Nuclear Technology

ISSN: 0029-5450 (Print) 1943-7471 (Online) Journal homepage: https://www.tandfonline.com/loi/unct20

Safety Criteria and Dependability Management

Practices: A Case Study with I&C Systems of
Prototype Fast Breeder Reactor

Srikantam Sravanthi, R. Dheenadhayalan, K. Madhusoodanan & K. Devan

To cite this article: Srikantam Sravanthi, R. Dheenadhayalan, K. Madhusoodanan & K.

Devan (2018) Safety Criteria and Dependability Management Practices: A Case Study with
I&C Systems of Prototype Fast Breeder Reactor, Nuclear Technology, 201:2, 180-189, DOI:
10.1080/00295450.2017.1407594

To link to this article: https://doi.org/10.1080/00295450.2017.1407594

Published online: 16 Jan 2018.

Submit your article to this journal

Article views: 80

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=unct20
 NUCLEAR TECHNOLOGY · VOLUME 201 · 180–189 · FEBRUARY 2018
© American Nuclear Society
DOI: https://doi.org/10.1080/00295450.2017.1407594
Technical Note

Safety Criteria and Dependability Management Practices: A Case

Study with I&C Systems of Prototype Fast Breeder Reactor
Srikantam Sravanthi,a,b* R. Dheenadhayalan,b K. Madhusoodanan,b and K. Devanb
a
Homi Bhabha National Institute, Anushaktinagar, Mumbai, India 400094
b
Indira Gandhi Centre for Atomic Research, Kalpakkam, India 603102

Received May 26, 2017

Accepted for Publication November 13, 2017

Abstract — Dependability management practices in nuclear power plants in India are conventionally
governed by a set of rules known as “safety criteria.” Probabilistic assessments of safety systems are used
in a modern plant to complement such rules. In this technical note, various design provisions provided in
the instrumentation and control (I&C) of prototype fast breeder reactor (PFBR) (a reactor under commis-
sion in India) are detailed. As a precursor, the relationship between safety criteria and the average
probability of failure on demand (PFDAvg) of safety systems is established. Subsequently, various design
provisions provided in the I&C of PFBR to reduce PFDAvg are discussed. Such a review, with a depend-
ability viewpoint, has resulted in identifying areas for further design improvement in future reactors.
Research work carried out in areas of relays toward reducing PFDAvg of safety systems is highlighted.

Keywords — Average probability of failure on demand, dependability practices, nuclear power plant.

Note — Some figures may be in color only in the electronic version.

I. INTRODUCTION
The prototype fast breeder reactor (PFBR) is a
[1250 MW(thermal) 500 MW(electric)] pool-type sodium-
cooled fast reactor under commission in India.
Instrumentation and control (I&C) is provided to facilitate
controlled heat transfer from the core to the turbine and to
ensure safety by timely shutdown (scram) in case of any
anomaly and subsequent decay heat removal. The I&C sys-
tems of PFBR are classified as Safety Class-1 (SC-1), Safety
Class-2 (SC-2), Safety Class-3 (SC-3), and Non-Nuclear
Safety Systems. All systems that monitor scram parameters
like core temperature, neutronic flux, primary sodium pump
speed, and reactor inlet temperature are classified as SC-1.
Additionally, I&C of Safety Grade Decay Heat Removal
(SGDHR) system and reactor containment isolation logic
are classified as SC-1. The I&C of SC-1 systems comes
under the category of Safety Instrumented System (SIS) as
defined in International Electrotechnical Commission (IEC)
*E-mail: sravanthisrikantam.445@gmail.com
61508 (Ref. 1). Each SIS loop is composed of sensor(s), logic
solver(s), and final control element(s) for the purpose of
taking the process to safe state. These systems deploy various
techniques to achieve very high dependability. While the I&C
design for PFBR has been already completed, this author and
her team have undertaken a detailed study of dependability
aspects of SISs aiming at improvements for future reactors.
This technical note presents a review of the practices,
assumptions, and techniques followed in PFBR I&C design
to achieve high reliability in safety systems. Moreover, the
research and development work done for improvements in
the fail-safe behavior of such systems is highlighted.
II. DEPENDABILITY MANAGEMENT PRACTICES IN A
NUCLEAR POWER PLANT
II.A. Safety Criteria: The Fundamental Rules for Design
The IEC technical committee 56 (IEC-TC 56) defines
dependability of an item as the ability to perform as

