
Abstract

With the maturing of information technology, intelligent instrumentation systems are increasingly deployed for supervising and controlling nuclear reactors. Functionally and physically distributed data acquisition systems are used to process the signals. Safety actions such as tripping the reactor, energizing an alarm in the control room and varying the position of a control valve are carried out in the data acquisition system itself. Information such as the values of the process signals and messages is transmitted through fault-tolerant optical fiber cables to the control room, where it is displayed to the shift operator in a convenient format. The safety of the nuclear reactor depends upon the fail-safe operation of the data acquisition and control system. This paper explains the safety analysis of a fault-tolerant data acquisition and control system.
1. Introduction
Functionally and physically distributed data acquisition systems are used to process the signals. The safety actions for tripping the reactor, energizing an alarm in the control room, positioning control valves and so on are carried out by the data acquisition system itself. Information about the values of the process signals and messages about safety actions is transmitted to the control room through fault-tolerant optical fiber cable, and is displayed to the plant operator in a convenient format.
Intelligent instrumentation systems are classified as safety critical systems, safety related systems and non-safety systems based on the importance of the processed signals. Safety critical systems generate a trip order to the plant if the input signal level crosses the threshold. For example, the core temperature monitoring system of the Fast Breeder Test Reactor (FBTR) is a Safety Critical Intelligent Instrumentation system: if the actual temperature rise along any fuel subassembly crosses the expected temperature rise, action is initiated to shut down the reactor. Safety related systems generate alarms in the control room, conditions for interlock logic and signals for controlling important process parameters. For example, the reactor start-up authorization logic, the discordance supervision system for triplicated neutronic signals, the fine impulse testing system and the process parameter supervision system are Safety Related Intelligent Instrumentation systems. As per the AERB safety guidelines, a Safety Intelligent Instrumentation system should generate fail-safe output signals if any single failure occurs in the system. To ensure fail-safe operation, it is necessary to carry out a detailed safety analysis of the system.
2. Architecture of Intelligent Instrumentation System
Normally Safety Critical Intelligent systems are triplicated. The safety actions are routed through two-out-of-three voting logic. A typical configuration of the core temperature supervision system of the Fast Breeder Reactor is shown below.
SC - Signal Conditioner, RTC - Real Time Computer
The processed data and messages are transmitted to the control room through a dual optical fiber plant network.
The architecture of a safety related system is based on the hot-standby principle, as shown below.
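As an added illustration (not code from the paper), the two-out-of-three trip vote of the triplicated core temperature system in C. It assumes a per-channel self-check, and that a channel failing its self-check is counted as a trip demand so that a single failure keeps the output fail-safe; the temperature units and field names are assumptions, not FBTR values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Verdict of one of the three redundant channels (SC + RTC). */
typedef enum { CH_NORMAL = 0, CH_TRIP = 1, CH_FAILED = 2 } chan_state_t;

/* One channel: its self-check result (e.g. health pulse present) and the
 * measured vs. expected temperature rise along a fuel subassembly, in
 * hypothetical units of 0.1 degC (an assumption, not FBTR values). */
typedef struct { bool healthy; int32_t rise_measured, rise_expected; } channel_t;

/* Threshold comparison for one channel; a channel whose self-check failed
 * reports CH_FAILED instead of a measurement-based verdict. */
chan_state_t evaluate_channel(const channel_t *ch)
{
    if (!ch->healthy)
        return CH_FAILED;
    return (ch->rise_measured > ch->rise_expected) ? CH_TRIP : CH_NORMAL;
}

/* Two-out-of-three vote. Assumption: a failed channel counts as a trip
 * demand, so one channel failure degrades the vote to one-out-of-two among
 * the healthy channels instead of masking a genuine excursion. */
bool vote_2oo3_trip(const chan_state_t verdict[3])
{
    int demands = 0;
    for (int i = 0; i < 3; i++)
        if (verdict[i] != CH_NORMAL)
            demands++;
    return demands >= 2;
}

/* Fail-safe output encoding: the trip relay coil is energised only while no
 * trip is ordered, so loss of power or of the CPU also drops it and trips. */
bool trip_relay_coil_energised(bool trip_ordered)
{
    return !trip_ordered;
}

/* One supervision cycle for a subassembly: evaluate the channels and vote. */
bool core_temperature_trip(const channel_t ch[3])
{
    chan_state_t v[3];
    for (int i = 0; i < 3; i++)
        v[i] = evaluate_channel(&ch[i]);
    return vote_2oo3_trip(v);
}
```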
3. Safety Analysis of Intelligent Instrumentation System
The development of a Safety Intelligent system shall be carried out using the waterfall model, as shown below.
[Figure (Section 2): Triplicated core temperature supervision system. Sensor signals pass through three signal conditioners (SC1, SC2, SC3) to three real time computers (RTC1, RTC2, RTC3); their safety logic outputs feed a 2/3 voting logic that issues the Trip Order.]
[Figure (Section 2): Hot-standby safety related system. SYSTEM-1 and SYSTEM-2 each have Analog Input, Digital Input, Analog Output, Digital Output and a Health Pulse, and each connects to a Safety Related Data Highway; Switchover Logic selects the active system, the outputs go to the plant (Control & Annunciation) through ORing logic, and a switchover raises an Alarm.]
Safety analysis of the design shall be carried out at the different stages listed below.
[Figure (Section 3): Waterfall development model with Verification and QA between every pair of steps. Phases: System Requirements Specification (IEEE Std. 1233); System Architectural Design; Hardware Requirements Specification and Software Requirement Specifications (IEEE Std. 830); Hardware Design & Development and Software Design & Development (IEEE Std. 1016); Hardware Implementation and Software Implementation; Testing and Module level Testing (IEEE Std. 1008); System Integrated Testing with Test Document (IEEE Std. 829); System Validation; System in Operation.]
The safety analysis activities attached to these stages are:
Safety Analysis of System Architectural Design
Safety Analysis of Software Requirements Specification
Safety Analysis of Hardware Requirements Specification
Safety Analysis of Software Design and Implementation
Safety Analysis of Hardware Design and Implementation
Safety Testing
Safety Audit Report
Safety Analysis of System Architectural Design
The system architectural design shall be analysed in detail to establish that all system level safety requirements are carried into the system design and allocated to software, to hardware or to a combination of them. The system level hazards shall be traced through the system architecture to show that hazardous states cannot occur. The design shall be shown to be fail-safe, taking into account the various failure modes of hardware and software.
Safety Analysis of Software Requirements Specification
Analysis of the software requirements specification shall be carried out to establish that it incorporates all system level safety requirements allocated to software and that they are clearly described and testable. These should include the on-line (in service) safety test requirements mandated by the technical specifications of the plant and to be implemented in software.
Safety Analysis of Hardware Requirements Specification
Analysis of the hardware requirements specification shall be carried out to establish that it incorporates all system level safety requirements allocated to hardware and that they are clearly described and testable. These should include the on-line (in service) safety test requirements mandated by the technical specifications of the plant and to be implemented in hardware.
Safety Analysis of Software Design and Implementation
The software design and implementation shall be analysed in detail to establish that they incorporate all safety requirements given in the Software Requirements Specification. The analysis should establish that the software satisfies all safety requirements, does not cause any unsafe action under any operating condition, and allows on-line tests to be carried out without compromising the performance of safety functions. The design of the software shall be shown to handle hardware failures gracefully without causing unsafe conditions in the plant. Catastrophic failure of the software (i.e. when it is not able to perform the intended function) should be shown to lead to fail-safe outputs from the computer-based system (i.e. safe conditions in the plant).
Safety Analysis of Hardware Design
The hardware design shall be analysed in detail to establish that the hardware incorporates all safety requirements given in the Hardware Requirements Specification. The analysis should establish that the hardware satisfies all safety requirements, does not cause any unsafe action under any operating condition, and allows on-line tests to be carried out without compromising the performance of safety functions. Failure of the hardware should be shown to lead to fail-safe outputs from the computer-based system (i.e. safe conditions in the plant).
Safety Testing
The system shall be subjected to tests that will confirm its overall safe behavior. This is the final demonstration of safety. The testing shall be done to check that
1. All safety requirements are correctly implemented.
2. System behavior is fail-safe.
3. All on-line tests can be conducted without compromising the performance of safety functions.
Safety Audit
The Safety Audit shall be carried out to verify the safety analysis and establish that the safety requirements have been implemented. The Safety Audit shall cover the following phases of the safety life cycle:
System Architectural Design
Software Requirements
Hardware Requirements
Software Design and Implementation
Hardware Design
Safety Testing
4. Safety Analysis of Data Acquisition System
The data acquisition system is normally developed around a non-synchronous bus like VME. The architecture is shown below.
[Figure (Section 4): Data acquisition system architecture around the VME SYSTEM BUS. Boards on the bus: CPU, ROM & ECC Memory; Analog Input cards; Digital Input; Digital Output; Communication Controller linking to the Database Server, the Alarm and Reactor Status displays and the plant network. All boards are fed from a FAULT TOLERANT DC POWER SUPPLY backed by a UPS supply. Digital outputs carry SUR, ROP, SUF, RFH, RSD and SOLC, a Watchdog output and a voltage free contact; the trip path goes through ORing logic combining the LOR, SCRAM, SPCS & PDSR operational and SG safe configuration status signals.]
A non-synchronous bus is chosen so that if any input/output system does not send an acknowledge signal within the specified time, a bus-error trap is generated. As per IEC-880 guidelines, no operating system is used; a specific monitor program is developed instead. When the system is powered on, the power-on interrupt starts the diagnostics program. If any error is detected, the corresponding error message is displayed; if the system is normal, control is given to the application program.
The general architecture is shown below.
[Figure (Section 4): General software architecture. START sets the START flag; PROCESS SCAN reads the Digital Inputs and Analog Inputs and posts alarm, LOR and SCRAM outputs; the cycle then waits for the set scan period before DIAG (issues the watchdog pulses), COMM (sends data and messages) and MONITOR. A User Interface for analog input and threshold change is serviced as a user interruption.]
The application software consists of the following modules:
Scanning the process signals
Processing the scanned signals
Delivering analog/digital outputs
Transmitting data and messages
Diagnosing the input/output systems
Processing commands for changing software data
The design of the software shall ensure that scanning and processing of data are completed within the specified time.
The safety analysis of the overall architecture shall address the following failures of subsystems:
Non-availability of power supply
Sensor fault
Sensor over range
Noise in input signal
Process signal fluctuation
Failure of microprocessor
Failure of memory
Failure of acknowledgement signal on the bus
Failure of multiplexer, amplifier, analog to digital converter and sequencer in the analog input card
Failure of optical isolator in the digital input card
Failure of latch and relay in the digital output card
Endless loop in application software
Irrational data entry for changing a software threshold
Failure of data server, message sensor and graphic user terminals
A general fault tree shall be constructed as shown below. The design shall ensure that any postulated fault will result in ordering the digital output, which in turn ensures a safe state of the nuclear reactor.
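An added example, not from the paper, of how one scan-cycle diagnostic can map several of the listed failures (missing bus acknowledge, zero-reference drift, 2.5 V reference/ADC error, sensor fault or over range, irrational threshold entry) onto the fault tree's single trip order in C. The ADC counts, reference tolerances and saturation behaviour are a constructed model, not FBTR values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the analog-input card: a 12-bit ADC (0..4095 counts) whose
 * multiplexer also routes a zero reference and a 2.5 V reference (assumption:
 * 2.5 V lands at 2048 counts on a 0..5 V range). */
#define ADC_MAX_COUNTS      4095u
#define ZERO_REF_MAX_DRIFT    20u
#define REF_2V5_NOMINAL     2048u
#define REF_2V5_TOLERANCE     20u
enum {                               /* fault classes from the failure list above */
    FAULT_BUS_NO_ACK    = 1u << 0,   /* I/O board did not acknowledge in time     */
    FAULT_ZERO_DRIFT    = 1u << 1,   /* zero-reference drift                      */
    FAULT_REF_2V5       = 1u << 2,   /* 2.5 V reference / ADC error               */
    FAULT_SENSOR_RANGE  = 1u << 3    /* sensor fault (open) or over range (rail)  */
};
/* One non-synchronous bus read: either acknowledged with a value or timed out. */
typedef struct { bool acked; uint16_t counts; } bus_read_t;
/* One scan of the card: both references, then one process channel. */
typedef struct { bus_read_t zero_ref, ref_2v5, process; } ai_scan_t;

static unsigned abs_diff(unsigned a, unsigned b) { return a > b ? a - b : b - a; }

/* Diagnose one scan; returns the OR of the detected fault bits. */
unsigned diagnose_scan(const ai_scan_t *s)
{
    unsigned f = 0;
    if (!s->zero_ref.acked || !s->ref_2v5.acked || !s->process.acked)
        f |= FAULT_BUS_NO_ACK;       /* what the bus-error trap would signal */
    if (s->zero_ref.acked && s->zero_ref.counts > ZERO_REF_MAX_DRIFT)
        f |= FAULT_ZERO_DRIFT;
    if (s->ref_2v5.acked && abs_diff(s->ref_2v5.counts, REF_2V5_NOMINAL) > REF_2V5_TOLERANCE)
        f |= FAULT_REF_2V5;
    if (s->process.acked && (s->process.counts == 0 || s->process.counts >= ADC_MAX_COUNTS))
        f |= FAULT_SENSOR_RANGE;
    return f;
}

/* Operator entry of a new threshold is accepted only inside the usable ADC span. */
bool threshold_change_valid(unsigned new_threshold)
{
    return new_threshold > ZERO_REF_MAX_DRIFT && new_threshold < ADC_MAX_COUNTS;
}

/* Fault-tree root: any detected fault, an irrational threshold, or a genuine
 * threshold crossing orders the trip output, so every postulated fault ends safe. */
bool trip_order(const ai_scan_t *s, unsigned threshold)
{
    return !threshold_change_valid(threshold) || diagnose_scan(s) != 0
           || s->process.counts > threshold;
}
```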
5. Conclusion
Detailed safety analysis of the system architecture design, software design and hardware design shall ensure a safe state of the process plant in the event of any postulated single hardware or software failure. The safety analysis report shall be reviewed by an independent experts committee. Test data shall be designed to demonstrate the safe behavior of the system in the event of the postulated failure.
[Figure (Section 4): General fault tree with TRIP ORDER at the root. Hardware branch: I/O card failure (D/I, D/O, A/I: sequencer failure, opto-coupler failure, zero reference drift, 2.5 V reference / ADC error), CPU failure, memory failure, read acknowledge failure, power supply failure (24 V supply, +12 V supply, 5 V DC supply, UPS failure). Software branch: divide by zero, scan failure, endless looping, diagnostic failure, timeout.]
