Title: Qualification Lifecycle and Methods of Obsolescence Management of the Invensys Tricon
1. Qualification Lifecycle and Methods of Obsolescence Management of the Invensys Tricon
- Joseph Murray, 15 Sept 2005
2. Presentation purpose
- To discuss
  - Qualification 12/2001 SER issuance
  - Post SER items
  - Supplier problems with safety system obsolescence
  - Invensys Triconex path forward in equipment qualification
  - Cross industry standards and tri-lateral cooperation for obsolescence management
3. Triconex Background
- Founded in 1983 with headquarters in Irvine, CA
- Designed to support the need for single train high reliability emergency shutdown safety systems and critical control systems.
- Developed the high reliability, high availability Triple Modular Redundant (TMR) Fault Tolerant Controller based on the NASA concept.
- Designed with high percentage of internal diagnostic coverage and no single point of failure with full on-line repair capabilities.
- Designed for life cycle concerns with full backward compatibility of all new upgrades.
4. Triconex Background
- Shipped first system in 1986
  - Still in Service
- Presently more than 6000 systems placed in service
- 240,000,000 hours of cumulative service without a failure to perform on demand
- Number 1 supplier of safety systems worldwide
5. Certification-Compliant
- These are examples of the standards with which we comply
- IEC 61508
  - Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems
- IEC 61131-2/2000
  - Programmable Controllers, Equipment Requirements and Tests (Includes all sub tests for EMI/RFI and Environmental)
- DIN V 19250
  - Fundamental Safety Aspects to be Considered for Measurement and Control Protective Equipment
- DIN V VDE 0801
  - Principles for Computers in Safety Related Systems
- DIN VDE 0116
  - Electrical Equipment of Furnaces
- EN 54
  - Fire Protection and Fire Alarm Systems
6. Certification-Compliant
- National Fire Protection Association
- NFPA 72/96
  - National Fire Alarm Code
- NFPA 8501
  - Standard for Single Burner Boiler Operation
- NFPA 8502
  - Standard for the Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers
- SEMI 2
  - Environmental, Health, and Safety Applications in Semiconductor Manufacturing Facilities
- EPRI TR-107330 1996
  - Generic Requirements Specification for Qualifying A Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants
- EPRI report 1000799 2001
  - Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant Programmable Logic Controller system for Safety-Related Applications in Nuclear Power Plants
7. Certification-Approvals
- Factory Mutual Research (FM)
  - Report 3010681 Hazardous (Class 1, Division 2) Locations
- Canadian Standards Association (CSA)
- European Union - CE Mark
- TÜV Rheinland
  - Report No. 968/EZ 105.03/01
  - AK1 AK6 (DIN V 19250, DIN V VDE 0801)
  - SIL 3 (IEC 61508)
- NRC Safety Evaluation Report
  - ADAMS Accession Number ML013470433
8. Qualification Project Bases
- EPRI TR-107330 - Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants
  - Quality Assurance
  - Detailed Testing Requirements
  - Engineering Analyses
  - Documentation
- Project Planning
  - Quality Assurance Plan
  - Master Test Plan
  - Software Quality Plan
9. SER
- SER issued in 2001
- Accepts suitability of Triconex App. B program
- Acknowledges future software upgrades
- It should be noted, however, that acceptance of the Tricon PLC system is based to a large degree on the TÜV-Rheinland independent review, and any future version of the Tricon PLC system will require an equivalent level of independent V&V in order to be considered acceptable for safety-related use in nuclear power plants.
- This acceptance by the NRC of the TÜV-Rheinland independent V&V helps unite our U.S. nuclear program with our international safety systems program.
10. Triconex since SER issuance
- Appendix B supplier
- Numerous client audits: H/W and S/W R&D, manufacturing, projects.
- NUPIC/NIAC based Audits, for which other utilities are taking credit
- Continual TÜV testing certification
  - Also a part of our continuous qualification process of software upgrades (per SER)
11. Triconex since SER issuance (cont.)
- SW upgrades for 1E service
  - Complete V&V
  - Added layer of V&V independence through TÜV
  - All changes per approved proceduralized process
  - All changes include full change analysis prior to inclusion on NQEL (Nuclear Qualified Equipment List)
- HW upgrades for 1E service
  - Small grouping by analysis
  - Specific function testing
12. Obsolescence from the supplier's viewpoint
13. Obsolescence Issues: The Supplier's Dilemma
- Electronic Circuitry is becoming more complex: The Good
  - Higher Reliability
  - Better self diagnostics
  - More complex controls capabilities
  - Lowered maintenance costs and fewer calibrations.
- Electronic Circuitry is becoming more complex: The Bad
  - Greater V&V expenses for any circuit upgrade
  - Greater R&D expenses for any circuit upgrade
  - Individual component life cycle time is decreasing, causing shortened time between upgrades for end product version.
