A case for digital I&C
12 March 2020
Robert Ammon and Mark Burzynski make the case for a transition to digital instrumentation and control technologies, which offer safer designs, reduce costs and minimise obsolescence
There are costs and risks associated with postponing adoption of digital technology and clinging instead to analogue products that are difficult and expensive to find in today’s market. Digital technology for nuclear safety instrumentation and control (I&C) systems can deliver benefits that enable utilities to improve equipment and plant reliability with safer designs, reduce operating costs, and minimise the impact of obsolescence. These benefits support the shared goals of the nuclear industry and regulators to achieve safe, reliable, and cost-efficient operation of commercial nuclear power plants.
Digital I&C technology provides the flexibility that allows designers to create highly reliable applications that can minimise spurious reactor scrams at a significantly lower cost than analogue applications. This technology enables utilities to incorporate operational lessons learned and design improvements, resulting in more robust system implementations with inherently safer designs.
Basic hardware improvements
State-of-the-art digital equipment is constructed from modern components using modern circuit board designs, with higher capacity modules and chassis. The result is fewer types and numbers of modules required to implement a system than the old analogue equipment they replace. The number of hardware components in I&C equipment can be reduced by up to 80% using digital technology, reducing the probability of random failures. This improves reliability for important safety-related equipment.
Self-testing, monitoring, and diagnostic features
Modern digital technology provides extensive self-testing, diagnostic, and monitoring features that provide for early detection of problems. These features help maintenance personnel to troubleshoot problems and effect corrective maintenance, which simplifies maintenance work and shortens repair times. Typically, the diagnostics can inform the maintenance staff of the exact module that needs to be replaced, using a hot swap feature. This increases I&C system availability and reduces the direct maintenance effort dedicated to I&C systems.
Modern digital I&C systems also can provide more performance data about the I&C system and other connected equipment (eg, input sensors and output actuators) to support performance-based monitoring and trending. The data can be used to diagnose degrading equipment and take action before it fails. The diagnostics can inform maintenance staff of less critical failures via alarms, and allow time to plan corrective maintenance.
Digital technology allows for advanced control strategies that could not be achieved using analogue technology (eg, continuous testing of digital outputs). Many modern digital I&C platforms incorporate self-monitoring techniques to ensure that errors and failures are detected early enough to maintain availability. These designs employ ‘graceful degradation’ strategies to ensure safe system response to detected failures commensurate with the fault significance, which reduces plant transients caused by equipment failures (IEC 61508 allows for graceful degradation techniques to maintain critical system function availability, despite failures, by dropping less critical functions). For example, alarm and diagnostic messages can be used to signal lower level faults, and module outputs can be put in a predefined safe state for critical faults. Different fault management strategies can be incorporated to handle intermittent and sustained communication problems.
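The fault-management pattern just described, written out as an added example in C; it is not code from the article or from any vendor's platform. The two severity levels, the three-frame limit that separates an intermittent communication gap from a sustained loss, and the safe-state value are constructed assumptions chosen for illustration. Minor faults and short communication gaps raise a diagnostic alarm and the module keeps driving its last good output; a critical fault or a sustained loss forces the output to its predefined safe state and latches it there.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the article or any vendor platform): a fault manager
 * for one digital output module implementing "graceful degradation".
 * Minor faults: alarm, keep operating. Critical faults: force and latch the
 * predefined safe state. Communication gaps are graded by duration:
 * below COMM_LOSS_FRAMES they are intermittent (alarm, hold last output),
 * at the limit they are sustained (critical). All thresholds are assumptions. */

typedef enum { FAULT_NONE = 0, FAULT_MINOR = 1, FAULT_CRITICAL = 2 } fault_severity_t;
typedef enum { OUT_NORMAL = 0, OUT_SAFE_STATE = 1 } output_mode_t;

#define COMM_LOSS_FRAMES 3   /* assumed: 3 consecutive missed frames = sustained loss */

typedef struct {
    output_mode_t mode;         /* current output mode (latched once in safe state) */
    fault_severity_t worst;     /* worst fault reported so far */
    double output;              /* value currently driven on the output */
    double safe_state_value;    /* predefined safe state for this output */
    int missed_frames;          /* consecutive communication frames not received */
    int intermittent_events;    /* gaps that recovered before the limit (for trending) */
    bool alarm;                 /* diagnostic alarm to maintenance staff */
    char message[96];           /* most recent diagnostic message */
} output_module_t;

void module_init(output_module_t *m, double safe_state_value)
{
    m->mode = OUT_NORMAL;
    m->worst = FAULT_NONE;
    m->output = safe_state_value;   /* start in the safe state until commanded */
    m->safe_state_value = safe_state_value;
    m->missed_frames = 0;
    m->intermittent_events = 0;
    m->alarm = false;
    m->message[0] = '\0';
}

/* A self-test or diagnostic result reported to the fault manager.
 * Returns the resulting output mode. */
output_mode_t module_report_fault(output_module_t *m, fault_severity_t sev, const char *what)
{
    if (sev > m->worst)
        m->worst = sev;
    if (sev == FAULT_CRITICAL) {
        /* Critical fault: force and latch the predefined safe state. */
        m->mode = OUT_SAFE_STATE;
        m->output = m->safe_state_value;
        m->alarm = true;
        snprintf(m->message, sizeof m->message, "CRITICAL: %s; output forced to safe state", what);
    } else if (sev == FAULT_MINOR) {
        /* Lower-level fault: alarm so maintenance can be planned, keep operating. */
        m->alarm = true;
        snprintf(m->message, sizeof m->message, "ALARM: %s; operation continues", what);
    }
    return m->mode;
}

/* One communication cycle. frame_received says whether a valid command frame
 * arrived; commanded is the value it carried (ignored when no frame arrived). */
output_mode_t module_comm_cycle(output_module_t *m, bool frame_received, double commanded)
{
    if (frame_received) {
        if (m->missed_frames > 0) {
            /* Gap ended before the limit: intermittent problem, keep a record. */
            m->intermittent_events++;
            m->alarm = true;
            snprintf(m->message, sizeof m->message,
                     "ALARM: intermittent communication (%d missed frames)", m->missed_frames);
        }
        m->missed_frames = 0;
        if (m->mode == OUT_NORMAL)
            m->output = commanded;      /* safe state stays latched otherwise */
        return m->mode;
    }

    m->missed_frames++;
    if (m->missed_frames >= COMM_LOSS_FRAMES)
        return module_report_fault(m, FAULT_CRITICAL, "sustained communication loss");

    /* Short gap so far: hold the last good output, alarm only. */
    m->alarm = true;
    snprintf(m->message, sizeof m->message,
             "ALARM: missed frame %d of %d", m->missed_frames, COMM_LOSS_FRAMES);
    return m->mode;
}

int main(void)
{
    output_module_t m;
    module_init(&m, 0.0);
    module_comm_cycle(&m, true, 42.0);
    module_comm_cycle(&m, false, 42.0);     /* one missed frame */
    module_comm_cycle(&m, true, 43.0);      /* recovered: intermittent */
    printf("%s (output %.1f)\n", m.message, m.output);
    for (int i = 0; i < COMM_LOSS_FRAMES; i++)
        module_comm_cycle(&m, false, 44.0); /* sustained loss: safe state */
    printf("%s (output %.1f)\n", m.message, m.output);
    return 0;
}
```

The `intermittent_events` counter is what a performance-based maintenance programme would trend: a module whose gaps keep recovering just under the limit is degrading and can be scheduled for replacement before it ever reaches the safe-state response.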
Flexible modular design
The flexibility of the digital technology coupled with the higher capacity of the modular equipment makes it much simpler to implement redundancy in digital I&C architectures than it is using analogue technology. Added redundancy for channels can be incorporated into input module designs, and redundancy can be added to output signals at the output module level and within a chassis using multiple output modules. Further redundancies can be added at the train level for voter subsystems and at the system level with parallel subsystems. These options can be used to increase reliability and availability, facilitate maintenance and testing, and improve protection from undesirable spurious actuations. These changes can be used to eliminate important failure vulnerabilities and improve both I&C system and overall plant reliability.
Simpler design improvements
Digital technology makes it easier to implement applications with the desired redundancies and architectures, since many desirable features can be provided in the programmable digital portion of the design rather than in additional hardware. In field programmable gate array (FPGA) technology redundant circuits can be incorporated into the electronic designs on a single FPGA. FPGA technology has enabled some vendors to develop diversity strategies based on internal architecture features to address digital common cause failure (CCF) with simpler solutions than those used for microprocessor-based technologies.
These technologies also make it easier to incorporate advanced control strategies as part of I&C systems. These can be software-based algorithms that provide the alarms and diagnostic messages, or take defined actions for detected faults that would be very difficult or impossible in purely hardware-based environments.
Digital technology makes it simpler to implement design changes. In most cases, changes to the system functionality will involve only software or (in the FPGA case) electronic design changes rather than hardware changes.
As above, digital technology has self-diagnostic and messaging capabilities that can simplify maintenance and troubleshooting and reduce repair times, which leads to lower I&C maintenance costs.
The reliability of modern digital I&C components and the ability to allocate functionality to software results in lower part costs and reduced spare parts inventory (both stock items and stock levels per item). The improved reliability achieved through added redundancy and the elimination of single point vulnerabilities will improve plant capacity factors and reduce generation costs.
The use of engineering workstations simplifies the tasks of making setpoint changes or verifying setpoint correctness by eliminating the need to manipulate components in the equipment racks. The engineering workstations can employ verification techniques to reduce human errors.
Optimised surveillance testing
The self-testing and self-monitoring features available in modern digital I&C platforms can be used to optimise system surveillance testing. Input channel data can be checked by automated comparisons, and an alarm in an online monitoring system can replace existing analogue channel checks. Self-testing features can replace standard analogue channel functional tests used to verify setpoints and protection systems trip actuation capability (eg, continuously checking integrity of module software or electronic design). Auto-calibration features in input modules can simplify the standard channel calibration surveillance requirement for an entire instrument loop, and automated test carts can be used to shorten the time to perform end-to-end testing during outages.
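The channel redundancy described under ‘Flexible modular design’ and the automated channel check described above, combined in one added example in C; it is not code from the article or from any vendor's platform. Three redundant input channels feed a two-out-of-three (2oo3) trip voter, and the same readings are compared against each other so that a drifting channel raises a deviation alarm instead of being caught by a manual channel check every shift. The policy assumed here is that a channel whose module self-test has failed is placed in the tripped condition, so losing one channel degrades the logic to 1oo2 on the remaining two rather than disabling protection; the setpoint, tolerance and readings are constructed values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the article or any vendor platform): a 2oo3 trip
 * voter over three redundant channels plus an automated channel deviation
 * check. Assumed policy: a failed channel counts as a trip vote (fail-safe),
 * so one failed channel turns 2oo3 into 1oo2 on the remaining channels.
 * Setpoint, tolerance and readings are constructed values. */

#define NCHAN 3

typedef struct {
    double value;    /* channel reading in engineering units */
    bool healthy;    /* module self-test passed for this channel */
} channel_t;

typedef struct {
    bool trip;                      /* voted protective action */
    int trip_votes;                 /* channels voting for trip (failed ones included) */
    int healthy_channels;
    bool deviation_alarm[NCHAN];    /* automated channel check result */
} vote_result_t;

/* Median of three readings, used as the reference for the deviation check. */
static double median3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

static double abs_d(double x) { return x < 0 ? -x : x; }

/* Automated channel check: compare healthy channels against each other and
 * flag any that deviates by more than tol. With three healthy channels the
 * reference is their median; with two, both are flagged if they disagree;
 * with fewer, no comparison is possible. Returns the number flagged. */
int channel_check(const channel_t ch[NCHAN], double tol, bool alarm[NCHAN])
{
    int healthy = 0, flagged = 0;
    double v[NCHAN];
    int idx[NCHAN];
    for (int i = 0; i < NCHAN; i++) {
        alarm[i] = false;
        if (ch[i].healthy) { idx[healthy] = i; v[healthy] = ch[i].value; healthy++; }
    }
    if (healthy == 3) {
        double ref = median3(v[0], v[1], v[2]);
        for (int k = 0; k < 3; k++)
            if (abs_d(v[k] - ref) > tol) { alarm[idx[k]] = true; flagged++; }
    } else if (healthy == 2 && abs_d(v[0] - v[1]) > tol) {
        alarm[idx[0]] = alarm[idx[1]] = true;
        flagged = 2;
    }
    return flagged;
}

/* 2oo3 vote: trip when at least two channels call for it. A healthy channel
 * at or above the setpoint votes trip; a failed channel is treated as tripped. */
vote_result_t vote_2oo3(const channel_t ch[NCHAN], double setpoint, double tol)
{
    vote_result_t r = { false, 0, 0, { false, false, false } };
    for (int i = 0; i < NCHAN; i++) {
        if (!ch[i].healthy) { r.trip_votes++; continue; }   /* failed channel -> tripped */
        r.healthy_channels++;
        if (ch[i].value >= setpoint) r.trip_votes++;
    }
    r.trip = (r.trip_votes >= 2);
    channel_check(ch, tol, r.deviation_alarm);   /* informational: alarm, no effect on vote */
    return r;
}

int main(void)
{
    /* Constructed readings: channel 2 has drifted high but is alone above the setpoint,
     * so the voter does not trip and the channel check flags it for maintenance. */
    channel_t ch[NCHAN] = { {100.0, true}, {101.0, true}, {130.0, true} };
    vote_result_t r = vote_2oo3(ch, 110.0, 5.0);
    printf("trip=%d votes=%d deviation alarms: %d %d %d\n", r.trip, r.trip_votes,
           r.deviation_alarm[0], r.deviation_alarm[1], r.deviation_alarm[2]);
    return 0;
}
```

The single drifted channel in the demonstration shows both benefits at once: the voter prevents the spurious actuation a one-channel design would have produced, and the deviation alarm replaces the per-shift manual comparison with an automated one that points maintenance at the exact channel.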
In the US, one digital retrofit project achieved substantial cost savings. The new design enabled the plant operators to eliminate the individual input channel checks they performed every shift. Instead, these parameters were continuously monitored by the plant process computer, which sent alarms to the operators when deviations were detected. The platform self-testing features were used to eliminate all online surveillance testing of the system, and the high reliability of the replacement system eliminated plant transients caused by I&C component failures. The ‘graceful degradation’ features eliminated the need for any rapid response maintenance support, since failures were detected early and safe system operation was maintained in the interim period.
Support for Big Data initiatives
Digital technology can also support other big data initiatives. The data export capabilities of digital safety systems can feed data to analytic software initiatives for advanced plant performance monitoring or performance-based maintenance and surveillance testing.
Reduced exposure to obsolescence
All electronic components will eventually become obsolete; therefore, managing obsolescence in the I&C system life cycle is critically important. A typical nuclear power plant contains approximately 17,000 I&C components, up to 25% of them at or near the point of obsolescence. Using proven digital I&C equipment can be a solution to the obsolescence of analogue components.
Microprocessor technology limitations
A concern with microprocessor-based technology is its rapid obsolescence and short lifetime. It is not unusual for relay-based and analogue components to be maintained in full operation for 30 years. It is unlikely this will be possible with microprocessor-based equipment (hardware and software); however, some vendors offer product lines for nuclear service that have longevity comparable to analogue equipment. With the extended operating lifetimes of nuclear power units, digital I&C systems may need multiple replacements over time.
FPGA technology benefits
FPGA-based solutions can be designed to ease long-term support and allow for future replacements of ageing and/or obsolete FPGA circuits without needing a major redesign. The FPGA-based design should be developed with long-term support and obsolescence protection in mind. A well-designed FPGA solution should be ‘portable’ to other circuits, even those from a different manufacturer, with standard languages and avoiding circuit-dependent features. Of course, if the new FPGA has a different footprint or pin-out, the circuit board will need some redesign.
The greater portability of FPGA designs and the degree of protection they offer against circuit obsolescence can be achieved by using available industry guidance in project planning, in designing the architecture of the circuit, in choosing the particular blank circuit to be used along with the associated toolsets, and in the coding rules and practices followed in programming the circuit. It is necessary to place requirements or constraints on how the design is developed, implemented, and documented so that goals for long-term support, ease of modification, and design portability can be met. Project plans should specify what portions or levels of the design will be kept circuit-independent so that those portions can be re-used, even if a different blank circuit must be used for future replacements or upgrades. There may be requirements or constraints related to the use of third-party intellectual property cores or pre-developed blocks that are not circuit-independent.
When the I&C system design incorporates proper provisions for obsolescence management, only the final FPGA design steps (synthesis plus place and route) depend on the particular FPGA circuit chosen. If the FPGA circuit becomes obsolete it can be replaced by another one using the currently available technology and the circuit-independent (register-transfer level) representation of the design.
Author information: Robert Ammon, Director of safety system integration and technical fellow at Curtiss-Wright Corporation; Mark Burzynski, President of NewClear Day, Inc.