Digital I&C Equipment Qualification Practice
by Wang Ying, Vice Chief Engineer
National Energy Nuclear Power Plant Instrumentation R&D (Testing) Center
Shanghai Institute of Process Automation Instrumentation Research & Development
14th Oct., 2013
EQ Significance
- To ensure the safe and stable operation of nuclear power plants.
- To verify that nuclear power plant safety equipment performs its intended functions throughout its lifetime.
- To reveal defects in design, manufacture, installation and operation.
- To find potential common-cause failures under environmental and operating conditions.
- To upgrade commercial devices into nuclear safety equipment.
- Mainly follows the IEEE and IEC series of standards.
- Includes environmental qualification and seismic qualification.
AECL - OFFICIAL USE ONLY / À USAGE EXCLUSIF - EACL
IEC/IEEE 60780-323 EQ Key Points
- Range and description of the equipment to be qualified;
- Selection of typical equipment for qualification;
- Establishment of EQ methods, procedures and acceptance criteria;
- Choice of a qualified laboratory to conduct the equipment qualification;
- Check and review of the qualification documentation, to determine whether the qualified equipment is capable of maintaining its safety function during the plant life (e.g., 40 years) and of withstanding the harsh environmental conditions.
EQ Key Points: Qualification Margins

Parameter                              Margin
Temperature                            +8°C
Pressure                               +10%
Radiation / Electrical characteristic  ±10% / ±5%
Equipment operating time
Seismic / Vibration
1E Equipment Qualification
The qualification should be performed according to an EQ program in order to certify environmental endurance. The EQ program should ensure that equipment reliability does not degrade below the design requirements under the influence of aging and the conditions of operation.

Test Item                                                            K1   K2   K3
Baseline performance tests ▲
Extreme limit tests under normal and abnormal operating conditions
Aging tests △
Seismic tests
Accident condition tests
Post-accident condition tests
Quality Assurance Level                                              Q1   Q1 or Q2
I&C EQ Requirements
- Aging
- EMI/RFI
- Seismic
- Software V&V
Aging Condition and Failure Rate
EMI/RFI Frequency Spectrum: RG 1.180, IEC/MIL Standards
EMI/RFI Test Items: Nuclear Class? Commercial Class?
IEC/MIL EMI/RFI Tests

No. | EMC Test Item                                        | Test Standard        | Test Level
1   | Low-frequency conducted emission                     | MIL-STD-461E CE101   | 30 Hz ~ 10 kHz
2   | High-frequency conducted emission                    | MIL-STD-461E CE102   | 10 kHz ~ 2 MHz
3   | Magnetic-field radiated emission                     | MIL-STD-461E RE101   | 30 Hz ~ 100 kHz
4   | Electric-field radiated emission                     | MIL-STD-461E RE102   | 2 MHz ~ 10 GHz
5   | Power leads conducted susceptibility                 | MIL-STD-461 CS101    | 30 Hz ~ 150 kHz
6   | Bulk cable injection conducted susceptibility        | MIL-STD-461 CS114    | 10 kHz ~ 30 MHz
7   | Magnetic-field radiated susceptibility               | MIL-STD-461 RS101    |
8   | Electric-field radiated susceptibility               | MIL-STD-461 RS103    | 30 MHz ~ 10 GHz
9   | Impulse excitation conducted susceptibility          | MIL-STD-461 CS115    | Impulse excitation
10  | Damped sinusoidal transients conducted susceptibility | MIL-STD-461 CS116   |
Seismic Qualification
- Qualification method:
- Qualification procedure:
- Frequency / Amplitude
Seismic Test Configuration: accelerometer, strain gauge
Software V&V Technology
- Computers are increasingly used in situations where their failure could cause very serious damage to property, personal injury or death.
- To reduce the operating risk of computer-based I&C systems, both the hardware and the software require high reliability.
- The appropriate techniques and methods should be selected according to the Safety Integrity Level (SIL).
- Verification and validation (V&V) technology has to be used to ensure that the software achieves its intended safety functions.
- Verification is confirmation, by examination and by provision of objective evidence, that the results of an activity meet the objectives and requirements defined for that activity.
- Validation is confirmation, by examination and by provision of other evidence, that a system fulfils the requirement specification in its entirety as intended (functionality, response time, fault tolerance, robustness).
V&V Standards
Independence of Software V&V
- Technical, financial and managerial independence.
- Project organization structure:
  - Three independent teams: design, V&V and quality.
  - Each team is independently supervised.
  - The V&V team manager reports to the project manager, not to the software design manager.
- System design diversity:
  - A software designer should not undertake the software design of two systems.
  - A system's software designer should not be another system's verifier.
- Objective:
  - Minimize the probability of making the same or similar mistakes in software development, verification and validation.
  - The verification and validation process can then be performed effectively and objectively.
V&V Activities in the Software Lifecycle
DID -> SRS -> SDD -> CODE
Legend:
- DID = Design Input Documentation (System DR, DD)
- SRS = Software Requirements Specification
- SDD = Software Design Description
System designers' responsibility: DID.
Software designers' and verifiers' responsibility: SRS, SDD, CODE.
V&V activities: SRS review, SDD review, code review, mathematical verification, software hazards analysis, unit testing, integration testing, validation.
Software V&V Activity – Code Verification