  - 25 years ago a complex electronic component could have a life cycle of 10 years. Now, it can be as low as 2-3 years!
14. Obsolescence Issues: The Supplier's Dilemma (cont.)
- How do we handle our obsolescence issues?
  - Buy stock of spare components based on forecasted usage.
    - Age concerns
    - New unknown age related failure modes
  - Drive suppliers
    - Not unless we buy millions of chips
  - Focus R&D on using components driven by other industries
    - Worked well for us with new microprocessors
- The methods chosen help to minimize the high costs associated with changes to safety circuitry.
15. Internal Testing Concerns
- Numerous testing standards to meet
  - TUV
  - IEC
  - FM
  - NRC
  - EPRI
  - IEEE
  - DNV
- Becoming Overwhelming!
[Diagram: Triconex testing (two separate programs), with DNV, IEC, TUV, IEEE-323, NRC (TR-107330), EPRI TR-102323, IEEE-344]
16. Triconex Direction
- Triconex is committed to remain in the nuclear business, and continue to produce qualified product.
- Milestone in forming future qualification testing plans was the issuance of RG 1.180, Rev. 1, October, 2003, EMI/RFI guidelines
  - Allows for the use of IEC standards
  - Same standards used in our recurring TUV testing.
- Triconex will embrace RG 1.180, Rev 1 for all future testing in place of EPRI TR-102323 and will continue testing IAW EPRI-TR-107330 as endorsed and performed in the Triconex SER.
17. Triconex Recurring Test Plan
- Cover all governing bodies in one recurring test
- Allows continuous adding of product to NQEL, and increases cost-benefits, enhancing future viability in all Safety markets.
- Allows for a simplified testing regimen
[Diagram: Triconex combined testing, with TUV, DNV, IEC, IEEE-323, NRC (TR-107330), IEEE-344]
18. Maintaining Safety Equipment Offerings
- Suppliers of safety equipment are tied to cycles of the industry served.
- Equipment built and tested to support only nuclear safety systems cannot justify long term investments in upgrading safety offerings with no forecast for long term sales!
- Other industries also use qualified safety equipment.
- Nuclear must look beyond their own industry for the sake of allowing sustainable progression of modernized safety related equipment.
- Suppliers who can supply cross industries can survive.
  - Peaks and Valleys smooth
  - Dependent upon the costs of varied standards. (varied standards?)
19. The Heart of the issue from three sides - COOPERATION
- Obsolescence Management will take cooperation and effort by these three groups
  - Regulators
  - End-Users (Nuclear Plant Engineering Groups)
  - Manufacturers / Suppliers
20. The Heart of the issue from three sides (cont.)
- Regulators
  - Are equipment requirements for safety related digital systems the same in all countries?
    - Recent business with five Nuclear countries showed variations in qualification testing and documentation requirements.
  - Do the regulators understand the impact that they have on obsolescence issues?
    - Unique rules for equipment qualification place suppliers in a non-tenable business position.
    - Non-viable product lines become obsolete quickly
    - Obsolete equipment in power plants causes well known commercial and quality problems
21. The Heart of the issue from three sides (cont.)
- End-Users
  - Equipment upgrade specifications -
    - Are they written to fulfill your dream system?
    - Are they written without the knowledge of industry standards in use elsewhere?
  - Equipment upgrade specifications -
    - Should be written to satisfy the safety and reliability needs of your plant while supporting long term maintainability (or you will be doing this again very soon!)
    - Should not require or request custom circuitry of any kind.
      - Guaranteed immediate obsolescence.
22. The Heart of the issue from three sides (cont.)
- Manufacturer/Suppliers
  - We must learn to say NO and push
  - Many companies want the business to support today's profit margins, and are willing to sell anything with either
    - No thought to the client's future obsolescence issues or
    - Thoughts of being there to take advantage of obsolete, unsupported equipment.
23. SUMMARY
- Triconex Tricon is designed and built to meet numerous domestic and international safety standards.
- Invensys Triconex is committed to long term support of the nuclear industry by providing continuously qualified upgrades to resolve obsolescence issues
- Invensys Triconex plans to combine our varied testing programs to one all encompassing test on a recurring basis based on the merging U.S. and IEC standards.
24. SUMMARY (cont.)
- Invensys Triconex to suggest to clients that they work towards using standard offerings, and not custom equipment.
- Invensys Triconex urges closer cooperation of individual country governing bodies on adoption of universal standards to allow companies a cost effective path to maintain current qualified offerings. (IAEA and EPRI)
- Requires cooperation by licensees, regulatory bodies, and vendors for the mutual benefit of all.