Safety and security of digital I&C software
22 March 2013
Controlling and managing software as a part of digital I&C equipment is a major issue in planning to use it in nuclear power facilities. The implications, risks, and advantages of digital signal processing channels, especially regarding the two key aspects of operational safety and security are addressed. By Ewald Liebhart
In nuclear facilities a large variety of radiation detectors are used, and they generate very particular signals. The measurement range that needs to be covered often starts at extremely low currents or pulse rates and extends over many orders of magnitude. Digital, software-driven technology has become the technology of choice for processing signals of this kind, although it introduces new challenges compared with its analogue equivalent.
Advantages of a digital system include its operational flexibility and comfort, such as easier configuration and parameterization, but also the large variety of features and functions that permit a higher degree of reliability and performance (which is generally superior to its analogue predecessors). These include functions that are very complex and sometimes impossible to integrate in an analogue system.
One of the major issues analogue systems have to overcome is the obsolescence of analogue components. The problem of spares for installed systems is growing and even for new designs the variety of available components, for example semiconductors and integrated circuits, is declining.
Apart from solving the issues with analogue systems, software-based equipment also offers a series of advantages. First, there is almost no limitation on signal processing algorithms, allowing for higher precision and flexibility: for example, the calculation of logarithmic scales; the calculation and precision of alarm thresholds (no more gradually shifting thresholds); the calibration of the signal by simple multiplication (neutron flux density, percent of full reactor power); and flexible parameters. Second, complex functions are more easily implemented, for example the merging of the pulse signal and the Campbell signal into a combined, overlapping, smooth wide-range signal.
Digital signal processing with systems such as the Mirion Technologies proTK™ (TK 250), which has been designed for safety-related applications in nuclear measurement, for example radiation monitoring and neutron flux instrumentation, brings additional advantages. First, it allows a high degree of self-monitoring for hardware and software, thereby reducing the risk of undetected failures. Second, extensive self-testing features not only shorten the time required to perform the tests, for example by remotely activating test generators for input signals or by numerically simulating output signals, but also extend the interval between two tests because of proven enhanced reliability. Third, algorithms are fixed in an EPROM (erasable programmable read-only memory) and can be continuously monitored for changes. Fourth, precision and response times are determined mainly by the software, which is fixed in the EPROM. Fifth, parameters are easily checked for correctness, for example after a deliberate adjustment.
Number of channels in operation: >280
Number of reactors: >20
Total number of years in operation: >3000 years
Average mean time between failures (MTBF) of single electronic boards: 4,000,000 hours
Total number of software failures: 0
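The third advantage listed above, continuous monitoring of the code held in EPROM for changes, is shown here as an added example written for this article; it is not code from Mirion or from the proTK channel, whose actual monitoring method the article does not describe. The example assumes a resumable CRC-32 over the code region, with a reference value recorded at commissioning and the check spread over scan cycles in fixed-size chunks so that it never exceeds a cycle's time budget. The code region contents, the chunk size and the monitor structure are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the EPROM code region. The contents are constructed sample data,
   not any real firmware image. */
#define IMAGE_SIZE 256
static uint8_t code_image[IMAGE_SIZE];

#define CRC32_INIT 0xFFFFFFFFu

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), resumable across chunks. */
uint32_t crc32_update(uint32_t state, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        state ^= data[i];
        for (int k = 0; k < 8; k++)
            state = (state >> 1) ^ (0xEDB88320u & (0u - (state & 1u)));
    }
    return state;
}

uint32_t crc32_finish(uint32_t state) { return ~state; }

uint32_t crc32_of(const uint8_t *data, size_t len) {
    return crc32_finish(crc32_update(CRC32_INIT, data, len));
}

typedef struct {
    const uint8_t *region;   /* memory region under supervision */
    size_t size;
    uint32_t reference;      /* CRC recorded at commissioning */
    size_t cursor;           /* next byte to fold into the current pass */
    uint32_t state;          /* running CRC of the current pass */
    unsigned passes_ok;
    unsigned mismatches;
} integrity_monitor_t;

void monitor_init(integrity_monitor_t *m, const uint8_t *region, size_t size) {
    m->region = region;
    m->size = size;
    m->reference = crc32_of(region, size);
    m->cursor = 0;
    m->state = CRC32_INIT;
    m->passes_ok = 0;
    m->mismatches = 0;
}

/* One scan cycle's worth of work: fold in at most `chunk` bytes so the check never
   exceeds the cycle's time budget. Returns 0 while a pass is in progress, 1 when a
   pass completed with a matching CRC, -1 when the region no longer matches. */
int monitor_step(integrity_monitor_t *m, size_t chunk) {
    if (chunk == 0) chunk = 1;          /* always make progress */
    size_t remaining = m->size - m->cursor;
    size_t n = chunk < remaining ? chunk : remaining;
    m->state = crc32_update(m->state, m->region + m->cursor, n);
    m->cursor += n;
    if (m->cursor < m->size)
        return 0;
    int result = (crc32_finish(m->state) == m->reference) ? 1 : -1;
    if (result == 1) m->passes_ok++; else m->mismatches++;
    m->cursor = 0;                      /* start the next pass from the beginning */
    m->state = CRC32_INIT;
    return result;
}

/* Drive the monitor until the current pass finishes; returns that pass's verdict. */
int monitor_full_pass(integrity_monitor_t *m, size_t chunk) {
    int r;
    do { r = monitor_step(m, chunk); } while (r == 0);
    return r;
}

/* Constructed sample contents for the code region. */
void fill_sample_image(void) {
    for (size_t i = 0; i < IMAGE_SIZE; i++)
        code_image[i] = (uint8_t)(i * 7 + 3);
}

int main(void) {
    fill_sample_image();
    integrity_monitor_t m;
    monitor_init(&m, code_image, IMAGE_SIZE);
    printf("pass over intact image: %d\n", monitor_full_pass(&m, 32));
    code_image[100] ^= 0x01;  /* simulate a single-bit change in the code region */
    printf("pass after one bit flipped: %d\n", monitor_full_pass(&m, 32));
    return 0;
}
```

A CRC of this kind detects accidental corruption (a failing memory cell, a bit flip) and reports it; it does not prevent the change, and it is not a cryptographic authentication of the image, since anyone able to alter the region could also recompute the value. The reference therefore belongs in memory that is separately protected, and a mismatch should drive the channel into its defined failure state rather than only being logged.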
Despite the long list of advantages, a digital system also has new challenges to overcome, the most prominent being common cause failure (CCF), the risk that a single effect could disable multiple systems considered independent. This issue has been addressed in many standards regulating nuclear applications such as IEEE Std 7-4.3.2, IEC 60880 or IEC 61513.
Development of the Mirion proTK™ digital channels included specific measures to reduce the risk of a CCF: following a thorough verification and validation plan according to the applicable standards, continuously monitoring the quality assurance programme and implementing a real safety culture, and performing type tests supervised and certified by independent experts (for example TÜV in Germany).
As with analogue systems, component obsolescence is a main concern for the hardware. The components of a digital channel are computer products and therefore part of a fast-changing industry. The risk of obsolescence can be minimised by very careful component choice: a designer is obliged to use a well-established industry-standard product rather than the best-performing one in terms of features. This restriction is consistent with a self-imposed limitation to design in only essential functions, in order to minimise the risk of undetected software errors.
One important advantage of a digital system is the possibility of exchanging digital data with an external terminal, for parameterization or for setting the equipment into test mode. This always raises the question of how the system can be protected against unintentional or intentional interference from outside. Established measures now exist to protect the systems. For example, in the Mirion proTK™ the risk is minimised through a firewall that restricts the operator's access in a predefined manner. Examples of levels of access restriction include no access through an external computer (that is, manual access through the keypad on the channel only), read-only access (to parameters and measurement results), and access to dedicated op-codes only (for example, re-calibration or activation of test mode).
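The access-level scheme just described, as an added example written for this article rather than code from Mirion or the proTK channel: a deny-by-default gateway in C that takes the configured level, the source of a request and its op-code, and returns whether the request may execute, counting rejected external requests as a detection signal. The three levels mirror the article's list; the op-code names and numbers, the allowlist contents, the treatment of keypad requests and the counter are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical access levels for the external terminal interface, modelled on the
   three restriction levels the article lists. */
typedef enum {
    ACCESS_NONE = 0,        /* no external access; keypad on the channel only */
    ACCESS_READ_ONLY,       /* parameters and measurement results may be read */
    ACCESS_DEDICATED_OPS    /* reads plus an explicit allowlist of op-codes */
} access_level_t;

typedef enum { SRC_LOCAL_KEYPAD = 0, SRC_EXTERNAL_TERMINAL } source_t;

/* Hypothetical op-codes; names and numeric values are constructed for this example. */
typedef enum {
    OP_READ_PARAM       = 0x10,
    OP_READ_MEASUREMENT = 0x11,
    OP_WRITE_PARAM      = 0x20,
    OP_RECALIBRATE      = 0x21,
    OP_SET_TEST_MODE    = 0x22,
    OP_LOAD_FIRMWARE    = 0x30
} opcode_t;

/* Op-codes an external terminal may issue at ACCESS_DEDICATED_OPS. Everything not
   listed here (including firmware loading) is refused from outside. */
static const opcode_t dedicated_allowlist[] = { OP_RECALIBRATE, OP_SET_TEST_MODE };

static int is_read_opcode(opcode_t op) {
    return op == OP_READ_PARAM || op == OP_READ_MEASUREMENT;
}

static int in_dedicated_allowlist(opcode_t op) {
    size_t n = sizeof dedicated_allowlist / sizeof dedicated_allowlist[0];
    for (size_t i = 0; i < n; i++)
        if (dedicated_allowlist[i] == op) return 1;
    return 0;
}

typedef struct {
    access_level_t level;
    unsigned denied_external;   /* rejected external requests: a signal worth alarming on */
    opcode_t last_denied;
} gateway_t;

void gateway_init(gateway_t *g, access_level_t level) {
    g->level = level;
    g->denied_external = 0;
    g->last_denied = (opcode_t)0;
}

/* Deny-by-default decision: returns 1 if the request may be executed, 0 otherwise.
   Requests from the local keypad are assumed to be governed by physical access to
   the channel and pass through unchanged; only external requests are filtered. */
int gateway_allow(gateway_t *g, source_t src, opcode_t op) {
    if (src == SRC_LOCAL_KEYPAD)
        return 1;
    int allowed = 0;
    switch (g->level) {
    case ACCESS_NONE:          allowed = 0; break;
    case ACCESS_READ_ONLY:     allowed = is_read_opcode(op); break;
    case ACCESS_DEDICATED_OPS: allowed = is_read_opcode(op) || in_dedicated_allowlist(op); break;
    default:                   allowed = 0; break;   /* unknown level: fail closed */
    }
    if (!allowed) {
        g->denied_external++;
        g->last_denied = op;
    }
    return allowed;
}

int main(void) {
    gateway_t g;
    gateway_init(&g, ACCESS_READ_ONLY);
    printf("external read of measurement: %d\n",
           gateway_allow(&g, SRC_EXTERNAL_TERMINAL, OP_READ_MEASUREMENT));
    printf("external parameter write:     %d\n",
           gateway_allow(&g, SRC_EXTERNAL_TERMINAL, OP_WRITE_PARAM));
    printf("denied external requests:     %u\n", g.denied_external);
    return 0;
}
```

The point of the structure is that any op-code the policy does not explicitly recognise falls through to a refusal, and that the configured level can only widen access by adding entries to a short, reviewable list. Repeated refusals from the external interface are the event a plant's monitoring would want surfaced, since on a channel configured for no external access every such attempt is by definition unexpected.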
Dr. Ewald Liebhart, R&D Director, Mirion Technologies (MGPI H&B) GmbH, Landsberger Str. 328a, 80687 Munich, Germany.
This article is based on a presentation given at the American Nuclear Society's 8th International Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies (NPIC & HMIT 2012).