westinghouse bwr technologies...as modbus, allen-bradley, ge mark v/vi, rtp i/o, toshiba and mhi are...

Automation

Westinghouse BWR Technologies

TABLE OF CONTENTS

AutomationNuclear Automation Product Portfolio .....................................................................................................................4Information and Control Systems Platform .............................................................................................................6Data Processing and Monitoring System ...............................................................................................................8Application Server and Application Programs ........................................................................................................10Neutron Monitoring System (NMS) .........................................................................................................................12Traversing In-core Probe (TIP) System ..................................................................................................................14Power Range Monitor (PRM) System ....................................................................................................................16Radiation Monitoring System (RMS) ......................................................................................................................18Seamless Radiation Monitoring ..............................................................................................................................20Portable Radiation Monitoring System ...................................................................................................................22High-Sensitivity Off-Gas Monitor ............................................................................................................................24Digital RMCS & RPIS .............................................................................................................................................26Digital RC&IS for BWR-6 ........................................................................................................................................28Rod Worth Minimizer (RWM) ..................................................................................................................................30Turbine Control and Protection ...............................................................................................................................32Feedwater Control System Upgrades ....................................................................................................................34Triple Redundant Digital FWC ................................................................................................................................36Triple Redundant Digital RFC .................................................................................................................................38Triple Redundant D-EHC ........................................................................................................................................40Main Control Room Modernization .........................................................................................................................42Computerized Procedures System .........................................................................................................................44Alarm Presentation System ....................................................................................................................................46Cyber Security Services .........................................................................................................................................48Cyber Security Services: Event Management and Intrusion Prevention ...............................................................50Cyber Security Services: Specialized Cyber Security Training .............................................................................52Cyber Security Services: Legacy System Security ................................................................................................54Cyber Security Services: Host-based Security Solutions ......................................................................................56Cyber Security Services: Vulnerability Scanning and Virtualized Testing ..............................................................58

Westinghouse BWR Technologies

Continued

Cyber Security Lab .................................................................................................................................................60Cyber Security Services: Assessments .................................................................................................................62Cyber Security Services: Ovation™ Security ........................................................................................................64Turbine Generator technology ................................................................................................................................66

4

October 2012 NF-FE-0018©2014 Westinghouse Electric Company LLC. All Rights Reserved

Nuclear Automation

Nuclear Automation Product Portfolio

BackgroundWestinghouse is a global leader in the supply and support of nuclear plant instrumentation and control (I&C) upgrades, engineering services, plant modernizations and new plant design.

The Westinghouse Nuclear Automation product portfolio covers all areas of system operation over the life of the plant. Products include instrumentation, safety systems, control systems, plant information systems, diagnostics and monitoring systems, engineering services for functional upgrades, control system analysis and optimization, and operating margin recovery.

DescriptionWestinghouse teams with utilities to perform I&C modernization program studies. A summary of the products and services for each phase of the system life cycle include:

• Planning – I&C modernization studies that determine the upgrade approach

• Functional Design – Functional upgrades, fault-tolerant designs, self-test/calibration and automation

• System Design – Open architecture, modular design and communication networks

• System Supply – Integrated platforms for protection, control, information systems and monitoring systems

• Licensing – Licensing services that minimize licensing risk

• Installation – Installation services within scheduled outage windows

• Startup – Startup support that results in flawless system startup and fine tuning

• Operation - Spare parts, software updates, field service, engineering services and training

Building blocks for protection, control and information systems permit easy expandability and system integration.

The building blocks used for single system retrofits, large-scale I&C modernization programs and new plant designs are based on commercial products adapted and enhanced for nuclear applications. This approach allows customers to start with a single system and to expand across the entire plant nuclear steam supply system, balance of plant and turbine.

Control room

5

The building blocks include:

• Redundant communication networks (safety and nonsafety)

• Redundant hardware controllers

- Virtual controllers

- Input/output (I/O) modules

• Specialized I/O modules for turbine and loop modulation

• Native bus modules - FieldBus, ProfiBus

• Variety of workstations - operator, engineer, historian

• Data links - custom, OPC

• Test interfaces

• Complete software application libraries

• Nuclear application programs

• Cyber security products

• Electromechanical solutions for steam turbines and feed pumps

BenefitsWestinghouse has migrated its various products into its current set of standardized platforms for protection and control.

Past designs give the current generation system its verified and validated safety system software, nuclear application programs, functional design, testing methods, cabinet design features and I/O module design. The standardized platforms provide significant benefits in staffing optimization, reduced training, inventory and human-machine interface efficiencies.

Open architecture incorporates advances in digital technology and interfaces with all types of equipment; older systems can readily incorporate new technologies.

The Westinghouse Nuclear Automation product portfolio provides customers with products, services and technologies that help meet their performance needs.

Westinghouse Electric Company1000 Westinghouse DriveCranberry Township, PA 16066

www.westinghousenuclear.com

6

September 2010 NS-NA-0093©2014 Westinghouse Electric Company LLC. All Rights Reserved

Information and Control Systems Platform

Nuclear Automation

BackgroundThe Information and Control (I&C) Systems Platform is a non-safety distributed computer system for Category B and Category C applications. The platform has been applied in numerous nuclear retrofit projects, and is the standard basis for non-safety related nuclear I&C systems in Westinghouse new-build projects worldwide.

The overall platform includes integral resources for both control and plant computer functions, thus eliminating the need for these to be separate systems. The basic architecture is flexible for use with small stand-alone systems to full-scale plant systems, expanding easily for future phased system upgrades.

DescriptionThe platform is based on the Emerson Ovation® product line and also integrates key components developed by Westinghouse for nuclear I&C applications. As a distributed process control, information and data management system, Ovation offers a powerful, flexible and open-system architecture, supported with field-proven, industry-standard hardware, software, networking and communications components. The extended components support plant computer, monitoring and various system-interface applications to meet nuclear industry requirements.

BenefitsThe I&C system platform presents true open computing, allowing users to achieve higher plant availability, reliability, efficiency, safety and environmental compliance.

Extensive system benefits are realized through the key elements of the Ovation product.

• Network – A standards-compliant, fully redundant, high-speed Ethernet network using commercial hardware, and copper or fiber cabling. Each originating drop periodically broadcasts point value and status at the appropriate frequency.

• Controller – Each fully redundant PC-based controller interfaces to the I/O subsystem, performs data acquisition, and executes simple or complex modulating and sequential control strategies (up to 32,000 process points per controller).

Core Ovation product components

7

• Input/output Modules – Modular industrial grade I/O requiring no special handling, user addressing or configuration. Up to 128 modules per controller of analog, discrete, digital bus and special turbine-related I/O is available, including advanced fault diagnostics and channel isolation.

• Workstations – Operator/engineering workstations (Windows® PC-based) feature high-resolution display of control/monitoring graphics, diagnostics, trending, alarms and plant-status information with easy-to-use engineering and configuration tools. The engineering station contains a fully embedded relational database management system storing configuration, process-point information and control algorithm information. System and point data (including user-defined fields) can be imported via user-friendly database tools (e.g. Access or Excel).

• Historian – Scalable mass storage and retrieval of process data, alarms, sequence of events (SOE), logs and operator actions for 5,000 to 100,000 point values. Presentation capabilities include data queries, historical trending and SOE Reports. A bundled reporting package allows for scheduled and triggered reports to operators, engineers and maintenance personnel.

• Connectivity Servers – Open system interfaces (ODBC, NetDDE, OPC) provide innovative technology for securely transporting real-time or historical process data directly to a user desktop for critical analysis of plant performance data. Data link interfaces to third-party devices and protocols such as Modbus, Allen-Bradley, GE Mark V/VI, RTP I/O, Toshiba and MHI are also supported.

Westinghouse has designed and engineered several additional system components that complement and extend the Ovation product line to provide monitoring and plant

computer functionality, enhanced security, and integration of safety and non-safety platforms specifically for the nuclear power industry.

• Application Server – Redundant application servers execute complex calculations and monitoring from a robust Nuclear Applications Programs (NAP) library and data link interfaces with external plant systems. Standard, pre-tested function blocks based on IEC 61499/61131 standards significantly lower development and testing time. Custom sub-applications can also be created.

• Cyber Security – Westinghouse is leading the cyber security assessment and compliance activities in the industry in conjunction with the new AP1000TM plants, advanced boiling water reactor (ABWR) and existing plants worldwide. Using cyber security assessments, communication-isolation techniques, physical security, cyber-secure networks and operating systems, and the Ovation product security, Westinghouse’s cyber security team provides practical, cyber-secure solutions.

• Advant Ovation Interface (AOI) – A Gateway server connects each safety division data network to the non-safety real-time data network, providing strict one-way flow of real-time safety system data for display and control. Data flow is strictly one way from the safety to the non-safety subsystem.

Combining the superior high-speed performance and capacity of the widely used Ovation product line with broad nuclear application experience and system integration components, the Westinghouse I&C platform provides a flexible and upgradeable system that addresses both operating and new plant requirements.

I&C systems platform



8

Nuclear Automation

Data Processing and Monitoring System

BackgroundThe data processing and monitoring system (DPMS), or plant computer, is a plant-wide information system for new and retrofit plants. The DPMS consists of data acquisition and presentation layer components, with configurable, reusable software programs for performing nuclear plant performance and monitoring applications. DPMS uses a redundant network design with advanced connectivity features that provides high capacity data transmission and reliable external system communications via standard and custom protocols.

The Westinghouse DPMS is a reliable and cost-efficient instrumentation and control (I&C) solution for new and phased modernization programs that provides a well-organized and integrated system solution.

DescriptionThe DPMS includes the following data collection, information processing, calculation, development and maintenance tools, and system integration components.

• Powerful Ovation® distributed information and control system platform implementation using Microsoft Windows® functionality provides operator workstation displays, database repository, historical storage and retrieval, with supporting software development tools to maintain and update the system.

• A PC-compatible, redundant controller executes simple or complex data acquisition and control algorithms. The controller interfaces with a power industry input/output (I/O) module subsystem that accepts a wide range of analog, digital and bus technology I/O.

• Operator and engineering workstations present high resolution process graphics, system and detailed diagnostics, trends, alarms and status displays. These workstations provide access to dynamic system points, a comprehensive alarm management system, historical data, general messages, standard function displays, event logging, and detailed analysis through intuitive navigation tools.

• Powerful redundant-application servers with a standard function library of proven and fully tested performance and monitoring application programs (AP) provide complex calculations and standard or custom data-link interfaces. An extensive function block library with an application builder graphical user interface is included to

allow the customer to program and maintain standard and custom applications.

• Multi-function system servers provide system configuration, I/O and calculation point database, historical storage and retrieval configuration, and control algorithm information, all in an organized and centralized relational database structure. Engineering tools provide process graphic editing, control programming, configuration and maintenance.

• The Ovation Historian provides mass storage and retrieval of process data, alarms, sequence of events (SOE), logs and operator actions. Data analysis tools and applications provide state-of-the-art data retrieval and querying solutions. Data backup and redundancy are available, as well as standard reporting templates for scheduled and triggered reports.

• A fully redundant, fault-tolerant network provides high capacity real-time data transmission without data loss, degradation or delay, even during plant upsets. Custom gateways and interfaces are eliminated through the use of widely available commercial hardware; and full connectivity to corporate LANs, WANs and intranets can be provided. Time synchronization is also available using a network time protocol (NTP) time server.

• Enhanced cyber security uses cutting-edge cyber-security assessment tools and an integrated system approach of domain control, security user- and system-function permission configuration, antivirus software management and system hardening. In addition, the Ovation Security Center provides vulnerability scanning and patch management, malware prevention, security incident and event management.

BenefitsThe DPMS helps users save operation and maintenance costs by achieving higher levels of plant availability, reliability, safety, environmental compliance and efficiency. The DPMS offers the following features and benefits:

• Large suite of proven power-industry I/O and data communication interfaces allowing the system to provide both information and control system functions, and easy integration with existing sensors and systems

• Large, proven library of application programs (APs) and software incorporating the Westinghouse nuclear steam supply system (NSSS) knowledge base, including safety parameter display system (SPDS) applications

December 2010 NA-0029©2014 Westinghouse Electric Company LLC. All Rights Reserved

9



• Application builder graphical user interface allowing customers to maintain and construct new application programs without the need to learn programming languages such as C or C++

• Presentation, trending and redundant storage of live and historical plant data to plant engineering and information systems via standard, open interfaces

• Comprehensive cyber-secure interface solutions with plant-wide and fleet-wide LAN/WAN

• Ability to integrate DPMS functions with other control and monitoring applications in a single system architecture that supports both small and large systems, offering the capability to interface with safety systems and phased future upgrades

• Large experience base of over fifty pressurized water reactor and boiling water reactor retrofits, and new plant computer implementations

• Platform equipment consistency providing more familiarity among all users, improved operator performance and improved system performance

• Reduced need and subsequent cost of maintenance, spare parts, training, and number of supplier interfaces

Using the powerful Ovation open architecture and innovative control and monitoring system, combined with an application server, user-friendly development tools and standard program libraries, the Westinghouse DPMS provides an unprecedented

level of performance, power and flexibility to solve plant computer and monitoring system needs. The DPMS is an excellent starting point for a plant I&C upgrade program. Providing a clear migration path for future upgrades and control system applications, the Westinghouse DPMS is a true investment that can be leveraged for future applications with savings in spare parts, training, maintenance and infrastructure costs.

