Proprietary electronics for reactor safety and controls

Article  in  International Journal of Nuclear Energy Science and Technology · January 2007


DOI: 10.1504/IJNEST.2007.017076



358 Int. J. Nuclear Energy Science and Technology, Vol. 3, No. 4, 2007

Proprietary electronics for reactor safety and controls

Shantanu Das* and Bibhuranjan Basudeb Biswas
Reactor Control Division
BARC, Mumbai 400085, India
E-mail: shantanu@barc.gov.in
E-mail: bbbiswas@barc.gov.in
*Corresponding author

Abstract: India was one of the first countries in the world to have realised a
computer-based reactor protection system. It was in the late 1980s when fully
fledged microprocessor-based reactor protection units were commissioned for
research and then for power reactors. Since then the proprietary philosophy,
applied to have proprietary electronics in reactor protection and control,
has expanded to include a dozen nuclear power reactors. What we get from
proprietary electronics, as much as reasonably achievable, are online fault
coverage and fail-safe features, which are not available in commercial
electronics. From design to fabrication and then maintainability, the process is
traceable, controllable and sustainable. Therefore the entire modular electronics
is proprietary and not commercial. The record of plant availability for the last
two decades for the dozen reactors speaks for it. Conservation of signal
properties and T-states, along with proprietary fault diagnostic features make
the system truly robust.

Keywords: conservation of signal property; output read-back; minimum logic
energy expenditure; fail-safe; online set point servo; finite impulse testing;
M+N redundancy.

Reference to this paper should be made as follows: Das, S. and Biswas, B.B.
(2007) ‘Proprietary electronics for reactor safety and controls’, Int. J. Nuclear
Energy Science and Technology, Vol. 3, No. 4, pp.358–369.

Biographical notes: Shantanu Das (BS Technology in Electrical and
Electronics, Birla Institute of Technology and Science, Pilani, India) joined
BARC in 1985 after graduating from the BARC Training School. At present he
is working in the field of control systems of nuclear reactors, which includes
instrumentation for specialised systems of research and power reactors as well
as reactor control and other specialised circuits.

Bibhuranjan Basudeb Biswas (BS Technology in Electronics and Electrical
Communication Engineering from the Indian Institute of Technology,
Kharagpur, India) joined the BARC Training School in 1970, where he was
employed as a Scientific Officer. Since then he has worked on various research
and power reactors. Presently, he is a specialist in nuclear reactor safety.

Copyright © 2007 Inderscience Enterprises Ltd.


1 Introduction

India was one of the first countries in the world to have realised a computer-based reactor
protection system. In the late 1980s fully fledged microprocessor-based reactor protection
units were commissioned for research and then for power reactors. Since then the
proprietary philosophy has been applied to have proprietary electronics in reactor
protection and control for a dozen nuclear power reactors. What we get from proprietary
electronics, as much as reasonably achievable, are online fault coverage and fail-safe
features, which are not available in commercial electronics. From design to fabrication
and then maintainability, the process is traceable, controllable and sustainable. Therefore
the entire modular electronics – from microprocessor boards to fail-safe input-output
boards, fail-safe signal conditioning electronics, bus structure with practical terminations,
circuits to detect online card removal, warm and cold start circuits, advance warning
on power failure, isolation, reconfiguration on failure, hot-pluggable fault-tolerant
power supplies and cabling – is proprietary and not commercial. Outsourcing and
commercialisation are diametrically opposite to reliability, and the record of plant
availability for the last two decades for dozens of reactors speaks for proprietary
electronics. Obsolescence is market driven: management is forced to change the
electronics by current market-driven standards. In proprietary electronics, basic
components are employed, where the Integrated Circuit (IC) is available even today in the
same footprint, in various technologies (such as low power and radiation hardened) and from
multiple sources. This is what management must realise when the electronics is
made with basic components, which remain far from obsolete. In this paper salient
schemes are described; the figures given are not actual circuit diagrams but are drawn
to explain the descriptions. The circuit boards have gone through rigorous environmental
and EMI/EMC qualifications, and these simple schemes have faithfully controlled the
power plants, with record availability and reliability.

2 Practical terminations and back plane

A component or circuit used for a reactor control and safety system has a special
personality. A simple buffer IC, for example, works when used in a commercial back
plane with commercial terminations. But when the same IC is used for a reactor
application one has to determine what the termination impedance ideally should be, with enough
de-rating for the IC. Elaborating on this example of termination impedances,
the proprietary design matches the termination to the driving rating of the IC. The back plane, about 1.5
feet in length, must have terminations towards both ends in order to avoid reflections
of digital signals causing glitches and thus erroneous functioning. The bus is terminated
by 330 ohms to 5 V at one end and by 470 ohms to the ground plane at the other end.
The required dual termination at both ends is also realised by a SIL pack
of 680 ohms and 1000 ohms placed at each end of the back plane. This proprietary
termination scheme ensures that all the ICs are derated. The equivalent
impedance is about 195 ohms, and at the operating frequency of 5–10 MHz the bus is thus
matched. Special low-impedance, high-current drivers extend the bus
signals to a distance of 20 feet, and the scheme also conserves the signal properties.
These drivers have an open-collector driving circuit and a Schmitt trigger on the
receiving side. Here also the terminations are put in place and de-rating is preserved. The
back-plane geometry gives a characteristic impedance of 65 ohms, and
with the various drivers an ideal matched termination is not possible owing to drive
de-rating. The terminator values given above, with the worst-case source impedance of the
drivers, bring the overshoot down from 100% without termination to 10%–15%.
The analogue signals are also terminated at the input of the module. This not
only avoids cross-talk between adjacent multiplexed channels but also enables detection
of input cable removal or faults. A termination is also placed at the front end of the
signal-conditioning module so as to enable detection of field signal wire faults. These
analogue signal terminations are chosen to retain the desired signal accuracy. For
three-wire resistance temperature detector (RTD) inputs, the proprietary circuits detect a fault on any of the
wires.
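The arithmetic behind the "about 195 ohms" figure, and the de-rating check it implies for the driver, is simple enough to write down. The following is an added worked example, not the authors' design calculation: the 330/470 ohm and 680/1000 ohm terminations, the 5 V rail and the 65 ohm back-plane impedance come from the text, while the logic levels (V_OL, V_OH) and the driver sink rating are constructed placeholders.

```python
"""Thevenin model of the split pull-up/pull-down bus termination of Section 2.
Added worked example, not the authors' design calculation: the resistor values,
the 65 ohm back-plane impedance and the 5 V rail come from the text; the logic
levels and the driver sink rating are constructed placeholders."""

V_SUPPLY = 5.0
Z0_BACKPLANE = 65.0       # characteristic impedance quoted in the text (ohms)
V_OL, V_OH = 0.4, 2.7     # constructed TTL-style output levels (V)


def thevenin(r_up: float, r_down: float, v_supply: float = V_SUPPLY):
    """Thevenin equivalent (R_th, V_th) of r_up to the rail and r_down to ground."""
    r_th = r_up * r_down / (r_up + r_down)
    v_th = v_supply * r_down / (r_up + r_down)
    return r_th, v_th


def parallel(*rs: float) -> float:
    """Parallel combination; used when both bus ends carry a terminator pack."""
    return 1.0 / sum(1.0 / r for r in rs)


def driver_load_ma(r_th: float, v_th: float):
    """Current (mA) the driver must sink at V_OL and source at V_OH into the
    Thevenin load. A negative source figure means the termination itself holds
    the line above V_OH, so the driver sources nothing in the high state."""
    i_sink = (v_th - V_OL) / r_th * 1000
    i_source = (V_OH - v_th) / r_th * 1000
    return i_sink, i_source


def reflection_coeff(r_term: float, z0: float = Z0_BACKPLANE) -> float:
    """Voltage reflection coefficient seen at a termination r_term on a line z0."""
    return (r_term - z0) / (r_term + z0)


def derating_ok(i_required_ma: float, i_rated_ma: float, margin: float = 0.5) -> bool:
    """True when the driver uses at most `margin` of its rated sink current."""
    return i_required_ma <= margin * i_rated_ma


def report(r_up: float, r_down: float, ends: int = 1, i_rated_ma: float = 48.0) -> dict:
    """Summarise one arrangement. ends=1: one pull-up at one end and one pull-down
    at the other (the 330/470 scheme). ends=2: an identical r_up/r_down pack at
    each end (the 680/1000 SIL packs). i_rated_ma is a constructed driver rating."""
    r_th, v_th = thevenin(r_up, r_down)
    if ends == 2:
        r_th = parallel(r_th, r_th)       # V_th is unchanged for identical ends
    i_sink, i_source = driver_load_ma(r_th, v_th)
    return {
        "r_th_ohm": round(r_th, 1),
        "v_th": round(v_th, 3),
        "sink_ma": round(i_sink, 2),
        "source_ma": round(max(i_source, 0.0), 2),
        "rho": round(reflection_coeff(r_th), 2),
        "derated": derating_ok(i_sink, i_rated_ma),
    }


if __name__ == "__main__":
    print("330/470 at opposite ends :", report(330, 470))
    print("680/1000 SIL at both ends:", report(680, 1000, ends=2))
```

Both arrangements land near 200 ohms with a low-state sink current of about 13 mA, which is the quantity the de-rating argument is about; the reflection coefficient of roughly 0.5 against the 65 ohm line is the price paid for not loading the driver harder, which is exactly the trade-off the text describes.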
The back plane is passive in nature and has no adjustment, selection
or active component. This point is very important for safety. Also, the back plane is not
slot specific: any module can be placed anywhere. Field experience with
geographical addressing, where the slots of the back plane were card specific, has not
been good. For example, for heating considerations or for a badly abraded slot or connector,
we may want to reconfigure the general arrangement at the instrument site by moving
the CPU to a slot in the middle. This proprietary scheme gives us this freedom, without
having selection schemes on the back plane.

3 Supply selection scheme

The supply selected for the electronics caters to 5 V as digital supply, ±15 V as analogue
supply, and a field supply of 12–48 V. All these supplies are input into the electronics.
The input supply has an M + N redundancy scheme. This is better than having multiple
supplies of the electronics generated on the card by the use of DC-DC modules, getting
only one input, for instance, 24 V, and then generating 3 V, 5 V, ±15 V, etc. In this
commercial scheme, though the supply looks redundant as given from the M + N scheme
of 24 V, internally the supplies are not redundant and therefore not reliable for reactor
protection and control.
Figure 9 shows the M + N redundant scheme of power supplies. All the power
supplies are current mode-controlled and voltage-controlled current sources. These can
be used in inherent load share mode, where the voltage adjustment required is 1/4 of the
regulation band and is tight for an equal load share, or in forced load share mode with a
wide difference in setting. The diagram also shows the wiring precautions to be followed
for good performance.

4 Required system response of reactor protection and control

The bandwidth required for reactor control and protection can be met easily with
lower-end basic processors of 5–10 MHz. In reality, required response times are 100–500
ms, and complex GHz processors, though impressive, are far from reliable. What is
suited for the mobile phone industry or desktop office computers is not to be confused
with reactor control. Even today, NASA would like to deliver a robust in-flight computer
with classical Intel 8–16 bit processors. Forcing large code bases through a
gigahertz processor to achieve the real response required by the reactor is inefficient and hardly
provides basic reliability. Efficient code on the basic 8–16 bit processors
is sufficient to achieve the required bandwidth. Doing everything under program
control is inefficient; instead, using features like DMA, interrupts, NMI, hardware
semaphores, locking and cycle stealing, and distributing the tasks among specialised processors,
has given robustness to the reactor systems, with bit-flow transparency and
thus reliability.

5 Required bus signals

The use of too many signals for a bus in one dense connector creates problems of skew,
cross-talk and field maintainability. In the proprietary design, a total of 64 points on the
outer rows of Euro connectors gives ease of maintenance, with the required bandwidth and
with all properties of the microcomputer conserved. Conservation of signal properties
and T-states throughout the main and extended cabinets also gives minimum logic energy
expenditure for interfacing, which is key to getting a reliable reactor control and
protection system. The basic bus signals are Address A0-A19, BHE, NMI, HOLD,
HOLDA, INT1-4, INTA, BUS-ERROR or SYSTEM ALIVE, RESET, LOCK, Data
D0-D15, Memory and I/O access, and acknowledge-handshake data signals. A provision
exists to cascade the four interrupt bus lines to 32.
The signals that control the bus handshake and exceptions with memory or I/O
read-write are all active-low. Apart from that, a functional partition with respect to pin
assignment also enhances the safety of the bus. For many commercial buses this criterion
is not followed and the same pin is used for more than one purpose (say, reading and
writing), which is against the functional-separation philosophy for safety systems.

6 Fault detection and annunciation

Normal functioning of the system is easy to understand. But in the event of a fault or partial
failure, the speed at which the system reconfigures and takes the plant to a fail-safe status,
while informing the operator about the failure, is excellent in these proprietary
designs. Failure of field wires by opening or shorting is reported and actions are taken. In
these proprietary electronics, online finite impulse testing, together with output read-back and
selectable fail-safe analogue output, enhances operator confidence in having digital
control and protection for reactors. The use of proprietary electronics to run an online set
point servo unit while the system is in operation validates the control/protection functions
and boosts the plants' reliability.

6.1 Supply monitoring and status management


The monitoring of the power supply to the microprocessor and other ICs is essential.
It has been experienced that with an inappropriate voltage, such as 4.7–4.75 V, the
microprocessor functions only partially. This is a hazard, since a program is then
only partially executed. Therefore, an extra proprietary scheme is employed
to ensure proper functioning (Figure 1). The power-on reset circuit is enabled if and only if
the power is good (greater than 4.8 V). Also, the manual reset action is blocked if the
power level is not correct. When the power level is bad, the RESET signal shown is
held low to avoid any partial or faulty operation of the microprocessor. The circuit
also generates an NMI pulse when the ADVANCE-POWER-FAIL signal is detected and, after
a set delay, takes the RESET line permanently low, in order to
avoid any spurious state of the microprocessor. As shown in Figure 1, the BIT is clocked by
the NMI pulse. In the NMI state the microprocessor reads the BIT as the first instruction
of the NMI routine. If it is found to be LOW at the PF READ PORT address, then the
cause is clear to the processor: the POWER is going to fail. The processor goes into
saving mode so as to store register contents and stack values in the non-volatile store, for
warm-start applications, and during that time the processor also sets the control devices
to fail-safe status. The time taken to do all this saving and reach the fail-safe state is 20
ms, which is the hold-up time of the power supply employed.

Figure 1 Supply monitoring scheme [figure not reproduced; signals shown: VCC (5 V), SETPOINT 2.5 V, SETPOINT 4.8 V, DELAY, MANUAL RESET, RESET, ADVANCE POWER FAIL, NMI, BIT flip-flop (D, CLK, Q), PF-READ PORT]

6.2 Quick detection of board removal


The NMI signal generated here is from an external event. The event is distinguished by
the status of the BIT as described previously. If on NMI the status of the BIT is HIGH,
then the processor enters the NMI routine, where the stack is read and the board that
has been removed online is reported immediately. The processor then reconfigures the
system to take care of the missing board. We detect this through NMI because this process is
independent of program control, cannot be masked and is the quickest. Figure 2
describes the proprietary mechanism of this fault detection. On power-up reset, the NMI
is masked by a hardware flip-flop as shown. This is done to avoid spurious actuation of the
NMI state at start-up. The software program initialises through the UNMI port and
the gate is thus enabled, and the system is then ready for NMI recognition. Once
unmasked through the UNMI bit at initialisation, NMI remains active throughout. In
Figure 2 the HDW denotes a signal called hardware timeout. This is activated when, on
an OFF-BOARD access of memory or I/O, the timeout occurs, or when the circuit of Figure 1 generates NMI
from the back plane. The timeout is set longer than the maximum bus idle
time due to the HOLD state. The main trigger for resetting the HDW timer is the regular
ticks of ALE. The HDW is then passed through a shift register and after a selectable delay
a false acknowledgement (FACK) is generated. If the addressed board is present, then the
XACK signal makes the microprocessor READY for the next instruction. In the
absence of the addressed board, XACK fails, which generates HDW and
thereby NMI. After the selectable delay the FACK takes the processor out of the
indefinite wait state, and the NMI routine is executed. In the NMI routine the stack
reading reveals the absence of the board, and the program then executes with that
caution. This proprietary circuit is needed because processors in the wait
state do not notice NMI, although the NMI is latched internally. Only after the wait state is
the NMI recognised, and hence the false-acknowledgement scheme is implemented.

Figure 2 Board removal detection [figure not reproduced; signals shown: RESET, UNMI, NMI flip-flop (SD, CLR, PR, CP, Q), shift register with CLK and SEL (outputs y1–y4), FXAC/READY, HDW, OFFBRD, ALE, XACK]

7 Circuit for output control during live insertion

Figure 3 describes a proprietary scheme to protect against a spurious state change of the output
latches, which control output relays, drive DACs or control drive transistors. This is
very important because, during live insertion, in spite of using long power pins and bus buffers,
the output latches may misbehave. The long power pins are employed so that the stray
capacitances at the input of each signal pin are precharged and therefore, when a board is inserted live,
do not load the source. An on-board timeout circuit confirms that the board is being accessed
properly and regularly by software; it is retriggered cyclically by the BRDEN
signal. When the BRDEN signal appears for the first time after, say, a live insertion of
the board, it activates the EO signal. The qualification of SYS-ALIVE with EO, together
with the LOCAL SYS-ALIVE, controls the Output Enable (OE) of the latch. This circuit
thus ensures that only when a valid SEL is generated are the D inputs of the latch
transferred to the Q output of the latch. During a failure of the bus, indicated for example by
SYS-ALIVE or by the local timeout, the Q of the latch remains tri-stated and the
output devices are in the fail-safe state.

Figure 3 Output circuit interlock for live insertion precaution [figure not reproduced; signals shown: RESET FROM CONNECTOR, BRDEN, SEL, latch (Dn, CP, PR, CLR, Qn, OE), EO flip-flop (D, Q, CP), OR gates, SYS-ALIVE FROM CONNECTOR, RD, LOCAL SYS-ALIVE]

8 Circuit for output read-back and fail-safe status and finite impulse
testing (digital and analogue)

Figure 4 indicates the read-back scheme employed to check the validity of the
desired state in every control scan. The output latch drives the relay coil or the
OPTO-ISOLATOR that drives the output transistor; the status of the coil or the transistor is
read back via the input port. This enhances the online diagnostic feature and boosts
operator confidence. A very short output pulse is also applied to exercise the read-back path
without disturbing the final device: the coil, owing to its magnetic inertia, holds its state
while this finite impulse is applied. In the scheme given in
Figure 4, galvanic isolation is also retained.
Figure 4 Digital/relay output read-back scheme [figure not reproduced; two variants shown: relay output (RLY-SUPPLY, OPSEL, OUT-LATCH Dn/Qn/CP, DRIVER, IPSEL, IN-PORT) and transistor output with TRANSLATOR (VCC, FLD SUPPLY, FLD GND, OPSEL, OUT-LATCH, IP-SEL, IN-PORT)]

In Figure 5 the latch output is fed to the DAC to convert it into an isolated
4–20 mA current output. The diagram shows the facility for selecting digital 0 or 1 to
set the required current output in the event of a failure. The figure also shows the
scheme in which the final output current is sensed and read digitally. Here, too, galvanic
isolation is maintained.
Figure 5 Fail-safe analogue output read-back [figure not reproduced; shown: OPSEL, OUT-LATCH (Dn, CP, OE), DAC with fail-safe select inputs 1 and 2, 4–20 mA OUTPUT CURRENT, QUALIFIED SYS-ALIVE, READ-BACK AMPLIFIER TO ADC, VCC, GND]

Figure 6 is the scheme employed for Finite Impulse Testing (FIT) to validate the
input-sensing elements. The degradation in practice of the Current Transfer Ratio (CTR) of
the OPTO-ISOLATOR calls for a proprietary circuit that toggles the
status of the input to verify the sensing validity. For example, the Log-rate signal for a
running reactor is logic 'low', and under abnormal conditions the signal becomes
logic 'high'. The FIT is performed on this sensing element while the field signal is
normal (low) to discern whether the high reading will be observed when Log-rate actually
becomes abnormal (high). This validates the input-to-output functionality of the
microprocessor-based system for reactor protection and control.

Figure 6 Finite impulse testing for input-sensing element [figure not reproduced; shown: FLD-SUPPLY, 5 V VCC, opto-isolator with 5 V Vce, field CONTACT, IN-PORT (Dn, IN SEL), OUT-PORT (Dn, FIT SEL), 5 V GND]
The online set point servo system is a proprietary circuit (Note 1), shown in Figure 7. Here the
circuit, a floating current pump and sink, is attached to the field current terminating
resistor. This scheme does the job of a current calibrator, since the injected or
subtracted current does not alter the field transmitter current and is also independent of
the field. A value from 0–25 mA is dialled by the DAC and the entire 4–20 mA input span
is thus checked. The accuracy of the comparator set point, digital or analogue, is thus
validated online. This is also called analogue finite impulse testing.
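The three validation mechanisms of this section (output read-back, finite impulse testing of an input-sensing element, and the online set point servo) are complementary: read-back catches a driver that does not follow the latch, FIT catches a sensing path that can no longer report the abnormal state, and the current injection catches a front end whose trip point has drifted. The following model is an added example, not the authors' circuits or firmware: the 4–20 mA loop, the 0–25 mA injection span and the "test only while the field is normal" rule come from the text, while the relay hold time, the CTR threshold, the loop resistor, the trip point and the fault injections are constructed.

```python
"""Output read-back, finite impulse testing (FIT) and the online set point check
of Section 8. Added example, not the authors' circuits or firmware: relay hold
time, opto-isolator CTR threshold, loop resistor and trip point are constructed;
the 0-25 mA injection span and the 4-20 mA loop follow the text."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RelayOutput:
    """OUT-LATCH -> DRIVER -> relay coil, with the driver node read back through
    IN-PORT. The contact follows the coil only after hold_ms (magnetic inertia)."""
    hold_ms: float = 5.0                   # constructed coil hold time
    latched: int = 0
    driver: int = 0                        # node seen by the read-back port
    contact: int = 0
    stuck_driver: Optional[int] = None     # constructed fault injection

    def write(self, value: int) -> None:
        self.latched = value
        self.driver = value if self.stuck_driver is None else self.stuck_driver
        self.contact = self.driver         # steady state once the coil settles

    def read_back_ok(self) -> bool:
        """Per-scan check: read-back must equal the latched command."""
        return self.driver == self.latched

    def finite_impulse_test(self, pulse_ms: float = 0.5) -> bool:
        """Pulse the driver to the opposite state for less than hold_ms: the
        read-back must follow the pulse while the contact stays where it was."""
        pulsed = 1 - self.latched
        seen = pulsed if self.stuck_driver is None else self.stuck_driver
        contact_before = self.contact
        if pulse_ms >= self.hold_ms:       # pulse too long: the relay would move
            self.contact = pulsed
        return seen == pulsed and self.contact == contact_before


@dataclass
class OptoInput:
    """Field contact sensed through an opto-isolator. ctr is its current transfer
    ratio, which degrades with age; below ctr_min the phototransistor can no
    longer pull the IN-PORT bit to the active level."""
    ctr: float = 1.0
    ctr_min: float = 0.3                   # constructed minimum usable CTR
    field_level: int = 0                   # 0 = normal (Log-rate healthy), 1 = abnormal

    def read(self, fit_sel: int = 0) -> int:
        led_on = self.field_level | fit_sel    # FIT SEL drives the LED as the field would
        return led_on if self.ctr >= self.ctr_min else 0

    def finite_impulse_test(self) -> Optional[bool]:
        """With the field normal, assert FIT SEL and check the port reads the
        abnormal level, then check it returns to normal. None = not testable now."""
        if self.field_level != 0:
            return None
        return self.read(fit_sel=1) == 1 and self.read(fit_sel=0) == 0


@dataclass
class CurrentLoopInput:
    """4-20 mA loop terminated in r_term; the comparator trips above trip_ma.
    The servo pump/sink adds i_inj through r_term without altering the field
    transmitter current, so the whole span can be checked online."""
    r_term: float = 250.0                  # constructed termination (ohms)
    trip_ma: float = 16.0                  # constructed configured set point
    gain_error: float = 1.0                # constructed: 1.0 = accurate front end

    def comparator(self, i_field_ma: float, i_inj_ma: float = 0.0) -> bool:
        v_meas = self.r_term * (i_field_ma + i_inj_ma) / 1000 * self.gain_error
        return v_meas > self.r_term * self.trip_ma / 1000


def online_setpoint_check(ch: CurrentLoopInput, i_field_ma: float,
                          step_ma: float = 0.05, tol_ma: float = 0.1) -> Tuple[bool, float]:
    """Dial the injected current from 0 to 25 mA, find where the comparator
    first trips, and compare the implied set point with the configured one."""
    for k in range(int(25.0 / step_ma) + 1):
        inj = k * step_ma
        if ch.comparator(i_field_ma, inj):
            measured = i_field_ma + inj
            return abs(measured - ch.trip_ma) <= tol_ma, round(measured, 2)
    return False, float("nan")


if __name__ == "__main__":
    stuck = RelayOutput(stuck_driver=0)
    stuck.write(0)
    print("stuck driver: read-back", stuck.read_back_ok(), "FIT", stuck.finite_impulse_test())
    print("worn opto FIT:", OptoInput(ctr=0.2).finite_impulse_test())
    print("drifted set point:", online_setpoint_check(CurrentLoopInput(gain_error=0.9), 8.0))
```

Note what the stuck-driver case shows: when the driver is stuck at the value currently commanded, read-back alone reports the channel healthy, and only the finite impulse reveals that it cannot move; this is the reason the text pairs the two mechanisms rather than relying on read-back alone.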

Figure 7 Online set point servo system (analogue finite impulse testing) [figure not reproduced; shown: FLD-SUPPLY, 4–20 mA TRANSMITTER, floating current PUMP AND SINK with Vc and FB, SET CURRENT, SYSTEM-1/SYSTEM-2/SYSTEM-3 inputs, FLD-GND]

9 Dual arbitration scheme

Figure 8 gives the scheme for dual arbitration, which resolves contention between dual
processors. An arbitration clock and an inverted clock resolve the selection of shared
resources and coincidence in the time domain. The probability of getting access to
the shared resource is thus 50%. This is the single-stage arbitration generally
followed in commercial circuits. The fact is that the flip-flop output can sometimes go
into a meta-stable ringing state, as the events are asynchronous and may violate the
set-up/hold time of the DATA input. To tackle this, a second stage is also used
so that we do not get such ringing owing to meta-stability. In this circuit the output of
the second stage blocks access by the first stage of the complementary part. The
figure also shows the locking arrangements for semaphore control. This circuit has been
widely used in various multiprocessor configurations at several reactor sites for control
and protection.
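A discrete-time model makes the two properties of this arbiter checkable: the second stage keeps a ringing (metastable) value off the XACK lines, and the cross-blocking keeps the two grants mutually exclusive. The following is an added example, not the authors' circuit: circuit 1 clocks on the rising edge of the arbitration clock and circuit 2 on the inverted clock, each first stage is blocked by the complementary circuit's first- and second-stage outputs and by its LOCK, and only the second stage drives XACK, all as the text describes; the probability of a set-up/hold violation, the demand patterns and the half-period settling assumption are constructed.

```python
"""Discrete-time model of the two-stage dual arbitration scheme of Section 9.
Added example, not the authors' circuit. Constructed assumptions: a ringing
first-stage output settles (either way) within the half clock period before
anyone samples it, and p_meta is the chance that a D transition at the clock
edge violates set-up/hold."""

import random
from typing import Dict, List, Tuple

X = "X"   # a flip-flop output that is ringing (metastable) and not yet settled


class DualArbiter:
    def __init__(self, seed: int = 1, p_meta: float = 0.3):
        self.rng = random.Random(seed)
        self.p_meta = p_meta
        self.s1: List = [0, 0]            # first-stage flip-flops
        self.s2: List[int] = [0, 0]       # second-stage flip-flops -> XACK
        self.meta_events = 0

    def _settled(self, v):
        """A metastable node has had half a period to settle; it may go either way."""
        return self.rng.choice([0, 1]) if v == X else v

    def clock_edge(self, edge: int, demand: List[int], lock: List[int]) -> Tuple[int, int]:
        """edge 0 = rising edge (circuit 1), edge 1 = falling edge (circuit 2)."""
        i, j = edge, 1 - edge
        self.s1 = [self._settled(v) for v in self.s1]
        self.s2[i] = self.s1[i]                     # second stage samples settled first stage
        d = int(demand[i] and not self.s1[j] and not self.s2[j] and not lock[j])
        if d != self.s1[i] and self.rng.random() < self.p_meta:
            self.s1[i] = X                          # D changing at the edge: output rings
            self.meta_events += 1
        else:
            self.s1[i] = d
        return self.s2[0], self.s2[1]


def single_stage_xack(arb: DualArbiter) -> Tuple:
    """What XACK would carry if it were taken from the first stage, as in a
    single-stage commercial arbiter: the ringing value would reach the bus."""
    return tuple(arb.s1)


def scenario_simultaneous() -> List[Tuple[int, int]]:
    """Both processors demand at once; circuit 2 waits until circuit 1 releases."""
    arb = DualArbiter(p_meta=0.0)
    xacks = []
    demand = [1, 1]
    for step in range(10):
        if step == 4:
            demand = [0, 1]                         # processor 1 releases the resource
        xacks.append(arb.clock_edge(step % 2, demand, [0, 0]))
    return xacks


def run_random(seed: int = 7, n_edges: int = 400, p_toggle: float = 0.3) -> Dict[str, int]:
    """Random demands with metastability injected; returns the counts a reviewer
    would check: double grants, ringing values on XACK, grants per side."""
    rng = random.Random(seed)
    arb = DualArbiter(seed=seed)
    demand = [0, 0]
    stats = {"double_grants": 0, "ringing_on_xack": 0, "ringing_on_stage1": 0,
             "grants_1": 0, "grants_2": 0}
    for step in range(n_edges):
        demand = [d ^ int(rng.random() < p_toggle) for d in demand]
        x1, x2 = arb.clock_edge(step % 2, demand, [0, 0])
        stats["double_grants"] += int(x1 == 1 and x2 == 1)
        stats["ringing_on_xack"] += int(X in (x1, x2))
        stats["ringing_on_stage1"] += int(X in single_stage_xack(arb))
        stats["grants_1"] += int(x1 == 1)
        stats["grants_2"] += int(x2 == 1)
    return stats


if __name__ == "__main__":
    print(scenario_simultaneous())
    print(run_random())
```

In the random run the first-stage outputs ring many times, yet XACK never carries a ringing value and the two grants never overlap; a single-stage arbiter taking XACK from the first stage would expose every one of those ringing events to the bus.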

Figure 8 Dual arbitration scheme [figure not reproduced; shown: SELECTION DEMAND-1 and LOCK1 / LOCK2 through OR gates, two D flip-flop stages per circuit (PR, CLR, CLK, D, Q, Q\) driven by the ARBITRATION CLOCK and its inverse, outputs TO SELECTION CIRCUIT-1/-2 and TO XACK CIRCUIT-1/-2, RESET]

Figure 9 M + N load share power supply: (A) Feeder conductor pair, preferably of flat conductor
pairs of equal length; (B) Sense conductor pair twisted; (C) Tie conductor pair twisted
(optional for forced sharing) [figure not reproduced; shown: AC-INPUT to supplies 1…M and 1…N, each with V and S (sense) terminals, feeder pair A and sense pair B to the LOAD BUS, TIE-BUS]
10 Conclusion

These few concepts have been in use for the last two decades in various nuclear reactor
protection and regulating systems. About 20 000 boards have been fabricated by ECIL
for various projects. Sustainability is guaranteed by ECIL, as these are very basic
designs based on components available from multiple sources and in various technologies
with the same footprint. Owing to the large number already in use, the circuit concepts have
been proven, and effort is being made to port the logic into ASICs and to obtain import
substitutes for special components. After its wide usage, the DAE IPR cell has obtained
a trademark in the name of ECIL. Recently, for TAPP, these circuits have been used to
make the first fuel-efficient reactor controller based on transcendental controls, and for
the first time online fuelling was carried out in full automatic mode.

Acknowledgements

The authors acknowledge the guidance and encouragement received from
Sri G. Govindarajan (former Director of E&I Group BARC), Sri K. Natarajan (former
Director of Engineering NPCIL) and Sri G.P. Srivastava of CMD ECIL.


Note
1 Patent No: 197-786, online process instrument loop calibrator. Government of India Patent
Office dated 17-1-2006.
