Modeling the critical safety functions status tree of NPP using FPGA by Farias, Marcos Santana et al.
2013 International Nuclear Atlantic Conference - INAC 2013 
Recife, PE, Brazil, November 24-29, 2013 
ASSOCIAÇÃO BRASILEIRA DE ENERGIA NUCLEAR - ABEN 
ISBN: 978-85-99141-05-2 
 
MODELING THE CRITICAL SAFETY FUNCTIONS STATUS TREE OF 
A NPP USING FPGA 
 
Marcos Santana Farias¹, Mauro Vitor de Oliveira¹, Guilherme Dutra Gonzaga Jaime¹, 
José Carlos Soares de Almeida¹ and Silas Cordeiro Augusto¹ 

¹ Divisão de Engenharia Nuclear 
Instituto de Engenharia Nuclear - IEN 
Comissão Nacional de Energia Nuclear - CNEN 
Rua Hélio de Almeida, 75 
21941-906 Rio de Janeiro, RJ 
msantana@ien.gov.br, mvitor@ien.gov.br, gdjaime@ien.gov.br, jcsa@ien.gov.br, silas@ien.gov.br 
 
 
 
ABSTRACT 
 
Field programmable gate array (FPGA) based systems and equipment are beginning to appear in the 
I&C applications of new plants, as well as in retrofits of operating plants, in particular for safety 
applications, because they can cope with system obsolescence: the designs are circuit independent, 
and the circuits implemented can be ported to different FPGA architectures.  Moreover, they reduce 
the complexity of regulatory approval compared to conventional microprocessor-based systems.  The 
critical safety function (CSF) is the most significant design concept for prioritizing operator 
actions in an NPP based on the potential threat to the three barriers (fuel cladding, primary 
coolant system boundary, and containment), and it allows the operator to respond to these threats 
prior to event diagnosis.  A CSF has a hierarchical information structure that organizes the system 
variables affecting plant safety in terms of goal-means relations.  This paper describes the 
application of FPGAs to the implementation of the CSF status tree logic for a Westinghouse 3-loop 
NPP simulator. 
 
 
1. INTRODUCTION 
 
An FPGA is a complex programmable semiconductor device that can be configured to perform a 
custom function.  An FPGA contains millions of logic gates arranged in an array, and the 
interconnections between the gates can be programmed in the field.  FPGA technology offers an 
alternative to microprocessor technologies.  An FPGA is parallel by nature, so the array elements 
can operate simultaneously.  This parallelism not only contributes to higher performance but also 
avoids the complexity of microprocessor-based systems by eliminating the need for context 
switching and memory access [1]. 
 
This paper describes the use of FPGA technology to implement the Critical Safety Functions 
(CSFs) status tree logic for a Westinghouse 3-loop Nuclear Power Plant (NPP) simulator provided 
by the Human-System Interface Laboratory (LABIHS) at Instituto de Engenharia Nuclear (IEN).  The 
paper is organized as follows: first, in Section 2, the CSF concepts are explained.  In Section 3, 
we briefly review the application of FPGAs in nuclear reactors.  In Section 4 we describe the 
hardware development and the objectives of the proposed architecture.  In Section 5, we present 
results that show the efficiency of the proposed implementation.  Finally, in Section 6, we draw 
conclusions and point out directions for future work. 
 
 
2. CRITICAL SAFETY FUNCTIONS CONCEPTS 
 
Critical safety functions prioritize operator actions based on the potential threat to the three 
barriers (fuel cladding, primary coolant system boundary, and containment) and allow the 
operator to respond to these threats prior to event diagnosis.  A CSF has a hierarchical 
information structure that organizes the system variables affecting plant safety in terms of 
goal-means relations.  The operator should be aware of the various success paths associated 
with each CSF in order to respond quickly to unanticipated system failures.  When an emergency 
occurs in an NPP, the operators should monitor the CSFs periodically, identify possible success 
paths as necessary, and try to stabilize or safely shut down the plant using the emergency 
operating procedures (EOPs), which include steps to check the CSFs. 
 
Six critical safety functions were identified for the reference plant and implemented in the 
human-system interface (HSI) of the simulator to support the operator in monitoring them and 
identifying the associated success path for the Westinghouse 3-loop NPP.  In order of priority, 
they are: 
1. Subcriticality (SC); 
2. Core cooling (CC); 
3. Heat sink (HS); 
4. Reactor Coolant System Integrity (RI); 
5. Containment Environment (CE); 
6. Reactor Coolant Inventory (CI). 
 
The Critical Function Status Tree (CFST) main screen of the LABIHS [2] control room 
simulator is shown in Fig. 1. 
 
Figure 1:  CFST main screen with containment environment violation. 
 
 
 
The six CSFs are presented on this screen with the corresponding status of each one, i.e., the 
priority degree of each CSF.  The priority degree of a CSF falls into one of four categories or 
severity degrees (SATISFIED, LOW, MEDIUM and HIGH).  The SATISFIED condition is lit (green) when 
the CSF poses no potential danger to plant safety.  The LOW condition is lit (yellow) when the CSF 
poses little potential danger to plant safety, i.e., it warns the operators of an off-normal 
condition.  The MEDIUM condition is lit (purple) when the plant is in a potentially dangerous 
condition.  The HIGH condition is lit (red) when a hazardous condition to plant safety exists.  The 
overall priority level is lit with the highest condition among all CSFs.  The navigation buttons 
for each CFST are shown at the bottom left of the screen.  Clicking a CSF navigation button opens 
the corresponding status tree of the selected critical function.  All the CSF screens were 
developed based on NUREG-0700 [3] using iLog Studio [4], and the tree logic was implemented in 
the C language. 
 
 
3. APPLICATION OF FPGA IN NUCLEAR REACTORS 
 
FPGAs were first introduced in non-safety-related systems of NPPs, where no special regulatory 
requirements for the development of FPGA applications have to be satisfied.  To use FPGAs in 
safety-related systems, however, nuclear regulators impose more stringent processes to ensure the 
reliability and safety of the systems [5].  The logic to be programmed into the FPGA is described 
using hardware description languages (HDLs).  Because the FPGA development process is similar to 
that of software for microprocessor-based systems, the conventional safety software development 
process, including V&V methods, can be applied.  New International Electrotechnical Commission 
(IEC) standards are dedicated to this topic [6]. 
 
In conventional computer-based systems, a separation can be drawn between the hardware and 
software parts.  With FPGAs, however, Instrumentation and Control (I&C) designers may build 
application functions directly in one integrated circuit.  According to IEC 62566 [6], to 
achieve the reliability required for safety I&C systems, the development of FPGA-based systems 
shall comply with strict process and technical requirements. 
 
Safety functions implemented in FPGAs execute without any software or operating system, which is 
an advantage: it reduces the vulnerability of the digital I&C system and can simplify the 
licensing process.  A second advantage is that FPGA-based applications are more resilient, since 
the HDL code is portable across FPGA chips of different versions and from different 
manufacturers. 
 
 
4. HARDWARE DEVELOPMENT 
 
In this work, the six CSFs identified for the reference plant were described in digital 
hardware.  In this paper we present the status tree logic of two CSFs: 
• Containment Environment Status Tree (Fig. 2). 
• Reactor Coolant System Integrity Status Tree (Fig. 3). 
 
In each figure one can see the blocks of the critical safety function status tree that perform 
the comparison logic on one or more variables affecting plant safety.  These variables are 
compared with predetermined values, and the comparison result leads to the corresponding 
functional restoration (FR) guideline to be used by the operators to bring the plant to a safe 
condition. 
 
 
 
Figure 2:  Containment Environment Status Tree. 
 
 
 
 
Figure 3:  Reactor Coolant System Integrity Status Tree. 
 
 
The values of the variables of each status tree are the inputs to the hardware that performs 
the digital logic. 
 
4.1. Proposed Hardware Architecture 
 
This section provides an overview of the architecture and states the broad objectives of the 
proposed hardware.  The hardware implements the six CSFs mentioned above.  In each 2-second 
interval, the hardware needs to read and record the input variables used in evaluating the logic 
of the six CSFs.  The output of the hardware architecture should present the status of each CSF, 
i.e., the priority degree (HIGH, MEDIUM, LOW, SATISFIED) of each CSF and the corresponding 
functional restoration (FR) guideline to achieve the success path, as shown in Table 1. 
 
 
Table 1:  CFST Status Log Sheet (functional restoration guideline for each priority degree). 

Critical Safety Function           HIGH      MEDIUM            LOW       SATISFIED 
Subcriticality                     FRSM-1    FRSM-1            FRSM-2    SAT 
Core Cooling                       FRCC-1    FRCC-2            FRCC-3    SAT 
Heat Sink                          FRHS-1, FRHS-2, FRHS-3, FRHS-4, FRHS-5 (from HIGH to LOW)   SAT 
Reactor Coolant System Integrity   FRTS-1    FRTS-1            FRTS-2    SAT 
Containment Environment            FRCE-1    FRCE-1, FRCE-2    FRCE-3    SAT 
Reactor Coolant Inventory          FRCI-1, FRCI-2, FRCI-3 (from HIGH to LOW)                   SAT 
 
 
Fig. 4 presents the proposed architecture.  It includes 33 registers that hold the input 
variables during processing.  The lists of variables for the Containment Environment and 
Reactor Coolant System Integrity CSFs are found in the status trees of Figures 2 and 3.  The 
inputs of the registers are connected to a single data bus.  This bus has the same bit width as 
the registers and receives the variable values serially, that is, the value of each of the 33 
variables is present on the bus for a few clock cycles so that it can be loaded into the 
corresponding register.  A state-machine-based controller (CRTL) was described in hardware to 
control the sequential loading of the registers.  Each register has a load-enable input bit (LE). 
The registers are described in hardware as a set of flip-flops, one per bit, plus the single 
load-enable bit. 
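A C reference model of the register bank and its load sequencer, as an added example (not the paper's VHDL): the controller walks through the 33 registers, asserting the load-enable line of exactly one register per clock while the corresponding value is on the shared bus, and raises a frame-ready flag once all 33 have been captured for the current 2-second frame. The 16-bit register width, the state names and the one-value-per-cycle bus timing are assumptions made here for illustration.

```c
/* Added example: C model of the 33-register bank and its state-machine load
 * controller described in Section 4.1.  Not the paper's code; register width
 * and state names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define NUM_VARS 33   /* 33 input registers, as in the paper */

typedef enum { CTRL_IDLE, CTRL_LOAD, CTRL_DONE } ctrl_state_t;

typedef struct {
    uint16_t     reg[NUM_VARS];   /* register contents (16-bit width is an assumption) */
    bool         le[NUM_VARS];    /* load-enable line of each register, one-hot */
    ctrl_state_t state;           /* controller state */
    int          index;           /* register currently addressed by the controller */
    bool         frame_ready;     /* all 33 variables captured for the current frame */
} reg_bank_t;

void bank_reset(reg_bank_t *b)
{
    memset(b, 0, sizeof *b);
    b->state = CTRL_IDLE;
}

/* One clock edge.  'bus' is the value currently on the shared data bus and
 * 'start_of_frame' models the 2 s update pulse that begins a new load cycle. */
void bank_clock(reg_bank_t *b, uint16_t bus, bool start_of_frame)
{
    memset(b->le, 0, sizeof b->le);         /* LE is asserted for one cycle only */

    switch (b->state) {
    case CTRL_IDLE:
        if (start_of_frame) {
            b->index = 0;
            b->frame_ready = false;         /* the previous frame is about to be overwritten */
            b->state = CTRL_LOAD;
        }
        break;
    case CTRL_LOAD:
        b->le[b->index] = true;             /* only the addressed register samples the bus */
        b->reg[b->index] = bus;
        if (++b->index == NUM_VARS)
            b->state = CTRL_DONE;
        break;
    case CTRL_DONE:
        b->frame_ready = true;              /* the CSF components may now evaluate this frame */
        b->state = CTRL_IDLE;
        break;
    }
}

/* Drive one complete frame: the 33 values appear on the bus one per cycle, in
 * variable order.  Returns the clock cycles used (35: frame pulse, 33 loads, done). */
int bank_load_frame(reg_bank_t *b, const uint16_t vals[NUM_VARS])
{
    int cycles = 0;
    bank_clock(b, 0, true);  cycles++;              /* frame pulse, nothing loaded yet */
    for (int i = 0; i < NUM_VARS; i++) {
        bank_clock(b, vals[i], false);  cycles++;
    }
    bank_clock(b, 0, false);  cycles++;             /* DONE state raises frame_ready */
    return cycles;
}

/* Constructed check: load one frame and confirm every register holds its value. */
bool bank_selftest(void)
{
    static reg_bank_t bank;
    uint16_t vals[NUM_VARS];
    for (int i = 0; i < NUM_VARS; i++)
        vals[i] = (uint16_t)(100 * (i + 1));        /* constructed sample values */
    bank_reset(&bank);
    if (bank_load_frame(&bank, vals) != NUM_VARS + 2) return false;
    if (!bank.frame_ready) return false;
    for (int i = 0; i < NUM_VARS; i++)
        if (bank.reg[i] != vals[i]) return false;
    return true;
}
```

Such a software model is the kind of golden reference a designer compares the ModelSim waveforms against: the same stimulus (one frame of 33 values) must leave the same register contents and raise the ready flag at the same cycle.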
 
The architecture shown in Fig. 4 has six components that perform the logic of the six CSFs.  
The components are: Subcriticality, Core_Cooling, Heat_Sink, RCS_Integrity, 
Containment_Environment and Coolant_Inventory.  Fig. 5 shows the internal architecture of the 
Containment_Environment component.  It has four Comparator components and some logic gates that 
implement the Containment Environment Status Tree (see Fig. 2).  The internal architecture of the 
other components is similar.  Only the RCS_Integrity component differs from the others, since it 
requires three FIFO memories with 1800 positions each to store the temperature measurements of 
the three cold legs of the primary loops over the last sixty minutes of operation.  In this 
application it is assumed that all variables are updated every 2 seconds.  The difference between 
the maximum and minimum of these 1800 temperature measurements must be monitored so that it does 
not exceed 38 °C, to avoid thermal shock in the primary circuit. 
 
 
 
Figure 4:  Proposed architecture. 
 
 
A state-machine-based controller is needed to control the read and write cycles of the memory 
components.  This controller is also responsible for sweeping the memories to obtain the maximum 
and minimum values, loading them onto the memory buses for the subtraction, and then checking 
whether the computed difference exceeds 38 °C. 
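A C reference model of the RCS_Integrity window check, as an added example (not the paper's VHDL): one circular FIFO of 1800 two-second samples per cold leg, a sweep that finds the maximum and minimum, and the comparison of their difference against 38 °C. Temperatures are scaled by 100 as the paper does for its simulation inputs; the edge cases handled here are the partially filled window during the first hour of operation and the eviction of an old excursion once it leaves the window. Function names and the constructed scenario are assumptions made for this example.

```c
/* Added example: C reference model of the RCS_Integrity check in Section 4.1
 * (FIFO of the last 1800 two-second cold-leg temperatures, max-min spread not
 * to exceed 38 degC).  Not the paper's code; values are scaled by 100. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define WINDOW_DEPTH      1800   /* 60 min / 2 s, from the paper */
#define SPREAD_LIMIT_X100 3800   /* 38 degC, scaled by 100 */
#define NUM_COLD_LEGS     3

typedef struct {
    int32_t buf[WINDOW_DEPTH];   /* circular FIFO, one per cold leg */
    size_t  head;                /* next write position */
    size_t  count;               /* valid samples; below WINDOW_DEPTH during the first hour */
} temp_fifo_t;

void fifo_init(temp_fifo_t *f) { f->head = 0; f->count = 0; }

/* Push one sample; once the FIFO is full the oldest sample is overwritten. */
void fifo_push(temp_fifo_t *f, int32_t t_x100)
{
    f->buf[f->head] = t_x100;
    f->head = (f->head + 1) % WINDOW_DEPTH;
    if (f->count < WINDOW_DEPTH) f->count++;
}

/* Sweep the valid samples for max and min, like the controller's review pass.
 * Returns max - min, or 0 when the FIFO is empty. */
int32_t fifo_spread(const temp_fifo_t *f)
{
    if (f->count == 0) return 0;
    int32_t mx = f->buf[0], mn = f->buf[0];
    for (size_t i = 1; i < f->count; i++) {   /* buf[0..count) are the valid entries */
        if (f->buf[i] > mx) mx = f->buf[i];
        if (f->buf[i] < mn) mn = f->buf[i];
    }
    return mx - mn;
}

/* True if any cold leg's one-hour spread exceeds 38 degC. */
bool rcs_spread_exceeded(const temp_fifo_t legs[NUM_COLD_LEGS])
{
    for (int i = 0; i < NUM_COLD_LEGS; i++)
        if (fifo_spread(&legs[i]) > SPREAD_LIMIT_X100) return true;
    return false;
}

/* Constructed scenario: one hour steady at 290.00 degC on all legs, then a
 * 38.01 degC step on leg 1, then another steady hour so the step leaves the
 * window.  Returns a bit mask: 1 = steady OK, 2 = step flagged, 4 = cleared. */
int demo_thermal_shock_scenario(void)
{
    static temp_fifo_t legs[NUM_COLD_LEGS];
    int result = 0;
    for (int l = 0; l < NUM_COLD_LEGS; l++) fifo_init(&legs[l]);

    for (int i = 0; i < WINDOW_DEPTH; i++)
        for (int l = 0; l < NUM_COLD_LEGS; l++) fifo_push(&legs[l], 29000);
    if (!rcs_spread_exceeded(legs)) result |= 1;

    fifo_push(&legs[1], 29000 + SPREAD_LIMIT_X100 + 1);   /* 38.01 degC above the rest */
    if (rcs_spread_exceeded(legs)) result |= 2;

    for (int i = 0; i < WINDOW_DEPTH; i++) fifo_push(&legs[1], 29000);
    if (!rcs_spread_exceeded(legs)) result |= 4;          /* excursion has aged out */

    return result;   /* 7 when all three stages behave as expected */
}
```

The model deliberately compares with a strict greater-than, so a spread of exactly 38.00 °C is not flagged, matching the paper's "should not exceed 38 °C"; the sweep over the whole window on every evaluation mirrors the controller's review of the memories rather than an incremental min/max, which is the simpler structure to describe in hardware.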
 
The components of the architecture were modeled in VHDL (Very High Speed Integrated Circuit 
Hardware Description Language), a language specifically used for the description and 
representation of digital hardware.  The hardware description of these functions was then 
simulated in ModelSim™ for validation.  ModelSim™ is a popular hardware simulation and debug 
environment primarily targeted at FPGA design. 
 
 
 
Figure 5:  Containment Environment architecture. 
 
 
5. RESULTS 
 
In this section we present simulation results that show the efficiency of the proposed 
architecture.  Fig. 6 shows the simulation results with the values sent and the signals received 
after processing by the Containment_Environment component.  In the simulation, the input data are 
read from a text file containing the log of the variables, updated every 2 seconds.  In the FPGA 
implementation the inputs are read from a serial interface.  The output signals of the component 
correspond to the Containment Environment row of Table 1: Green_Sat, Yellow_FRCE-3, 
Purple_FRCE-2, Purple_FRCE-1 and Red_FRCE-1. 
 
The simulation assumes a 50 MHz clock (20 ns period).  Fig. 6 (simulation one) and Fig. 7 
(simulation two) show that the hardware responds correctly to the specified logic, in accordance 
with Fig. 2.  Variable values were multiplied by 100.  In Fig. 6, when the value of the variable 
ZINST26 is greater than 3.3 kg/cm² (330), the signal Red_FRCE-1 goes to logic level 1.  In Fig. 7, 
when the variable ZINST26 is less than 1 kg/cm² (100) and the variable ZSUMP is not less than 78% 
(292.38), the signal Purple_FRCE-2 goes to 1 and all other output signals go to 0. 
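A C reference model of the two Containment Environment paths that the simulations above exercise, replayed over a constructed variable log in the spirit of the text file ModelSim read, as an added example (not the paper's code). Only the two documented comparisons are modelled: ZINST26 above 330 drives Red_FRCE-1, and ZINST26 below 100 with ZSUMP at or above 292.38 drives Purple_FRCE-2; any other input combination is reported as not covered, because the remaining paths of the tree in Fig. 2 are not reproduced here. The log format, the sample values and the function names are assumptions made for this example.

```c
/* Added example: C reference model of the two Containment Environment paths
 * documented in Section 5, replayed over a constructed variable log.  Not the
 * paper's code.  Variable values are scaled by 100, as in the paper. */
#include <stdio.h>
#include <string.h>

#define ZINST26_HIGH_X100  330.0   /* 3.3 kg/cm2: Red_FRCE-1 when exceeded */
#define ZINST26_LOW_X100   100.0   /* 1 kg/cm2 */
#define ZSUMP_HIGH_X100    292.38  /* 78 %, as scaled in the paper */

typedef enum { CE_RED_FRCE1, CE_PURPLE_FRCE2, CE_NOT_COVERED } ce_branch_t;

typedef struct {
    int green_sat, yellow_frce3, purple_frce2, purple_frce1, red_frce1;
} ce_outputs_t;

/* Evaluate the two documented comparator paths.  The status tree asserts at
 * most one terminal, so all outputs are cleared first. */
ce_branch_t ce_eval(double zinst26, double zsump, ce_outputs_t *out)
{
    memset(out, 0, sizeof *out);
    if (zinst26 > ZINST26_HIGH_X100) {                  /* Fig. 6 case */
        out->red_frce1 = 1;
        return CE_RED_FRCE1;
    }
    if (zinst26 < ZINST26_LOW_X100 && zsump >= ZSUMP_HIGH_X100) {   /* Fig. 7 case */
        out->purple_frce2 = 1;
        return CE_PURPLE_FRCE2;
    }
    return CE_NOT_COVERED;   /* remaining paths of Fig. 2 are not modelled here */
}

ce_branch_t ce_branch(double zinst26, double zsump)
{
    ce_outputs_t o;
    return ce_eval(zinst26, zsump, &o);
}

/* Constructed log: "<time_s> <ZINST26 x100> <ZSUMP x100>", one 2 s sample per line. */
static const char CE_SAMPLE_LOG[] =
    "0 120 50\n"
    "2 335 60\n"
    "4 340 60\n"
    "6 90 300\n"
    "8 95 293\n"
    "10 95 280\n";

/* Replay a log, counting the samples that drive each documented terminal.
 * Returns the number of samples parsed, or -1 on a malformed line. */
int ce_replay(const char *log, int *n_red, int *n_purple2, int *n_other)
{
    *n_red = *n_purple2 = *n_other = 0;
    int parsed = 0;
    for (const char *p = log; *p; ) {
        double t, z26, zs;
        if (sscanf(p, "%lf %lf %lf", &t, &z26, &zs) != 3) return -1;
        ce_outputs_t o;
        switch (ce_eval(z26, zs, &o)) {
        case CE_RED_FRCE1:    (*n_red)++;     break;
        case CE_PURPLE_FRCE2: (*n_purple2)++; break;
        default:              (*n_other)++;   break;
        }
        parsed++;
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return parsed;
}

/* Helpers that replay the embedded constructed log. */
int ce_sample_count(void)         { int r, p2, o; return ce_replay(CE_SAMPLE_LOG, &r, &p2, &o); }
int ce_sample_red_count(void)     { int r, p2, o; ce_replay(CE_SAMPLE_LOG, &r, &p2, &o); return r; }
int ce_sample_purple2_count(void) { int r, p2, o; ce_replay(CE_SAMPLE_LOG, &r, &p2, &o); return p2; }
```

Replaying the same log through this model and through the VHDL simulation gives a per-sample comparison of the terminal that should be asserted, which is a more systematic check than reading the two waveforms by eye; the boundary values (exactly 330, exactly 100, exactly 292.38) are where the strict and non-strict comparisons in the paper's description differ and are the first cases worth adding to such a log.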
 
Figure 6:  Simulation one with Containment Environment architecture. 
 
Figure 7:  Simulation two with Containment Environment architecture. 
 
 
 
The simulations performed showed the feasibility of the proposed hardware for modeling the CSFs 
of an NPP and make the subsequent hardware implementation on the FPGA easier and more efficient. 
 
 
 
6. CONCLUSIONS 
 
In this work, we described the use of FPGA-based technology to implement the CFST logic for the 
Westinghouse 3-loop NPP simulator of the LABIHS laboratory at IEN. 
 
FPGA-based systems can provide cost-effective options for I&C systems in nuclear reactors, 
ensuring safe and reliable operation.  With FPGA-based systems, licensing requirements such as 
separation, redundancy and diversity can be met in a more convincing way due to their design 
simplicity. 
 
The results showed that the proposed architecture fulfills the initial goal of designing 
hardware that efficiently implements the CFST logic of nuclear reactors. 
 
Following this work, we intend to develop complete CSF equipment based on an FPGA and compare 
its performance with the CSF tree logic implemented in C in the LABIHS simulator.  For the 
hardware implementation we intend to use the Starter Kit board, which carries a Spartan-3E FPGA 
from Xilinx.  In the near future it will be possible to develop circuits with FPGA technology for 
other safety-related and non-safety-related functions of nuclear reactors. 
 
 
REFERENCES 
 
1. NUREG/CR-6992, "Instrumentation and Controls in Nuclear Power Plants: An Emerging 
Technologies Update", U.S. Nuclear Regulatory Commission Research, Washington, USA (2009). 
2. Oliveira, M.V., Moreira, D.M., Santos, I.J.A.L., Cordeiro, S.A., Abreu, A.C.M., Grecco, 
C.H.S., Carvalho, P.V.R., "Desenvolvimento e Avaliação de Interfaces Homem-Sistema 
para Salas de Controle Avançadas de Plantas Industriais", Technical Report RT-IEN-14/2006, 
Rio de Janeiro, Brazil (2006) (in Portuguese). 
3. NUREG-0700, "Human-System Interface Design Review Guidelines", U.S. Nuclear 
Regulatory Commission Research, Washington, USA (2002). 
4. iLOG, "iLOG Views Studio 4.0 - User's Manual" (2000). 
5. Hayashi, T. et al., "Application of FPGA to nuclear power plant I&C systems", Nuclear 
Safety and Simulation, Vol. 3, Number 1, March (2012). 
6. IEC 62566, "Nuclear power plants - Instrumentation and control important to safety - 
Development of HDL-programmed integrated circuits for systems performing category A 
functions", International Electrotechnical Commission, Washington, USA (2012). 
 