Typical data processing and monitoring system architecture

Engineering/Database /DomainDeveloper Station

EDS Server

Reactor Operator Station

Redundant Controller(s)

Remote or Extended I /O

Turbine Operator Station

Redundant Application

ServersAdvant Ovation

Interface Gateway (*4)

Redundant Real Time Data

Network

Redundant Historians

Security (Anti-Virus) Host

Supervisor Operator Station

Data Link Application Server

Enterprise Firewall /VPN/IPS

Data Link I/O

Safety System

Technical Support or Operations

Support Center Operator Stations

Control Room

Control and Monitoring I/O Computer Room

EDS Client

Enterprise Network

PI Server

Router

Optional Router

E S T E S T

Field Network

Ethernet Link

Controller

SYST RPS

STRT DUPLXSPEEDUTIL

MODE

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Catalyst 2950 SERIES10Base-T/100Base-TX

Color Printer

Field Devices

GPS RECEIVER/NTP

SYST RPS

STRT DUPLXSPEEDUTIL

MODE

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Catalyst 2950 SERIES10Base-T/100Base-TX

Ovation® is a registered trademark of Emerson Process Management Windows® is a registered trademark of the Microsoft Corporation

10

Nuclear Automation

Application Server and Application Programs

April 2011 NA-0071©2014 Westinghouse Electric Company LLC. All Rights Reserved

BackgroundThe application server provides the platform within the data processing and monitoring system (DPMS) architecture for running complex calculation and monitoring software applications. The server receives data from the DPMS network, performs run-time calculations and transmits the results back to the network. The data can be displayed on plant computer graphics, or as part of the point review or trending features.

Application servers can also be deployed as data link servers or gateways, configured to stand alone or operate as a dual, redundant pair.

DescriptionApplication servers used to run plant calculations are typically configured using a hot standby redundancy.

The redundant application servers consist of two separate and identical sets of server hardware and software. A concurrent redundancy scheme is used to execute applications, with both the primary and the partner running on a continuous basis. The primary server broadcasts its data to the DPMS information and control network. Its partner executes the same functions as the primary, but does not broadcast its data to the DPMS information and control network until the primary server goes offline.

Application Programs

The application programs are constructed from a set of function blocks that perform calculations. Function block-based application programs are generated by the application builder tool. Application programs may also be generated from a custom source code, which interacts with the functions provided by the application server.

Application Builder Displays

Application builder displays provide a visual representation of the calculation logic using the application builder graphical user interface (GUI). These displays are intended to be used for performing detailed checks of the calculation logic, or for testing or debugging purposes.

Applications Library

Westinghouse maintains a comprehensive set of standard function blocks for application program implementation. The base set of function blocks includes basic arithmetic and logic function blocks, as well as more complex function blocks that perform calculations, such as flow corrections and averages of redundant sensors.

Delta Flux – The purpose of the delta flux program is to compute and monitor the delta flux in the reactor core and to alert the operator when the “delta flux” alarm conditions are encountered. This program can also be interfaced to Westinghouse’s BEACON™ core monitoring program to improve the accuracy of the delta flux information.

Radial Flux Tilts – The radial flux tilts program monitors the symmetry of the radial power distribution in the reactor core and informs the reactor operator of undesirable conditions, should they exist.

Application server and application programs

11



Flow Corrections – The flow corrections application serves other programs, such as the primary plant performance program, by calculating corrected flow rates to account for differences between actual and calibrated sensor conditions.

Level Corrections – The level corrections program corrects level indications for density and measurement elevation to compensate for differences between actual and calibrated conditions.

Plant Mode Determination – The plant mode determination program monitors predefined sets of selected plant parameters to determine the current plant mode of operation.

Primary Plant Performance Calorimetric – The primary plant performance application calculates the reactor thermal power output.

Rate of Change – The rate of change program calculates gradients that indicate the amount and direction of the changes to the measured value per time unit.

Redundant Sensor Algorithm – The redundant sensor algorithm application produces a single average output from input groups of two to 16 signals. The redundant sensor algorithm application compares these signals to each other to obtain an average value and an associated quality.

Time Averaging – The time averaging application provides a running average of an input over a predefined time period to support other application programs.

Balance of Plant Performance Monitoring – The balance of plant performance monitoring application is intended to alert the plant performance and/or system engineering staff of the potential need for equipment maintenance, or of changes in plant operating conditions, which result in reduced electrical output generation.

Sump Level Monitor – The sump level monitor program provides an estimate of the total sump inflow based on sump level measurements over time.

Primary System Leak Rate – The primary system leak rate program calculates the reactor coolant system leakage rate, as defined by U.S. Nuclear Regulatory Commission (NRC) Regulatory Guide 1.45.

Emergency Response Facility Applications – This set of calculations includes applications required by NRC Regulatory Guide 1.97, NUREG-0737 and NUREG-0696.

It is comprised of calculations required to support safety parameter displays and emergency response guidelines.

DPMS Base Application Programs

As part of any base DPMS, the following application programs are typically included. In many cases, some degree of software modification/configuration is required to align the application programs to the customer’s specific plant design. This reconfiguration is simplified using the function block approach to implementing applications.

• Primary plant performance calorimetric calculation

• Redundant sensor algorithm

• Signal smoothing

• Rate of change

• Time averaging

• Plant mode

• DPMS customized applications programs (optional)

BenefitsThe application server provides the stability, power and flexibility needed to support modern information and control systems. Using commercially available workstations and operating systems, the application server offers an unprecedented level of performance and power.

The application server is fully compatible with the data processing and monitoring system’s information and control network.

BEACON is a trademark or registered trademark of Westinghouse Electric Company LLC in the United States and may be registered in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited.

©2015 Toshiba Corporation

E2-2015-000265 Rev.0 (1/2)

Benefits

Toshiba has developed Field Programmable Gate Array (FPGA)-based Startup Range Neutron Monitor (SRNM), Power Range Monitor (PRM), Oscillation Power Range Monitor (OPRM), and Traversing In-core Probe (TIP) for BWRs.

The SRNM monitors neutron flux from the source range to about 35% of the rated power. The SRNM system consists of the SRNM detector, pre-amplifier, and SRNM unit. The SRNM system is safety related system.

The PRM monitors neutron flux in the power range. The PRM system consists of the Local Power Range Monitor (LPRM) detector, LPRM/Average Power Range Monitor (APRM) unit, and the Flow unit. The OPRM monitors thermal hydraulic instability by receiving LPRM signals. The OPRM sub-system consists of OPRM unit. The PRM system including OPRM is safety related system.

The Traversing In-core Probe (TIP) system measures axial distribution of neutron/gamma flux in reactor core. The measured flux data is provided to plant process computer for gain calculation of Local Power Range Monitor (LPRM). The TIP system consists of a detector which moves through the reactor core, a driving mechanism which drives the movable detector, indexing mechanism which sends the movable detector to the indexed guide tube, Drive Control Unit (DCU)/Flux Probe Monitor (FPM) which controls the drive and measure the neutron/gamma flux from the detector signal, and a TIP-IF which provide data transfer to plant process computer and Human Machine Interface (HMI) for operator. TIP system is non-safety related system.

High Reliability

Mechanical driving of detector and manual range switching are eliminated from the SRNM system. This improves reliability of operation of the SRNM system.

Mechanical improvement are achieved in the mechanical component of the TIP system. This improves reliability of operation of the TIP system.

Longer Product Lifetime 15 years or more product lifetime by applying FPGA technology to signal processing

unit.

Less Maintenance The signal processing method of FPGA circuit is digital, so there is no drift

Applicable to Conventional BWR designs Toshiba FPGA based SRNM, PRM, and TIP are applicable to conventional BWR designs.

TIP Indexing Mechanism

TIP Driving Mechanism FPGA-based Units

17

12


E2-2015-000265 Rev.0 (2/2)

Replacement Technology and Experience

TOSHIBA 47%

Proximity S witch

Vessel Drive Control Unit

Plant Processing Computer Driving

Mechanism

TIP Detector

Flux Probing Monitor

TIP Main Control Room Panel

Indexing Mechanism

Purge Air/N 2

Shield Chamber

Valve Assembly

Penetration

Purge Line Valve

Valve Control Monitor

X - Y Recorder

：Phase 1 : Phase 2 : Phase 3

TIP system phased upgrade (Example)

Counter

Experience Toshiba FPGA-based SRNM has been installed to 2 Japanese BWR plants and FPGA-based PRM has been installed in 4 Japanese BWR plants.

Toshiba TIP system has been applied to 19 Japanese BWRs (4 of 19 are FPGA based TIP) including replacement from original system provided by supplier other than Toshiba. Toshiba FPGA based TIP system has been installed in an European BWR in 2011, and is operating since November 2011. In addition, Toshiba FPGA based TIP system will be installed in two more European BWRs in 2016 and 2017.

Upgrade Features Toshiba FPGA based SRNM, PRM, and TIP are applicable to conventional BWR designs.

In addition, for TIP system, Toshiba has experience of partial upgrade of TIP system as well as full scope system upgrade. Because the interface of Toshiba TIP component is compatible with existing conventional TIP components, partial upgrade can be done for each component without any additional external cables. The partial upgrade capability enables a phased upgrade approach which provides flexibility to the upgrade plan.

Followings are example of typical phased upgrade of TIP system:

In the Phase 1, the existing mechanical counter in the driving mechanism, Drive Control Unit, Flux Probing Monitor, and X-Y recorder are replaced (red colored portion).

In the Phase 2, the existing indexing mechanism, driving mechanism, and the proximity switch are replaced (blue colored portion).

In the Phase 3, the existing valve control monitor and the guide tube are replaced (light green colored portion).

13


E2-2015-000257 Rev.0 (1/2)

Benefits

The Traversing In-core Probe (TIP) system measures axial distribution of neutron/gamma flux in reactor core. The measured flux data is provided to plant process computer for gain calculation of Local Power Range Monitor (LPRM). The TIP system consists of a detector which moves through the reactor core, a driving mechanism which drives the movable detector, indexing mechanism which sends the movable detector to the indexed guide tube, Drive Control Unit (DCU)/Flux Probe Monitor (FPM) which controls the drive and measure the neutron/gamma flux from the detector signal, and a TIP-IF which provide data transfer to plant process computer and Human Machine Interface (HMI) for operator. TIP system is non-safety related system.

ProximitySwitch

Vessel

Control Room

TIP IF

DrivingMechanism

Local Control Panel

Plant Processing ComputerDriving

Mechanism

TIPDetector

DCU/FPM

Purge Air

Main Control Room Panel

IndexingMechanism

Local Control Box

Purge Air

Transformer Panel

JunctionBox

AmplifierUnit Box

Shield Chamber

Valve Assembly

PCV

Penetration

Core Bottom

Core Top

High Reliability for Mechanical Components Application of inverter motor to the driving mechanism improves speed control, reduces

mechanical failures. Elimination of chain parts from the driving mechanism reduces mechanical failures The cable limit switch of the indexing mechanism does not receive vibration during detector

driving. This design improves the reliability of the indexing mechanism. The fixture design has been improved not to loosen the position of the cam limit switch of the

indexing mechanism. This design improves the reliability of the indexing mechanism.

Longer Product Lifetime 15 years or more product lifetime by applying FPGA technology to the DCU/FPM

Less Maintenance The signal processing method of FPGA circuit is digital, so there is no drift Electrical components are separated from the driving mechanism and installed in the local

control panel. This improvement reduces radiation exposure during maintenance of electrical components.

Full Automatic Scan Scanning time: 1.5 hours To start a full auto TIP scan, only a simple operator action is required. (No additional operator

action is required during scanning.)

18

14


E2-2015-000257 Rev.0 (2/2)


TOSHIBA 47%

Proximity S witch

Vessel Drive Control Unit

Plant Processing Computer Driving

Mechanism

TIP Detector

Flux Probing Monitor

TIP Main Control Room Panel

Indexing Mechanism

Purge Air/N 2

Shield Chamber

Valve Assembly

Penetration

Purge Line Valve

Valve Control Monitor

X - Y Recorder


Counter

Partial Upgrades As well as full scope system upgrade, Toshiba has experience of partial upgrade of TIP system. Because the interface of Toshiba TIP component is compatible with existing conventional TIP components, partial upgrade can be done for each component without any additional external cables. The partial upgrade capability enables a phased upgrade approach which provides flexibility to the upgrade plan.

Followings are example of typical phased upgrade:

In the Phase 1, the existing mechanical counter in the driving mechanism, Drive Control Unit, Flux Probing Monitor, and X-Y recorder are replaced (red colored portion).

In the Phase 2, the existing indexing mechanism, driving mechanism, and the proximity switch are replaced (blue colored portion).

In the Phase 3, the existing valve control monitor and the guide tube are replaced (light green colored portion).

Experience Toshiba TIP system has been applied to 19 Japanese BWRs (4 of 19 are FPGA based TIP) including replacement from original system provided by supplier other than Toshiba.

Toshiba TIP system has been installed in an European BWR in 2011, and is operating since November 2011.

In addition, Toshiba TIP system will be installed in two more European BWRs in 2016 and 2017.

TIP system phased upgrade (Example)

15


ABCD

LPRMDetector

Reactor Core

PCV

Cover Tube

.

.

.

.

.

Rec

ircul

atio

n Fl

ow S

igna

l

Flux

Sig

nal

FT

Flow Unit

APRM/LPRM Unit

RBM

PRM Panel

Process C

omputer

DCF

LPRMConnector

PLRPump

FT

FlowTransmitter

OPRMUnit

Main Control RoomReactor Building

E2-2015-000272 Rev.0 (1/2)

Benefits

The Power Range Monitor (PRM) system monitors neutron flux in the power range. The PRM system consists of the Local Power Range Monitor (LPRM) detector, LPRM/Average Power Range Monitor (APRM) unit, the Flow unit, and the Oscillation Power Range Monitor (OPRM). The PRM system is safety-related system.