180
 SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES · SRAVANTHI et al.
and when required. It includes availability, reliability,
recoverability, maintainability, and maintenance support
performance, and, in some cases, other characteristics
such as durability, safety, and security. Conventionally,
qualitative rules are stated in the form of “safety criteria”
in various international and national standards to achieve
systems with high dependability in a nuclear power plant
(NPP). Typical safety criteria that have a direct relation
with dependability are as follows:
1. Redundancy: “The principle of redundancy is
applied as a fundamental design principle for improving
the reliability of systems important to safety. The design
ensures that no single failure could result in a loss of the
capability of a system to perform its intended safety
function.”2 Shutdown systems typically use triple mod-
ular redundancy (TMR) or quadruple redundancy to mea-
sure the same process variable.
2. Fail-safe design: Systems and components
important to safety are designed for fail-safe behavior
so that their failure does not prevent the performance of
the intended safety function.3 For an example, reactor
protection systems are designed with passive features to
the extent possible, and any loss of power to shutdown
systems results in drop of rods by gravity, which assures
fail-safe shutdown.
3. Diversity: “The principle of diversity is applied
to enhance reliability and to reduce the potential for
common cause failures.”2 “Several types of diversity
should typically exist such as functional diversity and
signal diversity.”4
4. Independence: “The principle of independence is
applied, as appropriate, to enhance the reliability of systems,
in particular with respect to common cause failures (CCFs).”2
In any NPP, at least two shutdown systems are used, and
these are functionally different and physically separate.
5. Periodic surveillance: Safety systems are
designed to permit periodic testing of their functionality
when the plant is in operation, including the possibility of
testing channels independently for the detection of fail-
ures and loss of redundancy. Protection system designs
have all aspects of functionality testing from the sensor to
the final actuator.3
II.B. Effect of Safety Criteria on Probability of Failure
upon Demand
Rausand5 has discussed reliability measures for a
safety instrumented function such as average probabil-
ity of failure on demand (PFDAvg), probability of
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
181
failure per hour (PFH), safe failure fraction, hazar-
dous event frequency, risk-reducing factor, and spur-
ious trip rate. IEC 61511 (Ref. 6) indicates that
PFDAvg is the measure to be used for low-demand
mode and PFH for high-demand mode. PFDAvg indi-
cates the probability of a system failing to respond
upon a demand in a specified time interval. It is the
parameter of interest in safety systems like shutdown
systems and decay heat removal systems. In process
industries like petrochemical plants, safety integrity
level (SIL) is used to refer the dependability of a
system, and the levels are listed in Table I (Ref. 6).
However, in NPPs, the systems deployed for shut-
down action and decay heat removal action are to be
demonstrated to be much more dependable than SIL-4
levels used in process industries.7
Though principles suggested in Sec. II.A are qualita-
tive, their relation with quantitative dependability mea-
sure is discussed below.
The total failure rate is λ = λD + λS, where λD and λS
are the dangerous and safe failure rates, respectively.
The dangerous detected and dangerous undetected fail-
ure rates are λDD and λDU, respectively. The test interval
is the interval between two subsequent diagnostic tests.
The mean time to restoration is the sum of the time to
detect a fault by a diagnostic system and the mean
downtime until the system is restored. The proof test is
the test performed to reveal undetected faults by diag-
nostics. The mean repair time is the time to restore the
system after a fault is detected with proof test. The proof
test interval τ is the interval between subsequent proof
tests.
IEC 61508 provides a set of expressions for
PFDAvg for 1oo1, 1oo2, 1oo2D, 2oo2, and 2oo3 archi-
tectures. Studies have been made on IEC 61508
PFDAvg formulae and generalized expressions for
koon (k out of n) architecture. Jahanian proposed gen-
eralized PFD formulae for koon architecture8 and has
proven that it matches with IEC 61508 by applying
various values to k and n.
TABLE I
SIL Levels
SIL PFD
1 10–1 to 10–2
2 10–2 to 10–3
3 10–3 to 10–4
4 10–4 to 10–5
182 SRAVANTHI et al. · SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES

For safety systems of a NPP designed as per criteria where MRT is Mean Repair Time and MTTR is Mean
mentioned in Sec. II.A, the suitable generalized PFDAvg Time to Restoration,
of a k out of n architecture would be that given by
Jahanian.8 However, PFDAvg of voting logic is not con- whereas PFDAvg ðvoting logicÞ
 
sidered. By considering PFDAvg of voting logic, λ1DU  τ  λ
1DD
¼ ðλ1DU þ λ1DD Þ þ MRT þ MTTR ;
λ1D 2 λ1D
Y
nkþ1
PFDAvg ¼ ðn  i þ 1Þ½ð1  βÞλDU
i¼1 where β is the fraction of undetected failures that have a
   common cause and βD is those failures that are detected by
λDU τ
þ ð1  βD ÞλDD  þ MRT the diagnostic tests. A perfect proof testing is assumed since
λD i þ 1
 τ  testing would typically involve exercising all parts of the
λDD
þ MTTR þ βλDU þ MRT safety channel from sensor to final control element. The
λD 2
way in which the parameters in Eq. (1) are linked to qualita-
þ βD λDD MTTR þ PFDAvg ðvoting logicÞ; ð1Þ tive safety criteria described in Sec. II.A is shown in Table II.

