1 INTRODUCTION
Field-programmable gate arrays (FPGAs) have gained increasing attention worldwide for safety instrumentation and control (I&C) applications in nuclear power plants (NPPs), particularly for reactor protection systems (RPSs) [1-3]. Compared with conventional microprocessor-based technology, the dedicated hardware-based logic offered by FPGAs can provide improved reliability and reduced complexity [4]. FPGA-based systems have been applied in NPPs in a number of countries such as the USA and the Ukraine [5]. Although FPGAs are a mature technology, RPSs based on FPGAs remain very new in the nuclear power industry. For application as a 1E-level safety system, existing standards such as NUREG/CR-7006 “Review Guidelines for FPGAs in NPP Safety Systems” demand that FPGA-based RPSs undergo further verification and validation (V&V), which is a process designed to ensure that development at all stages is performed correctly, completely, accurately, and consistently [6]. Testing of safety systems is one of the most important and time-consuming efforts in V&V, and all functions are required to be tested by external responses (i.e., black-box testing) in addition to a thorough review and analysis of the source code of the safety software (i.e., white-box testing) [7-9]. However, because FPGA systems conduct signal processing, it is difficult to test the RPS status directly, as is possible for analog systems by examining the relay operations. FPGA halt leads to the loss of signal processing capability due to software or hardware failure. As such, the detection of failures in FPGA design and development may be more difficult and complex. RPS performance, such as the response time and the trigger precision, must also be determined by testing [10]. The insufficient development of more dedicated systems and tools is the greatest challenge to conducting V&V activities for FPGA-based safety systems.
However, computer-based testing technology has been used for various purposes in the field of nuclear reactor engineering, for example, in safety analysis and accident release measurement research [11], nuclear I&C design, and V&V [12]. Presently, a few testing vendors such as CAE [13] and WSC [14] provide large-scale and full-scope NPP test systems, although the cost of these systems is very high. The structure and design principles of a fully digital FPGA-based RPS for a solid fuel (SF) thorium-breeding molten salt pebble bed fluoride salt-cooled reactor (TMSR) differ significantly from a conventional NPP system, and it requires a specialized test system rather than a large-scale and full-scope system. Therefore, a small-scale and small-scope test system was specifically developed for the RPS of the TMSR-SF1 2 MW pilot reactor project conducted by the Chinese Academy of Sciences that allows for the full-range simulation of all protection variables. Moreover, different types of failures can be tested and verified based on an extensive number of accident scenarios. Furthermore, a user-friendly graphic user interface (GUI) has been developed to provide a more intuitive test system, and improve the interaction between the test system and operator. The proposed test system also greatly improves and accelerates the V&V process for RPSs.
2 METHODS
2.1 Principle of test
Generally, a test system generates test signals in a particular order and transmits those signals to the input interface of the tested device. The test system then collects the test signal responses at the output interface of the device or some intermediate point after an appropriate time delay. The collected result is subsequently compared with the expected value to identify inconsistencies. An inconsistent comparison reveals the presence of abnormal states within the device that must be investigated [15-18].
The RPS of the TMSR-SF1 reactor was designed with a triple-modular redundant architecture, as illustrated in Fig. 1. Each channel of the three input modules receives the protection variables and passes the information to the module's respective FPGA processor. The three FPGA processors synchronize and communicate with each other via RS-485 protocol communication. Each FPGA processor executes its logic program and sends the results to its respective output module. The output protection signal results from a 2-out-of-3 voting logic of the triggering signals. The surveillance station collects RPS information via RS-485 protocol communication. The TMSR-SF1 RPS requirements are summarized in Table 1.
| Category | Contents |
|---|---|
| I/O capacity | Meet capacity requirements set by technical specification |
| Response time | Less than 100 ms |
| System reliability | Test time exceeds 1 month |
| Trigger set point | Less than 0.5 percent |
| System logic | Correctness |
| System failure | Correctness |
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F001.jpg)
RPS testing is divided into a number of test sequences, each of which corresponds to a protection function. Each sequence is also divided into several test steps, where each test step corresponds to a combination of input of the protection function. The test system sends a test signal to several inputs of the RPS synchronously within a single test step, which can form different kinds of logic configurations. To ensure that the RPS provides a realistic signal response, an appropriate time delay is incorporated between each test step. The overall scope of testing proceeds from the input interface of the RPS to the output interface of the RPS.
2.2 Structure of the test system
The test system for the TMSR-SF1 RPS employs mobile automatic test equipment that is connected to the RPS by a test cable. Once the test is completed, the test system is immediately disconnected from the RPS. The instrumentation functions on the PCI eXtensions for Instrumentation (PXI) platform. Fig. 2 illustrates the hardware block diagram of the test system, which is comprised primarily of a power supply module, operator station (PXI platform-slot PXI chassis and monitor terminal), five data acquisition cards (DAQs; National Instruments), and five signal conditioning boards (SCBs).
