Microprocessor tester for the treat upgrade reactor trip system by Lenkszus, F. R. & Bucher, R. G.
A MICROPROCESSOR TESTER FOR THE TREAT UPGRADE REACTOR TRIP SYSTEM
F. R. Lenkszus and R. G. Bucher C O N F - 8 4 1 0 0 7 39
Argonne National Laboratory
Argonne, Illinoie 60439 DE85 0040 82
Introduction
The upgrading of the Transient Reactor Test
(TREAT) Facility at ANL-Idaho has been designed to
provide additional experlnental capabilities for the
study of core disruptive accident (CDA) phenomena.1 To
iaprove the analytical extrapolation of test results
to full-size asseably bundles, the faci l i ty upgrade
will increase the maximum size of the test bundle from
7 to 37 fuel pins. By creating a core convertor zone
around the test location, the neutron spectrua
incident on the test asseably will be hardened and the
•axlaua energy deposited in the sample wil l be
Increased. In addition, a programaable Autoaated
Reactor Control System (ARCS) v i l l perait high-power
transients up to 11,000 MW having a controlled reactor
period of froa IS to 0.1 sec. These modifications to
the core neutronics will laprove simulation of LMFBR
accident conditions. Finally, a sophist icated,
multiply-redundant safety system , the Reactor Trip
System (RTS), will provide safe operation for both
steady state and transient production operating aodes.
To Insure that this complex safety system i s
functioning properly, a Dedicated Microprocessor
Tester (DMT) has been Implemented to perform a
thorough checkout of the RTS prior to a l l TREAT
operations. A quantitative rel iabil i ty analysis of
the RTS shows that the unreliability, that Is, the
probability of failure, is acceptable for a 10 hour
mission time or risk interval. Consequently, an
autoaated tester is necessary to complete the RTS
checkouts and allow reactor operations within this
restricted Interval; it Is expected that the complete
RTS checkout sequence will require less than two
hours. Additionally, the DMT will Improve the
reliability of the checkout by reducing the potential
for gross human error; that Is, the DMT will monitor
the RTS to verify that the operator responded
correctly to each DMT-requested action, e.g., to press
a button. Therefore the DMT will both increase the
efficiency of the RTS checkout and improve the
reliability of the validation.
RTS Description
The basic function of the Reactor Trip Systea
(RTS) is to protect the reactor facility by preventing
potentially daaaglng uncontrolled react iv i ty
excursions. The RTS aonltors the faci l i ty for the
occurrence of abnormal operating conditions by
continuously comparing Instrumentation signals against
preset l imi t s . Upon tensing an o u t - o f - l i a i t »
condition, the RTS init iates a reactor scram by
removing the control-rod-drive latch voltage. The RTS
is designed to monitor both steady state and transient
production operations; bypasses are employed, as
needed, to circumvent steady state trip circuits In
the transient production mode. A comprehensive block
diagram of the entire RTS is presented In Figure 2;
the quantities in parentheses indicate the number of
signals represented by the single line.
P(v)
E(v)
Figure la. Transient-Dependent Parameters
for Transient Input Trip Logic




Figure lb. Transient-Dependent Dynamic
Period Trip
The RTS transient instrumentation in a triply-
redundant system; each group, identified by A, B, or
C, consists of Linear Power, Integrated Power or
Energy, and Log/Period nuclear channels that deliver
analog inputs to the Transient Input Trip Logic. The
Input trip logic compares these analog Inputs to
specif ied reference values which define the
operational boundary for transient production. The
boundaries for the power and energy signals are
displayed on the power versus energy (PE) plane In
Figure la , along with the trace of a typical
transient; the scans Indicated on the figure are
discutaed In Test Procedures. Two boundaries, and
hence two separate trip circuits, are defined: one,
the transient-dependent which Is adjustable using 10-
turn potentiometer* on the front panel and, two, the
transient-Independent which Is internally hard-wired.
NOTICE
POUTIOMl Of THIS REPORT ARE Il lESIKE.
