Westinghouse BWR Technologies
TABLE OF CONTENTS
• Nuclear Automation Product Portfolio
• Information and Control Systems Platform
• Data Processing and Monitoring System
• Application Server and Application Programs
• Neutron Monitoring System (NMS)
• Traversing In-core Probe (TIP) System
• Power Range Monitor (PRM) System
• Radiation Monitoring System (RMS)
• Seamless Radiation Monitoring
• Portable Radiation Monitoring System
• High-Sensitivity Off-Gas Monitor
• Digital RMCS & RPIS
• Digital RC&IS for BWR-6
• Rod Worth Minimizer (RWM)
• Turbine Control and Protection
• Feedwater Control System Upgrades
• Triple Redundant Digital FWC
• Triple Redundant Digital RFC
• Triple Redundant D-EHC
• Main Control Room Modernization
• Computerized Procedures System
• Alarm Presentation System
• Cyber Security Services
• Cyber Security Services: Event Management and Intrusion Prevention
• Cyber Security Services: Specialized Cyber Security Training
• Cyber Security Services: Legacy System Security
• Cyber Security Services: Host-based Security Solutions
• Cyber Security Services: Vulnerability Scanning and Virtualized Testing
• Cyber Security Lab
• Cyber Security Services: Assessments
• Cyber Security Services: Ovation™ Security
• Turbine Generator technology
October 2012 NF-FE-0018 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Nuclear Automation
Nuclear Automation Product Portfolio
Background
Westinghouse is a global leader in the supply and support of nuclear plant instrumentation and control (I&C) upgrades, engineering services, plant modernizations and new plant design.
The Westinghouse Nuclear Automation product portfolio covers all areas of system operation over the life of the plant. Products include instrumentation, safety systems, control systems, plant information systems, diagnostics and monitoring systems, engineering services for functional upgrades, control system analysis and optimization, and operating margin recovery.
Description
Westinghouse teams with utilities to perform I&C modernization program studies. The products and services for each phase of the system life cycle include:
• Planning – I&C modernization studies that determine the upgrade approach
• Functional Design – Functional upgrades, fault-tolerant designs, self-test/calibration and automation
• System Design – Open architecture, modular design and communication networks
• System Supply – Integrated platforms for protection, control, information systems and monitoring systems
• Licensing – Licensing services that minimize licensing risk
• Installation – Installation services within scheduled outage windows
• Startup – Startup support that results in flawless system startup and fine tuning
• Operation – Spare parts, software updates, field service, engineering services and training
Building blocks for protection, control and information systems permit easy expandability and system integration.
The building blocks used for single system retrofits, large-scale I&C modernization programs and new plant designs are based on commercial products adapted and enhanced for nuclear applications. This approach allows customers to start with a single system and to expand across the entire plant nuclear steam supply system, balance of plant and turbine.
[Figure: Control room]
The building blocks include:
• Redundant communication networks (safety and nonsafety)
• Redundant hardware controllers
- Virtual controllers
- Input/output (I/O) modules
• Specialized I/O modules for turbine and loop modulation
• Native bus modules - FieldBus, ProfiBus
• Variety of workstations - operator, engineer, historian
• Data links - custom, OPC
• Test interfaces
• Complete software application libraries
• Nuclear application programs
• Cyber security products
• Electromechanical solutions for steam turbines and feed pumps
Benefits
Westinghouse has migrated its various products into its current set of standardized platforms for protection and control.
Past designs give the current generation system its verified and validated safety system software, nuclear application programs, functional design, testing methods, cabinet design features and I/O module design. The standardized platforms provide significant benefits in staffing optimization, reduced training, inventory and human-machine interface efficiencies.
Open architecture incorporates advances in digital technology and interfaces with all types of equipment; older systems can readily incorporate new technologies.
The Westinghouse Nuclear Automation product portfolio provides customers with products, services and technologies that help meet their performance needs.
Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, PA 16066
www.westinghousenuclear.com
September 2010 NS-NA-0093 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Information and Control Systems Platform
Background
The Information and Control (I&C) Systems Platform is a non-safety distributed computer system for Category B and Category C applications. The platform has been applied in numerous nuclear retrofit projects, and is the standard basis for non-safety related nuclear I&C systems in Westinghouse new-build projects worldwide.
The overall platform includes integral resources for both control and plant computer functions, thus eliminating the need for these to be separate systems. The basic architecture is flexible for use with small stand-alone systems to full-scale plant systems, expanding easily for future phased system upgrades.
Description
The platform is based on the Emerson Ovation® product line and also integrates key components developed by Westinghouse for nuclear I&C applications. As a distributed process control, information and data management system, Ovation offers a powerful, flexible and open-system architecture, supported with field-proven, industry-standard hardware, software, networking and communications components. The extended components support plant computer, monitoring and various system-interface applications to meet nuclear industry requirements.
Benefits
The I&C system platform presents true open computing, allowing users to achieve higher plant availability, reliability, efficiency, safety and environmental compliance.
Extensive system benefits are realized through the key elements of the Ovation product.
• Network – A standards-compliant, fully redundant, high-speed Ethernet network using commercial hardware, and copper or fiber cabling. Each originating drop periodically broadcasts point value and status at the appropriate frequency.
• Controller – Each fully redundant PC-based controller interfaces to the I/O subsystem, performs data acquisition, and executes simple or complex modulating and sequential control strategies (up to 32,000 process points per controller).
[Figure: Core Ovation product components]
• Input/output Modules – Modular industrial grade I/O requiring no special handling, user addressing or configuration. Up to 128 modules per controller of analog, discrete, digital bus and special turbine-related I/O are available, including advanced fault diagnostics and channel isolation.
• Workstations – Operator/engineering workstations (Windows® PC-based) feature high-resolution display of control/monitoring graphics, diagnostics, trending, alarms and plant-status information with easy-to-use engineering and configuration tools. The engineering station contains a fully embedded relational database management system storing configuration, process-point information and control algorithm information. System and point data (including user-defined fields) can be imported via user-friendly database tools (e.g. Access or Excel).
• Historian – Scalable mass storage and retrieval of process data, alarms, sequence of events (SOE), logs and operator actions for 5,000 to 100,000 point values. Presentation capabilities include data queries, historical trending and SOE Reports. A bundled reporting package allows for scheduled and triggered reports to operators, engineers and maintenance personnel.
• Connectivity Servers – Open system interfaces (ODBC, NetDDE, OPC) provide innovative technology for securely transporting real-time or historical process data directly to a user desktop for critical analysis of plant performance data. Data link interfaces to third-party devices and protocols such as Modbus, Allen-Bradley, GE Mark V/VI, RTP I/O, Toshiba and MHI are also supported.
Westinghouse has designed and engineered several additional system components that complement and extend the Ovation product line to provide monitoring and plant computer functionality, enhanced security, and integration of safety and non-safety platforms specifically for the nuclear power industry.
• Application Server – Redundant application servers execute complex calculations and monitoring from a robust Nuclear Applications Programs (NAP) library and data link interfaces with external plant systems. Standard, pre-tested function blocks based on IEC 61499/61131 standards significantly lower development and testing time. Custom sub-applications can also be created.
• Cyber Security – Westinghouse is leading the cyber security assessment and compliance activities in the industry in conjunction with the new AP1000™ plants, advanced boiling water reactor (ABWR) and existing plants worldwide. Using cyber security assessments, communication-isolation techniques, physical security, cyber-secure networks and operating systems, and the Ovation product security, Westinghouse’s cyber security team provides practical, cyber-secure solutions.
• Advant Ovation Interface (AOI) – A Gateway server connects each safety division data network to the non-safety real-time data network, providing strict one-way flow of real-time safety system data for display and control. Data flow is strictly one way from the safety to the non-safety subsystem.
Combining the superior high-speed performance and capacity of the widely used Ovation product line with broad nuclear application experience and system integration components, the Westinghouse I&C platform provides a flexible and upgradeable system that addresses both operating and new plant requirements.
[Figure: I&C systems platform]
Data Processing and Monitoring System
Background
The data processing and monitoring system (DPMS), or plant computer, is a plant-wide information system for new and retrofit plants. The DPMS consists of data acquisition and presentation layer components, with configurable, reusable software programs for performing nuclear plant performance and monitoring applications. DPMS uses a redundant network design with advanced connectivity features that provides high capacity data transmission and reliable external system communications via standard and custom protocols.
The Westinghouse DPMS is a reliable and cost-efficient instrumentation and control (I&C) solution for new and phased modernization programs that provides a well-organized and integrated system solution.
Description
The DPMS includes the following data collection, information processing, calculation, development and maintenance tools, and system integration components.
• Powerful Ovation® distributed information and control system platform implementation using Microsoft Windows® functionality provides operator workstation displays, database repository, historical storage and retrieval, with supporting software development tools to maintain and update the system.
• A PC-compatible, redundant controller executes simple or complex data acquisition and control algorithms. The controller interfaces with a power industry input/output (I/O) module subsystem that accepts a wide range of analog, digital and bus technology I/O.
• Operator and engineering workstations present high resolution process graphics, system and detailed diagnostics, trends, alarms and status displays. These workstations provide access to dynamic system points, a comprehensive alarm management system, historical data, general messages, standard function displays, event logging, and detailed analysis through intuitive navigation tools.
• Powerful redundant-application servers with a standard function library of proven and fully tested performance and monitoring application programs (AP) provide complex calculations and standard or custom data-link interfaces. An extensive function block library with an application builder graphical user interface is included to allow the customer to program and maintain standard and custom applications.
• Multi-function system servers provide system configuration, I/O and calculation point database, historical storage and retrieval configuration, and control algorithm information, all in an organized and centralized relational database structure. Engineering tools provide process graphic editing, control programming, configuration and maintenance.
• The Ovation Historian provides mass storage and retrieval of process data, alarms, sequence of events (SOE), logs and operator actions. Data analysis tools and applications provide state-of-the-art data retrieval and querying solutions. Data backup and redundancy are available, as well as standard reporting templates for scheduled and triggered reports.
• A fully redundant, fault-tolerant network provides high capacity real-time data transmission without data loss, degradation or delay, even during plant upsets. Custom gateways and interfaces are eliminated through the use of widely available commercial hardware; and full connectivity to corporate LANs, WANs and intranets can be provided. Time synchronization is also available using a network time protocol (NTP) time server.
• Enhanced cyber security uses cutting-edge cyber-security assessment tools and an integrated system approach of domain control, security user- and system-function permission configuration, antivirus software management and system hardening. In addition, the Ovation Security Center provides vulnerability scanning and patch management, malware prevention, security incident and event management.
Benefits
The DPMS helps users save operation and maintenance costs by achieving higher levels of plant availability, reliability, safety, environmental compliance and efficiency. The DPMS offers the following features and benefits:
• Large suite of proven power-industry I/O and data communication interfaces allowing the system to provide both information and control system functions, and easy integration with existing sensors and systems
• Large, proven library of application programs (APs) and software incorporating the Westinghouse nuclear steam supply system (NSSS) knowledge base, including safety parameter display system (SPDS) applications
December 2010 NA-0029 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
• Application builder graphical user interface allowing customers to maintain and construct new application programs without the need to learn programming languages such as C or C++
• Presentation, trending and redundant storage of live and historical plant data to plant engineering and information systems via standard, open interfaces
• Comprehensive cyber-secure interface solutions with plant-wide and fleet-wide LAN/WAN
• Ability to integrate DPMS functions with other control and monitoring applications in a single system architecture that supports both small and large systems, offering the capability to interface with safety systems and phased future upgrades
• Large experience base of over fifty pressurized water reactor and boiling water reactor retrofits, and new plant computer implementations
• Platform equipment consistency providing more familiarity among all users, improved operator performance and improved system performance
• Reduced need and subsequent cost of maintenance, spare parts, training, and number of supplier interfaces
Using the powerful Ovation open architecture and innovative control and monitoring system, combined with an application server, user-friendly development tools and standard program libraries, the Westinghouse DPMS provides an unprecedented level of performance, power and flexibility to solve plant computer and monitoring system needs. The DPMS is an excellent starting point for a plant I&C upgrade program. Providing a clear migration path for future upgrades and control system applications, the Westinghouse DPMS is a true investment that can be leveraged for future applications with savings in spare parts, training, maintenance and infrastructure costs.
[Figure: Typical data processing and monitoring system architecture]
Ovation® is a registered trademark of Emerson Process Management. Windows® is a registered trademark of the Microsoft Corporation.
Application Server and Application Programs
April 2011 NA-0071 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Background
The application server provides the platform within the data processing and monitoring system (DPMS) architecture for running complex calculation and monitoring software applications. The server receives data from the DPMS network, performs run-time calculations and transmits the results back to the network. The data can be displayed on plant computer graphics, or as part of the point review or trending features.
Application servers can also be deployed as data link servers or gateways, configured to stand alone or operate as a dual, redundant pair.
Description
Application servers used to run plant calculations are typically configured using hot standby redundancy.
The redundant application servers consist of two separate and identical sets of server hardware and software. A concurrent redundancy scheme is used to execute applications, with both the primary and the partner running on a continuous basis. The primary server broadcasts its data to the DPMS information and control network. Its partner executes the same functions as the primary, but does not broadcast its data to the DPMS information and control network until the primary server goes offline.
Application Programs
The application programs are constructed from a set of function blocks that perform calculations. Function block-based application programs are generated by the application builder tool. Application programs may also be generated from custom source code, which interacts with the functions provided by the application server.
Application Builder Displays
Application builder displays provide a visual representation of the calculation logic using the application builder graphical user interface (GUI). These displays are intended to be used for performing detailed checks of the calculation logic, or for testing or debugging purposes.
Applications Library
Westinghouse maintains a comprehensive set of standard function blocks for application program implementation. The base set of function blocks includes basic arithmetic and logic function blocks, as well as more complex function blocks that perform calculations, such as flow corrections and averages of redundant sensors.
Delta Flux – The purpose of the delta flux program is to compute and monitor the delta flux in the reactor core and to alert the operator when the “delta flux” alarm conditions are encountered. This program can also be interfaced to Westinghouse’s BEACON™ core monitoring program to improve the accuracy of the delta flux information.
Radial Flux Tilts – The radial flux tilts program monitors the symmetry of the radial power distribution in the reactor core and informs the reactor operator of undesirable conditions, should they exist.
[Figure: Application server and application programs]
Flow Corrections – The flow corrections application serves other programs, such as the primary plant performance program, by calculating corrected flow rates to account for differences between actual and calibrated sensor conditions.
Level Corrections – The level corrections program corrects level indications for density and measurement elevation to compensate for differences between actual and calibrated conditions.
Plant Mode Determination – The plant mode determination program monitors predefined sets of selected plant parameters to determine the current plant mode of operation.
Primary Plant Performance Calorimetric – The primary plant performance application calculates the reactor thermal power output.
Rate of Change – The rate of change program calculates gradients that indicate the amount and direction of the changes to the measured value per time unit.
Redundant Sensor Algorithm – The redundant sensor algorithm application produces a single average output from input groups of two to 16 signals. The redundant sensor algorithm application compares these signals to each other to obtain an average value and an associated quality.
Time Averaging – The time averaging application provides a running average of an input over a predefined time period to support other application programs.
Balance of Plant Performance Monitoring – The balance of plant performance monitoring application is intended to alert the plant performance and/or system engineering staff of the potential need for equipment maintenance, or of changes in plant operating conditions, which result in reduced electrical output generation.
Sump Level Monitor – The sump level monitor program provides an estimate of the total sump inflow based on sump level measurements over time.
Primary System Leak Rate – The primary system leak rate program calculates the reactor coolant system leakage rate, as defined by U.S. Nuclear Regulatory Commission (NRC) Regulatory Guide 1.45.
Emergency Response Facility Applications – This set of calculations includes applications required by NRC Regulatory Guide 1.97, NUREG-0737 and NUREG-0696. It comprises calculations required to support safety parameter displays and emergency response guidelines.
DPMS Base Application Programs
As part of any base DPMS, the following application programs are typically included. In many cases, some degree of software modification/configuration is required to align the application programs to the customer’s specific plant design. This reconfiguration is simplified using the function block approach to implementing applications.
• Primary plant performance calorimetric calculation
• Redundant sensor algorithm
• Signal smoothing
• Rate of change
• Time averaging
• Plant mode
• DPMS customized applications programs (optional)
Benefits
The application server provides the stability, power and flexibility needed to support modern information and control systems. Using commercially available workstations and operating systems, the application server offers an unprecedented level of performance and power.
The application server is fully compatible with the data processing and monitoring system’s information and control network.
BEACON is a trademark or registered trademark of Westinghouse Electric Company LLC in the United States and may be registered in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited.
©2015 Toshiba Corporation
E2-2015-000265 Rev.0 (1/2)
Benefits
Toshiba has developed Field Programmable Gate Array (FPGA)-based Startup Range Neutron Monitor (SRNM), Power Range Monitor (PRM), Oscillation Power Range Monitor (OPRM), and Traversing In-core Probe (TIP) for BWRs.
The SRNM monitors neutron flux from the source range to about 35% of the rated power. The SRNM system consists of the SRNM detector, pre-amplifier, and SRNM unit. The SRNM system is a safety-related system.
The PRM monitors neutron flux in the power range. The PRM system consists of the Local Power Range Monitor (LPRM) detector, LPRM/Average Power Range Monitor (APRM) unit, and the Flow unit. The OPRM monitors thermal hydraulic instability by receiving LPRM signals. The OPRM sub-system consists of the OPRM unit. The PRM system, including the OPRM, is a safety-related system.
The Traversing In-core Probe (TIP) system measures the axial distribution of neutron/gamma flux in the reactor core. The measured flux data is provided to the plant process computer for gain calculation of the Local Power Range Monitor (LPRM). The TIP system consists of a detector which moves through the reactor core, a driving mechanism which drives the movable detector, an indexing mechanism which sends the movable detector to the indexed guide tube, a Drive Control Unit (DCU)/Flux Probe Monitor (FPM) which controls the drive and measures the neutron/gamma flux from the detector signal, and a TIP-IF which provides data transfer to the plant process computer and the Human Machine Interface (HMI) for the operator. The TIP system is a non-safety-related system.
High Reliability
Mechanical driving of the detector and manual range switching are eliminated from the SRNM system. This improves the reliability of operation of the SRNM system.
Mechanical improvements are achieved in the mechanical components of the TIP system. This improves the reliability of operation of the TIP system.
Longer Product Lifetime
A product lifetime of 15 years or more is achieved by applying FPGA technology to the signal processing unit.
Less Maintenance
The signal processing method of the FPGA circuit is digital, so there is no drift.
Applicable to Conventional BWR Designs
Toshiba FPGA-based SRNM, PRM, and TIP are applicable to conventional BWR designs.
[Figures: TIP Indexing Mechanism; TIP Driving Mechanism; FPGA-based Units]
Replacement Technology and Experience
[Figure: chart labelled “TOSHIBA 47%”]
[Figure: TIP system phased upgrade (Example); legend: Phase 1, Phase 2, Phase 3]
Experience
Toshiba FPGA-based SRNM has been installed in 2 Japanese BWR plants and FPGA-based PRM has been installed in 4 Japanese BWR plants.
The Toshiba TIP system has been applied to 19 Japanese BWRs (4 of the 19 are FPGA-based TIP), including replacement of the original system provided by a supplier other than Toshiba. The Toshiba FPGA-based TIP system was installed in a European BWR in 2011 and has been operating since November 2011. In addition, the Toshiba FPGA-based TIP system will be installed in two more European BWRs in 2016 and 2017.
Upgrade Features
Toshiba FPGA-based SRNM, PRM, and TIP are applicable to conventional BWR designs.
In addition, for the TIP system, Toshiba has experience with partial upgrades of the TIP system as well as full-scope system upgrades. Because the interface of each Toshiba TIP component is compatible with existing conventional TIP components, a partial upgrade can be done for each component without any additional external cables. The partial upgrade capability enables a phased upgrade approach, which provides flexibility in the upgrade plan.
The following is an example of a typical phased upgrade of the TIP system:
In Phase 1, the existing mechanical counter in the driving mechanism, the Drive Control Unit, the Flux Probing Monitor, and the X-Y recorder are replaced (red colored portion).
In Phase 2, the existing indexing mechanism, driving mechanism, and the proximity switch are replaced (blue colored portion).
In Phase 3, the existing valve control monitor and the guide tube are replaced (light green colored portion).
E2-2015-000257 Rev.0 (1/2)
Benefits
The Traversing In-core Probe (TIP) system measures the axial distribution of neutron/gamma flux in the reactor core. The measured flux data is provided to the plant process computer for gain calculation of the Local Power Range Monitor (LPRM). The TIP system consists of a detector which moves through the reactor core, a driving mechanism which drives the movable detector, an indexing mechanism which sends the movable detector to the indexed guide tube, a Drive Control Unit (DCU)/Flux Probe Monitor (FPM) which controls the drive and measures the neutron/gamma flux from the detector signal, and a TIP-IF which provides data transfer to the plant process computer and a Human Machine Interface (HMI) for the operator. The TIP system is a non-safety-related system.
[Figure: TIP system configuration from core bottom to core top. Components shown: vessel, PCV, penetration, TIP detector, proximity switch, indexing mechanism, shield chamber, valve assembly, purge air, driving mechanism, amplifier unit box, junction box, local control box, transformer panel, local control panel, DCU/FPM, TIP IF, main control room panel, plant processing computer.]
High Reliability for Mechanical Components
Application of an inverter motor to the driving mechanism improves speed control and reduces mechanical failures.
Elimination of chain parts from the driving mechanism reduces mechanical failures.
The cable limit switch of the indexing mechanism does not receive vibration during detector driving. This design improves the reliability of the indexing mechanism.
The fixture design has been improved so that the position of the cam limit switch of the indexing mechanism does not loosen. This design improves the reliability of the indexing mechanism.
Longer Product Lifetime
15 years or more product lifetime by applying FPGA technology to the DCU/FPM.
Less Maintenance
The signal processing method of the FPGA circuit is digital, so there is no drift.
Electrical components are separated from the driving mechanism and installed in the local control panel. This improvement reduces radiation exposure during maintenance of electrical components.
Full Automatic Scan
Scanning time: 1.5 hours.
To start a full auto TIP scan, only a simple operator action is required. (No additional operator action is required during scanning.)
E2-2015-000257 Rev.0 (2/2)
Replacement Technology and Experience
[Figure: TIP system components marked as Phase 1, Phase 2 or Phase 3: TIP detector, proximity switch, indexing mechanism, driving mechanism with counter, shield chamber, valve assembly, purge line valve, penetration, Drive Control Unit, Flux Probing Monitor, valve control monitor, X-Y recorder, TIP main control room panel, plant processing computer.]
Partial Upgrades
As well as full scope system upgrades, Toshiba has experience of partial upgrades of the TIP system. Because the interface of each Toshiba TIP component is compatible with existing conventional TIP components, a partial upgrade can be done for each component without any additional external cables. The partial upgrade capability enables a phased upgrade approach, which provides flexibility to the upgrade plan.
The following is an example of a typical phased upgrade:
In Phase 1, the existing mechanical counter in the driving mechanism, Drive Control Unit, Flux Probing Monitor, and X-Y recorder are replaced (red colored portion).
In Phase 2, the existing indexing mechanism, driving mechanism, and the proximity switch are replaced (blue colored portion).
In Phase 3, the existing valve control monitor and the guide tube are replaced (light green colored portion).
Experience
The Toshiba TIP system has been applied to 19 Japanese BWRs (4 of the 19 are FPGA-based TIP), including replacement of original systems provided by suppliers other than Toshiba.
The Toshiba TIP system was installed in a European BWR in 2011 and has been operating since November 2011.
In addition, the Toshiba TIP system will be installed in two more European BWRs in 2016 and 2017.
TIP system phased upgrade (Example)
[Figure: PRM system configuration across the reactor building and main control room. Components shown: reactor core, PCV, LPRM detector, cover tube, LPRM connector, PLR pump, flow transmitter (FT), Flow Unit, APRM/LPRM Unit, OPRM Unit, RBM, DCF, PRM panel, process computer. Signals shown: flux signal, recirculation flow signal.]
E2-2015-000272 Rev.0 (1/2)
Benefits
The Power Range Monitor (PRM) system monitors neutron flux in the power range. The PRM system consists of the Local Power Range Monitor (LPRM) detector, the LPRM/Average Power Range Monitor (APRM) unit, the Flow unit, and the Oscillation Power Range Monitor (OPRM). The PRM system is a safety-related system.
Toshiba has developed a Non-rewritable (NRW) Field Programmable Gate Array (FPGA)-based PRM. Toshiba submitted a licensing topical report, including the Toshiba NRW-FPGA-based system design and development processes and the qualification result of the NRW-FPGA-based PRM system, to the U.S. NRC for review and approval. Toshiba expects that the U.S. NRC approval will be provided in a Safety Evaluation Report (SER).
Longer Product Lifetime
15 years or more product lifetime by applying FPGA technology.
Less Maintenance
The signal processing method of the FPGA circuit is digital, so there is no drift.
Expecting Safety Evaluation Report (SER)
Toshiba submitted a licensing topical report, including the Toshiba NRW-FPGA-based system design and development processes and the qualification result of the NRW-FPGA-based PRM system, to the U.S. NRC for review and approval. Toshiba expects that the U.S. NRC approval will be provided in a Safety Evaluation Report (SER).
E2-2015-000272 Rev.0 (2/2)
Replacement Technology and Experience
Replacement Features
To replace the PRM system, existing components are removed from the existing PRM panel, and new PRM components (green colored portion) are installed in the panel. Toshiba PRM components are designed to fit the conventional PRM panel so that the existing panel can be reused. Existing LPRM detectors, flow transmitters, and cables can also be reused, because the Toshiba FPGA-based PRM system is compatible with the conventional PRM design.
Experience
FPGA technology has a long history of application in satellites, military equipment, aerospace and aircraft systems, etc.
Toshiba FPGA-based PRM has been applied to 4 Japanese BWR plants.
[Figure: Scope of Upgrade. PRM system across the reactor building and main control room: reactor core, PCV, LPRM detector, cover tube, LPRM connector, PLR pump, flow transmitter (FT), Flow Unit, APRM/LPRM Unit, OPRM Unit, RBM, DCF, PRM panel, process computer. Signals shown: flux signal, recirculation flow signal.]
E2-2015-000279 Rev.0 (1/2)
Longer Product Lifetime / Less Maintenance
• FPGA based Radiation Monitor
– 15 years or more product lifetime, longer than Conventional CPU based product
– The signal processing method of the FPGA circuit is digital, so there is no signal drift.
High Reliability application
• Single channel Radiation Monitor
– Configured with FPGA module only (not using CPU)
– Applicable to Safety and Important to Safety Purpose, due to Verifiable processing.
Plant-wide application
• Multi-channel Radiation Monitor with network communication
– Core functions (Signal Processing, Trip judgment) are implemented on FPGA technology
– External Communication functions are implemented on CPU
– Applicable from small configuration to plant-wide configuration
– Seamless Radiation Monitoring & Control by the communication with other system
Benefits
The RMS consists of a radiation monitor, detector, and local equipment. Toshiba has developed a Radiation Monitor applying Field Programmable Gate Array (FPGA) technology. The FPGA-based design processes signals by hardware only. Therefore, signal processing and trip judgments do not use a microprocessor in core functions.
The Radiation Monitor line-up includes Single channel and Multi-channel types. The Single channel Radiation Monitor processes one signal from one detector.
The Multi-channel Radiation Monitor processes various signals from various detectors. Signal processing provides dose rate, count rate, and pulse count for radioactivity concentration. Parameters are input centrally from the front panel or from the network. CPUs are used for non-safety portions (e.g. panel operation and communication interface).
[Photos: Multi-Channel Radiation Monitor with Network Communication; Single Channel Radiation Monitor]
Replacement Plan
The RMS consists of detectors, signal cables, Radiation Monitors, and/or local equipment (e.g. sampling rack, gas/liquid sampler). In general, mechanical RMS components in an operating nuclear power plant, such as local equipment, can be reused. Electrical components, such as Radiation Monitors, should be replaced periodically because of the product life cycle. Toshiba RMS components can be applied in partial replacement situations.
The following are examples of a typical phased upgrade for partial replacements:
In Phase 1, the existing detectors, cables, and/or local equipment are evaluated for reuse (light green colored portion).
In Phase 2, the existing Radiation Monitor and the detectors which cannot be reused are replaced (red colored portion).
In Phase 3, the communication function and customization of the Human Machine Interface can be upgraded (blue colored portion).
Replacement Technology and Experience
E2-2015-000279 Rev.0 (2/2)
Experience
FPGAs have a long history of application in satellites, military equipment, aerospace, and aircraft systems. Toshiba has a large experience base of installed FPGA-based radiation monitoring systems – over 300 units in 11 Japanese BWR plants.
[Figure: Three Phases Replacement Example. Components shown: existing detectors, new detectors, detector O/E converter, local equipment, local alarms, PLC, multi-channel Radiation Monitors, control room panel, integrated HMI, plant processing computer, plant network. Links shown: Electrical, Analog (Max 100m); Electrical, Digital (Max 400m); Optical (Max 1,500m); ON/OFF signal. Legend: Phase 1, Phase 2, Phase 3.]
Benefits
E2-2015-000280 Rev.0 (1/2)
Sophisticated HMI
• Integrating radiation monitoring into the plant parameter display
• Radiation monitors communicate with the controller and HMI computer via network
Synergy to Control Function
• Setting parameters and HMI can be modified with the same engineering tool used in the control system
• Data recording is performed in the same manner as in the control system
• Sampling rack control operation is performed by communication between the sampling rack controller and the control system HMI
• Portable radiation monitors (e.g. aerosol monitor) can be added to the same network.
Improvement of Operator Actions
• Can provide suggestions of the control actions to be taken by operators using integrated information from radiation monitoring and other plant parameters
[Figure: PRMS with Sampling Configuration; ARM or PRMS Configuration; Portable RMS Configuration (CNT, wireless units, wireless communication base, Portable Area Monitor, Portable Dust Monitor)]
Replacement Technology and Experience
E2-2015-000280 Rev.0 (2/2)
[Figure: existing arrangement with Local Panel, RMS Panel (CH1, CH2 count rate readouts in cpm), HVAC Control Panel, Sampling Rack (open/close, purge, normal/calib. controls), detector and recorder]
Issues
Limited monitoring and operation of field equipment from the MCR (need access to the field)
Limited communication to/from other systems (need access to the other system)
Operation is done manually (need to refer to the paper procedures)
[Figure: ARM Configuration and PRMS w/o Sampling Configuration (detector, RM, PLC, CNT, alarm indicator)]
Our Solution
Providing integrated plant radiation monitoring and other plant parameters and information on the same sophisticated display
Interaction to/from plant control function and information
Suggestion of necessary action to be taken by operator on HMI
[Figure: <Before> and <After> arrangements across the control room and sampling room, with a data server in the <After> arrangement. Legend: CPU based component, FPGA based component, multiplexing transmission, discrete transmission.]
RM: Radiation Monitor
CNT: Network Controller
HMI: Human Machine Interface
PLC: Programmable Logic Controller
PRMS: Process Radiation Monitoring System
ARM: Area Radiation Monitoring System
© 2014 Toshiba Corporation
E2-2015-000259 Rev.0 (1/2)
Benefits
Easy Installation
Can be installed by one person without any construction work (only connecting to the power supply). Quick solution for radiation monitoring in a temporary work area.
Easy Data Collection
Provides remote data monitoring and collection via network (an Ethernet port is equipped as standard). Exposure of survey personnel can be reduced.
Easy Recognition
Provides easy recognition for personnel in the work area with a large display and alarm.
Easy Maintenance
No need to replace the dust monitor filter for about 40 days. Frequent access to the equipment for maintenance is not required.
[Figure: Portable Dust Radiation Monitor and Portable Area Monitor sending trend data to the control room (Measurement Data Collection & Centralized Monitoring). Dust Collection & Measurement Mechanism: inlet, outlet, detector, rolled continuous filter, rolling up mechanism, adhesion mechanism. Callouts: 1. Easy Installation, 2. Easy Data Collection, 3. Easy Recognition, 4. Easy Maintenance.]
The Portable Radiation Monitors provide a quick solution for radiation monitoring in a temporary work area. Toshiba Portable Radiation Monitors can be installed by one person without any construction work, and can provide remote data monitoring and collection via network.
E2-2015-000259 Rev.0 (2/2)
Replacement Technology and Experience
Installation
Toshiba Portable Radiation Systems can be installed by one person without any construction work (only connecting to the power supply).
Line-up
Toshiba Portable Radiation Monitoring System line-up includes:
Portable Dust Radiation Monitor (for Radiation Aerosol Monitoring)
Portable Area Monitor (for Work Area Ambient Dose Rate Monitoring)
Features
Portable Dust Radiation Monitor
Provides continuous monitoring of volumetric activity of radioactive aerosols in the work area.
No need to replace filter for about 40 days.
One-year calibration cycle recommended for detector.
Low bypass leak of sampled air by using filter adhesion mechanism.
Designed based on Japanese Industrial Standard JIS Z 4316 (Standardized based on IEC 60761-1 and IEC 60761-2).
Portable Area Radiation Monitor
Provides continuous monitoring of work area ambient dose rate (mSv/h).
Large display for easy-to-read data.
Small and lightweight.
Lower detectable ambient dose rate.
One-year calibration cycle recommended for the detector.
Designed based on Japanese Industrial Standard JIS Z 4324 (Standardized based on IEC 60532).
Specifications
Portable Dust Radiation Monitor
Radiation detected: beta (gamma) ray
Detectable limit: 1x10⁻⁵ Bq/cm³ (BG: 0.1 μSv/h)
Sampling flow: 15 ℓ/min
Weight: approx. 30 kg (dividable)
Outer dimensions: approx. 500Wx770Hx430D (mm)
Main power supply: AC100V 10%; solar power/battery (optional)
Communications: Ethernet (wired); Wireless (optional)
Portable Area Monitor
Radiation detected: gamma ray, X ray
Measurement range: 0.1 – 999 μSv/h
Weights: main unit: 2.6 kg; detector: 0.4 kg
Outer dimensions: main unit: approx. 350Wx70Dx200H (mm); detector: approx. 70Wx40Dx160H (mm)
Main power supply: AC100V 10%; solar power/battery (optional)
Communications: 0-1VDC (analog); Ethernet (wired); Wireless (optional)
Experience
Toshiba has extensive experience in supplying nuclear non-safety and safety-related I&C systems in Japan. Toshiba has extensive experience with radiation monitoring systems – over 300 units in 11 Japanese BWR plants. Toshiba portable dust radiation monitors have been installed in Japanese nuclear power plants.
E2-2015-000278 Rev.0 (1/2)
Benefits
In nuclear power plants, detection of fuel failure is important to inhibit release of nuclides and activated products in off-gas. In general, the off-gas is sampled by a Vial Sampler, and radionuclide analysis is conducted periodically or when needed. Toshiba has developed the High-Sensitivity Off-Gas Monitor, which enables continuous measurement of various nuclides and early detection of fuel failure.
Early Detection of fuel failure
Earlier detection of fuel failure than with manual operation. The standard response time during a power suppression test is 10 minutes or less. The measurement time can be changed from 1 to 90 minutes according to customer needs. (The measurement time is the response time excluding the time required for passing the Special Line.)
Continuous measurement
Continuous measurement of nuclides and data backup can be achieved without interrupting measurement.
The time period for the trend display can be set from 5 minutes to 24 hours, or selected from 1, 7, 15, 30, or 90 days.
Alarms are output when the measured value of any nuclide exceeds its alarm set point.
Easy Maintenance
No refill of liquid nitrogen is required for more than one year, because evaporated liquid nitrogen is cooled and used again to cool the Ge detector. Even if the power source for the Cooling System with Liquid Nitrogen Evaporation Arrester is lost, measurement can continue for about one week.
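[Figure: High-Sensitivity Off-Gas Monitor sampling arrangement. Components shown: off-gas line, FIC, Special Line for decreasing 13N, Ge detector with LN2 and freezer, D-MCA, connection to plant network, return to SJAE, line to sampling rack of off-gas monitor.]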
E2-2015-000278 Rev.0 (2/2)
Replacement Technology and Experience
Description
The High-Sensitivity Off-Gas Monitor measures various nuclides, such as Xe-133, Xe-135, Xe-137, Xe-138, Xe-135m, Kr-87, Kr-88, Kr-89, Kr-85m, N-13, and low concentration noble gases, such as Xe-133 and Xe-135, which are very effective for detecting fuel failure.
The monitor consists of local monitoring equipment and a personal computer in the Main Control Room, which are connected by Ethernet. The local monitoring equipment consists of a Ge detector, a digital multichannel analyzer (D-MCA), a Cooling System with Liquid Nitrogen Evaporation Arrester, personal computers, etc. The Liquid Nitrogen Evaporation Arrester is hermetically sealed, and no refill of liquid nitrogen is required for more than one year.
The energy information obtained from the signal outputs of the Ge detector is recorded as spectrum data by the D-MCA. Past data are analyzed for each expected nuclide, and analysis results are transmitted to the personal computer in the Main Control Room. The analysis results from the local monitoring device are displayed in the Main Control Room as a trend for each nuclide, and alarms are output when the measured value of any nuclide exceeds its alarm set point. The time period for the trend display and the types of nuclides to be displayed can be selected. Past data are kept for more than one month in the local monitoring device, and for more than a year in the Main Control Room.
The High-Sensitivity Off-Gas Monitor provides the following features:
High resolution: Energy resolution of 750 eV or less (for input count rate up to 100 kcps) can be satisfied.
High reliability: Energy resolution fluctuation is less than 20% (for input count rate up to 100 kcps). Peak-shift is 0.1 keV or less (for input count rate up to 100 kcps). Count rate error is 10% or less (for input count rate up to 100 kcps).
Replacement plan
In general, the off-gas is sampled at some point of the off-gas process line of a BWR plant. For the purpose of detecting fuel failure, the pre-treatment off-gas is usually sampled by a sampling system from the process line of the off-gas treatment system.
The local monitoring equipment of the High-Sensitivity Off-Gas Monitor can take its sample from branches of the existing sampling lines.
The return line of the local monitoring equipment of the High-Sensitivity Off-Gas Monitor is connected to the steam jet air ejector (SJAE). Because of the evacuation force of the SJAE, there is no sampling pump for the High-Sensitivity Off-Gas Monitor.
Experience
Toshiba has extensive experience in supplying nuclear non-safety and safety-related I&C systems in Japan. Toshiba has extensive experience with radiation monitoring systems – over 300 units in 11 Japanese BWR plants.
Toshiba has provided this system to 4 Japanese nuclear power plants, and is set to introduce this system to 4 nuclear power plants. In addition, the Toshiba High-Sensitivity Off-Gas Monitor will be installed in 4 more BWRs.
E3-2015-000065 Rev.0 (1/2)
High Reliability
When any single failure occurs within the system, the RMCS will stop all control rod movements. RPIS continues to monitor control rod positions. The system has been in operation for over 300 operating reactor years without a critical malfunction.
Improved operability
RMCS continues to move control rods by using a bypass function when a single failure exists in the RMCS. This achieves a good balance between high reliability and improved operability.
Easy Maintenance
Digital controllers are used for RMCS and RPIS, and this makes maintenance for RMCS and RPIS easy.
Compatible to general BWR system design
Toshiba has replaced RMCS and RPIS which were provided originally by suppliers other than Toshiba.
Benefits
The Reactor Manual Control System (RMCS) controls control rod movement using four directional control valves, and the Rod Position Information System (RPIS) monitors control rod position by receiving signals from position indicator probes.
Toshiba’s RMCS has a fully dual configuration and RPIS has a duplex configuration.
[Figure: RMCS dual configuration (two CPUs, SW, PO outputs to the directional control valves) and RPIS duplex configuration (two CPUs, PI inputs from the PIPs, HMI, RPIS display or ANN)]
CR: Control Rod
CRD: CR drive
PIP: Position Indicator Probe
DCV: Directional Control Valve
By applying these configurations, our RMCS has no unexpected control rod motion due to single failures, and our RPIS keeps continuous display of all rods even if one controller fails.
Replacement Technology and Experience
E3-2015-000065 Rev.0 (2/2)
Experience
Successful operation in 18 BWRs in Japan. (BWR-2/4/5)
Toshiba digital RMCS and RPIS have operated over 300 operating reactor years with no critical malfunctions.
Turn-key project by Toshiba
Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.
Replacement of general BWR system
Toshiba has replaced RMCS and RPIS which were provided originally by suppliers other than Toshiba.
Replacement features
Partial upgrades
RMCS/RPIS consists of the cabinets in the main control room and equipment located in the local area. Toshiba proposes a partial upgrade plan which upgrades only the components in the cabinets in the main control room and reuses existing equipment in the local area.
Other features of upgrades
Toshiba digital RMCS and RPIS offer:
• Human Machine Interface (HMI) is selectable: a Video Display Unit (VDU) Type or Conventional Type depending on user preference
• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depend on plant type)
– HMI controls and indicators
– Cables between PIP and auxiliary RPIS panel
– Control cabinet
[Figure: Example of partial upgrade. MCR: Human Machine Interface (conventional type HMI or Video Display Unit type HMI), RMCS cabinet (RMCS CPU-1, RMCS CPU-2, RMCS PI/O), RPIS cabinet (RPIS CPU-1, RPIS CPU-2, RPIS PI/O). Local: PIP, DCV (HCU), local component for rod motion. Legend: upgraded, reused.]
Compatible to general BWR system design
Toshiba digital RMCS and RPIS are available for:
• Replacement of Solid State type
• Replacement of Relay type
E3-2015-000070 Rev.0 (1/2)
High Reliability
When any single failure occurs within the system, the RC&IS shall stop all control rod movement and shall continue to monitor control rod positions.
Improved operability
RC&IS will continue to move control rods by using bypass function when a single failure exists in the RC&IS. This achieves a good balance between high reliability and improved operability.
Easy Maintenance
Digital controllers are used for RC&IS, and this makes maintenance for RC&IS easy.
Benefits
The Rod Control and Information System (RC&IS) controls control rod movement using four directional control valves and monitors control rod position by receiving signals from position indicator probes.
Toshiba’s RC&IS has a fully dual configuration, so there is no unexpected control rod motion due to single failures, and applying a duplex configuration keeps continuous display of all rods even if one controller fails.
[Figure: Fully Dual Configuration of the RC&IS. Components shown: HMI, RACS-A, RPC-A, RPC-B, RGDS-A, RGDS-B, local components for position indication, local components for rod action, DCVs, CRD, PIPs, CR. Legend: digital controller (dual configuration), safety-related components.]
CR: Control Rod
CRD: CR drive
PIP: Position Indicator Probe
DCV: Directional Control Valve
RACS: Rod Action Control System
RPC: Rod Pattern Controller
RGDS: Rod Gang Drive System
HMI: Human Machine Interface
Replacement Technology and Experience
E3-2015-000070 Rev.0 (2/2)
Experience
Successful Operation in 18 BWRs (BWR-2/4/5) and 2 ABWRs in Japan.
Toshiba digital RMCS (Reactor Manual Control System) / RPIS (Rod Position Indication System) and RC&IS have operated over 300 operating reactor years with no critical malfunctions. Toshiba proposes a solution of RC&IS for BWR-6 based on the extensive experience of RMCS/RPIS for BWR-2/4/5 and RC&IS for ABWR.
Turn-key Project by Toshiba
Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.
Replacement of OEM RMCS/RPIS System
Toshiba has experience replacing RMCS/RPIS systems which were originally provided by suppliers other than Toshiba.
Toshiba’s Experience on Safety-Related Application
Toshiba submitted the LTR for FPGA-based I&C system for safety-related application to NRC. In the LTR, it is confirmed that Toshiba’s process complies with codes & standards such as ISG-06.
Replacement features
Phased upgrades
Toshiba digital RC&IS consists of the following four portions, and Toshiba proposes upgrading each portion of RC&IS step by step:
• RACS and RGDS (in main control room (MCR) cabinets)
• RPC (same as above)
• Local components related to rod action, and
• Local components related to position indication.
Other features of upgrades
• Reusing existing plant components can reduce the amount of new equipment required. (Re-usable components depend on plant type)
– HMI controls and indicators
– Cables between MCR and local
– Control cabinet
[Figure: Example of phased upgrade (Phase 1, Phase 2, Phase 3). Components shown: HMI, RACS-A, RACS-B, RPC-A, RPC-B, RGDS-A, RGDS-B, local components for position indication, local components for rod action.]
E4-2015-000032 Rev.0 (1/2)
No critical malfunctions for more than 30 years
Toshiba RWM has dual controllers and a console Human Machine Interface (HMI) system, and any single failure doesn’t impact the controller functions of the RWM. The system has been in operation for more than 30 reactor operating years without a critical malfunction.
Compatible design to general BWR RWM
Toshiba RWM can be connected with existing facilities, e.g. RMCS/RPIS and Plant Computer Systems (PCS), via Ethernet and/or hard wired cables. Toshiba has extensive experience replacing and upgrading RWM systems which were originally designed by other suppliers.
Benefits
A Rod Worth Minimizer (RWM) monitors the operation of control rods and sends a rod action block signal to the Reactor Manual Control System (RMCS) if the operation violates a pre-installed withdrawal sequence when below the Low Power Set Point (LPSP). Our RWM has a dual controller configuration so that it continues to control and monitor when a single device fails. The Fail-As-Is design required for a RWM system is retained.
[Figure: Rod Worth Minimizer System. RWM Controller (A) and RWM Controller (B) connect through an interface unit to the RMCS/RPIS and the rod control panel (indication/operation). Signals shown: CR position information and control signal, CR position information, rod action block signal. RWM HMI (Display & Console): sequence edit, operation guidance, position information, operation log, maintenance tool.]
RMCS: Reactor Manual Control System
RPIS: Rod Position Information System
Improved operability
Toshiba RWM has an advanced Human Machine Interface (HMI) to set/edit a control rod (CR) withdrawal sequence and to ensure correct CR operations by the operations guidance displayed on the HMI.
[Figure: RWM HMI screen example (CR OPE GUIDE) with indications for SELECT, LATCH, LPAP, INSERTION ERROR and WITHDRAWAL ERROR, the next rod step, and plant parameters including generator output, core thermal power, core flow, APRM and RBM]
Sequence language for behavior accountability
Toshiba can supply the RWM software based on your requirements without the obsolete software source code of the existing RWM. Toshiba RWM uses a sequence language, which makes the user’s analysis of the system behavior easy.
Upgrade features
Various upgrade methods
(1) Full upgrades: A full set of controllers and dedicated HMI
(2) Small Scale Solutions: A RWM is generally a part of the PCS. The RWM portion can be replaced separately from the PCS as a partial upgrade strategy to address obsolete or problem components.
Reuse of original facilities like cabinets, signal cables, network cables etc. where possible.
Replacement Technology and Experience
E4-2015-000032 Rev.0 (2/2)
Experience
Successful operation in 19 BWRs in Japan. (BWR-3/4/5 and ABWR)
Toshiba is the leading supplier of BWR RWM in Japan.
Toshiba RWMs have operated over 33 reactor operating years for BWR, and 21 years for ABWR, with no critical malfunctions.
Turn-key project by Toshiba
Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.
Upgrades of general BWR system
Toshiba has upgraded RWM which were originally designed by other suppliers. 13 BWR RWMs in Japan have been upgraded.
[Figure: RWM upgrade architecture. Main Control Room: RWM display (CR guidance, CR sequence edit display), RWM server (HMI), CMS HMI online. Networks: Office IP Network, Plant Computer IP Network. Components: RWM PLC, TIP PLC, CMS (A), CMS (B), RPIS, PIP reed switch, Power Range Neutron Monitor, existing BOP PCS, existing data acquisition, existing fieldbus isolator, existing I/O. Data shown: CR position, LPRM data, TIP data.]
Background
Westinghouse has developed common turbine control solutions for pressurized water reactors (PWRs) and boiling water reactors (BWRs). The highly reliable Westinghouse turbine control protection system (TCPS) provides redundant control functions such as speed and overspeed control, load control, steam pressure control, valve testing, frequency control and turbine protection. The base control system can easily be expanded to provide additional functionality such as automatic turbine startup (ATS), moisture separator reheat (MSR) and the generator monitoring and turbine protection system (TPS).
The TCPS is based on the Emerson Ovation® product. The Ovation system is designed for the power industry and is flexible, easy to use and reliable, and provides advanced diagnostics. The Ovation system has no single points of failure that could cause disruptions or downtime. The Ovation TCPS can be a standalone application or can be expanded as part of a plant-wide control and information system. The Ovation family of hardware and software can easily be retrofitted to any type of utility plant process equipment, regardless of manufacturer.
The base TCPS system, combined with available electro-mechanical products such as pressure status manifolds, 2/3 trip manifolds, redundant linear-voltage differential transducer (LVDT) assemblies, speed probes and wheels, provides a comprehensive solution to address potential turbine-related problems.
Description
The TCPS communication components consist of two fully redundant fast Ethernet switches that can be configured to allow for fan-out networks or to uplink to an existing Ovation network. The switches can be powered by two separate and independent power sources to provide redundancy and maximum system-fault tolerance. All drops (controllers and workstations) are dual attached to the network for added reliability. The system is designed so that the TCPS controllers will continue to function, even if both switches fail and network communication becomes unavailable.
A typical TCPS will have two redundant controller cabinets: one used for the turbine control system (TCS) and one for the turbine protection system. Also included are two operation workstations that deploy soft controls using dual displays, an engineer’s workstation for configuring the system and an antivirus workstation. Additional functionality is provided by optional software packages and workstations, as required, to provide historian capability and domain controller redundancy, and to address cyber-security measures.
The base TCPS consists of two major functions: the operator automatic and overspeed protection. These two subsystems perform all required protective and operator auto functions including overspeed protection, speed control, overspeed trip, pressure control (BWR), load control, sequential valve control, valve transfer, valve testing, feedback loop initiation and remote control.
Additional optional functions can be added in separate redundant controllers as required. These include:
• TPS - This is a dedicated redundant controller that provides fast and effective protection to avoid damaging the turbine. Features of this option are first-out trip logic, median signal selection logic for critical inputs, and diverse overspeed trip that is testable on line.
• MSR Control - The MSR regulates the main steam flow, thereby controlling the MSR outlet temperature to the low-pressure turbine inlet. This control system can be included in the ATS/RSM or OA/OPC controller, or operate as a standalone.
• ATS and Rotor Stress Monitoring (RSM) - RSM is integrated with ATS functions within one controller. ATS/RSM calculates and utilizes rotor stress information and other monitored turbine parameters, then automatically accelerates or loads the unit and alerts the operator about turbine/generator alarm conditions. An expanded graphics package with turbine, generator and auxiliary-system displays is provided with this option.
[Figure: Typical system architecture]
Nuclear Automation
Turbine Control and Protection
November 2010 NA-0026 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Integral components in the TCPS are the speed-detector module and valve-positioner module (RVP), which are special inputs/outputs (I/O) designed exclusively for turbine-control applications. The speed-detector modules offer a unique and independent trip subsystem that allows hardwired overspeed protection to safety trip the turbine within 5 milliseconds from either the control system or the emergency terminal speed (ETS) overspeed, even if the redundant controllers are off line. The RVP modules allow automatic calibration of the LVDTs in cold- and hot-plant conditions to account for thermal growth, and provide a redundant interface to the control valve. These special I/O interface cards are fourth generation, and have 40 years of operating experience in the design.
Median selector logic is performed for all critical-control or protection-input control on individual analog inputs to protect against a single point of failure. Each input is read on separate I/O cards (each on a separate communication branch in the controller) to eliminate a single point of failure in the I/O hardware. This approach is used for all critical-control and protection-input parameters.
Once the vital inputs are scanned, the data is used to perform important functions such as overspeed protection, loss of load, and close-intercept valve or fast-valving closure action. These protective programs are executed approximately once every 50 milliseconds.
Operator automatic (OA) is the normal mode of operation. The operator enters a target and rate, which are validated by the system so that they will not damage the unit. Checks include verification that the speed target is not in a known blade resonance range, and that the rate does not violate the maximum allowable rate dictated by the turbine’s mechanical design. After a rate and target are accepted, the operator can start or stop the speed or load ramp using the display graphic interface. The OA then calculates a valve position demand and passes this setpoint to the valve positioner cards from the OA system.
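The median selection and operator-automatic validation described above, sketched as an added example (this is not Westinghouse or Ovation code). The three-input arrangement, the quality flag, the degraded modes and every numeric limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Reading:
    """One redundant analog input, read on its own I/O card."""
    value: float
    good: bool = True  # hardware quality flag (assumed to come from the card)


def median_select(readings: Sequence[Reading], lo: float, hi: float,
                  max_dev: float) -> Tuple[float, List[int]]:
    """Return (selected value, indices of suspect inputs).

    Inputs flagged bad, NaN, or outside the sensor range [lo, hi] are
    excluded. With three survivors the median is used, so a single wrong
    input cannot move the result. Two survivors give their mean and one
    survivor is passed through (assumed degraded modes). With no survivor
    the function raises so the caller can take its safe action.
    """
    # NaN fails both range comparisons, so it is excluded here as well.
    valid = [(i, r.value) for i, r in enumerate(readings)
             if r.good and lo <= r.value <= hi]
    if not valid:
        raise ValueError("no valid input: caller must take its safe action")
    selected = median(v for _, v in valid)
    valid_idx = {i for i, _ in valid}
    # Excluded inputs, and valid ones far from the selected value, are
    # reported so they can be alarmed and repaired before a second failure.
    suspects = [i for i, r in enumerate(readings)
                if i not in valid_idx or abs(r.value - selected) > max_dev]
    return selected, suspects


@dataclass(frozen=True)
class TurbineLimits:
    resonance_bands: Sequence[Tuple[float, float]]  # rpm ranges to avoid as a target
    max_rate: float                                  # rpm per minute
    max_target: float                                # rpm


def validate_speed_demand(target: float, rate: float,
                          limits: TurbineLimits) -> List[str]:
    """Return the reasons a target/rate pair is rejected; empty means accept."""
    reasons = []
    if not 0.0 <= target <= limits.max_target:
        reasons.append("target outside speed range")
    for low, high in limits.resonance_bands:
        if low <= target <= high:
            reasons.append(f"target inside blade resonance band {low}-{high} rpm")
    if not 0.0 < rate <= limits.max_rate:
        reasons.append("rate outside allowable range")
    return reasons


# Constructed limits for the demonstration, not data from any real turbine.
SAMPLE_LIMITS = TurbineLimits(resonance_bands=[(900.0, 1100.0)],
                              max_rate=300.0, max_target=1800.0)

if __name__ == "__main__":
    # Constructed speed readings: the third probe has failed high but in range.
    probes = [Reading(1800.2), Reading(1799.8), Reading(2500.0)]
    print(median_select(probes, lo=0.0, hi=4000.0, max_dev=5.0))
    print(validate_speed_demand(1000.0, 100.0, SAMPLE_LIMITS))
```

The demand check rejects rather than clamps, so an operator entry is never silently altered before it reaches the valve positioner.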
Benefits
• Improved process control, reliability, availability, capacity and operability
• Minimized field tuning and risk of delays at startup following major turbine and plant modifications (e.g., uprate)
• Proven low-risk standardized design
• Expansion capability to include other plant control and information system functionality. Standard solutions are available with the Ovation platform for the nuclear steam supply system, including advanced steam generator water-level control and balance-of-plant controls, rod control, flux mapping and plant computer calculations
• The TCPS design addresses cyber-security regulations
[Figure: Typical turbine control system operator graphic]
Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, PA 16066
www.westinghousenuclear.com
July 2011 NA-0059 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Nuclear Automation
Feedwater Control System Upgrades
Background
Since the late 1980s, industry data has consistently identified the feedwater system as one of the top two major system contributors to the number of automatic reactor trips, with poor feedwater control as a significant root cause. In response, Westinghouse has provided leading feedwater control upgrade technology as the basis for numerous retrofits currently operating in dozens of nuclear units worldwide, dating back to its first wave of digital upgrades in the late 1980s that initially utilized the WDPF® Instrumentation and Control (I&C) platform.
Westinghouse’s current standard design, an evolutionary “lessons learned” design now in its third generation, includes an enhanced control algorithm/logic implemented upon the widely-used Ovation® digital I&C platform (successor to WDPF). It is capable of fitting into existing plant process control cabinets either as a stand-alone upgrade, or in combination with broader nuclear steam supply system (NSSS) retrofit applications. This common reference design is provided for both pressurized water reactor and boiling water reactor retrofit applications, and also for AP1000® nuclear reactor new-build, thereby maintaining and extending this well-established user base.
Description
The Westinghouse digital feedwater control system upgrade’s primary function is to regulate the flow of feedwater during normal at-power operations, and optionally during plant heat up/cooldown.
The control algorithm/logic features:
• Automatic input signal validation (one to four inputs)
• Low-power (single-element with feed forward) and high-power mode (three-element) with auto transition
• Gain scheduling to address process response variations over range of operation
• Compensation to offset limit-cycle behavior near steady-state due to field device non-linearities
• Automatic staging of feed regulator control valve and pump operation
• Integrated main feedwater pump speed control demand (variable speed pumps only)
The I&C platform features:
• Controller anti-windup
• Bumpless transfer
• Complementary contact input checking
• Alarming of system and process faults
• Manual control backup to redundant processors from manual/automatic station interface
• Degraded backup modes for fault tolerance driven by signal validation
• Redundant architecture with automatic fail-over (controllers, input/output, power supply)
• Continuous online self-diagnostics and alarming
Benefits
• Fault tolerance within control algorithm logic and I&C platform
• Automatic control over the complete range of normal power operation (1 – 100 percent) and optionally during plant heat up/cooldown
• Operational flexibility through support of split range and mixed-mode operation (auto/manual) with seamless transition between feedwater regulation control devices
• Automatic integrated control of variable-speed main feedwater pump demand (as applicable) to maintain feedwater regulator valves within a reasonable operating range
• Ability to handle operational maneuvers with reduced water level deviation from reference:
- Transition from auxiliary/startup feedwater to main feedwater system
- Flow disturbances due to transitioning pumps into/out of service, changes in feedwater system recirculation, etc.
- Turbine synchronization
- Rapid ramp load increases/decreases
• Ability to address demands of process characteristics with reduced impact to control stability and performance due to:
- Shrink/swell water level behavior, particularly for low-power operation
- Process and control device non-linearities (e.g., pump/valve characteristics)
• Plant-specific dynamic analysis prior to operation to minimize field tuning at startup
Experience
Feedback from industry forums confirms a growing recognition of the value of original equipment manufacturer experience in support of digital nuclear I&C upgrade projects. Numerous lessons-learned reflect the need for vendor cognizance of plant operational performance demands, and design considerations unique to the nuclear industry. These highlight values of characteristic importance: risk aversion, reliability and confidence based upon demonstrated, evolutionary advancement. These values are firmly reflected in the standardized Westinghouse I&C upgrade product offerings, and the standardized design and test process employed for Westinghouse’s digital I&C upgrades.
Ovation and WDPF are trademarks or registered trademarks of Emerson Electric Company. Other names may be trademarks of their respective owners.
AP1000 is a trademark or registered trademark of Westinghouse Electric Company LLC in the United States and may be registered in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited.
©2015 Toshiba Corporation
E3-2015-000071 Rev.0 (1/2)
The Feedwater Control System (FWC) monitors reactor water level and controls the flow of feedwater into the reactor to maintain the water level during plant operation.
Toshiba digital FWC applies a triple redundant configuration. It consists of three controllers that run independently.
With this configuration, our FWC can continue to control the feedwater flow, and failed parts can be replaced without any interruption.
Benefits
High Reliability
The triple redundant FWC can continue to monitor reactor water level and control the flow of feedwater without any interruption when any single failure occurs within the system. The system has been in operation for over 350 operating reactor years without a plant trip.
Improved operability
High controllability is realized by adopting proven control techniques based on Toshiba’s extensive experience in Japan.
Easy Maintenance
Because the FWC uses digital controllers in a triple redundant configuration, it can be maintained online and failed parts can be replaced without a system outage.
Compatible with general BWR system design
Toshiba has replaced FWCs that were originally provided by suppliers other than Toshiba.
[Figure: Triple redundant configuration. Labels: three FWC controllers (each with CPU and PO), SW, FTV (Passive Fault Tolerant Voter) to actuator, RFPs, FCV, display or ANN; inputs: reactor water level, main steam flow, feedwater flow. RFP: Reactor Feedwater Pump; FCV: Flow Control Valve.]
Replacement Technology and Experience
E3-2015-000071 Rev.0 (2/2)
Experience
Successful operation in 20 BWRs in Japan. (BWR-2/4/5 and ABWR)
Toshiba digital FWCs have operated over 350 operating reactor years with no critical malfunctions.
Turn-key project by Toshiba
Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.
Replacement of OEM FWC system
Toshiba has replaced FWCs that were originally provided by suppliers other than Toshiba.
Successful replacement
Toshiba has successfully replaced FWCs in 18 BWR plants, based on Toshiba’s extensive experience in Japan.
Replacement features
Various upgrades
Toshiba digital FWC offers:
• Human Machine Interface (HMI) is selectable: a Video Display Unit (VDU) type or Conventional type, depending on user preference
• Reusing existing plant components can reduce the amount of new equipment required. (Reusable components depend on plant type)
- HMI controls and indicators
- Cables between control cabinet and local equipment
- Control cabinet
Additional Options
Automatic pump switching function reduces plant startup time and operator’s burden.
[Figures: Video Display Unit type HMI; Conventional type HMI]
E3-2015-000073 Rev.0 (1/2)
Recirculation Flow Control System (RFC) controls reactor power level by controlling the flow rate of the reactor core coolant.
Toshiba digital RFC applies a triple redundant configuration. It consists of three controllers that run independently.
With this configuration, our RFC continues to control the recirculation flow without any interruption.
Benefits
High Reliability
The triple redundant RFC can continue to control the recirculation flow without any interruption when any single failure occurs within the system. The system has been in operation for over 350 operating reactor years without a plant trip.
Improved operability
High controllability is realized by adopting proven control techniques based on Toshiba’s extensive experience in Japan.
Easy Maintenance
Because the RFC uses digital controllers in a triple redundant configuration, it can be maintained online and failed parts can be replaced without a system outage.
Compatible with general BWR system design
Toshiba has replaced RFCs that were originally provided by suppliers other than Toshiba.
[Figure: Triple redundant configuration. Labels: three RFC controllers (each with CPU and PO), SW, FTV (Passive Fault Tolerant Voter) to actuator, display or ANN, Scoop Tube Controller, PLR M/G set (Motor Generator, Fluid Coupling), PLR pump. PLR: Primary Loop Recirculation.]
Replacement Technology and Experience
E3-2015-000073 Rev.0 (2/2)
Experience
Successful operation in 20 BWRs in Japan. (BWR-2/4/5 and ABWR)
Toshiba digital RFCs have operated over 350 operating reactor years with no critical malfunctions.
Turn-key project by Toshiba
Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.
Replacement of OEM RFC system
Toshiba has replaced RFCs that were originally provided by suppliers other than Toshiba.
Successful replacement
Toshiba has successfully replaced RFCs in 18 BWR plants, based on Toshiba’s extensive experience in Japan.
Replacement features
Various upgrades
Toshiba digital RFC offers:
• Human Machine Interface (HMI) is selectable: a Video Display Unit (VDU) type or Conventional type, depending on user preference
• Reusing existing plant components can reduce the amount of new equipment required. (Reusable components depend on plant type)
- HMI controls and indicators
- Cables between control cabinet and local equipment
- Control cabinet
Additional Options
Toshiba can also provide a scoop tube controller for plants that use a PLR M/G set to control pump speed.
[Figures: Conventional type HMI; Video Display Unit type HMI]
E3-2015-000080 Rev.0 (1/2)
The triple redundant D-EHC (Digital Electro-Hydraulic Control system) is a key control component for nuclear power plants to keep electricity generation secure and protect the steam turbine in any situation from plant start up through plant shut down. The D-EHC system is designed with a highly reliable system configuration which consists of triple redundant Master Controllers, dual redundant System Controllers and triple redundant Turbine Protection Devices. With this configuration, Toshiba D-EHC can continue to control the main steam flow to the turbine, and failed parts can be replaced without any interruption.
Benefits
High Reliability
• Triplicated Control Processors
• Fully Digitalized Control Circuits
• Medium Value Gate (MVG) Voting Logic
• Distributed Power Supplies
Improved operability
• Pressure/Load Set Automatic Tracking Function
• Automatic Line Speed Matching Function
• Steam Control Valves Test Flow Compensation Function
• Reactor Dome Pressure Control
• RFC Master Controller Function
Easy Maintenance
• Driftless and reduced adjustment
• Self-diagnosis for fault identification
• System-diagnosis for fault identification
• On-line maintenance
• Maintenance tools provided
[Figure: D-EHC Hardware Configuration. Labels: D-EHC cubicle with Master Controller, System Controller, Valve Interface and Turbine Protection Device (2 out of 3 logic); Primary Feedback Sensors; Control Panel, Monitor Panel and Test Panel (each with LCD); HMI System, Plant Computer.]
Replacement Technology and Experience
E3-2015-000080 Rev.0 (2/2)
Experience
Toshiba has substantial experience in applying D-EHC to BWRs in Japan. Since Toshiba D-EHC also can be applied to any type of turbine control such as conventional thermal power plants, combined cycle power plants, co-generation power plants and geothermal power plants, Toshiba D-EHC is a proven product that has a wealth of experience in more than 350 applications worldwide.
Successful operation in 13 BWRs in Japan. (BWR-4/5 and ABWR)
Toshiba D-EHC systems have operated over 250 operating reactor years with no critical malfunctions.
Turn-key project by Toshiba
Toshiba can provide a turn-key solution that includes design, engineering, manufacturing, software design, installation, modification, commissioning, and training.
Replacement features
Various upgrades
Toshiba digital EHC offers:
• Human Machine Interface (HMI) is selectable: a Video Display Unit (VDU) type or Conventional type, depending on user preference
• Reusing existing plant components can reduce the amount of new equipment required. (Reusable components depend on plant type)
- HMI controls and indicators
- Cables between control cabinet and local equipment
- Control cabinet
Additional Options
Automatic turbine start-up function reduces plant startup time and operator’s burden.
[Figure: HMI station for D-EHC. Valve labels: MSV, TBV, TCV, IV.]
Nuclear Services/Repair, Replacement and Automation Services
Main Control Room Modernization
January 2007 Ns-RRAS-0044 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Background
Westinghouse has developed a modular approach to designing custom main control rooms (MCRs) as part of an instrumentation and control (I&C) system modernization program for new plant designs. The MCR modernization program comprises the human systems interface (HSI) building blocks to modernize an MCR, as well as the integration of standard, software-based HSI resources using the building-block approach. Examples of MCR configurations are based on this approach, which supports new plant construction and existing plant modernizations.
Description
MCR hardware building blocks:
• Operator control consoles
• Large display panel (LDP)
• Safety-related HSI (integrated in the operator’s console or in a separate safety console)
Nonsafety-related HSI building blocks:
• Distributed control system (DCS) workstations, featuring two full-functional flat panel displays (FPDs), usually measuring 20 inches diagonally
• An LDP driven by the DCS installed in front of all MCR operator consoles, consisting of 50- to 67-inch FPDs
• All MCR nonsafety-related building blocks are seismic category II devices, which provide for structural integrity during seismic events
Safety-related HSI building blocks:
• A Common Q FPD system, qualified to U.S. Nuclear Regulatory Commission (NRC) Class 1E criteria for equipment and software, utilizing channelized operators’ modules for the protection system, multi-channel control, monitoring; and channelized maintenance and test for use outside the MCR
• Soft control confirmation switches used with soft control commands issued to safety components from the DCS or Common Q FPDs
• A safety panel, consisting of two Class 1E, multi-channel Common Q FPDs for display; safety controls with one-step access to NRC Regulatory Guide 1.97, Category 1 parameters; one set of soft control confirmation switches; and two channelized, fixed-position pushbuttons for reactor trip and the actuation of each engineered safety feature (ESF)
• A “Position 4” panel to address NUREG-0800 HCIB BTP-19 provides switches for diverse system-level ESF actuation and its accompanying display integration of HSI resources and building blocks. HSI building blocks are effective when integrated through software with the functional designs of HSI resources. There are four principal HSI resources: soft controls, computerized procedures system (CPS), displays and alarms.
[Figure: Example of a modern, primarily soft MCR]
Benefits
• Modular HMI approach accommodates a diverse set of potential MCR customers.
• Different licensing criteria, philosophies and operating standards are addressed, as well as plant designs and vintages.
• The focus is on re-using HSI building blocks and only customizing software when it is necessary.
• The modular approach allows the same set of HSI equipment to be used for new construction as well as plant modernizations.
• Economic benefits are realized via minimization of the amount of HSI equipment in the MCR, standardization of equipment used, and reduction of initial capital investment.
• Other economic benefits result from reduced long-term equipment maintenance costs over the duration of plant life.
Experience
Westinghouse has constructed a compact control room development and test facility to enhance existing HSI resource designs and integrate the HSI resources into a primarily soft environment. Westinghouse has completed nine main control room modernization projects.
Nuclear Automation
Computerized Procedures System
August 2011 NA-0056 ©2014 Westinghouse Electric Company LLC. All Rights Reserved
Background
Computerized procedures were developed to help operators execute normal and emergency operating procedures. Westinghouse has designed, developed and implemented a data-driven, software-based computerized procedures system (CPS) that guides operators through plant operating procedures. It monitors plant data, processes the data and then, based on this processing, presents the status of the procedure steps to the operator. The system can be used for normal operating procedures, abnormal operating procedures and emergency operating procedures. Computerized procedures allow the operator and computer to complement each other for more accurate and efficient procedural execution.
Description
The CPS:
• Guides the user step-by-step through the procedures by monitoring the appropriate plant data, processing the data and by identifying the recommended course of action
• Provides the necessary parallel information, which allows the operator to assess other plant conditions that may require attention
The Westinghouse CPS accomplishes its purpose by executing the concurrent and independent functions of procedure processing, parallel information monitoring and conditions logging. The conditions logger generates a permanent chronological record of parameter and component state and actions taken. The CPS online software will run on operator workstations in the main and/or emergency control room. The system is embodied in a user interface that supports diverse procedure views: a graphical flowchart view, a textual view and a dynamic logic view.
The CPS provides a consistent structure within which plant operating procedures are created, maintained and utilized. It can reduce cycle time needed to implement changes in the operating procedures, because the procedures will reside within the computerized system. The CPS is not designed to perform any plant safety protection functions, and no Category B functions rely on the CPS equipment to perform those essential functions. The CPS equipment is functionally categorized as Category C, or as a non-safety system, according to U.S. Nuclear Regulatory Commission (NRC) guidance.
Benefits
The CPS provides:
• More accurate and timely implementation of the procedures
• Enhanced situation assessment by the operator
• All procedural information at one location
• Detailed recordkeeping of the procedure execution
• Reduced operator mental workload
• Integrated information needed for procedure execution, such as direct access to graphical displays
Experience
The Westinghouse CPS has been installed in nuclear power plants around the world, and has been approved by the NRC for use in the Westinghouse AP1000® nuclear reactor.
Background
Annunciator replacement is often part of plant computer upgrades or control room modernization projects as the existing system becomes increasingly difficult to maintain. Westinghouse offers an alarm presentation system (APS) as a replacement for aging annunciator systems. Our APS is a software-based alarm system built on technology from the Westinghouse AP1000® nuclear power plant.
Description
The APS is a modular, highly configurable software-based alarm system that consists of redundant alarm servers, large LCD monitors or lamp boxes, and alarm management software that runs on operator workstations. The system also includes a graphical configuration tool.
The APS uses client-server architecture. Redundant alarm servers are connected to APS clients via redundant Ethernet networks. For Ovation™-based upgrades, the APS uses the Ovation data highway.
The APS interfaces with existing silence and acknowledge buttons on the control board via digital input/output (I/O). The APS can interface to the existing alarm horn system or replace it.
The APS server monitors the plant for changes in alarm state and provides centralized alarm processing. The APS server gets alarm data from the control system (via Ovation or OPC), digital I/O, or a combination of sources.
Each LCD monitor is driven by a small PC that runs the APS wall panel client software. The wall panel client requests alarm updates from the APS server and displays the alarm tiles. If desired, the APS can drive lamp boxes in lieu of LCD monitors using digital I/O.
The APS workstation client provides alarm management functions at operator workstations. The software can be installed on existing workstations or on small standalone PCs. The workstation client requests alarm updates from the APS server and displays alarms using a combination of alarm tiles and alarm lists.
The workstation client provides a dynamic overview of all alarm tiles that exactly matches the large LCD monitors and lets the operator navigate to any monitor to view the individual alarm tiles on that monitor. Additional alarm management features are accessed from the alarm tiles or associated alarm lists.
Benefits
The Westinghouse APS offers the following benefits:
• Flexible architecture for custom solutions
• Simple, cost-effective replacement for lamp boxes and associated hardware/cabling
• Improved readability of alarm tiles
• Workstation clients that provide redundant backups to the large monitors
• Workstation client that can extend the alarm system outside the main control room (remote shutdown room, technical support center, etc.)
• Workstation client that provides easy access to electronic alarm response procedures
• Manual suppression of long-standing alarms and nuisance alarms to reduce workload
• Programmed suppression of consequence alarms during large transients/events
• Operator experience log that allows operators to record and review notes about alarms
• Alarm tile layouts that are easily developed using the graphical configuration tool
Alarm Presentation System
Nuclear Automation
July 2015 NA-0057
©2015 Westinghouse Electric Company LLC. All Rights Reserved
Experience
The APS software is the basis of several successful alarm system upgrade projects including the Westinghouse Standardized Nuclear Unit Power Plant System (SNUPPS) training simulator (see SNUPPS photo).
[Figures: SNUPPS simulator upgrade; APS workstation client]
Background
Digital systems in nuclear power plants are the focus of increased scrutiny by global regulatory and legislative bodies. Westinghouse customers are now facing a challenging and changing landscape of regulation and legislation regarding the protection of their critical digital assets. Westinghouse is uniquely qualified to provide cyber security products and services to meet today’s regulations.
Description
Westinghouse has developed a cyber security program to encompass the establishment, implementation and maintenance of products and systems for nuclear facilities. The program enforces the use of secure development environments, assessments of security controls, and the implementation of cutting-edge cyber security tools and techniques throughout the development life cycle. The program was designed to provide high assurance that Westinghouse products and services are compliant with current cyber security requirements, such as Nuclear Energy Institute (NEI) Cyber Security Plan for Nuclear Power Reactors (NEI 08-09) and Regulatory Guide 5.71.
Westinghouse’s team of cyber security experts are experienced in designing and assessing nuclear systems and assets. They possess cyber security certifications and are available to provide cyber security support for nuclear utilities worldwide. Westinghouse is able to provide a specialized nuclear-specific approach to cyber security, and has experience assisting customers worldwide with the implementation of cyber security programs.
The following products and services are offered to Westinghouse customers, and in most cases, product sheets are available that provide additional detail.
Cyber Security Program Development
• Cyber security plan/program development and training
• Cyber security policy and procedure drafting
• Cyber security defensive strategy design, documentation and implementation
Event Management and Intrusion Prevention
• Network monitoring, intrusion prevention and log correlation
• Specially configured content developed by Westinghouse for the nuclear industry
• Configuration, hardware and software support, and on-site training
Specialized Cyber Security Training
• Specialized training provided by Westinghouse designed to satisfy regulatory requirements
• Hands-on and classroom instruction with current security technologies on a wide range of nuclear cyber security concepts
• Four different one-week classes of up to 10 students each
Host-based Security Solutions
• Provide nuclear expertise and configuration to top industry security products to verify that host-based critical digital assets are secure
• Solutions are based upon the individual needs of the customer, and may be tested for compatibility prior to installation
Vulnerability Scanning and Virtualized Testing
• Provide the ability to perform vulnerability scanning and penetration testing on a virtualized environment, eliminating the risk of adverse impacts on plant systems
• Westinghouse’s cyber security team is certified in conducting vulnerability scanning and virtualized testing by both the vendor and other security institutes
Cyber Security Services
Nuclear Automation
Westinghouse Electric Company
1000 Westinghouse Drive
Cranberry Township, PA 16066
www.westinghousenuclear.com
February 2015 NA-0091
©2015 Westinghouse Electric Company LLC. All Rights Reserved
AP1000 is a registered trademark of Westinghouse Electric Company LLC, its affiliates and/or its subsidiaries in the United States of America and in other countries throughout the world. All rights reserved. Unauthorized use is strictly prohibited. Other names may be trademarks of their respective owners.
Ovation is a trademark or registered trademark of Emerson Process Management.
McAfee is a trademark or registered trademark of McAfee, Inc.
Assessments
• Provide training, consulting, and assessment team resources to deliver high-quality and accurate assessment results
• Utilizes a specialized assessment methodology that may provide up to a 66-percent reduction in the time to complete assessments

Ovation Security
• Provide solutions based upon customer needs, including Ovation® Security Center, and additional features through McAfee®
• New Ovation systems can be built in the Westinghouse Secure Development and Operating Environment, protecting the system from tampering

Legacy System Security
• Addresses the issue of securing older, unsupported systems through the use of alternate controls and technologies
• Provides testing and assessment services to secure legacy systems and confirm the original threat vector has been neutralized

Cyber Security Labs
• Testing environment for solution validation, Ovation control system testing, legacy systems testing and to develop new products and services
• Can be utilized to find solutions to remediation issues following assessments, and verify alternate control security

Recurring Cyber Security Program Maintenance and Reviews
• Cyber security program audits, and re-assessments of controls, incorporating new critical digital assets
• Create and implement risk-based remediation strategies for vulnerabilities identified
• Provide ongoing cyber security consulting for new plants and plant upgrade projects
Benefits
Regulations – Westinghouse can help customers meet the demanding cyber security requirements of today’s regulations. Westinghouse maintains integrated relationships with NEI, the U.S. Nuclear Regulatory Commission, the Instrument Society of America, the Institute of Electrical and Electronics Engineers and many nuclear customers and security vendors worldwide, allowing for global collaboration.

Tools – Westinghouse uses cutting-edge tools for the plant-wide implementation of cyber security protective strategies, conducting cyber security assessments, and supporting the ongoing review and monitoring of a plant cyber security program.

Expertise – Westinghouse has a highly qualified technical team that is both professionally certified and experienced in cyber security with the ability to apply nuclear-specific configuration, value and advice to customer projects.

Experience
The Westinghouse cyber security team is currently performing assessments and providing cyber security technologies and services for existing pressurized water reactors and boiling water reactors worldwide. Westinghouse is also developing cyber security systems for complete integration in new plants such as the Westinghouse AP1000® nuclear power plant.
Cyber Security Services: Event Management and Intrusion Prevention

Background
Westinghouse Electric Company LLC and McAfee, Inc., an Intel Company, have entered into a partner agreement where Westinghouse may resell the following list of McAfee® licensed products:
• Enterprise Security Manager (ESM)
• Enterprise Log Manager (ELM)
• Event Receiver (REC)
• Nitro Intrusion Prevention System (IPS)
• Gold Level Support and Maintenance
• Services and Training
Regulatory bodies and industry groups around the world now require nuclear utilities to introduce new hardware and software into the plant architecture to prevent cyber attacks and to collect, monitor and analyze data for cyber vulnerabilities, threats and unwarranted activities. Westinghouse is currently partnered with McAfee to provide a scalable, comprehensive solution to the nuclear market.
Description
The McAfee high-performance, powerful Security Information and Event Management (SIEM) brings event, threat and risk data together to provide strong security intelligence, rapid incident response, seamless log management and extensible compliance reporting. At the core of the SIEM offering, ESM consolidates, correlates, assesses and prioritizes security events for both third-party and McAfee solutions.

The SIEM provides the ability for Westinghouse customers to meet monitoring and log correlation requirements stemming from 10 CFR 73.54 (Nuclear Regulatory Commission Regulatory Guide [RG] 5.71, Nuclear Energy Institute [NEI] 08-09). This solution collects security event logs from plant systems (critical digital assets) and stores the event in a central location. The solution provides the customer with event sorting and automated alerting rules.

McAfee Nitroguard is an IPS that actively detects, analyzes and protects the network from an array of security attacks, including viruses, worms, spyware, denial-of-service attacks and other forms of malware, as well as unknown or zero-day attacks. It allows the customer to take control of the network with the ability to maintain multiple simultaneous intrusion detection system (IDS) and IPS policies from a single appliance, facilitate policy tuning with “what if” scenario alerting, correlate events to network and session activity using built-in network flow collector and firewalls, and utilize exploit-, vulnerability- and anomaly-based detection.
RG 5.71 | NEI 08-09 | Title
C.3 | E.3 | System and Information Integrity
B.2 | D.2 | Audit and Accountability
www.westinghousenuclear.com
July 2013 NA-0125
Benefits
Westinghouse offers a basic SIEM solution, single security level SIEM solution, multiple security level SIEM solution, integrated IPS solution, basic and nuclear content configuration support, extended hardware and software support and on-site training services.

Westinghouse Basic McAfee Configuration:
Westinghouse can perform on-site configuration and consulting for the McAfee event management and intrusion prevention products. The Westinghouse basic configuration for the McAfee appliance includes answering installation questions and/or performing installation troubleshooting. Basic configuration includes elements such as:
• Configure McAfee ESM network connectivity
• Configure login security
• Configure authentication
• Configure users, groups and privileges
• Define data sources
• Configure receiver(s)
• Configure storage pool definitions, where applicable
• Configure McAfee Event Log Manager(s)
• Configure McAfee IPS, where applicable

Westinghouse Nuclear Content Configuration:
Westinghouse can perform on-site configuration on the McAfee appliance and from the management workstation to add the Westinghouse Nuclear Content. The Westinghouse content includes additional configuration settings, including views and reports to show compliance with NEI 08-09. Additional configuration includes elements such as:
• Variables (provide logical grouping of assets)
• Hosts (used for name resolution)
• Zones (for multiple level deployments only)
• Alerts (notify staff of events that require attention)
• Views (provide a dashboard view of live event data)
• Report (provide customized point-in-time event data)
SIEM solution over multiple security levels
SIEM Considerations
1. Logs and SIEM within plant
a. May have one SIEM to address secure levels (3 and 4)
b. Events may forward to site or corporate network SIEM
2. Logs on site network
3. Non-nuclear sites
4. Corporate network with both nuclear and non-nuclear generation
McAfee is a trademark or registered trademark of McAfee, Inc. Other names may be trademarks of their respective owners.
Background
The U.S. Nuclear Regulatory Commission has produced Regulatory Guide (RG) 5.71 and the Nuclear Energy Institute (NEI) has produced NEI 08-09 to assist in meeting 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These two regulatory guides specify requirements for cyber security training. While many different forms of specialized cyber security training exist, most apply to corporate information technology with no consideration for the special requirements of the nuclear industry.

Description
Westinghouse has designed cyber security training classes to address the unique needs and use cases required in the nuclear industry. These four week-long classes provide information needed to develop effective cyber security programs within both nuclear facilities and the corporate network, covering a wide range of topics necessary to become compliant with 10 CFR 73.54. Each class consists of both presentation and hands-on components. Threat vectors, security concepts, controls and the associated risks are presented, and students gain operational experience with commonly used security products. Students are also provided the tools and instruction to learn how systems are manipulated when the security controls are not in place. This training is provided at a Westinghouse location so that Westinghouse Cyber Security Services resources can be prepared and used to aid in instruction. Each class is limited to 10 students so that each student receives individual instruction, and is filled on a first-come, first-served basis.
The following classes are offered:

Operating System and Application Security – Focuses on securing the endpoint and teaches the concepts of securing common desktop and server operating systems. Desktop administrators or cyber security team members will benefit from this class. Key concepts include:
• Securing operating system configurations through system hardening
• Monitoring of key files and settings
• Maintaining security through change management and patching
• User access controls
• Change management and patching
• Administering security controls

Network Security – Focuses on controlling and monitoring network traffic by teaching the concepts of supporting firewall rules, access control lists and traffic signatures. Network administrators and cyber security team members will benefit from this class. Key concepts include:
• Designing secure networks
• Maintaining secure network configurations
• Administering network security controls
• Using secure network protocols
• Monitoring functional networks
Cyber Security Services: Specialized Cyber Security Training
www.westinghousenuclear.com
July 2013 NA-0136
Monitoring and Incident Response – Focuses on information gathering and analysis, and teaches the concepts of log correlation, digital forensics and incident response procedures. Incident response team members, staff responsible for log monitoring, or cyber security team members will benefit from this class. Key concepts include:
• Intrusion analysis and digital forensics
• Designing an intrusion analysis and digital forensics program
• Acquiring intrusion analysis and digital forensics tool kit
• Installing intrusion analysis and digital forensics technologies
• Operating intrusion analysis and digital forensics functions
• Event correlation and log management

Vulnerability Scanning and Virtualized Testing – Focuses on finding vulnerabilities that may be exploited, and teaches the concepts of vulnerability detection and verification. Cyber security team members will benefit from this class. Key concepts include:
• Designing a penetration testing program
• Vulnerability scanning and verification
• Penetration testing tools
• Installing an offline testing environment
• Common hacking techniques
• Remediation
Benefits
This training provides the information needed to meet the controls found in RG 5.71 and NEI 08-09. Upon completion of these classes, students will understand the associated controls of the regulatory guides, and be able to use the knowledge and tools covered to address these controls. Additionally, these trainings allow students to take credit for the following controls:

RG 5.71 | NEI 08-09 | Title
C10.3 | E9.3 | Specialized Cyber Security Training
C10.4 | E9.4 | Technical Training
Westinghouse offers cyber security training to utilities several times per year, focused on the topics of: Operating Systems and Application Security, Network Security, Monitoring and Incident Response and Vulnerability Scanning and Virtualized Testing. If you would like to attend this training, contact your Westinghouse representative, or contact us directly at westinghousenuclear.com/Contact_Us/contact_us.asp.
Description
Legacy systems are systems that are no longer supported by their vendors, and can include older Linux® or Windows® operating systems, Ovation® version 2.3 and older, and similar systems. The unsupported nature of these systems means that it may not be technically feasible to implement the regulatory guide’s controls as they are currently written.

The regulatory guides allow alternate controls for unsupported systems to be used in place of the original controls in cases where it is not technically feasible or safe to implement the original control due to the nature of the system. Any alternate controls must provide at least the same amount of protection against the intended threat vector as the original control. Westinghouse cyber security professionals are experienced with implementing alternate controls to meet the guidance of RG 5.71 and NEI 08-09. Such alternate controls may include system hardening, patching, firewalls, implementing data diodes or other physical security measures.

Using the Westinghouse lab environment, legacy systems can be tested and assessed to verify compliance with NEI 08-09 or RG 5.71 controls, test patch updates and determine other alternate solutions, which may include additional cyber security devices and services. Additionally, customized policies and procedures can be written that support implementing and maintaining the alternate controls for legacy systems to provide ongoing compliance once an alternate control has been implemented.

Background
As technology continuously develops and changes, vendor companies typically phase out support for the older versions of software, even though they are still widely used. In nuclear power plants, those unsupported systems are still required to comply with the regulations that stem from 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” Guidelines for meeting this regulation can be found in the Nuclear Regulatory Commission Regulatory Guide (RG) 5.71 and the Nuclear Energy Institute (NEI) 08-09 documents. While it is not recommended that legacy systems are maintained, due to the security implications of unsupported systems, many nuclear facilities still operate while using older systems. These systems may be more vulnerable than current systems due to the termination of vendor support. Since these older systems may not be able to implement the controls in RG 5.71 or NEI 08-09, but are still required to be secured, alternate controls must be implemented to become compliant with 10 CFR 73.54.
Cyber Security Services: Legacy System Security
www.westinghousenuclear.com
July 2013 NA-0137
Benefits
Experience – Westinghouse has experience implementing alternate controls for legacy systems and can assess legacy systems to implement appropriate and fully compensating alternate controls.

Knowledge of Older Systems – Through its long-term association with Emerson Process Management, Westinghouse is the industry Ovation expert, capable of investigating the use of, and implementing alternate controls on, legacy Ovation and Westinghouse Distributed Processing Family systems (Ovation 2.3 and older).

Solution Verification – Beyond implementation, Westinghouse can verify that the original intent of the control is met, that the alternate provides at least the same level of protection as the original control, and that the policies and procedures are in place to maintain the alternate control.
Linux, Ovation and Windows are trademarks or registered trademarks of their respective owners. Other names may be trademarks of their respective owners.
Background
While measures such as system hardening and intrusion detection provide cyber security, a higher level of security is achieved by including host-based security in a security strategy. Because these are measures on each individual system or host, they are better able to detect and sometimes prevent malicious attacks. Industry regulations also require this level of security. The Nuclear Regulatory Commission (NRC) has produced Regulatory Guide (RG) 5.71 and the Nuclear Energy Institute (NEI) has produced NEI 08-09 to assist plants in meeting 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These regulatory guides require licensees to secure their critical digital assets, and some host-based security applications can be leveraged to provide additional protection. With a large variety of host-based products on the market today, selecting the appropriate solution for a particular control system may be difficult.

Description
Westinghouse cyber security experts are experienced with the top solutions for securing critical digital assets using host-based security systems, and work so that the control requirements outlined in the regulatory guides are met.

The Westinghouse solutions are based on the individual needs of the customer and include:
• Antivirus Software – System files are quarantined if they match signatures of known malware. Westinghouse provides monthly signature updates.
• Patch Management – Operating system and some application patches are managed and installed from a central server. Patches are provided monthly.
• Application Control (Application White Listing) – A software agent on each client permits only white-listed applications to execute.
• File Integrity Monitoring (Host Intrusion Detection System) – Certain system files, folders and configuration settings are monitored for changes.
• Device Control – The use of devices such as removable media is monitored. Permission to use devices can be restricted, based on user or computer.
• Host Intrusion Prevention System – It provides behavioral analysis and a dynamic stateful firewall at the host level.
• Backup and Restore – Each client host is backed up to a file server so the machine can be restored in the event of a system failure.
• Vulnerability Management – System assets are scanned to detect vulnerabilities and configuration changes. Authenticated scans can be used to avoid conflicts caused by probing network ports.
Cyber Security Services: Host-based Security Solutions
www.westinghousenuclear.com
July 2013 NA-0139
Benefits
Westinghouse applies nuclear expertise to top industry security products so that host-based critical digital assets are secured in a way that shows compliance with the regulatory guides. Westinghouse’s cyber security services team has experience securing plant control systems, as well as internal operating environments, including the Westinghouse Secure Development and Operating Environment. Westinghouse has performed both NEI 08-09 and RG 5.71 cyber security assessments on many different kinds of critical digital assets in the plants. We also are familiar with the requirements of the regulatory guide in relation to the threat vectors concerning existing plant systems. While not all solutions will work with every nuclear facility’s operating environment, this experience gives Westinghouse insight into which solutions work best for an individual plant.

If a customer wishes to test host-based solutions prior to purchase and installation to provide safe integration with existing control systems, Westinghouse can provide this service through cyber security labs.

By implementing host-based security solutions, the following controls may be addressed in whole or in part:
RG 5.71 | NEI 08-09 | Control Title
B3.21 | D3.20 | Heterogeneity
B5.1 | D5.1 | Removal of Unnecessary Services and Programs
B5.2 | D5.2 | Host Intrusion Detection System
B5.3 | D5.3 | Changes to File System and Operating System Permissions
B5.4 | D5.4 | Hardware Configuration
B5.5 | D5.5 | Installing Operating Systems, Applications, and Third Party Software Updates
C3.2 | E3.2 | Flaw Remediation
C3.3 | E3.3 | Malicious Code Protection
C3.4 | E3.4 | Monitoring Tools and Techniques
C3.7 | E3.7 | Software and Information Integrity
C.9.6 | E.8.5 | CDA Backups
C.9.7 | E.8.6 | Recovery and Reconstitution
C11.3 | E10.3 | Baseline Configuration
C11.4 | E10.4 | Configuration Change Control
C11.6 | E10.6 | Access Restrictions for Change
C11.7 | E10.7 | Configuration Settings
C11.8 | E10.8 | Least Functionality
C11.9 | E10.9 | Component Inventory
Cyber Security Services: Vulnerability Scanning and Virtualized Testing
Background
The U.S. Nuclear Regulatory Commission has produced Regulatory Guide (RG) 5.71, and the Nuclear Energy Institute (NEI) has produced NEI 08-09 to assist plants in meeting 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These regulatory guides require licensees to perform vulnerability scanning and testing, as described in RG 5.71, Appendix C, Section 4.1.3, “Vulnerability Scans and Assessments” and NEI 08-09, Appendix A, Section 4.4.3.2, “Vulnerability Scans.” These requirements, which address the establishment, implementation and maintenance of a cyber security program, present challenges to ensure that safety, security and emergency preparedness functions of nuclear facilities are not negatively impacted by the vulnerability scanning and testing process.

Description
Westinghouse and CORE Security® have entered into an agreement in which Westinghouse may resell CORE Insight® and CORE Impact®. CORE Security is a leading provider of predictive security intelligence solutions. With these products, Westinghouse will assist customers in meeting the remediation, monitoring, verification and cyber threat evaluation and management requirements found in RG 5.71 and NEI 08-09.

CORE Insight Enterprise
CORE Insight allows Westinghouse cyber security experts to perform:
• Exploit Validation and Simulation – High-risk vulnerabilities identified by scanners alone do not provide the information required to effectively target systems for patching or reconfiguration. CORE Insight provides the ability to model multi-tiered networks by importing topology information from network devices, automate the vulnerability validation process by continuously validating exploits with the known threats, prioritize real exposures and visualize all possible attack paths. With these attack paths identified, security resources can focus on updating systems that add risk to critical digital assets.
• Categorize Assets – CORE Insight identifies the importance and value of network assets through direct integration with common asset management (including spreadsheets), network configuration and vulnerability management tools. This automated classification, along with the ability to perform custom labeling during the implementation process, allows organizations to grade assets based on data sensitivity, location, user and other important operational characteristics. Identifying each asset’s value, and its context within the business, greatly improves risk intelligence and threat prioritization.
www.westinghousenuclear.com
July 2013 NA-0140
CORE Insight, CORE Impact and CORE Security are trademarks or registered trademarks of CORE SDI, Inc. Other names may be trademarks of their respective owners.
CORE Impact Pro
CORE Impact Pro provides the capability to replicate multi-staged cyber attacks that leverage compromised end-user systems to target backend resources, revealing how chains of exploitable vulnerabilities can open paths to critical systems and data. By safely replicating real-world attacks against network systems, customers can determine the real threats to their networks.

Benefits
No Harm to Systems – Using the virtualization of a target network topography with CORE Insight and the cyber attack replication capabilities of CORE Impact, the vulnerability testing requirements can be met while minimizing the risk of damaging nuclear facility systems. These CORE solutions partnered with Westinghouse nuclear cyber security expertise provide a powerful and safe resource to handle the requirements and challenges that are unique to the nuclear industry.

Knowledgeable Professionals – The Westinghouse cyber security team is professionally certified in performing these vulnerability tests. Some of these certifications include:
• Certified Penetration Testing Specialist (CPTS)
• GIAC Certified Incident Handler (GCIH)
• GIAC Assessing and Auditing Wireless Networks (GAWN)
• GIAC Systems and Network Auditor (GSNA)
• Core Impact Certified Professional (CICP)
• Core Impact Certified Advanced Professional (CICAP)

Testing Environment – NEI 08-09 allows test beds and vendor-maintained test environments to be used for performing vulnerability scans. Westinghouse provides testing services either onsite or in the Westinghouse laboratory environment, thus minimizing risk to production systems and verifying compliance with NEI Appendix E controls. The controls that are addressed by these vulnerability tests include:

RG 5.71 | NEI 08-09 | Control Title
C3.2 | E3.2 | Flaw Remediation
C3.4 | E3.4 | Monitoring Tools and Techniques
C3.6 | E3.6 | Security Functionality Verification
C13 | E12 | Evaluate and Manage Cyber Risk
Background
Investigating and implementing security solutions such as antivirus software and logging or intrusion detection requires resources including hardware, software, experience and time to test. Westinghouse’s cyber security lab provides these resources to select the appropriate products and to test product functionality.

Description
Westinghouse provides experienced cyber security personnel and an environment in which hardware and software solutions can be evaluated, and combinations of software solutions can be verified and validated. For example, Westinghouse’s cyber security lab has:
• Evaluated non-Microsoft directory service solutions
• Verified unidirectional gateway rules
• Validated antivirus solutions on legacy hosts
• Demonstrated host-based configuration change control clients

Services offered through Westinghouse’s cyber security lab include:

Solution Validation – Testing that can validate whether or not security solutions will work with plant control systems, and whether or not they will interfere with system functions. Solution validation can include:
• New product testing
• System hardening
• Security product integration
• Host-based client integration
• Active directory configuration management

Ovation™ Control Systems Testing – Westinghouse, a recognized source of Ovation expertise, can perform the verification and validation of a variety of solutions with most versions of Ovation. These solutions may be additional requests to the standard Ovation Security Center suite, or alternate products from the standard Ovation Security Center. (See the “Ovation Security” product sheet for more information.)

Legacy Systems Testing and Assessment – The Westinghouse lab provides the ability to test technical solutions on older, unsupported systems. This service verifies compliance with Nuclear Energy Institute (NEI) 08-09 or U.S. Nuclear Regulatory Commission Regulatory Guide 5.71 controls, tests patch updates, and determines alternate solutions when the required controls are not technically feasible. (See the “Legacy System Security” product sheet for more information.)

Solution Provider – Westinghouse regularly tests new products and services to determine the validity and applicability to the nuclear industry. Westinghouse works to provide additional and specific nuclear industry value and support to commercial, off-the-shelf solutions. This value-added content assists utilities in addressing the regulatory guide’s cyber security controls.
Cyber Security Lab
www.westinghousenuclear.com
July 2013 NA-0141
Ovation is a trademark or registered trademark of Emerson Process Management. Other names may be trademarks of their respective owners.
Benefits
Westinghouse has the expertise, investment in hardware and software, space and time to test and validate the best solutions, providing plants with the following benefits:
• Advance knowledge of how solutions under consideration will actually integrate with plant control systems so that the correct solution will be chosen
• As NEI 08-09 allows test beds and vendor-maintained test environments to be used for performing vulnerability scans, testing services either on-site or in the Westinghouse labs, thus minimizing risk to production systems (see the “Vulnerability Scanning and Virtualized Testing” product sheet for more information)
• Cyber security expertise and a fully equipped lab that evaluates software to give plants access to other resources within Westinghouse. For example, using Westinghouse plant knowledge, a topology of the test system can be built
• Solutions to a number of the cyber security controls in the regulatory guides, as well as verification of alternate controls
• Access to results from solutions that have already been tested in the lab

While regulatory compliance depends on each individual situation, Westinghouse’s cyber security lab aids in compliance with such controls as:
RG 5.71 | NEI 08-09 | Control Title
B5.3 | D5.3 | Changes to File System and Operating System Permissions
B5.4 | D5.4 | Hardware Configuration
B5.5 | D5.5 | Installing Operating Systems, Applications, and Third Party Software Updates
C3.3 | E3.3 | Malicious Code Protection
C3.4 | E3.4 | Monitoring Tools and Techniques
C6 | E6 | Defense-in-Depth
C11.3 | E10.3 | Baseline Configuration
C11.4 | E10.4 | Configuration Change Control
C11.7 | E10.7 | Configuration Settings
Cyber Security Services: AssessmentsBackgroundAs technology use increases in the nuclear industry, so does the need to secure the critical digital assets (CDAs) from cyber attack. The U.S. Nuclear Regulatory Commission recognized this fact and issued Regulatory Guide (RG) 5.71, and the Nuclear Energy Institute (NEI) followed with NEI 08-09. Both documents assist plants in meeting the requirements of 10 CFR 73.54, “Protection of digital computer and communication systems and networks.” These regulatory guides require licensees to secure their CDAs within a timeframe specified within their Cyber Security Plans.With 547 controls to be evaluated for every CDA in the plant (according to the Westinghouse breakdown of NEI 08-09), this will be a large commitment. The additional work necessary to complete this effort stretches operating resources. Westinghouse has the expertise and technology to conduct these assessments with the right nuclear mindset.
Description
The Westinghouse Cyber Security Assessment team provides a solution to licensees, with options that include consulting with plant personnel, conducting assessment training, or performing the full assessment. This team has conducted NEI 08-09 and RG 5.71 assessments for several plants and has developed an efficient assessment methodology. Westinghouse has customized Lumension® Risk Manager (LRM) with nuclear content and, along with the assessment methodology, is able to expedite the assessment process. The assessment methodology uses the commonalities among CDAs, devices and plants, and uses LRM to eliminate redundant work and automate parts of the assessment process. The Cyber Security Assessment team classifies CDAs into 16 common control groupings and determines the complexity level for each. This information is implemented in LRM, which allows every control to be assessed for every CDA with a detailed and specific score and observation.
With experience, a proven methodology and a customized tool, Westinghouse is well-positioned to perform plant assessments in a fraction of the time that it typically takes for plants to complete them.
Nuclear Automation
Westinghouse Electric Company
1000 Westinghouse Drive
Cranberry Township, PA 16066
www.westinghousenuclear.com
July 2013 NA-0142
©2015 Westinghouse Electric Company LLC. All Rights Reserved
Lumension is a trademark or registered trademark of Lumension Security, Inc. Other names may be trademarks of their respective owners.
Benefits
The Cyber Security Assessment service provides numerous benefits:
Time Savings – Westinghouse expertise, methodology and custom tools can save plants significant time assessing each control to determine and document compliance with NEI 08-09. The following table shows the effort required for plant personnel to assess the 547 controls for an estimated 500 CDAs at an average of 6 minutes for each control, compared to the estimated Westinghouse effort.
Straight Assessment Effort for 500 CDAs: 27,350 (hr)
Westinghouse Methodology:
Control Scope Controls Effort (hr)
Fleet/Site Specific Controls 285 29
Network Specific Controls 81 8
Device Type Specific Controls 145 15
Location Specific Controls 27 3
Average CDA Specific Controls 180 9,000
Total Westinghouse Effort* 9,055
*Further efficiencies can be achieved depending on device commonality and complexity. This information is provided for illustrative purposes only.
Remediation – The Cyber Security Assessment team can identify the CDAs that are not compliant and recommend remediation for them. Remediation may include applying a technology or an alternate control to become compliant with the control’s requirements.
Experience – The Cyber Security Assessment team has unparalleled experience assessing the CDAs within plants, and the cyber security knowledge and expertise to quickly determine compliance with the control requirements.
Flexible Options – The Cyber Security Assessment team works with the plant to provide the level of service desired, from full assessment, to training, to consulting with plant staff.
Cyber Security Services: Ovation™ Security
Background
U.S. Nuclear Regulatory Commission (NRC) requirements for cyber security create a challenge for existing plant control systems. NRC Regulatory Guide 5.71 and Nuclear Energy Institute (NEI) document NEI 08-09 detail the requirements to comply with 10 CFR 73.54, “Protection of digital computer and communication systems and networks.”
Plants that use Ovation™ control systems have tools available to secure their control systems and comply with current cyber security regulations.
Description
As a long-time supplier of Ovation products and custom content for nuclear plant instrumentation and control systems, Westinghouse is well equipped to maintain the security of Ovation systems and to meet the regulatory requirements for controls. Westinghouse uses a standard configuration to harden new Ovation systems. This framework can be adapted to existing systems, based on custom settings and legacy versions of Ovation. Westinghouse also can build new Ovation systems in a secure development and operating environment (SDOE) to maintain the integrity of the system and protect it from tampering. New Ovation systems can be built on the Westinghouse Isolated Development Infrastructure (IDI) to meet the need for an SDOE. In addition, Westinghouse has partnered with McAfee® to provide antivirus solutions, making Westinghouse an excellent choice for securing Ovation systems.
Solutions are based on customer needs. The Ovation Security Center (OSC) contains third-party products configured and validated to run with Ovation. Westinghouse offers additional security functions through McAfee. These solutions allow plants to choose the options that meet their needs. Westinghouse cyber security experts customize and install the selected solution.
July 2013 NA-0144
Ovation is a trademark or registered trademark of Emerson Process Management.
McAfee is a trademark or registered trademark of McAfee, Inc. Other names may be trademarks of their respective owners.
Benefits
With Westinghouse, there are multiple resources for solving Ovation security issues – OSC and McAfee – and the expertise to implement them. These solutions can include:
• Security Incident and Event Management (SIEM)* – Collects, stores and correlates system and security asset event logs. The Westinghouse SIEM product includes incident handling and replicates logs across a data diode.
• Application control* – A software agent on each client permits only white-listed applications to execute.
• Antivirus software* – Quarantines system files if they match signatures of known malware.
• Patch management* – Manages and installs operating system and some application patches from a central server.
• Backup and restore* – Backs up each client host to a file server so the machine can be restored in the event of a system failure.
• Network and attached storage* – Provides high-performance storage to share and protect critical data.
• Vulnerability management* – Scans system assets to detect vulnerabilities and configuration changes. Authenticated scans can be used to avoid conflicts caused by probing network ports.
• Device control – Monitors the use of devices such as removable media. Restricts permission to devices based on user, computer or device type.
• Network Intrusion Detection System (NIDS) – Monitors and analyzes system network traffic for indications of malicious activity.
• File integrity monitoring or Host Intrusion Detection System (HIDS) – Monitors certain system files, folders and configuration settings for changes.
• Host Intrusion Prevention System (HIPS) – Provides behavioral analysis, and a dynamic, stateful firewall at the host level.
*OSC Features
While regulatory compliance depends on the Ovation security products that are implemented, the controls that may be addressed include, but are not limited to, the following:
RG 5.71 NEI 08-09 Control Title
B.2 D.2 Audit and Accountability
B3.21 D3.20 Heterogeneity
B5.1 D5.1 Removal of Unnecessary Services and Programs
B5.2 D5.2 Host Intrusion Detection System
B5.3 D5.3 Changes to File System and Operating System Permissions
B5.4 D5.4 Hardware Configuration
B5.5 D5.5 Installing Operating Systems, Applications, and Third Party Software Updates
C.3 E.3 System and Information Integrity
C3.2 E3.2 Flaw Remediation
C3.3 E3.3 Malicious Code Protection
C3.4 E3.4 Monitoring Tools and Techniques
C3.7 E3.7 Software and Information Integrity
C.9.6 E.8.5 CDA Backups
C.9.7 E.8.6 Recovery and Reconstitution
C11.3 E10.3 Baseline Configuration
C11.4 E10.4 Configuration Change Control
C11.6 E10.6 Access Restrictions for Change
C11.7 E10.7 Configuration Settings
C11.8 E10.8 Least Functionality
C11.9 E10.9 Component Inventory
©2015 Toshiba Corporation
ES-2012-000096 Rev.1 (1/2)
• Generator life extension by replacement or stator rewind
• Coolant leak proof design
• Reduction of armature electrical loss
History and experience
Toshiba has extensive experience in supplying nuclear power plants and thermal power stations in domestic (Japan) and overseas markets. The growth in maximum generator unit capacity is shown below. Toshiba has 1,690 MVA class generator manufacturing experience and has completed the shop test.
Technology - Stator coil water tightness
Water-cooled generators have sometimes experienced water leakage at the stator coil ends. Toshiba has used improved brazing technology to prevent water leakage since 1994 and has an excellent operating record. Toshiba has studied water leakage in water-cooled generators since 1990, and conducted extensive research from 1992 to 1994 to improve clip and strand brazing. The resulting clip-to-strand brazing technology achieves a remarkable reduction of voids in the brazed area and stays watertight longer than conventional brazing. All generators installed or rewound after 1995 have adopted this brazing technology.
Technology – Detecting wet bars
Toshiba has developed water leakage detection technology for both Toshiba-manufactured and non-OEM units. Early detection can reduce the risk of an unexpected outage.
Potential Mapping Test (non OEM)
Description
Toshiba is a leader in the electrical power generation equipment market, with some of the world’s largest and most reliable generators. It achieves this by applying advanced cooling technology, minimizing water leak risk with an improved stator bar clip, and providing long-term thermal stability with class F insulation.
Replacement Technology and Experience
Generator Stator Coil Rewind Technology and Experience
Toshiba has stator coil rewinding experience of 106 units as of 2011, including non-OEM units. Toshiba generator rewinds provide high-reliability coil insulation: class F insulation in thermal resistance, which excels in mechanical properties, especially fatigue characteristics, as well as in electrical properties, compared with conventional class B insulation. This insulation is superior not only initially but also in the long term. In addition, the stator coils apply a clip-to-strand brazing method that minimizes coolant leaks and extends the life of the stator insulation.
Service Menu
Generator replacement
- Renewal
- Up rating/efficiency improvement
- Accident
Spare rotor/stator coil
Stator rewind/repair
- Deterioration
- Water leak/flow restriction
- Vibration at coil end
- Up rating/efficiency improvement
Rotor rewind/repair
- Re-insulation
- Fatigue, creep, SCC
- Shaft vibration
- Shorted turns
Test, inspection, monitoring, diagnosis
- Stator/Rotor insulation
- Shaft forging
Troubleshooting
- Failure analysis
- Corrective actions
ES-2012-000096 Rev.1 (2/2)