PSNN-2015-0053

The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

TOSHIBA CORPORATION
NUCLEAR ENERGY SYSTEMS & SERVICES DIV.

Toshiba Project Document No.: FC51-1505-1000    Rev. No.: 0

NRW-FPGA-Based I&C System Qualification Project
Technical Evaluation Report

Title: Preliminary Technical Evaluation Report for FPGA-based Safety-Related Systems

Customer Name: None
Project Name: NRW-FPGA-Based I&C System Qualification Project
Item Name: OPRM Equipment
Item Number: C51
Job Number: 9P04482
Applicable Plant: None
Document filing No.: 5B8K0034
Prepared by: Systems Development & Designing Group
Initial Issue Date, Issued by, Approved by, Reviewed by: handwritten on the cover (illegible in this copy)

TOSHIBA NICSD verified this Document. Verification method, Verification Report No., Verified by, Group Name and Date: handwritten on the cover (illegible in this copy).

TOSHIBA CORPORATION
Nuclear Instrumentation & Control Systems Department
1/30

Record of Revisions

Rev No. | Date | Description | Approved by | Reviewed by | Prepared by
0 | See cover page | Initial issue | See cover page | See cover page | See cover page

Table of Contents

1 Introduction
1.1 Purpose
1.2 Scope
2 Definitions and Abbreviations
2.1 Definitions
2.2 Abbreviations
3 References
4 Safety Functions and Design Requirements
4.1 Safety Functions and Safety Classification of System
4.2 Design Requirements for System
4.3 Environmental Considerations
5 Identification of CGIs and CGSs
5.1 System Configuration
5.2 Functional Classification of Items
5.3 Functional Classification of Services
5.4 Identification of CGI
5.5 Identification of CGS
6 Determination of Critical Characteristics for Design
6.1 Determination Process of Critical Characteristics for Design
6.2 Critical Characteristics for Design of CGIs
7 Technical and Quality Requirements for CGI and CGS
7.1 Technical Requirements
7.2 Quality Requirements
8 Identification and Verification of Critical Characteristics for Acceptance
8.1 Identification of CCA and Verification Method for CGI
8.2 Identification of CCA and Verification Method for CGS
8.3 Environmental Conditions Qualification
9 Vendor Evaluation
9.1 Evaluation of FPGA Logic
9.1.1 Preliminary Evaluation
9.2 Evaluation of FEs
9.2.1 Preliminary Evaluation
9.3 Evaluation of Software Development Tools Control Process
9.3.1 Preliminary Evaluation
9.4 Software Coding Conventions and Guidelines Document Review

1 Introduction

1.1 Purpose

The purpose of this report is to document the results of the technical evaluation and acceptance activities performed by the Nuclear Instrumentation & Control Systems Department (NICSD) for the Commercial Grade Items (CGIs) and Commercial Grade Services (CGSs) used for the Non-Rewritable (NRW) Field Programmable Gate Array (FPGA)-based Instrumentation and Control (I&C) Qualification Project.

1.2 Scope

The equipment within the scope of this evaluation is the Oscillation Power Range Monitor (OPRM) for the NRW-FPGA-based I&C Qualification Project.

In accordance with the methods specified in the Commercial Grade Dedication (CGD) Plan (Reference (16)) and AS-200A110 (Reference (4)), this report documents the safety classification of the system and identifies the Critical Characteristics for Design (CCD) typically applicable to the components comprising the system (i.e. the whole component). This report also identifies the Critical Characteristics for Acceptance (CCA) and the acceptance methods, as an acceptance plan that provides the acceptance process typically applicable to the components comprising the system. This report is first issued as a Preliminary Technical Evaluation Report (PTER). It is revised as needed to reflect the results of the dedication activities performed as the project progresses, and upon project completion it is revised to summarize all the dedication activities of the project and issued as a Final Technical Evaluation Report (FTER).

2 Definitions and Abbreviations

2.1 Definitions

Basic component: (1)(i) When applied to nuclear power plants licensed under 10 CFR part 50 or part 52 of this chapter, basic component means a structure, system, or component, or part thereof that affects its safety function necessary to assure:

(A) The integrity of the reactor coolant pressure boundary;

(B) The capability to shut down the reactor and maintain it in a safe shutdown condition; or

(C) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to those referred to in § 50.34(a)(1), § 50.67(b)(2), or § 100.11 of this chapter, as applicable.

(ii) Basic components are items designed and manufactured under a quality assurance program complying with appendix B to part 50 of this chapter, or commercial grade items which have successfully completed the dedication process.

(Definitions (2) and (3) are omitted.)

(4) In all cases, basic component includes safety-related design, analysis, inspection, testing, fabrication, replacement of parts, or consulting services that are associated with the component hardware, design certification, design approval, or information in support of an early site permit application under part 52 of this chapter, whether these services are performed by the component supplier or others.
[This definition is extracted from 10 CFR 21 (Reference (1)).]

Commercial grade item: (1) When applied to nuclear power plants licensed pursuant to 10 CFR Part 30, 40, 50, 60, commercial grade item means a structure, system, or component, or part thereof that affects its safety function, that was not designed and manufactured as a basic component. Commercial grade items do not include items where the design and manufacturing process require in-process inspections and verifications to ensure that defects or failures to comply are identified and corrected (i.e., one or more critical characteristics of the item cannot be verified). (Definition (2) is omitted.)
[This definition is extracted from 10 CFR 21 (Reference (1)).]

(3) For the purpose of this procedure, commercial grade item also means a commercial service that was not intended to be relied upon as an activity affecting quality, or was not considered part of a basic component (e.g., safety-related design, analysis, inspection, testing, or fabrication that is associated with a basic component). (This is the definition of a commercial grade service.)
[This definition is extracted from NQ-4001 (Reference (9)).]

Commercial-Off-The-Shelf (COTS): This term (COTS) is defined to be software purchased from a vendor, which is not modified to support plant requirements, but may be configured to support plant requirements. This definition does not vary for safety or nonsafety life cycles.
[This definition is extracted from the NICSD Software Management Plan (SMP) (Reference (15)).]

In this plan, the Functional Elements (FEs) are treated as previously developed COTS software.

Functional Element (FE): A Functional Element is a component of digital logic that is completely verified and validated through full pattern testing, i.e. tests that are performed for all possible input combinations. An FE is written in Very High Speed Integrated Circuit Hardware Description Language (VHDL). All VHDL source code for the NRW-FPGA-based System consists solely of FEs and the interconnect between FEs.
[This definition is extracted from the NICSD SMP (Reference (15)).]

Module: A part of a unit. Each module consists of one or more printed circuit boards, on which the FPGAs and other circuitry are mounted, and a front panel.
[This definition is extracted from the NICSD SMP (Reference (15)).]

Previously Developed Software (PDS): This term (PDS) is defined to be software that a vendor wrote, or purchased from another vendor, at an earlier date, which might be used as-is, or more likely will be modified to support plant requirements. This definition does not vary for safety or nonsafety life cycles.
[This definition is extracted from the NICSD SMP (Reference (15)).]

In this plan, FPGA logic is treated as PDS.

Unit: A major component of FPGA-based equipment. A unit is a chassis that has front slots and back slots to mount modules. Each unit consists of several modules. There is a vertical middle plane between the front and back slots in each unit. This plane consists of two circuit boards. These circuit boards provide backplanes for the front and rear modules. Modules plug into the backplanes using connectors. Once a module is plugged into the appropriate connector, it exchanges data with other modules in the unit, connects to other units and any external field equipment, and is powered.
[This definition is extracted from the NICSD SMP (Reference (15)).]
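Full pattern testing, as the Functional Element definition in Section 2.1 uses the term, means applying every one of the 2^n input combinations of a combinational element and checking each result against an independent reference model. The following is an added example, not code from this report or from Toshiba's FE library: the 2-out-of-4 coincidence voter is a hypothetical element chosen only because it is small enough to show the whole pattern space, and the report does not state that the OPRM uses such logic. The example also shows why the exhaustive sweep matters for a safety-related element: a gate-level defect that drops one product term passes a hand-picked test set and is found only by full pattern testing.

```python
"""Added example: full pattern (exhaustive) testing of a small combinational
logic element, in the sense used by the Functional Element definition.
The 2-out-of-4 voter is hypothetical; it is not from the report or Toshiba."""
from itertools import product


def voter_2oo4_gates(a, b, c, d):
    """Gate-level 2-out-of-4 coincidence: OR of the six pairwise ANDs,
    written the way a synthesized VHDL element would be netlisted."""
    return (a & b) | (a & c) | (a & d) | (b & c) | (b & d) | (c & d)


def voter_2oo4_missing_term(a, b, c, d):
    """Same element with the (c AND d) product term dropped: the kind of
    wiring or edit error that leaves almost all behaviour intact."""
    return (a & b) | (a & c) | (a & d) | (b & c) | (b & d)


def voter_2oo4_spec(a, b, c, d):
    """Reference model written from the requirement ('trip when at least two
    channels trip'), independent of the gate structure under test."""
    return int(a + b + c + d >= 2)


def pattern_count(n_inputs):
    """Number of input combinations full pattern testing must apply."""
    return 2 ** n_inputs


def full_pattern_test(dut, spec, n_inputs):
    """Apply every input combination to the device under test and compare
    with the reference model. Returns (patterns_applied, failing_patterns)."""
    failing = []
    applied = 0
    for pattern in product((0, 1), repeat=n_inputs):
        applied += 1
        if dut(*pattern) != spec(*pattern):
            failing.append(pattern)
    return applied, failing


# A hand-picked 'typical' test set, constructed for this example: idle,
# one channel tripped, then an increasing number of tripped channels.
SAMPLED_PATTERNS = [(0, 0, 0, 0), (1, 0, 0, 0), (1, 1, 0, 0),
                    (1, 1, 1, 0), (1, 1, 1, 1)]


def sampled_test(dut, spec, patterns):
    """Run only the listed patterns; returns those that fail."""
    return [p for p in patterns if dut(*p) != spec(*p)]


if __name__ == "__main__":
    for name, dut in (("correct", voter_2oo4_gates),
                      ("missing (c AND d) term", voter_2oo4_missing_term)):
        applied, failing = full_pattern_test(dut, voter_2oo4_spec, 4)
        print(f"{name}: {applied} patterns applied; sampled-test failures "
              f"{sampled_test(dut, voter_2oo4_spec, SAMPLED_PATTERNS)}; "
              f"full-pattern failures {failing}")
    # Why an FE is kept small: a 32-input element needs this many patterns.
    print("patterns for 32 inputs:", pattern_count(32))
```

Running the block shows the defective element passing all five sampled patterns and failing exactly one of the sixteen exhaustive ones, (0, 0, 1, 1), the single case in which only the dropped pair is asserted. The count for 32 inputs is the reason an element that is to be verified this way must be kept to a few inputs, with larger logic built as interconnect between fully tested elements rather than as one element.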

2.2 Abbreviations

ADS Automatic Depressurization System
APRM Average Power Range Monitor
ATWS Anticipated Transient Without Scram
CC Critical Characteristic
CCA Critical Characteristics for Acceptance
CCD Critical Characteristics for Design
CDI Commercial Dedication Instruction
CDR Critical Digital Review
CFR Code of Federal Regulations
CG Commercial Grade
CGD Commercial Grade Dedication
CGI Commercial Grade Item
CGS Commercial Grade Service
C of C Certificate of Conformance
COTS Commercial-Off-The-Shelf
DDS Detailed Design Specification
EDS Equipment Design Specification
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
EPRI Electric Power Research Institute
EQ Equipment Qualification
ELCS Engineered Safety Features (ESF) Logic and Control System
ESF Engineered Safety Features
FD Flat Display
FE Functional Element
FPGA Field Programmable Gate Array
FTER Final Technical Evaluation Report
I&C Instrumentation and Control
IV&V Independent Verification and Validation
LPRM Local Power Range Monitor
M&TE Measuring and Test Equipment
NED Nuclear Energy Systems & Services Division
NICSD Nuclear Instrumentation & Control Systems Department
NICS-QA Quality Assurance Group for Nuclear Instrumentation & Control Systems
NMS Neutron Monitoring System
NQ Nuclear Quality
NRW Non-Rewritable
OPRM Oscillation Power Range Monitor
PCB Printed Circuit Board
PDS Previously Developed Software
PFC Power Factor Correction module
PPDD Power Platform Development Department
PRNM Power Range Neutron Monitor
PTER Preliminary Technical Evaluation Report
QA Quality Assurance
QVL Qualified Vendor List
RFI Radio Frequency Interference
RPS Reactor Protection System
RTIS Reactor Trip and Isolation System
RTM Requirements Traceability Matrix
SDD System Design Description
SD Team Software Development Team
SMP Software Management Plan
SOE Sequence of Event
SQA Software Quality Assurance
SRNM Startup Range Neutron Monitor
SS Team Software Safety Team
TDR Transient Data Recorder
TDMS Toshiba Design and Manufacturing Service Corporation
USNRC United States Nuclear Regulatory Commission
V&V Verification and Validation
VHDL Very High Speed Integrated Circuit Hardware Description Language
VNNR Vendor Nonconformance Notice Report

3 References

(1) USNRC 10 CFR 21, "Reporting of Defects and Noncompliance."
(2) EPRI TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants," December 1996
(3) USNRC Regulatory Guide 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," Rev. 1, October 2003
(4) Toshiba Nuclear Energy Systems and Services Division AS-200A110, "Procedure for commercial grade items and services"
(5) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2015, "Preparation Procedure for RTM and RTM Report"
(6) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2025, "Preparation Procedure for Procurement Document for CG Items & Services"
(7) Toshiba Nuclear Instrumentation & Control Systems Department NQ-2037, "Cyber Security Procedure of Safety Related Digital System"
(8) Toshiba Nuclear Instrumentation & Control Systems Department NQ-3017, "Measuring and Test Equipment Control Standard"
(9) Toshiba Nuclear Instrumentation & Control Systems Department NQ-4001, "Commercial Grade Dedication"
(10) Toshiba Power Platform Development Department E-68016, "PPDD Procedural Standard for FPGA Products Development"
(11) Toshiba Power Platform Development Department E-68017, "PPDD Procedural Standard for FPGA Device Development"
(12) Toshiba Power Platform Development Department E-68018, "PPDD Procedural Standard for Functional Element Development"
(13) Toshiba Power Platform Development Department E-68019, "PPDD Procedural Standard for FPGA Configuration Management"
(14) Toshiba Power Platform Development Department E-68020, "PPDD Procedural Standard for Control of Software Tools for FPGA-based Systems"
(15) Toshiba Project Document Number FA32-3702-1000, "Nuclear Instrumentation & Control Systems Department Software Management Plan for FPGA-based Safety-Related Systems," Rev. 0
(16) Toshiba Project Document Number FA32-7021-1000, "Commercial Grade Dedication Plan for FPGA-based Safety-Related Systems," Rev. 1
(17) Toshiba Project Document Number FC51-3002-1000, "System Design Description Neutron Monitoring System," Rev. 1
(18) Toshiba Project Document Number FC51-1001-1000, "Equipment Design Specification for Power Range Neutron Monitor," Rev. 0
(19) "Survey/Audit Report," (SE09SR-001 R0)
(20) "Survey/Audit Report," (SE09SR-002 R0)
(21) "Survey/Audit Report," (SE09SR-004 R0)
(22) "Survey/Audit Report," (SE10SR-001 R0)
(23) "Survey/Audit Report," (SE10SR-001a R0)
(24) "Evaluation Report," (SAER10-002)
(25) "Evaluation Report," (SAER10-004)
(26) "Evaluation Report," (SAER11-002)
(27) "Commercial Grade Survey Checklist," (SE10SC-001a Rev. 1)
(28) Toshiba Power Platform Development Department, "Input/Output document list 5B8H7065, Rev. 6"
(29) Toshiba Power Platform Development Department, "Input/Output document list 5B8H7200, Rev. 7"
(30) Toshiba Power Platform Development Department, "Input/Output document list 5B8H7200, Rev. 11"
(31) "Vendor Nonconformance Notice Report," (SVNNR-11-001)
(32) "Vendor Nonconformance Notice Report," (SVNNR-11-002)
(33) Toshiba FPG-DRT-C51-0006, "Actel's CDR Report," Rev. 0
(34) Toshiba 7A32-3613-0001, "Updated Critical Digital Review of Actel FPGA Software Tools," Rev. 0

Notice: When NED, NICSD and other Toshiba internal standards listed above that have no specific revision are applied, the latest revision shall be used.

4 Safety Functions and Design Requirements

4.1 Safety Functions and Safety Classification of System

The parent component of the OPRM is the Neutron Monitoring System (NMS).

The purpose of the Neutron Monitoring System (NMS) is "... to monitor power generation and, for the safety function part of the NMS, to provide trip signals to the Reactor Protection System (RPS) to initiate reactor scram under excessive neutron flux (and power) increase condition (high level) or neutron flux fast rising (short period) condition. The NMS also provides power information of operation and control of the reactor to ( ) ( )," as described in Section 3.2 of the System Design Description (SDD) (Reference (17)) provided by the Nuclear Energy Systems & Services Division (NED).

The NMS consists of three safety-related subsystems: the Startup Range Neutron Monitor (SRNM), the Local Power Range Monitor (LPRM), and the Average Power Range Monitor (APRM), which includes the Oscillation Power Range Monitor (OPRM). The LPRM, OPRM, and APRM are collectively called the Power Range Neutron Monitor (PRNM).

Section 3.1.1 of the SDD specifies the safety-related functions of the NMS. Based on the requirements in Section 3.1.1 of the SDD, NICSD identified the safety-related functions of the PRNM system in Section 4.1.1 of the Equipment Design Specification (EDS) (Reference (18)). The following are the safety-related functions of the PRNM system; item (3) lists the safety-related functions of the OPRM.

(1) Generate the following signals:
- LPRM Level, which represents a local neutron flux
- APRM Level, which represents an average neutron flux
- Simulated Thermal Power
- Core Flow Level
- Neutron flux oscillation

(2) Generate the following trip signals, as the APRM and Core Flow measurement functions, and provide them to the Reactor Trip and Isolation System (RTIS):
- APRM Upscale Flux Trip
- Simulated Thermal Power Upscale Trip
- APRM Inoperative
- Core Flow Rapid Coastdown Trip (bypassed when thermal power is less than a specific value)

(3) Generate the following trip signals, as OPRM functions, and provide them to the Reactor Trip and Isolation System (RTIS):
- Growth Rate-Based Trip
- Amplitude-Based Maximum Trip
- Period-Based Trip
- OPRM Inoperative

(4) Generate the Anticipated Transient Without Scram (ATWS) Permissive signals and provide them to the Engineered Safety Features (ESF) Logic and Control System (ELCS) for Automatic Depressurization System (ADS) inhibit.

(5) Provide the data signals, bypass state, trip state, annunciator and operation state to the ELCS Flat Display (FD).

As described in Section 3.2.1 of the SDD (Reference (17)), the safety-related NMS subsystems (i.e. the LPRM, APRM and OPRM comprising the PRNM system) are classified as safety class 3 (class 1E) and seismic category I.

4.2 Design Requirements for System

Design requirements for the PRNM System, including the OPRM, are specified in the SDD (Reference (17)). NICSD specified the equipment design for the PRNM System and documented the design in the EDS for PRNM (Reference (18)). The EDS provides design requirements for the lower-level equipment, called units, comprising the system, which include the design requirements for the OPRM.

4.3 Environmental Considerations

As described in Section 3.3.6 of the SDD (Reference (17)), "The equipment constituting NMS shall satisfy the functions specified by this specification for use in the Reactor Building and Control Building under normal, abnormal, accident, and post accident conditions. Post accident conditions are not applied to equipment used in the Control Building. NMS equipment shall be designed and qualified in accordance with EPRI TR-107330 (Reference (2)). All safety-related subsystems of NMS are qualified to minimize both susceptibility to, and generation of, electromagnetic interference (EMI) and radio frequency interference (RFI). The NMS components shall be subjected to tests for EMI, RFI, and surge conditions that conform to the guidelines given in R.G. 1.180 (Reference (3))."

Based on the requirements in Section 3.3.6 of the SDD, NICSD identified the environmental conditions applied to the PRNM system, including the OPRM, in Section 5.5 of the EDS (Reference (18)).

5 Identification of CGIs and CGSs

This section describes the functional classification of each component comprising the target system and of the relevant services, using the methods described in Section 6 of the CGD Plan (Reference (16)). This section also identifies the CGIs and CGSs used for the project.

5.1 System Configuration

This section describes the system configuration of the PRNM system, which is the parent component of the OPRM. The PRNM consists of four divisions with the same configuration. Figure 4-1 of the EDS (Reference (18)) shows a configuration diagram for one PRNM division and the related peripheral systems. One division of the PRNM consists of four Local Power Range Monitor (LPRM) units, one Average Power Range Monitor (APRM) unit, one Oscillation Power Range Monitor (OPRM) unit, and a relay unit. As described in Section 4.1 (3), the PRNM, which is the parent component of the OPRM, performs safety-related functions.

5.2 Functional Classification of Items

This section describes the functional classification of the items comprising the OPRM. The OPRM unit consists of modules and a unit chassis. The detailed module configuration of the OPRM unit is shown in Figure 5-1.

[Figure 5-1 (diagram not reproduced in this copy) shows front and rear views of the OPRM unit: front slots FSL1 to FSL14, power supply slots PSSL1 and PSSL2 with the LVPS modules, the PFC module, the power input connectors, back slots BSL1 to BSL8 holding the TRN, RCV and DIO modules and blank panels, the optical output and optical input connectors, and the discrete input/output cable connector.]

FSL: Front Slot
PFC: Power Factor Correction module
PSSL: Power Supply Slot
BSL: Back Slot

Figure 5-1 Module Configuration of OPRM Unit

The PRNM safety functions are accomplished by a combination of these modules, the unit chassis and the interconnecting cables between the units in the PRNM system. The components comprising the OPRM are classified into the following classes.

(1) Having a safety function

(2) Having an effect on performance of the system safety function

(3) Other than (1) and (2) (non-safety)

Table 5-1 shows the functional classification of the items associated with this project.

Page 13: PSNN-201 5-0053 IZ--USSaetyelaedZ- - NRC: Home Page · IZ--USSaetyelaedZ-PSNN-201 5-0053 The use of the information contained in this document by anyone for any purpose other than

FC51-1505-1000 Rev.0

Table 5-1 Functional Classification of Items

Slot ID Item Name Functional Description Functional ClassificationThis module converts LPRM Levels to Normalized Oscillation

FSL5-7 CELL module Level (safety signal), and provides the data to AGRD and PBD Having a safety functionmodule for trip judgments.This module performs Amplitude-Based Detection Algorithm

FSL8, 9 AGRD module judgment and Growth Rate-Based Detection Algorithm Having a safety functionjudgment (safety functions).

FSL 1, 11 PBD mdule This module performs Period-Based Detection Algorithm Hvn aeyfntoFSL10,11 PBDmodule judgment (safety function). Hvn aeyfnto

This module indicates a power status and input data status onFL4 DAT/ST the front panel. This module multiplexes the serial data fr'om HainasfeyuctoF 14 module modules in OPRM unit, and transmits the multiplexed datavgasfeyunto

(safety related data) to TRN module.This module supplies DC+5V, + i5V power to each module(LVPS 1). This component comprises redundant power supplylines to OPRM unit, and serves as key components to maintain Having an effect on

(Table 5-1, continued from the previous page)

PSSL 1 (LVPS module): ... the Electromagnetic Compatibility (EMC) capability. Multiple failures of the component may cause loss of OPRM unit power, and lead to loss of one division OPRM safety function, or loss of EMC capability. Functional classification: Having an effect on performance of the system safety function.

BSL 4 (DIO module): This module receives discrete input from the trip auxiliary unit and provides the trip signal (safety function) to the trip auxiliary unit. Functional classification: Having a safety function.

BSL 5 (RCV module): This module receives LPRM unit data from the LPRM unit and provides it to the CELL module for processing of Normalized Oscillation Levels (safety signal). Functional classification: Having a safety function.

BSL 6 (RCV module): This module receives APRM level and core flow data from the APRM unit, to be used for the auto-bypass determination in the CELL module. Functional classification: Having an effect on performance of the system safety function.

BSL 7 (TRN module): This module transmits OPRM unit data to ELCS-FD (safety function). Functional classification: Having a safety function.

BSL 8 (TRN module): This module receives OPRM unit data from the DAT/ST module, which has safety functions, and provides the data to the Transient Data Recorder (TDR) and Sequence of Event (SOE). Functional classification: Having an effect on performance of the system safety function.

PSSL 2 (LVPS module): This module supplies DC +5 V and ±15 V power to each module (LVPS2). This component comprises redundant power supply lines to the OPRM unit, and serves as a key component to maintain the EMC capability. Multiple failures of the component may cause loss of OPRM unit power, and lead to loss of one division OPRM safety function, or loss of EMC capability. Functional classification: Having an effect on performance of the system safety function.

N/A (Unit chassis): The unit chassis is used to connect module interfaces for exchanging safety signals between modules in the unit. Functional classification: Having a safety function.

FSL 1-4, 12, 13, BSL 1-3 (Blank panels): Blank panels serve as part of the unit chassis, maintaining seismic and EMC integrity (blank panels are procured from the unit chassis supplier together with the unit chassis). Functional classification: Having an effect on performance of the system safety function.

N/A (Power Factor Correction (PFC) module): Input line filter for the LVPS module. This component comprises redundant power supply lines to the OPRM unit, and serves as a key component to maintain the EMC capability. Multiple failures of the component may cause loss of OPRM unit power, and lead to loss of one division OPRM safety function, or loss of EMC capability. Functional classification: Having an effect on performance of the system safety function.

N/A (Test equipment for qualification tests): Test equipment, such as the panel to mount the test specimen unit and the cables connecting Measuring and Test Equipment (M&TE), used for Equipment Qualification (EQ) testing and EMC qualification testing does not perform any safety function. Functional classification: No safety function.


5.3 Functional Classification of Services

Table 5-2 shows the functional classification of services associated with this project.

The services "Equipment qualification and EMC qualification testing service" and "Calibration Service of Measuring and Test Equipment (M&TE)" affect the performance of the system safety function, and are subject to CGD when procured from commercial suppliers.

Table 5-2 Functional Classification of Services

Equipment qualification and EMC qualification testing service: The equipment qualification and EMC qualification testing service is regarded as a service which has an impact on safety functions. Functional classification: Having an effect on performance of system safety function.

Calibration Service of M&TE: The verification of traceability and calibration of M&TE used in testing which complies with 10 CFR 50 Appendix B becomes a quality record guaranteeing safety functions. Therefore, the calibration services of M&TE have an effect on the performance of the system safety function. The calibration of M&TE shall comply with NQ-3017 (Reference (8)). Functional classification: Having an effect on performance of system safety function.

Transportation Service: The quality of transportation (to the testing facility) of the test specimen for qualification testing may cause physical damage or deterioration of the test specimen, and have an impact on the results of the qualification testing. Because transportation service suppliers who hold an Appendix-B Quality Assurance (QA) program are not available, and it is considered that a Commercial Grade (CG) Survey of commercial transportation service suppliers may not guarantee transportation quality, transportation services are not subject to CGD. Instead, the item quality before and after shipment is secured by controlling the pre-shipment inspection and the field acceptance inspection under the Appendix-B QA program of NICSD. Inspectors from the Appendix-B QA program holder inspect items in accordance with the pre-shipment inspection specification, packing instruction and acceptance inspection specification. Functional classification: Having an effect on performance of system safety function.

5.4 Identification of OGI

This section identifies whether the items comprising the OPRM that have safety functions conform to the definition of CGI, in accordance with the definition of CGI (refer to Section 2.1, Commercial grade item (1)). Table 5-3 shows the result of CGI identification. The components comprising the units (modules, chassis) and the power supply line components are identified as CGIs.

Table 5-3 Identification of CGI

Evaluation questions: (a) Was the item designed and manufactured as a basic component? (b) Does the item include an item whose design and manufacturing process requires in-process inspections and verifications to ensure that defects or failures to comply are identified and corrected? When the evaluation of both is "No", the item is identified as CGI.

Modules (Commercial supplier: Power Platform Development Department (PPDD), Toshiba Design and Manufacturing Service Corporation (TDMS)) and Unit chassis including blank panels (Commercial supplier):
(a) No. The modules and unit chassis used for this project are not designed and manufactured as a basic component. PPDD, which designs and tests the modules and unit chassis, and TDMS, which manufactures them, are not Appendix-B QA program holders. The item specifications are available from the suppliers.
(b) No. Defects and failures to comply in the modules and unit chassis are detectable by reviewing the results of supplier testing, and by checking the operation in the unit testing, system testing and EQ testing performed by NICSD.
CGI? CGI.

Power Supply Line Components (LVPS module, PFC) (Commercial supplier):
(a) No. These components can be procured from commercial suppliers.
(b) No. Defects and failures to comply in these components are detectable by reviewing the results of supplier testing, and by checking the operation in the unit testing, system testing and EQ testing performed by NICSD.
CGI? CGI.

5.5 Identification of CGS

This section identifies whether the services having safety functions, classified in Section 5.3, conform to the definition of commercial grade service (refer to Section 2.1, Commercial grade item (3)). Table 5-4 shows the result of CGS identification. The Calibration Service of M&TE is identified as CGS.

Table 5-4 Identification of CGS

Evaluation question: Is the service intended to be relied upon as an activity affecting quality, or considered part of a basic component? When the evaluation is "No", the service is identified as CGS.

Equipment qualification and EMC qualification testing service (Supplier: Appendix-B QA program holder): Yes. Testing services are not identified as CGS because the services will be performed by Appendix-B QA program holders. Appendix-B QA program holders have responsibility for controlling and maintaining the qualification test equipment and facilities in accordance with their Appendix-B QA program and the special requirements provided in the procurement document from NICSD. CGS? Not CGS.

Calibration Service of M&TE (Supplier: Commercial supplier): No. NICSD plans to procure the calibration service of M&TE from commercial suppliers. This service is identified as CGS. CGS? CGS.

6 Determination of Critical Characteristics for Design

This section determines typical CCDs applied to commercial grade items.

6.1 Determination Process of Critical Characteristics for Design

Safety-related functions of the parent component that are specified in the EDS (Reference (18)) shall be considered when determining CCDs for each CGI. The PRNM system is installed in a mild environment, and is seismically qualified. The PRNM shall meet performance requirements during and after exposure to the seismic event specified in the EDS. Equipment Qualification (EQ) requirements and Electromagnetic Compatibility (EMC) qualification requirements are design conditions to be considered, since those requirements are necessary to determine the CCs, which are derived for satisfying them. Those qualification requirements are, however, not CCs in themselves.

6.2 Critical Characteristics for Design of CGIs

Typical CCDs applicable to CGIs are as follows:

* Physical Characteristics (Dimension, Mass, Mounting, General configuration and shape)
* Performance (Safety-related function, Response time, Fault management and diagnostics)

Detailed CCDs for each item and the reason for selecting each CCD shall be documented in the Commercial Dedication Instruction (CDI).

As described in Section 7.2 of the CGD Plan (Reference (16)), FPGA-based modules need special attention when identifying CCDs. Dependability becomes significantly more important when dedicating digital equipment. "Dependability" is a CCD of the FPGA-based module. The acceptance activities for verification of the dependability of the FPGA-based system are described in Section 8.

7 Technical and Quality Requirements for CGI and CGS

This section describes the methods to determine technical requirements and quality requirements for each CGI and CGS. NICSD ensures that the technical requirements and quality requirements indicated in this section are correctly translated into the procurement documents for each CGI and CGS.

7.1 Technical Requirements

The EDS (Reference (18)) specifies the technical requirements and environmental conditions for the PRNM system, and NICSD employs the EDS as the source of specifications required for each item. Based on the information in the EDS, NICSD establishes technical requirements for the OPRM Unit, and documents a Unit Detailed Design Specification (Unit DDS) that specifies technical requirements for modules and unit chassis. The supplier module specifications described in the Module Design Specification shall be traceable to the module requirements described in the Unit DDS. NICSD and the module supplier (i.e. Power Platform Development Department (PPDD)) shall confirm the traceability of requirements using a Requirements Traceability Matrix (RTM). The technical specifications of the connectors and cables are defined based on the interface specifications of the module and unit chassis, and the specifications of the commercial supplier.

NICSD shall define technical requirements for each CGI and CGS in procurement documents.

7.2 Quality Requirements

The general quality requirements to be described in the procurement document of each item and service are given in NQ-2025 (Reference (6)). The specific Quality Assurance (QA) requirements for FPGA development are described in the subsections of Section 9. Section 6.2 of NQ-3017 (Reference (8)) provides the quality requirements to be described in the procurement document for the calibration service of M&TE.

NICSD shall define quality requirements for each CGI and CGS in procurement documents.

8 Identification and Verification of Critical Characteristics for Acceptance

This section determines typical CCAs applied to items and services, and provides guidance on verification methods and acceptance activities.

8.1 Identification of CCA and Verification Method for CGI

This section determines typical CCAs applied to the CGI, and the basic concept of applying acceptance methods, acceptance criteria and frequency. Detailed CCAs for each item and the acceptance method shall be documented in the Commercial Dedication Instruction (CDI).

(1) Verification of Simple Characteristics

Relatively simple CCDs such as "Dimension" and "Mass" can be verified as CCAs by measurement at receiving inspection or by testing after receipt (Method 1). Special tests and inspections (Method 1) are a recurring activity.

(2) Verification of CC Depending on Supplier Testing

If some CCDs can be measured as CCAs by supplier testing, and NICSD intends to receive a Certificate of Conformance (C of C) and the supplier's test record during receiving inspection, the following supplier processes to control the CC shall be verified through a Commercial Grade (CG) survey (Method 2). The CG Survey is a periodic activity.

* Document Control
* Inspection and Test Control
* Measuring and Test Equipment (M&TE) Control

(3) Verification of "Dependability" of FPGA modules

To verify the dependability of FPGA modules, the following CCAs related to the supplier's capability to control the CC shall be verified through a CG Survey (Method 2). The CG Survey is a periodic activity.

* "Built-in Quality" through structured and controlled quality assurance processes for: design,testing, manufacturing, error tracking, problem reporting, and failure management. Thefollowing supplier's process to control CC shall be verified through CG survey (Method 2).

)• Design Control

)" Manufacturing and Processes

)• Inspection and Test Control

SMeasuring and Test Equipment Control:

>• Software Control

FE Development Process

Software Development Tool Control

To support the verification of "Built-in Quality," the following activities are performed as necessary.

  > Oversight of design review meetings
  > Review of supplier documents
  > Oversight of supplier testing
  > Critical Digital Review (CDR) of PPDD and Actel (Microsemi)

* "Configuration Control and Traceability of Software and Hardware"The following supplier's process to control CC shall be verified through CG survey (Method2).

>} Design Control

)• Procurement Control (for verification of hardware configuration)

>Material Identification and Control (for verification of hardware configuration)

SInspection and Test Control

SSoftware Control

FE Development Process

Software Development Tool Control

To support the verification of "Configuration Control and Traceability of Software and Hardware," the following activity is performed as a recurring activity.

  > Witness of FPGA implementation at Toshiba Design and Manufacturing Service Corporation (TDMS)


As described in Section 7.2 of the CGD Plan (Reference (16)), in order to supplement the verification of FPGA-based module dependability, the supply chain of the FPGA devices, which are critical parts for implementing the safety functions, shall be thoroughly evaluated. The FPGAs used in Toshiba FPGA-based systems are from Microsemi (Actel)'s SX-A series. The supply chain of these FPGA devices (traced backward from NICSD) is as follows:

* NICSD purchases FPGA-based modules comprising safety-related I&C systems from PPDD.
* The FPGA logic embedded in the FPGA on the module printed circuit board is designed and tested by PPDD. PPDD procures the service of manufacturing the modules designed by PPDD from Toshiba Design and Manufacturing Service Corporation (TDMS).
* TDMS procures parts, including FPGA chips, for module assembly from Microsemi, a commercial supplier.
* Microsemi supplies FPGA chips to TDMS via Tachibana Eletech, a distribution agent in Japan.

NICSD does not deal with TDMS and Microsemi directly. NICSD shall, however, consider evaluation of the supply chain that exists beyond the point of its purchase order to PPDD as a part of the evaluation of PPDD, in order to assure the quality and reliability of the modules purchased from PPDD. Evaluation items for the supply chain include the following:

* Design control and configuration control implemented by PPDD, to ensure that PPDD supplies the modules specified in NICSD's procurement documents
* Quality control and manufacturing control implemented by TDMS, to ensure that TDMS procures the parts specified by PPDD, assembles modules using those parts and supplies those modules to PPDD
* Control of orders received and inventory, and distribution management, implemented by Tachibana Eletech, which is Microsemi's distribution agent in Japan
* Material procurement control, manufacturing control and test control implemented by Microsemi (Actel), to assure that Microsemi always supplies the FPGAs specified by PPDD with a high and consistent quality

8.2 Identification of CCA and Verification Method for CGS

This section determines the CCAs and acceptance activities applied to CGS.

(1) Types of CGS

Calibration service of M&TE is specified as CGS in Section 5.5.

(2) Potential failures in the performance of services

The potential failures in the performance of "Calibration service of M&TE" are as follows:

* Technician inadequacies in calibrating equipment
* Calibration standards not traceable to national standards
* Improper calibration procedure

(3) CCA, Verification Method and Acceptance Activity applicable to CGS

The CCAs applied to CGS are as follows.

* Controls over the service

Suppliers are required to have the following capabilities to control potential failures.

  > Adequacy of Measurement Standards
  > Calibration Procedures
  > Environmental Controls
  > Intervals of Calibration
  > Calibration Status
  > Calibration Sources
  > Subcontractor Calibration
  > Storage and Handling
  > Out-of-Tolerance and Corrective Actions
  > Adequacy of the Calibration System
  > Records

The CG Survey (Method 2) verifies the CCA concerning the control capability of this supplier. The CG Survey is a periodic activity.

8.3 Environmental Conditions Qualification

Equipment qualification testing and EMC qualification testing are performed as a type test using a test specimen. Successful completion and continued application of qualification testing verifies that the item is capable of performing its intended safety function. Any time a design change is made to the item, or the item is used in another application, the impact on all previous qualification programs shall be evaluated to determine whether re-qualification is required.

The NICSD Software Development (SD) Team or the responsible design engineers shall identify in the CDI, after the qualification test, a test report which shows successful compliance with the qualification test requirements. If any changes are made to a configuration as a result of the qualification test, the NICSD SD Team or the responsible design engineers shall identify the post-change baseline in the CDI. The NICSD SD Team or the responsible design engineers evaluate any changes to an item that are made after baseline establishment, determine the need for an additional qualification test, and document the evaluation result in the CDI. In order to continuously purchase items with the same configuration, the supplier's configuration management shall be verified as a CC.

9 Vendor Evaluation

The NICSD SD Team conducts a vendor evaluation with support from the NICSD Independent Verification and Validation (IV&V) Team, Software Quality Assurance (SQA) Team, Software Safety (SS) Team, and the Quality Assurance Group for Nuclear Instrumentation & Control Systems (NICS-QA). This section reports the result of the vendor evaluation conducted regarding PPDD development activities, including FPGA development, FE development, and software development tool control.

Vendor evaluation results for non-digital component suppliers other than PPDD are documented in CGD Reports.

9.1 Evaluation of FPGA Logic

Results of the vendor evaluation are documented in this section as per the policy for evaluation of FPGA logic described in Section 11.2.1 of the NICSD SMP (Reference (15)), and the policy for verification of the CC related to "Dependability" of an FPGA-based module identified in Section 8.1.

9.1.1 Preliminary Evaluation

(1) Audit for Vendor Qualification of PPDD (conducted in July 2009, Survey/Audit Report No. SE09SR-001 R0 (Reference (19)))

In this audit NICSD reviewed PPDD's QA program and development procedures pertaining to PPDD's FPGA products. During this audit the audit team confirmed that PPDD created an RTM for design documents as a design practice. PPDD, however, did not have any specific procedures for performing RTM activities. Thus NICSD recommended that PPDD perform RTM activities during their development activities in accordance with NQ-2015, which is an NICSD standard, and PPDD accepted this recommendation.

As the result of this audit NICSD registered PPDD in the Qualified Vendor List (QVL).

(2) CG Survey of PPDD (conducted in July 2010, Survey/Audit Report No. SE10SR-001 R0 (Reference (22)))

Since NICSD depends on PPDD's testing process in performing the module validation test, NICSD evaluated the capabilities of PPDD to control the CCs shown below:

* Design Control (including document control)
* Inspection and Test Control
* M&TE Control
* Problem Reporting

In this survey there was one finding and three recommendations. PPDD took corrective action against the finding, accepted the recommendations and improved their process.

As a result of this survey NICSD evaluated PPDD and determined that PPDD controlled those CCs appropriately in accordance with defined procedures.

During this survey NICSD reviewed the implementation status of problem reporting in PPDD. NICSD evaluated PPDD and determined that PPDD used the VNNR to report problems to NICSD and took appropriate actions against those problems.

(3) CG Survey of PPDD (conducted in January 2011, Survey/Audit Report No. SE10SR-001a R0 (Reference (23)))

Since NICSD depends on PPDD's development process in performing FPGA logic and FE development, NICSD evaluated the capabilities of PPDD to control the CCs shown below:

* Software Development Tool Control
* FE Development Process

Evaluation results are detailed in Sections 9.2 and 9.3 herein.

As stated in items (1), (2) and (3) above, NICSD evaluated PPDD through surveys and determined that PPDD had and maintained appropriate development and testing processes. For the application of this OPRM as well, NICSD oversees that PPDD implements appropriate development and testing according to those processes. NICSD conducts an additional CG Survey as needed.

(4) Review of Operating History of PPDD Products

NICSD and PPDD have extensive experience in the operating history of their products for domestic nuclear power plant application, but not for US safety-related application. Therefore the operating history is not evaluated in this technical report. The experience of NICSD and PPDD in the operating history of their products for US safety-related application will be accumulated from now on and evaluated on an ongoing basis.

(5) Vendor Design Package Identification and Additional Requirements for PPDD

The NICSD SD Team will purchase the components (i.e. modules) shown in Table 9-1 below as per the CGD process. The information in Table 9-1 is collected from the following PPDD design package information, submitted by PPDD as requested by the NICSD SD Team.

* Input/Output document list 5B8H7065, Rev.6 (Reference (28))
* Input/Output document list 5B8H7200, Rev.7 (Reference (29))
* Input/Output document list 5B8H7200, Rev.11 (Reference (30))

The NICSD SD Team shall evaluate whether PPDD's design of each module has the potential to meet the module requirements in the OPRM Unit DDS that is prepared in the Requirements Definition Phase, and document the evaluation result in the CDI for each module.

Table 9-1 Design Package Identification at Preliminary Technical Evaluation

Columns: Module Name, Module Type, FPGA Code Name, FPGA Control Sheet, Revision.

RCV module: HNS0541A10000
TRN module: HNS0531A10000
CELL module: HNS0400A00000
AGRD module: HNS0420A00000
PBD module: HNS0430A00000
DAT/ST module: HNS0410A00000
LVPS module: HNS0500A00000 (FPGA code name, control sheet, revision: N/A)
DIO module: HNS0520A10000 (FPGA code name, control sheet, revision: N/A)

FPGA control sheets listed for the FPGA-based modules (the FPGA code names and the assignment of control sheets to individual modules are not legible in this copy): FDFG-06-0069-M Rev.1, FDFG-10-0027-M Rev.1, FDFG-06-0065-M Rev.2, FDFG-06-0066-M Rev.0, FDFG-10-0028-M Rev.1, FDFG-10-0001-M to FDFG-10-0025-M (all Rev.0), FDFG-10-0026-M Rev.1.


These modules were developed under the ISO 9001 QA process but were not verified with the IV&V process under the NICSD Appendix-B QA program. For applying CGD to these modules, NICSD requires PPDD to apply the following procedures, which were evaluated in the CG Survey:

* E-68016 "PPDD Procedural Standard for FPGA Products Development" Rev.10 (Reference (10))
* E-68017 "PPDD Procedural Standard for FPGA Device Development" Rev.7 (Reference (11))
* E-68018 "PPDD Procedural Standard for Functional Element Development" Rev.7 (Reference (12))
* E-68019 "PPDD Procedural Standard for FPGA Configuration Management" Rev.6 (Reference (13))
* E-68020 "PPDD Procedural Standard for Control of Software Tools for FPGA-based Systems" Rev.6 (Reference (14))

The procedure E-68016 was revised in August 2011 after corrective action was taken to address the results of the CG Survey conducted in January 2011. By this revision the procedures for code review and walkthrough were better clarified. The NICSD SD Team evaluated this revision and determined that this change would improve the quality of FPGA product development, and accepted that PPDD use this revised procedure.

PPDD may revise these procedures for improvement. NICSD requires PPDD to report an evaluation of the differences between the original and revised versions when PPDD applies a revised version. This requirement shall be documented in a procurement document.

PPDD issued two Vendor Nonconformance Notice Reports (VNNRs) (SVNNR-11-001 and SVNNR-11-002 (References (31) and (32))) in November 2011. In accordance with those VNNRs, PPDD is taking corrective actions to improve PPDD's development process and to revise the procedure E-68017 at this point of the preliminary evaluation. The NICSD SD Team has evaluated PPDD's problem reporting process and determined that the process is well implemented. The NICSD SD Team is providing oversight of PPDD's corrective actions and necessary support at this point of the preliminary evaluation. The NICSD SD Team shall document the results of those corrective actions in this report.

Modules for the OPRM are commercial grade items developed under an ISO 9000 program. At this stage of preliminary evaluation, before order placement, traceability to the OPRM Unit DDS issued for this project has not yet been confirmed. NICSD requires PPDD to confirm traceability between the requirements specified in the OPRM Unit DDS and the PPDD design, and to create an RTM. This requirement shall be documented in a procurement document.

NICSD also requires PPDD to apply the following NICSD procedures, since PPDD has no specific PPDD procedures for these activities:

* NQ-2015 "Preparation Procedure for RTM and RTM Report" (Reference (5))
* NQ-2037 "Cyber Security Procedure of Safety Related Digital System" (Reference (7))

When creating the RTM, PPDD is allowed to rearrange the composition of sections in PPDD documents to organize the traceability with higher- and lower-level documents, provided that the intended requirements in the original documents are not changed. PPDD is also allowed to delete redundant requirements included in PPDD documents and to clarify ambiguous requirements to ensure traceability with higher- and lower-level documents, again provided that the intended requirements in the original documents are not changed.
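The traceability check that an RTM is meant to support (Sections 7.1 and 9.1.1 (5): every Unit DDS requirement must be implemented by at least one lower-level requirement, and every lower-level requirement must trace back to a real parent) can be stated mechanically. The following is an added example written for this page, not code from the Toshiba report or from PPDD; the requirement identifiers "DDS-n" and "MDS-n", their wording and the sample documents are constructed for illustration. It flags the three defects an RTM review is meant to catch: an untraced parent requirement, an orphan child requirement (such as a redundant duplicate the supplier is allowed to delete), and a child that cites a parent ID that does not exist.

```python
# Added example (not from the Toshiba report): a bidirectional
# requirements-traceability check of the kind an RTM is meant to support.
# Requirement IDs, wording and document names below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    parents: frozenset = frozenset()  # IDs this requirement claims to implement


@dataclass
class TraceReport:
    untraced_parents: list = field(default_factory=list)  # higher-level reqs with no child
    orphans: list = field(default_factory=list)           # lower-level reqs with no parent
    dangling: list = field(default_factory=list)          # (child, parent id not in upper doc)

    @property
    def complete(self) -> bool:
        """True only when traceability holds in both directions."""
        return not (self.untraced_parents or self.orphans or self.dangling)


def check_traceability(upper, lower) -> TraceReport:
    """upper: requirements of the higher-level document (here: OPRM Unit DDS).
    lower: requirements of the lower-level document (here: Module Design
    Specification), each carrying the parent IDs it claims to implement.
    Re-ordering sections or deleting redundant lower-level requirements, as
    the report allows, is acceptable as long as this check still passes."""
    report = TraceReport()
    upper_ids = {r.req_id for r in upper}
    covered = set()
    for child in lower:
        if not child.parents:
            report.orphans.append(child.req_id)
        for pid in child.parents:
            if pid in upper_ids:
                covered.add(pid)
            else:
                report.dangling.append((child.req_id, pid))
    report.untraced_parents = sorted(upper_ids - covered)
    report.orphans.sort()
    report.dangling.sort()
    return report


def rtm_rows(upper, lower):
    """Rows of the RTM: (parent id, child id) for every valid downward trace."""
    upper_ids = {r.req_id for r in upper}
    return sorted((pid, c.req_id) for c in lower for pid in c.parents if pid in upper_ids)


# Constructed sample: three Unit DDS requirements and a first-cut module spec
# containing one duplicate, one mistyped parent reference and one gap.
UNIT_DDS = [
    Requirement("DDS-1", "RCV module receives LPRM unit data and passes it to the CELL module."),
    Requirement("DDS-2", "DIO module provides the trip signal to the trip auxiliary unit."),
    Requirement("DDS-3", "TRN module transmits OPRM unit data to ELCS-FD."),
]
MODULE_DS_DRAFT = [
    Requirement("MDS-1", "RCV: LPRM receive interface.", frozenset({"DDS-1"})),
    Requirement("MDS-2", "DIO: trip output interface.", frozenset({"DDS-2"})),
    Requirement("MDS-3", "DIO: trip output (duplicate wording).", frozenset()),      # orphan
    Requirement("MDS-4", "TRN: ELCS-FD transmit interface.", frozenset({"DDS-9"})),  # typo in parent id
]
# After the supplier deletes the duplicate and fixes the parent reference:
MODULE_DS_FIXED = [
    MODULE_DS_DRAFT[0],
    MODULE_DS_DRAFT[1],
    Requirement("MDS-4", "TRN: ELCS-FD transmit interface.", frozenset({"DDS-3"})),
]

if __name__ == "__main__":
    draft = check_traceability(UNIT_DDS, MODULE_DS_DRAFT)
    print("draft complete:", draft.complete, draft)
    fixed = check_traceability(UNIT_DDS, MODULE_DS_FIXED)
    print("fixed complete:", fixed.complete, rtm_rows(UNIT_DDS, MODULE_DS_FIXED))
```

The draft report lists DDS-3 as untraced, MDS-3 as an orphan and MDS-4 as dangling on "DDS-9"; the corrected module specification passes and yields the three RTM rows. A reviewer would run the check again after each of the document rearrangements the report permits, since those are exactly the edits that silently break a trace.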

Design and test documents for the respective modules and FPGA logic created through the procedures stated above shall undergo a detailed evaluation thereafter in the IV&V process as well as during the RTM effort. The NICSD IV&V Team shall review these documents.

(6) Survey of TDMS

Toshiba Design and Manufacturing Service Corporation (TDMS) is a manufacturer of printed circuit boards (PCBs), and supplies PCBs for the FPGA-based modules in accordance with the purchase order issued by PPDD. Since NICSD recognized that TDMS is a sub-tier supplier important for the quality of the FPGA modules, NICSD surveyed TDMS in June 2009.

The results of the survey were documented in the "Survey/Audit Report" (SE09SR-002 R0) (Reference (20)). TDMS was registered in NICSD's QVL.

NICSD evaluated the following supplier capabilities to assure that TDMS procures the parts specified by PPDD, assembles modules using those parts and supplies those modules to PPDD.

* Design Control (document control and change control)
* Procurement Control
* Material identification and control
* Manufacturing and process control
* Inspection and test control

During the survey, one issue was identified and has been subsequently resolved.

NICSD performed the annual evaluation of TDMS in 2010 and 2011. At both of these annual evaluations, no issues were identified. The results of these annual evaluations were documented in the "Evaluation Report" (SAER10-002 (Reference (24)) and SAER11-002 (Reference (26))). The next survey will be conducted in 2012 prior to manufacturing of the FPGA-based modules for this project.

(7) Survey of Microsemi SoC (formerly Actel)

Actel is Toshiba's sole acceptable FPGA device and related tool supplier for safety-related equipment. Even though NICSD does not purchase these products directly, NICSD performed a survey of Actel in November 2009. The next survey will be conducted in 2012.

The results of this survey of Actel were documented in the "Survey/Audit Report" (SE09SR-004 R0) (Reference (21)). NICSD evaluated the following supplier capabilities to assure that the supplier always supplies the FPGAs specified by PPDD with a high and consistent quality.

* Order entry
* Product design
* Procurement
* Material identification and control
* Document control
* Manufacturing control
* Inspection and testing

The survey report stated that the survey team recognized that the Actel quality system is established, documented and effectively implemented. One new finding and three new recommendations were identified, and all of them were closed on June 10, 2010.

In December 2010, NICSD sent the annual evaluation inquiry to Microsemi SoC Products Group (formerly Actel), who replied in February 2011. The results of the annual evaluation were acceptable and were documented in the "Evaluation Report" (SAER10-004) (Reference (24)). The NICSD SD Team confirmed the evaluation report and concluded that the supplier has maintained the capability to provide items or services since the merger into Microsemi SoC. The NICSD SD Team also concluded that a supplemental survey and CDR of Microsemi SoC (formerly Actel) are not necessary at this point of the preliminary evaluation.

9.2 Evaluation of FEs

Since NICSD depends on PPDD's development process in performing FPGA logic development using FEs, NICSD evaluated the capabilities of PPDD to control their FE development process.

Results of a vendor evaluation are documented in this section as per the policy for evaluation of FEs described in Section 11.2.1 of the NICSD SMP (Reference (15)), and the policy for verification of CC related to "Dependability" of an FPGA-based module which is identified in Section 8.1.

9.2.1 Preliminary Evaluation

(1) CG Survey of PPDD (Conducted in January 2011, Survey/Audit Report No. SE10SR-001a (Reference (23)))

On the survey the following reviews were conducted using Section 10.1 of SE10SC-001a (Reference (27)) to verify the supplier's controls over "FE Control." The number of recommendations and findings is shown in parentheses.

* Review of development process (1 recommendation)
* Review of documentation (3 recommendations)
* Review of qualification and experience of personnel involved in FE design and testing (No findings)
* Review of software QA activity in accordance with supplier procedures (No findings)
* Review of configuration control (1 recommendation)
* Review of operating history (1 recommendation)
* Review of reported problems (No findings)

In addition, the verification of the corrective action reported in Section 8.1 of SE10SC-001a revealed ambiguity in supplier configuration management (2 recommendations). PPDD accepted these recommendations and improved their processes. As a result of this survey, NICSD evaluated PPDD and determined that PPDD controlled CCs appropriately in accordance with defined procedures.

(2) Identification of FEs

The list of FEs used for each FPGA and the intended application of the FEs within the FPGA design are described in the FPGA Design Specification that is included in the design package shown in Table 9-1. The function of each FE is described in the FE Specification identified in the FE Control Sheet that is identified in the FPGA Design Specification. NICSD checked that PPDD controlled those FEs as a PPDD FE library. The NICSD IV&V Team shall review FE documents before those documents are incorporated into the design. After reviewing FE documents, NICSD controls those FEs as an NICSD FE library.

9.3 Evaluation of Software Development Tools Control Process

Results of a vendor evaluation are documented in this section as per the policy for evaluation of software development tools described in Section 8.1.2 of the NICSD SMP (Reference (15)), and the policy for verification of CC related to "Dependability" of an FPGA-based module which is identified in Section 8.1.

9.3.1 Preliminary Evaluation

(1) CG Survey of PPDD (Conducted in January 2011, Survey/Audit Report No. SE10SR-001a R0 (Reference (23)))

On the survey the following reviews were conducted using Section 10.1 of SE10SC-001a (Reference (27)) to verify the supplier's controls over "Software Development Tool Control." The number of recommendations and findings is shown in parentheses.

* Review of software development tool control process (5 recommendations)
* Review of documentation:
  - Software Tool Information Sheet (1 recommendation)
  - Installation Verification Sheet (1 recommendation)
  - Installation Verification Test Specification (1 recommendation)
  - Installation Verification Test Report (1 recommendation)
* Review of reported problems (2 recommendations)

PPDD accepted those recommendations and improved their process. As a result of this survey, NICSD evaluated PPDD and determined that PPDD controlled CCs appropriately in accordance with defined procedures.

(2) Identification of Software Development Tool

Table 9-2 shows a list of tools that PPDD possesses to develop and implement FPGA logic at this point of preliminary evaluation. NICSD confirmed that PPDD controlled these tools in accordance with E-68020 (Reference (14)).

Table 9-2 List of Software Development Tools

System/Tool Name | Version | Software Tool No. (Software Tool Information Sheet No.) | Intended Application | Equipment Control No. (Installation Verification Sheet No.)
Libero IDE (Synplify tool, Designer tool, Netlist Viewer tool) | v6.3 | FPTM-05-0006-M (FDTC-05-0013-M Rev.1) | FPGA logic design, logic synthesis, place & route | 6200025335 (FDTV-05-0009-M Rev.0)
ModelSim SE PLUS | 6.0b | FPTD-05-0001-M (FDTC-05-0015-M Rev.1) | FPGA logic simulation | 6200025335 (FDTV-05-0010-M Rev.0)
Silicon Sculptor | v4.55 | FPTM-05-0010-M (FDTC-05-0014-M Rev.1) | FPGA logic implementation | 6200025335 (FDTV-05-0011-M Rev.0); 6200009835 (FDTV-09-0017-M Rev.0); 6200009481 (FDTV-06-0015-M Rev.0); 6200009833 (FDTV-06-0014-M Rev.0); 6200018596 (FDTV-06-0013-M Rev.0)
PinPort 192 | v2 | FPTD-05-0002-M (FDTC-05-0016-M Rev.1) | FPGA chip simulation | 6200025335 (FDTV-05-0012-M Rev.0)

The following tool evaluation documents shall be reviewed by the NICSD IV&V Team during the Design Phase.

* Software Tool Information Sheet
* Installation Verification Sheet
* Installation Verification Test Specification
* Installation Verification Test Report
* Error Notice Evaluation Sheet (if any)

(3) Software Development Tool Vendor Evaluation

* CDR of Microsemi SoC (formerly Actel)

Because software tools used in FPGA development are critical to the quality of the FPGA-based systems, NED and NICSD perform a CDR of the supplier of these tools, Microsemi SoC (formerly Actel). The first CDR was conducted in July 2005. The second CDR was performed as a follow-up CDR to evaluate revisions to the Actel toolset in November 2009. The CDR results are documented in CDR Reports (References (33) and (34)).

The CDR reviewers concluded that the programmed FPGAs generated by these tools are appropriate for safety-related use. The CDR reviewers concluded that the Actel tools, used with the Toshiba processes, are acceptable for use in transforming human-readable source code into digital logic embedded into FPGAs.

As described in Section 9.1.1 (7), the survey of Actel was performed in November 2009. In December 2010, NICSD sent the annual evaluation inquiry to Microsemi SoC Products Group (formerly Actel), who replied in February 2011. The results of the annual evaluation were acceptable and documented in the "Evaluation Report," (SAER10-004) (Reference (25)). The NICSD SD Team confirmed the evaluation report and concluded that the supplier has maintained the capability to provide items or services since the merger with Microsemi SoC. The NICSD SD Team also concluded that a supplemental CDR of Microsemi SoC (formerly Actel) is not necessary at this point of preliminary evaluation.

(4) Notes on Application of Upgraded Software Development Tool

According to Section 2.4 of Actel's follow-up CDR report (Reference (34)), the following recommendations were provided to NICSD and PPDD to assure that the Actel toolset does not adversely affect the quality of their safety-related systems.

"NICSD and PPDD should use the newest Silicon Sculptor algorithms, which further enhance the reliability of United Micro Electronics Corp (UMC) FPGAs by better annealing of the antifuse programming, and by better detection of failed FPGAs."

"MPR recommends updating tool versions when appropriate. The tool set should be validated by NICSD and PPDD prior to use. The tool set does not have to be the latest version, but should be reasonably current, to simplify the process of migration to the current tool version."

Based on the above recommendations, PPDD now plans to update the version of Silicon Sculptor at this point of preliminary evaluation. PPDD shall evaluate the new version of the tool before applying it to FPGA testing and FPGA implementation work, and report the evaluation results to NICSD. NICSD shall review the evaluation results reported by PPDD.

9.4 Software Coding Conventions and Guidelines Document Review

The NICSD SD Team performed a review of E-68017 (Reference (11)), which PPDD uses as its software coding guideline. The review points and review results are shown in Table 9-3.

Table 9-3 Coding Guidelines Review Result

Review Points | Review Result
1 Code formatting | Appendix A.5 of E-68017 specifies the description rule of VHDL.
2 Commenting guidelines | The procedure E-68017 neither prohibits designers from writing comments in source codes nor includes specific commenting rules, because: (a) Appendix A.4 of E-68017 specifies the naming rule for VHDL files (i.e. entity name), signal, constant, and architecture used for VHDL coding, and supports readability and maintainability of VHDL source code. (b) A hierarchical design is adopted taking an FE as component for FPGA logic design. Functions of respective FEs are detailed in FE specifications. Connections between FEs are well defined in FPGA design specifications. It is hard to express the functionality of an FPGA logic, which is a combinational circuit, using a generalized commenting rule, and thus it is not practical.
3 Techniques for declaration and naming of variables | Appendix A.4 of E-68017 specifies a naming rule for VHDL files (i.e. entity name), signal, constant, and architecture used for VHDL coding. Appendix A.5 of E-68017 specifies declaration and statement rules for component, constant and signal.
4 Technology specific coding practices to be applied as well as practices to be avoided | Appendix A.5 of E-68017 shows good examples to be applied and wrong examples to be avoided.
5 Coding practices to include maintainability, readability, robustness, calculations, timing dependability, and traceability | Maintainability and readability: By conforming to the naming and style rules in Appendices A.4 and A.5 of E-68017, maintainability and readability of VHDL source code is ensured. Robustness: Appendix A.4 of E-68017 recommends not using state machines. Appendix A.4 of E-68017 requires the use of anti-fuse type FPGAs that are immune to Single Event Upset (SEU). Calculations: An operational function is implemented by FEs. Full pattern testing is performed for FEs. Timing dependability: Appendix A.2 of E-68017 describes a practice for synchronous design. Traceability: Traceability between the FPGA Design Specification and the Netlist is confirmed using Netlist Viewer through V&V activities.
6 In-code comment documentation formatting and required content | See the review result of Item 2.
7 Code version tracking practices, including change identification within the code | In accordance with Section 5.4.3 of E-68017, configuration items comprising an FPGA baseline, including source codes, are controlled with an FPGA Control Sheet. Change control for configuration items is prescribed in E-68019. In E-68019 it is not required to identify changes within a code, but it is required to document changes to configuration items, including a source code, in a change control sheet.
8 Architectural practices to be avoided | In Appendix A.1 of E-68017 it is required to perform a hierarchical design taking an FE as component. In Appendix A of E-68017 it is prohibited to perform logic optimization at the time of logic synthesis. These design practices ensure that the hierarchical structure intended by the designer is maintained after logic synthesis as well as place and route.
9 Other coding guidance specific to the FPGA technology | PPDD design engineers defined coding rules in E-68017 based on information from the RTL design style guide issued by the Semiconductor Technology Academic Research Center.

As stated above, NICSD evaluated PPDD and determined that PPDD had an appropriate coding guideline. NICSD performs a coding review during IV&V activities to evaluate compliance of VHDL source codes with the coding guideline.
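The coding review described above checks VHDL sources against guideline rules such as those summarised in Table 9-3 (entity naming tied to the VHDL file, synchronous design, avoidance of state machines). The following Python script is an added illustration of how part of such a review can be automated; it is not Toshiba, PPDD or NICSD tooling, and the three rules it encodes are assumptions drawn from the table rather than the text of E-68017. The two VHDL fragments it scans are constructed for the example, one written to the assumed rules and one that breaks all three.

```python
"""Illustrative VHDL coding-guideline checker (added example, not project
tooling). Rules encoded are assumptions modelled on Table 9-3:
  naming        - the entity name must match the VHDL file name
  synchronous   - every process must be driven by a clock edge
  state-machine - enumerated types (typical state encodings) are flagged
"""
import re
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


ENTITY_RE = re.compile(r"^\s*entity\s+(\w+)\s+is\b", re.IGNORECASE | re.MULTILINE)
PROCESS_RE = re.compile(
    r"^\s*(?:\w+\s*:\s*)?process\s*\(([^)]*)\)(.*?)end\s+process",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)
STATE_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s+is\s*\(", re.IGNORECASE | re.MULTILINE)
CLOCK_EDGE_RE = re.compile(r"rising_edge|falling_edge|'event", re.IGNORECASE)


def _line_of(text: str, pos: int) -> int:
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1


def check_vhdl(filename: str, text: str,
               clock_names: Sequence[str] = ("clk",)) -> List[Finding]:
    """Return guideline findings for one VHDL source file (assumed rules)."""
    findings: List[Finding] = []
    stem = filename.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()

    # Rule 1: file name is the entity name (cf. Table 9-3, item 3).
    for m in ENTITY_RE.finditer(text):
        if m.group(1).lower() != stem:
            findings.append(Finding("naming", _line_of(text, m.start()),
                                    f"entity '{m.group(1)}' does not match file '{stem}'"))

    # Rule 2: synchronous design - a process must list a clock in its
    # sensitivity list and act on a clock edge (cf. item 5, timing dependability).
    for m in PROCESS_RE.finditer(text):
        sens = [s.strip().lower() for s in m.group(1).split(",") if s.strip()]
        has_clock = any(s in clock_names for s in sens)
        if not (has_clock and CLOCK_EDGE_RE.search(m.group(2))):
            findings.append(Finding("synchronous", _line_of(text, m.start()),
                                    "process is not driven by a clock edge"))

    # Rule 3: enumerated types are the usual state encoding; flag them so the
    # reviewer can confirm no state machine is used (cf. item 5, robustness).
    for m in STATE_TYPE_RE.finditer(text):
        findings.append(Finding("state-machine", _line_of(text, m.start()),
                                f"enumerated type '{m.group(1)}' suggests a state machine"))
    return findings


# Constructed sample 1: a clocked counter element written to the assumed rules.
GOOD_VHDL = """library ieee;
use ieee.std_logic_1164.all;
use ieee.numeric_std.all;

entity fe_counter is
  port (clk : in std_logic; rst : in std_logic; q : out unsigned(3 downto 0));
end entity fe_counter;

architecture rtl of fe_counter is
  signal cnt : unsigned(3 downto 0);
begin
  count_proc : process (clk)
  begin
    if rising_edge(clk) then
      if rst = '1' then cnt <= (others => '0');
      else cnt <= cnt + 1;
      end if;
    end if;
  end process count_proc;
  q <= cnt;
end architecture rtl;
"""

# Constructed sample 2: wrong entity name, a level-sensitive (latch) process
# without a clock, and an enumerated state type.
BAD_VHDL = """library ieee;
use ieee.std_logic_1164.all;

entity latch_block is
  port (d, en, clk : in std_logic; q : out std_logic);
end entity;

architecture rtl of latch_block is
  type state_t is (idle, busy);
  signal state : state_t;
begin
  process (d, en)
  begin
    if en = '1' then q <= d; end if;
  end process;
end architecture;
"""


def review_samples() -> dict:
    """Run the checker over both constructed samples, keyed by file name."""
    return {"fe_counter.vhd": check_vhdl("fe_counter.vhd", GOOD_VHDL),
            "fe_latch.vhd": check_vhdl("fe_latch.vhd", BAD_VHDL)}


if __name__ == "__main__":
    for name, found in review_samples().items():
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: [{f.rule}] {f.detail}")
```

The checker is deliberately regex-based so it runs with no VHDL parser installed; for a real review it would be fed the actual rules of the applicable guideline and its output would only support, not replace, the reviewer's judgement.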
