COMPARISON OF LICENSING APPROACHES FOR FPGA-BASED SAFETY I&C PLATFORMS

Vladimir Sklyar, Ievgenii Bakhmach, Vyacheslav Kharchenko
RPC Radiy
ABSTRACT

Harmonization of different regulatory requirements and licensing approaches is still a hot topic. For relatively new technologies such as Field Programmable Gate Arrays (FPGA) in Instrumentation and Control (I&C) systems, the scarcity of regulations makes this problem more difficult and raises the question of harmonization versus separate licensing approaches. The paper presents an approach to comparing licensing requirements for FPGA-based safety I&C platforms. At present there are three main approaches to NPP I&C licensing worldwide: 1) based on U.S. NRC requirements; 2) based on Safety Integrity Level (SIL) requirements (in accordance with the IEC 61508 series of standards); 3) based on IEC nuclear standards. The paper focuses on the U.S. NRC approach to claiming licensing goals for FPGA-based NPP I&C systems. The chapters below describe the main topics in the licensing process for an FPGA-based platform, namely equipment qualification assessment and I&C platform life cycle review. After that, an approach to implementing a life cycle for an FPGA-based NPP application is discussed.

Key Words: Field Programmable Gate Array, Safety I&C Platform, Licensing
1 INTRODUCTION
FPGA is a trend in nuclear I&C, providing the following advantages for NPP I&C systems [1,2]:
- FPGA is a proven-in-use technology with extensive operating experience at NPPs and in other safety-critical applications;
- FPGA allows implementation of safety functions without the use of any software or operating system;
- Parallel execution of all control algorithms together with the communication functions gives a short and deterministic response time;
- The design is transparent and simple, which reduces the effort needed for development and V&V;
- Resilience to obsolescence, since Hardware Description Language (HDL) code is portable between FPGA chips produced by different manufacturers;
- FPGA can emulate an obsolete CPU, so existing software can be retained without modification of its code;
- Specific beneficial cyber security properties that differ from those of Programmable Logic Controller (PLC) based technologies (there is no software or operating system on which conventional malware could run).
At the same time, barriers such as the following are recognized for installation of FPGA-based NPP I&C systems [3,4]:
- Nobody has yet modernized the full scope of an NPP I&C system on the basis of FPGA;
- Nobody wants to be the first in NPP I&C system modernization;
- FPGA improves I&C diversity (FPGA versus PLC), but maintainability decreases because of the different hardware;
- There are too few success stories for FPGA-based applications in comparison with PLC-based applications;
- Regulatory authorities expect a complete explanation of the technology, which may entail additional requirements beyond the usual standards mapping.
The following standards and guidelines should be considered when dealing with FPGA-based NPP I&C systems:
- IEC 62566 «Nuclear Power Plants – Instrumentation and control important to safety – Development of HDL-programmed integrated circuits for systems performing category A functions»;
- IEC 61508:2010 ed. 2.0 (7 parts) «Functional safety of electrical/electronic/programmable electronic safety-related systems»;
- EPRI TR 1019181 «Guidelines on the Use of Field Programmable Gate Arrays in Nuclear Power Plant I&C Systems»;
- EPRI TR 1022983 «Recommended Approaches and Design Criteria for Application of FPGAs in NPP I&C Systems»;
- NUREG/CR-7006 «Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems».
EPRI TR 1019181 contains five examples of NPP FPGA-based applications:
- Example A1, Wolf Creek Plant, USA, Main Steam and Feedwater Isolation System Replacement;
- Example A2, Darlington Plant, Canada, Digital Control Computer Upgrade;
- Example A3, Japan, Advanced Boiling Water Reactor Plant, Power Range Neutron Monitoring System;
- Example A4, Kozloduy Plant Units 5 & 6, Bulgaria, Modernization of Engineered Safety Features Actuation Systems (ESFAS);
- Example A5, EDF 900 MW Series, France, Rod Control System, Slave Logic Units.
Example A4 is devoted to an ESFAS based on the RadICS safety I&C platform, a product of RPC Radiy. The RadICS Platform is an FPGA-based platform designed as a basis for implementing nuclear safety and safety-related digital I&C systems.
The RadICS Platform includes components (cabinets, chassis, hardware modules, etc.) that can be configured and programmed in various ways to perform application-specific functions. The RadICS Platform has built-in self-diagnostic features and is designed to implement safety systems in a custom-made architecture (redundancy and voting can be implemented as needed). The scope of equipment (number of hardware modules, chassis, cabinets and other components) is determined for each particular I&C system on the basis of a functional requirements analysis (e.g., number and complexity of safety functions, architectural restrictions and specifications of external interfaces). Using the features of the RadICS Platform, RPC Radiy has supplied complex I&C systems for more than sixty applications at nuclear power plants (NPPs) in Ukraine and Bulgaria. RPC Radiy therefore has extensive experience as a system developer in implementing the following systems based on its RadICS Platform:
- Reactor Trip System;
- Engineered Safety Features Actuation System;
- Reactor Power Control and Limitation System;
- Rod Control System;
- Nuclear Island Control System;
- Conventional Island Control Systems;
- I&C Systems for Research Reactors.
The purpose of this paper is to discuss an approach to qualifying an FPGA-based I&C platform against the regulatory requirements implemented by the U.S. NRC.
2 ASSESSMENT CRITERIA FOR FPGA-BASED I&C SYSTEMS
The assessment criteria used are defined in NUREG-0800, “Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants”, Revision 5, dated March 2007. NUREG-0800 establishes a method for reviewing compliance with the relevant sections of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, “Domestic Licensing of Production and Utilization Facilities”. Chapter 7 of NUREG-0800, “Instrumentation and Controls”, addresses the requirements for I&C systems in NPPs of light-water reactor designs. Chapter 7 is supported by review procedures (guidance) for digital systems given in appendices to NUREG-0800, such as Appendix 7.1-C, “Guidance for Evaluation of Conformance to IEEE Std 603”, and Appendix 7.1-D, “Guidance for Evaluation of the Application of IEEE Std 7-4.3.2”. This guidance provides acceptance criteria for the corresponding IEEE standards: IEEE Std 603, “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations”, and IEEE Std 7-4.3.2, “IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations”; these standards apply when the equipment is intended for use in safety systems and other safety-related applications. Chapter 7 of NUREG-0800 identifies regulatory guides (RGs), branch technical positions (BTPs) and industry standards that contain information, recommendations and guidance and provide an acceptable basis for implementing the requirements for both hardware and software features of safety-related digital I&C systems.
The RadICS Platform can be treated as a commercial off-the-shelf (COTS) component for digital I&C systems, so specific dedication and qualification processes apply to it. Thus, the following documents shall be taken into account during the assessment:
- EPRI TR-106439, “Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications”;
- EPRI TR-107330, “Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants”;
- EPRI TR-102323, “Guidelines for Electromagnetic Interference Testing in Power Plants”.
The sections below describe the main topics in the licensing process for an FPGA-based platform, namely equipment qualification assessment and I&C platform life cycle review. After that, an approach to implementing a life cycle for an FPGA-based NPP application is discussed.
3 EQUIPMENT QUALIFICATION ASSESSMENT
Qualification testing of the FPGA-based platform has to be performed in accordance with the requirements of IEEE Std 323-2003, “Standard for Qualifying Class 1E Equipment for Nuclear Power Stations”. This standard is endorsed by the U.S. NRC in RG 1.209, “Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants”. Electric Power Research Institute (EPRI) Technical Report TR-107330, “Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants”, describes an approach for generically qualifying commercial Programmable Logic Controllers (PLCs) for safety-related applications. This approach was found acceptable by the U.S. NRC, as documented in the U.S. NRC Safety Evaluation Report (SER) letter dated July 30, 1998 to Mr. J. Naser (EPRI). U.S. NRC RG 1.180 Rev. 1, “Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems”, describes methods acceptable to the U.S. NRC for complying with regulations on testing practices that address the effects of electromagnetic and radio-frequency interference (EMI/RFI) and power surges on safety-related I&C systems.
For testing of a specific FPGA-based platform, a Qualification Test and Analysis Plan has to be produced. Test procedures are usually based on the standard equipment qualification requirements described in EPRI TR-107330 (paragraphs 4.3.1 “General Requirements”, 4.3.2 “Input Requirements”, 4.3.3 “Output Requirements”, 4.3.4 “Processor / Other System Component Requirements”, 4.3.5 “Programming Terminal Requirements”), using the Design Documentation Analysis and Equipment Checks methods for all independent typical functional parts (modules and sets of modules in the chassis) of the overall scope of equipment sets. The test prototype of an FPGA-based platform has to include one chassis in operating mode with a representative set of I/O, logic, diagnostic and other modules. The following basic set of tests has to be performed to qualify an FPGA-based platform.
Pre-Qualification Acceptance Testing includes:
- Pre-Qualification System Setup and Checkout testing;
- Application Logic Validation testing;
- Pre-Qualification Operability testing;
- Pre-Qualification Prudency testing.
Qualification Testing includes:
1) Radiation Exposure Withstand testing (according to the EPRI TR-107330 requirements), including:
- Radiation Exposure Operability testing;
- Post Radiation Exposure Operability testing;
- Post Radiation Exposure Prudency testing.
2) Environmental testing (according to the EPRI TR-107330 requirements), including:
- High Temperature and High Humidity Operability testing;
- High Temperature and High Humidity Prudency testing;
- Low Temperature and Low Humidity Operability testing;
- Ambient Temperature and Ambient Humidity Operability testing.
3) Seismic testing (according to the IEEE 344 requirements), including:
- OBE (Operating Basis Earthquake) seismic operability testing and aging testing (five OBE seismic tests);
- SSE (Safe Shutdown Earthquake) seismic testing;
- Post Seismic Operability testing;
- Post Seismic Prudency testing.
4) Electromagnetic Compatibility testing, including:
- EMI/RFI Emissions testing (according to IEC 61000-6-4 or MIL-STD-461E methods, using the requirements described in U.S. NRC RG 1.180 Rev. 1 and EPRI TR-102323);
- EMI/RFI Susceptibility testing using the EPRI TR-102323 requirements and according to IEC 61000-4-3 (test hardness class 3), IEC 61000-4-6 (test hardness classes 2 and 3), IEC 61000-4-8 (class 4), IEC 61000-4-9 (class 4), IEC 61000-4-10 (class 4), IEC 61000-4-12 (class 3), IEC 61000-4-13 (class 2), IEC 61000-4-16 (class 3);
- Electrical Fast Transient testing according to IEC 61000-4-4 (test hardness class 4);
- Surge Withstand testing according to IEC 61000-4-5 (test hardness class 4);
- Electrostatic Discharge testing according to IEC 61000-4-2 (test hardness class 4);
- Electrical Insulation testing according to IEC 61010-1;
- Class 1E to Non-1E Isolation testing according to IEEE 384-2008, IEC 60709 and EPRI TR-107330 requirements.
Test reports have to include the following items:
- Test purpose;
- Equipment to be tested;
- Test specimen safety functions;
- Scope of test, testing methods and levels;
- Measurement and test equipment used during the test (list, technical characteristics and latest calibration proof);
- Test control (including QA system description);
- Test and analysis results (including description of the test procedure and methods used, test and analysis results, and assessment of the testing equipment's qualification performance);
- Remarks, comments and recommendations (if needed);
- Conclusions on compliance (or discrepancy) of the test specimen with the verified requirements;
- Evidence of test performance by the responsible personnel, with their signatures;
- References and annexes (if needed).
4 DEVELOPMENT AND V&V PROCESSES OF FPGA ELECTRONIC DESIGN FOR FPGA-BASED NPP I&C SYSTEMS
The main processes of the FPGA-based I&C system life cycle are the development and V&V processes. This section discusses the main steps and features of FPGA electronic design development and V&V [8,9]. The development process consists of design and implementation phases; FPGA electronic design integration is the completion phase of the development process. The V&V process supports each step of the development process (the outputs of the step) with appropriate checks and analyses. The development and V&V processes of FPGA electronic design for FPGA-based NPP I&C systems are shown in Fig. 1. Before FPGA electronic design development starts, the following artifacts shall be prepared and reviewed:
- Technical Requirement Specification (Technical Spec.) – should describe all customer, commercial and technical goals for the system development;
- Safety Requirements Specification (SRS) – should identify all safety-related requirements of the system, including requirements from the appropriate nuclear standards and basic safety standards such as IEC 61508, and from the specific safety requirements of the intended application(s);
- System Architecture Description (SAD) – should give an overview of the system and allocate the requirements to the different subsystems (e.g., hardware, software and FPGA).
All these artifacts shall be reviewed and approved before descending to the subsystem (component) level. Later they shall be verified again after subsystem integration.
4.1 Design development
The initial and most critical phase of the development process is design development, which includes preliminary (architectural) design and detailed design. Preliminary design should define all functional blocks, their interfaces and the other information necessary for the next phase. At this step such important criteria as reliability, design traceability and design verifiability should be taken into account. A textual and/or graphical description (diagrams) of the design partitioning and other design requirements is the result of preliminary development. Upon completion of this design activity a design review should be performed. The result of the review may require a different design partitioning or correction of the initial requirements.
Detailed design refines the preliminary design into a behavioral description of the FPGA electronic design and should implement its functionality. The design entry methods typically used for detailed design are HDL coding (VHDL, Verilog) and schematic representation. Detailed design is finalized by elaboration of the FPGA electronic design components (assembling all the files that compose the design and performing some checks) and RTL model synthesis. In an RTL model, a circuit's behavior is defined in terms of the flow of signals (or transfer of data) between hardware registers and the logical operations performed on those signals.
One safety-related feature connected with detailed design development is the application of coding rules. Such rules may support different safety aspects of the design, for example: avoidance of asynchronous logic; support of error detection and correction mechanisms; clocks; loops; description of finite state machines; naming conventions; coding style, etc.
Figure 1. FPGA electronic design development and V&V processes. (Diagram not reproduced; the flow it shows, with the development artifact produced at each step and the V&V activity that checks it, is as follows.)
- Inputs: Technical Spec., SRS, SAD;
- Preliminary FPGA electronic design development, producing design diagrams; V&V: Design Review;
- Detailed FPGA electronic design development (elaboration & RTL synthesis), using coding rules, schematic entry and VHDL, producing the RTL model and design constraints; V&V: Functional Simulation, Static Analysis;
- FPGA electronic design logic synthesis, producing the net list and design constraints; V&V: Gate-level Simulation;
- FPGA electronic design placement and routing, producing the floor plan; V&V: Timing Simulation, STA;
- Bitstream generation, producing the configuration file;
- FPGA electronic design integration; V&V: Integration Testing.
Logic synthesis, placement and routing, and bitstream generation together form the FPGA ED Implementation stage; the diagram distinguishes the development process, the V&V process and the development artifacts.
Coding rules shall require that HDL code conform to the language specification, i.e. to the appropriate standard (for example, IEEE 1076 for VHDL). Vendor-specific coding guidance should also be considered. Coding rules shall be documented for each specific project in the form of a quality procedure, and they shall be kept under configuration management control.
To verify the detailed design outputs the following techniques may be used:
- functional simulation;
- static analysis.
Functional simulation, also referred to as behavioral simulation, is used to verify the behavior of the HDL code and is performed with the corresponding tools. Simulation coverage criteria, including positive (requirements coverage) and negative (error coverage) testing stimuli, should be identified and followed, taking into account the appropriate regulatory documents. Static analysis aims at detecting coding rule violations. It can be implemented using dedicated lint tools, for example ALINT from Aldec. Such tools perform an automated source code check to detect deviations from coding rules. It is possible to develop a library of project-specific coding rules for a lint tool and apply it when necessary.
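As an added example (not code from the paper, from RPC Radiy or from any lint vendor), the following Python script implements a small project-specific coding-rule library of the kind described for detailed design in 4.1 and for static analysis above: it checks a constructed VHDL unit for a case statement without a 'when others' branch (safe-state rule for finite state machines), use of the 'event attribute instead of rising_edge() (clock rule) and a signal name outside the naming convention. The rule identifiers, the rules themselves and the VHDL sample are assumptions chosen for illustration, not RadICS rules or ALINT output.

```python
"""Project-specific HDL coding-rule checker (added example, constructed rules)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Violation:
    rule: str   # rule identifier (constructed for this example)
    line: int   # 1-based line in the source
    text: str   # human-readable finding


# Line-oriented patterns; VHDL keywords are case-insensitive.
CASE_OPEN = re.compile(r"^\s*case\b", re.IGNORECASE)
CASE_CLOSE = re.compile(r"^\s*end\s+case\b", re.IGNORECASE)
WHEN_OTHERS = re.compile(r"^\s*when\s+others\b", re.IGNORECASE)
SIGNAL_DECL = re.compile(r"^\s*signal\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
EVENT_ATTR = re.compile(r"'event\b", re.IGNORECASE)
NAME_OK = re.compile(r"^[a-z][a-z0-9_]*$")   # lowercase snake_case convention (assumed)


def lint_vhdl(source: str) -> List[Violation]:
    """Return coding-rule violations found in a VHDL source text.

    FSM-001: every case statement must carry a 'when others' branch so that an
             illegal (e.g. SEU-corrupted) state encoding lands in a defined
             recovery branch instead of leaving the machine stuck.
    CLK-001: clock edges must be written with rising_edge()/falling_edge(),
             not the 'event attribute, which also fires on X->1 transitions
             in simulation and so hides metastable values.
    NAME-001: signal names must follow the project naming convention.
    """
    violations: List[Violation] = []
    open_cases: List[list] = []   # stack of [start_line, has_when_others]
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("--", 1)[0]          # drop the VHDL line comment
        if not line.strip():
            continue
        if CASE_OPEN.match(line):
            open_cases.append([lineno, False])
        elif WHEN_OTHERS.match(line) and open_cases:
            open_cases[-1][1] = True
        elif CASE_CLOSE.match(line) and open_cases:
            start, has_others = open_cases.pop()
            if not has_others:
                violations.append(Violation("FSM-001", start,
                                            "case statement without a 'when others' branch"))
        decl = SIGNAL_DECL.match(line)
        if decl and not NAME_OK.match(decl.group(1)):
            violations.append(Violation("NAME-001", lineno,
                                        f"signal '{decl.group(1)}' violates the naming convention"))
        if EVENT_ATTR.search(line):
            violations.append(Violation("CLK-001", lineno,
                                        "use rising_edge()/falling_edge() instead of 'event"))
    return violations


# Constructed VHDL unit seeded with one violation of each rule (not RadICS code).
SAMPLE_VHDL = """\
library ieee;
use ieee.std_logic_1164.all;
entity ctrl is
  port (clk, rst, req : in std_logic; ack : out std_logic);
end entity;
architecture rtl of ctrl is
  type state_t is (idle, busy);
  signal state   : state_t;
  signal Bad_Sig : std_logic;                -- NAME-001 (line 9)
begin
  process (clk, rst)
  begin
    if rst = '1' then
      state <= idle;
    elsif clk'event and clk = '1' then       -- CLK-001 (line 15)
      case state is                          -- FSM-001 (line 16): no safe-state branch
        when idle => if req = '1' then state <= busy; end if;
        when busy => state <= idle;
      end case;
    end if;
  end process;
  ack <= '1' when state = busy else '0';
end architecture;
"""

if __name__ == "__main__":
    for v in lint_vhdl(SAMPLE_VHDL):
        print(f"{v.rule} line {v.line}: {v.text}")
```

The checker is deliberately line-oriented so that each rule stays auditable; a production rule library would sit on a real VHDL parser, but the point for V&V is the same: every rule, its rationale and its expected finding are recorded in one place and kept under configuration management alongside the coding-rule procedure.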
4.2 Implementation and integration
Implementation is the next important phase and comprises logic synthesis, placement and routing, and bitstream generation. Appropriate V&V procedures are connected with each activity of the implementation phase.
The first step of FPGA electronic design implementation is logic synthesis. During logic synthesis the synthesizer transforms the RTL model of the FPGA electronic design into a gate/cell-level scheme (net list). Most synthesizers generate an FPGA-independent schematic representation of the RTL model as well as an FPGA-specific one; in the FPGA-specific representation the gates/cells may differ. The result of logic synthesis is a textual (e.g. EDIF) or graphical file. The synthesizer may apply different kinds of optimizations, which can be defined in terms of design constraints. Design constraints can affect the following attributes of the FPGA electronic design:
- logic synthesis;
- timing characteristics;
- pin assignment and adjustment;
- topology of the FPGA electronic design in the FPGA chip.
Design constraints are typically defined in constraint files using the constraint editor. One or more constraint files can be mapped to an FPGA electronic design by adding them to the project configuration. The syntax used for design constraint files is usually vendor-specific. Special attention should be paid by the design and V&V teams to providing hard evidence of the correctness and consistency of the design constraints. It is appropriate for each specific project (or group of projects for an I&C platform) to define explicitly, in a quality procedure, how design constraints are handled. Vendor guides and recommendations (Altium, 2008; Actel, 2010) can be used to support the development of such procedures, but a complete understanding by the design team of the effect of each constraint is required.
The verification process at this level consists of gate-level simulation, which is technology-dependent, in contrast to functional simulation. The input stimuli and expected outputs should nevertheless be the same, and any differences must be justified. During gate-level simulation the timing characteristics of the FPGA electronic design are based on assumed gate and routing delays, since the design has not yet been placed or routed.
After logic synthesis, placement and routing of the FPGA electronic design is carried out. It is a tool-driven process that determines where the registers and gates defined in the net list will be placed within the FPGA chip and determines the connection paths between design elements. The resulting design connectivity is defined by the floor plan. The place and route tool also generates a timing file that is more accurate than the one produced by synthesis, since it includes the timing associated with routing. Design constraints should be considered for placement and routing as well as for logic synthesis. The generated floor plan can be verified by timing simulation. The input stimuli are the same as for the two previous types of simulation, but this one is important because of its exact timing. In addition, information such as fan-out and the delay of each connection path can be derived using static timing analysis (STA). The purpose of this verification procedure is therefore to establish that all timing requirements are met.
The last step of the implementation phase is bitstream generation. Its output is the configuration file, which contains all data needed to configure the FPGA chip and can be loaded into it. Verification of the configuration file is conducted after integration of the FPGA electronic design into the FPGA chip.
During the FPGA electronic design integration phase the configuration files derived at the previous step are downloaded to the FPGA chip. Special hardware such as a configuration interface (e.g. JTAG) is required to download the configuration file into the FPGA chip. Some FPGA chips and the corresponding tools provide automatic checking of integration correctness. Integration testing is intended to demonstrate that the FPGA electronic design in the chip performs according to its specification and the system architecture. During integration testing the FPGA chip with the integrated FPGA electronic design is on the board for which it was developed. The inputs of the board are connected to a special test bench which feeds them with input signals in accordance with the testing stimuli. The outputs of the board are connected to a data acquisition system which collects the response of the board to the input stimuli. The output signals (response) are analyzed in accordance with pass/fail criteria.
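As an added example (not code from the paper or from RPC Radiy), the following Python script demonstrates three checks that the implementation and integration steps above call for: comparing the functional, gate-level and timing simulation responses to the same stimuli against the expected outputs, so that every stage-to-stage difference is surfaced for justification; computing setup slack per register-to-register path in the way static timing analysis does, so that a path that fails timing only once routing delay is known is caught; and confirming that the configuration read back from the chip equals the released configuration file by digest, which establishes that what is running is what was reviewed, not merely that a download completed. All signal names, delays, clock parameters and the stand-in configuration bytes are constructed assumptions.

```python
"""Consistency checks across the implementation-phase V&V chain (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

Vector = Dict[str, str]   # one simulation cycle: signal name -> logic value ('0', '1', 'X', ...)


@dataclass(frozen=True)
class Mismatch:
    stage: str
    cycle: int
    signal: str
    expected: str
    observed: str


def compare_stages(expected: List[Vector], observed: Dict[str, List[Vector]]) -> List[Mismatch]:
    """List every (stage, cycle, signal) where a simulation stage deviates from the expected response.

    Each deviation must either be fixed or be justified in the V&V record."""
    mismatches: List[Mismatch] = []
    for stage, vectors in observed.items():
        if len(vectors) != len(expected):
            raise ValueError(f"{stage}: {len(vectors)} cycles recorded, {len(expected)} expected")
        for cycle, (exp, obs) in enumerate(zip(expected, vectors)):
            for signal, exp_val in exp.items():
                obs_val = obs.get(signal, "X")   # a signal missing from the dump counts as unknown
                if obs_val != exp_val:
                    mismatches.append(Mismatch(stage, cycle, signal, exp_val, obs_val))
    return mismatches


@dataclass(frozen=True)
class TimingPath:
    name: str
    clk_to_q_ns: float    # launch register clock-to-output delay
    logic_ns: float       # combinational logic delay
    routing_ns: float     # interconnect delay (known only after place and route)


def setup_slack_ns(path: TimingPath, period_ns: float, setup_ns: float) -> float:
    """Setup slack = (clock period - setup time) - data arrival; negative means the path fails timing."""
    arrival = path.clk_to_q_ns + path.logic_ns + path.routing_ns
    return (period_ns - setup_ns) - arrival


def timing_violations(paths: List[TimingPath], period_ns: float, setup_ns: float) -> List[str]:
    """Names of all paths with negative setup slack at the given clock."""
    return [p.name for p in paths if setup_slack_ns(p, period_ns, setup_ns) < 0]


def verify_readback(readback: bytes, released_sha256_hex: str) -> bool:
    """True only if the configuration read back from the chip equals the released file."""
    return hashlib.sha256(readback).hexdigest() == released_sha256_hex


# ---- constructed sample data (assumptions, not measurements from any real design) ----
EXPECTED = [{"ack": "0"}, {"ack": "0"}, {"ack": "1"}, {"ack": "0"}]
OBSERVED = {
    "functional": [{"ack": "0"}, {"ack": "0"}, {"ack": "1"}, {"ack": "0"}],
    "gate_level": [{"ack": "0"}, {"ack": "0"}, {"ack": "1"}, {"ack": "0"}],
    "timing":     [{"ack": "0"}, {"ack": "0"}, {"ack": "0"}, {"ack": "0"}],   # ack arrives a cycle late
}
PATHS = [
    TimingPath("state_reg->ack", clk_to_q_ns=0.6, logic_ns=2.1, routing_ns=1.3),
    TimingPath("req->state_reg", clk_to_q_ns=0.6, logic_ns=6.4, routing_ns=3.2),   # too slow at 100 MHz
]
CLOCK_PERIOD_NS, SETUP_NS = 10.0, 0.5
RELEASED_CONFIG = b"\xaa\x99\x55\x66" + bytes(range(32))   # stand-in for a released configuration file
RELEASED_DIGEST = hashlib.sha256(RELEASED_CONFIG).hexdigest()   # recorded at release, kept under CM

if __name__ == "__main__":
    for m in compare_stages(EXPECTED, OBSERVED):
        print(f"{m.stage}: cycle {m.cycle} {m.signal} expected {m.expected}, observed {m.observed}")
    print("timing violations:", timing_violations(PATHS, CLOCK_PERIOD_NS, SETUP_NS))
    print("readback matches release:", verify_readback(RELEASED_CONFIG, RELEASED_DIGEST))
```

In the constructed data the timing simulation disagrees with the two earlier stages at cycle 2 and STA reports the same register-to-register path as the cause, which is exactly the situation in which a difference between stages must be explained rather than waved through; the readback check is the integration-phase counterpart, tying the chip contents to the digest recorded for the released file.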
5 LIFE CYCLE OF FPGA-BASED I&C APPLICATION
Standard review plan BTP 7-14, Revision 5, “Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems”, presents review guidance and acceptance criteria in terms of planning documents, implementation process documents and design outputs. Review of planning documents addresses the software development planning activities and products, to assure the establishment of an acceptable high-quality process. Review of implementation process documents focuses on specific life cycle process implementation activities and documentation, to determine that the quality plans have been properly executed. Review of design outputs concentrates on the products of the development process that describe the end product (e.g., code, model, system), to provide confidence that the resulting software is of high quality. A typical I&C life cycle includes the following activities (see Figure 2):
- Planning;
- Requirements;
- Design;
- Implementation;
- Integration;
- Validation;
- Installation;
- Operation and maintenance.
Figure 2. I&C lifecycle activities.
Each of these activities is accompanied by the release of appropriate documents. Some of these documents can be combined into a single document, depending on project-specific requirements, and additional documents can be issued. A typical company Quality Management System shall, for example, define the following set of planning documents for each I&C project: Management Plan, Development Plan, Quality Assurance Plan, Integration Plan, Installation Plan, Maintenance Plan, Training Plan, Operation Plan, Safety Plan, Verification and Validation Plan, Configuration Management Plan.
6 CONCLUSIONS
RPC Radiy has also gained significant experience in supporting a national licensing process which is similar to a typical U.S. NRC licensing process. The proposed approach has been applied to the FPGA-based RadICS Platform, a product of RPC Radiy, as well as to an FPGA-based NPP application built on that platform.
The test results showed that the RadICS Platform maintained its operability in accordance with the operability and prudency criteria during and after exposure to:
- Normal and abnormal environmental conditions (incident gamma radiation, temperature, humidity, saline atmosphere);
- Multiple Operating Basis Earthquakes (OBEs) and a Safe Shutdown Earthquake (SSE) seismic event;
- Electromagnetic Interference/Radio-Frequency Interference (EMI/RFI) and voltage surges;
- Electrical fast transients;
- Electrostatic discharges;
- Electrical faults applied to selected external interface points.
The activities of RPC Radiy aimed at software (Hardware Description Language code for FPGA) development comply with the requirements of BTP 7-14, “Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems”. Operational experience of I&C systems based on the RadICS Platform demonstrates that it is a proven-in-use technical solution with a large number of reference cases (more than 60 I&C systems in operation since 2004, with a total operating time of more than 30 million hours). Reliability indices from the field experience of RadICS Platform based applications comply with the Safety Integrity Level 3 (SIL 3) requirements for safety systems. Third-party assessments of the RPC Radiy Quality Management System and products have been performed in the past two years by the IAEA (Independent Engineering Review of I&C Systems in Nuclear Power Plants, IERICS, in 2010-2011), Atomic Energy of Canada Limited (Quality Management System audit in 2010) and exida LLC (FMEA for the RadICS Platform and a gap analysis of RadICS Platform development processes). These assessment results confirmed that the RadICS Platform is in compliance with the safety requirements.
7 REFERENCES
1. NUREG/CR-7006, “Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems,” U.S. Nuclear Regulatory Commission (2010).
2. V. Kharchenko, V. Sklyar (Eds.), FPGA-based NPP Instrumentation and Control Systems: Development and Safety Assessment, Research and Production Corporation “Radiy”, National Aerospace University named after N.E. Zhukovsky “KhAI”, State Scientific Technical Center on Nuclear and Radiation Safety (2008).
3. EPRI TR 1019181, “Guidelines on the Use of Field Programmable Gate Arrays (FPGAs) in Nuclear Power Plant I&C Systems,” Electric Power Research Institute (2009).
4. EPRI TR 1022983, “Recommended Approaches and Design Criteria for Application of Field Programmable Gate Arrays in Nuclear Power Plant I&C Systems,” Electric Power Research Institute (2011).