Application of Microprocessor based Technology in CANDU Stations presented at IAEA Technical Meeting

1
Application of Microprocessor based Technology
in CANDU Stationspresentedat IAEA Technical
Meeting held in Toronto, Ontario, Canada
John Froats Ujjal MondalCANDU Owners Group
Inc.
November 1, 2007
2
Issues Faced by CANDU Nuclear Plants

• In early 80s lack of well designed, reliable
  control hardware incorporating complex logic was
  experienced by the industry
• Incorporation of mathematical functions and logic
  needed individual modules and more hardware.
• Reliability and cost of implementation was
  negatively affected
• The technology made it difficult to meet certain
  unavailability targets required by safety systems
  
• The cost of implementation and maintenance
  increased as the hardware complexity grew.

3
Applications of microprocessor-based hardware

• Several instrument companies introduced
  microprocessor based control modules that could
  incorporate complex logic and math functions.
• The impact of microprocessor based hardware was
  not fully assessed by the nuclear industry at the
  time
• However, the potential benefits offered by these
  new technology could not be ignored
• OPG (then Ontario Hydro) decided to use the new
  technology in 1985 for implementation of Incore
  LOCA conditioning signal for ECIS modifications
  in Pickering A Station

4
Microprocessor-based hardware in safety related
ECIS

• The hardware chosen was manufactured by Fischer
  Porter (FP) Chameleon, model 50KM2111. This
  hardware offered an excellent measurement
  platform, accuracy, reliability and functional
  flexibility
• The functional requirements were programmed in
  Chameleon using a menu-driven pre-developed FTRAN
  language. The implementation was simple and
  easily incorporated. The product offered more
  flexibility and features than a safety related
  application would require.

5
Processor Application in safety System
In-core LOCA conditioning signal for ECIS
6
Other microprocessor based Applications in Safety
System

• Demand for better logic modules led other process
  industries (Chemical, paper, mining etc) to use
  more microprocessor based systems. The nuclear
  industry stayed behind due to unproven
  technology.
• However, demand for enhanced performance
  requirements in nuclear safety related
  applications led to use of FP Chameleon
  microprocessor-based hardware in safety related
  applications. Such as
• Dump Arrest Logic modification in Pickering A in
  1986
• P-Trip logic in Bruce A in 1989
• These applications were successful and met the
  reliability and functional safety targets

7
Software Safety Concerns

• In late 80s increased use of microprocessor-based
  hardware and computer systems raised the concern
  of software QA, particularly in safety related
  applications. A number of failures due to
  inadequate rigour and software quality were
  experienced by the industry. Ontario Hydro
  management conducted an assessment of rigour and
  quality used in software developed by FP for
  Chameleon applications.
• The assessment identified a number of
  deficiencies in the hardware platform and
  software configuration

8
Software QA Concerns (1)

• Atomic Energy Control Board (AECB) was informed
  about the findings and the action plans. The
  findings were published in Ontario Hydro DD
  report 88107. It was decided that Ontario Hydro
  would correct all deficiencies in 3 safety
  related applications of Chameleons in Pickering A
  and Bruce A Stations. The following
  deficiencies were identified
• Design deficiencies
• Lack of failure detection and fail-safe output
• Lack of data checking and corrective action
• Lack of self checking
• Lack of Application Watchdog Timer

9
Software QA Concerns (2)

• Lack of Target System Configuration Control
• Lack of inhibition of serial communication of
  data into the system
• Lack of use of custom EPROM
• Lack of controlled use of Chameleon front panel
  (Human factors issue)
• Lack of compliance of system response time to
  lt1.0 sec.

