With the maturing of Information Technology, Intelligent Instrumentation systems are increasingly deployed for supervising and controlling nuclear reactors. Functionally and physically distributed data acquisition systems are used to process the signals. Safety actions such as tripping the reactor, energizing an alarm in the control room and varying the position of a control valve are carried out in the data acquisition system itself. Information such as the values of the process signals and messages is transmitted through fault tolerant optical fiber cables to the control room, where it is displayed to the shift operator in a convenient format. The safety of the nuclear reactor depends upon the fail-safe operation of the data acquisition and control system. This paper explains the safety analysis of a fault tolerant data acquisition and control system.

1. Introduction

Functionally and physically distributed data acquisition systems are used to process the signals. Safety actions such as tripping the reactor, energizing an alarm in the control room and positioning control valves are carried out by the data acquisition system itself. The values of the process signals and messages about safety actions are transmitted to the control room through a fault tolerant optical fiber cable, and the information is displayed to the plant operator in a convenient format.

Intelligent Instrumentation systems are classified as safety critical systems, safety related systems and non-safety systems according to the importance of the signals they process. Safety critical systems generate a trip order to the plant if the input signal level crosses the threshold. For example, the core temperature monitoring system of the Fast Breeder Test Reactor (FBTR) is a Safety Critical Intelligent Instrumentation system: if the actual temperature rise along any fuel subassembly exceeds the expected temperature rise, action is initiated to shut down the reactor.
Safety related systems generate alarms in the control room, conditions for interlock logic and signals for controlling important process parameters. For example, the reactor start-up authorization logic, the discordance supervision system for triplicated neutronic signals, the fine impulse testing system and the process parameter supervision system are Safety Related Intelligent Instrumentation systems.

As per the AERB safety guidelines, a Safety Intelligent Instrumentation system should generate fail-safe output signals if any single failure occurs in the system. To ensure fail-safe operation it is necessary to carry out a detailed safety analysis of the system.

2. Architecture of Intelligent Instrumentation System

Normally Safety Critical Intelligent systems are triplicated, and the safety actions are routed through two-out-of-three voting logic. A typical configuration of the core temperature supervision system of a Fast Breeder Reactor is shown below.

[Figure: three independent channels, each consisting of a Signal Conditioner (SC1, SC2, SC3) fed by the SENSOR and a Real Time Computer (RTC1, RTC2, RTC3); the three RTC outputs enter the SAFETY LOGIC (2/3 VOTING LOGIC), which issues the Trip Order.]

SC - Signal Conditioner
RTC - Real Time Computer

The processed data and messages are transmitted to the control room through a dual optical fiber plant network. The architecture of a safety related system is based on the hot-standby principle, as shown below.

[Figure: hot-standby safety related system. Two systems, ORING LOGIC SYSTEM-1 and SWITCH OVER LOGIC SYSTEM-2, each with Analog Input, Digital Input, Analog Output, Digital Output and a Health Pulse; a Switchover selects the active system; outputs go To Plant (Control & Annunciation), to an Alarm and to dual Safety Related Data Highways.]

3. Safety Analysis of Intelligent Instrumentation System

The development of a Safety Intelligent system shall be carried out using the waterfall model shown below.

[Figure: waterfall development model. Phases: System Requirements Specification (IEEE Std. 1233); System Architectural Design; Hardware Requirements Specification, Hardware Design & Development and Hardware Implementation; Software Requirements Specification (IEEE Std. 830), Software Design & Development (IEEE Std. 1016), Software Implementation and Module level Testing (IEEE Std. 1008); System Integrated Testing with Test Document (IEEE Std. 829); System Validation; System in Operation. VERIFICATION and QA are applied between successive phases, and a safety analysis activity accompanies each phase.]

Safety analysis of the design shall be carried out at the following stages:

- Safety Analysis of System Architectural Design
- Safety Analysis of Software Requirements Specification
- Safety Analysis of Hardware Requirements Specification
- Safety Analysis of Software Design and Implementation
- Safety Analysis of Hardware Design and Implementation
- Safety Testing
- Safety Audit Report

Safety Analysis of System Architectural Design

The system architectural design shall be analysed in detail to establish that all system level safety requirements are carried into the system design and allocated to software, hardware or a combination of them. The system level hazards shall be traced through the system architecture to show that hazardous states cannot occur. The design shall be shown to be fail-safe, taking into account the various failure modes of hardware and software.
Safety Analysis of Software Requirements Specification

The software requirements specification shall be analysed to establish that it incorporates all system level safety requirements allocated to software, and that they are clearly described and testable. These should include the on-line (in service) safety test requirements mandated by the technical specifications of the plant and to be implemented in software.

Safety Analysis of Hardware Requirements Specification

The hardware requirements specification shall be analysed to establish that it incorporates all system level safety requirements allocated to hardware, and that they are clearly described and testable. These should include the on-line (in service) safety test requirements mandated by the technical specifications of the plant and to be implemented in hardware.

Safety Analysis of Software Design and Implementation

The software design and implementation shall be analysed in detail to establish that they incorporate all safety requirements given in the Software Requirements Specification. The analysis should establish that the software satisfies all safety requirements, does not cause any unsafe action under any operating condition, and allows on-line tests to be carried out without compromising the performance of safety functions. The design of the software shall be shown to handle hardware failures gracefully without causing unsafe conditions in the plant. Catastrophic failure of the software (i.e. when it is not able to perform the intended function) should be shown to lead to fail-safe outputs from the Computer-based System (i.e. safe conditions in the plant).

Safety Analysis of Hardware Design

The hardware design shall be analysed in detail to establish that the hardware incorporates all safety requirements given in the Hardware Requirements Specification. The analysis should establish that the hardware satisfies all safety requirements, does not cause any unsafe action under any operating condition, and allows on-line tests to be carried out without compromising the performance of safety functions. Failure of the hardware should be shown to lead to fail-safe outputs from the Computer-based System (i.e. safe conditions in the plant).

Safety Testing

The system shall be subjected to tests that will confirm its overall safe behavior. This is the final demonstration of safety. The testing shall be done to check that:

1. All safety requirements are correctly implemented.
2. System behavior is fail-safe.
3. All on-line tests can be conducted without compromising the performance of safety functions.

Safety Audit

The Safety Audit shall be carried out to verify the safety analysis and establish that the safety requirements have been implemented. The Safety Audit shall cover the following phases of the safety life cycle:

- System Architectural Design
- Software Requirements
- Hardware Requirements
- Software Design and Implementation
- Hardware Design
- Safety Testing

4. Safety Analysis of Data Acquisition System

The data acquisition system is normally developed around a non-synchronous bus like VME. The architecture is shown below.

[Figure: data acquisition system built around the VME SYSTEM BUS (BUS A / BUS B) with a FAULT TOLERANT DC POWER SUPPLY. Boards: CPU, ROM & ECC Memory; Analog Input; Digital Input; Digital Output; Communication Controller. Outputs go To Plant, to the Data Server, to an Alarm and to Reactor Status, and carry the plant signals labelled SUR, ROP, SUF, RFH, RSD and SOLC. The Digital Output provides a Watchdog output (voltage free contact) and, through ORING LOGIC, the LOR and SCRAM signals together with the "SPCS & PDSR operational" and "SG safe configuration status" signals.]
A non-synchronous bus is chosen so that if any input/output system does not send the acknowledge signal within the specified time, a bus-error trap is generated. As per the IEC-[standard number garbled in source] guidelines, no operating system is used; a specific monitor program is developed instead. When the system is powered on, the power-on interrupt starts the diagnostics program. If any error is detected, the corresponding error message is displayed; if the system is normal, control is given to the application program. The general architecture of the software is shown below.

[Figure: software flowchart. START: PROCESS scans the Digital Inputs and Analog Inputs and posts alarm, LOR and SCRAM; a START flag and a fixed-interval wait/set-flag timer sequence the cycle. DIAG emits the watchdog pulses; COMM transmits Data and Messages; MONITOR provides the user interface and user interruption for A/I and threshold changes.]
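As an added C example (not code from the paper or from the FBTR systems it describes), the following ties together the two-out-of-three voting of section 2 with the fail-safe requirement of this section that any postulated fault must end in the trip order: a channel that reports a sensor fault, an over-range reading or a missed health pulse is counted as demanding a trip, and the trip relay is modelled as de-energize-to-trip so that a power supply failure also lands in the safe state. The type and function names (channel_t, make_channel, channel_demands_trip, vote_2oo3), the 0.1 degC unit, the threshold of 800 and the 500 ms health-pulse deadline are all assumed values chosen for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One core-temperature channel (Signal Conditioner + Real Time Computer)
 * as seen by the voting logic. Fields, units and values are constructed. */
typedef struct {
    int16_t  delta_t;        /* temperature rise along the subassembly, 0.1 degC */
    bool     sensor_fault;   /* open/short flagged by the signal conditioner */
    bool     over_range;     /* reading outside the rational band of the ADC */
    uint32_t last_health_ms; /* time of the last health pulse from the RTC */
} channel_t;

enum { TRIP_THRESHOLD = 800, HEALTH_DEADLINE_MS = 500 }; /* assumed values */

channel_t make_channel(int16_t dt, bool fault, bool over, uint32_t last_ms) {
    channel_t ch = { dt, fault, over, last_ms };
    return ch;
}

/* Trip demand of a single channel. Any postulated fault in the channel
 * (sensor fault, over-range, missed health pulse) is treated as a demand
 * to trip, so a failed channel can never veto a genuine trip. */
bool channel_demands_trip(const channel_t *ch, uint32_t now_ms) {
    bool faulty = ch->sensor_fault || ch->over_range ||
                  (now_ms - ch->last_health_ms) > HEALTH_DEADLINE_MS;
    return faulty || ch->delta_t > TRIP_THRESHOLD;
}

/* Two-out-of-three voting. Returns the trip relay coil state:
 * 0 = de-energized = Trip Order to the plant (de-energize-to-trip, so a
 * power supply failure also produces the safe state), 1 = energized. */
int vote_2oo3(const channel_t ch[3], uint32_t now_ms) {
    int demands = 0;
    for (int i = 0; i < 3; i++)
        demands += channel_demands_trip(&ch[i], now_ms) ? 1 : 0;
    return demands >= 2 ? 0 : 1;
}

int main(void) {
    /* Constructed scenario: channel 2 has lost its health pulse and
     * channel 1 sees an excessive temperature rise -> trip order. */
    uint32_t now = 10000;
    channel_t ch[3] = { make_channel(850, false, false, 9900),
                        make_channel(300, false, false, 9000),
                        make_channel(310, false, false, 9950) };
    printf("relay coil = %d\n", vote_2oo3(ch, now)); /* prints 0 */
    return 0;
}
```

A single faulty channel alone does not trip the plant (the other two healthy channels out-vote it), but it also cannot mask a genuine trip demand from either remaining channel.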
The application software consists of the following modules:

- Scanning the process signals
- Processing the scanned signals
- Delivering analog/digital outputs
- Transmitting data and messages
- Diagnosing the Input/Output systems
- Processing commands for changing software data

The design of the software shall ensure that scanning and processing of data are completed within the specified time.

The safety analysis of the overall architecture shall address the following failures of subsystems:

- Non-availability of power supply
- Sensor fault
- Sensor over range
- Noise in input signal
- Process signal fluctuation
- Failure of microprocessor
- Failure of memory
- Failure of acknowledgement signal in the bus
- Failure of multiplexer, amplifier, analog to digital converter and sequencer in the analog input card
- Failure of optical isolator in the digital input card
- Failure of latch and relay in the digital output card
- Endless loop in application software
- Irrational data entry for changing a software threshold
- Failure of data server, message sensor and graphic user terminals

A general fault tree shall be constructed as shown below. The design shall ensure that any postulated fault results in ordering the digital output, which in turn ensures the safe state of the nuclear reactor.

[Figure: fault tree with top event TRIP ORDER. Hardware branch: I/O card failure (D/I, D/O, A/I: Sequencer failure, Opto-coupler failure, Zero Reference Drift, 2.5V Reference, ADC Error, 24V supply failure, Read ack); Power Supply (±12V supply failure, 5V DC supply failure); CPU failure; Memory failure. Software branch: Divide by zero, scan failure, Endless looping, Diagnostic failure, Timeout.]

5. Conclusion

Detailed safety analysis of the system architecture design, software design and hardware design shall ensure the safe state of the process plant in the event of any postulated single hardware or software failure. The safety analysis report shall be reviewed by an independent expert committee. Test data shall be designed to demonstrate the safe behavior of the system in the event of a postulated failure.