INDIA’S DEPARTMENT OF ATOMIC ENERGY (DAE) is no stranger to the benefits of digitalisation of instrumentation & control (I&C) for its reactor fleet. Eight-bit or 16-bit microprocessor-based controls were introduced for main equipment back in the late 1980s and networking was emphasised in the 1990s, but India was also a relatively early mover in the progressive deployment of field- programmable gated array (FPGA) and application-specific integrated circuit (ASIC) equipment. The digital evolution of I&C systems deployed in Indian nuclear reactors is supported indigenous research and development (R&D). Full-scope simulators were used to test the I&C systems before deployment.

The newer reactors operated by DAE’s main utility, the Nuclear Power Cooperation of India (NPCIL), have I&C architectures built around programmable logic controllers ultimately slaved to mosaic-based control rooms via computerised operator information systems (COISs) and control panels. Reactors currently under construction, and those planned for the future, will all have distributed I&C architecture based on high-integrity real-time embedded systems using standardised FPGA/ASIC hardware. This I&C architecture would typically include large screen displays and screen-based controls as the human-machine interface, with enhanced safety and cybersecurity features.

This embedded I&C setup has grown out of the experience at Tarapur 3&4, the first medium-sized Indian PHWR built. Commissioned in the first decade of the 2000s, Tarapur 3&4 were the first Indian PHWRs to have fully computerised key safety systems.

In a typical PHWR (or Candu) of contemporary design, the main control equipment for automated plant control, including automatic safe shut down, are: reactor protection system; (RPS), reactor regulating system (RRS); coolant channel temperature monitoring system; process control; safety interlocks; the fuel handling system; and the electrical SCADA.

Tarapur 3&4 were the first IPHWRs to boast a fully computerised reactor protection system, to offer better reliability and maintainability than in previous plants. Each reactor has two diverse RPS or shutdown systems, which are configured as triplicated alarm units in order to handle three-channel inputs and generate trip outputs. Operator interface is via redundant display units that communicate with each other on isolated serial links but the trip generating function is kept independent of the display units or the communication between them. Diagnostic routines monitor the system and the detection of any failure will result in the outputs being driven to trip condition. The process control system used in Tarapur 3&4 is a microcomputer-based fault-tolerant real-time system based on dual-processor hot-standby architecture as a defence- in-depth measure. It uses dual-redundant optical fibre ethernet networks for data communication.

At 540MWe Tarapur 3&4 were also considerably larger than the 220MWe (initially 235MW) versions that had preceded them, so they required more input-output signals and reactivity control devices. These in turn necessitated the development of a new multinodal system architecture for the regulating system, which relies entirely on digital communication. Configured as a functionally partitioned distributed control system with nine nodes, this incorporated new functions such as zonal control of neutron flux, shutoff rods withdrawal on startup and step back. Linked by dual redundant high-speed ethernet, these nodes work independently while performing their functions. There are two operator consoles from where power manoeuvring and manual operation of reactivity devices are carried out.

The RRS also includes a new reactivity device in the form of a liquid zone containment system (LZCS). Owing to its novelty in India, a LZCS test setup was installed at the Reactor Control Division of the Bhabha Atomic Research Centre (BARC), Trombay, for design validation and integrated testing with RRS algorithms. DAE considers this test set-up to have contributed significantly to cost savings in the construction of Tarapur 3&4, by reducing overall commissioning time.

DAE sets great store by the use of simulators for development and training. A case in point is using real-time dynamic simulators for the fuel handling system. From Tarapur 3 onwards this is software-driven with minimal use of hardware, so a premium has been placed on debugging the control software by using PC-based dynamic simulators developed specifically for the purpose that use software models for fuelling machine components. Such custom simulators have also been developed and deployed by DAE for FHS-related training purposes as well.

Beginning with Tarapur 3&4, the coolant channel temperature monitoring system (CCTMS) in IPHWR designs has incorporated a new function in the form of automatic reactor set-back (reduction of reactor power output). The CCTMS receives inputs from resistance temperature detectors mounted on each of the 392 channel outlets connected to two identical and independent computer systems. In line with the philosophy of integrating plant wide data at a single location, the CCTMS sends the data to the reactor parameter display system, which acts as one of the gateways to COIS. The CCTMS has additional features, such as checking irrational low limit, dynamic alarm generation, online setback test, switching of failed RTDs between installations and ethernet connectivity.

Standardising electronics

The four 700MWe PHWRs currently under construction in India have essentially the same I&C architecture as Tarapur 3&4, with a measure of increased complexity due to the addition of a regional overpower protection system to the protection system and the interleaving of the primary heat transporters. What is most notable is that various digital boards employed in the computer systems have their controllers and sequencers implemented on field programmeable gated arrays. For example, the fuel handling system in the IPHWR-700, which is designed to perform all the operations in auto mode from the main control room, has its manual and safety logic implemented using FPGAs in order to reduce wiring density. Similarly, on the digital communications side for these reactors, Ethernet 802.3 MAC protocol has been implemented in a FPGA.