TABLE II
Relation Between Qualitative Safety Criteria and PFDAvg

Safety Criteria Relevant Parameter in PFDAvg

Redundancy Coefficient term (n – i + 1) and power term to ðð1  βD ÞλDD þ ð1  βÞλDU Þ are the predominant factors in
PFDAvg influenced by the chosen redundancy level and type of voting.
TMR with 2oo3 voting is often chosen in a reactor safety system since it offers a balance between safety
and spurious actions. PFDAvg for a triple modular redundancy and 2oo3 voting logic is given by

ð1  βD ÞλDD þ ð1  βÞλDU 2
PFDAvg ¼ 6½  
λDU  τ  λ
DD λDU  τ  λ
DD
 þ MRT þ MTTR þ MRT þ MTTR
λD  2  λD λD 3 λD
τ
þ βλDU þ MRT þ βD λDD MTTR þ PFDAvg ðvoting logicÞ:
2
Independence CCFs defeat redundancy. Independence and diversity leads to reduction in CCF fraction. It is apparent from
Eq. (1) that β and βD have a strong potential to nullify the benefits from redundancy.
Providing dedicated sensors for redundant channels, independent power supply, redundant signal
processing electronics in separate rooms, and different cable routing paths are typical “independence”
features in a NPP safety system (i.e., electrical, physical, and communications independence).
Diversity Sensors with diverse working principles, different technologies in signal processing electronics, and
different methods for final actuation are followed for diversity in a NPP (i.e., functional diversity).
Periodic λDU on PFDAvg is reduced by improved diagnostic coverage during periodic self-diagnostics.
surveillance
λDU on PFDAvg is reduced with frequent proof tests.
λDD on PFDAvg is reduced with frequent self-diagnostics.
Diagnostic coverage is one of the most important design parameters to measure the effectiveness of safety
protection systems. The influence of diagnostic coverage, proof test coverage, proof test interval, and
common cause failures on PFDAvg is studied in literature.9–12
Fail-safe design There are two aspects of fail-safe design. First, λD is minimized by appropriate component selection and
configuration. For example, consider in a shutdown system, the EM relay used to communicate scram is
kept energized normally and can be de-energized to communicate a scram demand. This configuration
depends on the fact that the failure rate of relays in “fail-closed” mode is low compared to “fail-open”
mode.
The second aspect is to ensure by design that the system is always taken to safe state wherever a dangerous
failure is detected. This allows for the assumption made in Eq. (1) that all detected failures result in safe
state of the system.

NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018

 SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES · SRAVANTHI et al.
With this dependability viewpoint, the design fea-
tures in safety systems of PFBR I&C that help in redu-
cing PFDAvg are detailed in subsequent sections.
III. DEPENDABILITY FEATURES IN PFBR
In PFBR, I&C systems are provided to facilitate con-
trolled heat transfer from the core to the turbine and to ensure
safety by timely shutdown in case of an anomaly. This
technical note briefs about the salient features in I&C to
achieve high dependability of shutdown systems and decay
heat removal systems. Chetal et al. have given design features
of PFBR like reactor core, reactor assembly, and I&C
(Ref. 13). A flow sheet of PFBR is shown in Fig. 1 (Ref. 13).
III.A. Shutdown System
The purpose of the shutdown system (SDS) is to
terminate the fission reaction and thereby ensure safety
upon any design basis event. Senthil Kumar et al. have
detailed the design of reactor protection systems.14 The
failure frequency requirement for such systems is typi-
cally in the range of 10–6 per reactor year.14 The PFBR is
provided with two redundant, independent, diverse, and
fast-acting shutdown systems (SDS-1 and SDS-2). Each
SDS consists of a reactor protection system (RPS) and an
actuation system (AS). The RPS consists of sensors,
scram generation electronics (SGE), and a voting logic.
Signals from sensors are processed by SGE, which does
Fig. 1. Flow sheet of PFBR.
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
183
signal conditioning and generates a scram signal in case
the measured parameter crosses a configured set point.
Triplicated SGEs are provided with each connected to a
dedicated sensor. The resulting scram signal is processed
by a voting logic that produces “effective scram.” An AS
consists of absorber rods, electromagnets, and drive
mechanisms to raise or drop the neutron absorber rods
into the core. A schematic of SDS is shown in Fig. 2.
SDS-1 consists of nine neutron absorber rods known as
control and safety rods (CSRs). SDS-2 consists of three
neutron absorber rods known as diverse safety rods
(DSRs). CSRs are used for shutdown as well as power
control. DSRs are used only for shutdown.
III.A.1. Sensors
Sensors such as high-temperature fission chambers,
thermocouples, eddy current flow meters, magnetic pump
speed sensors, and delayed neutron detectors are provided
for reactor protection as follows:
1. Signal validation: For any signal, apart from
process range, there is a range out of which there is a
large probability that sensors are at fault. For instance,
though the range for coolant (liquid sodium) channel
temperature measurement is 0°C to 800°C, the tempera-
ture reading cannot be below melting point of sodium.
Moreover, the coolant temperature at the outlet of a fuel
assembly cannot be lesser than that measured at the inlet.
Such rules are used to validate signal measurements, and
184 SRAVANTHI et al. · SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES
scram
Sensor SGE
Effective
scram 2oo3 scram
Sensor SGE voting
logic
Sensor SGE
scram
Fig. 2. Schematic of shutdown system.
invalid signals are treated as “crossed the scram set
point.” This provision results in reducing λDU.
2. Open sensor detection: Signal conditioning units
are designed to pull HIGH for open sensors. This will result
in an invalid reading. This provision results in reducing λDU.
3. Discordance monitoring system: Each scram
parameter is measured using three independent and
redundant sensors. A separate discordance monitoring
system is provided to compare measurements from redun-
dant channels and alert the operator in case of discre-
pancy between the redundant measurements. This
provision helps in reducing λDU.
4. Diverse scram parameters: For each postulated
failure in the plant known as design basis event, two
diverse scram parameters are provided, one connected
to SDS-1 and the other to SDS-2. They are processed
by independent sensors. The sensors used in SDS-1 and
SDS-2 use diverse principles. Such features help in redu-
cing common cause failure fraction.
III.A.2. Signal Processing
III.A.2.a. Scram Generation Electronics
Signals from each sensor are processed with suitable
analog signal processing circuits. Salient design features
which help in achieving a low PFDAvg are given below:
1. Provision for signal superimposition, check
back, and good operation trip (GOT): An online testing
provision is provided in each SGE. When triggered, an
internally generated signal will superimpose on the actual
signal, thus imitating a scram condition. The result of
such a test is reported to the operator. Since the voting
logic generates effective scram with two out of three
voting, reactor operation is not hindered during such
tests. A GOT is generated in case such a test fails.
Since this test exercises all parts of the SGE from sensor
Electromagnet
Electromagnet Absorber
Coil drive
Coil rods
mechanisms
terminal to output stage, this can be treated as a proof test
with a near 100% coverage.
2. Automation of periodic testing and logging:
Scram parameters are to be tested in a sequential fashion.
To avoid operator fatigue and errors, a separate test inter-
face unit (TIU) is provided in the plant to automate the
test. The TIU takes care of sequencing, logging, and
reporting of results. In every shift, one of the three
redundant channels is tested for all scram parameters.
3. Discordance monitoring in set points: The set
points registered in each scram generation circuit are digi-
tized and sent to the plant central computer periodically. An
alarm is raised in case of discordance between redundant
units. This provision helps in diagnostic coverage on SGEs.
III.A.2.b. Voting Logic (Also Known as Safety Logic)
Design features to reduce PFDAvg in voting logic is
described below:
1. The voting logic for SDS-1 is known as Safety
Logic with Finite Impulse Test. It is built using solid-state
devices. It consists of two functional blocks, namely,
safety logic and Fine Impulse Test (FIT) Logic. To main-
tain fail-safe behavior, logic HIGH is treated as
“NORMAL” and logic LOW is treated as “SCRAM,”
and two out of three voting is performed with reverse
logic. To detect failures in the safety logic system, an
online test facility known as FIT Logic is provided. FIT
Logic monitors the healthiness of the safety logic system
online by injecting short-duration pulses (1 ms). All
combinations of redundant channels are superimposed at
the input side and expected outputs are measured at the
output (input to electromagnet) to detect both safe and
unsafe faults. The pulses are too short for electromagnet to
respond to de-energization signal but long enough to detect
the failures. Self-diagnostics ensure the healthiness of FIT
Logic. Tests are repeated cyclically in all scram channels.
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
 SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES · SRAVANTHI et al.
Since the superimposition pulses are fed at the input stage
