Game changer in addressing I&C common cause failure protection and diversity requirements implementation
List of authors:
- Mr. Ievgenii Bakhmach, “RPC Radics” LLC, Chief Executive Officer
- Mr. Ievgen Brezhniev, “RPC Radics” LLC, Strategic Marketing Director
- Mr. Vyacheslav Kharchenko, Director of Scientific and Technical Center, PC “RPC Radiy”
- Mark J. Burzynski, SunPort, Chief Executive Officer
- Sean Kelley, SunPort, Chief Operating Officer
Radiy is proud to present the RadICS Digital Instrumentation and Control (I&C) Platform that was approved by the U.S. Nuclear Regulatory Commission (NRC) on July 31, 2019.
The RadICS Platform is robust, flexible, and scalable. It provides state-of-the-art functions, services, and safeguards for both safety and non-safety applications in the nuclear industry. RPC Radiy uses Field Programmable Gate Array (FPGA) technology in its digital platform to implement customized solutions for NPP I&C systems. The RadICS Platform consists of a Logic Module, basic input/output modules, and specialty modules, all housed in a seismically qualified chassis. Since the early use of digital computer-based safety systems in nuclear power plants, there have been concerns about the potential for common system failures due to latent errors in software. Such latent errors could defeat the redundancy built into the system architecture, so that a digital instrumentation and control (I&C) system might be unable to protect the plant because of these common cause failures (CCF).
The RadlCS Platform creates a new paradigm for addressing common cause failure (CCF) vulnerabilities and CCF defense. The old (traditional) paradigm relies on the addition of a separate diverse actuation system to address the CCF vulnerabilities associated with microprocessor-based systems. The old paradigm adds system complexity along with increased costs and longer schedules for protection system modernization projects.
The RadICS Platform is based on FPGA technology that incorporates a unique diversity strategy based on internal features of the RadICS Modules to address the CCF vulnerabilities. No separate diverse actuation system is needed to address the CCF vulnerabilities, which eliminates system complexity along with the associated cost and schedule impacts.
The RadICS diversity strategy is supported by IEC 61508:2010 SIL 3 certification, which incorporated extensive and robust self-monitoring features to achieve the SIL 3 rating in a single channel configuration. Fault insertion tests were used to validate the self-monitoring features. The characteristics of the SIL certification are a high degree of coverage for self-monitoring using robust measures (including independence and diversity attributes) that put the Modules in the safe state when critical failures are detected. The RadICS Platform design was evaluated using the methodology described in the NRC document NUREG/CR-7007, “Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems.” The evaluation credits important functional and technology diversity features and demonstrates the internal diversity of the RadICS Platform, which allows for implementation without the use of a Diverse Actuation System (DAS).
The RadICS Platform employs several internal-diversity features to provide sufficient protection to address CCF vulnerabilities that may be introduced by the FPGA technology:
- Functionally Independent and Diverse Self-Testing and Diagnostics: Provides physically separate FPGA logic circuits for self-monitoring features that are independent and functionally diverse from the FPGA logic circuits executing control functions. The self-monitoring features put the Modules in the safe state when critical failures are detected.
- Functionally Independent and Diverse Power Supply and Watchdog (PSWD) Monitoring: Provides a functionally and structurally diverse method of monitoring the FPGA logics and power supplies. The PSWD Unit provides an independent method of placing a RadICS Module in a safe state when critical failures are detected.
- Separate Clocks for Diverse Functional Domains: Physically separate clocks are used for safety functions, self-testing, and PSWD monitoring to ensure different timing or order of execution based on the parallel processing of the FPGA and CPLD circuits.
- Diverse Chip Technologies: The CPLD (Complex Programmable Logic Device)-based PSWD Unit is separate and inherently diverse from the Module FPGAs.
The internal diversity features of the RadICS Platform augment the existing diversity features of the I&C system designs for the operating fleet. The key decisions to use FPGA and CPLD chip designs resulted in a number of inherent diversity attributes for the RadICS Platform. The FPGA technology allows for more deterministic performance than a microprocessor because the hardware parallelism inherent to FPGA technology lets logic functions and control algorithms execute in parallel. This parallelism also provides the ability to segregate safety functions from self-test and diagnostics functions. The resulting circuits are pure hardware without additional layers of platform software (operating system, drivers, etc.). Dedicated separate hardware for all functions provides the advantage of computational efficiency, but from the reliability point of view the more important aspect is the separation of functions. There is no need for resource allocation such as memory, processor time, or data transfer on a bus. This eliminates the risk of functions interfering with each other or with the operating system or other platform functions.
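To make the internal-diversity argument concrete, the following added example (constructed for this article, not RadICS code or any part of the certified design) models a safety logic module whose control function is checked by a functionally diverse self-monitor and, separately, by a power-supply/watchdog (PSWD) domain, and then drives it with a small fault-insertion harness of the kind described above. The trip function, its limits, the supply-voltage window and the watchdog timeout are hypothetical values chosen for illustration; the point shown is that a latent error in the control logic, a hung control path, and a supply fault are each caught by a monitor that does not share the faulted path, and each forces the module to the safe state.

```python
"""Constructed toy model (not RadICS code) of a safety logic module with an
independent, functionally diverse self-monitor and a separate PSWD domain,
exercised by fault insertion. All limits, voltages and timeouts are
hypothetical illustration values."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    OPERATING = "operating"
    SAFE = "safe"  # outputs forced to the de-energized (trip) position


# Hypothetical trip function: trip on high pressure or high temperature.
P_LIMIT, T_LIMIT = 150.0, 320.0


def control_logic(pressure: float, temperature: float) -> bool:
    """Control-function domain: the logic that actually drives the trip output."""
    return pressure > P_LIMIT or temperature > T_LIMIT


def diverse_check_logic(pressure: float, temperature: float) -> bool:
    """Self-monitoring domain: the same decision computed a different way
    (signed margins instead of comparisons), so a latent error in one
    implementation is unlikely to be replicated in the other."""
    return max(pressure - P_LIMIT, temperature - T_LIMIT) > 0.0


@dataclass
class Module:
    faults: set = field(default_factory=set)   # faults inserted by the harness
    state: State = State.OPERATING
    cycle: int = 0
    last_heartbeat: int = 0
    watchdog_timeout: int = 3                   # scans without a heartbeat
    supply_range: tuple = (4.75, 5.25)          # volts, hypothetical window
    log: list = field(default_factory=list)

    def _trip_to_safe(self, reason: str) -> None:
        if self.state is State.OPERATING:
            self.state = State.SAFE
            self.log.append(f"cycle {self.cycle}: {reason}")

    def run_cycle(self, pressure: float, temperature: float, supply_v: float) -> bool:
        """One scan. Returns the trip output (True = trip demanded)."""
        self.cycle += 1
        output = False
        if "hang" not in self.faults:
            # Control-function domain produces its output and a heartbeat.
            output = control_logic(pressure, temperature)
            if "stuck_no_trip" in self.faults:      # inserted latent logic error
                output = False
            self.last_heartbeat = self.cycle
            # Independent self-monitor compares against the diverse result.
            if ("monitor_disabled" not in self.faults
                    and output != diverse_check_logic(pressure, temperature)):
                self._trip_to_safe("self-monitor: control/diverse mismatch")
        # PSWD domain runs whether or not the control logic is alive.
        if self.cycle - self.last_heartbeat >= self.watchdog_timeout:
            self._trip_to_safe("PSWD: heartbeat timeout")
        lo, hi = self.supply_range
        if not lo <= supply_v <= hi:
            self._trip_to_safe("PSWD: supply voltage out of tolerance")
        # In the safe state the output is forced to trip whatever the logic says.
        return True if self.state is State.SAFE else output


def fault_insertion_test(fault: Optional[str], cycles: int = 6):
    """Run one inserted fault against constructed process values that demand
    a trip (pressure above limit). Returns (final state, outputs, log)."""
    m = Module(faults={fault} if fault else set())
    supply_v = 3.9 if fault == "undervoltage" else 5.0
    outputs = [m.run_cycle(pressure=170.0, temperature=300.0, supply_v=supply_v)
               for _ in range(cycles)]
    return m.state, outputs, m.log


if __name__ == "__main__":
    for f in (None, "stuck_no_trip", "hang", "undervoltage"):
        state, outputs, log = fault_insertion_test(f)
        print(f"fault={str(f):14} state={state.value:9} outputs={outputs} {log}")
```

The harness runs each fault for six scans. With no fault the module keeps operating and trips on demand; the stuck-output fault is caught on the first scan by the diverse comparison; the hung control path produces no heartbeat, so the PSWD watchdog forces the safe state after the timeout even though the self-monitor never ran; the undervoltage case is caught by the PSWD supply check. In the safe state the output is held at trip regardless of what the faulted logic computes, which is the behaviour the platform description calls placing the Module in the safe state.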
The RadICS Platform diversity strategy represents a stronger diversity case than other platforms previously accepted by the NRC. The RadICS Platform diversity approach provides other benefits by simplifying the overall I&C system designs, since a separate DAS is not required to mitigate digital CCF vulnerabilities.
The NRC determined the RadICS platform design, development and test approach provides a measure of diversity within the RadICS modules. Consistent with NUREG/CR-6303, the NRC determined that licensees can use these diversity attributes in future system applications of the RadICS platform for plant-specific evaluations to determine whether platform and application logic CCFs can be eliminated from further consideration. In the absence of comprehensive testing, elimination of CCFs from further consideration is allowed by BTP 7-19 when sufficient diversity has been demonstrated by an applicant or licensee. The NRC further determined the RadICS platform supports inclusion of application-specific functional diversity and signal diversity, which could be implemented to achieve an additional degree of overall system diversity beyond the diversity provided by the platform design.
Research and Production Corporation (RPC) Radiy, a Ukrainian company, has a long history of working with operating NPPs and installing new I&C systems in turn-key projects. RPC Radiy provides a wide variety of I&C solutions, ranging from full-scope turn-key modernization projects to reverse engineering and printed circuit board-level, like-for-like replacement, as well as solutions to ageing and obsolescence problems, both for safety and non-safety applications. RadICS platform-based I&C systems (Reactor Trip System, Engineered Safety Feature Actuation System, Conventional Island Control System, Nuclear Island I&C Instrumentation System) have been successfully operated in Ukraine since 2015, assuring the safety and reliability of Ukrainian NPPs.