It has bee* reproduced from the best




DiSTMBUTION OF THIS DOCUMENT IS u H l M T H )
DISCLAIMER
This report was prepared as an account of work sponsored by an agency of the United States
Government. Neither the United States Government nor any agency thereof, nor any of their
employees, makes any warranty, express or implied, or assumes any legal liability or responsi-
bility for the accuracy, completeness, or usefulness of any information, apparatus, product, or
process disclosed, or represents tt.at its use would not infringj privately owned rights. Refer-
ence herein to any specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recom-
mendation, or favoring by the United States Government or any agency thereof. The views
and opinions of authors expressed herein do not necessarily state or reflect those of the
United States Government or any agency thereof.
I—jtMMT-tUM »»»» * OlllHli I t * WBHwilj • H *- < I I OUT O H i M w m . Ut k. I . at c
• ttmawf cwMttaa
Figure 2. RTS Block Diagram
The maximum values for the transient-dependent
boundary correspond to those for the transient-
Independent boundary; therefore, the transient-
Independent trip circuits serve as backup to the
transient-dependent trip circuits. Similarly, the
period signal has both dependent and Independent
boundaries and corresponding trip circuits. In
addition, the transient-Independent circuits Include a
dynaalc period boundary which provides an energy-
dependent period trip point. The boundaries for the
dynamic period trip are displayed on the tine versus
energy (TE) plane in Figure lb.
The RTS steady state instrumentation Is a doubly-
redundant system; each group, Identified by A or B,
consists of Linear Power and tog/Period nuclear
channels as well as Fuel Temperature and Pressure
Switch channels that deliver analog and digital
Inputs tc the Steady State Input Trip Logic. As vith
the transient instruments, the function of the Input
trip logic Is to compare the Inputs to specified
reference valuea. The analog power, period, and fuel
temperature Inputs are compared with adjustable limits
set via front panel potentiometers; the digital
pressure switch Inputs are monitored continuously to
Insure the control rod drive pressure exceeds the
minimum operational limits.
The latched t r ip - s ta tue outputs from the f ive
Input Trip Logic uni t s , together with tr ip s i g n a l s
from the ARCS computers and manual scram buttons, are
Input to each of the t r i p l i c a t e d Output Trip Logic
u n i t s . If one of these units senses the tripped-
condit lon on any of i t s inputs , i t s ignal* the s o l i d
s t a t e re lays in the corresponding Trip Unit to turn-
off. Since the Trip Units are in series , turning-off
the re lays v i l l remove the latch power from a l l
control rod dr ives , thus scraaalng the reactor.
Addi t iona l ly , two Independent seismic channels wil l
Ini t iate a scram i f the ground acceleration along any
of the axes In the subplle room exceeds l imits .
PUT Implementation
DMT Hardware
Figure 3 i s block diagram of the DMT hardware.
Since the DHT i s an extension of the TREAT Upgrade
Automatic Reactor Control System (ARCS), i t uses
commercially available hardware compatible with the
ARCS. The DHT's CPU i s an 8066/8087 Multibus* single
board computer. Additional Multibus boards provide
216 b i t s of d i g i t a l I/O, 64 multiplexed channels of
12-b i t analog Input, and 8 channel* of 12-bit analog
output. The DHT d i s t r i b u t i o n panel i s the physical
Interconnect between RTS/DHT cables and the DHT I/O
port s . The d i s t r i b u t i o n panel provides passive R-C
f i l t e r i n g on a l l analog and d i g i t a l inputs and
Interfaces RTS bi-directional analog signals with the
DHT analog to d i g i t a l converter (ADC) and d i g i t a l to
analog converters (DAC). CMOS switches controlled by
DMT dig i ta l outputs are used to connect and disconnect
the DMT d i g i t a l to analog converters. In addi t ion ,
the distribution panel provides 2 reference vo l tages






















Figure 3. DMT Block Diagram
The DHT connects to the ARCS central node
computer via a serial port. The DMT uses this link to
the central node to obtain printer services, to invoke
ARCS initiated stimuli, and to obtain nonvolatile
storage. Since the DMT Is not configured with a
printer, i t must use the central node's line printer
to generate hardcopy of test results. Text Is sent via
the serial port to a print task running on the central
node. The DMT is required to test the RTS response to
ARCS Initiated stimuli such as computer trips and
transient enabling signals. The DMT requests operator
Invocation of these ARCS initiated stimuli by sending
a message via the serial port to the central node
task. Finally, the DMT requires writable nonvolatile
storage for core configuration dependent parameters.