Toshiba has developed Non-rewritable (NRW) Field Programmable Gate Array (FPGA)-based PRM. Toshiba submitted a licensing topical report including Toshiba NRW-FPGA-based system design and development processes, and qualification result of NRW-FPGA-based PRM system to US-NRC for review and approval. Toshiba expects that the U.S. NRC approval will be provided in a Safety Evaluation Report (SER).

Longer Product Lifetime 15 years or more product lifetime by applying FPGA technology

Less Maintenance The signal processing method of FPGA circuit is digital, so there is no drift

Expecting Safety Evaluation Report (SER) Toshiba submitted a licensing topical report including Toshiba NRW-FPGA-based

system design and development processes, and qualification result of NRW-FPGA-based PRM system to US-NRC for review and approval. Toshiba expects that the U.S. NRC approval will be provided in a Safety Evaluation Report (SER).

19

16


E2-2015-000272 Rev.0 (2/2)


Replacement Features To replace the PRM system, existing components are removed from the existing PRM panel, and new PRM components (green colored portion) will be installed in the panel. Toshiba PRM components are designed to fit with conventional PRM panel so that the existing panel can be reused. Also, existing LPRM detector, flow transmitter, or cables can be reused because Toshiba FPGA based PRM is system compatible with conventional PRM design.

Experience FPGA technology has a long history of application in satellites, military equipment, aerospace and aircraft systems, etc.

Toshiba FPGA-based PRM has been applied to 4 Japanese BWR plants.

Scope of Upgrade

ABCD

LPRMDetector

Reactor Core

PCV

Cover Tube

.

.

.

.

.

Rec

ircul

atio

n Fl

ow S

igna

l

Flux

Sig

nal

FT

Flow Unit

APRM/LPRM Unit

RBM

PRMPanel

Process C

omputer

DCF

LPRMConnector

PLRPump

FT

FlowTransmitter

OPRMUnit

Main Control RoomReactor Building

17


E2-2015-000279 Rev.0 (1/2)

Longer Product Lifetime / Less Maintenance

• FPGA based Radiation Monitor – 15 years or more product lifetime longer than Conventional CPU based product – The signal processing method of the FPGA circuit is digital, so there is no signal drift. High Reliability application

• Single channel Radiation Monitor – Configured with FPGA module only (not using CPU) – Applicable to Safety and Important to Safety Purpose, due to Verifiable processing. Plant-wide application

• Multi-channel Radiation Monitor with network communication – Core functions (Signal Processing, Trip judgment) are implemented on FPGA

technology – External Communication functions are implemented on CPU – Applicable from small configuration to plant-wide configuration – Seamless Radiation Monitoring & Control by the communication with other system

Benefits

The RMS consists of radiation monitor, detector, and local equipment. Toshiba has developed Radiation Monitor applying Field Programmable Gate Array (FPGA) technology. FPGA-based process is signals by hardware only. Therefore, the signal processing or trip judgments do not use a microprocessor in core functions.

Radiation Monitor line-up includes Single channel and Multi channel type. Single channel Radiation Monitor is processing one signal from one detector.

Multi-channel Radiation Monitor is processes various signals from various detectors. Signal processing provides dose rate, count rate, and pulls count for radioactivity concentration. Parameters are input centrally from the front panel or from network. CPUs are used for non-safety portions (e.g. panel operation and communication interface).

Multi-Channel Radiation Monitor with Network Communication Single Channel

Radiation Monitor

21

18


Replacement Plan

RMS consists of detectors, signal cables, Radiation Monitors, and/or local equipment (e.g. sampling rack, gas/liquid sampler). In general, RMS components in an operating nuclear power plant can be reused mechanical components such as local equipment. But electrical components, such as Radiation Monitors, should be replaced periodically, because of product life cycle. Toshiba RMS components can be applying the partial replacement situations.

Followings are examples of typical phased upgrade for partial replacements:

In the phase 1, the existing detectors, cables, and/or local equipment are evaluated to reuse or not (light green colored portion).

In the Phase 2, the existing Radiation Monitor and detectors which can not be reused are replaced (red colored portion).

In the Phase 3, the communication function and customization of Human Machine Interface can be upgrade (blue colored portion).


E2-2015-000279 Rev.0 (2/2)

Experience FPGAs have a long history of application in satellites, military equipment, aerospace, and aircraft systems. Toshiba has a large experience base of installed FPGA-based radiation monitoring systems – over 300 units in 11 Japanese BWR plants.

Control Room Panel


Electrical, Analog (Max 100m) Existing Detector

Electrical, Digital (Max 400m)

Optical (Max 1,500m)

Detector

Detector O/E Converter

ON/OFF signal Integrated HMI

Multi-channel Radiation Monitor

Plant Processing Computer

Three Phases Replacement Example

Existing Detector

Local equipment

PLC

Pla

nt N

etw

ork

Pla

nt N

etw

ork

Local Alarm

ON/OFF signal

Detector

Local Alarm

Multi-channel Radiation Monitor

19


Benefits

E2-2015-000280 Rev.0 (1/2)

Sophisticated HMI • Integrating radiation monitoring to plant parameter display • Communicate radiation monitor with controller and HMI computer via network

Synergy to Control Function • Setting parameters and HMI can be modified with the same engineering tool used in control system • The data recording is performed in the same manner of control system • Sampling rack control operation is performed by the communication between sampling rack

controller and control system HMI • Portable radiation monitor (e.g. aerosol monitor) can be added to the same network.

Improvement of Operator Actions • Can provide suggestions of the control actions to be taken by operators using integrated information

from Radiation monitoring and other plant parameters

PRMS with Sampling Configuration

ARM or PRMS Configuration

Portable RMS Configuration CNT

Wireless Unit Wireless communication base

Wireless Unit Wireless communication base

Portable Area Monitor

Portable Dust Monitor

20

20



E2-2015-000280 Rev.0 (2/2)

Local Panel

close

purge

RMS Panel

5.00E2cpm

CH2

open

close

recorder

HVAC Control

Panel

Sampling Rack

normal

calib.

2.00E1cpm

detector

CH1

Issues Limited monitoring and operation of field equipment from MCR (need access to field) Limited communication to/from other system (need access to other system) Operation is done manually (need refer to the paper procedures)

Alarm Indicator

RM

ARM Configuration

CNT

Detector

PRMS w/o Sampling

Configuration

RM

PLC

RM

Our Solution Providing integrated plant radiation monitoring and other plant parameters and information on the same

sophisticated display Interaction to/from plant control function and Information Suggestion of necessary action to be taken by operator on HMI

Control room Sampling room

<Before>

<After> Data Server

RM: Radiation Monitor CNT: Network Controller

: CPU based Component : FPGA based Component : multiplexing transmission : discrete transmission

HMI: Human Machine Interface PLC: Programmable Logic Controller

PRMS: Process Radiation Monitoring System ARM: Area Radiation Monitoring System

21

22

© 2014 Toshiba Corporation

E2-2015-000259 Rev.0 (1/2)

Benefits


Easy Installation Can be installed by one personnel without any construction work (only connecting to the

power supply). Quick solution of radiation monitoring for temporary work area.

Easy Data Collection Provide remote data monitoring and collection via network (Ethernet port is equipped as

standard). Exposure of personnel with survey can be reduced.

Easy Recognition Provide easy recognition for personnel in work area with large display and alarm.

Easy Maintenance No need to replace dust monitor filter for about 40 days. Frequent access to the equipment for

maintenance is not required.

Adhesion Mechanism

Dust Collection & Measurement Mechanism

Detector

Inlet Outlet

Rolled Continuous Filter

Rolling up Mechanism

Trend Data

Control Room

Portable Area Monitor

Portable Dust Radiation Monitor

4.Easy Maintenance

2.Easy Data Collection

1.Easy Installation 3.Easy Recognition

Measurement Data Collection & Centralized Monitoring

The Portable Radiation Monitors provide quick solution of radiation monitoring for temporary work area. Toshiba Portable Radiation Monitors can be installed by one personnel without any construction work, and can provide remote data monitoring and collection via network.

23

© 2014 Toshiba Corporation

E2-2015-000259 Rev.0 (2/2)



Installation Toshiba Portable Radiation Systems can be installed by one personnel without any construction work (only connecting to the power supply).

Line-up Toshiba Portable Radiation Monitoring System line-up includes: Portable Dust Radiation Monitor (for Radiation Aerosol Monitoring) Portable Area Monitor (for Work Area Ambient Dose Rate Monitoring)

Features Portable Dust Radiation Monitor Provide continuous monitoring of volumetric activity of radioactive aerosols in the work area. No need to replace filter for about 40 days. One-year calibration cycle recommended for detector Low bypass leak of sampled air by using filter adhesion mechanism Designed based on Japanese Industrial Standard JIS Z 4316 (Standardized based on IEC 60761-1

and IEC 60761-2)

Portable Area Radiation Monitor Provide continues monitoring of work area ambient dose rate (mSv/h). Large display for easy to read data. Small and light weigh. Lower detectable ambient dose rate One-year calibration cycle recommended for the detector Designed based on Japanese Industrial Standard JIS Z 4324 (Standardized based on IEC 60532)

Specifications

Experience Toshiba has extensive experience in supplying nuclear non-safety and safety-related I&C systems in Japan. Toshiba has a large experience of radiation monitoring systems – over 300 units in 11 Japanese BWR plants. Toshiba portable dust radiation monitor have been installed in Japanese Nuclear power plants.

Portable Dust Radiation Monitor Radiation detected: beta (gamma) ray Detectable limit:1x10-5 Bq/cm3(BG:0.1 μSv/h) Sampling flow: 15ℓ／min Weight:approx.30Kg(dividable) Outer dimensions: approx. 500Wx770Hx430D

(mm) Main power supply: AC100V 10%

Solar power/battery (optional) Communications: Ethernet (wired) Wireless (optional)

Portable Area Monitor Radiation detected: gamma ray, X ray Measurement range: 0.1 – 999 μSv/h Weights: main unit: 2.6kg detector: 0.4kg Outer dimensions: main unit: approx. 350Wx70Dx200H (mm) main unit: detector: approx. 70Wx40Dx160H (mm) Main power supply: AC100V 10%

Solar power/battery (optional) Communications: 0-1VDC(analog) Ethernet (wired)

Wireless (optional)


E2-2015-000278 Rev.0 (1/2)

Benefits

In nuclear power plants, detection of fuel failure is important to inhibit release of nuclides and activated products in off-gas. In general, the off-gas is sampled by Vial Sampler, and radio nuclides analysis is periodically conducted or at the time of need. Toshiba has developed the High-Sensitivity Off-Gas Monitor which enables continuous measurement of various nuclides and early detection of fuel failure.

Early Detection of fuel failure

Earlier detection of fuel failure than a manual operation. The standard response time during power suppression test is 10 minutes or less. The measurement time can be change in 1 to 90 minutes according to a customer needs. (The measurement time is the response time except time required for passing the Special Line.)

Continuous measurement

Continuous measurement of nuclides and data backup can be achieved without interrupting measurement.

The time period for the trend display is able to set from 5minutes to 24hours, or select from 1, 7, 15, 30 or, 90 days.

Alarms are outputted when measured values of each nuclide are beyond alarm set points.

Easy Maintenance

No refill of liquid nitrogen is required more than one year in order to cool Liquid nitrogen evaporated and use it again to cool Ge detector. Even if a power source for the Cooling System with Liquid Nitrogen Evaporation Arrester is lost, the measurement can be continually conducted for about one week.

Off-

gas

FIC

to SJAE

to sampling rack of off-gas monitor

D-MCA

to plant network

Ge detector

LN2

Special Line for decreasing 13N

Freezer

22

24


E2-2015-000278 Rev.0 (2/2)


Description

High-Sensitivity Off-Gas Monitor measures various nuclides, such as Xe-133, Xe-135, Xe-137, Xe-138, Xe-135m, Kr-87, Kr-88, Kr-89, Kr-85m, N-13, and low concentration noble gases, such as Xe-133 and Xe-135, which are very effective to detect fuel failure.

The monitor consists of a local monitoring equipment and a personal computer in Main Control Room which are connected with Ethernet. The local monitoring equipment consists of a Ge Detector and a digital multichannel analyzer (D-MCA), a Cooling System with Liquid Nitrogen Evaporation Arrester, and personal computers, etc. The Liquid Nitrogen Evaporation Arrester is hermetically sealed, and no refill of liquid nitrogen is required more than one year.

The energy information obtained from signal outputs of the Ge detector is recorded as spectrum data by D-MCA. Past data are analyzed for each expected nuclide, and analysis results are transmitted to the personal computer in the Main Control Room. The analysis results from the local monitoring device are displayed in the Main Control Room as trend for each nuclide, and alarms are outputted when measured values of each nuclide are beyond alarm set points. The time period for the trend display and types of nuclides to be displayed can be selected. The past data are recorded more than one month in the local monitoring device, and more than a year in the Main Control Room.

High-Sensitivity Off-Gas Monitor provides the following features; High resolution: Energy resolution of 750eV or less (for input count rate up to 100kcps) can be

satisfied. High reliability: Energy resolution fluctuation is less than 20% (for input count rate up to

100kcps) Peak-shift is 0.1keV or less (for input count rate up to 100kcps) Count rate error is 10% or less (for input count rate up to 100kcps)

Replacement plan

In general, the off-gas is sampled at some point of the off-gas process line of BWR plant. And for the purpose of detection of fuel failure, the pre–treatment off-gas is usually sampled by sampling system from process line of the off-gas treatment system.

Local monitoring equipment of High-Sensitivity Off-Gas Monitor can be sampled by the branched existing sampling lines.

Return line of the local monitoring equipment of High-Sensitivity Off-Gas Monitor will be connected to the steam jet air ejector (SJAE). Because of the evacuation force of SJAE, there are no sampling pump for High-Sensitivity Off-Gas Monitor.