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F002.jpg)
The PXI platform provides powerful functions and high reliability that ensure higher precision and better stability than general control hardware [19], [20]. Moreover, the platform can also adapt to the environment of the reactor. With the help of PC client, edited programs can be installed to the internal of PXI automatically without user intervention. A PC monitoring program generated by LabVIEW runs on the PXI platform. The test program provides a human-machine interface (HMI), edits the test cases, manages the configuration files, transforms the program, analyzes and displays the test results, and controls the entire test system by means of the HMI device-keyboard, mouse, and displayer.
Conditioning, collection, and the input and output of analog and digital signals are realized by DAQs [21] and SCBs. The RPS employs industry standard I/O signals, such as standard 4–20 mA direct current and 0–24 V direct voltage signals, which are similar to NPP field signals. To provide universality and compatibility, SCBs were employed to convert DAQ signals to the type of signals required by the RPS. To facilitate operator evaluation of the real-time working condition, the SCBs include a failure indication modular. SCBs and DAQs are connected by standard cable, whereas the SCBs are joined to the RPS by an aviation connector and isolated by an optocoupler.
In addition, a self-detection unit was incorporated into the test system to achieve a self-detection functionality, and promote automatic system correction prior to testing. The results of the process variable transmitters are compared with set point values and logic conforms data of the RPS transfer through the serial communication way by an HUB port. The test system is set in a standard cabinet to protect the components and ensure ease of use. The system also allows for the expansion of the device interface in terms of both the circuit board and the physical design.
2.3 Testing procedure of the RPS test system
During the test procedure, the DAQs and SCBs receive test output and control signals, all of which derive from the primary computer system. The DAQs and SCBs isolate the status signal representative of the protection logic circuit response to the test injection signal, convert it into a test sampling signal that can be identified by a computer, and then send it to the computer for reprocessing.
However, all protection variables cannot be tested simultaneously, but must be tested one by one. For example, in testing the low power range fixed high neutron flux value, only the low power range fixed high neutron flux value disturbance is introduced, and all other variables are held constant. The associated variable is not tested randomly, but is tested according to a linear load change of 5% min−1 and a step load change of 10%.
2.4 Software and GUI
The software employed in the test system is an important factor, and should be the best and most widely used software available. In addition, numerous corresponding I/O models must be created to take into account cooperation with RPS. National Instruments' LabVIEW software and DAQ hardware are applied in the present testing system because, at present, this software [22], [23] and hardware are typically applied in NPPs for signal transfer. LabVIEW based on the graphical G language provides multi-process concurrent execution, and is capable of real-time collection of data, and is therefore convenient for collecting RPS shutdown logic data in real time. The software structure of the test system is illustrated in Fig. 3, which is mainly divided into primary and secondary computer systems. The test signals are entered by an operator, and the order is stored and parsed in the primary computer system. After that, the test signals are transmitted to the acquisition and analysis modules of the secondary computer system. Data acquisition and signal generation are conducted by the acquisition module. Data storage and data analysis of, for example, the real-time responses to operation instructions are all conducted by the analysis module. Data collected from the RPS is recorded and regularly output to a text file.
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F003.jpg)
The software algorithm was designed according to the producer/consumer model shown in Fig. 4. In the algorithm, the secondary computer system receives data or orders from the primary computer system in the first while cycle, and then performs data acquisition or generates signals according to the instruction execution, and finally stores the data in the queue awaiting processing. In the second while cycle, the algorithm successively performs a series of operations on the data such as remove, analysis, store, and display. The elements in the queue are assembled according to a first in, first out order.
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F004.jpg)
All monitoring and controlling in the proposed test system is supported by the GUI. The GUI monitors the test process and control parameters, for example, the manual/automatic control switch, set point adjustment, and configuration changes. According to requirements, additional special functions are provided in the GUI, such as signal processing and data display. The testing GUI for the low power range fixed high neutron flux value is shown in Fig. 5. In addition, the physical configuration of the I/O channels and its check are also performed in the GUI.
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F005.jpg)
3 TESTING RESULTS AND DISCUSSION
The testing of the TMSR-SF1 RPS was conducted in full accordance with GB/T 5204-2008 “Periodic tests and monitoring of the safety system of nuclear power plant”. In addition, the V&V process was conducted for the RPS test system according to guidelines or standards such as the IEEE7-4.3.2 (1993), IEC880 (1986), and JEAG4609 (1989) standards.
