The Systems and Control Laboratory (SCL) of SZTAKI has a long-term successful research and development collaboration with the Paks nuclear power plant to provide new methods and tools for the development of safety software in the plant. Some notable recent results of this work (listed according to their role in the development life cycle) are the following:
- Specification: the verification of detailed functional specifications of safety functions with formal methods.
- Development and implementation:
  - Microcontroller level: the hardware and software for the microcontroller-based smart test plugs of the Universal Test System (UTS)
  - Programmable Logic Controller level: the distributed control hardware and software of the new Primary Pressure Controller
  - Application level: the UTS test management software.
Figure: the Universal Test System.
Formal Verification of Functional Block-based Specifications
Each reactor unit of the nuclear power plant is supervised by a Reactor Protection System (RPS), which continuously monitors the nuclear process in order to intervene and safely shut down the unit in an emergency situation. The plant experts specify the safety functions of the RPS using the Functional Block Diagram (FBD) description method. The software for the RPS is then created automatically by a certified code generation process.
The primary means for finding errors in the specification are simulation and testing. However, this approach cannot guarantee the correctness and completeness of the specification. Formal analysis of the safety functions is therefore required to prove that the system cannot enter into unsafe states; remains operational (no deadlock or livelock); does not trigger the safety actions unnecessarily (no spurious activation); and always triggers them when required (no activation masking).
The Systems and Control Laboratory supplemented the development process with a verification procedure based on the formal modelling of the RPS safety functions. The basic function blocks are described by Coloured Petri Net (CPN) subnets. The formal model of a given safety function is obtained by the proper composition of these subnets into a hierarchical CPN, copying the structure of the FBD-based specification. This formal model is then analysed using the behavioural properties of the CPN and model-checking methods.
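As an added illustration (not SCL's tool and not a Coloured Petri Net model), the script below applies the same idea to a small function-block specification: three threshold comparators, a 2-out-of-3 vote and an on-delay timer. Each block is a transition function, the composed safety function is explored exhaustively over every input vector (an explicit-state search standing in for the CPN analysis), and the properties named above are checked over the reachable state space: the state invariant, deadlock freedom (which holds by construction because every block is a total function), livelock as non-recoverability to the idle state, spurious activation, and activation masking, where a ghost run-length counter turns the temporal "always activates when required" requirement into an invariant. The block names, the three-cycle delay and the deliberately latching timer variant used to show a detected violation are assumptions chosen for this example.

```python
"""Explicit-state check of a small function-block safety function (added example).

Abstraction: each pressure channel enters as a Boolean 'above threshold' input,
so a cycle has 2**3 input vectors.  The state is (timer count, ghost run-length).
The ghost counter is a verification monitor, not part of the plant logic.
"""
from collections import deque
from itertools import product

N_DELAY = 3                                   # assumption: trip after 3 cycles of demand
INPUT_VECTORS = list(product((False, True), repeat=3))
IDLE = (0, 0)                                 # nothing demanded, timer reset


def compare(channel_above: bool) -> bool:
    """Comparator block, with the analog threshold test abstracted to its result."""
    return channel_above


def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    """2-out-of-3 majority vote block."""
    return (a + b + c) >= 2


def timer_on_delay(count: int, demand: bool, reset_on_drop: bool) -> int:
    """On-delay timer block: counts cycles while demand holds, saturates at N_DELAY.
    reset_on_drop=False models a deliberately wrong timer that latches its count."""
    if demand:
        return min(count + 1, N_DELAY)
    return 0 if reset_on_drop else count


def step(state, inputs, reset_on_drop=True):
    """One cycle of the composed safety function: returns (new_state, demand, trip)."""
    count, run = state
    demand = vote_2oo3(*(compare(x) for x in inputs))
    new_count = timer_on_delay(count, demand, reset_on_drop)
    new_run = min(run + 1, N_DELAY) if demand else 0   # ghost monitor of consecutive demand
    trip = new_count >= N_DELAY
    return (new_count, new_run), demand, trip


def trace_to(state, parent):
    """Reconstruct the input sequence that leads from IDLE to `state` (a counterexample)."""
    seq = []
    while parent[state] is not None:
        state, inputs = parent[state]
        seq.append(inputs)
    return list(reversed(seq))


def can_reach_idle(start, reset_on_drop):
    """Livelock check: is the idle state reachable again from `start` under some inputs?"""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        if s == IDLE:
            return True
        for inputs in INPUT_VECTORS:
            ns, _, _ = step(s, inputs, reset_on_drop)
            if ns not in seen:
                seen.add(ns)
                queue.append(ns)
    return False


def check(reset_on_drop=True):
    """Breadth-first exploration of all reachable states; returns {property: [traces]}."""
    parent = {IDLE: None}
    queue = deque([IDLE])
    bad = {"unsafe state": [], "not recoverable": [],
           "spurious activation": [], "activation masking": []}
    while queue:
        s = queue.popleft()
        if not (0 <= s[0] <= N_DELAY):                       # state invariant
            bad["unsafe state"].append(trace_to(s, parent))
        if not can_reach_idle(s, reset_on_drop):             # no livelock / recoverable
            bad["not recoverable"].append(trace_to(s, parent))
        for inputs in INPUT_VECTORS:                         # total: no deadlock possible
            ns, demand, trip = step(s, inputs, reset_on_drop)
            if trip and not demand:                          # tripped without a demand
                bad["spurious activation"].append(trace_to(s, parent) + [inputs])
            if ns[1] >= N_DELAY and not trip:                # demand held long enough, no trip
                bad["activation masking"].append(trace_to(s, parent) + [inputs])
            if ns not in parent:
                parent[ns] = (s, inputs)
                queue.append(ns)
    return bad


if __name__ == "__main__":
    for variant, flag in (("correct timer", True), ("latching timer", False)):
        result = check(flag)
        print(variant, {k: len(v) for k, v in result.items()})
        for prop, traces in result.items():
            if traces:
                print("  first counterexample for", prop + ":", traces[0])
```

The correct timer passes every check; the latching variant reports both spurious activation (the trip persists after the demand disappears) and a set of states from which the idle state can no longer be reached, each with the input sequence that exposes it. This is the kind of evidence simulation alone cannot provide, because it covers every reachable state rather than the test cases someone thought to write.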
Functional Testing of the RPS During Normal Operation
The Universal Test System is a distributed, computerized test system developed by members of the Systems and Control Laboratory to facilitate the testing of the RPS during the start-up stage and also during normal operation.
The UTS is composed of three main components:
- The Central Test Machine is an industrial PC that provides the user interface to the UTS, initiates test execution, controls the testing process by communicating with the Local Test Machines (LTMs), and queries and automatically evaluates the test results from the plant database.
- The LTMs download the tests to the appropriate active test plugs and supervise the tests that use the communication interfaces.
- The active test plugs are intelligent, microcontroller-based cards, which perform their dedicated part of the test procedure autonomously. For safety reasons the cards are backlash-free and are powered only during the test.
The functional and physical distribution of the components means the LTMs and the active test plugs have a simple and robust design. Various software development methods and environments were used due to the heterogeneous hardware platforms.
The new Primary Pressure Controller
A new pressurizer control system for maintaining the pressure safely within the range of 122.75-123.25 bar was designed and successfully implemented by the members of SCL. The control algorithm is based on the simplified dynamic model of the pressurizer.
The redesigned pressure controller is a distributed digital system composed of Programmable Logic Controller (PLC)-based units connected by an Ethernet network. The pressure is measured by a high-precision instrument located in a hermetically sealed area. The pressure measurement loop has a redundant architecture. The data are transferred to a Siemens S300 control unit using the Profibus PA protocol. This controller checks the status of the pressure measurements and transfers them to the other units. The endpoints of the system are three Wago intelligent controllers that operate the electric heaters and the valves: these are the real actuators in the system, located at different points in the power plant. The three controllers are able to work independently in a reduced mode in case of a failure.
The software of each PLC contains the control algorithm and performs the communication in the distributed system. Both the Siemens and the Wago PLCs were programmed using development tools compliant with IEC 61131-3.
The main feature of the new controller is that it uses a continuous range (0-360 kW) of heating power to guarantee a very stable pressure value. The amplitude of the pressure oscillations was reduced from 1 bar with the old controller to 0.1 bar. This made possible a safe increase in the thermal power of the units by 1-2%. The operational results are very good: the more efficient control has yielded a much smoother overall operation.
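The text gives neither the pressurizer model nor the control law, so the following is an added toy simulation, not SCL's controller: a lumped first-order pressure model with an assumed constant heat loss, driven either by an on/off heater with a hysteresis band (a stand-in for the old controller, of which the text reports only the 1 bar amplitude) or by a PI law that modulates the full 0-360 kW heating range continuously, with anti-windup. The setpoint and the 360 kW heater range come from the text; the pressure gain, the heat loss, the hysteresis width and the PI tuning are assumptions. It shows why a continuously modulated heater removes the limit cycle that an on/off heater necessarily produces.

```python
"""Toy comparison of on/off versus continuous heater control (added example).

Model (assumption): dp/dt = GAIN * (Q_heater - Q_LOSS), i.e. a lumped first-order
pressurizer whose pressure rises when heating exceeds the steady heat loss.
"""
SETPOINT = 123.0      # bar, centre of the 122.75-123.25 bar band in the text
Q_MAX = 360.0         # kW, heater range from the text
Q_LOSS = 150.0        # kW, assumed constant heat loss the heaters must balance
GAIN = 0.0002         # bar/(kW*s), assumed lumped pressure response


class HysteresisHeater:
    """Old-style on/off heater: full power below the band, off above it (assumption)."""
    def __init__(self, band=0.5):
        self.band, self.on = band, False

    def __call__(self, p):
        if p < SETPOINT - self.band:
            self.on = True
        elif p > SETPOINT + self.band:
            self.on = False
        return Q_MAX if self.on else 0.0


class PIHeater:
    """Continuously modulated heater with an assumed PI law and conditional-integration
    anti-windup; the gains are tuned for the toy model, not taken from the plant."""
    def __init__(self, kp=2000.0, ki=100.0, dt=1.0):
        self.kp, self.ki, self.dt, self.integral = kp, ki, dt, 0.0

    def __call__(self, p):
        e = SETPOINT - p
        q = self.kp * e + self.integral
        if 0.0 < q < Q_MAX:                  # integrate only while not saturated
            self.integral += self.ki * e * self.dt
        return min(max(q, 0.0), Q_MAX)       # clamp to the physical 0-360 kW range


def simulate(controller, p0=122.0, steps=3000, dt=1.0):
    """Run the closed loop from an initial pressure p0; returns the pressure trace."""
    p, trace = p0, []
    for _ in range(steps):
        q = controller(p)
        p += dt * GAIN * (q - Q_LOSS)        # assumed first-order pressurizer model
        trace.append(p)
    return trace


def peak_to_peak(trace, tail=500):
    """Oscillation amplitude over the last `tail` samples, once transients have died out."""
    window = trace[-tail:]
    return max(window) - min(window)


if __name__ == "__main__":
    for name, ctrl in (("on/off heater", HysteresisHeater()), ("PI heater", PIHeater())):
        trace = simulate(ctrl)
        print(f"{name}: final {trace[-1]:.3f} bar, peak-to-peak {peak_to_peak(trace):.3f} bar")
```

With the on/off heater the pressure can only cross the band edges and reverse, so the limit cycle is at least as wide as the band regardless of tuning; the PI heater settles on the setpoint because it can hold exactly the power that balances the heat loss.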
These developments are part of the complete refurbishment of the instrumentation and control infrastructure at the Paks nuclear power plant. In these days of the 'nuclear renaissance', there are more and more refurbishment and lifetime extension projects in Europe and throughout the world. As old analogue and wired logic is replaced with modern digital programmable equipment, the amount of safety-critical software multiplies, so such developments are vital to maintain, and ideally increase, the safety and efficiency of nuclear power.
Tamás Bartha, István Varga
Tel: +36 1 279 6227
E-mail: bartha@sztaki.hu, ivarga@sztaki.hu