Experience

Toshiba has extensive experience in supplying nuclear non-safety and safety-related I&C systems in Japan. Toshiba has a large experience of radiation monitoring systems – over 300 units in 11 Japanese BWR plants.

Toshiba has provided this system to Japanese 4 nuclear power plants, and is up to introduce this system to 4 nuclear power plants. In addition, Toshiba High-Sensitivity Off-Gas Monitor will be installed in 4 more BWRs.

25


E3-2015-000065 Rev.0 (1/2)

High Reliability When any single failure occurs within the system, the RMCS will stop all control rod movements. RPIS continues to monitor control rods positions. The system has been in operation for over 300 operating reactor years without a critical malfunction.

Improved operability

RMCS continues to move control rods by using a bypass function when a single failure exists in the RMCS. This achieves a good balance between high reliability and improved operability.

Easy Maintenance

Digital controllers are used for RMCS and RPIS, and this makes maintenance for RMCS and RPIS easy.

Compatible to general BWR system design

Toshiba has replaced RMCS and RPIS which were provided originally by suppliers other than Toshiba.

Benefits

The Reactor Manual Control System (RMCS) controls control rod movement using four directional control valves and Rod Position Information System (RPIS) monitors control rod position by receiving signals from position indicate probes.

Toshiba’s RMCS has fully dual configuration and RPIS has duplex configuration.

CPU CPU

SW

PO PO

Directional Control Valves

RMCS: Dual configuration

HMI

CPU CPU

PI

PIP

RPIS: Duplex configuration

CRD

PIP

CR

CR :Control Rod CRD : CR drive PIP : Position Indicator Probe DCV: Directional Control Valve

DCVs

RMCS

RPIS Display

or ANN

SW

By applying these configuration, our RMCS has no unexpected control rod motion due to single failures and our RPIS keeps continuous display of all rods even in case of one controller failure occurs.

23

26



E3-2015-000065 Rev.0 (2/2)

Experience

Successful operation in 18 BWRs in Japan. (BWR-2/4/5)

Toshiba digital RMCS and RPIS have operated over 300 operating reactor years with no critical malfunctions.

Turn-key project by Toshiba

Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.

Replacement of general BWR system

Toshiba has replaced RMCS and RPIS which were provided originally by suppliers other than Toshiba.

Replacement features

Partial upgrades RMCS/RPIS consists of the cabinets in main control room and equipment located in local area. Toshiba proposes partial upgrade plan which upgrades only components in the cabinets in main control room and reuse existing equipment in local area.

Other features of upgrades

Toshiba digital RMCS and RPIS offers: • Human Machine Interface (HMI) is

selectable: a Video Display Unit (VDU) Type or Conventional Type depending on user preference

• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depends on plant type)

– HMI controls and indicators – Cables between PIP and auxiliary RPIS

panel – Control cabinet Example of partial upgrade

Conventional type HMI

Video Display Unit type HMI

Human Machine Interface

(HMI)

RPIS CPU-1

RPIS CPU-2

RPIS PI/O

MCR Local

RMCS Cabinet

RPIS Cabinet

PIP

DCV (HCU)

RMCS CPU-1

RMCS CPU-2

RMCSPI/O

Local Component for rod motion

: upgraded

: reused


Toshiba digital RMCS and RPIS is available for: • Replacement of Solid State type • Replacement of Relay type

27


E3-2015-000070 Rev.0 (1/2)

High Reliability

When any single failure occurs within the system, the RC&IS shall stop all control rod movement and shall continue to monitor control rod positions.


RC&IS will continue to move control rods by using bypass function when a single failure exists in the RC&IS. This achieves a good balance between high reliability and improved operability.

Easy Maintenance

Digital controllers are used for RC&IS, and this makes maintenance for RC&IS easy.

Benefits

The Rod Control and Information System (RC&IS) controls control rod movement using four directional control valves and monitors control rod position by receiving signals from position indicate probes.

Toshiba’s RC&IS has fully dual configuration so no unexpected control rod motion due to single failures and continuous display of all rods even in case of one controller failure occurs by applying duplex configuration.

CRD PIPs

CR

CR :Control Rod CRD : CR drive PIP : Position Indicator Probe DCV: Directional Control Valve

RACS-A

RGDS-B HMI

RPC-A

RPC-B

RGDS-A

Local Component for position indication


Local Component for rod action


DCVs

Fully Dual Configuration

RACS-A

RACS :Rod Action Control System RPC : Rod Pattern Controller RGDS : Rod Gang Drive System HMI : Human Machine Interface

:Digital Controller (dual configuration) :Safety-related components

24

28



E3-2015-000070 Rev.0 (2/2)

Experience

Successful Operation in 18 BWRs (BWR-2/4/5) and 2 ABWRs in Japan.

Toshiba digital RMCS (Reactor Manual Control System) / RPIS (Rod Position Indication System) and RC&IS have operated over 300 operating reactor years with no critical malfunctions. Toshiba proposes an solution of RC&IS for BWR-6 based on the extensive experience of RMCS/RPIS for BWR-2/4/5 and RC&IS for ABWR.

Turn-key Project by Toshiba


Replacement of OEM RMCS/RPIS System

Toshiba has experience to replace RMCS/RPIS which were provided originally by suppliers other than Toshiba.

Toshiba’s Experience on Safety-Related Application

Toshiba submitted the LTR for FPGA-based I&C system for safety-related application to NRC. In the LTR, it is confirmed that Toshiba’s process complies with codes & standards such as ISG-06.


Phased upgrades

Toshiba digital RC&IS consists of following four portions and Toshiba proposes each portion of RC&IS step by step;

RACS-A

HMI

RPC-A

RPC-B

RGDS-A





RACS-B

• RACS and RGDS (in main control room (MCR) cabinets)

• RPC (same as above) • Local components related to rod

action, and • Local components related to

position indication.

Other features of upgrades

• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depends on plant type)

– HMI controls and indicators – Cables between MCR and local – Control cabinet

RGDS-B

Example of phased upgrade

Phase 1

Phase 2

Phase 3

29


E4-2015-000032 Rev.0 (1/2)

No critical malfunctions for more than 30 years Toshiba RWM has dual controllers and console Human Machine Interface (HMI) system, and any single failure doesn’t impact the controller functions of the RWM. The system has been in operation for more than 30 reactor operating years without a critical malfunction.

Compatible design to general BWR RWM

Toshiba RWM can be connected with existing facilities, e.g. RMCS/RPIS, Plant Computer Systems (PCS) via Ethernet and/or hard wired cables. Toshiba has lots of experience on replacing / upgrading RWM systems which were originally designed by other suppliers

Benefits

A Rod Worth Minimizer (RWM) monitors the operation of control rods and sends a rod action block signal to Reactor Manual Control System (RMCS) if the operation violates a pre-installed withdrawal sequence when below the Low Power Set Point (LPSP). Our RWM has a dual controller configuration for continuing to control and monitor when a single device failure. The Fail-As-Is design required for a RWM system is retained.

RMCS/ RPIS

Rod Control Panel

Indication/ Operation

CR position information and

control signal

CR position information

RMCS : Reactor Manual Control System RCIS : Rod Position Information System

RWM HMI

RWM Controller

(A)

RWM Controller

(B)

Interface Unit

Display & Console - Sequence edit - Operation guidance - Position information - Operation log - Maintenance tool

Rod action block signal

Rod Worth Minimizer System


Toshiba RWM has an advanced Human Machine Interface (HMI) to set/edit a control rod (CR) withdrawal sequence and to ensure correct CR operations by the operations guidance displayed on the HMI.

MM-DD-YYYY (Fri) HH:MM 824MW

CR OPE GUIDE

SELECT LATCH 44 > LPAP INSERTION ERROR WITHDRAWAL ERROR

START UP

GENERATOR

CORE THERMAL

CORE FLOW

RWM APRM

RBM

NEXT 10-43 16⇒18

ARPM / RWM

Sequence language for behavior accountability

Toshiba can supply the RWM software based on your requirements without obsolete software source code of the existing RWM. Toshiba RWM uses a sequence language so that it makes user’s analysis of the system behavior easy.

25

30


Upgrade features Various upgrade methods (1) Full upgrades: A full set of controllers and dedicated HMI (2) Small Scale Solutions: A RWM is generally a part of the PCS. The RWM portion can be replaced separately from the PCS as a partial upgrade strategy to address obsolete or problem components. Reuse of original facilities like cabinets, signal cables, network cables etc. where possible.


E4-2015-000032 Rev.0 (2/2)

Experience

Successful operation in 19 BWRs in Japan. (BWR-3/4/5 and ABWR) Toshiba is the leading supplier of BWR RWM in Japan. Toshiba RWMs have operated over 33 reactor operating years for BWR, and 21 years for ABWR, with

no critical malfunctions.

Turn-key project by Toshiba Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software

design, installation, modification, commissioning, and training.

Upgrades of general BWR system Toshiba has upgraded RWM which were originally designed by other suppliers. 13 BWR RWMs in

Japan have been upgraded.

RWM Display CR Guidance

CMS (B)

RWM PLC

PIP reed switch

RPIS

CMS (A)

Existing BOP PCS

Existing BOP PCS

Main Control Room

RWM Server (HMI)

CMS HMI Online

TIP PLC

Existing Data

Acquisition

Existing Fieldbus Isolator

Existing I/O

CR Sequence Edit Display

CMS HMI Online

Office IP Network

Plant Computer IP Network

TIP Data

CR Position

Power Range Neutron Monitor

LPRM Data

CR Position

31

32

Background

Westinghouse has developed common turbine control solutions for pressurized water reactors (PWRs) and boiling water reactors (BWRs). The highly reliable Westinghouse turbine control protection system (TCPS) provides redundant control functions such as speed and overspeed control, load control, steam pressure control, valve testing, frequency control and turbine protection. The base control system can easily be expanded to provide additional functionality such as automatic turbine startup (ATS), moisture separator reheat (MSR) and the generator monitoring and turbine protection system (TPS).

The TCPS is based on the Emerson Ovation® product. The Ovation system is designed for the power industry and is flexible, easy to use and reliable, and provides advanced diagnostics. The Ovation system has no single points of failure that could cause disruptions or downtime. The Ovation TCPS can be a standalone application or can be expanded as part of a plant-wide control and information system. The Ovation family of hardware and software can easily be retrofitted to any type of utility plant process equipment, regardless of manufacturer.

The base TCPS system, combined with available electro-mechanical products such as pressure status manifolds, 2/3 trip manifolds, redundant linear-voltage differential transducer (LVDT) assemblies, speed probes and wheels, provides a comprehensive solution to address potential turbine-related problems.

DescriptionThe TCPS communication components consist of two fully redundant fast Ethernet switches that can be configured to allow for fan-out networks or to uplink to an existing Ovation network. The switches can be powered by two separate and independent power sources to provide redundancy and maximum system-fault tolerance. All drops (controllers and workstations) are dual attached to the network for added reliability. The system is designed so that the TCPS controllers

will continue to function, even if both switches fail and network communication becomes unavailable.

A typical TCPS will have two redundant controller cabinets: one used for the turbine control system (TCS) and one for the turbine protection system. Also included are two operation workstations that deploy soft controls using dual displays, an engineer’s workstation for configuring the system and an antivirus workstation. Additional functionality is provided by optional software packages and workstations, as required, to provide historian capability and domain controller redundancy, and to address cyber-security measures.

The base TCPS consists of two major functions: the operator automatic and overspeed protection. These two subsystems perform all required protective and operator auto functions including overspeed protection, speed control, overspeed trip, pressure control (BWR), load control, sequential valve control, valve transfer, valve testing, feedback loop initiation and remote control.

Additional optional functions can be added in separate redundant controllers as required. These include:

Typical system architecture

November 2010 NA-0026©2014 Westinghouse Electric Company LLC. All Rights Reserved

Nuclear Automation

Turbine Control and Protection

33

• TPS - This is a dedicated redundant controller that provides fast and effective protection to avoid damaging the turbine. Features of this option are first-out trip logic, median signal selection logic for critical inputs, and diverse overspeed trip that is testable on line.

• MSR Control - The MSR regulates the main steam flow, thereby controlling the MSR outlet temperature to the low-pressure turbine inlet. This control system can be included in the ATS/RSM or OA/OPC controller, or operate as a standalone.

• ATS and Rotor Stress Monitoring (RSM) - RSM is integrated with ATS functions within one controller. ATS/RSM calculates and utilizes rotor stress information and other monitored turbine parameters, then automatically accelerates or loads the unit and alerts the operator about turbine/generator alarm conditions. An expanded graphics package with turbine, generator and auxiliary-system displays is provided with this option.

Integral components in the TCPS are the speed-detector module and valve-positioner module (RVP), which are special inputs/outputs (I/O) designed exclusively for turbine-control applications. The speed-detector modules offer a unique and independent trip subsystem that allows hardwired overspeed protection to safety trip the turbine within 5 milliseconds from either the control system or the emergency terminal speed (ETS) overspeed, even if the redundant controllers are off line. The RVP modules allow automatic calibration of the LVDTs in cold- and hot-plant conditions to account for thermal growth, and provide a redundant interface to the control valve. These special I/O interface cards are fourth generation, and have 40 years of operating experience in the design.

Median selector logic is performed for all critical-control or protection-input control on individual analog inputs to protect against a single point of failure. Each input is read on separate I/O cards (each on a separate communication branch in the controller) to eliminate a single point of failure in the I/O hardware. This approach is used for all critical-control and protection-input parameters.

Once the vital inputs are scanned, the data is used to perform important functions such as overspeed protection, loss of load, and close-intercept valve or fast-valving closure action. These protective programs are executed approximately once every 50 milliseconds.

