Qualification Lifecycle and Methods of Obsolescence Management of the Invensys Tricon

1. Qualification Lifecycle and Methods of Obsolescence Management of the Invensys Tricon Joseph Murray15 Sept 2005

2. Presentation purpose To discuss: Qualification 12/2001 SER issuance Post SER items Supplier problems with safety system obsolescence Invensys Triconex path forward in equipment qualification Cross industry standards and tri-lateral cooperation for obsolescence management

3. Triconex Background Founded in 1983 with headquarters in Irvine, CA Designed to support the need for single train high reliability emergency shutdown safety systems and critical control systems. Developed the high reliability, high availability Triple Modular Redundant (TMR) Fault Tolerant Controller based on the NASA concept. Designed with high percentage of internal diagnostic coverage and no single point of failure with full on-line repair capabilities. Designed for life cycle concerns with full backward compatibility of all new upgrades.

4. Triconex Background Shipped first system in 1986 Still in Service Presently more than 6000 systems placed in service 240,000,000 hours of cumulative service without a failure to perform on demand Number 1 supplier of safety systems worldwide

5. Certification-Compliant These are examples of the standards with which we comply: IEC 61508 Functional Safety of Electrical/ Electronic/ Programmable Electronic Safety Related Systems IEC 61131-2/2000 Programmable Controllers, Equipment Requirements and Tests (Includes all sub test for EMI/RFI and Environmental DIN V 19250 Fundamental Safety Aspects to be Considered for Measurement and Control Protective Equipment DIN V VDE 0801 Principles for Computers in Safety Related Systems DIN VDE 0116 Electrical Equipment of Furnaces EN 54 Fire Protection and Fire Alarm Systems

6. Certification-Compliant National Fire Protection Association NFPA 72/96 National Fire Alarm Code NFPA 8501 Standard for Single Burner Boiler Operation NFPA 8502 Standard for the Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers SEMI 2 Environmental, Health, and Safety Applications in Semiconductor Manufacturing Facilities EPRI TR-107330 [1996] �Generic Requirements Specification for Qualifying A Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants� EPRI report 1000799 [2001] �Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant Programmable Logic Controller system for Safety-Related Applications in Nuclear Power Plants�

7. Certification-Approvals Factory Mutual Research (FM) Report 3010681 � �Hazardous (Class 1, Division 2) Locations� Canadian Standards Association (CSA) European Union - CE Mark T�V Rheinland Report No. 968/EZ 105.03/01 AK1 � AK6 (DIN V 19250, DIN V VDE 0801) SIL 3 (IEC 61508) NRC Safety Evaluation Report ADAMS Accession Number ML013470433

8. Qualification Project Bases EPRI TR-107330 - �Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants� Quality Assurance Detailed Testing Requirements Engineering Analyses Documentation Project Planning Quality Assurance Plan Master Test Plan Software Quality Plan

9. SER SER issued in 2001 Accepts suitability of Triconex App. B program Acknowledges future software upgrades �It should be noted, however, that acceptance of the Tricon PLC system is based to a large degree on the T�V-Rheinland independent review, and any future version of the Tricon PLC system will require an equivalent level of independent V&V in order to be considered acceptable for safety-related use in nuclear power plants.� This acceptance by the NRC of the T�V-Rheinland independent V&V helps unite our U.S. nuclear program with our international safety systems program.

10. Triconex since SER issuance Appendix B supplier Numerous client audits; H/W & S/W R&D, manufacturing, projects. NUPIC/NIAC based Audits, for which other utilities are taking credit Continual T�V testing & certification Also a part of our continuous qualification process of software upgrades (per SER)

11. Triconex since SER issuance (cont.) SW upgrades for 1E service Complete V&V Added layer of V&V independence through T�V All changes per approved proceduralized process All changes include full change analysis prior to inclusion on NQEL (Nuclear Qualified Equipment List) HW upgrades for 1E service Small grouping by analysis Specific function testing

13. Obsolescence Issues; The Supplier�s Dilemma Electronic Circuitry is becoming more complex � The Good Higher Reliability Better self diagnostics More complex controls capabilities Lowered maintenance costs and less calibrations. Electronic Circuitry is becoming more complex � The Bad Greater V&V expenses for any circuit upgrade Greater R&D expenses for any circuit upgrade Individual component life cycle time is decreasing causing shortened time between upgrades for end product version. 25 Years ago a complex electronic component could have a life cycle of 10 years. Now, it can be as low as 2-3 years!

