# **9**<sup>th</sup> International Workshop on Application of FPGA in NPP, hosted by EDF SEPTEN in cooperation with the IAEA and SunPort SA



# Schedule for the 10<sup>th</sup> International Workshop on Application of FPGA in NPP 2018, November 22~24, Gyeongju, Korea










#### **Doosan Heavy Industries & Construction**

DI&C Technology to Upgrade Analog Systems with Digital Equipment in Operating NPPs

Nam Chae Ho, Lyon, France, Oct 3, 2016




# **Table of Contents**

#### 1. Introduction

- Background

#### 2. DI&C Solution

- CCF: different person, organization & platform...
- SPV: redundancy & combination architecture
- Cyber security: critical vulnerability, combining white & black list technology, etc.
- Class 1E FPGA based platform: V&V, EQ

#### 3. Additional suggestion

- Code simulator is good for validation of a newly developed system



## **I. Introduction** - Background - CCF

- CCF requirements are continuously being increased to ensure the safety & reliability of NPPs
  - ✓ The regulatory body requires a safety analysis of CCF under LBLOCA
  - ✓ A DPS design change was requested to add the function of the PPS





### I. Introduction - Background - SPV

- SPVs are continuously being removed to enhance the reliability of NPPs
  - SSPS still has more than 80 SPVs

#### **Good Practice - Zero SPV CEDMCS**

♦ After analyzing the SPVs of CEDMCS, 297 SPVs were found.

♦ Finally, CEDMCS was renovated into a '0' SPV system:

- Step 1 (Identify): Define the single point vulnerabilities
- Step 2 (Evaluate): Scrutinize all items
- Step 3 (Design): Eliminate or mitigate SPVs
- Step 4 (Test): Verification & validation of all items

#### Enhance Maintainability & Testability

- On-line replacement of PCM or electronic cards



Figure: Test by CRCS (3-Coil Type) & CEDMCS (4-Coil Type) MMI




SPV: Single Point Vulnerability

### **I. Introduction** - Background – Cyber security

- The issue of cyber security features & safety functions
- Conflict between safety functions & cyber security features: implementation of cyber security features shall not adversely impact safety functions.



Reference document: IEEE Std. 7-4.3.2-2016, 5.9.3 Interaction between cyber security features and safety functions



- Countermeasure for CCF issues
  - A different platform for the PPS will resolve the CCF issues without a DPS
  - ✓ As is: Class 1E protection system and non-Class 1E DPS
  - ✓ To be: Class 1E independent protection systems using different platforms
  - ✓ For example, an FPGA-based PPS and a PLC-based PPS used at the same time.





- Countermeasure for SPV issues
  - Redundancy & combination IC eliminate the SPVs of the protection system
  - ✓ As is: single two-train trip logic
  - ✓ To be: redundant & combination trip initiation circuit



Section 1.9 of BTP 7-19 Revision 6 ..... CCF, as mentioned by Sergio Russomanno this morning

# You can see the real solution of CCF at the 10<sup>th</sup> FPGA W/S in Gyeongju



## Redundant with independent platform architecture for Protection Systems





- Countermeasure for CCF & SPVs
  - Redundancy & combination IC remove the SPVs and address the CCF
  - ✓ Independent platforms together with combination trip circuits address both issues.
  - ✓ The combination trip initiation logic consists of parallel and/or series hardwired contacts (NC and/or NC contact)

| Fail Mode | Operation Mode | Normal Operation (Operability) | Safety Function (Reliability) |
|-----------|----------------|--------------------------------|-------------------------------|
| CCF       | Open Fail      | O                              | O                             |
|           | Close Fail     | O                              | O                             |
|           | Toggle Fail    | X                              | O                             |
| SPV       | Trip Component | O                              | O                             |
|           | Vital Bus Fail | O                              | O                             |

(O: maintained, X: not maintained)



#### Independent Monitoring/Diagnosis of Cyber Attack

The monitoring function must continuously watch for signs of attack and compromise on all covered devices, e.g. by monitoring for unknown (or un-designed) data packets and for unauthorized clients or MAC addresses.
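As an added illustration of this monitoring idea (not code from the presentation or from Doosan), the following allowlist monitor compares observed packets against the designed communication profile and the commissioned client MACs, raising an alert for anything un-designed; the gateway addresses, ports, MACs and sample capture are all constructed.

```python
# Added example (not from the presentation): an allowlist monitor for a closed
# I&C network that flags un-designed data packets and unauthorized clients/MACs.
# The flow profile, MAC list and sample packets below are constructed for the
# illustration; real gateways, addresses and ports will differ.
from collections import namedtuple

Packet = namedtuple("Packet", "src_mac dst_ip dst_port proto")

# Designed communication profile: every flow the system was engineered to carry
# (assumed values for two gateways).
DESIGNED_FLOWS = {
    ("10.1.1.10", 102, "tcp"),   # assumed: PLC-based PPS gateway
    ("10.1.1.20", 502, "tcp"),   # assumed: FPGA-based PPS gateway
}
# Clients that were commissioned on the network (assumed values).
AUTHORIZED_MACS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}


def classify(pkt):
    """Return the alert tags raised by one packet; an empty list means designed traffic."""
    tags = []
    if pkt.src_mac.lower() not in AUTHORIZED_MACS:
        tags.append("UNAUTHORIZED_MAC")
    if (pkt.dst_ip, pkt.dst_port, pkt.proto.lower()) not in DESIGNED_FLOWS:
        tags.append("UNDESIGNED_FLOW")
    return tags


def monitor(packets):
    """Run the allowlist check over a packet stream; returns (tag, src_mac, flow) tuples."""
    findings = []
    for pkt in packets:
        flow = f"{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}"
        for tag in classify(pkt):
            findings.append((tag, pkt.src_mac, flow))
    return findings


# Constructed sample capture: two designed packets, then three deviations.
SAMPLE_PACKETS = [
    Packet("00:1a:2b:00:00:01", "10.1.1.10", 102, "tcp"),  # designed
    Packet("00:1a:2b:00:00:02", "10.1.1.20", 502, "tcp"),  # designed
    Packet("00:1a:2b:00:00:01", "10.1.1.10", 80, "tcp"),   # known client, un-designed port
    Packet("de:ad:be:ef:00:01", "10.1.1.20", 502, "tcp"),  # unknown client on a designed flow
    Packet("de:ad:be:ef:00:01", "10.1.1.30", 22, "tcp"),   # unknown client, un-designed flow
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE_PACKETS):
        print(*finding)
```

Because the profile is an allowlist, a new client or a new port raises an alert without any attack signature, which is the property a closed I&C network can exploit for detection.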





## **II. DI&C Solution** - Countermeasure for Cyber Security

Blacklist vs. Whitelist technology

|                     | Traditional Anti-Malware Solution            | Harmonized whitelist technology<br>Solution |
|---------------------|----------------------------------------------|---------------------------------------------|
| Application control | Blacklist (known malicious applications)     | Whitelist (authorized applications only)    |
| Security Level      | Low                                          | High                                        |
| Response            | Reactive                                     | Proactive defense                           |
| Environment         | Internet-access<br>environments              | Closed network                              |
| Engine Size         | Continually requires<br>additional resources | Constant                                    |
| Resource usage      | High                                         | Low                                         |
| Maintenance         | Frequent updates required                    | Minimal updating and patching               |



## **II. DI&C Solution** - Countermeasure for Cyber Security

Harmonization (compromise, negotiation, ....) between safety and security is needed.

=> When applying a protection system (anti-malware), combine whitelist and blacklist technologies to satisfy both.



Figure: Multilayered anti-malware concept combining whitelist technologies
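To make the whitelist/blacklist comparison from the table concrete, here is an added example (not from the presentation or any vendor product) of a layered application-control decision: the whitelist of authorized executables is consulted first and a blacklist of known-malicious hashes acts as an independent second layer; all image contents and hashes are constructed.

```python
# Added example (not from the presentation or any vendor's product): a layered
# application-control decision that applies a whitelist of authorized executables
# first and a blacklist of known-malicious hashes as an independent second layer.
# Every hash below is derived from constructed byte strings standing in for images.
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: authorized applications only (closed network, constant engine size).
WHITELIST = {
    sha256_hex(b"constructed: pps-trip-logic-v1.2"): "pps_trip_logic",
    sha256_hex(b"constructed: hmi-display-v3.0"): "hmi_display",
}
# Layer 2: known-malicious images; small, and rarely updated in a closed network.
BLACKLIST = {
    sha256_hex(b"constructed: dropper-sample"): "known_dropper",
}


def conflicts():
    """Hashes present in both lists: a configuration error to resolve before enforcing."""
    return set(WHITELIST) & set(BLACKLIST)


def blacklist_only(image: bytes) -> str:
    """Traditional anti-malware: reactive, blocks only what is already known bad."""
    return "BLOCK" if sha256_hex(image) in BLACKLIST else "ALLOW"


def harmonized(image: bytes) -> tuple:
    """Whitelist first, blacklist second; anything not explicitly authorized is blocked."""
    h = sha256_hex(image)
    if h in BLACKLIST:
        return ("BLOCK", "blacklisted:" + BLACKLIST[h])
    if h in WHITELIST:
        return ("ALLOW", "whitelisted:" + WHITELIST[h])
    return ("BLOCK", "not-authorized:" + h[:12])


if __name__ == "__main__":
    unknown = b"constructed: never-seen-tool"
    print("blacklist-only:", blacklist_only(unknown))  # reactive: nothing known, so allowed
    print("harmonized:    ", harmonized(unknown))      # proactive: not authorized, so blocked
```

The unknown image is the case that separates the two columns of the table: the blacklist alone allows it until a signature exists, while the whitelist blocks it immediately.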



- Countermeasure for cyber security
  - **Cyber security: elicitation of cyber security controls**
  - Categorize and prioritize vulnerabilities as critical and non-critical vulnerabilities

- Threat-oriented elicitation of security controls
  - Focuses on critical vulnerabilities directly related to a threat
- APR-1400 with elicited cyber security controls
  - Checked by white hackers (AhnLab) through penetration testing (more than 2,000 test cases); the attack goal was not achieved

Protected from state-of-the-art (known and similar) attack techniques (e.g. STUXNET)

## II. DI&C Solution - Class 1E FPGA Platform – V&V

#### FPGA V&V is hard to achieve with IEEE Std. 1012 (the basis for NPP software V&V)

- [NUREG/CR-7006] IEEE 1012-2004 is a software-only standard and cannot be directly applied to the V&V process for FPGA-based systems. Even though the top-level V&V processes and underlying activities are generic and can be used for FPGAs, the low-level tasks are software specific and not directly applicable to FPGAs.
- But an FPGA has mixed characteristics of hardware and software
- → Harmonize existing FPGA standards and technologies into an IEEE Std. 1012-based SDLC (Software Development Life Cycle)
  - **IEEE Std. 1012:** Standard for Software Verification and Validation
  - NUREG/CR-7006: Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems
  - IEC 62566: Nuclear power plants – Instrumentation and control important to safety – Development of HDL-programmed integrated circuits for systems performing category A functions





#### Class 1E FPGA Platform – V&V

| IEC 62566 Section 9: HPD Verification                 | Application Notes                                                                            |
|-------------------------------------------------------|----------------------------------------------------------------------------------------------|
| 9.1 General                                           | Independent V&V team                                                                         |
| 9.2 Verification plan                                 | Software V&V plan in the concept phase                                                       |
| 9.3 Verification of the use of the pre-developed items | Original software                                                                            |
| 9.4 Verification of the design and implementation     | SRS, SDD document evaluation                                                                 |
| 9.5 Test-benches                                      | Test-benches to fulfil requirement and path coverage                                         |
| 9.6 Test coverage                                     | Path/branch coverage for component test; requirement coverage for integration test           |
| 9.7 Test execution                                    | Behavioral simulation using test benches; timing simulation                                  |
| 9.8 Static verification                               | NUREG/CR-7006 based type and syntax checking                                                 |

Figure: IEC 62566 development life-cycle of HPD (HPD requirement specification, HPD design specification, HPD implementation, HPD aspects of system integration, HPD aspects of system validation), with requirement verification and design verification across the phases.

*※ HPD : HDL-Programmed Device* 










#### Class 1E FPGA Platform – EQ

All EQ testing passed.

For example: Seismic (IEEE Std. 344-2004, Reg. Guide 1.29)

Figure: Seismic testing equipment configuration

## **II. DI&C Solution** - Class 1E FPGA Platform – EQ

#### OBE 5 times & SSE 1 time (Demo)

Figure: Accelerometers and displacement meter installation locations

#### Allowed tolerances during seismic testing

| No | Signal type     | Tolerance     | Etc.       |
|----|-----------------|---------------|------------|
| 1  | Analog Voltage  | 5 V ± 0.14%   | 4 channels |
| 2  | Analog Current  | 12 mA ± 0.14% | 1 channel  |
| 3  | Digital Voltage | 22 ~ 24 VDC   | 5 channels |





## Hardware-in-the-loop test facility including code simulator





# **III. Additional suggestions**

- Code simulator is good for validation of a newly developed system

Integrity confirmation test using the code simulator with malfunction scenarios.





# Thank you for listening

✓ Q&A by e-mail, to feel Lyon

chaeho.nam@doosan.com