Operator automatic (OA) is the normal mode of operation. The operator enters a target and rate, which are validated by the system so that they will not damage the unit. Checks include verification that the speed target is not in a known blade resonance range, and that the rate does not violate the maximum allowable rate dictated by the turbine’s mechanical design. After a rate and target are accepted, the operator can start or stop the speed or load ramp using the display graphic interface. The OA then calculates a valve position demand and passes this setpoint to the valve positioner cards from the OA system.

Benefits• Improved process control, reliability, availability,

capacity and operability

• Minimized field tuning and risk of delays at startup following major turbine and plant modifications (e.g., uprate)

• Proven low-risk standardized design

• Expansion capability to include other plant control and information system functionality. Standard solutions are available with the Ovation platform for the nuclear steam supply system, including advanced steam generator water-level control and balance-of-plant controls, rod control, flux mapping and plant computer calculations

• The TCPS design addresses cyber-security regulations

Typical turbine control system operator graphic



34

July 2011 NA-0059©2014 Westinghouse Electric Company LLC. All Rights Reserved

Nuclear Automation

Feedwater Control System Upgrades

BackgroundSince the late 1980s, industry data has consistently identified the feedwater system as one of the top two major system contributors to the number of automatic reactor trips, with poor feedwater control as a significant root cause. In response, Westinghouse has provided leading feedwater control upgrade technology as the basis for numerous retrofits currently operating in dozens of nuclear units worldwide, dating back to its first wave of digital upgrades in the late 1980s that initially utilized the WDPF® Instrumentation and Control (I&C) platform.

Westinghouse’s current standard design, an evolutionary “lessons learned” design now in its third generation, includes an enhanced control algorithm/logic implemented upon the widely-used Ovation® digital I&C platform (successor to WDPF). It is capable of fitting into existing plant process control cabinets either as a stand-alone upgrade, or in combination with broader nuclear steam supply system (NSSS) retrofit applications. This common reference design is provided for both pressurized water reactor and boiling water reactor retrofit applications, and also for AP1000® nuclear reactor new-build, thereby maintaining and extending this well-established user base.

Description The Westinghouse digital feedwater control system upgrade’s primary function is to regulate the flow of feedwater during normal at-power operations, and optionally during plant heat up/cooldown.

The control algorithm/logic features:

• Automatic input signal validation (one to four inputs)

• Low-power (single-element with feed forward) and high-power mode (three-element) with auto transition

• Gain scheduling to address process response variations over range of operation

• Compensation to offset limit-cycle behavior near steady-state due to field device non-linearities

• Automatic staging of feed regulator control valve and pump operation

• Integrated main feedwater pump speed control demand (variable speed pumps only)

The I&C platform features:

• Controller anti-windup

• Bumpless transfer

• Complementary contact input checking

• Alarming of system and process faults

• Manual control backup to redundant processors from manual/automatic station interface

• Degraded backup modes for fault tolerance driven by signal validation

• Redundant architecture with automatic fail-over (controllers, input/output, power supply)

• Continuous online self-diagnostics and alarming

35

Benefits• Fault tolerance within control algorithm logic and I&C

platform

• Automatic control over the complete range of normal power operation (1 – 100 percent) and optionally during plant heat up/cooldown

• Operational flexibility through support of split range and mixed-mode operation (auto/manual) with seamless transition between feedwater regulation control devices

• Automatic integrated control of variable-speed main feedwater pump demand (as applicable) to maintain feedwater regulator valves within a reasonable operating range

• Ability to handle operational maneuvers with reduced water level deviation from reference:

- Transition from auxiliary/startup feedwater to main feedwater system

- Flow disturbances due to transitioning pumps into/out of service, changes in feedwater system recirculation, etc.

- Turbine synchronization

- Rapid ramp load increases/decreases

• Ability to address demands of process characteristics with reduced impact to control stability and performance due to:

- Shrink/swell water level behavior, particularly for low-power operation

- Process and control device non-linearities (e.g., pump/valve characteristics)

• Plant-specific dynamic analysis prior to operation to minimize field tuning at startup

ExperienceFeedback from industry forums confirms a growing recognition of the value of original equipment manufacturer experience in support of digital nuclear I&C upgrade projects. Numerous lessons-learned reflect the need for vendor cognizance of plant operational performance demands, and design considerations unique to the nuclear industry. These highlight values of characteristic importance: risk aversion, reliability and confidence based upon demonstrated, evolutionary advancement. These values are firmly reflected in the standardized Westinghouse I&C upgrade product offerings, and the standardized design and test process employed for Westinghouse’s digital I&C upgrades.

Ovation and WDPF are trademarks or registered trademarks of Emerson Electric Company. Other names may be trademarks of their respective owners.

AP1000 is a trademark or registered trademark of Westinghouse Electric Company LLC in the United States and may be registered in other countries throughout the world. All rights reserved. Unauthorized use is strictly

prohibited.




E3-2015-000071 Rev.0 (1/2)

High Reliability

The triple redundant FWC can continue to monitor reactor water level and control the flow of feedwater without any interruption when any single failure occurs within the system. The system has been in operation for over 350 operating reactor years without a plant trip.


High controllability is realized by adopting proven control techniques based on Toshiba’s extensive experience in Japan.

Easy Maintenance

Thanks to applying digital controllers and triple redundant configuration, online maintenance can be applied to the FWC and failed parts can be replaced without system outage.


Toshiba has replaced FWC which were provided originally by suppliers other than Toshiba.

Benefits

The Feedwater Control System (FWC) monitors reactor water level and controls the flow of feedwater into the reactor to maintain the water level during plant operation.

Toshiba digital FWC applies a triple redundant configuration. It consists of three controllers that run independently.

By applying these configuration, our FWC can continue to control the feedwater flow and failed parts can be replaced without any interruption.

Triple redundant configuration

FWC (triple redundant

configuration)

Display or ANN

SW

RFPs

FCV

•Reactor water level •Main steam flow •Feedwater flow

RFP: Reactor Feedwater Pump FCV: Flow Control Valve FWC

(triple redundant configuration)

FWC (triple redundant

configuration)

CPU CPU

SW

PO PO

To actuator

CPU

PO

FTV (Passive Fault Tolerant Voter)

26

36



E3-2015-000071 Rev.0 (2/2)

Experience

Successful operation in 20 BWRs in Japan. (BWR-2/4/5 and ABWR)

Toshiba digital FWC have operated over 350 operating reactor years with no critical malfunctions.



Replacement of OEM FWC system

Toshiba has replaced FWC which were provided originally by suppliers other than Toshiba.

Successful replacement

Toshiba has replaced FWC in 18 BWR plants successfully based on Toshiba’s extensive experience in Japan.


Various upgrades

Toshiba digital FWC offers: • Human Machine Interface (HMI) is


• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depends on plant type) – HMI controls and indicators – Cables between control cabinet and

local equipment – Control cabinet

Additional Options

Automatic pump switching function reduces plant startup time and operator’s burden.



37


E3-2015-000073 Rev.0 (1/2)

High Reliability

The triple redundant RFC can continue to control the recirculation flow without any interruption when any single failure occurs within the system. The system has been in operation for over 350 operating reactor years without a plant trip.


High controllability is realized by adopting proven control techniques based on Toshiba’s extensive experience in Japan.

Easy Maintenance

Thanks to applying digital controllers and triple redundant configuration, online maintenance can be applied to the RFC and failed parts can be replaced without system outage.


Toshiba has replaced RFC which were provided originally by suppliers other than Toshiba.

Benefits

Recirculation Flow Control System (RFC) controls reactor power level by controlling the flow rate of the reactor core coolant.

Toshiba digital RFC applies a triple redundant configuration. It consists of three controllers that run independently.

By applying these configuration, our RFC continue to control the recirculation flow without any interruption.

Triple redundant configuration

CPU CPU

SW

PO PO

To actuator

CPU

PO

FTV (Passive Fault Tolerant Voter)

RFC (triple redundant

configuration)

Display or ANN

SW


configuration)


configuration)

PLR pump

PLR: Primary Loop Recirculation

Scoop Tube Controller

Motor Generator Fluid

Coupling

PLR M/G set

27

38



E3-2015-000073 Rev.0 (2/2)

Experience

Successful operation in 20 BWRs in Japan. (BWR-2/4/5 and ABWR)

Toshiba digital RFC have operated over 350 operating reactor years with no critical malfunctions.



Replacement of OEM RFC system

Toshiba has replaced RFC which were provided originally by suppliers other than Toshiba.

Successful replacement

Toshiba has replaced RFC in 18 BWR plants successfully based on Toshiba’s extensive experience in Japan.


Various upgrades

Toshiba digital RFC offers: • Human Machine Interface (HMI) is


• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depends on plant type) – HMI controls and indicators – Cables between control cabinet and

local equipment – Control cabinet

Additional Options

Toshiba can also provide scoop tube controller for plant using PLR M/G set to control pump speed.



39


E3-2015-000080 Rev.0 (1/2)

High Reliability • Triplicated Control Processors • Fully Digitalized Control Circuits • Medium Value Gate (MVG) Voting Logic • Distributed Power Supplies


• Pressure/ Load Set Automatic Tracking Function • Automatic Line Speed Matching Function • Steam Control Valves Test Flow Compensation

Function • Reactor Dome Pressure Control • RFC Master Controller Function

Benefits

The triple redundant D-EHC(Digital Electro-Hydraulic Control system) is a key control component for nuclear power plants to keep electricity generation secure and protect the steam turbine in any situation from plant start up through plant shut down. The D-EHC system is designed with a highly reliable system configuration which consists of triple redundant Master Controllers, dual redundant System Controllers and triple redundant Turbine Protection Devices. By applying these configuration, Toshiba D-EHC can continue to control the main steam flow to turbine and failed parts can be replaced without any interruption.

D-EHC Hardware Configuration

D-EHC Cubicle

D-EHC CUBICLE

Turbine Protection

Device 2 out of 3 logic

Control Panel

LCD

Monitor Panel

LCD

Test Panel

LCD

Primary Feedback Sensors

Valve Interface

Master Controller

System Controller

HMI System, Plant Computer

Easy Maintenance

• Driftless and reduced adjustment • Self-diagnosis for fault identification • System-diagnosis for fault identification • On-line maintenance • Maintenance tools provided

28

40



E3-2015-000080 Rev.0 (2/2)

Experience

Toshiba has substantial experience in applying D-EHC to BWRs in Japan. Since Toshiba D-

EHC also can be applied to any type of turbine control such as conventional thermal power

plants, combined cycle power plants, co-generation power plants and geothermal power

plants, Toshiba D-EHC is a proven product that has a wealth of experience in more than 350

applications world wide.

Successful operation in 13 BWRs in Japan. (BWR-4/5 and ABWR)

Toshiba D-EHC have operated over 250 operating reactor years with no critical malfunctions.


Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training


Various upgrades

Toshiba digital EHC offers: • Human Machine Interface (HMI) is


• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depends on plant type) – HMI controls and indicators – Cables between control cabinet

and local equipment – Control cabinet

Additional Options

Automatic turbine start-up function reduces plant startup time and operator’s burden.

MSV

TBV

TCV

IV

HMI station for D-EHC

41

42

Nuclear Services/Repair, Replacement and Automation Services

Main Control Room Modernization

January 2007 Ns-RRAS-0044©2014 Westinghouse Electric Company LLC. All Rights Reserved

•AnLDPdrivenbytheDCSinstalledinfrontofallMCRoperatorconsoles,consistingof50-to67-inchFPDs

•AllMCRnonsafety-relatedbuildingblocksseismiccategoryIIdevices,whichprovideforstructuralintegrityduringseismicevents

Safety-relatedHSIbuildingblocks:

•ACommonQFPDsystem,qualifiedtoU.S.NuclearRegulatoryCommission(NRC)Class1Ecriteriaforequipmentandsoftware,utilizingchannelizedoperators’modulesfortheprotectionsystem,multi-channelcontrol,monitoring;andchannelizedmaintenanceandtestforuseoutsidetheMCR

•SoftcontrolconfirmationswitchesusedwithsoftcontrolcommandsissuedtosafetycomponentsfromtheDCSorCommonQFPDs

BackgroundWestinghouse has developed a modular approach to designing custom main control rooms (MCRs) as part of an instrumentation and control (I&C) system modernization program for new plant designs. The MCR modernization program comprises the human systems interface (HSI) building blocks to modernize an MCR, as well as the integration of standard, software-based HSI resources using the building-block approach. Examples of MCR configurations are based on this approach, which supports new plant construction and existing plant modernizations.

DescriptionMCRhardwarebuildingblocks:

•Operatorcontrolconsoles

•Largedisplaypanel(LDP)

•Safety-relatedHSI(integratedintheoperator’sconsoleorinaseparatesafetyconsole)

Nonsafety-relatedHSIbuildingblocks:

•Distributedcontrolsystem(DCS)workstations,featuringtwofull-functionalflatpaneldisplays(FPDs),usuallymeasuring20inchesdiagonally

Exampleofamodern,primarilysoftMCR

43



•Asafetypanel,consistingoftwoClass1E,multi-channelCommonQFPDsfordisplay;safetycontrolswithone-stepaccesstoNRCRegulatoryGuide1.97,Category1parameters;onesetofsoftcontrolconfirmationswitches;andtwochannelized,fixed-positionpushbuttonsforreactortripandtheactuationofeachengineeredsafetyfeature(ESF)

•A“Position4”paneltoaddressNUREG-0800HCIBBTP-19providesswitchesfordiversesystem-levelESFactuationanditsaccompanyingdisplayintegrationofHSIresourcesandbuildingblocks.HSIbuildingblocksareeffectivewhenintegratedthroughsoftwarewiththefunctionaldesignsofHSIresources.TherearefourprincipalHSIresources:softcontrols,computerizedproceduressystem(CPS),displaysandalarms.