and the feedback is taken at input line to the electromagnet,
the test can be considered as a proof test. Because of the
short test pulses, a proof test interval in the order of minutes
could be achieved leading to very low PFDAvg. The remain-
ing PFDAvg is then decided by the inability to automatically
put the system to a safe state for certain failures. FIT
unavailability also contributes to PFDAvg.
2. The voting logic for SDS-2 is known as pulse coded
safety logic (PCSL). In this, logic state HIGH is encoded as a
sequence of pulses. The presence of pulse train at the logic
output stage keeps the EM energized, and if logic is stuck at
LOW or HIGH anywhere in the chain, it results in scram.
Two crystal oscillators are used to provide redundancy. This
technique is inherently fail-safe, and hence there is no need
for separate online testing. Provision of an inherently fail-safe
circuit also serves as a completely diverse method of per-
forming two out of three voting thus resulting in a low β. The
PFDAvg of PCSL is limited to those limited failures which
will not result in automatic scram.
III.A.3. Actuators
Absorber rods are held by electromagnets. Upon
scram demand, the current to electromagnet is cut off
and absorber rods are inserted into the reactor core
under gravity. Reliable operation of electromagnet has a
direct implication on the safety of the reactor. Actuators
are electro-mechanical systems whose PFDAvg is not dic-
tated by Eq. (1). Rod insertion probability depends on
complex mechanical factors and is not under the scope of
I&C failures. Salient features that help in achieving a low
PFDAvg are as follows:
1. Rod drop in case of loss of power and cable cut:
Since all absorber rods are kept energized under normal
operation, loss of power to electromagnet or voting logic or
signal processing electronics or a cable cut in any of the
interconnectivities will lead to rod drop. Since a “negative”
reactivity scram parameter exists, one spurious rod drop will
result in all rods getting dropped subsequently. This has a
major effect on reducing λD.
2. Automatic and simultaneous drive down of all
CSRs (upon scram): Rod drop is independent of drive
status and position of electromagnet. However, all elec-
tromagnets are driven down by drive mechanism motors
upon a scram. This feature is provided to give a push to
the detached absorber rod in the remote event of rod
getting stuck and failing to drop. This provision has the
effect of reducing λD.
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
185
3. Periodic surveillance on CSR (rod exercis-
ing): To check that the friction in the mobile assem-
blies is within limits, a set of two rods are exercised
when reactor is on power. One rod is raised and the
other rod is simultaneously lowered so that reactor
power is unaffected. The friction values are elucidated
from load cell provisions on the mechanisms. All rods
are covered cyclically. This operation is called rod
exercising.
4. Response time monitoring: The response time of
electromagnet is in the order of 100 ms. It is measured
during every scram. This helps in verifying the assump-
tion that system is fully healthy upon start-up.
5. Drop time measurement: The time taken for
the CSRs to reach the bottom is measured by actua-
tion of a microswitch provided for this purpose. In
case of DSRs, Kalman filter–based reactivity mea-
surement is used to ensure that rods have reached
the intended positions. This helps in verifying the
assumption that system is fully healthy upon start-up.
III.B. Computer-Based Systems Used for Shutdown
All systems that form part of the shutdown system
are hardwired analog or digital electronic systems
(without software) except for core temperature moni-
toring system (CTMS). This option is preferred to
avoid complications related to quantifying software
reliability. However, CTMS is computer based since
arithmetic operations on around 423 thermocouple
channels are to be performed.15 These signals are mon-
itored and processed by triple redundant real-time com-
puters (RTCs). RTCs are modular with CPU, analog
input card (AIC), digital input card (DIC), analog out-
put card (AOC), and relay output card (ROC) on Versa
Module Europa (VME) bus backplane. Table III lists
the diagnostic features incorporated in these cards
aimed at reducing λDU. Each RTC generates scram
signals upon detecting a failure. “Software hang” con-
ditions will lead to generation of scram. Power supply
failures will lead to generation of scram. Apart from
this, a periodic test input (manually triggered) provi-
sion is given to exercise the watchdog timer and the
electromagnetic (EM) relays used to generate scram.
III.C. Decay Heat Removal System
During normal operation, the heat generated from the
core is removed with dedicated heat exchangers. After the
reactor is shut down, the decay heat is removed with
186 SRAVANTHI et al. · SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES
Operation Grade Decay Heat Removal (OGDHR) system
predominantly using normal heat removal path. During the
unavailability of OGDHR, the decay heat is removed with the
SGDHR system. SGDHR consists of four sodium loops each
with 8 MW(thermal) capacity. In each loop, the heat transfer
TABLE III
Diagnostic Features for VME-Based Computer Systems
Brief Description
AIC Number of channels: 30
1. 16-bit successive approximation analog-to-digital con-
verter (ADC).
2. Multiplexer is used to time share ADC for multiple
channels.
3. FPGA-based sequencer issues control signals for
selecting a particular channel. Functional blocks of
sequencer are sequencing logic, VME bus interface
logic, and static random access memory (SRAM).
DIC Number of channels: 30
1. Signal conditioner block provides isolation from field
inputs and converts it to transistor-transistor logic
compatible input.
2. Debounce logic takes input signals from signal condi-
tioners and removes the bounce.
3. Read register reads debounced field input signals.
ROC Number of channels: 15
1. Latch block is used to latch the data on VME bus data
lines and drive the relays.
2. On-board relays with two contacts are provided.
Primary contact is routed to field and secondary con-
tact (mirror contact) is used for diagnostic purpose.
3. A built-in watchdog timer is provided on the card.
AOC Number of channels: 4
1. Digital-to-analog converter (DAC) and a voltage to cur-
rent converter are used to drive 4 to 20 mA to the field.
2. Read back section consists of isolators, analog multi-
plexer, amplifier, and ADC.
CPU 1. Some 68020-based controllers with hardwired TCP/IP
stack and RS-232 interface are provided.
2. Erasable programmable read-only memory (EPROM)
is used to store program. Electrically erasable pro-
grammable read-only memory (EEPROM) is provided
for storing set points. SRAM is provided for data.
3. An inbuilt watchdog timer is provided in the card.
from sodium pool to the SGDHR loop takes place through a
sodium-to-sodium heat exchanger dipped into the pool. This
heat will be dissipated to the atmosphere (ultimate heat sink)
through sodium-to-air exchangers (AHX). To achieve very