DAE was subject to sanctions regimes in the past, and it has long emphasised the use of FPGAs in its embedded systems, since they can mitigate the effects of obsolescence in an environment where there might be constraints on microprocessor imports. While that might have been the strategic reason for using FPGAs, the fact that they also improve the reliability of a system by reducing component count was very much kept in mind. The advantages of using FPGAs — they are smaller, dissipate less power and are more reliable (with fewer external connections) – along with giving a ‘proprietary’ touch to the instruments developed have all been contributing factors in DAE’s attraction to FPGAs.

DAE has developed a variety of input-output (I/O) boards with on-board intelligence implemented in FPGA. The components used on these boards are low voltage with higher density and low power consumption. They also have extensive diagnostic and self-test features built in.

While the I&C architecture of IPHWR-700s will resemble that of the PHWR-540s, much more futuristic systems can be expected on planned reactors such as the thorium-based 300MWe advanced heavy water reactor (AHWR). AHWR control and monitoring will use fully computer-based operator interfaces, except for safety systems, for which control and monitoring is performed from dedicated hardwired panels. AHWR’s I&C architecture will be based on extensive use of pre-configured programmable controllers and networking. This is expected to lead to greater uniformity in hardware and software, and will ease commissioning and servicing requirements.

In particular, a seven-layered advanced operator interface system (AOIS) has been developed which will acquire complete plant information in real time from computer-based front-end systems and present it to operators throughout the plant in a composite manner. AOIS will collect data from safety, non-safety and safety- related systems, segregating them at the data concentrator and SCADA server levels to improve overall reliability. An integrated test station comprising full-scale prototypes of AHWR I&C systems is currently operational at BARC. It is the latest of DAE’s full-scope simulators meant for testing and validating control algorithms using ‘hardware in loop’ simulations.

Software

Software reliability is key to embedded I&C systems performing safety critical functions. DAE has long been refining its verification & validation methodology, using techniques such as static analysis and assertion-based verification of safety critical software.

The Atomic Energy Regulatory Board’s (AERB’s) regulatory framework has evolved alongside with the development of I&C software in India. Domestic standards and guidelines developing safety-critical software have also emerged. AERB’s safety classifications and the process standards (D-25) guide the development of I&C software in India’s nuclear sector. Alongside D-25, IEC60880 standard is also followed throughout the development of I&C software.

Developments in instrumentation

Any control system is only as good as the instrumentation providing feedback. IPHWRs typically have a whole host of instrumentation and actuators deployed including thermocouples, RTDs, pressure gauges and transmitters, flow gauges and transmitters, self-powered neutron detectors, ion chambers, BF3 counters, potentiometers, linear variable differential transformers, rotary variable differential transformers etc.

IPHWR-700s for instance feature 102 vanadium neutron detectors, which are used by the flux mapping system, which informs the zonal flux mapping function of the RRS. FMS periodically acquires neutron flux signals sensed by the in-core neutron detectors, computes the neutron flux profile and average thermal power in each of the fourteen zones and sends the zone power correction factors to the reactor regulating system to compute flux tilts. The system also delivers information on burn-up and build-up history. To speed up the response time of the vanadium detectors, BARC has developed an on-line DSP-based algorithm which reduces response time from five minutes to 40 milliseconds. This algorithm is coded to an FPGA which is fitted on a ‘piggyback board’ inside the SPND amplifier. (BARC has also developed Inconel 600 SPND as an alternative to cobalt detectors for in-core neutron monitoring.)

In recent years, DAE has developed LOCA-qualified absolute pressure sensors with remotely mounted electronics.

These pressure sensors are located inside the containment, connected to the electronics module outside the containment through a long-screened cable. This arrangement ensures that only the pressure sensors, designed to withstand and operate under a steam water mixture at 180°C temperature, 10 bar pressure and high gamma radiation, and the electronics module will encounter any accidental ambient conditions.

Several 10B lined ionisation chambers with and without gamma compensation have also been developed, with cylindrical and parallel plate electrode geometry. These detectors were developed after extensive studies on the optimisation of neutron and gamma sensitivities, the voltage and current characteristics and the response of the detectors as a function of neutron flux. Alongside the above, gamma-compensated boron-lined ionisation chambers employing the parallel plate electrode geometry with specially designed springs and ceramic spacers have been developed for the first time, for use in future LWRs. These are mechanically rugged and designed for continuous operation up to 300°C with linearity of better than 10% over a flux range of 104 nv (one thermal neutron per square centimetre per second) to 1011 nv. These detectors have been successfully integrated with hanger assemblies and qualified for shock, vibration and LOCA conditions.


Author information: Saurav Jha is an author and commentator on energy and security, based in New Delhi