Benefits•ModularHMIapproachaccommodatesadiversesetofpotentialMCRcustomers.

•Differentlicensingcriteria,philosophiesandoperatingstandardsareaddressed,aswellasplantdesignsandvintages.

•Thefocusisonre-usingHSIbuildingblocksandonlycustomizingsoftwarewhenitnecessary.

•ThemodularapproachallowsthesamesetofHSIequipmenttobeusedfornewconstructionaswellasplantmodernizations.

•EconomicbenefitsarerealizedviaminimizationoftheamountofHSIequipmentintheMCR,standardizationofequipmentused,andreductionofinitialcapitalinvestment.

•Othereconomicbenefitsresultfromreducedlong-termequipmentmaintenancecostsoverthedurationofplantlife.

ExperienceWestinghousehasconstructedacompactcontrolroomdevelopmentandtestfacilitytoenhanceexistingHSIresourcedesignsandintegratetheHSIresourcesintoaprimarilysoftenvironment.Westinghousehascompletedninemaincontrolroommodernizationprojects.

44

Nuclear Automation

Computerized Procedures System

August 2011 NA-0056©2014 Westinghouse Electric Company LLC. All Rights Reserved

BackgroundComputerized procedures were developed to help operators execute normal and emergency operating procedures. Westinghouse has designed, developed and implemented a data-driven, software-based computerized procedures system (CPS) that guides operators through plant operating procedures. It monitors plant data, processes the data and then, based on this processing, presents the status of the procedure steps to the operator. The system can be used for normal operating procedures, abnormal operating procedures and emergency operating procedures. Computerized procedures allow the operator and computer to complement each other for more accurate and efficient procedural execution.

DescriptionThe CPS:

• Guides the user step-by-step through the procedures by monitoring the appropriate plant data, processing the data and by identifying the recommended course of action

• Provides the necessary parallel information, which allows the operator to assess other plant conditions that may require attention

The Westinghouse CPS accomplishes its purpose by executing the concurrent and independent functions of procedure processing, parallel information monitoring and conditions logging. The conditions logger generates a permanent chronological record of parameter and component state and actions taken. The CPS online software will run on operator workstations in the main and/or emergency control room. The system is embodied in a user interface that supports diverse procedure views: a graphical flowchart view, a textual view and a dynamic logic view.

45



AP1000 is a registered trademark of Westinghouse Electric Company LLC in the United States and may be registered in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited.

The CPS provides a consistent structure within which plant operating procedures are created, maintained and utilized. It can reduce cycle time needed to implement changes in the operating procedures, because the procedures will reside within the computerized system. The CPS is not designed to perform any plant safety protection functions, and no Category B functions rely on the CPS equipment to perform those essential functions. The CPS equipment is functionally categorized as Category C, or as a non-safety system, according to U.S. Nuclear Regulatory Commission (NRC) guidance.

BenefitsThe CPS provides:

• More accurate and timely implementation of the procedures

• Enhanced situation assessment by the operator

• All procedural information at one location

• Detailed recordkeeping of the procedure execution

• Reduced operator mental workload

• Integrated information needed for procedure execution, such as direct access to graphical displays

ExperienceThe Westinghouse CPS has been installed in nuclear power plants around the world, and has been approved by the NRC for use in the Westinghouse AP1000® nuclear reactor.

46

BackgroundAnnunciator replacement is often part of plant computer upgrades or control room modernization projects as the existing system becomes increasingly difficult to maintain. Westinghouse offers an alarm presentation system (APS) as a replacement for aging annunciator systems. Our APS is a software-based alarm system built on technology from the Westinghouse AP1000® nuclear power plant.

DescriptionThe APS is a modular, highly configurable software-based alarm system that consists of redundant alarm servers, large LCD monitors or lamp boxes, and alarm management software that runs on operator workstations. The system also includes a graphical configuration tool.The APS uses client-server architecture. Redundant alarm servers are connected to APS clients via redundant Ethernet networks. For Ovation™-based upgrades, the APS uses the Ovation data highway.The APS interfaces with existing silence and acknowledge buttons on the control board via digital input/output (I/O). The APS can interface to the existing alarm horn system or replace it.The APS server monitors the plant for changes in alarm state and provides centralized alarm processing. The APS server gets alarm data from the control system (via Ovation or OPC), digital I/O, or a combination of sources.Each LCD monitor is driven by a small PC that runs the APS wall panel client software. The wall panel client requests alarm updates from the APS server and displays the alarm tiles. If desired, the APS can drive lamp boxes in lieu of LCD monitors using digital I/O.

The APS workstation client provides alarm management functions at operator workstations. The software can be installed on existing workstations or on small standalone PCs. The workstation client requests alarm updates from the APS server and displays alarms using a combination of alarm tiles and alarm lists.The workstation client provides a dynamic overview of all alarm tiles that exactly matches the large LCD monitors and lets the operator navigate to any monitor to view the individual alarm tiles on that monitor. Additional alarm management features are accessed from the alarm tiles or associated alarm lists.

BenefitsThe Westinghouse APS offers the following benefits:• Flexible architecture for custom solutions• Simple, cost-effective replacement for lamp

boxes and associated hardware/cabling• Improved readability of alarm tiles• Workstation clients that provide redundant

backups to the large monitors• Workstation client that can extend the alarm

system outside the main control room (remote shutdown room, technical support center, etc.)

• Workstation client that provides easy access to electronic alarm response procedures

• Manual suppression of long-standing alarms and nuisance alarms to reduce workload

• Programmed suppression of consequence alarms during large transients/events

• Operator experience log that allows operators to record and review notes about alarms

• Alarm tile layouts that are easily developed using the graphical configuration tool

Alarm Presentation System

Nuclear Automation

47


www.westinghousenuclear.comJuly 2015 NA-0057

©2015 Westinghouse Electric Company LLC. All Rights Reserved

AP1000 is a registered trademark of Westinghouse Electric Company LLC, its affiliates and/or its subsidiaries in the United States of America and may be registered in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited.

Ovation is a trademark or registered trademark of its respective owner. Other names may be trademarks of their respective owners.

ExperienceThe APS software is the basis of several successful alarm system upgrade projects including the Westinghouse Standardized Nuclear Unit Power Plant System (SNUPPS) training simulator (see SNUPPS photo).

SNUPPS simulator upgrade

APS workstation client

48

BackgroundDigital systems in nuclear power plants are the focus of increased scrutiny by global regulatory and legislative bodies. Westinghouse customers are now facing a challenging and changing landscape of regulation and legislation regarding the protection of their critical digital assets. Westinghouse is uniquely qualified to provide cyber security products and services to meet today’s regulations.

DescriptionWestinghouse has developed a cyber security program to encompass the establishment, implementation and maintenance of products and systems for nuclear facilities. The program enforces the use of secure development environments, assessments of security controls, and the implementation of cutting-edge cyber security tools and techniques throughout the development life cycle. The program was designed to provide high assurance that Westinghouse products and services are compliant with current cyber security requirements, such as Nuclear Energy Institute (NEI) Cyber Security Plan for Nuclear Power Reactors (NEI 08-09) and Regulatory Guide 5.71.Westinghouse’s team of cyber security experts are experienced in designing and assessing nuclear systems and assets. They possess cyber security certifications and are available to provide cyber security support for nuclear utilities worldwide. Westinghouse is able to provide a specialized nuclear-specific approach to cyber security, and has experience assisting customers worldwide with the implementation of cyber security programs.The following products and services are offered to Westinghouse customers, and in most cases, product sheets are available that provide additional detail.

Cyber Security Program Development• Cyber security plan/program development and

training• Cyber security policy and procedure drafting• Cyber security defensive strategy design,

documentation and implementationEvent Management and Intrusion Prevention• Network monitoring, intrusion prevention and

log correlation• Specially configured content developed by

Westinghouse for the nuclear industry• Configuration, hardware and software support,

and on-site training Specialized Cyber Security Training• Specialized training provided by Westinghouse

designed to satisfy regulatory requirements• Hands-on and classroom instruction with

current security technologies on a wide range of nuclear cyber security concepts

• Four different one-week classes of up to 10 students each

Host-based Security Solutions• Provide nuclear expertise and configuration

to top industry security products to verify that host-based critical digital assets are secure

• Solutions are based upon the individual needs of the customer, and may be tested for compatibility prior to installation

Vulnerability Scanning and Virtualized Testing• Provide the ability to perform vulnerability

scanning and penetration testing on a virtualized environment, eliminating the risk of adverse impacts on plant systems

• Westinghouse’s cyber security team is certified in conducting vulnerability scanning and virtualized testing by both the vendor and other security institutes

Cyber Security Services

Nuclear Automation

49


www.westinghousenuclear.comFebruary 2015 NA-0091


AP1000 is a registered trademark of Westinghouse Electric Company LLC, its affiliates and/or its subsidiaries in the United States of America and in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited. Other names may be trademarks of their respective owners.

Ovation is a trademark or registered trademark of Emerson Process Management.

McAfee is a trademark or registered trademark of McAfee, Inc.

Assessments• Provide training, consulting, and assessment team

resources to deliver high-quality and accurate assessment results

• Utilizes a specialized assessment methodology that may provide up to a 66-percent reduction in the time to complete assessments

Ovation Security• Provide solutions based upon customer needs,

including Ovation® Security Center, and additional features through McAfee®

• New Ovation systems can be built in the Westinghouse Secure Development and Operating Environment, protecting the system from tampering

Legacy System Security• Addresses the issue of securing older, unsupported

systems through the use of alternate controls and technologies

• Provides testing and assessment services to secure legacy systems and confirm the original threat vector has been neutralized

Cyber Security Labs• Testing environment for solution validation, Ovation

control system testing, legacy systems testing and to develop new products and services

• Can be utilized to find solutions to remediation issues following assessments, and verify alternate control security

Recurring Cyber Security Program Maintenance and Reviews• Cyber security program audits, and re-assessments of

controls, incorporating new critical digital assets• Create and implement risk-based remediation

strategies for vulnerabilities identified• Provide ongoing cyber security consulting for new

plants and plant upgrade projects

BenefitsRegulations – Westinghouse can help customers meet the demanding cyber security requirements of today’s regulations. Westinghouse maintains integrated relationships with NEI, the U.S. Nuclear Regulatory Commission, the Instrument Society of America, the Institute of Electrical and Electronics Engineers and many nuclear customers and security vendors worldwide, allowing for global collaboration.Tools – Westinghouse uses cutting-edge tools for the plant-wide implementation of cyber security protective strategies, conducting cyber security assessments, and supporting the ongoing review and monitoring of a plant cyber security program.Expertise – Westinghouse has a highly qualified technical team that is both professionally certified and experienced in cyber security with the ability to apply nuclear-specific configuration, value and advice to customer projects.

ExperienceThe Westinghouse cyber security team is currently performing assessments and providing cyber security technologies and services for existing pressurized water reactors and boiling water reactors worldwide. Westinghouse is also developing cyber security systems for complete integration in new plants such as the Westinghouse AP1000® nuclear power plant.

50

Cyber Security Services: Event Management and Intrusion PreventionBackgroundWestinghouse Electric Company LLC and McAfee, Inc., an Intel Company, have entered into a partner agreement where Westinghouse may resell the following list of McAfee® licensed products:• Enterprise Security Manager (ESM)• Enterprise Log Manager (ELM)• Event Receiver (REC)• Nitro Intrusion Prevention System (IPS)• Gold Level Support and Maintenance• Services and Training

Regulatory bodies and industry groups around the world now require nuclear utilities to introduce new hardware and software into the plant architecture to prevent cyber attacks and to collect, monitor and analyze data for cyber vulnerabilities, threats and unwarranted activities. Westinghouse is currently partnered with McAfee to provide a scalable, comprehensive solution to the nuclear market.

DescriptionThe McAfee high-performance, powerful Security Information and Event Management (SIEM) brings event, threat and risk data together to provide strong security intelligence, rapid incident response, seamless log management and extensible compliance reporting. At the core of the SIEM offering, ESM consolidates, correlates, assesses and prioritizes security events for both third-party and McAfee solutions.

The SIEM provides the ability for Westinghouse customers to meet monitoring and log correlation requirements stemming from 10 CFR 73.54 (Nuclear Regulatory Commission Regulatory Guide [RG] 5.71, Nuclear Energy Institute [NEI] 08-09). This solution collects security event logs from plant systems (critical digital assets) and stores the event in a central location. The solution provides the customer with event sorting and automated alerting rules.McAfee Nitroguard is an IPS that actively detects, analyzes and protects the network from an array of security attacks, including viruses, worms, spyware, denial-of-service attacks and other forms of malware, as well as unknown or zero-day attacks. It allows the customer to take control of the network with the ability to maintain multiple simultaneous intrusion detection system (IDS) and IPS policies from a single appliance, facilitate policy tuning with “what if” scenario alerting, correlate events to network and session activity usingbuilt-innetworkflowcollectorandfirewalls,and utilize exploit-, vulnerability- and anomaly-based detection.