14. Obsolescence Issues; The Supplier�s Dilemma (cont.) How do we handle our obsolescence issues? Buy stock of spare components based on forecasted usage. Age concerns New unknown age related failure modes Drive suppliers Not unless we buy millions of chips Focus R&D on using components driven by other industries Worked well for us with new microprocessors The methods chosen help to minimize the high costs associated with changes to safety circuitry.

15. Internal Testing Concerns Numerous testing standards to meet TUV IEC FM NRC EPRI IEEE DNV Becoming Overwhelming!

16. Triconex Direction Triconex is committed to remain in the nuclear business, and continue to produce qualified product. Milestone in forming future qualification testing plans was the issuance of RG 1.180, Rev. 1, October, 2003, EMI/RFI guidelines Allows for the use of IEC standards Same standards used in our recurring TUV testing. Triconex will embrace RG 1.180, Rev 1 for all future testing in place of EPRI TR-102323 and will continue testing IAW EPRI-TR-107330 as endorsed and performed in the Triconex SER.

17. Triconex Recurring Test Plan Cover all governing bodies in one recurring test Allows continuous adding of product to NQEL, and increases cost-benefits, enhancing future viability in all Safety markets. Allows for a simplified testing regimen

18. Maintaining Safety Equipment Offerings Suppliers of safety equipment are tied to cycles of the industry served. Equipment built and tested to support only nuclear safety systems can not justify long term investments in upgrading safety offerings with no forecast for long term sales! Other industries also use qualified safety equipment. Nuclear must look beyond their own industry for the sake of allowing sustainable progression of modernized safety related equipment. Suppliers who can supply cross industries can survive. Peaks and Valleys smooth Dependant upon the costs of varied standards. (varied standards?)

19. The Heart of the issue from three sides - COOPERATION

20. The Heart of the issue from three sides (cont.) Regulators Are equipment requirements for safety related digital systems the same in all countries? Recent business with five Nuclear countries showed variations in qualification testing and documentation requirements. Do the regulators understand the impact that they have on obsolescence issues? Unique rules for equipment qualification places suppliers in a non-tenable business position. Non-viable product lines become obsolete quickly Obsolete equipment in power plants causes well known commercial and quality problems

21. The Heart of the issue from three sides (cont.) End-Users Equipment upgrade specifications - Are they written to fulfill your dream system? Are they written without the knowledge of industry standards in use elsewhere? Equipment upgrade specifications - Should be written to satisfy the safety and reliability needs of your plant while supporting long term maintainability (or you will be doing this again very soon!) Should not require or request custom circuitry of any kind. Guaranteed immediate obsolescence.

22. The Heart of the issue from three sides (cont.) Manufacturer/Suppliers We must learn to say �NO� and push Many companies want the business to support today's profit margins, and are willing to sell anything with either: No thought to the clients future obsolescence issues or: Thoughts of being there to take advantage of obsolete, unsupported equipment.

23. SUMMARY Triconex Tricon is designed and built to meet numerous domestic and international safety standards. Invensys Triconex is committed to long term support of the nuclear industry by providing continuously qualified upgrades to resolve obsolescence issues Invensys Triconex plans to combine our varied testing programs to one all encompassing test on a recurring basis based on the merging U.S. and IEC standards.

24. SUMMARY (cont) Invensys Triconex to �suggest� to clients that they work towards using standard offerings, and not custom equipment. Invensys Triconex urges closer cooperation of individual country governing bodies on adoption of universal standards to allow companies a cost effective path to maintain current qualified offerings. (IAEA and EPRI) Requires cooperation by licensees, regulatory bodies, and vendors for the mutual benefit of all.