Proceedings of the 16th International Conference on Nuclear Engineering
May 11-15, 2008, Orlando, Florida, USA

Drew J. Rankin
Control and Instrumentation (CIES) Research Group
Department of Electrical and Computer Engineering
University of Western Ontario
London, Ontario N6A 5B8

Jin Jiang
Control and Instrumentation (CIES) Research Group
Department of Electrical and Computer Engineering
University of Western Ontario
London, Ontario N6A 5B8

Copyright 2008 by ASME

ABSTRACT
This paper presents the performance of shutdown system one (SDS1) implemented on a programmable logic controller (PLC) within real-time hardware-in-the-loop (HIL) simulation. The SDS1 evaluation is focused on steam generator (SG) level low trip scenarios. A comparison of the findings with simulated expected plant operation is performed. An Invensys Triconex Tricon v9 safety PLC is interfaced to a real-time nuclear power plant (NPP) simulation suite (DarlSIM), replicating the operation of the Darlington NPP SDS1. Design basis accidents (DBA) associated with SDS1 regulatory standards are developed and applied to the two simulation environments. HIL simulation is a preferred method for testing systems prior to installation and is necessary to ensure proper SDS verification and validation. The performance of the Tricon v9 PLC, the HIL simulation platform and the two simulation environments is evaluated.

INTRODUCTION
In a CANDU NPP, 28 neutron absorbing (cadmium) shutdown rods are suspended above the reactor core by energized clutch mechanisms. The rods drop into the core when de-energized. The primary shutdown system (SDS1) initiates the release of the shutdown rods into the reactor core to stop the nuclear chain reaction.

CANDU SDS1 includes three redundant trip channels (D, E, F), each composed of two programmable digital comparators (PDCs). PDC1 and PDC2 are responsible for decision making regarding a subset of the defined shutdown process parameters within a given channel. The parameter subsets for each PDC are identical across each of the three channels [1].

Current CANDU safety critical control systems contain components which are becoming increasingly obsolete. Studies have been conducted to deal with control system hardware obsolescence [2]. One commonly proposed solution is the replacement of obsolete systems with PLC technologies. PLC capabilities include advanced control logic algorithms, communication modules, built-in redundancy, self-diagnostics, predictive maintenance routines, online remote monitoring and intelligent control routines.

To assist with the incorporation of new technologies, system functionality is validated through simulation. Hardware-in-the-loop (HIL) simulations focus on the inclusion of the physical controller in question within a simulation environment. HIL simulation can therefore be used to verify the correct execution of the logic on replacement digital controllers [3]. Benefits associated with HIL simulation include:
- infinite selection of relevant operational scenarios,
- ability to replicate scenarios over multiple iterations,
- reduced cost implication,
- reduction of on-site configuration,
- replication of system operation for hazardous scenarios,
- convenience of validating control logic on physical controllers for inaccessible systems,
- resulting simulations most closely resemble the performance of the prospective controller [4].

This paper is intended to evaluate the discrepancies between
software and HIL simulation of a safety critical application. The paper is organized as follows: a description of the developed simulation platform; an introduction to the Tricon v9 PLC; a description of the simulated DBA scenarios; and an analysis of the HIL platform, the HIL simulations, and the NPP software simulation suite. Finally, concluding remarks and recommendations for real-time control system simulation and acknowledgments are provided.

HARDWARE AND SOFTWARE SIMULATION ENVIRONMENTS
The investigated HIL simulations are composed of six major components: DarlSIM, the Tricon v9 PLC, the NI workstation, the SDS1 control logic, a communication script, and a process variable conversion (signal conditioning) and data collection virtual instrument (VI). A bench-mark for system evaluation is provided by an entirely software-driven simulation (NI-DarlSIM).

HIL vs bench-mark software simulation platform
The methods of communication between each of the components within the HIL loop are illustrated in Figure 1. The arrows represent signal transmission from the sensing devices to the decision-making unit and the return path to the actuating devices. Conversely, Figure 2 presents a fully software simulation (NI-DarlSIM). In this environment, the NI workstation acts only as a process variable monitor and does not provide any communication path between control system components.

DarlSIM includes separate modules for the three SDS channels (D, E, F). Though each PDC cannot be independently disabled, an entire channel can. During HIL simulation the Ch-D trip computer module is disabled (Figure 1: SDS1 Ch-D) to allow Tricon v9 to take control of the SDS1 process.

Darlington NPP simulator
DarlSIM emulates the operation of the Darlington NPP. Execution of DarlSIM is scheduled by a list of modules (the module table). Each module table entry consists of a module name, an execution interval and an execution phase. The execution phase specifies that a module does not execute until the specified time within the execution interval, and that it then continues over one execution interval. For example, the SDS1 Ch-D, E and F trip computers are scheduled to execute during the 100ms phase of the 200ms execution interval. More specifically, their execution begins 100ms after the 0ms phase modules begin and continues for 100ms following the completion of the 0ms phase modules, for a total interval of 200ms. The minimum execution interval available is 50ms, and phase positions are therefore available in multiples of 50ms.

There are two configurations for this evaluation, one corresponding to software simulation and the other to HIL simulation. Each configuration corresponds to a unique module table. The state of the NPP is stored in restore points. Restore points provide access to common reactor operation modes and common scenario-related instances. For the purpose of this evaluation, a single restore point is created. This restore point reflects full power operation of the plant.

Software and HIL simulations require communication scripts for different purposes. In the HIL simulation, the communication script is used to transmit process variables through ethernet via UDP/IP to the VI on the NI workstation. During NI-DarlSIM, the communication script is used as a tool for monitoring process variables.

A generalized communication script is used for both simulation environments. It includes four modules: 1) open UDP connection, 2) send data, 3) receive data, and 4) close UDP/IP connection. The open and close UDP/IP connection modules are placed in the initialization (INIT) and termination (TERM) execution intervals of the module tables. In the case of HIL, the send data (process variables) module is placed prior to the disabled SDS1 Ch-D trip module and the receive data module is placed immediately following the SDS1 Ch-D trip module. Receiving data is not necessary for NI-DarlSIM, and this module is removed. The send and receive data modules provide access to the common database (CDB) of DarlSIM. The CDB is a memory bank where runtime process variables are stored.

NI workstation and VI
An NI PCI-6704 is used within the HIL simulation platform to provide the hardware connection between the external hardware and the LabVIEW VI. This card provides 16 voltage outputs, 16 current outputs and eight (5V TTL/CMOS) digital I/O lines. An ethernet port is used to communicate with DarlSIM through UDP/IP.

The process of the VI in the two simulation environments is illustrated in Figure 3. The connection to DarlSIM to receive and transmit UDP/IP packets remains the same between HIL and NI-DarlSIM. However, the NI-DarlSIM method does not interface to the PCI-6704 DAQ card. Further, data collection of the trip signal is modified according to the active simulation, as the logical definitions (TRUE/FALSE) of Tricon v9 and DarlSIM are different.

UDP/IP packets are extracted to a string using standard LabVIEW communication blocks. The string is segmented into process variables, each consisting of an identifying integer, a multiplier, and a signal value. A steam generator (SG) level is transmitted within the UDP/IP packet as 2.43m, not as an analog current or voltage. The signal values are converted using the accompanying multiplier (Figure 3: Signal conversion) and inserted into the correct index within either the process variable array or the process monitoring array. The monitoring array is stored into a database (CSV) for post-processing. The process variable array is output to the PCI-6704 DAQ card. Tricon v9 receives these signals (4-20mA) accordingly.

The same process occurs in the opposite direction. Following the decision-making unit execution, signals from Tricon v9 enter the PCI-6703 DAQ card and are converted to SI unit process variables or DarlSIM expected logical values. These process variables are then transmitted through UDP/IP to DarlSIM, where they are inserted into the CDB.

Tricon v9 PLC
The Tricon v9 triple modular redundant (TMR) PLC has been IEEE Class 1E and 603-1991 certified by the US Nuclear Regulatory Commission (USNRC) [5], and was recently selected for the replacement of SDS1 controllers at Point Lepreau NPP in New Brunswick. Tricon v9 provides complete triple redundancy from input to output terminal.

The Tricon v9 PLC included within the HIL simulation environment includes: triplicated 3008 Tricon enhanced main processors; a 4351 Tricon communication module; a 32-point 3503/E discrete input module (24V); a 32-point 3604/E discrete output module (24V); a 32-point 3700/A analog input module (5V); and an 8-point 3805/E analog output module (4-20mA) [6].

Assumptions for HIL simulation
DarlSIM has a minimum execution interval of 50ms, whereas the SDS1 execution interval is 200ms. Therefore, it is assumed that the required process variable dynamics do not vary during this interval. Also, execution within Tricon v9 is assumed to be instantaneous upon receipt of the process variables. However, the two systems are not synchronized. Transmission of the process variables through the NI workstation to the external hardware is assumed to be sufficiently fast for HIL simulation. This aspect of the simulation will not be evaluated in this paper. However, delays associated with the HIL simulation are monitored to assure proper transmission.
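
The segmentation and signal conversion described for the NI-VI above, written out as an added Python example rather than the paper's LabVIEW VI. The datagram layout (semicolon-separated "id,multiplier,value" fields), the id-to-index map and the engineering ranges are assumptions; what the text fixes is that each field carries an identifying integer, a multiplier and a signal value, that an SG level travels as 2.43m rather than as a current, and that the converted values are split into a process variable array (scaled to 4-20mA for the DAQ outputs) and a monitoring array (written to CSV). Rejecting unknown identifiers and clamping to the loop range are the checks a practitioner would want before a datagram drives a safety PLC's analog inputs.

```python
"""Splitting a DarlSIM process-variable datagram and conditioning it to 4-20 mA.

Added example, not the paper's LabVIEW VI.  The datagram layout
(semicolon-separated fields of "id,multiplier,value"), the id-to-index map
and the engineering ranges are constructed assumptions; the text only states
that each field carries an identifying integer, a multiplier and a signal
value and that, e.g., an SG level travels as 2.43 m rather than as a current.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    index: int      # slot in the process variable / monitoring arrays
    low: float      # engineering value mapped to 4 mA
    high: float     # engineering value mapped to 20 mA


# Assumed map from identifying integer to channel (not DarlSIM's CDB layout).
CHANNELS = {
    17: Channel("NW_SG_LEVEL_m", 0, 0.0, 5.0),
    23: Channel("NW_SG_FEEDWATER_kg_s", 1, 0.0, 400.0),
}


def parse_datagram(payload: str) -> dict[int, float]:
    """Segment the string into (id, multiplier, value) triples and apply the multiplier.
    Malformed fields or unknown ids raise instead of landing in a wrong array slot."""
    values = {}
    for field in filter(None, payload.strip().split(";")):
        parts = field.split(",")
        if len(parts) != 3:
            raise ValueError(f"malformed field {field!r}")
        pv_id, multiplier, raw = int(parts[0]), float(parts[1]), float(parts[2])
        if pv_id not in CHANNELS:
            raise ValueError(f"unknown process variable id {pv_id}")
        values[pv_id] = raw * multiplier
    return values


def to_milliamps(ch: Channel, value: float) -> float:
    """Engineering units -> 4-20 mA loop current, clamped to the loop range."""
    frac = (value - ch.low) / (ch.high - ch.low)
    return 4.0 + 16.0 * min(1.0, max(0.0, frac))


def from_milliamps(ch: Channel, milliamps: float) -> float:
    """4-20 mA read back from the DAQ card -> engineering units (return path)."""
    return ch.low + (ch.high - ch.low) * (milliamps - 4.0) / 16.0


def build_arrays(payload: str):
    """Return (process variable array in mA for the DAQ outputs, monitoring array in SI)."""
    values = parse_datagram(payload)
    pv_array = [4.0] * len(CHANNELS)     # unused outputs rest at 4 mA (live zero)
    monitoring = [0.0] * len(CHANNELS)
    for pv_id, value in values.items():
        ch = CHANNELS[pv_id]
        pv_array[ch.index] = to_milliamps(ch, value)
        monitoring[ch.index] = value
    return pv_array, monitoring


def monitoring_csv_row(t_s: float, monitoring: list[float]) -> str:
    """One CSV line for post-processing: time, then the SI values in array order."""
    return ",".join([f"{t_s:.1f}"] + [f"{v:.3f}" for v in monitoring])


# Constructed datagram: SG level 2.43 m (sent as 243 with multiplier 0.01)
# and feed-water flow 308 kg/s.
SAMPLE_DATAGRAM = "17,0.01,243;23,1.0,308.0;"

if __name__ == "__main__":
    pv, mon = build_arrays(SAMPLE_DATAGRAM)
    print("DAQ outputs (mA):", pv)
    print("monitoring row:", monitoring_csv_row(18.0, mon))
```

The live-zero convention (4mA for an idle output) is what lets the PLC side distinguish a genuinely low reading from a broken loop, which is why unused array slots are initialised to 4.0 rather than 0.0.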

SDS1 control logic
The SDS1 reference logic is an emulation of the code currently used within the PDCs at Darlington NPP. Identical FORTRAN code executes within DarlSIM. The logic is translated from FORTRAN source to block schematic diagrams and English description to enable replication in the new programming environment.

The SDS1 logic implementation on Tricon v9 is performed using function block diagrams and the Tristation 1131 Developers Workbench (1131DW). The logic is configured to execute on a 200ms interval. Though Tricon v9 supports ladder logic diagrams, structured text, and the cause and effect programming language editor (CEMPLE), function block diagrams (FBDs) are preferred for the following reasons:
- Tricon v9 SDS1 logic at Point Lepreau NPP will incorporate this method;
- proven performance of the Wolsong 2, 3 and 4 and Qinshan 1 and 2 NPPs, which utilize a similar graphical engineering software approach (Integrated Approach (IA)); and
- similarities in concepts and functions between the existing IA function block language and the available IEC 61131-3 FBDs [7].

Execution of the SDS1 logic on the HIL platform, as in Figure 1, requires a path for input and output variables. In the actual SDS, the decision-making unit is directly wired to sensors and actuators. The analog and digital input signals that are received by the Tricon v9 analog and digital input modules are conditioned to be similar to the analog and digital signals that would be present within the actual SDS.

Simplified SDS1 logic is implemented on Tricon v9 for this evaluation. The logic does not include compensated average power conditioning, manual SG level low conditioning or log N rate neutronic power conditioning. The process of determining the SG level low trip is otherwise identical, with modified thresholds for observational purposes.

Figure 4. CANDU SDS1 PARAMETERS AND PROCESS FLOW.

DESIGN BASIS ACCIDENTS

Design basis accident scenario
The design basis accident scenario selected for the current study is the spurious closure of feed-water valves. SDS1 DBA scenarios are developed according to the trip parameters in Figure 4. The spurious closure of feed-water valves (SCFW) initiates a loss of secondary side heat removal [8]. This directly affects the SG level. Upon instantiating SCFW within the feed-water system of any of the 4 SGs, the SG level will decrease to an unsafe level.

For this investigation, the sole cause of the SDS1 Ch-D trip is the spurious closure of level control valve 101 (LCV101), as illustrated in Figure 5. LCV101, 102 and 103 control the flow of coolant to the North-West SG (Figure 5: NW BOILER) from the feed-water heat exchanger (Figure 5: HX5A). When a single spurious closure is detected, the SG level controller (SGLC) opens the parallel LCV103. If this redundant valve (LCV103) fails, the NPP will enter the DBA. This is performed by restricting LCV103 to fail partially opened. With the SG feed-water flow below a sustainable level, LCV102 could be opened. However, the redundancy of the system has been compromised; therefore repair procedures

Restriction of feed-water flow to any SG is a significant safety risk. Feed-water (light water) is heated up in the SG and produces steam. A low water level in any of the SGs can cause significant damage to the SG unit. If SG levels were allowed to drop too low, the pressurized heavy water tubes within the SG could be compromised.

Simulation scenario
Execution of the DBA is performed over ten instances for the NI-DarlSIM and HIL environments. For each of the simulations, the appropriate configuration is loaded into DarlSIM and the simulator is restored to full power operation. During the HIL simulation the Tricon v9 controller is placed in RUN mode; this is not the case for the NI-DarlSIM analysis. With DarlSIM in RUN mode and the Tricon v9 controller in RUN mode, the NI-VI is executed. DarlSIM remains at full power operation for up to two minutes before the two initiating events are performed. The NI-VI captures the dynamics of the system process variables and stores the data for post-processing in CSV format.

Expected response of SDS1
The failure of the two valves will not immediately trigger shutdown. The NW-SG level begins decreasing at an increasing rate. Once the SG level drops below the SG level low threshold, Ch-D will trip on NW-SG level low. At this time, on the condition that neither Channel E nor F (Ch-E, Ch-F) has tripped, the reactor remains at full power and the shutdown rods remain outside of the reactor core. Once either of the other two channels meets the trip condition, the shutdown rods will be dropped into the reactor core, effectively shutting down the nuclear fission and keeping the reactor at a safe level.

Figure 6. SPURIOUS CLOSURE OF FEED-WATER VALVE PROCESS (NI-DarlSIM).

Process evaluation
The DBA is first performed in the NI-DarlSIM environment as a bench-mark. Figure 6 reflects the dynamics of the entire SCFW DBA process. Prior to the simulation, the Ch-D, E and F SG level low thresholds are configured to 2.05m. The spontaneous closure of LCV101 (~18sec) causes the SG level to begin decreasing, as the feed-water flow has been reduced from ~308kg/s to 0kg/s. After 20-30 seconds the redundant valve (LCV103) opens. The backup valve fails at 2.43%, representing a 97.57% blockage or a defective valve (~60sec). As feed-water requirements cannot be achieved, the SG level continues decreasing. Auxiliary systems respond to the reduction in feed-water supply, as indicated by the slowly decreasing reactor thermal power. The SG level continues decreasing towards the pre-set threshold, where the thermal power begins decreasing at a linear rate (90-110sec). When the SG level drops below the Ch-D SG level threshold, Ch-D, E, and F trip simultaneously. After a brief delay, the reactor thermal power decreases rapidly, indicating proper shutdown operation. The brief delay following the trip corresponds to the shutdown rod insertion process. Though the rods are released very quickly following trip conditioning, the process of insertion and the absorption require additional time.

Figure 7. SPURIOUS CLOSURE OF FEED-WATER VALVE PROCESS (HIL).

An overview of the HIL response to the SCFW DBA is illustrated in Figure 7. For proper identification of the Ch-D HIL trip, the Ch-F SG level low threshold has been modified with an add-bias override within DarlSIM. The Ch-F SG level low trip condition does not occur during the investigation, as the included bias adds 1m to the detected Ch-F SG level. The spontaneous closure of LCV101 (~18sec) and a partial blockage at LCV103 (~225sec) produce the exact same dynamics as observed in NI-DarlSIM. However, upon the Ch-E DarlSIM trip, the reactor thermal power reduction rate remains constant. The Ch-E trip mechanism has not failed, as it is clear that the channel tripped properly given the indicated threshold (2.20m), the SG level, and the Ch-E trip signal. The SG level continues decreasing and drops below the Ch-D SG level threshold. When Tricon v9 receives the SG level at the analog input card, the SDS1 logic executes and the trip signal is returned to DarlSIM. The response of DarlSIM following the Tricon v9 induced HIL signal resembles exactly the shutdown process following the bench-mark evaluation.
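
The following added Python example (not DarlSIM, PDC or Tricon code) models two things from the preceding sections together: the simplified SG level low trip with three latched channels and two-out-of-three rod release, using the thresholds quoted above (2.05m in the bench-mark, 2.20m for Ch-E in the HIL run, and the 1m add-bias that keeps Ch-F from tripping), and the HIL module table with the UDP send module before the disabled Ch-D slot and the receive module immediately after it, with the 50ms tick and 100ms phase of the 200ms interval. The SG level trajectory, the module names other than those in the text, the Ch-D and Ch-F thresholds in the HIL run and the one-interval transport delay through the NI-VI and DAQ card are assumptions. Run against a falling level, the PLC-side Ch-D trip reaches DarlSIM one 200ms interval after the internal Ch-D of the bench-mark would have tripped, which is the delay examined in the detailed HIL simulation response below.

```python
"""SG level low trip (three channels, 2oo3 rod release) and the module-table
timing of the HIL trip path.  Added example; not DarlSIM, PDC or Tricon code.
Thresholds 2.05 m / 2.20 m, the Ch-F 1 m add-bias, the 200 ms interval, the
100 ms phase and the send/receive placement come from the text; the level
trajectory, PLANT_PROCESS and the one-interval transport delay are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass

TICK_MS = 50               # minimum DarlSIM execution interval
SDS1_INTERVAL_MS = 200
SDS1_PHASE_MS = 100


@dataclass
class TripChannel:
    """One trip channel's SG level low comparison (simplified, latched)."""
    name: str
    threshold_m: float
    add_bias_m: float = 0.0      # DarlSIM add-bias override on the sensed level
    tripped: bool = False

    def evaluate(self, sg_level_m: float) -> bool:
        if sg_level_m + self.add_bias_m < self.threshold_m:
            self.tripped = True  # a tripped channel stays tripped
        return self.tripped


def rods_released(channels) -> bool:
    """Shutdown rods drop once any two of the three channels are tripped."""
    return sum(ch.tripped for ch in channels) >= 2


def first_trip_intervals(levels, channels):
    """Feed one level sample per SDS1 interval through the channels; return the
    interval of each channel's first trip and of the 2oo3 rod release (None if never)."""
    first = {ch.name: None for ch in channels}
    first["rods"] = None
    for k, level in enumerate(levels):
        for ch in channels:
            if ch.evaluate(level) and first[ch.name] is None:
                first[ch.name] = k
        if first["rods"] is None and rods_released(channels):
            first["rods"] = k
    return first


@dataclass(frozen=True)
class ModuleEntry:
    name: str
    interval_ms: int
    phase_ms: int
    enabled: bool = True

    def __post_init__(self):
        if self.interval_ms % TICK_MS or self.phase_ms % TICK_MS:
            raise ValueError(f"{self.name}: interval and phase must be multiples of {TICK_MS} ms")
        if not 0 <= self.phase_ms < self.interval_ms:
            raise ValueError(f"{self.name}: phase must lie within the interval")


def schedule(table, horizon_ms):
    """(start_ms, module) for every enabled run before horizon_ms, ordered by start
    time and then by table position for modules that share a phase."""
    runs = [(start, pos, m.name) for pos, m in enumerate(table) if m.enabled
            for start in range(m.phase_ms, horizon_ms, m.interval_ms)]
    return [(start, name) for start, _, name in sorted(runs)]


# HIL module table as described: UDP send before the disabled Ch-D slot, UDP
# receive right after it.  PLANT_PROCESS (assumed name) stands in for the
# 0 ms phase modules that update the SG level.
TABLE_HIL = [
    ModuleEntry("PLANT_PROCESS", SDS1_INTERVAL_MS, 0),
    ModuleEntry("UDP_SEND", SDS1_INTERVAL_MS, SDS1_PHASE_MS),
    ModuleEntry("SDS1_CH_D", SDS1_INTERVAL_MS, SDS1_PHASE_MS, enabled=False),
    ModuleEntry("UDP_RECV", SDS1_INTERVAL_MS, SDS1_PHASE_MS),
    ModuleEntry("SDS1_CH_E", SDS1_INTERVAL_MS, SDS1_PHASE_MS),
    ModuleEntry("SDS1_CH_F", SDS1_INTERVAL_MS, SDS1_PHASE_MS),
]


def hil_ch_d_trip_interval(levels, plc: TripChannel, transport_intervals=1):
    """Interval in which DarlSIM's receive module first sees the PLC's Ch-D trip.
    The PLC evaluates instantaneously, but the unsynchronised path through the
    NI-VI and DAQ card delivers its result transport_intervals later (1 assumed)."""
    arrivals = {}
    for k, level in enumerate(levels):
        plc.evaluate(level)                           # UDP_SEND: level leaves DarlSIM
        arrivals[k + transport_intervals] = plc.tripped
        if arrivals.get(k, False):                    # UDP_RECV: runs after the send slot
            return k
    return None


# Constructed trajectory, one sample per 200 ms interval, falling at an increasing rate.
LEVELS_M = [2.50, 2.40, 2.28, 2.18, 2.10, 2.04, 1.96]


def bench_channels():
    """NI-DarlSIM bench-mark: all three thresholds at 2.05 m."""
    return [TripChannel("Ch-D", 2.05), TripChannel("Ch-E", 2.05), TripChannel("Ch-F", 2.05)]


def hil_channels():
    """HIL run: Ch-E at 2.20 m, Ch-F with the 1 m add-bias; the Ch-D and Ch-F
    thresholds (2.05 m) are assumptions."""
    return [TripChannel("Ch-D", 2.05), TripChannel("Ch-E", 2.20),
            TripChannel("Ch-F", 2.05, add_bias_m=1.0)]


def hil_trip_delay_ms(levels=LEVELS_M):
    """Delay of the PLC-induced Ch-D trip relative to the bench-mark's internal Ch-D."""
    internal = first_trip_intervals(levels, bench_channels())["Ch-D"]
    via_plc = hil_ch_d_trip_interval(levels, TripChannel("Ch-D", 2.05))
    return (via_plc - internal) * SDS1_INTERVAL_MS
```

With transport_intervals set to 0 the PLC trip lands in the same interval as the internal one, which is the point of the recommendation that follows: the delay is a property of where the send and receive modules sit in the table and of the interval used to transmit variables, not of the trip logic itself.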

Detailed simulator response
The information for monitoring of DarlSIM by the NI-VI is investigated more closely. The dynamics at the Ch-D trip are presented in Figure 8. The identification of any inconsistencies in the simulation is significant for further development of the simulation platforms. It is apparent in Figure 8 that the Ch-D, E, F trip signal is actuated within the 0th execution interval (<200ms). In fact, in the second test (Level Trip:2), the indicated Ch-D, E, F trip signal appears to occur before the SG level drops below the SG level threshold. The NI-DarlSIM trip is a reference trip signal produced by the NI-VI when an SG level below the threshold is transmitted from DarlSIM. The discrepancy between the two trip signals likely occurs during the transmission of process variables between DarlSIM and the NI-VI.

As a bench-mark, the 0th interval execution does not provide adequate detailed information regarding the execution time of the SDS1 logic. However, to utilize DarlSIM at its present capability, achieving the HIL SDS1 trip within the first execution interval is suitable.

Detailed HIL simulation response
A closer investigation of the HIL response is also presented in Figure 9. It is observed that the Ch-D trip signal induced by Tricon v9 is not realized by DarlSIM in the same execution as in NI-DarlSIM. The NI-DarlSIM trip signal is reported upon receiving a signal for SG level below the threshold. At this time (0th execution interval), DarlSIM should have Ch-D tripped if the Ch-D trip computer were not disabled. However, the SG level signals are not received by Tricon v9 until the 0th execution interval has passed. The SDS1 logic within Tricon v9 only detects the SG level low condition during the 1st execution interval. The Ch-D trip signal is therefore realized following the 1st execution interval. The delays observed in the Ch-D trip signal could result in significant variances in real-time (<200ms execution interval) DarlSIM module execution.

Figure 9. HIL SIGNALS.

CONCLUSIONS AND RECOMMENDATIONS
In summary, two simulation roles have been observed: the role of the NI-VI to monitor the entirely software DarlSIM simulator during a DBA, and the role of the NI-VI to provide HIL simulation capabilities between the DarlSIM simulator and the Tricon v9 controller during a DBA.

The bench-mark NI-DarlSIM simulation provides an accurate illustration of the proper operation of SDS1 during SCFW. Upon further investigation, discrepancies between DarlSIM and NI-VI process variables are identified. These discrepancies are likely caused by one of two situations. A possible cause is that NI-VI calculations are producing variances in the recorded steam generator levels. Another possible cause is delayed transmission or receipt of the process variables between DarlSIM and the NI-VI. As mentioned previously, the transmission of a variable to assure proper updating frequency was performed. However, a more elaborate communication scheme should be considered.

The integration of Tricon v9 into the Ch-D HIL simulation environment can be considered a success. An NPP shutdown scenario was illustrated where the Ch-D SG level low trip was induced by the Tricon v9 controller. The HIL simulation environment is therefore integrated appropriately for evaluation of NPP processes that do not require real-time HIL simulation capabilities. Upon closer inspection, the Ch-D trip signal acquired by DarlSIM occurs after DarlSIM would normally realize an internal trip. The delay associated with the Tricon v9 integration is 200ms (1 time-step) for the SDS1 process. Reducing or eliminating this delay will require modification to the placement of modules within the module table and possibly the reduction of the execution interval for transmitting variables from DarlSIM to the NI-VI. Further, specific identification of the release is not recorded in this investigation. Though the trip signal produced by Tricon v9 is transmitted to DarlSIM, it is imperative that the signal be received prior to the execution of the shutdown rod clutch de-energization module.

ACKNOWLEDGMENTS
Thanks go to Dr. Qingfeng Li and Mr. Polad Zahedi for their assistance in developing the simulation platform and essential tools which were utilized within the study. Further, we would like to acknowledge Ontario Power Generation (OPG) for providing the real-time NPP simulation suite. Financial support from UNENE and NSERC for this study is greatly appreciated. This study would not have been possible without these contributions.

REFERENCES
[1] J. Koclas. Shutdown Systems: SDS1 & SDS2. Reactor Control and Simulation, 1996, pp. 75-78.
[2] J.P. Rooney. Aging in Electronic Systems. Reliability and Maintainability Symposium, 1999, pp. 293-299.
[3] X. Wu, H. Figueroa, A. Monti. Testing of Digital Controllers Using Real-Time Hardware in the Loop Simulation. 2004 35th Annual IEEE Power Electronics Specialists Conference, Aachen, Germany, 2004.
[4] M. Schlager, W. Elmenreich, I. Wenzel. Interface Design for Hardware-in-the-Loop Simulation. IEEE ISIE 2006, July 9-12, 2006, Montreal, Quebec, Canada.
[5] S.A. Richards. Review of Triconex Corporation Topical Reports 7286-545, Qualification Summary Report and 7286-546, Amendment 1 to Qualification Summary Report, Revision 1 (TAC NO. MA8283). USNRC, December 12, 2001, Washington, D.C., U.S.A.
[6] Invensys Systems Inc. Field Terminations Guide for Tricon v9-v10 Systems. Invensys Systems Inc., June 2005.
[7] N. Ichiyen, D. Chan, P. Thompson. Computer Refurbishment. 24th Annual Canadian Nuclear Society Conference, June 8-11, 2003, Toronto, Ontario, Canada.
[8] Atomic Energy Control Board. R-8 Requirements for Shutdown Systems for CANDU Nuclear Power Plants. AECB, 1991.