RG 5.71 NEI 08-09 Title

C.3 E.3 System and Information Integrity

B.2 D.2 Audit and Accountability

Nuclear Automation

51




BenefitsWestinghouse offers a basic SIEM solution, single security level SIEM solution, multiple security level SIEM solution, integrated IPS solution, basic and nuclear content configurationsupport,extendedhardwareandsoftwaresupport and on-site training services.Westinghouse Basic McAfee Configuration:Westinghousecanperformon-siteconfigurationandconsulting for the McAfee event management and intrusion prevention products. The Westinghouse basic configurationfortheMcAfeeapplianceincludesansweringinstallation questions and/or performing installation troubleshooting.Basicconfigurationincludeselementssuch as:• ConfigureMcAfeeESMnetworkconnectivity• Configureloginsecurity• Configureauthentication• Configureusers,groupsandprivileges• Definedatasources

• Configurereceiver(s)• Configurestoragepooldefinitions,whereapplicable• ConfigureMcAfeeEventLogManager(s)• ConfigureMcAfeeIPS,whereapplicable

Westinghouse Nuclear Content Configuration:Westinghousecanperformon-siteconfigurationontheMcAfee appliance and from the management workstation to add the Westinghouse Nuclear Content. The Westinghousecontentincludesadditionalconfigurationsettings, including views and reports to show compliance withNEI08-09.Additionalconfigurationincludeselementssuch as:• Variables (provide logical grouping of assets)• Hosts (used for name resolution) • Zones (for multiple level deployments only)• Alerts (notify staff of events that require attention)• Views (provide a dashboard view of live event data)• Report (provide customized point-in-time event data)

SIEM solution over multiple security levels

SIEM Considerations

1. Logs and SIEM within plant

a. May have one SIEM to address secure levels (3 and 4)

b. Events may forward to site or corporate network SIEM

2. Logs on site network

3. Non-nuclear sites

4. Corporate network with both nuclear and non-nuclear generation

McAfee is a trademark or registered trademark of McAfee, Inc. Other names may be trademarks of their respective owners.

52

BackgroundThe U.S. Nuclear Regulatory Commission has produced Regulatory Guide (RG) 5.71 and the Nuclear Energy Institute (NEI) has produced NEI 08-09 to assist in meeting 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These two regulatory guides specify requirements for cyber security training. While many different forms of specialized cyber security training exist, most apply to corporate information technology with no consideration for the special requirements of the nuclear industry.

DescriptionWestinghouse has designed cyber security training classes to address the unique needs and use cases required in the nuclear industry. These four, week-long classes provide information needed to develop effective cyber security programs within both nuclear facilities and the corporate network, covering a wide range of topics necessary to become compliant with 10 CFR 73.54. Each class consists of both presentation and hands-on components. Threat vectors, security concepts, controls and the associated risks are presented, and students gain operational experience with commonly used security products. Students are also provided the tools and instruction to learn how systems are manipulated when the security controls are not in place. This training is provided at a Westinghouse location so that Westinghouse Cyber Security Services resources can be prepared and used to aid in instruction. Each class is limited to 10 students so that each student receives individual instruction and is filled on a first-come, first-serve basis.

The following classes are offered:Operating System and Application Security – Focuses on securing the endpoint and teaches the concepts of securing common desktop and server operating systems. Desktop administrators or cyber security team members will benefit from this class. Key concepts include:• Securing operating system configurations

through system hardening• Monitoring of key files and settings • Maintaining security through change

management and patching• User access controls• Change management and patching• Administering security controls

Network Security – Focuses on controlling and monitoring network traffic by teaching the concepts of supporting firewall rules, access control lists and traffic signatures. Network administrators and cyber security team members will benefit from this class. Key concepts include:• Designing secure networks• Maintaining secure network configurations• Administering network security controls• Using secure network protocols• Monitoring functional networks

Cyber Security Services: Specialized Cyber Security Training

Nuclear Automation

53




Monitoring and Incident Response – Focuses on information gathering and analysis, and teaches the concepts of log correlation, digital forensics and incident response procedures. Incident response team members, staff responsible for log monitoring, or cyber security team members will benefit from this class. Key concepts include:• Intrusion analysis and digital forensics• Designing an intrusion analysis and digital forensics

program• Acquiring intrusion analysis and digital forensics tool kit• Installing intrusion analysis and digital forensics

technologies• Operating intrusion analysis and digital forensics

functions• Event correlation and log management

Vulnerability Scanning and Virtualized Testing – Focuses on finding vulnerabilities that may be exploited, and teaches the concepts of vulnerability detection and verification. Cyber security team members will benefit from this class. Key concepts include:• Designing a penetration testing program• Vulnerability scanning and verification• Penetration testing tools• Installing an offline testing environment• Common hacking techniques • Remediation

BenefitsThis training provides the information needed to meet the controls found in RG 5.71 and NEI 08-09. Upon completion of these classes, students will understand the associated controls of the regulatory guides, and be able to use the knowledge and tools covered to address these controls. Additionally, these trainings allow students to take credit for the following controls:

RG 5.71 NEI 08-09 Title

C10.3 E9.3 Specialized Cyber Security Training

C10.4 E9.4 Technical Training

Westinghouse offers cyber security training to utilities several times per year, focused on the topics of: Operating Systems and Application Security, Network Security, Monitoring and Incident Response and Vulnerability Scanning and Virtualized Testing. If you would like to attend this training, contact your Westinghouse representative, or contact us directly at westinghousenuclear.com/Contact_Us/contact_us.asp.

54

DescriptionLegacy systems are systems that are no longer supported by their vendors, and can include older Linux® or Windows® operating systems, Ovation® version 2.3 and older, and similar systems. The unsupported nature of these systems means that it may not be technically feasible to implement the regulatory guide’s controls as they are currently written.The regulatory guides allow alternate controls for unsupported systems to be used in place of the original controls in cases where it is not technically feasible or safe to implement the original control due to the nature of the system. Any alternate controls must provide at least the same amount of protection against the intended threat vector as the original control. Westinghouse cyber security professionals are experienced with implementing alternate controls to meet the guidance of RG 5.71 and NEI 08-09. Such alternate controls may include system hardening, patching, firewalls, implementing data diodes or other physical security measures.Using the Westinghouse lab environment, legacy systems can be tested and assessed to verify compliance with NEI 08-09 or RG 5.71 controls, test patch updates and determine other alternate solutions, which may include additional cyber security devices and services. Additionally, customized policies and procedures can be written that support implementing and maintaining the alternate controls for legacy systems to provide ongoing compliance once an alternate control has been implemented.

BackgroundAs technology continuously develops and changes, vendor companies typically phase out support for the older versions of software, even though they are still widely used. In nuclear power plants, those unsupported systems are still required to comply with the regulations that stem from 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” Guidelines for meeting this regulation can be found in the Nuclear Regulatory Commission Regulatory Guide (RG) 5.71 and the Nuclear Energy Institute (NEI) 08-09 documents. While it is not recommended that legacy systems are maintained, due to the security implications of unsupported systems, many nuclear facilities still operate while using older systems. These systems may be more vulnerable than current systems due to the termination of vendor support. Since these older systems may not be able to implement the controls in RG 5.71 or NEI 08-09, but are still required to be secured, alternate controls must be implemented to become compliant with 10 CFR 73.54.

Cyber Security Services: Legacy System Security

Nuclear Automation

55




BenefitsExperience – Westinghouse has experience implementing alternate controls for legacy systems and can assess legacy systems to implement appropriate and fully compensating alternate controls.Knowledge of Older Systems – Through its long-term association with Emerson Process Management, Westinghouse is the industry Ovation expert, capable of investigating the use of, and implementing alternate controls on, legacy Ovation and Westinghouse Distributed Processing Family systems (Ovation 2.3 and older).Solution Verification – Beyond implementation, Westinghouse can verify that the original intent of the control is met, that the alternate provides at least the same level of protection as the original control, and that the policies and procedures are in place to maintain the alternate control.

Linux, Ovation and Windows are trademarks or registered trademarks of their respective owners. Other names may be trademarks of their respective owners.

56

BackgroundWhile measures such as system hardening and intrusion detection provide cyber security, a higher level of security is achieved by including host-based security in a security strategy. Because these are measures on each individual system or host, they are better able to detect and sometimes prevent malicious attacks. Industry regulations also require this level of security. The Nuclear Regulatory Commission (NRC) has produced Regulatory Guide (RG) 5.71 and the Nuclear Energy Institute (NEI) has produced NEI 08-09 to assist plants in meeting 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These regulatory guides require licensees to secure their critical digital assets, and some host-based security applications can be leveraged to provide additional protection. With a large variety of host-based products on the market today, selecting the appropriate solution for a particular control system may be difficult.

DescriptionWestinghouse cyber security experts are experienced with the top solutions for securing critical digital assets using host-based security systems, and work so that the control requirements outlined in the regulatory guides are met.

The Westinghouse solutions are based on the individual needs of the customer and include:• Antivirus Software – System files are

quarantined if they match signatures of known malware. Westinghouse provides monthly signature updates.

• Patch Management – Operating system and some application patches are managed and installed from a central server. Patches are provided monthly.

• Application Control (Application White Listing) – A software agent on each client permits only white-listed applications to execute.

• File Integrity Monitoring (Host Intrusion Detection System) – Certain system files, folders and configuration settings are monitored for changes.

• Device Control – The use of devices such as removable media is monitored. Permission to use devices can be restricted, based on user or computer.

• Host Intrusion Prevention System – It provides behavioral analysis and a dynamic stateful firewall at the host level.

• Backup and Restore – Each client host is backed up to a file server so the machine can be restored in the event of a system failure.

• Vulnerability Management – System assets are scanned to detect vulnerabilities and configuration changes. Authenticated scans can be used to avoid conflicts caused by probing network ports.

Cyber Security Services: Host-based Security Solutions

Nuclear Automation

57




BenefitsWestinghouse applies nuclear expertise to top industry security products so that host-based critical digital assets are secured in a way that shows compliance with the regulatory guides. Westinghouse’s cyber security services team has experience securing plant control systems, as well as internal operating environments, including the Westinghouse Secure Development and Operating Environment. Westinghouse has performed both NEI 08-09 and 5.71 cyber security assessments on many different kind of critical digital assets in the plants. We also are familiar with the requirements of the regulatory guide in relation to the threat vectors concerning existing plant systems. While not all solutions will work with every nuclear facility’s operating environment, this experience gives Westinghouse insight into which solutions work best for an individual plant.If a customer wishes to test host-based solutions prior to purchase and installation to provide safe integration with existing control systems, Westinghouse can provide this service through cyber security labs.By implementing host-based security solutions, the

following controls may be addressed in whole or in part:

RG 5.71 NEI 08-09 Control Title

B3.21 D3.20 Heterogeneity

B5.1 D5.1 Removal of Unnecessary Services and Programs

B5.2 D5.2 Host Intrusion Detection System

B5.3 D5.3 Changes to File System and Operating System Permissions

B5.4 D5.4 Hardware Configuration

B5.5 D5.5 Installing Operating Systems, Applications, and Third Party Software Updates

C3.2 E3.2 Flaw Remediation

C3.3 E3.3 Malicious Code Protection

C3.4 E3.4 Monitoring Tools and Techniques

C3.7 E3.7 Software and Information Integrity

C.9.6 E.8.5 CDA Backups

C.9.7 E.8.6 Recovery and Reconstitution

C11.3 E10.3 Baseline Configuration

C11.4 E10.4 Configuration Change Control

C11.6 E10.6 Access Restrictions for Change

C11.7 E10.7 Configuration Settings

C11.8 E10.8 Least Functionality

C11.9 E10.9 Component Inventory

58

Cyber Security Services: Vulnerability Scanning and Virtualized Testing

BackgroundThe U.S. Nuclear Regulatory Commission has produced Regulatory Guide (RG) 5.71, and the Nuclear Energy Institute (NEI) has produced NEI 08-09 to assist plants in meeting 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These regulatory guides require licensees to perform vulnerability scanning and testing, as described in RG 5.71, Appendix C, Section 4.1.3, “Vulnerability Scans and Assessments” and NEI 08-09, Appendix A, Section 4.4.3.2, “Vulnerability Scans.” These requirements, which address the establishment, implementation and maintenance of a cyber security program, present challenges to ensure that safety, security and emergency preparedness functions of nuclear facilities are not negatively impacted by the vulnerability scanning and testing process.

DescriptionWestinghouse and CORE Security® have entered into an agreement in which Westinghouse may resell CORE Insight® and CORE Impact®. CORE Security is a leading provider of predictive security intelligence solutions. With these products, Westinghouse will assist customers in meeting the remediation, monitoring, verification and cyber threat evaluation and management requirements found in RG 5.71 and NEI 08-09.

CORE Insight EnterpriseCORE Insight allows Westinghouse cyber security experts to perform: • Exploit Validation and Simulation

– High-risk vulnerabilities identified by scanners alone do not provide the information required to effectively target systems for patching or reconfiguration. CORE Insight provides the ability to model multi-tiered networks by importing topology information from network devices, automate the vulnerability validation process by continuously validating exploits with the known threats, prioritize real exposures and visualize all possible attack paths. With these attack paths identified, security resources can focus on updating systems that add risk to critical digital assets.

• Categorize Assets – CORE Insight identifies the importance and value of network assets through direct integration with common asset management (including spreadsheets), network configuration and vulnerability management tools. This automated classification, along with the ability to perform custom labeling during the implementation process, allows organizations to grade assets based on data sensitivity, location, user and other important operational characteristics. Identifying each asset’s value, and its context within the business, greatly improves risk intelligence and threat prioritization.

Nuclear Automation

59




CORE Insight, CORE Impact and CORE Security are trademarks or registered trademarks of CORE SDI, Inc. Other names may be trademarks of their respective owners.

CORE Impact ProCORE Impact Pro provides the capability to replicate multi-staged cyber attacks that leverage compromised end-user systems to target backend resources, revealing how chains of exploitable vulnerabilities can open paths to critical systems and data. By safely replicating real-world attacks against network systems, customers can determine the real threats to their networks.

