Saturday, July 22, 2017

NuScale HIPS FPGA

NuScale SMR
Friends, Americans, Countrymen,

Nota Bene: links to various references cited in this blog post are embedded in the applicable document title or alphanumeric identifier. All references are in the public domain, usually in the Agencywide Document Access Management System (ADAMS) at the web site of the US NRC. No reference is cited and no statement is made with intention to be derogatory towards or demeaning of any governmental agency or of any nuclear energy company or corporation. Lastly, no special insider knowledge is held by the writer of this post regarding the inner workings of any governmental agency or of any nuclear energy company or corporation.

Every nuclear power plant licensed for operation in the West has a variety of safety systems controlled or actuated by safety-related instrumentation and controls. Current pressurized and boiling water reactors in the US have:

  1. A reactor protection system, which monitors certain parameters and trips the reactor offline (rapidly inserts neutron-absorbing control rods) on sensing unsafe conditions.
  2. An engineered safeguards system, which monitors the same or similar parameters and initiates emergency core cooling on sensing unsafe conditions.

These systems, designed in the 1960s, are often analog electronics, though some have been upgraded to digital in recent years as license extensions have been pursued and originally installed equipment has become obsolete. Newly designed reactors like GE-Hitachi's ESBWR, Westinghouse's AP-1000 and Areva's EPR have advanced digital electronics, either run-time software systems or Boolean logic systems, or a mixture of both. Sometimes these systems may be integrated together and other times they may be kept separate.

The specification, design, development, testing, installation, configuration management, safety analysis, verification and validation, and security vulnerability assessment of such systems are subject to rigorous requirements given in a series of industry standards from the Institute of Electrical and Electronics Engineers (IEEE) and the Electric Power Research Institute (EPRI). Certain regulatory documents from the US Nuclear Regulatory Commission (NRC) endorse or otherwise invoke compliance with these standards:

  • Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.170, Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.171, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.172, Software Requirement Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
  • Regulatory Guide 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems
  • Regulatory Guide 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants
  • Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities

And such compliance is inspected via chapter 7 on Instrumentation and Controls in what the US NRC calls "The Standard Review Plan" in NUREG-0800, or in the case of small modular reactors from companies like B&W mPower, NuScale, etc., via that same chapter in what is called a Design Specific Review Standard (DSRS):


The means by which a company shows compliance with all the various regulatory documents and industry standards required to obtain a license is given in what is called a Design Certification Application (DCA). Each series of systems has its own chapter in this massive document and that document is submitted for a 40+ month review by the US NRC. Chapter 7 on Instrumentation and Controls in NuScale's DCA is provided below.

Chapter 7 in the NuScale Design Certification Application

Using applicable industry standards, it literally takes years to design, build and test a complete reactor protection and engineered safeguards system. If the review of the DCA is successful, then at the end the US NRC will issue a Final Safety Evaluation Report (FSER) which authorizes the next step forward to initiate construction of the facility, and that is an entire multi-year process by itself.

In the case of NuScale, a supplementary topical report on its integrated reactor protection and engineered safeguards system was also submitted to the US NRC:

TR-1015-18653, "Design of Highly Integrated Protection System Platform"

This design, according to publicly available information, will use Boolean logic (developed from Hardware Description Language, or HDL, programming) in what are called Field Programmable Gate Arrays (FPGAs), instead of run-time software held in EEPROM or UVPROM chips or on hard drives, to run its integrated protection and safeguards system. Such FPGA systems have greater immunity to security threats, and unlike the sequential, step-by-step operation of run-time software systems, they can do logic processing in parallel. On Monday, July 17, 2017, there was a press release entitled "NuScale Power, LLC Announces Highly Integrated Protection System (HIPS) Platform." This press release stated:

NuScale Power, LLC announced today that the U.S. Nuclear Regulatory Commission recently concluded the Highly Integrated Protection System [HIPS] Platform is acceptable for use in plant safety-related instrumentation and control (I&C) systems.

The truth however is a bit more nuanced than a marketing news announcement. This is what the last paragraph on page 1 of the US NRC's Safety Evaluation Report (SER) actually says:

The scope of the review excludes the quality of the HIPS platform standardized circuit boards and their instruments chassis, the quality of the design process, and its equipment qualification. These activities are application specific, dependent on the equipment vendor to be used to implement the HIPS platform.

That means that the work required by the aforementioned regulatory guides and industry standards has yet to be done, and all that the US NRC has accepted in a 133-page SER is a technical description of a proposed technology platform and architecture. All the software engineering and software quality assurance work required for actually building such a system remains to be done.

Everyone who is pro-nuclear wishes the designers and developers of new nuclear reactors well. The bankruptcy of Westinghouse Electric is regrettable, and the fate of its AP-1000 reactors being built at Vogtle and VC Summer is problematic. GE-Hitachi's on-again, off-again involvement in a new ESBWR for Virginia's North Anna site and for Detroit Edison out in the Great Lakes area is disheartening. Areva's virtual exit from the US new construction market is depressing, and B&W mPower's abandonment of its small modular reactor design was another depressing blow. So all hopes are on NuScale to succeed and prove that the United States has what it takes to design and build advanced nuclear reactors, and we all are rooting for NuScale's success. However, that said, issuing marketing announcements that skew the actual facts is at best misleading. The public should never be misled, even by marketing trying to put a positive spin on things. NuScale has YEARS of work to perform in mechanical, electrical, I&C, nuclear and radiological areas before it will have completed everything that it committed to do in its DCA. Submission of the DCA is merely the first step in a decade-plus-long process. Indeed, if fossil fuel companies were subject to this same level of safety and environmental scrutiny, then there would not be a single coal, oil or gas electric plant left operating. And if solar and wind were subject to equivalent safety and environmental scrutiny, then purveyors of those so-called green energy sources would likewise be out of business.