Since the DMi has only FROM and RAM memory, i t must
use the Winchester disk on the central node to store
and recall core configuration dependent parameters.
Again this is accomplished through communications with
a central node task via the serial port.
DMT Software
The DMT software system uses Inte l ' s 1RMX88
executive. IRMX88 is PROM-based, event-driven and
multitasking. All applications code for the DMT i s
written in I n t e l ' s PLM86 high level compiling
language. The code i s generally structured into a
program, subprogram and module organization. Basic
functions such as analog and digital input and output
are at the module level. These modules are Invoked by
subprograms to test Individual instruments. The
subprograms in turn are invoked by the DHT RTS test
task which performs testing of the RTS.
Figure A graphically depicts the DMT's software
task organization. At power-on or reset IRMX88 creates
and starts the Initialization/null tesk. This task in
turn creates exchanges required for intertask
communications, initializes flags and variables, and
creates and s tar t s the time, terminal, and
communications tasks. The tine task measures elapsed
tlme'wltt; a one millisecond resolution. The terminal
ta6k handles communications with the DHT console by
using exchanges to communicate with the IRMX88
terminal driver. The communications task, which
provides communications wit the central node via the
serial port, actually consists of two tasks, a
communications input task and a communications output
task. These tasks communicate via exchanges with
Interrupt service routines which Interact with the
serial port to effect transfers.
The terminal task operates in either of two
modes, data entry or command entry. In data entry
mode, operator console Input i s passed via an
interface routine to the requesting routine. The
interface routine simplifies programming by handling
the message Interchange between the communications
task and the requesting routine. A routine needing
operator console input cal ls the interface routine
with buffer pointer and maximum count parameters. The
Interface routine sets the terminal task node to data
entry, forms a message and sends i t to the terminal
task and then waits at a response exchange. The
communications task upon receipt of operator input
from the terminal handler via the terminal handler
response exchange, forms the operator Input into a
message and passes It to the interface routine. The
interface routine then moves the operator input to the
buffer pointed to by the buffer pointer parameter,
restores the terminal task to command entry mode, and
returns to the requesting routine.
In the command entry node, the terminal task
processes operator console input received froa the
terminal handler as DMT commands by passing the input
through a command line interpreter. Upon recognition
of a legal DMT command, the appropriate command
handling procedure is invoked. Legal DMT coamai is are




Figure «. DMT Software System
Start, Abort, Pause, Continue, Setup, Help, Repeat,
Tine, Execute, and Acknowledge. Setup Is used to
specify items such as enable and disable output of
hardcopy test results on the central node's line
printer. Start is used to Initiate a complete test of
the RTS and to begin elapsed t iae counting. Upon
recognition of a Start command, the terainal task
creates and starts the RTS test task which executes
the RTS test procedure. The Execute coaaand causes
the terainal task to create and start the execute task
which perforas a s ingle step of the RTS test
procedure. Because it allows the selective execution
of a single DMT step, the Execute coaaand Is
particularly useful during RTS maintenance, test, and
calibration. Abort, Pause and Continue respectively
kill, suspend or resuae the RTS teat or execute tasks.
The Tiae coaaand displays the t lae elapsed since
issuance of the Start coaaand. The Repaat command
causes the last DMT step specified In an Execute
command to be repeated. The Acknowledge command Is
used to signal the DMT that a DMT requested operator
action has been coapleted.
