CANDU Owners Group Inc. Strength Through Cooperation

Issues Faced by CANDU Nuclear Plants
- In the early 1980s the industry lacked well-designed, reliable control hardware that could incorporate complex logic.
- Incorporating mathematical functions and logic required individual modules and more hardware, which hurt both reliability and implementation cost.
- The technology made it difficult to meet the unavailability targets required of safety systems.
- Implementation and maintenance costs rose as hardware complexity grew.
Applications of Microprocessor-Based Hardware
- Several instrument companies introduced microprocessor-based control modules that could incorporate complex logic and math functions.
- The nuclear industry had not fully assessed the impact of microprocessor-based hardware at the time, but the potential benefits of the new technology could not be ignored.
- In 1985 OPG (then Ontario Hydro) decided to use the new technology to implement the in-core LOCA conditioning signal for the ECIS modifications at the Pickering A station.
Microprocessor-Based Hardware in Safety-Related ECIS
- The hardware chosen was the Fischer & Porter (F&P) Chameleon, model# 50KM2111.
- It offered an excellent measurement platform: accuracy, reliability and functional flexibility.
- The functional requirements were programmed into the Chameleon using the menu-driven, pre-developed FTRAN language; implementation was simple and easily incorporated.
- The product offered more flexibility and features than a safety-related application requires.
Processor Application in Safety System: In-core LOCA Conditioning Signal for ECIS

Other Microprocessor-Based Applications in Safety Systems
- Demand for better logic modules led other process industries (chemical, paper, mining, etc.) to adopt microprocessor-based systems.
- The nuclear industry held back because the technology was unproven.
- However, demand for enhanced performance in nuclear safety-related applications led to further use of the F&P Chameleon microprocessor-based hardware, such as the Dump Arrest Logic modification at Pickering A in 1986 and the P-Trip logic at Bruce A in 1989.
- These applications were successful and met their reliability and functional safety targets.
Software Safety Concerns
- In the late 1980s the increased use of microprocessor-based hardware and computer systems raised concerns about software QA, particularly in safety-related applications.
- The industry experienced a number of failures caused by inadequate rigour and poor software quality.
- Ontario Hydro management assessed the rigour and quality of the software developed by F&P for the Chameleon applications.
- The assessment identified a number of deficiencies in the hardware platform and software configuration.
Software QA Concerns (1)
- The Atomic Energy Control Board (AECB) was informed of the findings and the action plans.
- The findings were published in Ontario Hydro D&D report # 88107.
- Ontario Hydro decided to correct all deficiencies in the three safety-related Chameleon applications at the Pickering A and Bruce A stations.
- Design deficiencies identified:
  - Lack of failure detection and fail-safe output
  - Lack of data checking and corrective action
  - Lack of self-checking
  - Lack of an application watchdog timer

Software QA Concerns (2)
  - Lack of target system configuration control
  - Lack of inhibition of serial communication of data into the system
  - Lack of use of custom EPROM
  - Lack of controlled use of the Chameleon front panel (human factors issue)
  - System response time not compliant with the <1.0 s requirement

Software QA Concerns (3)
  - Lack of application software development guidelines
  - Lack of a Software Designers Handbook containing guidelines for high-level design, software design logistics, coding, testing and configuration management
  - Lack of revision to application software

Power House Emergency Venting (PHEV)
- Around 1988-1991, Ontario Hydro designed and retrofitted a Power House Emergency Venting (PHEV) system for the Pickering A & B stations to protect the control room environment in the event of a steam break.
- The system had to act very fast: a steam break in the powerhouse must initiate opening of the emergency vents.
- A design analysis comparing relay logic with a microprocessor-based system concluded that microprocessor-based hardware was necessary to meet the safety mission.

Power House Emergency Venting (PHEV)
- Pickering Design took responsibility for a technical specification that met the vent-opening timing requirements and the software QA requirements set out in D&D report # 88107.
- The software standards IEC 880 and CSA Q396.1.1 were also applied to ensure software quality.
- An application watchdog timer was designed so that any hardware- or software-related failure is promptly detected and forces the outputs to a fail-safe state.

Power House Emergency Venting (PHEV)
- The Pickering A & B PHEV used 22 Chameleons to implement the new safety-related system.
- AECB staff scrutinized the whole process and were satisfied.
- To date the system has performed very well: MTBF has exceeded 200,000 hours, whereas the original design analysis assumed an MTBF below 40,000 hours.

Development of Software Standards (1)
- In the late 1980s Ontario Hydro saw the need for a well-designed software engineering standard for microprocessor-based hardware in safety-related applications.
- Ontario Hydro and AECL developed a software engineering standard defining:
  - a minimum set of software engineering processes to be followed in creating and revising the software
  - the minimum set of outputs to be produced by those processes
  - requirements for the content of the outputs
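The design deficiencies listed under Software QA Concerns (no failure detection, no fail-safe output, no data checking, no application watchdog) and the PHEV application watchdog that forces outputs to a fail-safe state are one pattern, and it can be shown in working code. The following is an added example written for this page in C; it is not the Ontario Hydro or F&P Chameleon code. The task names, the 10-tick scan window, the 4-20 mA plausibility limits and the simulated hung task are all assumptions for illustration. The point the example makes is that the application watchdog is separate from the hardware watchdog: the hardware watchdog is kicked only when every task of the scan has checked in exactly once within the deadline, and any other outcome, including an implausible input, latches the channel into its fail-safe (tripped) state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example (not the Ontario Hydro / Chameleon code): an
 * application watchdog plus input range checking.  Task names, the
 * 10-tick scan window and the 4-20 mA limits are assumptions.
 */

enum { TASK_INPUT = 1u << 0, TASK_LOGIC = 1u << 1, TASK_OUTPUT = 1u << 2 };
#define TASK_ALL      (TASK_INPUT | TASK_LOGIC | TASK_OUTPUT)
#define WINDOW_TICKS  10u          /* assumed scan deadline, in timer ticks */

typedef enum { OUT_RUN = 0, OUT_FAILSAFE = 1 } out_state_t;

typedef struct {
    uint32_t    seen;      /* tasks that checked in during this window     */
    uint32_t    ticks;     /* ticks elapsed in the current window          */
    out_state_t output;    /* state the final output stage is commanded to */
    bool        latched;   /* once failed, stay failed until manual reset  */
    const char *reason;    /* why the channel went fail-safe (diagnostics) */
} app_wdt_t;

void wdt_init(app_wdt_t *w) {
    w->seen = 0; w->ticks = 0; w->output = OUT_RUN; w->latched = false; w->reason = "";
}

/* Force the outputs to the de-energised (safe) state and latch there. */
static void wdt_trip(app_wdt_t *w, const char *why) {
    w->output = OUT_FAILSAFE; w->latched = true; w->reason = why;
}

/* Each task calls this when it completes.  A task checking in twice in one
 * window means the scan loop itself is misbehaving, which is also a fault. */
void wdt_checkpoint(app_wdt_t *w, uint32_t task) {
    if (w->latched) return;
    if (w->seen & task) { wdt_trip(w, "task ran twice in one window"); return; }
    w->seen |= task;
}

/* Called from the periodic timer interrupt.  Returns true only at the end
 * of a window in which every task checked in; that is the sole condition
 * under which the hardware watchdog may be kicked. */
bool wdt_tick(app_wdt_t *w) {
    if (w->latched) return false;
    if (++w->ticks < WINDOW_TICKS) return false;      /* window still open */
    bool ok = (w->seen == TASK_ALL);
    if (!ok) wdt_trip(w, "scan did not complete within deadline");
    w->seen = 0; w->ticks = 0;
    return ok;
}

/* Plausibility check for a 4-20 mA transmitter: readings outside the live-zero
 * band indicate a broken wire or failed transmitter (limits are assumed). */
bool input_plausible(double milliamps) {
    return milliamps >= 3.8 && milliamps <= 20.5;
}

/* One scan of a simplified trip channel: read, check, decide, write.  The
 * fail-safe output is the tripped state, so a faulted channel always trips. */
void scan(app_wdt_t *w, double sensor_ma, double setpoint_ma, bool *trip_out) {
    if (!input_plausible(sensor_ma)) wdt_trip(w, "input out of range");
    wdt_checkpoint(w, TASK_INPUT);
    bool trip = sensor_ma >= setpoint_ma;
    wdt_checkpoint(w, TASK_LOGIC);
    *trip_out = trip || w->output == OUT_FAILSAFE;
    wdt_checkpoint(w, TASK_OUTPUT);
}

/* Three healthy windows, then a window in which the logic task hangs.
 * Returns the number of hardware-watchdog kicks permitted, or -1 if the
 * hung task was not detected. */
int simulate_hung_task(void) {
    app_wdt_t w; wdt_init(&w);
    int kicks = 0; bool trip;
    for (int window = 0; window < 3; window++) {
        scan(&w, 12.0, 16.0, &trip);
        for (uint32_t t = 0; t < WINDOW_TICKS; t++) kicks += wdt_tick(&w);
    }
    wdt_checkpoint(&w, TASK_INPUT);           /* logic task never completes */
    for (uint32_t t = 0; t < WINDOW_TICKS; t++) kicks += wdt_tick(&w);
    return w.latched ? kicks : -1;
}

/* An open-circuit input (2 mA) must force the tripped output. */
bool simulate_bad_input(void) {
    app_wdt_t w; wdt_init(&w); bool trip = false;
    scan(&w, 2.0, 16.0, &trip);
    return trip && w.output == OUT_FAILSAFE;
}

/* A task that checks in twice in one window is caught as a fault. */
bool simulate_double_checkin(void) {
    app_wdt_t w; wdt_init(&w);
    wdt_checkpoint(&w, TASK_INPUT);
    wdt_checkpoint(&w, TASK_INPUT);
    return w.latched;
}

int main(void) {
    printf("watchdog kicks before hung task detected: %d\n", simulate_hung_task());
    printf("open-circuit input forces trip: %s\n", simulate_bad_input() ? "yes" : "no");
    printf("double check-in detected: %s\n", simulate_double_checkin() ? "yes" : "no");
    return 0;
}
```

The latch is deliberate: a channel that has gone fail-safe stays there until a manual reset, so a fault that clears on its own cannot silently re-arm the outputs.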
Development of Software Standards (2)
- The standard was based on the standards available at the time and on experience gained from the Darlington shutdown system software development:
  - IEC 880, Software for Computers in the Safety Systems of Nuclear Power Stations
  - CAN/CSA-Q396.1.1-89, Quality Assurance Program for the Development of Software Used in Critical Applications
  - Experience gained from licensing the Darlington Shutdown System trip computers

Development of Digital Trip Meter (1)
- Development of the digital trip meter played a pivotal role in testing the feasibility of the newly developed software standard in real-time applications.
- A digital trip meter without a microprocessor would not satisfy the instrument performance requirements (stability, accuracy, flexibility, etc.), so a microprocessor-based bargraph design with digital indication was considered the best option.

Development of Digital Trip Meter (2)
- The digital trip meter was targeted at the requirements of the Heat Transport High Temperature Trip (HTHTT) parameter.
- The hardware development contract was awarded to Ametek Dixson, who were experienced in developing digital/bargraph meters; Ontario Hydro provided the software expertise.
- The design used a 16-bit trip processor (Intel 87C654), EPROM, a tri-colour bargraph, two digital read-outs for process value and set point, and an option to view the margin to trip.
- Software development followed the Ontario Hydro/AECL Standard for Safety Critical Software, 982C-H69002-0001.

Development of Digital Trip Meter

Digital Trip Meter
Conclusion
- The development of the Digital Trip Meter demonstrated the successful use of software engineering standards for safety-related applications.
- The success of the process gave additional confidence for applying the software engineering standard to the redesign of the more complex software for Darlington Shutdown Systems 1 & 2.
- The progressive experience gained in software QA has helped the CANDU industry undertake more challenging projects.

Acknowledgement
The authors wish to acknowledge the support received from Messrs. Mike Viola and Rick Hohendorf of Ontario Power Generation (OPG) for reviewing the paper and for granting COG permission to use some of the information in preparing this document.

Questions