10
Software QA Concerns (3)

• Lack of Application Software Development
  Guidelines
• Lack of development of Software Designers
  Handbook containing
• Guidelines for High level design
• Software design logistics
• Coding
• Testing
• Configuration management
• Lack of revision to application software

11
Power House Emergency Venting (PHEV)

• About 1988-1991, Ontario Hydro embarked on the
  design and retrofit of Power House Emergency
  Venting (PHEV) system for Pickering A B
  Stations to protect the environment of the
  Control Rooms upon a steam break. This system
  required a very fast action which would initiate
  the opening of Power House Emergency Venting upon
  a steam break in the Powerhouse. A design
  analysis of using relay logic versus
  microprocessor-based system was carried out and
  it was decided that use of a microprocessor-
  based hardware would be necessary to comply with
  the safety mission

12
Power House Emergency Venting (PHEV)

• Pickering Design undertook the responsibility of
  developing a technical specification that would
  meet the timing requirements of vent opening and
  compliance of software QA as found in DD report
  88107. In addition software standards IEC880
  and CSA Q396.1.1 was used to ensure the software
  quality. An application watchdog timer was
  designed so that any hardware or software related
  failures are promptly detected and force the
  outputs to a fail-safe mode.

13
Power House Emergency Venting (PHEV)

• Pickering A B PHEV used 22 chameleons to
  implement the functionalities of the new safety
  related system. AECB Staff members scrutinized
  the whole process and were satisfied. To date
  the system has been performing very well and MTBF
  has exceed well over 200,000 hours. The original
  design analysis used MTBF to be less than 40,000
  hours.

14
Development of Software Standards (1)

• In late 80s, Ontario Hydro felt the need for a
  well designed software engineering standard for
  application of microprocessor based hardware in
  safety related applications. Ontario Hydro and
  AECL developed a software engineering standard
  that would define
• A minimum set of software engineering processes
  to be followed in creating and revising the
  software
• The minimum set of outputs to be produced by the
  processes
• Requirements for the content of the outputs

15
Development of Software Standards (2)

• The standard was developed based on the standards
  available at that time and experience gained from
  Darlington shutdown system software developments
• IEC 880 Software for computers in the safety
  system of Nuclear Power Stations
• CAN/CSA-Q396.1.1-89 Quality Assurance Program
  for the Development of Software Used in Critical
  Applications
• Experience gained from licensing the Darlington
  Shutdown System Trip Computers

16
Development of Digital Trip Meter (1)

• Development of the digital trip meter played a
  pivotal role in checking out the feasibility of
  the newly developed software standards in real
  time applications.
• A digital trip meter without microprocessors
  would not satisfy instrument performance
  requirements, e.g., stability, accuracy,
  flexibility etc. Hence, using microprocessor-base
  d technology using a bargraph design with digital
  indication was thought to be the best option.

17
Development of Digital Trip Meter (2)

• The digital trip meter development was targeted
  to fulfil the requirements of Heat Transport High
  Temperature Trip (HTHTT) parameter.
• The hardware development contract was awarded to
  Ametek Dixson, who were well experienced in
  developing digital/bargraph meters.
• Ontario Hydro provided software expertise. The
  design used a 16-bit trip processor, (Intel
  87C654), EPROM, bargraph (tri colour), two
  digital read-outs for process value and set point
  and option to view margin to trip. The software
  development followed Ontario Hydro/AECL Standard
  for Safety Critical Software, 982C-H69002-0001.

18
Development of Digital Trip Meter
19
Digital Trip Meter
20
Conclusion

• The development of Digital Trip Meter
  demonstrated successful use of software
  engineering standards for safety related
  applications. The success of the process
  provided additional confidence for use of the
  software engineering standard on redesign of more
  complex application of software for Darlington
  Shutdown System 1 2.
• The progressive experience gained on software QA
  has helped the CANDU Industry to undertake more
  challenging projects.

21
Acknowledgement

• The authors wish to acknowledge the support
  received from Messrs. Mike Viola and Rick
  Hohendorf of Ontario Power Generation (OPG) for
  review of the paper and for the permission to COG
  for use of some of the information in preparation
  of this document.

22
Questions

• ??