Since Integrity of the DMT Is crucial to proper
testing of the RTS, the DMT executes self tests
iaaediately prior to and subsequent to RTS testing.
The tests check FROM, RAH, analog-to-digltal (ADC) and
digital-to-analog (DAC) converter calibration, and the
distribution panel CMOS switches. FROM contents are
verified by coaparlson of a computed checktua with a
checksua stored in FROM. The readability, writsbility
and addressability of RAM Is checked with a sliding
ones and zeroes test. The ADC calibration Is checked
at three points against references within the
distribution panel. The calibration of each DAC Is
checked against the ADC at two point* by looping each
DAC output bsck to the ADC, outputtlng values to each
DAC, reading each DAC's output with the ADC and
comparing the result to Hal t s . The distribution
panel's CMOS switches are checked through a procedure
of applying voltages with the DACs and aonitorlng
response with the ADC while the switches are operated
in a.prescribed sequence.
In normal operation prior to transient
production, the Setup command is used to enable
hardcopy output of test results on the central node's
line printer. The Start command i s then Issued to
Initiate the RTS test procedure and begin counting
elapsed time. The DMT then verifies i ts integrity by
executing its self tests. Upon successful coapletion
of the self tests , the DMT requests the operator to
enter the date, time, core Identification and operator
identification. The RTS test procedure commence* upon
operator confiraatlon that the requested inforaation
is correct. During execution of RTS test procedure,
the Pause and Continue coaaand« may be used to suspend
and resume RTS testing. Pause does not affect the
counting of elapsed time. Each page of the DMT output
identifies the instrument under test , the tests
performed, the allowable Halts for each test result,
and the test results. Each page of the test results
displays the date, the core Id, a conaecutive page
nunber, the elapsed tlae since test Initiation, and a
valid or Invalid teat indicator. Each page is aarked
valid until a failure occurs. When » test result i s
out-of - l la l t s , the out-of - l ia l ts result i s printed
with a failure message and marked with a flag. In
addition, the current page and each subsequent page of
the test result printout is marked invalid to signal
that a fai lure has been detected. Operational
procedures require the RTS test procedure to be
executed from start to finish without a detected
failure. Thus when failures are detected, the causes
aust be corrected and the entire RTS test procedure
repeated. Execution of the entire test without failure
Is necessary to ensure that a corrective action has
not Inadvertently com promised a part of the RTS teated
prior to a failure.
Test Procedures
The methodology of the test procedures i s
primarily the application of an external stimulus
followed by the observation of the system response.
Two techniques are employed to assert the initiating
stimulus. In the first, the DMT automatically
initiates the stimulus either by enabling a test
circuit within the instrument or by injecting an
external signal into the Instrument's circuits. In
the second, the DMT requests the operator to initiate
the stimulus, e.g., by pressing a button, and to
acknowledge that the action has been completed; when
possible, the DMT verifies that the requested action
was properly executed. If necessary, the DMT also
examines the state of the instrument prior to the