3.1 Reliability demonstration
According to the testing defined in the V&V plan and GB/T 5204-2008, and as a mandatory testing item required and witnessed by the research team, a long period reliability demonstration testing of the RPS was performed. The RPS was operated continuously over a period of one month, and the protection signal was repeatedly triggered by the test system. During this process, the correctness of the triggering and the stability of triggering precision was recorded and verified by the test system for a number of triggering actions and corresponding overturns of the output modules approaching 105. This testing very convincingly demonstrated the reliability of the RPS in a manner more credible than other system reliability analyses that can be performed.
3.2 Function testing
In addition to white-box testing of the safety software source code, such as review, audit, analysis, unit testing, and simulations, black-box testing (function testing) was performed on the RPS in a laboratory setting. These functions cover all protection variables, their combinations, as well as the combination of these variables based on the guidance provided by simulated signals derived from the test system. The aim of function testing is to verify the following RPS functionality.
(a) Whether the sampling of signals and calculation of the protection variables are correct.
(b) Whether the RPS can accommodate the full ranges of all input signals.
(c) Whether all protection logics are implemented correctly and the precision of the trigger set point is within the required range for each protection variable.
(d) Whether all interlock logics and fail-safe mechanisms for internal and external failures, such as the opening of a circuit, the cutting of a circuit, and a failure of any components or processors, function correctly.
This is one part of the testing required for factory acceptance testing and site acceptance testing, as defined in the IEEE Std 7-4.3.2 standard. All of above RPS functionalities were verified to be properly implemented.
3.3 Performance testing
The performance of the RPS, such as the precision of the trigger set points, the stability of the sampling modules, and the response times, were tested.
The test results verified that the precision of the trigger set point for each protection variable was within the designed range, and the stability of the sampling modules was very high. This demonstrates the advantages of high precision and high stability in the information processing and information transmission of the RPS.
Both analog and digital protection variables were chosen to trigger the RPS repeatedly and periodically. The test system transmits the input signal to the RPS, and records the state of the protection signal. The response time is determined by comparing the time between when the protection variable rose and when the state of the output module changed. For a digital RPS component, the duration of each execution cycle will not be constant because of communication between sampling modules and the RPS and between different components of the RPS, and all functions, such as sampling, calculation, comparison with the set point, trigger logic, and output of protection signals, will be executed only once during each cycle. After recording the protection variable signals and the triggered status over a long period, providing, for example, 100 triggering events, the maximum and the minimum values of the response time can be determined, which are listed in Table 2.
| Response time | Analog (ms) | Digital (ms) |
|---|---|---|
| Maximum | 7.19 | 0.56 |
| Minimum | 1.01 | 0.22 |
| Average | 3.86 | 0.41 |
According to statistical theory, the individual response time results follow a normal distribution. Therefore, the recorded response time data was evaluated according to the normal distribution fitting procedure in MATLAB software. Data histograms and the normal distribution curves were obtained, as shown in Fig. 6. According to the probability density function
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F006.jpg)
the mean response time and standard deviation were respectively μ = 3.86 and σ = 1.27 for analog protection variables, and μ = 0.41 and σ = 0.06 for digital protection variables. As such, the analog response time within the 95% credibility range was 3.61 ms to 4.11 ms, and the digital response time within the 95% credibility range was 0.39 ms to 0.42 ms.
3.4 V&V of the test system
Guidelines or standards such as the IEEE7-4.3.2 (1993), IEC880 (1986), and JEAG4609 (1989) standards address issues involving the reliability of safety systems, and define various requirements such as for hardware/software design, manufacturing, V&V procedure documentation, and maintenance. The test system, as a non-nuclear safety system, must also undergo the V&V process according to the various regulatory standards and guidelines to verify that the test system responds correctly. To meet these standards and/or guidelines, the V&V procedure was well organized, as illustrated in Fig. 7. Accordingly, the following steps were taken.
-201605/1001-8042-27-05-020/media/1001-8042-27-05-020-F007.jpg)
Step 1: Quality assurance and software configuration were verified according to national and international standards. As such, an independent V&V team responsible for all V&V activities was established. An original version of documents related to requirements and specifications were formed at the beginning of the test system development. Refined and ameliorated versions of these documents were formed after review by the V&V team. The updated documents were also evaluated by all engineers engaged in developing the test system.
Step 2: The hardware and software design specifications, that is, the logic design specifications were verified. The logic designs were verified by confirming that the logic described in the interlock block diagram meets the system specification requirements.
Step 3: PXI and LabVIEW are widely employed in numerous applications, and fulfill the requirements of a test system, for example, system lifetime and environmental adaptability with respect to temperature. For verification of the LabVIEW system components, one component of the process involved reviewing the design documentation and design scheme, and to analyze and test the source code. These tests can be classified as white-box testing. Another component of the process involved black-box testing, where the software and the test system were analyzed and tested as a whole based on external responses. The assessment of the source code employed by the test system software was conducted manually, and testing concluded that the source code was verifiable, its behavior deterministic, its performance predictable, and the development process reviewable.
