Qualification Lifecycle and Methods of Obsolescence Management of the Invensys Tricon

1
Qualification Lifecycle and Methods of
Obsolescence Management of the Invensys Tricon

• Joseph Murray15 Sept 2005

2
Presentation purpose

• To discuss
• Qualification 12/2001 SER issuance
• Post SER items
• Supplier problems with safety system obsolescence
• Invensys Triconex path forward in equipment
  qualification
• Cross industry standards and tri-lateral
  cooperation for obsolescence management

3
Triconex Background

• Founded in 1983 with headquarters in Irvine, CA
• Designed to support the need for single train
  high reliability emergency shutdown safety
  systems and critical control systems.
• Developed the high reliability, high availability
  Triple Modular Redundant (TMR) Fault Tolerant
  Controller based on the NASA concept.
• Designed with high percentage of internal
  diagnostic coverage and no single point of
  failure with full on-line repair capabilities.
• Designed for life cycle concerns with full
  backward compatibility of all new upgrades.

4
Triconex Background

• Shipped first system in 1986
• Still in Service
• Presently more than 6000 systems placed in
  service
• 240,000,000 hours of cumulative service without a
  failure to perform on demand
• Number 1 supplier of safety systems worldwide

5
Certification-Compliant

• These are examples of the standards with which we
  comply
• IEC 61508
• Functional Safety of Electrical/ Electronic/
  Programmable Electronic Safety Related Systems
• IEC 61131-2/2000
• Programmable Controllers, Equipment Requirements
  and Tests (Includes all sub test for EMI/RFI and
  Environmental
• DIN V 19250
• Fundamental Safety Aspects to be Considered for
  Measurement and Control Protective Equipment
• DIN V VDE 0801
• Principles for Computers in Safety Related
  Systems
• DIN VDE 0116
• Electrical Equipment of Furnaces
• EN 54
• Fire Protection and Fire Alarm Systems

6
Certification-Compliant

• National Fire Protection Association
• NFPA 72/96
• National Fire Alarm Code
• NFPA 8501
• Standard for Single Burner Boiler Operation
• NFPA 8502
• Standard for the Prevention of Furnace
  Explosions/Implosions in Multiple Burner Boilers
• SEMI 2
• Environmental, Health, and Safety Applications in
  Semiconductor Manufacturing Facilities
• EPRI TR-107330 1996
• Generic Requirements Specification for
  Qualifying A Commercially Available PLC for
  Safety-Related Applications in Nuclear Power
  Plants
• EPRI report 1000799 2001
• Generic Qualification of the Triconex
  Corporation TRICON Triple Modular Redundant
  Programmable Logic Controller system for
  Safety-Related Applications in Nuclear Power
  Plants

7
Certification-Approvals

• Factory Mutual Research (FM)
• Report 3010681 Hazardous (Class 1, Division 2)
  Locations
• Canadian Standards Association (CSA)
• European Union - CE Mark
• TÜV Rheinland
• Report No. 968/EZ 105.03/01
• AK1 AK6 (DIN V 19250, DIN V VDE 0801)
• SIL 3 (IEC 61508)
• NRC Safety Evaluation Report
• ADAMS Accession Number ML013470433

8
Qualification Project Bases

• EPRI TR-107330 - Generic Requirements
  Specification for Qualifying a Commercially
  Available PLC for Safety-Related Applications in
  Nuclear Power Plants
• Quality Assurance
• Detailed Testing Requirements
• Engineering Analyses
• Documentation
• Project Planning
• Quality Assurance Plan
• Master Test Plan
• Software Quality Plan

9
SER

• SER issued in 2001
• Accepts suitability of Triconex App. B program
• Acknowledges future software upgrades
• It should be noted, however, that acceptance of
  the Tricon PLC system is based to a large degree
  on the TÜV-Rheinland independent review, and any
  future version of the Tricon PLC system will
  require an equivalent level of independent VV in
  order to be considered acceptable for
  safety-related use in nuclear power plants.
• This acceptance by the NRC of the TÜV-Rheinland
  independent VV helps unite our U.S. nuclear
  program with our international safety systems
  program.

10
Triconex since SER issuance

• Appendix B supplier
• Numerous client audits H/W S/W RD,
  manufacturing, projects.
• NUPIC/NIAC based Audits, for which other
  utilities are taking credit
• Continual TÜV testing certification
• Also a part of our continuous qualification
  process of software upgrades (per SER)

11
Triconex since SER issuance (cont.)

• SW upgrades for 1E service
• Complete VV
• Added layer of VV independence through TÜV
• All changes per approved proceduralized process
• All changes include full change analysis prior to
  inclusion on NQEL (Nuclear Qualified Equipment
  List)
• HW upgrades for 1E service
• Small grouping by analysis
• Specific function testing

12
Obsolescence from the suppliers viewpoint
13
Obsolescence Issues The Suppliers Dilemma

• Electronic Circuitry is becoming more complex
  The Good
• Higher Reliability
• Better self diagnostics
• More complex controls capabilities
• Lowered maintenance costs and less calibrations.
• Electronic Circuitry is becoming more complex
  The Bad
• Greater VV expenses for any circuit upgrade
• Greater RD expenses for any circuit upgrade
• Individual component life cycle time is
  decreasing causing shortened time between
  upgrades for end product version.
• 25 Years ago a complex electronic component could
  have a life cycle of 10 years. Now, it can be as
  low as 2-3 years!