high reliability, the sodium flow in the SGDHR loop and air
Diagnostic Feature
1. Multiplexer fault detection is done by connecting
reference voltage to a particular input channel and
comparing against expected pattern.
2. ADC health is monitored with end of conversion signal
in stipulated time.
3. Sequencer maintains trigger count as self-health check.
The counter increments on every trigger. If counts
from two consecutive readings match, then the
sequencer is assumed to be faulty.
1. Diagnosis of DIC is done by feeding the input with 0
or 1 through opto-coupler with “force 0” or “force 1”
logic block at the input stage and checking the read
digital values. When these inputs are given field inputs
are masked.
2. Healthiness of registers is checked by writing and
reading test data periodically.
1. Relays are kept energized under normal condition and
de-energized upon scram. Particular data pattern is
written in relay latch register to energize or de-energize
the relay. Relay contact output are read back and
compared with the written data pattern. If any contact
gets welded, it is interpreted from the read-back pattern
and an alarm is raised.
2. The contacts are exercised during periodic proof
testing.
3. If CPU does not refresh watchdog timers, relays are
de-energized automatically.
1. In read back section, the current output that is given to
the field is converted to voltage and fed to analog
multiplexer, which gives single output to an ADC.
ADC output is compared with the derived pattern.
1. The watchdog timer is loaded with an initial count.
Upon a software hang, clock count goes to zero.
2. Error detection and correction on SRAM data.
3. Cyclic redundancy check is done on EPROM and
EEPROM memory to guard against memory
corruption.
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
 SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES · SRAVANTHI et al.
flow through AHX are designed to be driven by natural
circulation. Both the inlet and outlet air flow paths have two
sections of dampers each controlling one half of the available
flow area. The damper in one section is pneumatically driven,
and the damper in second section is electrically driven (motor
operated). This arrangement is provided for diversity in
design. Both the damper systems deploy relay logic to control
opening and closing of the dampers. John Arul et al. have
given design details of the system.16 The system is passive,
and I&C is limited to control of dampers that restrict air flow
through AHX. Apart from this, I&C is provided for monitor-
ing sodium flow, sodium temperature, and air temperature in
the loops. The important safety function of the system is to
automatically “drive open” the dampers in case of reactor
scram, and in case OGDHR is not operational. Salient fea-
tures in SGDHR to reduce PFDAvg are:
1. The control of dampers is segregated from
monitoring function. Thus, conventional EM relay
logic built with ladder diagram is used to control dam-
pers, whereas a computer-based system is used for mon-
itoring sodium flow, temperature, etc. This helps in
simplification of safety circuit and usage of minimum
number of components in the system.
2. Electromagnetic relays are used to implement the
logic rather than solid-state circuits. Relays are kept ener-
gized during normal condition and are de-energized to indi-
cate a demand condition (since EM relays are predominantly
in fail-open mode). Additionally, “Normally Open” contacts
are used. Thus, dampers will open upon loss of control power
supply, failures in EM relays, and cable cut.
3. “De-energize to OPEN”–type solenoid valves are
used in pneumatic dampers so that upon failure of control
power supply, dampers will fully open.
4. A counterweight is provided on pneumatically
operated dampers. Pneumatic pressure is required to close
the dampers. Thus, loss of pressure will lead to an opening of
dampers.
IV. DISCUSSION
Based on the literature survey and from the study of
safety critical I&C of PFBR, the following observations
are made on three parts of the I&C chain, namely, sen-
sors, processing electronics, and final control elements:
1. Sensors: The sensor failures are adequately covered
by discordance monitoring (comparison of readings from
redundant sensors) and signal validation.
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
187
2. Processing electronics: The SGE and voting logic
employs sophisticated electronics or computer systems in
which fail-safe design is adequately implemented by using
techniques like finite impulse tests, test signal superimposi-
tion, discordance monitoring, etc. A very high coverage
factor could be achieved due to end-to-end testing, exploiting
the simplicity in the functional requirement (the SGE is
basically a threshold comparator).
3. Fail safeness in absorber rods (final control
elements): Falling under gravity is a natural phenomenon,
and failure probability to insert the rods is remote. The
rods drop under failures like loss of power supply, cable
cut, and common failures in output circuit.
Thus, the design principles are well applied in all
three sections of the I&C loop, namely, sensors, SGE, and
final control elements. The possible areas identified for
further investigation are discussed below.
IV.A. Electromagnetic Relays with Online Weld
Detection
Most of the safety systems in PFBR implement a fail-safe
design. However, there is a huge dependency on the assump-
tion that EM relays fail in open mode. As per literature,17,18
contact weld failure also is one of the possible failure modes
(though the predominant failure mode of a relay is fail open
for low current ratings). Electromagnetic relays are kept
energized during normal operation and de-energized upon a
shutdown demand to achieve a fail-safe behavior. In current
practice, contact weld failure in relays is detected by periodic
opening of contacts in one of the redundant channels and
checking the status of the auxiliary contact. Current methods
do not allow for reliable online diagnostics of this failure
mode without actually opening/closing the relays or without
making measurements at contact side. This author and her
team have proposed a new method to detect failure of relay
contacts in weld mode without actually de-energizing the
relay. In this method, healthiness of relay contact is monitored
by interpreting the coil current decay curve of the relay by
giving the de-energization command. The relay is re-
energized before the contacts start to open. The novelty of
the technique is that relays can be tested with no effect on the
load connected to the contacts of the relay. This technique is
detailed in our previous work.19
To demonstrate the practicality of the technique, an
ROC suitable for usage in computer-based CTMS dis-
cussed in Sec. III.B has been designed and fabricated.
The Markov model is established to determine unsafe
state probability of the system using such ROC. It has
been proven that the diagnostic circuitry in ROC
188 SRAVANTHI et al. · SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES

