NET176_proof ■ 30 March 2016 ■ 1/11

Nuclear Engineering and Technology xxx (2016): 1–11

Available online at ScienceDirect
Nuclear Engineering and Technology
journal homepage: www.elsevier.com/locate/net

Technical Note

Development of Field Programmable Gate Array-based Reactor Trip Functions Using Systems Engineering Approach

Jaecheon Jung* and Ibrahim Ahmed
Nuclear Power Plant Engineering, KEPCO International Nuclear Graduate School, 1456-1 Shinam-ri, Seosang-myeon, Ulju-gun, Ulsan 689-882, Republic of Korea

Article history: Received 13 November 2015; Received in revised form 16 February 2016; Accepted 17 February 2016; Available online xxx

Keywords: Field Programmable Gate Array; Finite State Machine with Data Path; Reactor Trip Functions; Systems Engineering

Abstract

A design engineering process for field programmable gate array (FPGA)-based reactor trip functions is developed in this work. The process is based on the systems engineering approach. The overall design process is implemented effectively by combining the design and implementation processes, which transforms the overall development process from the traditional V-model to a Y-model. This approach gives the benefit of concurrent engineering of design work with software implementation and, as a result, reduces development time and effort. The design engineering process consists of five activities, which are performed and discussed: needs/systems analysis; requirements analysis; functional analysis; design synthesis; and design verification and validation. Those activities are used to develop FPGA-based reactor bistable trip functions that trigger a reactor trip when the process input value exceeds the setpoint. To implement design synthesis effectively, a model-based design technique is applied. The finite-state machine with data path structural modeling technique, together with the very high speed integrated circuit hardware description language and the Aldec Active-HDL tool, is used to design, model, and verify the reactor bistable trip functions for nuclear power plants.

Copyright © 2016, Published by Elsevier Korea LLC on behalf of Korean Nuclear Society.

1. Introduction

In the nuclear domain, the field programmable gate array (FPGA) is the most recent electronic device that is being considered by stakeholders to replace the software-based systems in performing the trip functions of the reactor protection system (RPS) of nuclear power plants (NPPs), because of its potential advantages such as simplicity, testability, long-term support, and being easier to qualify. The RPS is the most safety-critical instrumentation and control (I&C) system in NPPs. It safely trips the reactor whenever one or more of the monitored plant processes exceed predefined limits.

Due to the criticality of the RPS, the software used in programmable logic controllers (PLCs) is rated as high-integrity software, and is therefore assigned the highest software integrity level, 4. The higher the software integrity level, the higher

* Corresponding author. E-mail address: [email protected] (J. Jung).
This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0) which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
http://dx.doi.org/10.1016/j.net.2016.02.011
1738-5733/Copyright © 2016, Published by Elsevier Korea LLC on behalf of Korean Nuclear Society.

Please cite this article in press as: J. Jung, I. Ahmed, Development of Field Programmable Gate Array-based Reactor Trip Functions Using Systems Engineering Approach, Nuclear Engineering and Technology (2016), http://dx.doi.org/10.1016/j.net.2016.02.011


Fig. 1 – Design process (DOD MIL-STD-499B [4]). FPGA, field programmable gate array.

Fig. 2 – Y-model transformed from the traditional V-model for field programmable gate array based trip function design.

the demand for verification and validation (V&V) activities. As indicated by IEEE Std. 1012 [1], high-integrity software requires a larger set of V&V processes and a more rigorous application of V&V tasks.

By replacing the PLC-based system with an FPGA-based system, the use of an OS and complex software applications during plant operation can be minimized, if not completely eliminated. An FPGA is a digital semiconductor device that can be used as a replacement for the current microprocessor-based software systems. It is a digital programmable integrated circuit (IC) that contains thousands or millions of logic gates and interconnections that can be configured to implement the desired functionality. Even though the FPGA design process involves the use of configuration/programming software, the end product of the design can be regarded as a hardware-based system [2,3].

However, to replace PLC functionalities with an FPGA that performs the trip functions, the development of FPGA-based bistable trip algorithms is essential. Without the development of proper algorithms for the FPGA, the replacement is impossible.

Applying an FPGA to perform RPS functions requires proper and accurate development of the RPS bistable algorithms. If a proper and well-defined design process is applied to the FPGA-based RPS design, the V&V tasks can easily be achieved and design errors can be minimized. Therefore, the main focus of this work is to make the V&V of FPGA-based RPS functions simpler using the systems engineering approach in combination with finite-state machine with data path (FSMD) structural modeling techniques.

In order to develop FPGA-based reactor trip functions, the systems engineering approach defined by DOD MIL-STD-499B [4] is applied (Fig. 1). The rectangular boxes represent the stages of the development process. There are also inputs to and outputs from the design process. The inputs are the needs passed from need/system analysis to the requirements analysis phase, and the output is the final design outcome from design synthesis.

The development life cycles recommended by IEC 62566 [5] and EPRI TR1019181 [3] for FPGA development in NPPs are based on the traditional software V-model. FPGA design involves both hardware and software design processes. However, the classical software development life cycle is not suitable for the FPGA design life cycle. The Y-model is known for hardware-software codesign. The suitability of the Y-cycle for safety-critical software in NPP I&C systems was demonstrated by Jung et al. [6] using the 3-Step software development process, which concluded that around 50% of development time savings is expected to be achieved by adopting the Y-cycle. This leads to the Y-model, transformed from the traditional V-model, for FPGA-based trip function design (Fig. 2).

In the design and development of an FPGA system, the code is compiled and mapped onto the target architecture. The resulting intermediate implementation is then tested and evaluated with respect to timing, power consumption, cost, etc., using simulation and analysis. Based on these metrics, the designer decides on architecture and/or code adaptations. This process is repeated iteratively until a satisfactory design is found. Therefore, according to Hamann [7], the risk linked to the design flow under the Y-model is relatively small, since the designer can react to performance problems in each iteration and solve them.

The design synthesis phase, which comprises the design and implementation stages of the FPGA-based RPS functions, is


Fig. 3 – Trend of reactor trip events in Korea since 2000. I&C, instrumentation and control.

developed using FSMD architectural modeling techniques. An FSMD is a structural design method used for designing digital circuits. It is a suitable architectural model for a general-purpose algorithm, especially complex algorithms. Using the FSMD approach appropriately can lead to design optimization and a reduction in device power consumption [8,9]. It can also make V&V quickly and easily achievable.

A data path performs all computational operations such as data manipulation, calculation, comparison, data transfer, and data storage, while the finite-state machine (FSM) controller controls the operation of the data path. A typical data path is composed of three basic elements: (1) communication: buses, multiplexers, de-multiplexers, and functional units; (2) operators: adder, comparator, multiplier, shifter, etc.; and (3) storage: flip-flops, registers, etc.

An FSM is used to model a system that transits among a finite number of internal states. The block diagram of FSM controller and its corresponding state transition diagram. The transitions depend on the current state and the external input. An FSM consists of a state register (current-state logic), next-state logic, and output logic. In practice, the main application of an FSM is to act as the controller of a large digital system: it examines the external commands and status and activates the proper control signals to control the operation of a data path, which is usually composed of regular sequential components [10].

After modeling the algorithms with the aid of the Aldec Active-HDL design tool, the register transfer level (RTL) for the model is developed using the very high speed integrated circuit hardware description language (VHDL). The design is then verified to test the functionality of the developed algorithms using a test bench and simulation.

In summary, the following steps are followed in designing, modeling, implementing, and verifying the RPS trip algorithms: (1) FSMD interface definition for the trip algorithm; (2) data path design; (3) FSM design; (4) FSM state transition design; (5) VHDL coding; and (6) test-bench design and simulation.

2. Need and system analysis

Fig. 3 depicts the 249 reactor trip events reported since 2000 in Korean NPPs. Among those events, I&C failures account for 25%, which is the highest source of events [11]. This means that the I&C system has induced around 25% of reactor trip events in Korean NPPs over the past 16 years. Among the 63 of the 249 events, the digital system accounts for around half, while the analog system accounts for about one third of the total events.

I&C failure increases unavailability and causes either an unplanned trip or a technical specification violation. The most serious problem is the trend that I&C-induced reactor trip events are increasing. As shown in Fig. 3, I&C-induced events have been increasing since 2004, and there were nine reactor trip events in 2012 from 20 NPPs. This is the year when the first digital safety-critical I&C system (PLC-based) was in operation. The statistics indicate that there are issues regarding the introduction of digital systems into NPPs. Therefore, to analyze those issues, we performed a SWOT (strength, weakness, opportunity, and threat) analysis of the main I&C platforms used in the current systems.

Table 1 shows the SWOT analysis results for PLC-based and FPGA-based systems. As indicated, complete verification and validation is difficult in PLC-based systems. Since the microprocessor-based software systems are safety-related, regulations and standards require them to be subjected to rigorous V&V. However, the abundant functions and the resulting complexity of the software make the V&V of microprocessor-based software systems time-consuming and expensive (see Table 2).

In addition, software systems implemented on a PLC use microprocessors, which have a shorter product life cycle compared to some components in the nuclear industry. The most challenging aspect of all these problems in microprocessor-based software systems is the potential for common cause failure due to software errors. This is a condition in which all the redundant systems in a safety-critical system fail to work


when strongly demanded to safely shut down the reactor. The analysis performed by EPRI [12] on the reactor trip system concluded that the probability of digital failures and digital-based common cause failures is driven by the likelihood of functional specification faults in the application software. Also, experience indicates that the independence of failure modes may not be achieved in cases in which multiple versions of software are developed from the same software requirements [1,13,14].

Although the advantages of FPGA over PLC are overwhelming, FPGA also has some drawbacks. The limited experience of the nuclear industry is one of the disadvantages of FPGA. Although FPGA has been used in some NPPs, its application in the RPS to perform the trip functions is still very new. It is only recently that most NPP industries have paid attention to the use of FPGA in safety-critical systems such as the RPS.

Another drawback of FPGA is the need for specialized expertise on the design team. Although a flat hardware logic solution in an FPGA is relatively simple, the design process used to create it is not. The FPGA design process is quite similar to the software design processes, including the associated V&V activities performed at successive stages of design development. Therefore, the design team needs to have knowledge about the electronic circuitry of the FPGA, hardware description language (HDL) coding expertise, and an understanding of software-like development and V&V processes to ensure that the design meets the application requirements. Limited availability of products can also be seen as a drawback because, due to the little experience in the nuclear industry, there are only a limited number of FPGA-based I&C platforms and products that are available and ready to be used in NPP applications.

Another disadvantage of FPGA in NPPs is its vulnerability to radiation. Static RAM-based FPGA is vulnerable to radiation. Such devices in NPPs, being in a radiation environment, cannot survive. However, antifuse FPGA is more robust in terms of radiation resistance, and therefore should be used for NPP applications.

Table 1 – SWOT (strength, weakness, opportunity, and threat) analysis of programmable logic controller (PLC)-based and field programmable gate array (FPGA) systems.

I&C Technology | Strength | Weakness | Opportunity | Threat
PLC-based system | Experienced (it has been used for the past 3 decades) | Verification difficulty, quick obsolescence | Performance and computational capability with large data handling | Complexity, cyber-attack vulnerability, CCF due to software error
FPGA-based system | Less V&V load, long-term supportability | Inexperienced (it is relatively new in nuclear industries) | Less complex, increase plant availability and reliability, resistance to cyber-attack | Vulnerability to radiation (if SRAM-based FPGA is applied)

CCF, common cause failure; SRAM, static RAM; V&V, verification and validation.

3. Requirements analysis

Analyzing the specific requirements for the proper conversion of the identified needs into the requirements for the design is paramount. However, to avoid ambiguous and conflicting requirements during the conversion process, reference was made to the regulatory requirements. Specific regulatory requirements for the design of FPGA applications for safety-critical systems of NPPs have not been developed yet. However, to develop the FPGA-based bistable trip functions, we referred to the existing regulatory requirements and endorsed standards that are specifically applicable to PLCs, because the FPGA design process also involves software development even though the final design output is described as hardware. In addition to the existing regulatory requirements, for the purpose of this work we made reference to the one and only existing specific standard, IEC 62566, for the application of FPGA to perform safety functions in NPPs.


Table 2 – Comparison between software-based and field programmable gate array (FPGA) systems.

Feature | Microprocessor-based (software), e.g., PLC | FPGA
Program execution | Sequential | Parallel
Memory access | Required | Not required
Interrupts | Required | Not required
Context switching | Required | Not required
Operating system | Required | Not required
Supportability | Short-term support | Long-term support
Radiation susceptibility | Resistance (if the aging mechanisms are defined) | Resistance (if antifuse solution is applied)

PLC, programmable logic controller.

3.1. Regulatory requirements

USNRC 10 CFR 50 Appendix A (general design criteria) and the regulatory guides are used, since Korean NPP safety-critical and safety-related I&C systems are designed to satisfy USNRC regulations. Therefore, it is required that the system shall be designed in conformance with the requirements of Regulatory Guides 1.152 and 1.153 and their endorsed IEEE standards, IEEE 7-4.3.2 [15] and IEEE 603 [16], respectively. Also, for the implementation of the bypass algorithm required for variable setpoint parameters with manual reset, Regulatory Guide 1.47 [17] is analyzed and complied with.

3.2. Performance requirements

During the requirements analysis, it is paramount to identify measures of the performance of the system. Under this, the technical, operational, and response-time measures of the selected RPS parameters are specified. The specific measures of performance set for the RPS design in this work are tabulated in Table 3. The measures are taken from the Korean APR1400 (Advanced Power Reactor 1400 MWe) design specification for the plant protection system.

4. Functional analysis

In this section, there is no further study to define and develop the functional allocation. Instead, the functional requirements are the baseline for the FPGA-based hardware and software allocation. The description below is identical to the function already developed for APR1400.

It is required that the setpoint algorithm shall generate one of three types of setpoint by its setpoint handling method: automatic rate-limited variable, fixed, and manual reset variable. The variable over power trip (VOPT) function uses an automatic rate-limited variable setpoint, while the low pressurizer pressure trip (LPPT) and low steam generator pressure trip functions use a manual reset variable setpoint. The utilized type shall be determined by the desired setpoint control method and shall provide both pretrip and trip setpoints. All the trip logics shall have hysteresis capability for both trip and pretrip setpoints. The logics shall generate both trip and pretrip signals when the monitored process parameter deviates from the setpoint. Fig. 4 shows the bistable with variable manual reset setpoint of the LPPT algorithm.

Fig. 4 – Bistable with variable manual reset setpoint. Trip on decreasing process (low pressurizer pressure trip algorithm configurations).

5. Design synthesis

As stated above, there are three types of setpoint in APR1400. On this basis, the design synthesis phase is explained centering on the VOPT trip function, because it is the most complex algorithm for establishing the reactor trip function.

Table 3 – Performance requirement measures.

Requirements | Value | Applicability
Uncertainty | < 0.2% | < 0.2% of the selected full range value for a period of 39 d across the range of environmental conditions
Variable over power trip | 225 ms | PPS cabinet response time from the input of the BP
Low pressurizer pressure trip | 225 ms | PPS cabinet response time from the input of the BP
High steam generator water level trip | 225 ms | PPS cabinet response time from the input of the BP

BP; PPS.


Fig. 5 – Finite state machine with data path (FSMD) block diagram for the variable over power trip (VOPT) setpoint bistable trip function. FPGA, field programmable gate array.

5.1. VOPT algorithm design

5.1.1. Rate implementation analysis for VOPT

For effective implementation of the VOPT rate-limiting requirement in the design of the FPGA-based system, we performed the following analysis.

From the functional requirements analysis, the rate of change of reactor power increase should be < 11%/min. This means that for every 1 minute, the increase in reactor power should be < 11%. One may conclude that the system should be designed with a time delay of 1 minute and that the change in reactor power after the time delay should then be checked. However, this approach may not give an effective design outcome. For an optimized design of the FPGA-based system, the system should be designed such that the reactor power increase is constantly checked.

Mathematically, if the reactor power at unit time $t_1$ (min) is $x_1$% and the reactor power at the next unit time $t_2$ (min) is $x_2$%, then the rate at which the reactor power increases is given by:

$$\text{Rate}\ (\%/\text{min}) = \frac{x_2 - x_1}{t_2 - t_1} < 11\%/\text{min} \tag{1}$$

This implies that

$$\text{Rate}\ (\%/\text{min}) = \frac{\Delta x}{\Delta t} < 11\%/\text{min} \tag{2}$$

where $\Delta x = x_2 - x_1$ is the change in reactor power (%) and $\Delta t = t_2 - t_1$ is the corresponding change in time (min). Assuming the change in time is 1 minute (that is, $\Delta t = 1$), Eq. (2) reduces to:

$$\Delta x < 11\% \quad \text{or} \quad (x_2 - x_1) < 11\% \tag{3}$$

Fig. 6 – Data path for the variable over power trip (VOPT) algorithm.


Fig. 7 – Finite state machine (FSM) controller block diagram for the variable over power trip (VOPT) algorithm.

Eq. (3) simply means that, at any point in time, the increase in reactor power is < 11%. Therefore, the power increase rate requirement can be expressed as: the trip setpoint at any given time shall be equal to the reactor power plus 15% if the increase in reactor power is < 11%; otherwise the trip setpoint shall be equal to the previous trip setpoint plus 11%.

Utilizing this analysis result, the VOPT is designed in such a way that the system monitors the changes in reactor power at any time and updates the trip setpoint as appropriate, without using a timer or counter, which might lead to unnecessary delay. This gives a more efficient, fast, and effective design output than checking every minute.

5.1.2. Interface definition of FSMD for VOPT algorithm

Fig. 5 shows the interface definition of the VOPT algorithm, which indicates the inputs and outputs the final design is expected to have. In this case, the setpoint is not fixed; it is determined by the reactor power input. However, the setpoint range limits (floor and ceiling) as well as the hysteresis value need to be input.

5.2. VOPT data path design

The VOPT data path (Fig. 6) consists of the components of the fixed setpoint algorithm. There are comparators (≥ 95%) and (≤ 5%), which are active high, used to determine the ceiling and floor conditions, respectively. There are also some additional adders (+15%), (+11%), and (−6%) whose outputs go to a 4-to-1 multiplexer; they are used to determine the value of the trip setpoint at a process input rate < 11%/min, the trip setpoint at a process input rate ≥ 11%/min, and the pretrip setpoint, respectively. The 4-to-1 multiplexer is added to select the trip setpoint at a particular point in time depending on the value of the multiplexer select line (t_SPmSel) from the FSM controller. For example, from the data path diagram (Fig. 6), if the t_SPmSel = 00 command is received from the FSM controller, the 4-to-1 MUX selects the t_SP+11% value for the trip setpoint. The pretrip setpoint is calculated from the trip setpoint, at every value of the trip setpoint, by adding the −6% offset to the trip setpoint value.

To control the rate of change of reactor power effectively, Eq. (3) is used to design the data path inside the red-dotted rectangular box shown in Fig. 6.

5.3. VOPT FSM controller design

The FSM controller block diagram for both trip and pretrip, showing the signal interfaces, is depicted in Fig. 7. The diagram is a Moore-type FSM, in which the output is a function of the current state of the machine only.

In designing the state transition diagram for the VOPT, it is important to take note of the point within the setpoint limits where the trip is expected to be asserted. Therefore, there are two conditions in which the trip signal will be provided to trip the reactor: (1) if the power increase rate is greater than the predetermined value (11%/min) and the reactor power value is greater than or equal to the trip setpoint, the logic provides a trip signal; and (2) if the reactor power is equal to the ceiling of 110% (the maximum allowable power setpoint increase), the trip signal is provided.

The FSM controller transition diagram for the VOPT algorithm has three state transition diagrams. One of the transition diagrams controls the VOPT pretrip setpoint and pretrip signal generation.

Fig. 8 – Variable over power trip maximum rate determination state transition diagram.


Fig. 9. Variable over power trip setpoint calculation state transition diagram.

The second transition diagram (Fig. 8) is used to control the operation of the design in the red-dotted rectangular box inside the data path for the determination of the reactor power increase rate, and it has six states: Start, Check1, Diff, Check2, Rate_S, and Adjust. Start is the state at which the PI1 register (PI1_reg) in the data path is initialized to store the reactor power, called PI1, when the reset signal is active high; the machine then transits to the Check1 state when the reset signal is active low. Check1 is the state in which the state machine checks for a change in the reactor power input, called PI2. From this state, the state machine transits to either the Diff state or the Adjust state if PI2 > PI1 or PI2 < PI1, respectively. Diff is the state in which the PI11 register (PI11_reg) is enabled (PI11_en = '1') in order to allow the data path to compute the difference (named diff_PI) between PI2 and PI1; the machine then transits to the Check2 state. Check2 is the state where the state machine checks whether diff_PI is ≥ 11% power. From this state, the state machine transits to either the Rate_S state or the Start state if diff_PI ≥ 11% or diff_PI < 11%, respectively. Rate_S is the state in which the maximum rate condition is energized (Rate = '1') and PI1_reg (the value of PI1) is updated to the current reactor power input PI2; the machine then transits to the Check1 state. Adjust is the state where the state machine de-energizes the maximum rate condition (Rate = '0') and PI1_reg (the value of PI1) is updated to the current reactor power input PI2; the machine then transits back to the Check1 state.

The third transition diagram, shown in Fig. 9, is used to control the calculation of the trip setpoint as well as the trip signal determination, and it has seven states: Follow, Floor, MaxRate, Update, Ceiling, trip_S, and Untrip_S. The transition conditions and the state outputs are shown in the diagram.

5.4. VHDL coding

Having developed the trip function models using the FSMD technique, it is time to implement the developed FSMDs by developing HDL code for all three types of algorithms. This involves writing the RTL that will be implemented on the FPGA using any of the HDLs. The widely used HDL languages are VHDL and Verilog. In this work, VHDL is used because of its flexibility and unique features.

VHDL is a language widely used to model and design digital hardware. Among its unique features is design reusability [34], which allows procedures and functions to be placed in a package so that they are available to any design unit that uses them. This is impossible in Verilog because there is no concept of packages in Verilog. VHDL also has some features, such as configuration, generate and package statements, together with the generic clause, which help the designer to manage large designs; in Verilog, there are no such statements.

The Active-HDL software tool developed by Aldec is used for writing, simulating, and synthesizing the VHDL code. Active-HDL's Integrated Design Environment includes a full HDL and graphical design tool suite and an RTL/gate-level mixed-language simulator for rapid deployment and verification of FPGA designs [18]. Fig. 10 shows a section of the VHDL code.

Fig. 10. A section of very high speed integrated circuit hardware description language code.

6. Design verification and validation

In this section, the developed VHDL code for the trip algorithms is verified and synthesized into a Spartan 3E FPGA. The functional correctness of the design and the timing response of the FPGA are verified using the VHDL simulator from the Active-HDL tool.

To do this, a re-usable test bench is developed and written in VHDL to verify the design using VHDL simulators. VHDL simulators normally offer some interactive stimuli capture feature. In this work, the Active-HDL tool simulator environment is used to write the test-bench code for design verification.

The test-bench configuration is set up with several steps needed to verify the design. Fig. 11 contains three major test bench components to fulfill the test tasks: the generator,
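The six-state reactor-power increase-rate FSMD described in Section 5.3, as an added Python behavioural model that is not part of the paper (the authors implemented it in VHDL), wrapped in a stimulus-generator / design-under-test / monitor bench of the kind this section describes; the power values in percent of rated power are constructed, and the 11% threshold is the Check2 condition given above.

```python
# Added example, not the authors' VHDL: Python behavioural model of the six-state
# reactor-power increase-rate FSMD (Section 5.3) wrapped in a stimulus-generator /
# DUT / monitor bench. Power values are % of rated power (constructed units).
RATE_THRESHOLD = 11  # Check2: diff_PI >= 11 % power -> maximum-rate condition


class RateFsmd:
    def __init__(self):
        self.state, self.rate = "Start", 0
        self.pi1_reg = self.pi11_reg = 0  # PI1 reference; diff_PI (PI11_reg)

    def clock(self, reset, pi2):
        """One clock edge with the reset level and current power input PI2.
        Returns (state, Rate) after the edge."""
        s = self.state
        if s == "Start":
            if reset:                     # active-high reset: capture PI1
                self.pi1_reg = pi2
            else:                         # reset released
                self.state = "Check1"
        elif s == "Check1":
            if pi2 > self.pi1_reg:
                self.state = "Diff"
            elif pi2 < self.pi1_reg:
                self.state = "Adjust"     # PI2 == PI1: wait in Check1
        elif s == "Diff":                 # PI11_en = '1': load diff_PI
            self.pi11_reg = pi2 - self.pi1_reg
            self.state = "Check2"
        elif s == "Check2":
            self.state = "Rate_S" if self.pi11_reg >= RATE_THRESHOLD else "Start"
        elif s == "Rate_S":               # energise Rate, re-base PI1 to PI2
            self.rate, self.pi1_reg, self.state = 1, pi2, "Check1"
        elif s == "Adjust":               # de-energise Rate, re-base PI1 to PI2
            self.rate, self.pi1_reg, self.state = 0, pi2, "Check1"
        return self.state, self.rate


def run_test_bench(steps, settle_clocks=6):
    """Generator -> DUT -> monitor. Reset is held one clock so PI1_reg captures
    steps[0]; each PI2 value is then held settle_clocks clocks, enough for
    Check1 -> Diff -> Check2 -> Rate_S -> Check1 even when Check2 first judges a
    stale diff_PI from the previous sample. Returns (PI2, Rate, state) per hold."""
    dut = RateFsmd()
    dut.clock(1, steps[0])
    record = []
    for pi2 in steps:
        for _ in range(settle_clocks):
            state, rate = dut.clock(0, pi2)
        record.append((pi2, rate, state))
    return record
```

Shortening settle_clocks below the longest state path is the quickest way to see the register-timing effect the Results section warns about: Check2 then judges a diff_PI computed from the previous power sample.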

Please cite this article in press as: J. Jung, I. Ahmed, Development of Field Programmable Gate Array-based Reactor Trip Functions Using Systems Engineering Approach, Nuclear Engineering and Technology (2016), http://dx.doi.org/10.1016/j.net.2016.02.011


Fig. 11. Test-bench setup configuration.

design under test (DUT), and the monitor. The generator (stimuli generator) generates the stimuli/test vector signals for the DUT. The DUT is the developed VHDL code to be verified; it responds to the stimuli and provides the output to the monitor. The monitor is the response analyzer that is used to observe the output of the DUT. Thus the test bench wraps around the design, sending in the generated stimulus and capturing the design's response. In writing the test-bench, we ensured that the setup and hold times of the registers are respected to avoid metastability issues. Subsequently, after setting up the test-bench, each of the three algorithms is verified.

For the fixed setpoint algorithm developed, which is generalized for all the trip process parameters that use a fixed setpoint, the high steam generator water level trip (HSGWLT) is one of the parameters chosen for verification of the designed fixed setpoint algorithm. Finally, to validate the design, the verified algorithm is synthesized and mapped into a Xilinx Spartan3E-100 CP132 FPGA on a Digilent Basys2 Board for testing.

7. Results

In the VOPT simulation, the verification is performed for both the rating trip and the ceiling trip, and the result is shown in Fig. 12. The rating trip is the trip that occurs when the reactor power rate rises beyond the allowable rate limit. It gets to a point where the reactor power value overtakes the setpoint that exists at that point and results in the trip. The ceiling trip is the trip that occurs when the reactor power rises to the maximum allowable trip setpoint.

The LPPT algorithm simulation result is shown in Fig. 13. The result shows the operator's action in resetting the setpoint. During plant shutdown, the pressurizer pressure is decreasing, and when it is equal to or less than the pretrip setpoint that exists at that point, the logic generates the pretrip signal and the operator resets the setpoint in order not to allow the generation of the trip signal. This allows the orderly shutdown of the plant without unnecessarily initiating the emergency support functions. This manual reset leads to the step reduction of the trip setpoint. As the trip setpoint approaches the minimum value, the logic issues the permission of the operating bypass, which allows the operator to request the operating bypass condition by pressing a button from the control room or the maintenance and test panel. By doing this, the pressurizer pressure can be brought down to zero without initiating the trip signal. During plant startup, the system automatically removes the operating bypass condition and then follows the pressurizer pressure with a constant value. From the results, it is discovered that the FPGA can effectively implement the algorithms. However, careful attention should be given to the timing of the RTL value from one register to the other within the data path.

The synthesized result of the timing analysis during synthesis of the verified design for the HSGWLT into the Xilinx Spartan 3E FPGA is shown in Table 4. During code synthesis, the design is optimized for the processing speed of the FPGA. The total delay is found to be 13.023 ns, which shows that the Xilinx Spartan 3E, being a low-end FPGA, has demonstrated that the trip algorithms can be implemented at a fast enough rate. This is because of the concurrent operation advantage of the FPGA, which allows it to process many operations at the same time, as compared to a PLC, which executes instructions sequentially. Fig. 12 shows the configuration of the practical implementation of the verified HSGWLT bistable logic for validation. It also indicates the applicability of the hysteresis shown in the simulated results.

Subsequently, the verified FPGA-based RPS trip function is validated using a Xilinx Spartan3E-100 CP132 FPGA on a Digilent Basys2 Board as shown in Fig. 14, which shows the FPGA board with the pretrip and trip signals for an input (80) and trip setpoint (85) of the HSGWLT on the hexa-indicator.

8. Conclusions

The reactor bistable trip functions are developed in this work using the systems engineering approach. In this work, the DOD MIL-STD-499B design process is modified and made consistent with the V-model to Y-model transformation. This simplifies and speeds up the design process for FPGA-based systems as well as making V&V simpler and more easily achievable. The design process stages (needs analysis, requirements analysis, functional analysis, design synthesis, and design V&V) are developed for reactor trip functions. The needs and system analysis is first performed, followed by the requirement

Fig. 12. Variable over power trip combined rate and ceiling trip simulation result.



Fig. 13. Low pressurizer pressure trip simulation result.

analysis. After requirement analysis, the functional analysis is performed. During functional analysis, the functional requirements of the trip functions are summarized and presented graphically.

In design synthesis, based on the functional requirements, the reactor trip functions are designed, modeled, and developed using FSMD design techniques. Fixed setpoint, variable over power trip, and pressurizer pressure trip algorithms are developed. The data path is designed to perform all the mathematical computations, data movement, data storage, and data comparisons of the algorithms, while the FSM controls the activities of the data path. After the design and modeling, the VHDL code is developed for each algorithm, and the developed VHDL codes are verified and tested using the Active-HDL tool. To perform this verification, a VHDL test-bench with test cases is developed, and the designed algorithms are verified to satisfy the requirements.

Finally, the verified design is synthesized and mapped into the Xilinx Spartan 3E FPGA for testing and validation. During synthesis, the design is optimized for the processing speed of the FPGA, and the total delay is found to be 13.023 ns, which is small enough compared to the required response time.

Conclusively, the transformation of the systems engineering V-model into the Y-model, in consistence with the process defined in DOD MIL-STD-499B, as well as the structured step-by-step design modeling techniques utilized in this work, have shown how FPGA-based trip functions can be simply designed and verified. Therefore, if this design approach is employed in designing an FPGA-based I&C system, the design can be verified easily and both the utility and the regulator can easily understand the system. With this, the development time and effort can be minimized.

Table 4. Synthesis result showing timing response of Xilinx Spartan 3E field programmable gate array (FPGA).

Synthesized parameters                       Time (ns)
Delay (within FPGA)                           4.009
Minimum input arrival time before clock       1.731
Maximum output required time after clock      7.283
Total processing delay                       13.023

Fig. 14. Field programmable gate array board showing pretrip and trip signals with input (80) and trip setpoint (85) of high steam generator water level trip.

Conflicts of interest

All authors have no conflicts of interest to declare.

Acknowledgments

This work was supported by the 2015 Research Fund of the KEPCO International Nuclear Graduate School (KINGS), Republic of Korea.

References

[1] IEEE Std. 1012, IEEE Standard for Software Verification and Validation, IEEE, 2004.
[2] EPRI, Recommended Approaches and Design Criteria for Application of Field Programmable Gate Arrays in Nuclear Power Plant Instrumentation and Control Systems, EPRI, Palo Alto (CA), 1022983, 2011.
[3] EPRI, Guidelines on the Use of Field Programmable Gate Arrays (FPGAs) in Nuclear Power Plant I&C Systems, EPRI, Palo Alto (CA), 1019181, 2009.
[4] US DOD MIL-STD-499B, Military Standard Systems Engineering, 1993.
[5] IEC Std. 62566, Nuclear Power Plants: Instrumentation and Control Important to Safety. Development of HDL-programmed Integrated Circuits for Systems Performing Category A Functions, IEC, 2012.
[6] J.C. Jung, H.S. Chang, H.B. Kim, "3+3 process" for safety critical software for I&C system in nuclear power plants, Nucl. Eng. Technol. 41 (2009) 91-98.
[7] A. Hamann, Iterative Design Space Exploration and Robustness Optimization for Embedded Systems, 2008.



[8] E. Hwang, F. Vahid, Y.C. Hsu, FSMD functional partitioning for low power, Des. Autom. Test Eur. Conf. Exhib. (1999) 22-28.
[9] A. Sudnitson, Finite state machines with datapath partitioning for low power synthesis [Internet]. [cited] Available from: http://www.pld.ttu.ee/decomposition/publications/Sudnitson_MIXDES_01.pdf.
[10] P.C. Pong, FPGA Prototyping by VHDL Examples, John Wiley & Sons, Inc., Hoboken (NJ), 2008.
[11] KINS-OPIS, Nuclear event evaluation database: recent nuclear events [Internet]. [cited 2015 Sep 13] Available from: http://opis.kins.re.kr/opis?act=KEOBA3100R.
[12] EPRI, Guideline for Performing Defense-in-depth and Diversity Assessments for Digital Upgrades: Applying Risk-informed and Deterministic Methods, EPRI, Palo Alto (CA), 1002835, 2004.
[13] US NRC, Regulatory Guide 1.152, Criteria for the Use of Computers in Safety Systems of Nuclear Power Plants, 2011.
[14] US NRC, Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues, National Academies Press, 1997.
[15] IEEE Std. 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, IEEE, 2010.
[16] IEEE Std. 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, IEEE, 2009.
[17] US NRC, Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems, 2010.
[18] Aldec, Active-HDL: FPGA simulation products [Internet]. Aldec [cited 2015 Sep 13] Available from: https://www.aldec.com/en/products/fpga_simulation/.