applying the stimulus to insure that al l applicable
trip circuits have been reset and that the correct
operating modes have been established. Two segments
of the test procedure have been chosen to lllustrace

















l l - l
ENTEI C TO CO4FM1| Hi. ELSE TO «EP»T. »
BffEl C TO CWFIMl M i ELSE TO KPEAT. »
BttEl C TO CWIIH| AU ttSE TO REPEAT. »
BtTEt C TO tfdflHII Hi. ELSE TO KPHT. »
EKTEI C TO CQFIR1I AU USE TO IEP»T. »
ENTEI t TO C O * I « | ML ELSE Tl KPEAT. »
ENTEI TO C O * I * | AU ELSE TO REPEAT. »
M « VALUE HI LD1IT 10 L M H WITS OUT OF LIMITS
SW 13 VK 1.714 1.744 I.O4 VOLTS
PLUS3VK 3.113 3.111 4 .W VXTS
WOtOWM) l i-» Mil 1.331 VOLTS « • > •
2Enacat u-i MII MIS -MII VXTS
It-IACM. l*-3 f.114 ».IM l.t« WITS
ll-4 A CM l«-4 ».Ml M 3 ( I.M VOLTS
I.-3ACAL lt-3 MI4 MM I.M VXTS
ll-< A CM l(-4 f .117 M M I.M3 VXTS
U-7ACM K-7 Mtt f.lli Mil VXTS
I d A CM. It-t I.m *.S4I I.4M VXTS
IWMCM. li-4 . J.fM i.ia 1.1U
IAIN SETT1NS
MCE NO: IS • • INIMLIO i • ETl H l H l M
Figure 5. Testing of RTS Transient
Linear Channel
The first example, the testing of the Transient
Linear Channel, is typical of the checkout of the
steady state and transient nuclear channels. The
printout fro« this test is shown in Figure 5. The
initial portion verifies the capability of the DMT to
select the instrument range. To accomplish this, the
DMT sets up each range and requests the operator to
confirm this setting by visual inspection of range
Indicator on the instrument. The second portion
contains the checkout of the power supplies, the
background current, the zero of the output, and the
calibration of each range. Each test requires
selecting the appropriate range and subsequently
reading the channel output; the calibration tests also
require the enabling of the internally-generated
calibration current. The printout from these tests
Includes the instrument range, the value of the
channel output, the acceptance limits for this output,
and the units for these values. If the value is not
within the acceptance limits inclusive, the test is
flagged (****) an<j the instrument test is marked
Invalid. The final test, the LIN FWR CAL GAIN
SETTING, measures the gain of an adjustable amplifier
in the Transient Input Trip Logic unit; this gain Is
compared to the configuration-dependent value which
had been predetermined and saved on the central node's
Winchester disk.
STEPt l l t t CHTEi 11/24/14
™ « l ™ GOREi TEST-MI
TMNSIHI INPUT TFSP LOGIC TESTINC - TM6IENT OEPBBEKT CIRCUIT - G*0U» A
HESET IS PROPEK.
KT0t FKtNT POUCH VALUE, 177 TO I 2 M H I . » 1 I M
FMHT POUCH WLUf • t i l l H i , PI • M M V.
W T O FKNT PORCH TMNSITIIH, t42 TO I 4 M HJ. » l l l l
FKNI POKH TMNSITIM • l l l l I U , E2 • 2.43* V.
EKTEI UPPEt rCUER VM.UE, 2313 TO 11333 I V . » I M S !
UPPER POUn VALUE • M i l l W , P3 • I . N I V.
m a eon VM.UE, im TO 4in NJ. » 4in
BCKY VALUE • 4111 HJ, E4 • 1 M I I V.
EHTE« SLOPE COSTAST O W E A T M ) , 1123 TO 4111 HJ. » 3011
SLOPE CnSTMT > 30JI W , T5 • 7.317 V .
ona c TO ci»Fim INPUTI M I a s TO KMU. » c
str Aojusnrars PI , E2, n, u, T3, M ACWOUUNE.
• FAILUK «
SCAN TEST VALUE HI LIMIT 10 LIHIT UNITS OUT OF LIMITS
FRONT POUCH POUCH TI IP I . H 7 MM M7I VOLTS
F«HT POUCH ENEKY TRIP 2.431 2.44* 2.421 VOLTS
UPPEIPOUEI TRIP M O ? Mil l.» VOLTS









7.31* 7.417 7.217 VOLTS
effER PEI.10D TI IP VALUE, M i l TO M 7 S SEC. » .1
PERIOD TI IP VALUE • I . H I SEC, T4 • 1.231 V.
ENTEI C TO C O f i m INPUTg ALL ELSE TO K K T E t . » C
SETANUSTHENT T< WO ACmOULEDCE.