significantly reduces unsafe state probability. The signif-
icant reduction in unsafe state probability is achieved
with very low test interval, which is turn is possible
because the proposed method is amenable for online
implementation. It is also demonstrated that failures in
diagnostic circuitry have much less significance on the
unsafe state (steady state) probability of the system. This
work is detailed in our previous work.20 From this, it is
recommended to deploy online diagnostics of relays for
scram communication in future designs.
IV.B. Using Inherently Fail-Safe Circuits
All scram processing electronics are deployed with
online self-diagnostics and subsequent fail-safe outputs in
case of faults. Only one of the two voting logic circuits
uses an inherently fail-safe design (PCSL). Inherently,
fail-safe systems will automatically lead to a safe state
in case of failures in the system. It does not require an
additional diagnostic circuit. So these circuits have a
lower unsafe failure probability since the periodicity of
self-test is tending to zero and the issues arising out of
failures in diagnostic circuitry do not exist. A failure
mode effect analysis (FMEA) has to be used to assess
the effects of each potential component failure on the
system. This is performed by analyzing each component
with all dominant failure modes as listed in Failure Mode/
Mechanism Distributions in Ref. 21 and consequences of
such failures on the system. IEC 60812 is the recom-
mended standard for carrying out FMEA (Ref. 22).
The crucial part of an inherent fail-safe design is
that it has to be proved that the circuit is fail-safe
under all postulated failure cases. However, certain
failures that are not immediately revealed give oppor-
tunity for multiple failures to accumulate over time,
leading to an unsafe scenario. The failure correspond-
ing to this is λDNI (dangerous noninherent failure rate).
To prevent these failures, the circuit has to be tested
with selected test points every proof test interval once
in designated interval (proof test interval). PFDAvg is
reduced by designing a circuit with λDNI as minimum
as possible. A comparison between system design
with periodic self-test and inherently fail-safe design
is given in Table IV. Considering these, inherently
fail-safe AND/OR gates is recommended for designs
with simple combinational logics. A case study on
SGDHR damper control logic with inherent fail-safe
AND gate is studied.23 From this, inherent fail-safe
designs are suggested as a diverse method to imple-
ment redundant instrumentation provisions for safety
critical applications.
V. CONCLUSION
Various dependability practices in I&C of a mod-
ern fast-breeder reactor are described. The relationship
between conventional qualitative safety criteria with
quantitative reliability parameters is highlighted. Such
a review has resulted in prioritizing efforts on future
improvement and an improved insight into the benefit
of any such improvement. Possible improvements by
adopting existing new techniques are also highlighted.
This technical note will be highly beneficial to the
nuclear I&C community working on dependability
management.