Step 4: The V&V team tested the system independently using standard testing instruments, and the results are summarized in Table 3. For example, the implementation of a 4–20 mA input in the test system by the GUI resulted in an equivalent value at the output interface of the system, which can be compared with the analog signal by means of a standard calibration instrument. Also, the standard signal source simulation was tested to calibrate the interval between two signals, and the test results matched well with the simulated interval of 40 ms.
| Description | Data types | V&V result |
|---|---|---|
| Output signals | 4–20 mA | Good |
| Receive signals | TTL communication signals | Good |
| Response time | 1–100 ms | Good |
The V&V results demonstrated the advantages of the high precision and high stability of the test system.
4 CONCLUSION
A test system for the RPS of the TMSR-SF1 project was designed, and its functionality fully verified. The test system can simulate all sensor parameters of the TMSR-SF1 RPS to realize all test functions, such as adding the simulation signals through the input/output interface equipment, collecting protection trigger signals, and collecting communication signals in real-time. The test system was designed specifically to assess the RPS features of high reliability, high redundancy, and rapid response. In addition, the test system is able to monitor the RPS equipment status, track the location of faults, and estimate the faults after RPS failure. The I/O capacity of the test system satisfies the RPS performance testing requirements. Moreover, the test system demonstrated good performance with a response time in milliseconds, analog signal output precision of one over one thousand, and long-term reliability and stability. The test system developed herein will be applied to the T2 and T3 periodic experiments for the protection system of the TMSR-SF1 project through an expansion. This test system has also greatly improved the efficiency and speed of the V&V process, improved economy, and maintained safety during the development of the RPS.
Integrated software safety analysis method for digital I&C systems
. Annals of Nuclear Energy, 2008, 35:1471-1483. DOI: 10.1016/j.anucene.2008.01.009Key Characteristic Analysis of Reactor Protection System for Nuclear Power Plant Based on NuPAC
. Atom Energy Sci Technol, 2014, 48(3): 492-499. (in Chinese) DOI: 10.7538/yzk.2014.48.03.0492Design and implementation of FPGA-based digital and logical signal processing functions of reactor protection system for TMSR
[J]. Nucl Tech, 2015, 38:040404. (in Chinese) DOI: 10.11889/j.0253-3219.2015.hjs.38.040404On the speed of response of an FPGA-based shutdown system in CANDU nuclear power plants
. Nuclear Engineering and Design, 2011, 241: 2280-2287. DOI: 10.1016/j.nucengdes.2011.03.050System assessment of an FPGA-based RPS for ABWR nuclear power plant
. Progress in Nuclear Energy, 2015, 85: 44-55. DOI: 10.1016/j.pnucene.2015.05.010Optimization of periodic testing frequency of a reactor protection system based on a risk-cost model and public risk perception
. Nuclear Engineering and Design, 2011, 241: 1538-1547. DOI: 10.1016/j.nucengdes.2011.02.003A verification and validation method and its application to digital safety system in ABWR nuclear power plants
. Nuclear Engineering and Design. 1998, 183: 117-132. DOI: 10.1016/S0029-5493(98)00186-1Development and application of a dual RELAP5-3D-based engineering simulator for ABWR
. Nuclear Engineering and Design, 2009, 239:1847-1856. DOI: 10.1016/j.nucengdes.2009.05.004Plant modeling as a key tool for nuclear I&C design and V&V
.Development of COTS ADC SEE test system for the ATLAS Lar calorimenter upgrade
. Nucl Sci Tech, 2014, 25: 060403 DOI: 10.13538/j.1001-8042/nst.25.060403Radiation hardness assurance testing of microelectronic devices and integrated circuits: test guideline for proton and heavy ion single event effects
. IEEE T Nucl Sci, 2013, 60: 2101-2118. DOI: 10.1109/TNS.2013.2261317Hardness assurance test guideline for qualifying devices for use in proton environments
. IEEE T Nucl Sci, 2009, 56: 2171-2178. DOI: 10.1109/TNS.2009.2013239Readout electronics for CSR-ETF silicon strip array detector system
. Nucl. Sci. Tech., 2014, 25:040402 DOI: 10.13538/j.1001-8042/nst.25.040402PXI-1 (PCI eXtensions for Instrumentation) hardware specification revision 2.2
, 2004, http://www.pxisa.org.PCI bus data transmission system based on LabVIEW language
[J]. Nuclear Techniques, 2013, 36(7):070401 DOI: 10.11889/j.0253-3219.2013.hjs.36.070401Design of data transmission for a portable DAQ system
. Nucl. Sci. Tech., 2014, 25:010404 DOI: 10.13538/j.1001-8042/nst.25.010404