14
Obsolescence Issues The Suppliers Dilemma
(cont.)

• How do we handle our obsolescence issues?
• Buy stock of spare components based on forecasted
  usage.
• Age concerns
• New unknown age related failure modes
• Drive suppliers
• Not unless we buy millions of chips
• Focus RD on using components driven by other
  industries
• Worked well for us with new microprocessors
• The methods chosen help to minimize the high
  costs associated with changes to safety
  circuitry.

15
Internal Testing Concerns

• Numerous testing standards to meet
• TUV
• IEC
• FM
• NRC
• EPRI
• IEEE
• DNV
• Becoming Overwhelming!

DNV
IEC
TUV
Triconex testing (two separate programs)
IEEE-323
NRC (TR-107330)
EPRI TR-102323
IEEE-344
16
Triconex Direction

• Triconex is committed to remain in the nuclear
  business, and continue to produce qualified
  product.
• Milestone in forming future qualification testing
  plans was the issuance of RG 1.180, Rev. 1,
  October, 2003, EMI/RFI guidelines
• Allows for the use of IEC standards
• Same standards used in our recurring TUV testing.
• Triconex will embrace RG 1.180, Rev 1 for all
  future testing in place of EPRI TR-102323 and
  will continue testing IAW EPRI-TR-107330 as
  endorsed and performed in the Triconex SER.

17
Triconex Recurring Test Plan

• Cover all governing bodies in one recurring test
• Allows continuous adding of product to NQEL, and
  increases cost-benefits, enhancing future
  viability in all Safety markets.
• Allows for a simplified testing regimen

TUV
DNV
Triconex combined testing
IEC
IEEE-323
NRC (TR-107330)
IEEE-344
18
Maintaining Safety Equipment Offerings

• Suppliers of safety equipment are tied to cycles
  of the industry served.
• Equipment built and tested to support only
  nuclear safety systems can not justify long term
  investments in upgrading safety offerings with no
  forecast for long term sales!
• Other industries also use qualified safety
  equipment.
• Nuclear must look beyond their own industry for
  the sake of allowing sustainable progression of
  modernized safety related equipment.
• Suppliers who can supply cross industries can
  survive.
• Peaks and Valleys smooth
• Dependant upon the costs of varied standards.
  (varied standards?)

19
The Heart of the issue from three sides -
COOPERATION

• Obsolescence Management will take cooperation and
  effort by these three groups
• Regulators
• End-Users (Nuclear Plant Engineering Groups)
• Manufacturers / Suppliers

20
The Heart of the issue from three sides (cont.)

• Regulators
• Are equipment requirements for safety related
  digital systems the same in all countries?
• Recent business with five Nuclear countries
  showed variations in qualification testing and
  documentation requirements.
• Do the regulators understand the impact that they
  have on obsolescence issues?
• Unique rules for equipment qualification places
  suppliers in a non-tenable business position.
• Non-viable product lines become obsolete quickly
• Obsolete equipment in power plants causes well
  known commercial and quality problems

21
The Heart of the issue from three sides (cont.)

• End-Users
• Equipment upgrade specifications -
• Are they written to fulfill your dream system?
• Are they written without the knowledge of
  industry standards in use elsewhere?
• Equipment upgrade specifications -
• Should be written to satisfy the safety and
  reliability needs of your plant while supporting
  long term maintainability (or you will be doing
  this again very soon!)
• Should not require or request custom circuitry of
  any kind.
• Guaranteed immediate obsolescence.

22
The Heart of the issue from three sides (cont.)

• Manufacturer/Suppliers
• We must learn to say NO and push
• Many companies want the business to support
  today's profit margins, and are willing to sell
  anything with either
• No thought to the clients future obsolescence
  issues or
• Thoughts of being there to take advantage of
  obsolete, unsupported equipment.

23
SUMMARY

• Triconex Tricon is designed and built to meet
  numerous domestic and international safety
  standards.
• Invensys Triconex is committed to long term
  support of the nuclear industry by providing
  continuously qualified upgrades to resolve
  obsolescence issues
• Invensys Triconex plans to combine our varied
  testing programs to one all encompassing test on
  a recurring basis based on the merging U.S. and
  IEC standards.

24
SUMMARY (cont)

• Invensys Triconex to suggest to clients that
  they work towards using standard offerings, and
  not custom equipment.
• Invensys Triconex urges closer cooperation of
  individual country governing bodies on adoption
  of universal standards to allow companies a cost
  effective path to maintain current qualified
  offerings. (IAEA and EPRI)
• Requires cooperation by licensees, regulatory
  bodies, and vendors for the mutual benefit of
  all.