VALUE HI LIMIT U LIMIT
FAILWE 01




VALID ET) M t l M 3
Testing of Transient-Dependent Circuits
of Transient Input Trip Log
The second example, the testing of the transient-
dependent circuits of the Transient Input Trip Logic
described in RTS Description, presents an excellent
example of the DMT Injecting signals into the
instrument's circuits. The printout from this test is
present in Figure 6. At the beginning of this test ,
vhe operator enters the boundary parameters for the
transient, as prompted by the DMT. The DMT converts
these physical parameters into voltage levels which
the operator sets via the front panel potentiometers.
When the Input parameters have been confirmed and the
voltage settings have been acknowledged, the DMT
begins execution of a series of voltage scans to test
the transient-dependent trip circuits and, If the
circuit is functioning properly, to measure the actual
trip points. Each scan consists of Inserting a fixed
voltage on either the power or energy Input of the
trip circuits while applying a voltage ramp to the
other input: see Figure 2a. By monitoring the state
of the appropriate trip bistable, the DMT can
determine the point on the voltage ramp at which the
trip occurred. This trip point Is compared to the
appropriate voltage levels computed from the input
boundary parameters; if the measured trip point Is not
within the acceptance l imits , It Is flagged ( * * * * )
and the Instrument test Is marked Invalid. Note that
an adjustment to the measured sloping boundary trip Is
repaired since the scan is executed at a power voltage
different than that specified for the parameter input.
The transient-dependent period trip value Is also
entered and tested by scanning the period signal.
Verification and Validation
Since the DMT Is deemed to be "safety related", a
quality assurance plan for the DMT Implementation was
written which conforms to the requirements of
ANSI/ASME standard N45.2-1977, Quality Assurance
Program Requirement for Nuclear Faci l i t i es . The QA
plan spawned a number of control procedures addressing
areas 6uch as hardware and software design control,
software development control, system test control,
document control, etc.
Software v e r i f i c a t i o n and validation i s an
integral, significant factor in the DMT software
design, development and testing process. A detailed
software specification down to the module level wes
developed and veri f ied against DMT functional
requirements. Software development began after review
and acceptance of the specification. Verification
during the development phase consisted of review of
module and subprogram listings and testing of modules
and subprograms.
DMT system t e s t i n g c o n s i s t s of system
v e r i f i c a t i o n , va l idat ion , rever i f i ca t ion , and
revalldatlon phases. The verification and validation
phases will be performed with the DMT's program in RAM
rather than PROM to fac i l i tate correction of any
software problems. In the verification phase the DMT
Is required to successfully complete a test of an RTS
system known to be error free. The validation phase
cons i s t s of performing an error-seeded test to
demonstrate the DMT's ability to detect and announce
RTS failures. Approximately 300 errors wil l be
sequentially seeded in the RTS to exercise all the
DMT's fault detection capabilities.
Upon successful coapletlon of the verification
and val idat ion t e s t s , the DMT program w i l l be
committed to PROM and software configuration control
wi l l commence. The software configuration control
requires the documentation of software problems in
Software Problem Report* (SPR's) and the documentation
of corrective actions or modifications In Software
Change Orders (SCO's). An SPR Identifies the nature
of the problem, the conditions under which the problem
manifested itself and the name and version number of
the module causing the problem. After review of the
SPR, an SCO is generated which specifies a software
change, the purpose of the change, the module to be
changed, the new module version number, the programmer
to make the change, the date the change was made and
the date the change was tested. The SPR's and SCO's
provide an audltable trail of software changes.
After the DMT's program Is transferred to PROM,
the verification and validation tests Ji l l be repeated
for the FROM resident version (reverifIcation and
revalldation) to ensure that the transfer has not
Introduced problems.
Conclusion
The DMT is currently undergoing testing with
Individual RTS units as they become available. DMT
system testing (verification and validation) will
begin in late November when the full RTS becomes
available. The DMT is scheduled to be shipped to
TREAT in mid February of 1985.
Reference
1 C. E. Dickernan, e t . s i . , "Upgrading of TREAT
Experimental Capabi l i t i es ," Proceeding Fast ,
Thermal, and Fusion Reactor Experiments, vol. 1, pp.
1-130, Salt Lake City, Utah, April 12-15, 1982.