BenefitsNo Harm to Systems – Using the virtualization of a target network topography with CORE Insight and the cyber attack replication capabilities of CORE Impact, the vulnerability testing requirements can be met without minimizing the risk of damaging nuclear facility systems. These CORE solutions partnered with Westinghouse nuclear cyber security expertise provide a powerful and safe resource to handle the requirements and challenges that are unique to the nuclear industry. Knowledgeable Professionals – The Westinghouse cyber security team is professionally certified in performing these vulnerability tests. Some of these certifications include:• Certified Penetration Testing Specialist (CPTS)• GIAC Certified Incident Handler (GCIH)• GIAC Assessing and Auditing Wireless Networks

(GAWN)• GIAC Systems and Network Auditor (GSNA)• Core Impact Certified Professional (CICP)• Core Impact Certified Advanced Professional (CICAP)

Testing Environment – NEI 08-09 allows test beds and vendor-maintained test environments to be used for performing vulnerability scans. Westinghouse provides testing services either onsite or in the Westinghouse laboratory environment, thus minimizing risk to production systems and verifying compliance with NEI Appendix E controls. The controls that are addressed by these vulnerability tests include:

RG 5.71 NEI 08-09 Control TitleC3.2 E3.2 Flaw RemediationC3.4 E3.4 Monitoring Tools and TechniquesC3.6 E3.6 Security Functionality VerificationC13 E12 Evaluate and Manage Cyber Risk

60

BackgroundInvestigating and implementing security solutions such as antivirus software and logging or intrusion detection requires resources including hardware, software, experience and time to test. Westinghouse’s cyber security lab provides these resources to select the appropriate products and to test product functionality.

DescriptionWestinghouse provides experienced cyber security personnel and an environment in which hardware and software solutions can be evaluated, and combinations of software solutions can be verified and validated. For example, Westinghouse’s cyber security lab has:• Evaluated non-Microsoft directory service

solutions• Verified unidirectional gateway rules • Validated antivirus solutions on legacy hosts• Demonstrated host-based configuration change

control clients Services offered through Westinghouse’s cyber security lab include:Solution Validation – Testing that can validate whether or not security solutions will work with plant control systems, and whether or not they will interfere with system functions. Solution validation can include:• New product testing• System hardening• Security product integration• Host-based client integration• Active directory configuration management

Ovation™ Control Systems Testing – Westinghouse, a recognized source of Ovation expertise, can perform the verification and validation of a variety of solutions with most versions of Ovation. These solutions may be additional requests to the standard Ovation Security Center suite, or alternate products from the standard Ovation Security Center. (See the “Ovation Security” product sheet for more information.)Legacy Systems Testing and Assessment – The Westinghouse lab provides the ability to test technical solutions on older, unsupported systems. This service verifies compliance with Nuclear Energy Institute (NEI) 08-09 or U.S. Nuclear Regulatory Commission Regulatory Guide 5.71 controls, tests patch updates, and determines alternate solutions when the required controls are not technically feasible. (See the “Legacy System Security” product sheet for more information.)Solution Provider – Westinghouse regularly tests new products and services to determine the validity and applicability to the nuclear industry. Westinghouse works to provide additional and specific nuclear industry value and support to commercial, off-the-shelf solutions. This value-added content assists utilities in addressing the regulatory guide’s cyber security controls.

Cyber Security Lab

Nuclear Automation

61




Ovation is a trademark or registered of Emerson Process Management. Other names may be trademarks of their respective owners.

BenefitsWestinghouse has the expertise, investment in hardware and software, space and time to test and validate the best solutions, providing plants with the following benefits:• Advance knowledge of how solutions under

consideration will actually integrate with plant control systems so that the correct solution will be chosen

• As NEI 08-09 allows test beds and vendor-maintained test environments to be used for performing vulnerability scans, testing services either on-site or in the Westinghouse labs, thus minimizing risk to production systems (see the “Vulnerability Scanning and Virtualized Testing” product sheet for more information)

• Cyber security expertise and a fully equipped lab that evaluates software to give plants access to other resources within Westinghouse. For example, using Westinghouse plant knowledge, a topology of the test system can be built

• Solutions to a number of the cyber security controls in the regulatory guides, as well as verify alternate controls

• Access to results from solutions that have already been tested in the lab

While regulatory compliance depends on each individual situation, Westinghouse’s cyber security lab aids in compliance with such controls as:


B5.3 D5.3Changes to File System and Operating System Permissions


B5.5 D5.5Installing Operating Systems, Applications, and Third Party Software Updates



C6 E6 Defense-in-Depth




62

Cyber Security Services: AssessmentsBackgroundAs technology use increases in the nuclear industry, so does the need to secure the critical digital assets (CDAs) from cyber attack. The U.S. Nuclear Regulatory Commission recognized this fact and issued Regulatory Guide (RG) 5.71, and the Nuclear Energy Institute (NEI) followed with NEI 08-09. Both documents assist plants in meeting the requirements of 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These regulatory guides require licensees to secure their CDAs within a timeframe specified within their Cyber Security Plans.With 547 controls to be evaluated for every CDA in the plant (according to the Westinghouse breakdown of NEI 08-09), this will be a large commitment. The additional work necessary to complete this effort stretches operating resources. Westinghouse has the expertise and technology to conduct these assessments with the right nuclear mindset.

DescriptionThe Westinghouse Cyber Security Assessment team provides a solution to licensees, with options that include consulting with plant personnel, conducting assessment training, or performing the full assessment. This team has conducted NEI 08-09 and RG 5.71 assessments for several plants and has developed an efficient assessment methodology. Westinghouse has customized Lumension® Risk Manager (LRM) with nuclear content and, along with the assessment methodology, is able to expedite the assessment process. The assessment methodology uses the commonalities among CDAs, devices and plants, and uses LRM to eliminate redundant work and automate parts of the assessment process. The Cyber Security Assessment team classifies CDAs into 16 common control groupings and determines the complexity level for each. This information is implemented in LRM, which allows every control to be assessed for every CDA with a detailed and specific score and observation.With experience, a proven methodology and a customized tool, Westinghouse is well-positioned to perform plant assessments in a fraction of the time that it typically takes for plants to complete them.

Nuclear Automation

63




Lumension is a trademark or registered trademark of Lumension Security, Inc. Other names may be trademarks of their respective owners.

BenefitsThe Cyber Security Assessment service provides numerous benefits:Time Savings – Westinghouse expertise, methodology and custom tools can save plants significant time assessing each control to determine and document compliance with NEI 08-09. The following table shows the effort required for plant personnel to assess the 547 controls for an estimated 500 CDAs at an average of 6 minutes for each control, compared to the estimated Westinghouse effort.

Straight Assessment Effort for 500 CDAs: 27,350 (hr)

Westinghouse Methodology:

Control Scope Controls Effort (hr)

Fleet/Site Specific Controls 285 29

Network Specific Controls 81 8

Device Type Specific Controls 145 15

Location Specific Controls 27 3

Average CDA Specific Controls 180 9,000

Total Westinghouse Effort* 9,055

*Further efficiencies can be achieved depending on device commonality and complexity. This information is provided for illustrative purposes only.

Remediation – The Cyber Security Assessment team can identify the CDAs that are not compliant and recommend remediation for them. Remediation may include applying a technology or an alternate control to become compliant with the control’s requirements.Experience – The Cyber Security Assessment team has unparalleled experience assessing the CDAs within plants, and the cyber security knowledge and expertise to quickly determine compliance with the control requirements.Flexible Options – The Cyber Security Assessment team works with the plant to provide the level of service desired, from full assessment, to training, to consulting with plant staff.

64

BackgroundU.S. Nuclear Regulatory Commission (NRC) requirements for cyber security create a challenge for existing plant control systems. NRC Regulatory Guide 5.71 and Nuclear Energy Institute (NEI) document NEI 08-09 detail the requirements to comply with 10 CFR 73.54, “Protection of digital computer and communication systems and networks.”Plants that use Ovation™ control systems have tools available to secure their control systems and comply with current cyber security regulations.

DescriptionAs a long-time supplier of Ovation products and custom content for nuclear plant instrumentation and control systems, Westinghouse is well equipped to maintain the security of Ovation systems and to meet the regulatory requirements for controls. Westinghouse uses a standard configuration to harden new Ovation systems. This framework can be adapted to existing systems, based on custom settings and legacy versions of Ovation. Westinghouse also can build new Ovation systems in a secure development and operating environment (SDOE) to maintain the integrity of the system and protect it from tampering. New Ovation systems can be built on the Westinghouse Isolated Development Infrastructure (IDI) to meet the need for an SDOE. In addition, Westinghouse has partnered with McAfee® to provide antivirus solutions, making Westinghouse an excellent choice for securing Ovation systems.Solutions are based on customer needs. The Ovation Security Center (OSC) contains third-party products configured and validated to run with Ovation. Westinghouse offers additional security functions through McAfee. These solutions allow plants to choose the options that meet their needs. Westinghouse cyber security experts customize and install the selected solution.

Cyber Security Services: Ovation™ Security

Nuclear Automation

65




Ovation is a trademark or registered trademark of Emerson Process Management.

McAfee is a trademark or registered trademark of McAfee, Inc. Other names may be trademarks of their respective owners.

BenefitsWith Westinghouse, there are multiple resources for solving Ovation security issues – OSC and McAfee – and the expertise to implement them. These solutions can include:• Security Incident and Event Management (SIEM)* –

Collects, stores and correlates system and security asset event logs. The Westinghouse SIEM product includes incident handling and replicates logs across a data diode.

• Application control* – A software agent on each client permits only white-listed applications to execute.

• Antivirus software*– Quarantines system files if they match signatures of known malware.

• Patch management* – Manages and installs operating system and some application patches from a central server.

• Backup and restore* – Backs up each client host to a file server so the machine can be restored in the event of a system failure.

• Network and attached storage* – Provides high-performance storage to share and protect critical data.

• Vulnerability management* – Scans system assets to detect vulnerabilities and configuration changes. Authenticated scans can be used to avoid conflicts caused by probing network ports.

• Device control – Monitors the use of devices such as removable media. Restricts permission to devices based on user, computer or device type.

• Network Intrusion Detection System (NIDS) – Monitors and analyzes system network traffic for indications of malicious activity.

• File integrity monitoring or Host Intrusion Detection System (HIDS) – Monitors certain system files, folders and configuration settings for changes.

• Host Intrusion Prevention System (HIPS) – Provides behavioral analysis, and a dynamic, stateful firewall at the host level.

*OSC Features

While regulatory compliance depends on the Ovation security products that are implemented, the controls that may be addressed include, but are not limited to, the following:


B.2 D.2 Audit and Accountability

B3.21 D3.20 Heterogeneity

B5.1 D5.1 Removal of Unnecessary Services and Programs

B5.2 D5.2 Host Intrusion Detection System

B5.3 D5.3 Changes to File System and Operating System Permissions


B5.5 D5.5 Installing Operating Systems, Applications, and Third Party Software Updates

C.3 E.3 System and Information Integrity

C3.2 E3.2 Flaw Remediation



C3.7 E3.7 Software and Information Integrity

C.9.6 E.8.5 CDA Backups

C.9.7 E.8.6 Recovery and Reconstitution



C11.6 E10.6 Access Restrictions for Change


C11.8 E10.8 Least Functionality

C11.9 E10.9 Component Inventory


ES-2012-000096 Rev.1 (1/2)

16

・Generator life extension by replacement or stator rewind ・Coolant leak proof design ・Reduction of armature electrical loss

History and experience

Toshiba has extensive experience in supplying nuclear power plant and thermal power station in domestic (Japan) and overseas markets. The growth in maximum generator unit capacity is shown below. Toshiba has experience of 1,690MVA class generator manufacturing and completed shop test.

Technology - Stator coil water tightness

In water cooled generators, sometimes, water leakage at stator coil ends has been experienced. Toshiba has adopted improved brazing technology to prevent water leakage since 1994 and has excellent operation record. Toshiba has studied on the topic of water leakage for water-cooled generators since 1990. Extensive research had been conducted to improve clip and strand brazing from 1992 to 1994. The developed clip-strands braze technology attains the remarkable void reduction at brazed area and keeps longer watertight life time than conventional. All the generators installed or rewound after 1995 have adopted this brazing technology.

Technology – Detecting wet bars

Toshiba has developed water leakage detection technology for both of our manufactured and non-OEM units. Early detection can reduce the risk of unexpected outage.

Potential Mapping Test (non OEM)

Description

Toshiba is a leader in the electrical power generation equipment market with some of the world’s largest and most reliable, superior generators by applying advanced cooling technology; minimizing water leak risk by improved stator bar clip; and providing long-term thermal stability with class F Insulation.

66


Replacement Technology and Experience Generator Stator Coil Rewind Technology and Experience

Toshiba has stator coil rewinding experience of 106 units as of 2011 including non-OEM. Toshiba generator rewinds provide high-reliability coil insulation with class F insulation in thermal resistivity which excels in mechanical properties, especially in fatigue characteristics, as to electrical properties compared to conventional B class insulation. This insulation is superior not only initially but also in the long term. In addition, stator coils which apply a brazing method to minimize coolant leaks by clip-to-strand and life extension of stator insulation.

Service Menu

Generator replacement - Renewal - Up rating/efficiency improvement - Accident Spare rotor/stator coil Stator rewind/repair - Deterioration - Water leak/flow restriction - Vibration at coil end - Up rating/efficiency improvement

Rotor rewind/repair - Re-insulation - Fatigue, creep, SCC - Shaft vibration - Shorted turns Test, inspection, monitoring, diagnosis - Stator/ Rotor insulation - Shaft forging Troubleshooting - Failure analysis - Corrective actions

ES-2012-000096 Rev.1 (2/2)

67

westinghouse bwr technologies...as modbus, allen-bradley, ge mark v/vi, rtp i/o, toshiba and mhi are...

Documents