and suggestions to reduce any risk identified in the V&V activities

The NICSD IV&V Team reviewed the System Validation Testing documents, and noticed that some of the tests overlapped with the Module Validation Testing in what the tests validated. The OPRM trip tests included cases in which the values of one or more setpoints were selected other than the nominal setpoint values in Table 10-2. These test cases provided additional confidence in the OPRM functions. However, the NICSD IV&V Team considered that the FPGA testing and the Module Validation Testing had already validated that each module operates correctly within any setpoint values allowed in their design. The System Validation Testing using the nominal setpoint values validated the OPRM functions as a system. The NICSD IV&V Team considers that the System Validation Testing together with the Module Validation Testing ensured the functions of other OPRM systems, which are of different configuration or of different setpoints from the OPRM system tested in this Validation Testing.

### **10.10** Conclusions of System Validation Testing Phase V&V Activities

The NICSD IV&V Team confirmed that the System Validation Testing had been performed in accordance with the SVTP (Reference (60)), and the result of the testing was acceptable.

The NICSD IV&V Team concluded the completion of the System Validation Testing.

### 11. Conclusions

The NICSD IV&V Team confirmed that all V&V activities for the OPRM system had been completed in accordance with the NICSD VVP (Reference (17)). The V&V activities had been performed through the following phases:

- (1) Project Planning and Concept Definition Phase
- (2) Requirements Definition Phase
- (3) Design Phase
- (4) Implementation and Integration Phase
- (5) Module Validation Testing Phase
- (6) System Validation Testing Phase

Among these phases, the Design Phase through the Module Validation Testing Phase were mainly performed by PPDD, a commercial vendor. The NICSD IV&V Team verified all the planned activities throughout the phases, including the phases performed by PPDD. The V&V activities included document reviews, requirements traceability efforts, security reviews, FPGA testing, module validation testing, and system validation testing.

In the performance of the V&V activities, the following issues were raised:

- Test cases for some FPGAs did not meet the toggle coverage criteria
- Design was changed to add the CRC function to the communication modules

The NICSD IV&V Team repeated necessary V&V activities to resolve the issues in accordance with the NICSD VVP and the applicable QA procedures.

Some of the project-specific planning documents, such as the NICSD SMP and VVP, were updated during the project. The NICSD IV&V Team confirmed that all V&V activities complied with the latest revisions of the planning documents.

Some QA procedures were updated during the project period. The NICSD IV&V Team confirmed that each activity was completed using the revision applicable at the date of its completion. For some cases, to which appropriate corrections were needed, SCARs were issued. Those SCARs were closed in accordance with the QA procedures.

The NICSD IV&V Team confirmed that the V&V activities provided sufficient confidence that the OPRM met the requirements in the SDD and the intentions for use. The NICSD IV&V Team concluded that the OPRM system was appropriate for safety-related use for ABWR plants.

### Appendix A Project Planning and Concept Definition Phase RTM

Figure A-1 shows an example of the Project Planning and Concept Definition Phase RTM.


### Figure A-1 Example of Project Planning and Concept Definition Phase RTM

Figures A-2 and A-3 were remade to enhance Parts A-I and A-II of Figure A-1, so that they can be read.

| SDD ID | SDD Requirement ID | System Design Description |
|--------|--------------------|---------------------------|
| [ ]<sup>a,c</sup> |         |                           |

### Figure A-2 Part A-I of Figure A-1

| EDS ID | Equipment Design Specification |
|--------|--------------------------------|
| [ ]<sup>a,c</sup> |                     |

### Figure A-3 Part A-II of Figure A-1

Figure A-2 includes an OPRM trip requirement in the SDD Section 4.2.4.3.1, and Figure A-3 includes part of the decomposed requirements in the EDS Section 5.2.2.3.5. The Project Planning and Concept Definition Phase RTM traced each SDD requirement on the left-hand side to one or more decomposed EDS requirements on the right-hand side. A single SDD requirement was sometimes traced to a considerable number of EDS requirements. In fact, the number of EDS requirements traced from the SDD requirement R02-YYY was greater than shown in Figure A-1, and the remaining EDS requirements were listed in the subsequent sheets of the RTM.

In Figures A-2 and A-3, a set of numbers such as "FC51-1001-0001-1460" consists of the project document number "FC51-1001-0001" and a serial number "1460" used in the Doors<sup>®</sup> requirement management tool.

### **Appendix B Requirements Definition Phase RTM**

Figure B-1 shows an example of the Requirements Definition Phase RTM.



### Figure B-1 Example of Requirements Definition Phase RTM

Figure B-2 was remade to enhance Parts B-I and B-II of Figure B-1; Figure B-3 was remade to enhance Parts B-III and B-IV of Figure B-1.

| EDS ID | EDS Section | Equipment Design Specification |
|--------|-------------|--------------------------------|
|        |             |                                |

### Figure B-2 Part B-I and B-II in Figure B-1

| OPRM Unit DDS ID | OPRM Unit DDS Section | OPRM Unit Detailed Design Specification |
|------------------|-----------------------|-----------------------------------------|
| [ ]<sup>a,c</sup> |                      |                                         |

### Figure B-3 Part B-III and B-IV of Figure B-1

Figure B-2 includes the two EDS requirements identified as 5.2.2.3.5.0-21 and 5.2.2.3.5.0-24, which are traced from the SDD as described in Appendix A. Figure B-3 shows Unit DDS specifications that partly succeed the EDS requirements. The EDS requirement 5.2.2.3.5.0-21 is traced to the Unit DDS requirements identified as 5.2.2.0-27 and 5.2.2.0-32; the EDS requirement 5.2.2.3.5.0-24 is traced in part to the Unit DDS requirement identified as 5.2.2.0-29.

### Appendix C Design Phase RTM

Figure C-1 shows an example of the Module Design RTM, the portion that succeeds the Unit DDS specification FC51-3702-1000-424.





### FC51-3704-0001 Rev.9 FC51-3704-1001 Rev.12

| Unit DDS ID | OPRM Unit DDS Section | OPRM Unit Detailed Design Specification | Object Identification | MDS (Module Design Specification) |
|-------------|-----------------------|-----------------------------------------|-----------------------|-----------------------------------|
|             |                       |                                         |                       |                                   |

### Figure C-2 Part C-I of Figure C-1

Figure C-2 was remade to enhance Part C-I of Figure C-1, showing how the Unit DDS specifications in Section 5.2.2.0-29 (ID FC51-3702-1000-421) and 5.2.2.0-32 (ID FC51-3702-1000-424) in Figure B-3 are decomposed and traced into the AGRD MDS (PPDD document number 5G8HC105). The Unit DDS specification identified as FC51-3702-1000-421 is traced to a specification identified by a set of the MDS document number and a serial number 5G8HC105-4244, which is written in Section 5.2.3. Similarly the Unit DDS specification identified by 5G8HC105-4244, 5G8HC105-4244, 5G8HC105-4351, 5G8HC105-4385, and 5G8HC105-4404, written in respective Sections 6.1.1, 6.1.2, 6.1.3, 6.1.4, and 6.1.6.

The MDS specification 5G8HC105-4244 is an output specification, and requires the AGRD module to provide a trip signal determined in the AGRD module including the Amplitude-Based Detection Algorithm trip, which is identified by MDS specifications 5G8HC105-4289, 5G8HC105-4304, 5G8HC105-4351, 5G8HC105-4385, and 5G8HC105-4404. Since MDS specification 5G8HC105-4244 is an output specification, it is validated in the Module Validation Testing. The MDS specifications 5G8HC105-4289, 5G8HC105-4385, and 5G8HC105-4364, 5G8HC105-4351, 5G8HC105-4289, 5G8HC105-4304, 5G8HC105-4351, 5G8HC105-4385, and 5G8HC105-4244 are data processing specifications, and are validated with the MDS specification 5G8HC105-4244 simultaneously in the Module Validation Testing.

The MDS specification 5G8HC105-4351 marked as Part C-II of Figure C-2 is decomposed into FPGA specifications. Figure C-3 shows an example of the FPGA Design RTM developed by PPDD. Figure C-3 partially corresponds to Part C-II of Figure C-2. The AGRD MDS specifications are decomposed and allocated to [ ] FPGAs. Part C-III of Figure C-3 shows the titles of columns corresponding to these [ ] FPGAs, i.e., [ ] FPGAs. The MDS specification in Section 6.1.3 is a comparator specification, and is decomposed into the [ ] FPGA.

Figure C-4 was remade to enhance and translate Part C-IV of Figure C-3 and a part of the subsequent RTM sheet, showing how the MDS specification in Section 6.1.3 of the AGRD MDS is decomposed into [ ]<sup>a,c</sup> FPGA specifications.

Figure C-3 shows an example of the FPGA Design RTM.

a,c

### Figure C-3 Example of FPGA Design RTM


a,c

### Figure C-4 Part C-IV of Figure C-3

### **Appendix D Implementation and Integration Phase RTM**

Figure D-1 shows an example of the FPGA Test Procedure RTM.



### Figure D-1 Example of FPGA Test Procedure RTM


a,c

### Figure D-2 Part D-I of Figure D-1

Figure D-2 was remade to enhance and translate Part D-I of Figure D-1 and a part of the subsequent RTM sheet, showing how the FPGA Test Procedure covers Section 3.12 of the FPGA Design Specification describing the peak detection.

The [ ]<sup>a,c</sup> FPGA Test Procedure describes the following test items to check the peak detection function.

a,c

### **Appendix E Module Validation Testing Phase RTM**

Figure E-1 shows an example of the Module Validation Testing Phase RTM.



### Figure E-1 Example of Module Test Phase RTM

| MDS ID | AGRD Module Design Specification | Object Identification | AGRD Test Procedure |
|--------|----------------------------------|-----------------------|---------------------|
|        |                                  |                       |                     |

Figure E-2 was remade to enhance Part E-I of Figure E-1. The MDS ID 5G8HC105-4244 in Section 5.2.3, which is explained in Appendix C-1, is traced to four test cases in the [] Test Procedure, identified by 5T8H7621-51, 5T8H7621-52, 5T8H7621-56, and 5T8H7621-57. These test cases checked the output of the ABA and GRA trip signals.

Figure E-2 Part E-I of Figure E-1

### **Appendix F System Validation Testing Phase RTM**

Figure F-1 shows an example of the System Validation Testing Phase RTM.



Figure F-1 Example of System Validation Testing Phase RTM

The RTM shows the traceability between the SDD requirements, the EDS specification and requirements (labeled "EDS ID"), the unit detailed design specifications and requirements (labeled "Unit DDS ID"), and the validation testing. Figure F-1 takes SDD requirements R01-132 and R02-YYY as examples, which are as follows:

### R01-132

Continuously monitors the OPRM cell value and detects thermal hydraulic instability by the Amplitude Based detection Algorithm (ABA), Growth Rate detection Algorithm (GRA), and Period Based Detection Algorithm (PBDA) (generate signals that represent neutron flux oscillation).

### R02-YYY

The OPRM unit shall generate Amplitude-Based Maximum Trip and Growth Rate-Based Trip signals for each cell as negative logic signals using the algorithm drawn on the upper half of figure 4.1.

SDD Requirement R01-132 was decomposed into two EDS requirements, FC51-3002-1000-744 and FC51-3002-1000-748; FC51-3002-1000-744 was traced to an item in FC51-7012-1003 "Software Validation Test Plan," identified by FC51-7012-1003-24; FC51-3002-748 was validated in the Module Validation Testing. SDD Requirement R02-YYY was decomposed into six EDS requirements, and all these requirements were validated in the Module Validation Testing Phase.

### **Appendix G ABA Trip Testing**

Section 10.1.7.4 explained the ABA trip testing, in which the test LPRM level entered into the OPRM does not seem high enough to trigger an ABA trip. This appendix provides additional explanation of the ABA trip testing.

Figure G-1 shows the filtered flux (thin line) and the time averaged flux (thick line) calculated from the test LPRM level shown in Figure 10-2. An office productivity tool was used to calculate the filtered flux and the time averaged flux, because these two fluxes were calculated internally in the CELL module and were not available outside it.



The filtered flux was obtained from the LPRM level by applying the first Butterworth filter, which has a cutoff frequency of 1.0 hertz. This first filter delays the filtered flux slightly relative to the original LPRM level. The time averaged flux is calculated by sampling the four filtered fluxes belonging to the OPRM cell at milliseconds cycle, and applying the second Butterworth filter with a 6.0 seconds time constant, or a cutoff frequency of 0.167 hertz. For these test LPRM levels, the four filtered fluxes were the same, so one filtered flux is enough. As can be seen in Figure G-1, this second filter introduces a relatively large delay to the time averaged flux, almost inverting its phase relative to the filtered flux. As a result, when the filtered flux approaches a peak, the time averaged flux approaches a valley. The Normalized Oscillation Signal is calculated as follows:

$$\text{Normalized Oscillation Signal} = \frac{\text{Filtered Flux}}{\text{Time Averaged Flux}}$$

The smaller values of the time averaged flux around its valleys amplified the peaks of the Normalized Oscillation Signal in the ABA trip test, and triggered a trip.
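The phase effect described above can be reproduced numerically. The following is an added example, not code or data from this document: the function names are hypothetical, and it assumes second-order Butterworth filters, a 10 ms sampling cycle, and a constructed 0.5 Hz LPRM oscillation of 30 % amplitude around a mean of 50 (not the Figure 10-2 test input).

```python
import math

def butter2_lowpass(x, fc, fs):
    """2nd-order Butterworth low-pass via bilinear transform (order is an assumption)."""
    k = math.tan(math.pi * fc / fs)
    norm = 1.0 / (1.0 + math.sqrt(2.0) * k + k * k)
    b0 = k * k * norm
    a1 = 2.0 * (k * k - 1.0) * norm
    a2 = (1.0 - math.sqrt(2.0) * k + k * k) * norm
    x1 = x2 = y1 = y2 = x[0]  # start at steady state: input held at x[0] before t=0
    out = []
    for xn in x:
        yn = b0 * (xn + 2.0 * x1 + x2) - a1 * y1 - a2 * y2
        x2, x1, y2, y1 = x1, xn, y1, yn
        out.append(yn)
    return out

def aba_phase_demo(mean=50.0, amp=0.3, f_osc=0.5, fs=100.0, seconds=60.0):
    """Constructed LPRM oscillation -> filtered flux, time averaged flux, normalized signal."""
    n = int(seconds * fs)
    lprm = [mean * (1.0 + amp * math.sin(2.0 * math.pi * f_osc * i / fs)) for i in range(n)]
    filtered = butter2_lowpass(lprm, 1.0, fs)            # first filter: 1.0 Hz cutoff
    averaged = butter2_lowpass(filtered, 1.0 / 6.0, fs)  # second filter: 0.167 Hz cutoff
    period = int(round(fs / f_osc))
    last = range(n - period, n)                          # one settled oscillation period
    i_f = max(last, key=lambda i: filtered[i])           # filtered-flux peak
    i_a = max(last, key=lambda i: averaged[i])           # time-averaged-flux peak
    return {
        "lag_deg": ((i_a - i_f) % period) * 360.0 / period,
        "averaged_at_filtered_peak": averaged[i_f],
        "peak_over_static_mean": filtered[i_f] / mean,
        "peak_normalized": max(filtered[i] / averaged[i] for i in last),
    }

if __name__ == "__main__":
    for key, value in aba_phase_demo().items():
        print(f"{key}: {value:.3f}")
```

Under these assumptions the time averaged flux lags the filtered flux by roughly 150 degrees and sits below its mean when the filtered flux peaks, so the normalized peak exceeds the peak measured against a constant mean.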