Task activity: 3.2 Software code verification
Input files: software program (source code)
Basis documents: software design specification; module specification; detailed design; system development quality plan; formal coding inspection record; unit test results (if possible); code analysis results (if possible)
Activities and methods:
1. Source code module analysis: inspection (necessary); walkthrough (necessary); formal description (optional); symbolic execution (optional); program proving (optional); quality management by measurement (optional)
2. Inspection against standards, actual and conventional use: inspection (forced); walkthrough (forced)
3. Inspection of maintainability: walkthrough (forced); quality management by measurement (optional)
4. Inspection of test results: walkthrough (optional)
5. Inspection of traceability: traceability analysis (optional)
Output: source code validation report; source code verification list; error report
Software Code Tests
Software Credibility and Reliability
Can software reliability be quantified?
- It is difficult to meet the reliability requirements of software, and verifying them is even more difficult.
- On the definition of software failure and on quantifying software reliability, the industrial sector has not yet reached a consensus.
- As a method of quantifying software reliability, statistical random testing (SRT) has aroused controversy among experts.
- Using SRT as a complement to a rigorous software life-cycle process is an accepted approach, but using it to prove the quality or reliability of software has not been accepted.
- Up to now, the members of IEC TC65 still have differences over the application of SRT to safety software.
Thinking after Fukushima Accident
Conclusion
- Equipment qualification is an important guarantee that a nuclear power plant's safety systems maintain their safety function.
- Qualification technology is gradually improving, but there are still problems to be researched.
- Standard clauses are stated as principles; they lack operability and lack systematic data accumulation.
- In equipment qualification practice, there is a lack of experience in handling specific issues.
- A set of qualification guidance documents that is operable, complete and correct should be established.
- There are many problems in the equipment aging evaluation model and in the choice of aging factors, etc.
- The V&V of safety software is a huge challenge that digital I&C systems face.

The New EQ Technology Trends after the Fukushima Accident
EQ Centre for I&C
Q&T capability: Reliability; SIL; V&V for I&CS; Climate
Ability extended for NI&CS according to AP1000, NRC and RCC-E: Reliability; SIL; V&V for I&CS; Climate; Mechanical; Chemical; Explosive; EMC
Regular: Temp.; Flow; Pres.; Level; Rev; Vibra; Display; Actuator
- I&CS Safety & Reliability Assessment
- In-plant Equipment Inspection
- Q&T Capability: Regular Function Test; Environment Adaptability Test
- Nuclear Specialized Testing: Event; T-O ageing; Seismic; Irradiation; LOCA
Thanks!
Wang Ying
Shanghai Institute of Process Automation Instrumentation
Phone: 021 64847452
Cell: 18121251106
E-MAIL: wangying@sipai.com