TABLE IV
Comparison of PFDAvg for Different Logics

Logic PFDAvg

Solid-state electronics logic with periodic testing From IEC 61508:

 
λDU  τ  λ
DD
PFDAvg ¼ ðλDU þ λDD Þ þ MRT þ MTTR ;
λD 2 λD
where diagnostic test circuitry failures are ignored, and
λDU is minimized by improved diagnostic coverage to reduce PFDAvg.

Solid-state electronics—inherent fail-safe circuit In such a design, λDD is zero and λDU is λDNI. So the above equation becomes
 
λDNI  τ τ 
PFDAvg ¼ ðλD Þ þ MRT ¼ λDNI þ MRT ;
λD 2 2
where λDNI has to be shown to approach zero to reduce PFDAvg.

NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018

 SAFETY CRITERIA AND DEPENDABILITY MANAGEMENT PRACTICES · SRAVANTHI et al.
Acknowledgments
The authors are greatly thankful for the support and moti-
vation by A. K. Bhaduri, Director, Indira Gandhi Centre for
Atomic Research (IGCAR). S. Sravanthi thanks Department of
Atomic Energy fellowship for a perspective research grant for
this work. The authors acknowledge EID colleagues, IGCAR,
for the inputs on card details of computer-based systems.
References
1. IEC 61508, “Functional Safety of Electrical/Electronics/
Programmable Electronic Safety-Related Systems, Parts
1–7,” International Electrotechnical Commission (2010).
2. IAEA Safety Standards Series No. NS-R-4, “Safety of
Research Reactors,” International Atomic Energy Agency
(2005).
3. IAEA Safety Standard Series No. SSR-2/1, “Safety of
Nuclear Power Plants: Design,” Specific Safety
Requirements, International Atomic Energy Agency
(2016).
4. IAEA Safety Standards Series No. NS-G-1.3,
“Instrumentation and Control Systems Important to Safety
in Nuclear Power Plants,” International Atomic Energy
Agency (2002).
5. M. RAUSAND, Reliability of Safety Critical Systems:
Theory and Applications, Wiley, Hoboken, New Jersey
(2014).
6. IEC 61511, “Functional Safety—Safety Instrumented
Systems for the Process Industry Sector, Part 1–3,”
International Electrotechnical Commission (2003).
7. “Safety Systems for Pressurized Heavy Water
Reactors,” AERB Safety Guide No. AERB/NPP-
PHWR/SG/D-10, Atomic Energy Regulatory Board
(2005).
8. H. JAHANIAN, “Generalizing PFD Formulas of IEC
61508 for KooN Configurations,” ISA Trans., 55, 168
(Mar. 2015); https://doi.org/10.1016/j.isatra.2014.07.
011.
9. F. E. NADIR et al., “Influence of Failure Modes and
Effects Analysis on the Average Probability of Failure
on Demand for a Safety Instrumented System,” Proc. 4th
IEEE Int. Mtg. Information Science and Technology,
Tangier-Assilah, Morocco, October 24–26, 2016.
10. J. JIN et al., “Impact of Proof Test Interval and Coverage
on Probability of Failure of Safety Instrumented Function,”
Ann. Nucl. Energy, 87, 2, 537 (2016); https://doi.org/10.
1016/j.anucene.2015.09.028.
NUCLEAR TECHNOLOGY · VOLUME 201 · FEBRUARY 2018
189
11. İ. ÜSTOĞLU, Ö. T. KAYMAKÇI, and J. BÖRCSÖK, “Effects
of Varying Diagnostic Coverage on Functional Safety,” Proc.
IEEE Int. Symp. Fundamentals of Electrical Engineering
(ISFEE 2014), Bucharest, Romania, November 28–29, 2014.
12. W. VELTEN-PHILIPP and M. HOUTERMANS, “The Effect
of Diagnostic and Periodic Proof Testing on the Availability of
Programmable Safety Systems,” Proc. 10th WSEAS Int. Conf.
Communications, Athens, Greece, July 13–15, 2006.
13. S. C. CHETAL et al., “The Design of the Prototype Fast
Breeder Reactor,” Nucl. Eng. Des., 236, 852 (Apr. 2006);
https://doi.org/10.1016/j.nucengdes.2005.09.025.
14. C. S. KUMAR et al., “Reliability Analysis of Shutdown
System,” Ann. Nucl. Energy, 32, 1, 63 (Jan. 2005); https://
doi.org/10.1016/j.anucene.2004.08.002.
15. M. SAKTHIVEL and K. MADHUSOODANAN, “Core
Temperature Monitoring System for Prototype Fast
Breeder Reactor,” Nucl. Sci. Eng., 170, 3, 290 (2012);
https://doi.org/10.13182/NSE11-07.
16. A. JOHN ARUL et al., “Reliability Analysis of Safety
Grade Decay Heat Removal System of Indian Prototype
Fast Breeder Reactor,” Ann. Nucl. Energy, 33, 2, 180 (Jan.
2006); https://doi.org/10.1016/j.anucene.2005.08.001.
17. A. R. NEUHAUS, W. F. RIEDER, and M. H. SCHMIDT,
“Influence of Electrical and Mechanical Parameters on
Contact Welding in Low Power Switches,” IEEE Trans.
Compon. Packag. Technol., 27, 1, 4 (Mar. 2004); https://
doi.org/10.1109/TCAPT.2004.825777.
18. L. MORIN, N. B. JEMAN, and D. JEANNOT, “Make Arc
Erosion and Welding in the Automotive Area,” IEEE
Trans. Compon. Packag. Technol., 23, 2, 240 (June 2000);
https://doi.org/10.1109/6144.846760.
19. S. SRAVANTHI et al., “A Method for Online Diagnostics
of Electromagnetic Relays against Contact Welding for
Safety Critical Applications,” IEEE Trans. Compon.
Packag. Manu. Technol., 5, 12, 1734 (Dec. 2015); https://
doi.org/10.1109/TCPMT.2015.2498624.
20. S. SRAVANTHI et al., “Reliability Model of a Relay Output
Card with Diagnostic Circuitry for Safety Instrumented
System,” Proc. 2016 Int. Conf. System Reliability and
Science, Paris, France, November 15–18, 2016.
21. “Failure Mode/Mechanism Distributions,” Reliability
Analysis Center (2013).
22. IEC 60812, “Analysis Techniques for System Reliability—
Procedure for Failure Mode and Effects Analysis,”
International Electrotechnical Commission (2006).
23. S. SRAVANTHI et al., “An Inherently Fail-Safe Electronic
Logic Design for a Safety Application in Nuclear Power
Plant,” Process. Saf. Environ. Prot., 111, Supplement C,
232 (Oct. 2017); https://doi.org/10.1016/j.psep.2017.07.008.